1
0
mirror of https://github.com/stackrox/kube-linter-action.git synced 2026-07-18 13:28:08 +00:00

Update action (refactorings) (#5)

This commit is contained in:
msugakov
2021-05-10 17:57:13 +02:00
committed by GitHub
parent 0aa052e480
commit f269162ccb
8 changed files with 180 additions and 37 deletions
@@ -11,9 +11,9 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
- name: Scan repo
id: kube-lint-repo - name: Scan valid yaml with kube-linter
uses: stackrox/kube-linter-action@v1.0.0 uses: stackrox/kube-linter-action@v1.0.2
with: with:
directory: yaml directory: sample/valid-yaml
#config: .kube-linter/config.yaml config: sample/.kube-linter-config.yaml
+65
View File
@@ -0,0 +1,65 @@
# This workflow is provided for testing changes to the action.
# When developing make sure that "Scan 2 - failing" produces expected kube-linter validation logs.
name: kube-linter-action development self-test
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
test-scan-linux:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Scan 1 - succeeding
uses: ./
with:
directory: sample/valid-yaml
config: sample/.kube-linter-config.yaml
- name: Scan 2 - failing
uses: ./
with:
directory: sample/invalid-yaml
config: sample/.kube-linter-config.yaml
continue-on-error: true
test-scan-windows:
runs-on: windows-latest
steps:
- uses: actions/checkout@v2
- name: Scan 1 - succeeding
uses: ./
with:
directory: sample/valid-yaml
config: sample/.kube-linter-config.yaml
- name: Scan 2 - failing
uses: ./
with:
directory: sample/invalid-yaml
config: sample/.kube-linter-config.yaml
continue-on-error: true
test-scan-macos:
runs-on: macos-latest
steps:
- uses: actions/checkout@v2
- name: Scan 1 - succeeding
uses: ./
with:
directory: sample/valid-yaml
config: sample/.kube-linter-config.yaml
- name: Scan 2 - failing
uses: ./
with:
directory: sample/invalid-yaml
config: sample/.kube-linter-config.yaml
continue-on-error: true
+1
View File
@@ -0,0 +1 @@
.idea/
+18 -13
View File
@@ -1,23 +1,28 @@
# kube-linter-action <p align="center"><img src="https://raw.githubusercontent.com/stackrox/kube-linter/main/images/logo/KubeLinter-horizontal.svg" width="360"></p>
This is a GitHub action for scanning Kubernetes deployment files with [kube-linter](https://github.com/stackrox/kube-linter). This includes both the action itself (.github/actions) and sample GitHub workflow (.github/workflows) and a test YAML. # kube-linter-action - KubeLinter GitHub Action
Quick deployment: This is a GitHub action for scanning Kubernetes YAML files and Helm charts in your GitHub workflow with [kube-linter](https://github.com/stackrox/kube-linter).
1. Create a new GitHub repo. ## Quickstart
2. Push all files from the `sample` directory into the repo.
3. The `kube-linter.yml` workflow will run as an action every time there's a new push to this repo.
The action takes two parameters. 1. Copy [.github/workflows/kube-linter-sample.yml](https://github.com/stackrox/kube-linter-action/tree/main/.github/workflows/kube-linter-sample.yml) file to `.github/workflows` directory in your repo.
2. Adjust scan `directory` to the location where your Kubernetes or Helm files are. See Parameters below.
``` The new workflow will run every time there's a new push to the repo.
- name: Scan repo Workflow will fail if kube-linter detects issues. You'll find issues in the output of `kube-linter-action`.
id: kube-lint-repo
uses: stackrox/kube-linter-action@v1 ### Example
```yaml
- name: Scan repo with kube-linter
uses: stackrox/kube-linter-action@v1.0.2
with: with:
directory: yamls directory: yamls
config: .kube-linter/config.yaml config: .kube-linter/config.yaml
``` ```
* `directory` is mandatory -- this is the directory of deployment files to scan. ### Parameters
* `config` is optional -- this is the path to a [configuration file](https://github.com/stackrox/kube-linter/blob/main/config.yaml.example) if you wish to use a non-default configuration.
* `directory` (required) - path of file or directory to scan, absolute or relative to the root of the repo.
* `config` (optional) - path to a [configuration file](https://docs.kubelinter.io/#/configuring-kubelinter) if you wish to use a non-default configuration.
+25 -15
View File
@@ -1,11 +1,11 @@
name: 'kube-linter' name: 'kube-linter'
description: 'Scan directory with kube-linter' description: 'Scan directory or file with kube-linter'
branding: branding:
icon: 'check-circle' icon: 'check-circle'
color: 'green' color: 'green'
inputs: inputs:
directory: directory:
description: 'Directory to scan ' description: 'Directory or file to scan'
required: true required: true
config: config:
description: 'Path to config file' description: 'Path to config file'
@@ -17,25 +17,35 @@ inputs:
runs: runs:
using: "composite" using: "composite"
steps: steps:
- name: Download latest kube-linter - name: Download the latest kube-linter
run: | run: |
LOCATION=$(curl -s https://api.github.com/repos/stackrox/kube-linter/releases/latest \ set -euo pipefail
| grep "tag_name" \ case "${{ runner.os }}" in
| awk '{print "https://github.com/stackrox/kube-linter/releases/download/" substr($2, 2, length($2)-3) "/kube-linter-linux.tar.gz"}') macOS) OS=darwin ;;
curl -s -L -o kube-linter-linux.tar.gz $LOCATION Windows) OS=windows ;;
tar -xf kube-linter-linux.tar.gz -C "${GITHUB_WORKSPACE}/" *) OS=linux ;;
esac
RELEASE_INFO=$(curl --silent --show-error --fail https://api.github.com/repos/stackrox/kube-linter/releases/latest)
RELEASE_NAME=$(echo "${RELEASE_INFO}" | jq --raw-output ".name")
LOCATION=$(echo "${RELEASE_INFO}" \
| jq --raw-output ".assets[].browser_download_url" \
| grep --fixed-strings kube-linter-${OS}.tar.gz)
TARGET=kube-linter-${OS}-${RELEASE_NAME}.tar.gz
# Skip downloading release if downloaded already, e.g. when the action is used multiple times.
if [ ! -e $TARGET ]; then
curl --silent --show-error --fail --location --output $TARGET "$LOCATION"
tar -xf $TARGET
fi
shell: bash shell: bash
- name: Lint files - name: Lint files
id: lint
run: | run: |
set -u
set +e set +e
cd "${GITHUB_WORKSPACE}"
if [ -z ${{ inputs.config }} ]; then if [ -z ${{ inputs.config }} ]; then
export CONFIG="" CONFIG=""
else else
export CONFIG="--config ${{ inputs.config }}" CONFIG="--config ${{ inputs.config }}"
fi fi
./kube-linter $CONFIG lint ${{ inputs.directory }} 2>&1 | tee ${{ inputs.output-file }} ./kube-linter $CONFIG lint ${{ inputs.directory }} 2>&1 | tee -a ${{ inputs.output-file }}
result_code=${PIPESTATUS[0]} exit ${PIPESTATUS[0]}
exit $result_code
shell: bash shell: bash
+17
View File
@@ -0,0 +1,17 @@
# customChecks defines custom checks.
customChecks:
- name: "required-annotation-team"
template: "required-annotation"
params:
key: "team"
remediation: "Add a team annotation to your object"
checks:
# if doNotAutoAddDefaults is true, default checks are not automatically added.
doNotAutoAddDefaults: false
# include explicitly adds checks, by name. You can reference any of the built-in checks.
# Note that customChecks defined above are included automatically.
include: [ ]
# exclude explicitly excludes checks, by name. exclude has the highest priority: if a check is
# in exclude, then it is not considered, even if it is in include as well.
exclude: [ ]
+45
View File
@@ -0,0 +1,45 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: compliant
namespace: my-namespace
annotations:
team: database
spec:
replicas: 1
minReadySeconds: 15
selector:
matchLabels:
app: compliant
strategy:
type: Recreate
template:
metadata:
namespace: my-namespace
labels:
app: compliant
spec:
serviceAccountName: my-service-account
containers:
- image: nginx:latest
name: nginx
securityContext:
runAsNonRoot: true
readOnlyRootFilesystem: true
resources:
requests:
memory: "1Gi"
cpu: "1"
limits:
memory: "4Gi"
cpu: "2"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: my-service-account
namespace: my-namespace
labels:
app.kubernetes.io/name: my-app
annotations:
team: database