diff --git a/fixtures/csistoragecapacity-v1beta1.yaml b/fixtures/csistoragecapacity-v1beta1.yaml
new file mode 100644
index 00000000..a2e6875b
--- /dev/null
+++ b/fixtures/csistoragecapacity-v1beta1.yaml
@@ -0,0 +1,5 @@
+kind: CSIStorageCapacity
+apiVersion: storage.k8s.io/v1beta1
+metadata:
+ name: my-csi-capacity
+storageClassName: gp2
diff --git a/fixtures/flowschema-v1beta1.yaml b/fixtures/flowschema-v1beta1.yaml
new file mode 100644
index 00000000..8d141cfd
--- /dev/null
+++ b/fixtures/flowschema-v1beta1.yaml
@@ -0,0 +1,30 @@
+apiVersion: flowcontrol.apiserver.k8s.io/v1beta1
+kind: FlowSchema
+metadata:
+ name: service-accounts-test
+spec:
+ distinguisherMethod:
+ type: ByUser
+ matchingPrecedence: 9000
+ priorityLevelConfiguration:
+ name: workload-medium
+ rules:
+ - nonResourceRules:
+ - nonResourceURLs:
+ - '*'
+ verbs:
+ - '*'
+ resourceRules:
+ - apiGroups:
+ - '*'
+ clusterScope: true
+ namespaces:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - '*'
+ subjects:
+ - group:
+ name: system:serviceaccounts
+ kind: Group
diff --git a/fixtures/flowschema-v1beta2.yaml b/fixtures/flowschema-v1beta2.yaml
new file mode 100644
index 00000000..cec5e531
--- /dev/null
+++ b/fixtures/flowschema-v1beta2.yaml
@@ -0,0 +1,30 @@
+apiVersion: flowcontrol.apiserver.k8s.io/v1beta2
+kind: FlowSchema
+metadata:
+ name: service-accounts-test
+spec:
+ distinguisherMethod:
+ type: ByUser
+ matchingPrecedence: 9000
+ priorityLevelConfiguration:
+ name: workload-medium
+ rules:
+ - nonResourceRules:
+ - nonResourceURLs:
+ - '*'
+ verbs:
+ - '*'
+ resourceRules:
+ - apiGroups:
+ - '*'
+ clusterScope: true
+ namespaces:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - '*'
+ subjects:
+ - group:
+ name: system:serviceaccounts
+ kind: Group
diff --git a/fixtures/prioritylevelconfiguration-v1beta1.yaml b/fixtures/prioritylevelconfiguration-v1beta1.yaml
new file mode 100644
index 00000000..6a12f601
--- /dev/null
+++ b/fixtures/prioritylevelconfiguration-v1beta1.yaml
@@ -0,0 +1,14 @@
+apiVersion: flowcontrol.apiserver.k8s.io/v1beta1
+kind: PriorityLevelConfiguration
+metadata:
+ name: workload-medium
+spec:
+ limited:
+ assuredConcurrencyShares: 70
+ limitResponse:
+ queuing:
+ handSize: 6
+ queueLengthLimit: 50
+ queues: 128
+ type: Queue
+ type: Limited
diff --git a/fixtures/prioritylevelconfiguration-v1beta2.yaml b/fixtures/prioritylevelconfiguration-v1beta2.yaml
new file mode 100644
index 00000000..83d33bd2
--- /dev/null
+++ b/fixtures/prioritylevelconfiguration-v1beta2.yaml
@@ -0,0 +1,14 @@
+apiVersion: flowcontrol.apiserver.k8s.io/v1beta2
+kind: PriorityLevelConfiguration
+metadata:
+ name: workload-medium
+spec:
+ limited:
+ assuredConcurrencyShares: 70
+ limitResponse:
+ queuing:
+ handSize: 6
+ queueLengthLimit: 50
+ queues: 128
+ type: Queue
+ type: Limited
diff --git a/pkg/collector/cluster.go b/pkg/collector/cluster.go
index a891ead5..6ce73904 100644
--- a/pkg/collector/cluster.go
+++ b/pkg/collector/cluster.go
@@ -83,6 +83,7 @@ func (c *ClusterCollector) Get() ([]map[string]interface{}, error) {
 schema.GroupVersionResource{Group: "storage.k8s.io", Version: "v1", Resource: "csinodes"},
 schema.GroupVersionResource{Group: "storage.k8s.io", Version: "v1", Resource: "storageclasses"},
 schema.GroupVersionResource{Group: "storage.k8s.io", Version: "v1", Resource: "volumeattachments"},
+ schema.GroupVersionResource{Group: "storage.k8s.io", Version: "v1", Resource: "csistoragecapacities"},
 schema.GroupVersionResource{Group: "scheduling.k8s.io", Version: "v1", Resource: "priorityclasses"},
 schema.GroupVersionResource{Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "clusterroles"},
 schema.GroupVersionResource{Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "clusterrolebindings"},
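Review bot: In pkg/collector/cluster.go, `storage.k8s.io/v1` `csistoragecapacities` is only served from Kubernetes 1.24, and the handling of a failed list for a single entry is outside this hunk (Get() starts and ends beyond it). If a NotFound or Forbidden response for one GVR aborts the scan, an older cluster or a collector identity without `list` on the new resource would lose every other finding as well, so it is worth confirming that the loop skips and logs such entries. The same applies to the four `flowcontrol.apiserver.k8s.io` entries added in the next hunk, whose versions are each served only in part of the supported range. I would add a comment above the new entry such as `// served from 1.24; a list error for an unserved version must not fail the scan`.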
@@ -107,6 +108,10 @@ func (c *ClusterCollector) Get() ([]map[string]interface{}, error) { schema.GroupVersionResource{Group: "snapshot.storage.k8s.io", Version: "v1", Resource: "volumesnapshots"}, schema.GroupVersionResource{Group: "snapshot.storage.k8s.io", Version: "v1", Resource: "volumesnapshotclasses"}, schema.GroupVersionResource{Group: "snapshot.storage.k8s.io", Version: "v1", Resource: "volumesnapshotcontents"}, + schema.GroupVersionResource{Group: "flowcontrol.apiserver.k8s.io", Version: "v1beta2", Resource: "flowschemas"}, + schema.GroupVersionResource{Group: "flowcontrol.apiserver.k8s.io", Version: "v1beta2", Resource: "prioritylevelconfigurations"}, + schema.GroupVersionResource{Group: "flowcontrol.apiserver.k8s.io", Version: "v1beta3", Resource: "flowschemas"}, + schema.GroupVersionResource{Group: "flowcontrol.apiserver.k8s.io", Version: "v1beta3", Resource: "prioritylevelconfigurations"}, } gvrs = append(gvrs, c.additionalResources...) diff --git a/pkg/rules/rego/deprecated-1-26.rego b/pkg/rules/rego/deprecated-1-26.rego index 84d4f247..e2d0e09f 100644 --- a/pkg/rules/rego/deprecated-1-26.rego +++ b/pkg/rules/rego/deprecated-1-26.rego @@ -20,11 +20,23 @@ deprecated_resource(r) = api { } deprecated_api(kind, api_version) = api { - deprecated_apis = {"HorizontalPodAutoscaler": { - "old": ["autoscaling/v2beta2"], - "new": "autoscaling/v2", - "since": "1.23", - }} + deprecated_apis = { + "HorizontalPodAutoscaler": { + "old": ["autoscaling/v2beta2"], + "new": "autoscaling/v2", + "since": "1.23", + }, + "FlowSchema": { + "old": ["flowcontrol.apiserver.k8s.io/v1beta1"], + "new": "flowcontrol.apiserver.k8s.io/v1beta3", + "since": "1.26", + }, + "PriorityLevelConfiguration": { + "old": ["flowcontrol.apiserver.k8s.io/v1beta1"], + "new": "flowcontrol.apiserver.k8s.io/v1beta3", + "since": "1.26", + }, + } deprecated_apis[kind].old[_] == api_version 
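Review bot: In the second pkg/collector/cluster.go hunk, `flowschemas` and `prioritylevelconfigurations` are listed at both `v1beta2` and `v1beta3`; on a cluster that serves both, each call returns the same stored objects converted to the requested version. Unless results are de-duplicated further down in Get() (not visible here), every FlowSchema and PriorityLevelConfiguration would be evaluated twice and could be reported twice. Listing each resource once at a served version, or de-duplicating by UID, avoids that; if the double listing is deliberate, a short comment saying why would help.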
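Review bot: In pkg/rules/rego/deprecated-1-26.rego, the two new entries give `flowcontrol.apiserver.k8s.io/v1beta3` as `new` for `v1beta1` objects, but v1beta3 first appears in 1.26, so someone on 1.23–1.25 who runs the check before upgrading cannot apply the suggested version yet. The upstream deprecation guide names `flowcontrol.apiserver.k8s.io/v1beta2` (available since 1.23) as the migration target for v1beta1; `"new": "flowcontrol.apiserver.k8s.io/v1beta2"` with `"since": "1.23"` would pair the values the way the HorizontalPodAutoscaler entry does. The table does not say whether `since` means "deprecated since" or "replacement available since", so a one-line comment stating it would settle which reading is intended. deprecated_api continues below the hunk.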
diff --git a/pkg/rules/rego/deprecated-1-27.rego b/pkg/rules/rego/deprecated-1-27.rego
new file mode 100644
index 00000000..7595dca6
--- /dev/null
+++ b/pkg/rules/rego/deprecated-1-27.rego
@@ -0,0 +1,42 @@
+package deprecated127
+
+main[return] {
+ resource := input[_]
+ api := deprecated_resource(resource)
+ return := {
+ "Name": get_default(resource.metadata, "name", ""),
+ # Namespace does not have to be defined in case of local manifests
+ "Namespace": get_default(resource.metadata, "namespace", ""),
+ "Kind": resource.kind,
+ "ApiVersion": api.old,
+ "ReplaceWith": api.new,
+ "RuleSet": "Deprecated APIs removed in 1.27",
+ "Since": api.since,
+ }
+}
+
+deprecated_resource(r) = api {
+ api := deprecated_api(r.kind, r.apiVersion)
+}
+
+deprecated_api(kind, api_version) = api {
+ deprecated_apis = {"CSIStorageCapacity": {
+ "old": ["storage.k8s.io/v1beta1"],
+ "new": "storage.k8s.io/v1",
+ "since": "1.24",
+ }}
+
+ deprecated_apis[kind].old[_] == api_version
+
+ api := {
+ "old": api_version,
+ "new": deprecated_apis[kind].new,
+ "since": deprecated_apis[kind].since,
+ }
+}
+
+get_default(val, key, _) = val[key]
+
+get_default(val, key, fallback) = fallback {
+ not val[key]
+}
diff --git a/pkg/rules/rego/deprecated-1-29.rego b/pkg/rules/rego/deprecated-1-29.rego
new file mode 100644
index 00000000..94b0c40d
--- /dev/null
+++ b/pkg/rules/rego/deprecated-1-29.rego
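Review bot: In pkg/rules/rego/deprecated-1-27.rego, `main` calls `get_default(resource.metadata, "name", "")`, and when a manifest has no `metadata` key the argument is undefined, so the call, the `return` object and the finding itself are all undefined and the resource drops out of the results silently. For a checker that is a missed detection rather than an error; whether the collectors always populate `metadata` is not visible here. Reading the block once with a fallback, e.g. `meta := object.get(resource, "metadata", {})` and passing `meta` to both calls (if the bundled OPA version has that builtin), keeps the finding. deprecated-1-29.rego repeats the same `main` and helpers, so the point applies there as well.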
@@ -0,0 +1,49 @@ +package deprecated129 + +main[return] { + resource := input[_] + api := deprecated_resource(resource) + return := { + "Name": get_default(resource.metadata, "name", ""), + # Namespace does not have to be defined in case of local manifests + "Namespace": get_default(resource.metadata, "namespace", ""), + "Kind": resource.kind, + "ApiVersion": api.old, + "ReplaceWith": api.new, + "RuleSet": "Deprecated APIs removed in 1.29", + "Since": api.since, + } +} + +deprecated_resource(r) = api { + api := deprecated_api(r.kind, r.apiVersion) +} + +deprecated_api(kind, api_version) = api { + deprecated_apis = { + "FlowSchema": { + "old": ["flowcontrol.apiserver.k8s.io/v1beta2"], + "new": "flowcontrol.apiserver.k8s.io/v1beta3", + "since": "1.26", + }, + "PriorityLevelConfiguration": { + "old": ["flowcontrol.apiserver.k8s.io/v1beta2"], + "new": "flowcontrol.apiserver.k8s.io/v1beta3", + "since": "1.26", + }, + } + + deprecated_apis[kind].old[_] == api_version + + api := { + "old": api_version, + "new": deprecated_apis[kind].new, + "since": deprecated_apis[kind].since, + } +} + +get_default(val, key, _) = val[key] + +get_default(val, key, fallback) = fallback { + not val[key] +} diff --git a/test/rules_126_test.go b/test/rules_126_test.go index d54d5f86..8da19340 100644 --- a/test/rules_126_test.go +++ b/test/rules_126_test.go @@ -7,6 +7,8 @@ import ( func TestRego126(t *testing.T) { testCases := []resourceFixtureTestCase{ {"AutoScaler", []string{"../fixtures/autoscaler-v2beta2.yaml"}, []string{"HorizontalPodAutoscaler"}}, + {"FlowSchema", []string{"../fixtures/flowschema-v1beta1.yaml"}, []string{"FlowSchema"}}, + {"PriorityLevelConfiguration", []string{"../fixtures/prioritylevelconfiguration-v1beta1.yaml"}, []string{"PriorityLevelConfiguration"}}, } testResourcesUsingFixtures(t, testCases) diff --git a/test/rules_127_test.go b/test/rules_127_test.go new file mode 100644 index 00000000..9dc36e80 --- /dev/null +++ b/test/rules_127_test.go 
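Review bot: In pkg/rules/rego/deprecated-1-29.rego, `ReplaceWith` for both kinds is `flowcontrol.apiserver.k8s.io/v1beta3`, which is itself a beta version with a limited serving window, so manifests migrated on this advice will need another migration later. A comment on the table such as `# v1beta3 is also a beta API; update "new" once a stable version is served` would keep that follow-up visible. Apart from the table and the `RuleSet` string, the file's `main`, `deprecated_resource` and `get_default` are copied from the 1.27 rule file, so a shared helper package would remove the duplication.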
@@ -0,0 +1,13 @@
+package test
+
+import (
+ "testing"
+)
+
+func TestRego127(t *testing.T) {
+ testCases := []resourceFixtureTestCase{
+ {"CSIStorageCapacity", []string{"../fixtures/csistoragecapacity-v1beta1.yaml"}, []string{"CSIStorageCapacity"}},
+ }
+
+ testResourcesUsingFixtures(t, testCases)
+}
diff --git a/test/rules_129_test.go b/test/rules_129_test.go
new file mode 100644
index 00000000..3cdaec66
--- /dev/null
+++ b/test/rules_129_test.go
@@ -0,0 +1,14 @@
+package test
+
+import (
+ "testing"
+)
+
+func TestRego129(t *testing.T) {
+ testCases := []resourceFixtureTestCase{
+ {"FlowSchema", []string{"../fixtures/flowschema-v1beta2.yaml"}, []string{"FlowSchema"}},
+ {"PriorityLevelConfiguration", []string{"../fixtures/prioritylevelconfiguration-v1beta2.yaml"}, []string{"PriorityLevelConfiguration"}},
+ }
+
+ testResourcesUsingFixtures(t, testCases)
+}