feat: check readonly filesystem on containers #57

juev · 2025-01-14T11:18:16Z

refactor: consolidate duplicate code
added checks for readonly filesystem on containers (fixed: deckhouse/deckhouse#4690)
remove panics

juev · 2025-01-14T12:43:28Z

Checked locally, partial result:

🐒 [#k8s-resources]
        Message - Container's SecurityContext has `ReadOnlyRootFilesystem: false`, but it must be `true`
        Object  - kind = Deployment ; name = terraform-auto-converger ; namespace = d8-system ; container = converger
        Module  - terraform-manager

🐒 [#k8s-resources]
        Message - Container's SecurityContext has `ReadOnlyRootFilesystem: false`, but it must be `true`
        Object  - kind = Deployment ; name = terraform-state-exporter ; namespace = d8-system ; container = exporter
        Module  - terraform-manager

🐒 [#images]
        Message - Use `from:` or `fromImage:` and `final: false` directives instead of `artifact:` in the werf file
        Object  - /Users/devsyukov/src/github.com/deckhouse/deckhouse-test-modules/modules/500-upmeter/images/smoke-mini/werf.inc.yaml
        Module  - upmeter
        Value   - .Images.BASE_GOLANG_20_ALPINE

🐒 [#images]
        Message - Use `from:` or `fromImage:` and `final: false` directives instead of `artifact:` in the werf file
        Object  - /Users/devsyukov/src/github.com/deckhouse/deckhouse-test-modules/modules/500-upmeter/images/status/werf.inc.yaml
        Module  - upmeter
        Value   - node:14-alpine3.12@sha256:426384fb33a11d27dbbdc545f39bb8daacd3e7db7c60b52cd6bc0597e0045b8d

🐒 [#images]
        Message - Use `from:` or `fromImage:` and `final: false` directives instead of `artifact:` in the werf file
        Object  - /Users/devsyukov/src/github.com/deckhouse/deckhouse-test-modules/modules/500-upmeter/images/upmeter/werf.inc.yaml
        Module  - upmeter
        Value   - .Images.BASE_GOLANG_20_ALPINE

🐒 [#images]
        Message - Use `from:` or `fromImage:` and `final: false` directives instead of `artifact:` in the werf file
        Object  - /Users/devsyukov/src/github.com/deckhouse/deckhouse-test-modules/modules/500-upmeter/images/webui/werf.inc.yaml
        Module  - upmeter
        Value   - node:14-alpine3.12@sha256:426384fb33a11d27dbbdc545f39bb8daacd3e7db7c60b52cd6bc0597e0045b8d

🐒 [#k8s-resources]
        Message - Container's SecurityContext missing parameter ReadOnlyRootFilesystem
        Object  - kind = DaemonSet ; name = upmeter-agent ; namespace = d8-upmeter ; container = chown-volume-data
        Module  - upmeter

pkg/linters/container/rules.go

pkg/linters/k8s-resources/rules.go

refactor: consolidate duplicate code remove panics

…s resource kinds

…and rulesEx handling

juev requested a review from yalosev January 14, 2025 11:18

juev self-assigned this Jan 14, 2025

juev requested a review from ldmonster January 14, 2025 11:19

juev marked this pull request as ready for review January 14, 2025 12:43

ldmonster reviewed Jan 15, 2025

View reviewed changes

pkg/linters/container/rules.go Show resolved Hide resolved

ldmonster reviewed Jan 15, 2025

View reviewed changes

pkg/linters/container/rules.go Outdated Show resolved Hide resolved

ldmonster reviewed Jan 15, 2025

View reviewed changes

pkg/linters/k8s-resources/rules.go Show resolved Hide resolved

juev requested a review from ldmonster January 20, 2025 09:48

ldmonster approved these changes Jan 20, 2025

View reviewed changes

yalosev approved these changes Jan 24, 2025

View reviewed changes

juev added 5 commits January 27, 2025 11:18

feat: check readonly filesystem on containers

3bf57a2

refactor: consolidate duplicate code remove panics

fix: enhance security context checks for containers

d663fe0

feat: add support for priority class validation in specific Kubernete…

9a6060d

…s resource kinds

fix: update isContentMatching function to include content comparison …

1aab6b8

…and rulesEx handling

fix: update image pull policy check to use v1.PullAlways constant

271e5cc

juev force-pushed the feature/ro-root-file-system branch from 7afb190 to 271e5cc Compare January 27, 2025 08:18

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: check readonly filesystem on containers #57

feat: check readonly filesystem on containers #57

juev commented Jan 14, 2025

juev commented Jan 14, 2025

feat: check readonly filesystem on containers #57

Are you sure you want to change the base?

feat: check readonly filesystem on containers #57

Conversation

juev commented Jan 14, 2025

juev commented Jan 14, 2025