github.com/castai/kvisor@v1.7.1-0.20240516114728-b3572a2607b5/cmd/controller/state/kubelinter/customchecks/networkpolicypernamespace/networkpolicypernamespace.go (about)

     1  package networkpolicypernamespace
     2  
     3  import (
     4  	"fmt"
     5  	"strings"
     6  
     7  	"github.com/castai/kvisor/cmd/controller/state/kubelinter/customobjectkinds"
     8  	"golang.stackrox.io/kube-linter/pkg/check"
     9  	"golang.stackrox.io/kube-linter/pkg/config"
    10  	"golang.stackrox.io/kube-linter/pkg/diagnostic"
    11  	"golang.stackrox.io/kube-linter/pkg/lintcontext"
    12  	"golang.stackrox.io/kube-linter/pkg/templates"
    13  	"golang.stackrox.io/kube-linter/pkg/templates/util"
    14  	corev1 "k8s.io/api/core/v1"
    15  	networkingv1 "k8s.io/api/networking/v1"
    16  )
    17  
// Check returns the definition of the network-policy-per-namespace check.
// It is bound to the template of the same name that init registers and
// takes no parameters, so Params is an empty map.
func Check() *config.Check {
	const name = "network-policy-per-namespace"
	c := config.Check{
		Name:        name,
		Description: "Use network policies to isolate traffic in your cluster network",
		Template:    name,
		Params:      map[string]interface{}{},
	}
	return &c
}
    26  
// init registers the network-policy-per-namespace template with kube-linter.
//
// The check runs once per Namespace object and reports a diagnostic when no
// NetworkPolicy in the lint context belongs to that namespace. It is a
// presence check only: the matching policy's podSelector and rules are not
// inspected, so a policy that selects no pods or allows all traffic still
// satisfies it. Only objects returned by ctx.Objects() are consulted, so a
// namespace whose policies are not part of the lint input is reported.
func init() {
	// WithKind yields a GroupVersionKind, so name it as such.
	networkPolicyGVK := networkingv1.SchemeGroupVersion.WithKind("NetworkPolicy")

	// hasNetworkPolicy reports whether any NetworkPolicy in the lint context
	// lives in the namespace called nsName.
	hasNetworkPolicy := func(ctx lintcontext.LintContext, nsName string) bool {
		for _, obj := range ctx.Objects() {
			if obj.GetK8sObjectName().GroupVersionKind != networkPolicyGVK {
				continue
			}
			if obj.K8sObject.GetNamespace() == nsName {
				return true
			}
		}
		return false
	}

	// checkFn is the per-object check: non-Namespace objects are ignored.
	checkFn := func(ctx lintcontext.LintContext, object lintcontext.Object) []diagnostic.Diagnostic {
		ns, ok := object.K8sObject.(*corev1.Namespace)
		if !ok {
			return nil
		}
		if hasNetworkPolicy(ctx, ns.Name) {
			return nil
		}
		return []diagnostic.Diagnostic{{Message: "Namespace does not have any network policy"}}
	}

	templates.Register(check.Template{
		HumanName: "Use network policies to isolate traffic in your cluster network",
		Key:       "network-policy-per-namespace",
		SupportedObjectKinds: config.ObjectKindsDesc{
			ObjectKinds: []string{customobjectkinds.Namespace},
		},
		Parameters:             ParamDescs,
		ParseAndValidateParams: ParseAndValidate,
		// The check has no parameters, so the typed Params value is unused.
		Instantiate: WrapInstantiateFunc(func(_ Params) (check.Func, error) {
			return checkFn, nil
		}),
	})
}
    54  
// Params holds the check's parameters. The check takes none, so the struct
// is empty; it exists to satisfy the template's parse/instantiate contract.
type Params struct{}
    57  
var (
	// ParamDescs describes the check's parameters; the check has none.
	ParamDescs = []check.ParameterDesc{}

	// Keep util and fmt referenced even though no parameter code uses them.
	_ = util.MustParseParameterDesc
	_ = fmt.Sprintf
)
    65  
// Validate checks the parameter values. Since the check declares no
// parameters there is nothing to reject and the result is always nil; the
// error path is kept so a parameter added later reports every problem at
// once in a single "invalid parameters" message.
func (p *Params) Validate() error {
	var problems []string
	if len(problems) == 0 {
		return nil
	}
	return fmt.Errorf("invalid parameters: %s", strings.Join(problems, ", "))
}
    73  
// ParseAndValidate decodes m into a Params value, validates it and returns
// it. Decoding and validation errors are returned unwrapped, with a nil
// value. The result is typed interface{} because that is what the Template
// struct's ParseAndValidateParams field expects.
func ParseAndValidate(m map[string]interface{}) (interface{}, error) {
	params := Params{}
	err := util.DecodeMapStructure(m, &params)
	if err == nil {
		err = params.Validate()
	}
	if err != nil {
		return nil, err
	}
	return params, nil
}
    87  
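// WrapInstantiateFunc adapts a typed instantiate function f to the untyped
// signature the Template struct's Instantiate field expects.
//
// The returned function expects the value produced by ParseAndValidate (a
// Params value, not a pointer). If it is handed anything else it returns an
// error instead of panicking on the type assertion, so a mis-wired template
// surfaces as a normal instantiation failure.
func WrapInstantiateFunc(f func(p Params) (check.Func, error)) func(interface{}) (check.Func, error) {
	return func(paramsInt interface{}) (check.Func, error) {
		p, ok := paramsInt.(Params)
		if !ok {
			return nil, fmt.Errorf("unexpected params type %T, want %T", paramsInt, Params{})
		}
		return f(p)
	}
}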