Update action (refactorings) (#5)
@@ -11,9 +11,9 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Scan repo
|
||||
id: kube-lint-repo
|
||||
uses: stackrox/kube-linter-action@v1.0.0
|
||||
|
||||
- name: Scan valid yaml with kube-linter
|
||||
uses: stackrox/kube-linter-action@v1.0.2
|
||||
with:
|
||||
directory: yaml
|
||||
#config: .kube-linter/config.yaml
|
||||
directory: sample/valid-yaml
|
||||
config: sample/.kube-linter-config.yaml
|
||||
Executable
+65
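--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,65 @@
+# This workflow is provided for testing changes to the action.
+# When developing make sure that "Scan 2 - failing" produces expected kube-linter validation logs.
+
+name: kube-linter-action development self-test
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  test-scan-linux:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Scan 1 - succeeding
+        uses: ./
+        with:
+          directory: sample/valid-yaml
+          config: sample/.kube-linter-config.yaml
+
+      - name: Scan 2 - failing
+        uses: ./
+        with:
+          directory: sample/invalid-yaml
+          config: sample/.kube-linter-config.yaml
+        continue-on-error: true
+
+  test-scan-windows:
+    runs-on: windows-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Scan 1 - succeeding
+        uses: ./
+        with:
+          directory: sample/valid-yaml
+          config: sample/.kube-linter-config.yaml
+
+      - name: Scan 2 - failing
+        uses: ./
+        with:
+          directory: sample/invalid-yaml
+          config: sample/.kube-linter-config.yaml
+        continue-on-error: true
+
+  test-scan-macos:
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Scan 1 - succeeding
+        uses: ./
+        with:
+          directory: sample/valid-yaml
+          config: sample/.kube-linter-config.yaml
+
+      - name: Scan 2 - failing
+        uses: ./
+        with:
+          directory: sample/invalid-yaml
+          config: sample/.kube-linter-config.yaml
+        continue-on-error: true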
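Review bot: `continue-on-error: true` on the "Scan 2 - failing" steps lets each job succeed whether or not the scan actually fails, so this self-test cannot catch a regression where the action stops reporting findings for sample/invalid-yaml; the header comment only asks the developer to read the logs. Give the step an id and assert its outcome, e.g. `id: failing-scan` on the step followed by `- run: exit 1` with `if: steps.failing-scan.outcome != 'failure'`. The Windows and macOS jobs are otherwise copies of the Linux job and could be one job with `runs-on: ${{ matrix.os }}` and an `os` matrix, which keeps the three in sync. Since the action fetches the newest kube-linter release at run time (see the action.yml hunk on this page), "Scan 1 - succeeding" can also start failing when an upstream default check is added, which is worth a comment next to the succeeding step.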
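--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1 @@
+.idea/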
@@ -1,23 +1,28 @@
|
||||
# kube-linter-action
|
||||
<p align="center"><img src="https://raw.githubusercontent.com/stackrox/kube-linter/main/images/logo/KubeLinter-horizontal.svg" width="360"></p>
|
||||
|
||||
This is a GitHub action for scanning Kubernetes deployment files with [kube-linter](https://github.com/stackrox/kube-linter). This includes both the action itself (.github/actions) and sample GitHub workflow (.github/workflows) and a test YAML.
|
||||
# kube-linter-action - KubeLinter GitHub Action
|
||||
|
||||
Quick deployment:
|
||||
This is a GitHub action for scanning Kubernetes YAML files and Helm charts in your GitHub workflow with [kube-linter](https://github.com/stackrox/kube-linter).
|
||||
|
||||
1. Create a new GitHub repo.
|
||||
2. Push all files from the `sample` directory into the repo.
|
||||
3. The `kube-linter.yml` workflow will run as an action every time there's a new push to this repo.
|
||||
## Quickstart
|
||||
|
||||
The action takes two parameters.
|
||||
1. Copy [.github/workflows/kube-linter-sample.yml](https://github.com/stackrox/kube-linter-action/tree/main/.github/workflows/kube-linter-sample.yml) file to `.github/workflows` directory in your repo.
|
||||
2. Adjust scan `directory` to the location where your Kubernetes or Helm files are. See Parameters below.
|
||||
|
||||
```
|
||||
- name: Scan repo
|
||||
id: kube-lint-repo
|
||||
uses: stackrox/kube-linter-action@v1
|
||||
The new workflow will run every time there's a new push to the repo.
|
||||
Workflow will fail if kube-linter detects issues. You'll find issues in the output of `kube-linter-action`.
|
||||
|
||||
### Example
|
||||
|
||||
```yaml
|
||||
- name: Scan repo with kube-linter
|
||||
uses: stackrox/kube-linter-action@v1.0.2
|
||||
with:
|
||||
directory: yamls
|
||||
config: .kube-linter/config.yaml
|
||||
```
|
||||
|
||||
* `directory` is mandatory -- this is the directory of deployment files to scan.
|
||||
* `config` is optional -- this is the path to a [configuration file](https://github.com/stackrox/kube-linter/blob/main/config.yaml.example) if you wish to use a non-default configuration.
|
||||
### Parameters
|
||||
|
||||
* `directory` (required) - path of file or directory to scan, absolute or relative to the root of the repo.
|
||||
* `config` (optional) - path to a [configuration file](https://docs.kubelinter.io/#/configuring-kubelinter) if you wish to use a non-default configuration.
|
||||
|
||||
+25
-15
@@ -1,11 +1,11 @@
|
||||
name: 'kube-linter'
|
||||
description: 'Scan directory with kube-linter'
|
||||
description: 'Scan directory or file with kube-linter'
|
||||
branding:
|
||||
icon: 'check-circle'
|
||||
color: 'green'
|
||||
inputs:
|
||||
directory:
|
||||
description: 'Directory to scan '
|
||||
description: 'Directory or file to scan'
|
||||
required: true
|
||||
config:
|
||||
description: 'Path to config file'
|
||||
@@ -17,25 +17,35 @@ inputs:
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Download latest kube-linter
|
||||
- name: Download the latest kube-linter
|
||||
run: |
|
||||
LOCATION=$(curl -s https://api.github.com/repos/stackrox/kube-linter/releases/latest \
|
||||
| grep "tag_name" \
|
||||
| awk '{print "https://github.com/stackrox/kube-linter/releases/download/" substr($2, 2, length($2)-3) "/kube-linter-linux.tar.gz"}')
|
||||
curl -s -L -o kube-linter-linux.tar.gz $LOCATION
|
||||
tar -xf kube-linter-linux.tar.gz -C "${GITHUB_WORKSPACE}/"
|
||||
set -euo pipefail
|
||||
case "${{ runner.os }}" in
|
||||
macOS) OS=darwin ;;
|
||||
Windows) OS=windows ;;
|
||||
*) OS=linux ;;
|
||||
esac
|
||||
RELEASE_INFO=$(curl --silent --show-error --fail https://api.github.com/repos/stackrox/kube-linter/releases/latest)
|
||||
RELEASE_NAME=$(echo "${RELEASE_INFO}" | jq --raw-output ".name")
|
||||
LOCATION=$(echo "${RELEASE_INFO}" \
|
||||
| jq --raw-output ".assets[].browser_download_url" \
|
||||
| grep --fixed-strings kube-linter-${OS}.tar.gz)
|
||||
TARGET=kube-linter-${OS}-${RELEASE_NAME}.tar.gz
|
||||
# Skip downloading release if downloaded already, e.g. when the action is used multiple times.
|
||||
if [ ! -e $TARGET ]; then
|
||||
curl --silent --show-error --fail --location --output $TARGET "$LOCATION"
|
||||
tar -xf $TARGET
|
||||
fi
|
||||
shell: bash
|
||||
- name: Lint files
|
||||
id: lint
|
||||
run: |
|
||||
set -u
|
||||
set +e
|
||||
cd "${GITHUB_WORKSPACE}"
|
||||
if [ -z ${{ inputs.config }} ]; then
|
||||
export CONFIG=""
|
||||
CONFIG=""
|
||||
else
|
||||
export CONFIG="--config ${{ inputs.config }}"
|
||||
CONFIG="--config ${{ inputs.config }}"
|
||||
fi
|
||||
./kube-linter $CONFIG lint ${{ inputs.directory }} 2>&1 | tee ${{ inputs.output-file }}
|
||||
result_code=${PIPESTATUS[0]}
|
||||
exit $result_code
|
||||
./kube-linter $CONFIG lint ${{ inputs.directory }} 2>&1 | tee -a ${{ inputs.output-file }}
|
||||
exit ${PIPESTATUS[0]}
|
||||
shell: bash
|
||||
|
||||
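Review bot: The "Lint files" step still expands `${{ inputs.config }}`, `${{ inputs.directory }}` and `${{ inputs.output-file }}` straight into the `run:` script, so shell metacharacters in an input are interpreted by bash instead of being passed as arguments, and the unquoted `[ -z ${{ inputs.config }} ]` misparses a path containing spaces (the `output-file` input is declared outside this hunk). The standard mitigation is to map the inputs to variables in an `env:` block on the step and reference them quoted, as in the rewrite below, which keeps the `PIPESTATUS` exit code and the `tee -a` behaviour. In the download step the archive from the latest release is extracted and later executed without a version pin and without any checksum or signature check, so each run trusts whatever is currently published; if the release ships a digest file, verifying it after the `curl` would close that gap, and a comment should at least state the assumption. `grep --fixed-strings kube-linter-${OS}.tar.gz` and the unquoted `$TARGET` built from `jq --raw-output ".name"` also assume exactly one matching asset and a release name with no whitespace; quoting `"$TARGET"` is a one-word fix for the latter.
```yaml
# … unchanged: "Download the latest kube-linter" step …
    - name: Lint files
      id: lint
      env:
        KUBE_LINTER_CONFIG: ${{ inputs.config }}
        KUBE_LINTER_DIRECTORY: ${{ inputs.directory }}
        KUBE_LINTER_OUTPUT_FILE: ${{ inputs.output-file }}
      run: |
        set -u
        set +e
        cd "${GITHUB_WORKSPACE}"
        # Inputs arrive via env, never via template expansion, so they are data, not script.
        # The ${VAR:+...} form adds "--config <path>" as two words only when a config is set.
        ./kube-linter ${KUBE_LINTER_CONFIG:+--config "${KUBE_LINTER_CONFIG}"} lint "${KUBE_LINTER_DIRECTORY}" 2>&1 | tee -a "${KUBE_LINTER_OUTPUT_FILE}"
        exit ${PIPESTATUS[0]}
      shell: bash
```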
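--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,17 @@
+# customChecks defines custom checks.
+customChecks:
+  - name: "required-annotation-team"
+    template: "required-annotation"
+    params:
+      key: "team"
+    remediation: "Add a team annotation to your object"
+checks:
+  # if doNotAutoAddDefaults is true, default checks are not automatically added.
+  doNotAutoAddDefaults: false
+
+  # include explicitly adds checks, by name. You can reference any of the built-in checks.
+  # Note that customChecks defined above are included automatically.
+  include: [ ]
+  # exclude explicitly excludes checks, by name. exclude has the highest priority: if a check is
+  # in exclude, then it is not considered, even if it is in include as well.
+  exclude: [ ]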
@@ -15,7 +15,7 @@ spec:
|
||||
app: nginx
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx:1.14.2
|
||||
ports:
|
||||
- containerPort: 80
|
||||
- name: nginx
|
||||
image: nginx:1.14.2
|
||||
ports:
|
||||
- containerPort: 80
|
||||
Executable
+45
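--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: compliant
+  namespace: my-namespace
+  annotations:
+    team: database
+spec:
+  replicas: 1
+  minReadySeconds: 15
+  selector:
+    matchLabels:
+      app: compliant
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      namespace: my-namespace
+      labels:
+        app: compliant
+    spec:
+      serviceAccountName: my-service-account
+      containers:
+        - image: nginx:latest
+          name: nginx
+          securityContext:
+            runAsNonRoot: true
+            readOnlyRootFilesystem: true
+          resources:
+            requests:
+              memory: "1Gi"
+              cpu: "1"
+            limits:
+              memory: "4Gi"
+              cpu: "2"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: my-service-account
+  namespace: my-namespace
+  labels:
+    app.kubernetes.io/name: my-app
+  annotations:
+    team: database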
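Review bot: `image: nginx:latest` in the "compliant" sample is a floating tag, and the container's securityContext sets `runAsNonRoot` and `readOnlyRootFilesystem` but neither `allowPrivilegeEscalation: false` nor a `capabilities: drop: [ALL]`, so the file demonstrates a weaker baseline than its name and the "Scan 1 - succeeding" role suggest. Because the action downloads the newest kube-linter release at run time, this sample only keeps passing as long as none of those become a default check; I cannot tell from the page which checks the current default set includes. Pinning the tag (the sibling sample on this page uses `image: nginx:1.14.2`) and adding the two fields above makes the sample both a better example and more stable against upstream changes.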