
     1  package automount
     2  
     3  import (
     4  	"fmt"
     5  	"strings"
     6  
     7  	"golang.stackrox.io/kube-linter/pkg/check"
     8  	"golang.stackrox.io/kube-linter/pkg/config"
     9  	"golang.stackrox.io/kube-linter/pkg/diagnostic"
    10  	"golang.stackrox.io/kube-linter/pkg/extract"
    11  	"golang.stackrox.io/kube-linter/pkg/lintcontext"
    12  	"golang.stackrox.io/kube-linter/pkg/objectkinds"
    13  	"golang.stackrox.io/kube-linter/pkg/templates"
    14  	"golang.stackrox.io/kube-linter/pkg/templates/util"
    15  )
    16  
// Check returns the kube-linter check definition for the sa-token-automount
// template registered in init. The check takes no parameters, so Params is an
// empty (but non-nil) map.
func Check() *config.Check {
	const key = "sa-token-automount"
	c := config.Check{
		Name:        key,
		Description: "Service Account Token automount is not disabled",
		Template:    key,
		Params:      map[string]interface{}{},
	}
	return &c
}
    25  
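// init registers the "sa-token-automount" template with kube-linter. The
// template applies to DeploymentLike objects and emits one diagnostic when the
// pod spec does not explicitly disable service account token automount.
func init() {
	templates.Register(check.Template{
		HumanName: "Service Account Token mounts",
		Key:       "sa-token-automount",
		SupportedObjectKinds: config.ObjectKindsDesc{
			ObjectKinds: []string{objectkinds.DeploymentLike},
		},
		Parameters:             ParamDescs,
		ParseAndValidateParams: ParseAndValidate,
		Instantiate: WrapInstantiateFunc(func(_ Params) (check.Func, error) {
			return func(_ lintcontext.LintContext, object lintcontext.Object) []diagnostic.Diagnostic {
				podSpec, found := extract.PodSpec(object.K8sObject)
				if !found {
					// No pod template on this object: nothing a token could be mounted into.
					return nil
				}
				// Only an explicit `automountServiceAccountToken: false` on the pod
				// spec counts as disabled. The previous condition was inverted: it
				// returned no finding when the field was explicitly true (token
				// mounted) and flagged specs that had set it to false. When the
				// field is unset the effective value is decided outside this pod
				// spec (the ServiceAccount's setting), which this check does not
				// inspect, so unset is reported as not disabled.
				if podSpec.AutomountServiceAccountToken != nil && !*podSpec.AutomountServiceAccountToken {
					return nil
				}
				return []diagnostic.Diagnostic{{Message: "Resource does not have service account token automount disabled"}}
			}, nil
		}),
	})
}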
    49  
// Params holds the template parameters for the sa-token-automount check.
// The check is parameter-free, so the type has no fields; it exists to give
// WrapInstantiateFunc and ParseAndValidate a concrete type to work with.
type Params struct{}
    52  
// ParamDescs describes the parameters accepted by the sa-token-automount
// template. The check declares none, so the slice is empty but non-nil.
var ParamDescs = []check.ParameterDesc{}

// Reference helpers from the template imports so they stay used even though
// this check declares no parameters.
var (
	_ = util.MustParseParameterDesc
	_ = fmt.Sprintf
)
    60  
// Validate reports whether the parsed Params are acceptable. The check has no
// parameters, so nothing is collected into problems and the result is always
// nil; the error-joining branch is currently unreachable and is kept only so
// that parameter checks added later can append to problems.
func (p *Params) Validate() error {
	var problems []string
	if len(problems) == 0 {
		return nil
	}
	return fmt.Errorf("invalid parameters: %s", strings.Join(problems, ", "))
}
    68  
// ParseAndValidate decodes the raw template parameter map into a Params value,
// validates it, and returns it.
//
// The result is returned as interface{} (holding a Params value, not a pointer)
// to satisfy the ParseAndValidateParams field of check.Template; any decode or
// validation error is returned with a nil value.
func ParseAndValidate(m map[string]interface{}) (interface{}, error) {
	params := Params{}
	err := util.DecodeMapStructure(m, &params)
	if err == nil {
		err = params.Validate()
	}
	if err != nil {
		return nil, err
	}
	return params, nil
}
    82  
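// WrapInstantiateFunc is a convenience wrapper that wraps an untyped instantiate function
// into a typed one.
//
// The returned function expects the value produced by ParseAndValidate (a Params
// value, not a pointer). Any other dynamic type is reported as an error instead of
// panicking on an unchecked type assertion, so a template wiring mistake surfaces
// as a failed instantiation rather than a panic.
func WrapInstantiateFunc(f func(p Params) (check.Func, error)) func(interface{}) (check.Func, error) {
	return func(paramsInt interface{}) (check.Func, error) {
		p, ok := paramsInt.(Params)
		if !ok {
			return nil, fmt.Errorf("sa-token-automount: expected params of type %T, got %T", Params{}, paramsInt)
		}
		return f(p)
	}
}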