From b011f559e911ef351de448c09055299b60af3226 Mon Sep 17 00:00:00 2001
From: dark0dave
Date: Thu, 2 May 2024 21:18:44 +0100
Subject: [PATCH] feat(k8s1.32): Add rego for v1.32 deprecations
Signed-off-by: dark0dave
---
.github/workflows/main.yaml | 19 +++-
fixtures/flowschema-v1beta3.yaml | 30 +++++++
.../prioritylevelconfiguration-v1beta3.yaml | 14 ++++
go.mod | 13 ++-
pkg/collector/cluster.go | 82 +++++++++----------
pkg/rules/rego/deprecated-1-32.rego | 49 +++++++++++
test/rules_132_test.go | 14 ++++
7 files changed, 164 insertions(+), 57 deletions(-)
create mode 100644 fixtures/flowschema-v1beta3.yaml
create mode 100644 fixtures/prioritylevelconfiguration-v1beta3.yaml
create mode 100644 pkg/rules/rego/deprecated-1-32.rego
create mode 100644 test/rules_132_test.go
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 8bf9ec47..438c28ab 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -102,13 +102,14 @@ jobs:
 "kindest/node:v1.19.16",
 "kindest/node:v1.20.15",
 "kindest/node:v1.21.14",
- "kindest/node:v1.22.15",
- "kindest/node:v1.23.13",
- "kindest/node:v1.24.7",
- "kindest/node:v1.25.3",
- "kindest/node:v1.26.6",
- "kindest/node:v1.27.3",
- "kindest/node:v1.28.0"
+ "kindest/node:v1.22.17",
+ "kindest/node:v1.23.17",
+ "kindest/node:v1.24.17",
+ "kindest/node:v1.25.16",
+ "kindest/node:v1.26.14",
+ "kindest/node:v1.27.11",
+ "kindest/node:v1.28.7",
+ "kindest/node:v1.29.2"
 ]
 steps:
 - name: Checkout
@@ -121,14 +122,14 @@ jobs:
 name: release-artifacts-linux-amd64
 path: release-artifacts
 - name: Create k8s Kind Cluster
- uses: helm/kind-action@v1.4.0
+ uses: helm/kind-action@v1.10.0
 with:
 node_image: ${{ matrix.k8s_version }}
 cluster_name: kubent-test-cluster
 - name: run integration test
 run: |
 tar xvzf release-artifacts/kubent-*-linux-amd64.tar.gz
- kubectl version --short
+ kubectl version
 kubectl cluster-info --context kind-kubent-test-cluster
 ./kubent
 create-release:
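Review bot: In the second hunk, `uses: helm/kind-action@v1.10.0` pins the action to a mutable tag, so the job executes whatever commit that tag resolves to on the day it runs; pinning to the full commit SHA with the version kept as a trailing comment (`uses: helm/kind-action@<full-commit-sha> # v1.10.0`, SHA to be taken from the action's release) makes the third-party step immutable and lets later diffs show exactly what changed. The same consideration applies to any other `uses:` lines in this workflow outside the hunk. The node-image bump in the first hunk and the `kubectl version` flag change need nothing further.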
diff --git a/fixtures/flowschema-v1beta3.yaml b/fixtures/flowschema-v1beta3.yaml
new file mode 100644
index 00000000..c71dd69e
--- /dev/null
+++ b/fixtures/flowschema-v1beta3.yaml
@@ -0,0 +1,30 @@
+apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
+kind: FlowSchema
+metadata:
+ name: service-accounts-test
+spec:
+ distinguisherMethod:
+ type: ByUser
+ matchingPrecedence: 9000
+ priorityLevelConfiguration:
+ name: workload-medium
+ rules:
+ - nonResourceRules:
+ - nonResourceURLs:
+ - '*'
+ verbs:
+ - '*'
+ resourceRules:
+ - apiGroups:
+ - '*'
+ clusterScope: true
+ namespaces:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - '*'
+ subjects:
+ - group:
+ name: system:serviceaccounts
+ kind: Group
diff --git a/fixtures/prioritylevelconfiguration-v1beta3.yaml b/fixtures/prioritylevelconfiguration-v1beta3.yaml
new file mode 100644
index 00000000..bcc76704
--- /dev/null
+++ b/fixtures/prioritylevelconfiguration-v1beta3.yaml
@@ -0,0 +1,14 @@
+apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
+kind: PriorityLevelConfiguration
+metadata:
+ name: workload-medium
+spec:
+ limited:
+ assuredConcurrencyShares: 70
+ limitResponse:
+ queuing:
+ handSize: 6
+ queueLengthLimit: 50
+ queues: 128
+ type: Queue
+ type: Limited
diff --git a/go.mod b/go.mod
index bb77d0ee..ee585725 100644
--- a/go.mod
+++ b/go.mod
@@ -6,12 +6,12 @@ toolchain go1.22.1
 require (
 github.com/ghodss/yaml v1.0.0
- github.com/hashicorp/go-version v1.6.0
+ github.com/hashicorp/go-version v1.7.0
 github.com/open-policy-agent/opa v0.64.1
- github.com/rs/zerolog v1.32.0
+ github.com/rs/zerolog v1.33.0
 github.com/spf13/pflag v1.0.5
 helm.sh/helm/v3 v3.13.3
- k8s.io/apimachinery v0.28.4
+ k8s.io/apimachinery v0.30.2
 k8s.io/client-go v0.28.4 // Change me and break everything
 k8s.io/klog/v2 v2.120.1
 )
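Review bot: The first go.mod hunk moves `k8s.io/apimachinery` to `v0.30.2` while `k8s.io/client-go v0.28.4` stays on the old minor in the same block (and `k8s.io/api v0.28.4` in the later hunk), so the module graph now mixes two Kubernetes library release lines; the k8s.io modules are published in lockstep and are not guaranteed to interoperate across minors, which is presumably what the `// Change me and break everything` comment is warning about. Either keep `k8s.io/apimachinery v0.28.4` until `client-go` can move, or bump `client-go`, `api` and `apiextensions-apiserver` together with it and let `go mod tidy` settle the indirect requirements. The two fixture hunks above are test data and need nothing.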
@@ -38,7 +38,6 @@ require (
 github.com/gogo/protobuf v1.3.2 // indirect
 github.com/golang/protobuf v1.5.4 // indirect
 github.com/google/gnostic-models v0.6.8 // indirect
- github.com/google/go-cmp v0.6.0 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
 github.com/google/uuid v1.6.0 // indirect
 github.com/gorilla/mux v1.8.1 // indirect
@@ -87,9 +86,9 @@ require (
 gopkg.in/yaml.v3 v3.0.1 // indirect
 k8s.io/api v0.28.4 // indirect
 k8s.io/apiextensions-apiserver v0.28.4 // indirect
- k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
- k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
+ k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
+ k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
- sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+ sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 sigs.k8s.io/yaml v1.4.0 // indirect
 )
diff --git a/pkg/collector/cluster.go b/pkg/collector/cluster.go
index 6ce73904..22373b37 100644
--- a/pkg/collector/cluster.go
+++ b/pkg/collector/cluster.go
@@ -71,47 +71,47 @@ func NewClusterCollector(opts *ClusterOpts, additionalKinds []string, additional
 func (c *ClusterCollector) Get() ([]map[string]interface{}, error) {
 gvrs := []schema.GroupVersionResource{
- schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "daemonsets"},
- schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
- schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "replicasets"},
- schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "statefulsets"},
- schema.GroupVersionResource{Group: "networking.k8s.io", Version: "v1", Resource: "networkpolicies"},
- schema.GroupVersionResource{Group: "policy", Version: "v1beta1", Resource: "podsecuritypolicies"},
- schema.GroupVersionResource{Group: "networking.k8s.io", Version: "v1", Resource: "ingresses"},
- schema.GroupVersionResource{Group: "networking.k8s.io", Version: "v1", Resource: "ingressclasses"},
- schema.GroupVersionResource{Group: "storage.k8s.io", Version: "v1", Resource: "csidrivers"},
- schema.GroupVersionResource{Group: "storage.k8s.io", Version: "v1", Resource: "csinodes"},
- schema.GroupVersionResource{Group: "storage.k8s.io", Version: "v1", Resource: "storageclasses"},
- schema.GroupVersionResource{Group: "storage.k8s.io", Version: "v1", Resource: "volumeattachments"},
- schema.GroupVersionResource{Group: "storage.k8s.io", Version: "v1", Resource: "csistoragecapacities"},
- schema.GroupVersionResource{Group: "scheduling.k8s.io", Version: "v1", Resource: "priorityclasses"},
- schema.GroupVersionResource{Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "clusterroles"},
- schema.GroupVersionResource{Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "clusterrolebindings"},
- schema.GroupVersionResource{Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "roles"},
- schema.GroupVersionResource{Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "rolebindings"},
- schema.GroupVersionResource{Group: "coordination.k8s.io", Version: "v1", Resource: "leases"},
- schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1", Resource: "subjectaccessreviews"},
- schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1", Resource: "selfsubjectaccessreviews"},
- schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1", Resource: "localsubjectaccessreviews"},
- schema.GroupVersionResource{Group: "authentication.k8s.io", Version: "v1", Resource: "tokenreviews"},
- schema.GroupVersionResource{Group: "certificates.k8s.io", Version: "v1", Resource: "certificatesigningrequests"},
- schema.GroupVersionResource{Group: "apiregistration.k8s.io", Version: "v1", Resource: "apiservices"},
- schema.GroupVersionResource{Group: "apiextensions.k8s.io", Version: "v1", Resource: "customresourcedefinitions"},
- schema.GroupVersionResource{Group: "admissionregistration.k8s.io", Version: "v1", Resource: "mutatingwebhookconfigurations"},
- schema.GroupVersionResource{Group: "admissionregistration.k8s.io", Version: "v1", Resource: "validatingwebhookconfigurations"},
- schema.GroupVersionResource{Group: "node.k8s.io", Version: "v1", Resource: "runtimeclasses"},
- schema.GroupVersionResource{Group: "policy", Version: "v1", Resource: "poddisruptionbudgets"},
- schema.GroupVersionResource{Group: "policy", Version: "v1beta1", Resource: "podsecuritypolicies"},
- schema.GroupVersionResource{Group: "discovery.k8s.io", Version: "v1", Resource: "endpointslices"},
- schema.GroupVersionResource{Group: "batch", Version: "v1", Resource: "cronjobs"},
- schema.GroupVersionResource{Group: "autoscaling", Version: "v2", Resource: "horizontalpodautoscalers"},
- schema.GroupVersionResource{Group: "snapshot.storage.k8s.io", Version: "v1", Resource: "volumesnapshots"},
- schema.GroupVersionResource{Group: "snapshot.storage.k8s.io", Version: "v1", Resource: "volumesnapshotclasses"},
- schema.GroupVersionResource{Group: "snapshot.storage.k8s.io", Version: "v1", Resource: "volumesnapshotcontents"},
- schema.GroupVersionResource{Group: "flowcontrol.apiserver.k8s.io", Version: "v1beta2", Resource: "flowschemas"},
- schema.GroupVersionResource{Group: "flowcontrol.apiserver.k8s.io", Version: "v1beta2", Resource: "prioritylevelconfigurations"},
- schema.GroupVersionResource{Group: "flowcontrol.apiserver.k8s.io", Version: "v1beta3", Resource: "flowschemas"},
- schema.GroupVersionResource{Group: "flowcontrol.apiserver.k8s.io", Version: "v1beta3", Resource: "prioritylevelconfigurations"},
+ {Group: "apps", Version: "v1", Resource: "daemonsets"},
+ {Group: "apps", Version: "v1", Resource: "deployments"},
+ {Group: "apps", Version: "v1", Resource: "replicasets"},
+ {Group: "apps", Version: "v1", Resource: "statefulsets"},
+ {Group: "networking.k8s.io", Version: "v1", Resource: "networkpolicies"},
+ {Group: "policy", Version: "v1beta1", Resource: "podsecuritypolicies"},
+ {Group: "networking.k8s.io", Version: "v1", Resource: "ingresses"},
+ {Group: "networking.k8s.io", Version: "v1", Resource: "ingressclasses"},
+ {Group: "storage.k8s.io", Version: "v1", Resource: "csidrivers"},
+ {Group: "storage.k8s.io", Version: "v1", Resource: "csinodes"},
+ {Group: "storage.k8s.io", Version: "v1", Resource: "storageclasses"},
+ {Group: "storage.k8s.io", Version: "v1", Resource: "volumeattachments"},
+ {Group: "storage.k8s.io", Version: "v1", Resource: "csistoragecapacities"},
+ {Group: "scheduling.k8s.io", Version: "v1", Resource: "priorityclasses"},
+ {Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "clusterroles"},
+ {Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "clusterrolebindings"},
+ {Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "roles"},
+ {Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "rolebindings"},
+ {Group: "coordination.k8s.io", Version: "v1", Resource: "leases"},
+ {Group: "authorization.k8s.io", Version: "v1", Resource: "subjectaccessreviews"},
+ {Group: "authorization.k8s.io", Version: "v1", Resource: "selfsubjectaccessreviews"},
+ {Group: "authorization.k8s.io", Version: "v1", Resource: "localsubjectaccessreviews"},
+ {Group: "authentication.k8s.io", Version: "v1", Resource: "tokenreviews"},
+ {Group: "certificates.k8s.io", Version: "v1", Resource: "certificatesigningrequests"},
+ {Group: "apiregistration.k8s.io", Version: "v1", Resource: "apiservices"},
+ {Group: "apiextensions.k8s.io", Version: "v1", Resource: "customresourcedefinitions"},
+ {Group: "admissionregistration.k8s.io", Version: "v1", Resource: "mutatingwebhookconfigurations"},
+ {Group: "admissionregistration.k8s.io", Version: "v1", Resource: "validatingwebhookconfigurations"},
+ {Group: "node.k8s.io", Version: "v1", Resource: "runtimeclasses"},
+ {Group: "policy", Version: "v1", Resource: "poddisruptionbudgets"},
+ {Group: "policy", Version: "v1beta1", Resource: "podsecuritypolicies"},
+ {Group: "discovery.k8s.io", Version: "v1", Resource: "endpointslices"},
+ {Group: "batch", Version: "v1", Resource: "cronjobs"},
+ {Group: "autoscaling", Version: "v2", Resource: "horizontalpodautoscalers"},
+ {Group: "snapshot.storage.k8s.io", Version: "v1", Resource: "volumesnapshots"},
+ {Group: "snapshot.storage.k8s.io", Version: "v1", Resource: "volumesnapshotclasses"},
+ {Group: "snapshot.storage.k8s.io", Version: "v1", Resource: "volumesnapshotcontents"},
+ {Group: "flowcontrol.apiserver.k8s.io", Version: "v1beta2", Resource: "flowschemas"},
+ {Group: "flowcontrol.apiserver.k8s.io", Version: "v1beta2", Resource: "prioritylevelconfigurations"},
+ {Group: "flowcontrol.apiserver.k8s.io", Version: "v1beta3", Resource: "flowschemas"},
+ {Group: "flowcontrol.apiserver.k8s.io", Version: "v1beta3", Resource: "prioritylevelconfigurations"},
 }
 gvrs = append(gvrs, c.additionalResources...)
diff --git a/pkg/rules/rego/deprecated-1-32.rego b/pkg/rules/rego/deprecated-1-32.rego
new file mode 100644
index 00000000..11a16edf
--- /dev/null
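Review bot: The rebuilt list still carries `{Group: "policy", Version: "v1beta1", Resource: "podsecuritypolicies"}` twice (once after `networkpolicies`, again after `poddisruptionbudgets`), so `Get` queries that GVR twice and, unless results are deduplicated further down (not visible in this hunk), every PodSecurityPolicy finding is reported twice; drop the second entry. The switch to type-elided composite literals is the right change and matches what `gofmt -s` produces. `Get` continues past the end of the hunk; a short comment above the slice would help readers, e.g. `// Built-in GVRs to collect; c.additionalResources is appended below.`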
+++ b/pkg/rules/rego/deprecated-1-32.rego
@@ -0,0 +1,49 @@
+package deprecated132
+
+main[return] {
+ resource := input[_]
+ api := deprecated_resource(resource)
+ return := {
+ "Name": get_default(resource.metadata, "name", ""),
+ # Namespace does not have to be defined in case of local manifests
+ "Namespace": get_default(resource.metadata, "namespace", ""),
+ "Kind": resource.kind,
+ "ApiVersion": api.old,
+ "ReplaceWith": api.new,
+ "RuleSet": "Deprecated APIs removed in 1.32",
+ "Since": api.since,
+ }
+}
+
+deprecated_resource(r) = api {
+ api := deprecated_api(r.kind, r.apiVersion)
+}
+
+deprecated_api(kind, api_version) = api {
+ deprecated_apis = {
+ "FlowSchema": {
+ "old": ["flowcontrol.apiserver.k8s.io/v1beta3"],
+ "new": "flowcontrol.apiserver.k8s.io/v1",
+ "since": "1.32",
+ },
+ "PriorityLevelConfiguration": {
+ "old": ["flowcontrol.apiserver.k8s.io/v1beta3"],
+ "new": "flowcontrol.apiserver.k8s.io/v1",
+ "since": "1.32",
+ },
+ }
+
+ deprecated_apis[kind].old[_] == api_version
+
+ api := {
+ "old": api_version,
+ "new": deprecated_apis[kind].new,
+ "since": deprecated_apis[kind].since,
+ }
+}
+
+get_default(val, key, _) = val[key]
+
+get_default(val, key, fallback) = fallback {
+ not val[key]
+}
diff --git a/test/rules_132_test.go b/test/rules_132_test.go
new file mode 100644
index 00000000..98c1fbde
--- /dev/null
+++ b/test/rules_132_test.go
@@ -0,0 +1,14 @@
+package test
+
+import (
+ "testing"
+)
+
+func TestRego132(t *testing.T) {
+ testCases := []resourceFixtureTestCase{
+ {"FlowSchema", []string{"../fixtures/flowschema-v1beta3.yaml"}, []string{"FlowSchema"}},
+ {"PriorityLevelConfiguration", []string{"../fixtures/prioritylevelconfiguration-v1beta3.yaml"}, []string{"PriorityLevelConfiguration"}},
+ }
+
+ testResourcesUsingFixtures(t, testCases)
+}
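Review bot: `TestRego132` only exercises fixtures that must produce a finding; nothing asserts that a `FlowSchema` or `PriorityLevelConfiguration` already on `flowcontrol.apiserver.k8s.io/v1` is left alone, so a regression in the rego that matched on kind alone would still pass. Adding a v1 fixture with an empty expected-kinds slice, e.g. `{"FlowSchemaV1", []string{"../fixtures/flowschema-v1.yaml"}, []string{}},` (fixture name illustrative), would cover the negative path, assuming `testResourcesUsingFixtures` and `resourceFixtureTestCase`, which are defined outside this hunk, treat an empty expectation as no findings.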