Add support to check dnsConfig options (#358)

Co-authored-by: Travis Truman <[email protected]>
Co-authored-by: Mike Ball <[email protected]>

Author: 3 people

docs/generated/checks.md

@@ -118,6 +118,22 @@ serviceAccount: ^(|default)$
 **Remediation**: Use the serviceAccountName field instead. If you must specify serviceAccount, ensure values for serviceAccount and serviceAccountName match.
 
 **Template**: [deprecated-service-account-field](generated/templates.md#deprecated-service-account-field)
+## dnsconfig-options
+
+**Enabled by default**: No
+
+**Description**: Alert on deployments that have no specified dnsConfig options
+
+**Remediation**: Specify dnsconfig options in your Pod specification to ensure the expected DNS setting on the Pod. Refer to https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config for details.
+
+**Template**: [dnsconfig-options](generated/templates.md#dnsconfig-options)
+
+**Parameters**:
+
+```yaml
+Key: ndots
+Value: "2"
+```
 ## docker-sock
 
 **Enabled by default**: Yes

docs/generated/templates.md

@@ -187,6 +187,32 @@ KubeLinter supports the following templates:
   type: string
 ```
 
+## DnsConfig Options
+
+**Key**: `dnsconfig-options`
+
+**Description**: Flag objects that don't have specified DNSConfig Options
+
+**Supported Objects**: DeploymentLike
+
+
+**Parameters**:
+
+```yaml
+- description: Key of the dnsConfig option.
+  name: key
+  negationAllowed: true
+  regexAllowed: true
+  required: false
+  type: string
+- description: Value of the dnsConfig option.
+  name: value
+  negationAllowed: true
+  regexAllowed: true
+  required: false
+  type: string
+```
+
 ## Environment Variables
 
 **Key**: `env-var`

e2etests/bats-tests.sh

@@ -162,6 +162,25 @@ get_value_from() {
   [[ "${count}" == "2" ]]
 }
 
+@test "dnsconfig-options" {
+  tmp="tests/checks/dnsconfig-options-ndots.yml"
+  cmd="${KUBE_LINTER_BIN} lint --include dnsconfig-options --do-not-auto-add-defaults --format json ${tmp}"
+  run ${cmd}
+
+  print_info "${status}" "${output}" "${cmd}" "${tmp}"
+  [ "$status" -eq 1 ]
+
+  message1=$(get_value_from "${lines[0]}" '.Reports[0].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[0].Diagnostic.Message')
+  message2=$(get_value_from "${lines[0]}" '.Reports[1].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[1].Diagnostic.Message')
+  message3=$(get_value_from "${lines[0]}" '.Reports[2].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[2].Diagnostic.Message')
+  count=$(get_value_from "${lines[0]}" '.Reports | length')
+
+  [[ "${message1}" == "Deployment: DNSConfig Options \"ndots:2\" not found." ]]
+  [[ "${message2}" == "Deployment: Object does not define any DNSConfig Options." ]]
+  [[ "${message3}" == "Deployment: Object does not define any DNSConfig rules." ]]
+  [[ "${count}" == "3" ]]
+}
+
 @test "docker-sock" {
   tmp="tests/checks/docker-sock.yml"
   cmd="${KUBE_LINTER_BIN} lint --include docker-sock --do-not-auto-add-defaults --format json ${tmp}"

pkg/builtinchecks/yamls/dnsconfig-options.yaml

@@ -0,0 +1,12 @@
+name: "dnsconfig-options"
+description: "Alert on deployments that have no specified dnsConfig options"
+remediation: >-
+  Specify dnsconfig options in your Pod specification to ensure the expected DNS setting on the Pod.
+  Refer to https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config for details.
+scope:
+  objectKinds:
+    - DeploymentLike
+template: "dnsconfig-options"
+params:
+  Key: ndots
+  Value: "2"

pkg/templates/all/all.go

@@ -13,6 +13,7 @@ import (
 	_ "golang.stackrox.io/kube-linter/pkg/templates/danglingservice"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/deprecatedserviceaccount"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/disallowedgvk"
+	_ "golang.stackrox.io/kube-linter/pkg/templates/dnsconfigoptions"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/envvar"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/forbiddenannotation"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/hostipc"

pkg/templates/dnsconfigoptions/internal/params/gen-params.go

@@ -0,0 +1,11 @@
+package params
+
+// Params represents the params accepted by this template.
+type Params struct {
+
+	// Key of the dnsConfig option.
+	Key string
+
+	// Value of the dnsConfig option.
+	Value string
+}

pkg/templates/dnsconfigoptions/internal/params/params.go

@@ -0,0 +1,51 @@
+package dnsconfigoptions
+
+import (
+	"fmt"
+
+	"golang.stackrox.io/kube-linter/pkg/check"
+	"golang.stackrox.io/kube-linter/pkg/config"
+	"golang.stackrox.io/kube-linter/pkg/diagnostic"
+	"golang.stackrox.io/kube-linter/pkg/extract"
+	"golang.stackrox.io/kube-linter/pkg/lintcontext"
+	"golang.stackrox.io/kube-linter/pkg/objectkinds"
+	"golang.stackrox.io/kube-linter/pkg/templates"
+	"golang.stackrox.io/kube-linter/pkg/templates/dnsconfigoptions/internal/params"
+)
+
+func init() {
+	templates.Register(check.Template{
+		HumanName:   "DnsConfig Options",
+		Key:         "dnsconfig-options",
+		Description: "Flag objects that don't have specified DNSConfig Options",
+		SupportedObjectKinds: config.ObjectKindsDesc{
+			ObjectKinds: []string{objectkinds.DeploymentLike},
+		},
+		Parameters:             params.ParamDescs,
+		ParseAndValidateParams: params.ParseAndValidate,
+		Instantiate: params.WrapInstantiateFunc(func(p params.Params) (check.Func, error) {
+			return func(_ lintcontext.LintContext, object lintcontext.Object) []diagnostic.Diagnostic {
+				podTemplateSpec, found := extract.PodTemplateSpec(object.K8sObject)
+				if !found {
+					return nil
+				}
+				if podTemplateSpec.Spec.DNSConfig == nil {
+					return []diagnostic.Diagnostic{{Message: "Object does not define any DNSConfig rules."}}
+				}
+				if podTemplateSpec.Spec.DNSConfig.Options == nil {
+					return []diagnostic.Diagnostic{{Message: "Object does not define any DNSConfig Options."}}
+				}
+
+				for _, option := range podTemplateSpec.Spec.DNSConfig.Options {
+					if option.Name == p.Key && *option.Value == p.Value {
+						// Found
+						return nil
+					}
+				}
+				return []diagnostic.Diagnostic{{
+					Message: fmt.Sprintf("DNSConfig Options \"%s:%s\" not found.", p.Key, p.Value),
+				}}
+			}, nil
+		}),
+	})
+}

pkg/templates/dnsconfigoptions/template.go

@@ -0,0 +1,145 @@
+package dnsconfigoptions
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/suite"
+	"golang.stackrox.io/kube-linter/pkg/diagnostic"
+	"golang.stackrox.io/kube-linter/pkg/lintcontext/mocks"
+	"golang.stackrox.io/kube-linter/pkg/templates"
+	"golang.stackrox.io/kube-linter/pkg/templates/dnsconfigoptions/internal/params"
+	appsV1 "k8s.io/api/apps/v1"
+	v1 "k8s.io/api/core/v1"
+)
+
+func TestDnsconfigOptions(t *testing.T) {
+	suite.Run(t, new(DnsconfigOptionsTestSuite))
+}
+
+type DnsconfigOptionsTestSuite struct {
+	templates.TemplateTestSuite
+	ctx *mocks.MockLintContext
+}
+
+const (
+	templateKey    = "dnsconfig-options"
+	deploymentName = "deployment"
+	key            = "ndots"
+	value          = "2"
+)
+
+func (s *DnsconfigOptionsTestSuite) SetupTest() {
+	s.Init(templateKey)
+	s.ctx = mocks.NewMockContext()
+}
+
+func (s *DnsconfigOptionsTestSuite) TestIgnoreDnsconfigOptionsCheckOnObjectWithoutDnsconfig() {
+	s.ctx.AddMockClusterRole(s.T(), deploymentName)
+	s.Validate(s.ctx, []templates.TestCase{
+		{
+			Param:                    params.Params{Key: key, Value: value},
+			Diagnostics:              nil,
+			ExpectInstantiationError: false,
+		},
+	})
+}
+
+func (s *DnsconfigOptionsTestSuite) TestNoPodTemplateSpecDnsconfigDefined() {
+	s.ctx.AddMockDeployment(s.T(), deploymentName)
+
+	s.Validate(s.ctx, []templates.TestCase{
+		{
+			Param: params.Params{Key: key, Value: value},
+			Diagnostics: map[string][]diagnostic.Diagnostic{
+				deploymentName: {
+					{
+						Message: "Object does not define any DNSConfig rules.",
+					},
+				},
+			},
+			ExpectInstantiationError: false,
+		},
+	})
+}
+
+func (s *DnsconfigOptionsTestSuite) TestNoDnsconfigOptionsDefined() {
+	s.ctx.AddMockDeployment(s.T(), deploymentName)
+
+	s.ctx.ModifyDeployment(s.T(), deploymentName, func(deployment *appsV1.Deployment) {
+		dnsconfig := &v1.PodDNSConfig{
+			Options: nil,
+		}
+		deployment.Spec.Template.Spec.DNSConfig = dnsconfig
+	})
+
+	s.Validate(s.ctx, []templates.TestCase{
+		{
+			Param: params.Params{Key: key, Value: value},
+			Diagnostics: map[string][]diagnostic.Diagnostic{
+				deploymentName: {
+					{
+						Message: "Object does not define any DNSConfig Options.",
+					},
+				},
+			},
+			ExpectInstantiationError: false,
+		},
+	})
+}
+
+func (s *DnsconfigOptionsTestSuite) TestDnsconfigOptionsNotMatched() {
+	s.ctx.AddMockDeployment(s.T(), deploymentName)
+
+	v := "5"
+	s.ctx.ModifyDeployment(s.T(), deploymentName, func(deployment *appsV1.Deployment) {
+		dnsconfig := &v1.PodDNSConfig{
+			Options: []v1.PodDNSConfigOption{
+				{
+					Name:  "foo",
+					Value: &v,
+				},
+			},
+		}
+		deployment.Spec.Template.Spec.DNSConfig = dnsconfig
+	})
+
+	s.Validate(s.ctx, []templates.TestCase{
+		{
+			Param: params.Params{Key: key, Value: value},
+			Diagnostics: map[string][]diagnostic.Diagnostic{
+				deploymentName: {
+					{
+						Message: fmt.Sprintf("DNSConfig Options \"%s:%s\" not found.", key, value),
+					},
+				},
+			},
+			ExpectInstantiationError: false,
+		},
+	})
+}
+
+func (s *DnsconfigOptionsTestSuite) TestDnsconfigOptionsMatched() {
+	s.ctx.AddMockDeployment(s.T(), deploymentName)
+
+	v := "2"
+	s.ctx.ModifyDeployment(s.T(), deploymentName, func(deployment *appsV1.Deployment) {
+		dnsconfig := &v1.PodDNSConfig{
+			Options: []v1.PodDNSConfigOption{
+				{
+					Name:  "ndots",
+					Value: &v,
+				},
+			},
+		}
+		deployment.Spec.Template.Spec.DNSConfig = dnsconfig
+	})
+
+	s.Validate(s.ctx, []templates.TestCase{
+		{
+			Param:                    params.Params{Key: key, Value: value},
+			Diagnostics:              nil,
+			ExpectInstantiationError: false,
+		},
+	})
+}