From 49d241776399035d6011aa2cfeee959d9436c56d Mon Sep 17 00:00:00 2001 From: Bernie White Date: Thu, 28 Feb 2019 19:10:18 +1000 Subject: [PATCH] Documentation quality updates and kubernetes scenario (#98) - Minor grammatical updates - Added documentation for Kubernetes resource validation scenario - Added kubernetes-resources scenario to end-to-end tests --- CHANGELOG.md | 2 +- README.md | 1 + docs/commands/PSRule/en-US/Invoke-PSRule.md | 8 +- .../PSRule/en-US/Test-PSRuleTarget.md | 8 +- .../azure-vote-all-in-one-redis.yaml | 68 ----- .../kubernetes-labels/kubernetes-labels.md | 61 ----- .../kubernetes-labels/kubernetes.Rule.ps1 | 17 -- .../kubernetes-resources/PSRule.yaml | 6 + .../kubernetes-resources.md | 256 ++++++++++++++++++ .../kubernetes-resources/kubernetes.Rule.ps1 | 43 +++ .../kubernetes-resources/resources.yaml | 94 +++++++ tests/PSRule.Tests/PSRule.EndToEnd.Tests.ps1 | 50 ++++ 12 files changed, 459 insertions(+), 155 deletions(-) delete mode 100644 docs/scenarios/kubernetes-labels/azure-vote-all-in-one-redis.yaml delete mode 100644 docs/scenarios/kubernetes-labels/kubernetes-labels.md delete mode 100644 docs/scenarios/kubernetes-labels/kubernetes.Rule.ps1 create mode 100644 docs/scenarios/kubernetes-resources/PSRule.yaml create mode 100644 docs/scenarios/kubernetes-resources/kubernetes-resources.md create mode 100644 docs/scenarios/kubernetes-resources/kubernetes.Rule.ps1 create mode 100644 docs/scenarios/kubernetes-resources/resources.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index aafb1987d5..e59dcc2b53 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,7 +15,7 @@ - Added support for indexed and quoted field names [#86](https://github.com/BernieWhite/PSRule/issues/86) - Added object type binding and dynamic filtering for rules [#82](https://github.com/BernieWhite/PSRule/issues/82) - Added support for case-sensitive binding operations [#87](https://github.com/BernieWhite/PSRule/issues/87) - - Binding is ignores case by default. Set option `Binding.CaseSensitive` to `true` to enable case-sensitivity. + - Binding ignores case by default. Set option `Binding.CaseSensitive` to `true` to enable case-sensitivity. - **Breaking change** - The `-TargetName` parameter of the `Hint` keyword has been deprecated [#81](https://github.com/BernieWhite/PSRule/issues/81) - `-TargetName` parameter not longer sets the pipeline object _TargetName_ and generates a warning instead. - The `-TargetName` will be completely removed in **v0.4.0**, at which time using the parameter will generate an error. diff --git a/README.md b/README.md index 71a012110e..495131f941 100644 --- a/README.md +++ b/README.md @@ -119,6 +119,7 @@ For practical examples of PSRule see: - [Validate configuration of Azure resources](docs/scenarios/azure-resources/azure-resources.md) - [Validate Azure resources tags](docs/scenarios/azure-tags/azure-tags.md) +- [Validate Kubernetes resources](docs/scenarios/kubernetes-resources/kubernetes-resources.md) ## Language reference diff --git a/docs/commands/PSRule/en-US/Invoke-PSRule.md b/docs/commands/PSRule/en-US/Invoke-PSRule.md index 1efd00cbe0..489f6e5d13 100644 --- a/docs/commands/PSRule/en-US/Invoke-PSRule.md +++ b/docs/commands/PSRule/en-US/Invoke-PSRule.md @@ -163,7 +163,7 @@ Accept wildcard characters: False Only evaluate rules with the specified tags set. If this parameter is not specified all rules in search paths will be evaluated. -When more then one tag is used, all tags must match. Tag names are not case sensitive, tag values are case sensitive. A tag value of `*` may be used to filter rules to any rule with the tag set, regardless of tag value. +When more than one tag is used, all tags must match. Tag names are not case sensitive, tag values are case sensitive. A tag value of `*` may be used to filter rules to any rule with the tag set, regardless of tag value. ```yaml Type: Hashtable @@ -195,7 +195,7 @@ Accept wildcard characters: False ### -Option -Additional options that configure execution. A `PSRuleOption` can be created by using the `New-PSRuleOption` cmdlet. Alternatively a hashtable or path to YAML file can be specified with options. +Additional options that configure execution. A `PSRuleOption` can be created by using the `New-PSRuleOption` cmdlet. Alternatively, a hashtable or path to YAML file can be specified with options. For more information on PSRule options see about_PSRule_Options. @@ -235,7 +235,7 @@ Accept wildcard characters: False ### -Format -Configures the input format for when a string is passed in as a target object. By default, strings are just treated as raw text. However when set strings can be read as YAML or JSON and converted to an object. +Configures the input format for when a string is passed in as a target object. By default, strings are just treated as raw text. However, when set strings can be read as YAML or JSON and converted to an object. The following formats are available: @@ -257,7 +257,7 @@ Accept wildcard characters: False ### -ObjectPath -The name of a property to use instead of the pipeline object. If the property specified by `ObjectPath` is a collection/ array then each item in evaluated separately. +The name of a property to use instead of the pipeline object. If the property specified by `ObjectPath` is a collection or an array, then each item in evaluated separately. ```yaml Type: String diff --git a/docs/commands/PSRule/en-US/Test-PSRuleTarget.md b/docs/commands/PSRule/en-US/Test-PSRuleTarget.md index 5ab1ac0290..eba39db13e 100644 --- a/docs/commands/PSRule/en-US/Test-PSRuleTarget.md +++ b/docs/commands/PSRule/en-US/Test-PSRuleTarget.md @@ -84,7 +84,7 @@ Accept wildcard characters: False Only evaluate rules with the specified tags set. If this parameter is not specified all rules in search paths will be evaluated. -When more then one tag is used, all tags must match. Tag names are not case sensitive, tag values are case sensitive. A tag value of `*` may be used to filter rules to any rule with the tag set, regardless of tag value. +When more than one tag is used, all tags must match. Tag names are not case sensitive, tag values are case sensitive. A tag value of `*` may be used to filter rules to any rule with the tag set, regardless of tag value. ```yaml Type: Hashtable @@ -116,7 +116,7 @@ Accept wildcard characters: False ### -Option -Additional options that configure execution. A `PSRuleOption` can be created by using the `New-PSRuleOption` cmdlet. Alternatively a hashtable or path to YAML file can be specified with options. +Additional options that configure execution. A `PSRuleOption` can be created by using the `New-PSRuleOption` cmdlet. Alternatively, a hashtable or path to YAML file can be specified with options. For more information on PSRule options see about_PSRule_Options. @@ -134,7 +134,7 @@ Accept wildcard characters: False ### -Format -Configures the input format for when a string is passed in as a target object. By default, strings are just treated as raw text. However when set strings can be read as YAML or JSON and converted to an object. +Configures the input format for when a string is passed in as a target object. By default, strings are just treated as raw text. However, when set strings can be read as YAML or JSON and converted to an object. The following formats are available: @@ -156,7 +156,7 @@ Accept wildcard characters: False ### -ObjectPath -The name of a property to use instead of the pipeline object. If the property specified by `ObjectPath` is a collection/ array then each item in evaluated separately. +The name of a property to use instead of the pipeline object. If the property specified by `ObjectPath` is a collection or an array, then each item in evaluated separately. ```yaml Type: String diff --git a/docs/scenarios/kubernetes-labels/azure-vote-all-in-one-redis.yaml b/docs/scenarios/kubernetes-labels/azure-vote-all-in-one-redis.yaml deleted file mode 100644 index f6d8e83daa..0000000000 --- a/docs/scenarios/kubernetes-labels/azure-vote-all-in-one-redis.yaml +++ /dev/null @@ -1,68 +0,0 @@ -apiVersion: apps/v1beta1 -kind: Deployment -metadata: - name: azure-vote-back -spec: - replicas: 1 - template: - metadata: - labels: - app: azure-vote-back - spec: - containers: - - name: azure-vote-back - image: redis - ports: - - containerPort: 6379 - name: redis ---- -apiVersion: v1 -kind: Service -metadata: - name: azure-vote-back -spec: - ports: - - port: 6379 - selector: - app: azure-vote-back ---- -apiVersion: apps/v1beta1 -kind: Deployment -metadata: - name: azure-vote-front -spec: - replicas: 1 - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 - minReadySeconds: 5 - template: - metadata: - labels: - app: azure-vote-front - spec: - containers: - - name: azure-vote-front - image: microsoft/azure-vote-front:v1 - ports: - - containerPort: 80 - resources: - requests: - cpu: 250m - limits: - cpu: 500m - env: - - name: REDIS - value: "azure-vote-back" ---- -apiVersion: v1 -kind: Service -metadata: - name: azure-vote-front -spec: - type: LoadBalancer - ports: - - port: 80 - selector: - app: azure-vote-front diff --git a/docs/scenarios/kubernetes-labels/kubernetes-labels.md b/docs/scenarios/kubernetes-labels/kubernetes-labels.md deleted file mode 100644 index 51d5230e63..0000000000 --- a/docs/scenarios/kubernetes-labels/kubernetes-labels.md +++ /dev/null @@ -1,61 +0,0 @@ -# Kubernetes resource validation example - -This is an example of how PSRule can be used to validate Kubernetes resources to match an internal standard. - -//labels and annotations on - -This scenario covers the following: - -- Defining a basic rule. -- Running rules using YAML input. -- Nested property TargetName binding. - -In this scenario we will use a YAML file: - -- [`azure-vote-all-in-one-redis.yaml`](azure-vote-all-in-one-redis.yaml) - A Kubernetes manifest containing deployments and services. - -## Define rules - -To validate our Kubernetes resources, we need to define some rules. Rules are defined by using the `Rule` keyword in a file ending with the `.Rule.ps1` extension. - - - - -We want to achieve: - -```powershell -# Validate service objects -Invoke-PSRule -InputObject (kubectl get services -o yaml) -Format Yaml; -``` - -Or: - -```powershell -# Validate service objects -Invoke-PSRule -InFile .\azure-vote-all-in-one-redis.yaml -Format Yaml; -``` - -For this example we ran: - -```powershell -$option = New-PSRuleOption -Option @{ 'Binding.TargetName' = 'metadata.name' } -Invoke-PSRule -InputObject (Get-Content docs/scenarios/kubernetes-labels/azure-vote-all-in-one-redis.yaml -Raw) -Path docs/scenarios/kubernetes-labels -Format Yaml -Option $option; -``` - -```powershell -# Description: Deployments use a minimum of 2 replicas -Rule 'deployment.HasMinimumReplicas' -If { $TargetObject.kind -eq 'Deployment' } { - Exists 'spec.replicas' - $TargetObject.spec.replicas -ge 2 -} -``` - -```powershell -# Description: Services should not have a load balancer configured -Rule 'service.NotLoadBalancer' -If { $TargetObject.kind -eq 'Service' } { - AnyOf { - Exists 'spec.type' -Not - $TargetObject.spec.type -ne 'LoadBalancer' - } -} -``` diff --git a/docs/scenarios/kubernetes-labels/kubernetes.Rule.ps1 b/docs/scenarios/kubernetes-labels/kubernetes.Rule.ps1 deleted file mode 100644 index 82758ea875..0000000000 --- a/docs/scenarios/kubernetes-labels/kubernetes.Rule.ps1 +++ /dev/null @@ -1,17 +0,0 @@ -# -# Validation rules for Kubernetes objects -# - -# Description: Deployments use a minimum of 2 replicas -Rule 'deployment.HasMinimumReplicas' -If { $TargetObject.kind -eq 'Deployment' } { - Exists 'spec.replicas' - $TargetObject.spec.replicas -ge 2 -} - -# Description: Services should not have a load balancer configured -Rule 'service.NotLoadBalancer' -If { $TargetObject.kind -eq 'Service' } { - AnyOf { - Exists 'spec.type' -Not - $TargetObject.spec.type -ne 'LoadBalancer' - } -} diff --git a/docs/scenarios/kubernetes-resources/PSRule.yaml b/docs/scenarios/kubernetes-resources/PSRule.yaml new file mode 100644 index 0000000000..40de94d7ee --- /dev/null +++ b/docs/scenarios/kubernetes-resources/PSRule.yaml @@ -0,0 +1,6 @@ + +binding: + targetName: + - metadata.name + targetType: + - kind diff --git a/docs/scenarios/kubernetes-resources/kubernetes-resources.md b/docs/scenarios/kubernetes-resources/kubernetes-resources.md new file mode 100644 index 0000000000..808482496c --- /dev/null +++ b/docs/scenarios/kubernetes-resources/kubernetes-resources.md @@ -0,0 +1,256 @@ +# Kubernetes resource validation example + +This is an example of how PSRule can be used to validate Kubernetes resources to match an internal metadata and configuration standard. + +This scenario covers the following: + +- Defining a basic rule. +- Configuring custom binding. +- Using a type precondition. +- Running rules using YAML input. + +In this scenario we will use a YAML file: + +- [`resources.yaml`](resources.yaml) - A Kubernetes manifest containing deployments and services. + +## Define rules + +To validate our Kubernetes resources, we need to define some rules. Rules are defined by using the `Rule` keyword in a file ending with the `.Rule.ps1` extension. + +Our business rules for configuration Kubernetes resources can be defined with the following dot points: + +- The following [recommended](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/) labels will be used on all services and deployments: + - `app.kubernetes.io/name` - the name of the application/ service. + - `app.kubernetes.io/version` - the version of the service. + - `app.kubernetes.io/component` - identifies the type of component, valid options are `web`, `api`, `database` and `gateway` +- For `web` or `api` deployments, a minimum of two (2) replicas must be used. +- Deployments must use container images with a specific version tag, and not `latest`. +- Deployments must declare minimum and maximum memory/ CPU resources. + +In the example below: + +- We use `metadata.Name` directly after the `Rule` keyword to name the rule definition. Each rule must be named uniquely. +- The `# Description: ` comment is used to add additional metadata interpreted by PSRule. +- One or more conditions are defined within the curly braces `{ }`. +- The rule definition is saved within a file named `kubernetes.Rule.ps1`. + +```powershell +# Description: Must have the app.kubernetes.io/name label +Rule 'metadata.Name' { + # Rule conditions go here +} +``` + +### Check that the label exists + +In the next step, we define one or more conditions. + +Conditions can be: + +- Any valid PowerShell that returns a _true_ (pass) when the condition is met or _false_ (fail) when the condition is not met. +- More than one condition can be defined, if any condition returns _false_ then the whole rule fails. + +PSRule includes several convenience keywords such as `AllOf`, `AnyOf`, `Exists`, `Match`, `TypeOf` and `Within` that make conditions faster to define, easier to understand and troubleshoot. However, use of these keywords is optional. + +In the example below: + +- We use the `Exists` keyword to check that the resource has the `app.kubernetes.io/name` label set. + - By default, PSRule will step through nested properties separated by a `.`. i.e. `labels` is a property of `metadata`. + - Kubernetes supports and recommends label namespaces, which often use `.` in their name. PSRule supports this by enclosing the field name (`app.kubernetes.io/name`) in apostrophes (`'`) so that `app.kubernetes.io/name` is checked instead of `app`. + +```powershell +# Description: Must have the app.kubernetes.io/name label +Rule 'metadata.Name' { + Exists "metadata.labels.'app.kubernetes.io/name'" +} +``` + +We have also defined something similar for the _version_ and _component_ labels. + +In the example below: + +- Double apostrophes (`''`) are used to enclose `app.kubernetes.io/name` because the field name uses `'` at the start and end of the string instead of `"` in the previous example. +- The `Within` keyword is used to validate that the `app.kubernetes.io/component` only uses one of four (4) allowed values. + +```powershell +# Description: Must have the app.kubernetes.io/version label +Rule 'metadata.Version' { + Exists 'metadata.labels.''app.kubernetes.io/version''' +} + +# Description: Must have the app.kubernetes.io/component label +Rule 'metadata.Component' { + Exists 'metadata.labels.''app.kubernetes.io/component''' + Within 'metadata.labels.''app.kubernetes.io/component''' 'web', 'api', 'database', 'gateway' -CaseSensitive +} +``` + +## Use custom binding + +Before processing rules, PSRule binds `TargetName` and `TargetType` properties to the pipeline object. These properties are used for filtering and displaying results. + +The default properties that PSRule binds are different from how Kubernetes resources are structured. Kubernetes uses: + +- `metadata.name` to store the name of a resource. +- `kind` to store the type of resource. + +The default bindings can be updated by providing custom property names or a custom script. To change binding property names set the `Binding.TargetName` and `Binding.TargetType` configuration options. + +The following example shows how to set the options using a YAML configuration file: + +- TargetName is bound to `metadata.name` +- TargetType is bound to `kind` + +```yaml +binding: + targetName: + - metadata.name + targetType: + - kind +``` + +Alternatively, these options can be set at runtime using the hashtable syntax. + +```powershell +$option = New-PSRuleOption -Option @{ 'Binding.TargetName' = 'metadata.name'; 'Binding.TargetType' = 'kind' }; +``` + +These options will be passed to `Invoke-PSRule` using the `-Option` parameter in a later step. + +## Define preconditions + +Currently the `metadata.Name` rule defined in a previous step will be executed for any type of object. Kubernetes has many types of built-in resource such as _Services_, _Deployments_, _Namespaces_, _Pods_ and _ClusterRoles_. + +By defining a precondition, we can ensure that the rule is only processed for _Services_ or _Deployments_ to match our business rules. + +PSRule supports two types of preconditions, either type (`-Type`) or script block (`-If`). + +- **Type** preconditions are one or more type names that PSRule compares to the `TargetType` binding, where: + - One of the type names names equal `TargetType` the rule will be processed. + - None of the type names equal `TargetType` the rule be skipped. +- **Script** block preconditions is a PowerShell script block that returns _true_ or _false_, where: + - _True_ - Continue processing the rule. + - _False_ - Skip processing the rule. + +Preconditions are evaluated once per rule for each object. + +In the example below: + +- We update our `metadata.Name` rule to use the `-Type` parameter to specify a type precondition of either _Deployment_ or _Service_. +- In a previous step, `TypeName` was bound to the `kind` property which will be _Deployment_ or _Service_ for these resource types. + +```powershell +# Description: Must have the app.kubernetes.io/name label +Rule 'metadata.Name' -Type 'Deployment', 'Service' { + Exists "metadata.labels.'app.kubernetes.io/name'" +} +``` + +Using a type precondition satisfies our business rules and will deliver faster performance then using a script block. An example using a script block precondition is also shown below. + +```powershell +# Description: Must have the app.kubernetes.io/name label +Rule 'metadata.Name' -If { $TargetObject.kind -eq 'Deployment' -or $TargetObject.kind -eq 'Service' } { + Exists "metadata.labels.'app.kubernetes.io/name'" +} +``` + +## Complete remaining rules + +The remaining rule definitions from our defined business rules are included below. Each follows a similar pattern and builds on the previous sections. + +In the example below: + +- The built-in variable `$TargetObject` is used to get the current pipeline object. + - Built-in keywords like `Exists` automatically default to `$TargetObject`, but can be piped alternative input as shown in the rule definition named `deployment.ResourcesSet`. + +```powershell +# Description: Deployments use a minimum of 2 replicas +Rule 'deployment.HasMinimumReplicas' -Type 'Deployment' { + Exists 'spec.replicas' + $TargetObject.spec.replicas -ge 2 +} + +# Description: Deployments use specific tags +Rule 'deployment.NotLatestImage' -Type 'Deployment' { + foreach ($container in $TargetObject.spec.template.spec.containers) { + $container.image -like '*:*' -and + $container.image -notlike '*:latest' + } +} + +# Description: Resource requirements are set for each container +Rule 'deployment.ResourcesSet' -Type 'Deployment' { + foreach ($container in $TargetObject.spec.template.spec.containers) { + $container | Exists 'resources.requests.cpu' + $container | Exists 'resources.requests.memory' + $container | Exists 'resources.limits.cpu' + $container | Exists 'resources.limits.memory' + } +} +``` + +## Execute rules + +With some rules defined, the next step is to execute them. For this example, we'll use `Invoke-PSRule` to get the result for each rule. The `Test-PSRuleTarget` cmdlet can be used if only a _true_ or _false_ is required. + +In our example we are using the YAML format to store Kubernetes resources. PSRule has built-in support for YAML so we can import these files directly from disk or process output from a command such as `kubectl`. + +In the examples below: + +- `Get-Content` is piped to `Invoke-PSRule` with the `-Raw` switch. The `-Raw` switch reads the full contents of the rule as a string. In contrast, without the `-Raw` switch, each line would be passed to `Invoke-PSRule` individually as separate objects. +- The `-Format` parameter informs PSRule that the string is YAML and it should convert the string into structured objects. +- The `-Option` parameter sets the location of the configuration file that contains custom binding options. +- `kubectl` is called with the `-o yaml` to output resources as YAML. +- `kubectl` is piped to `Out-String` to convert the multi-line output to a single string. +- The `-ObjectPath` parameter is used with the output from `kubectl`. This is required because the output from `kubectl` is a collection of resources instead of individual resources. Specifically `-ObjectPath items` gets the resources from the `items` property of the output. + +```powershell +# Validate resources from file +Get-Content .\resources.yaml -Raw | Invoke-PSRule -Format Yaml -Option .\PSRule.yaml; +``` + +```powershell +# Validate resources directly from kubectl output +kubectl get services -o yaml | Out-String | Invoke-PSRule -Format Yaml -Option .\PSRule.yaml -ObjectPath items; +``` + +For this example, we limited the output to failed results with the following command: + +```powershell +Get-Content docs/scenarios/kubernetes-resources/resources.yaml -Raw | Invoke-PSRule -Path docs/scenarios/kubernetes-resources -Format Yaml -Option docs/scenarios/kubernetes-resources/PSRule.yaml -Outcome Fail; +``` + +The resulting output is: + +```text + TargetName: app1-cache + +RuleName Outcome Message +-------- ------- ------- +deployment.HasMinimumReplicas Fail Deployments use a minimum of 2 replicas +deployment.NotLatestImage Fail Deployments use specific tags +deployment.ResourcesSet Fail Resource requirements are set for each container + + + TargetName: app1-cache-service + +RuleName Outcome Message +-------- ------- ------- +metadata.Name Fail Must have the app.kubernetes.io/name label +metadata.Version Fail Must have the app.kubernetes.io/version label +metadata.Component Fail Must have the app.kubernetes.io/component label + + + TargetName: app1-ui + +RuleName Outcome Message +-------- ------- ------- +metadata.Version Fail Must have the app.kubernetes.io/version label +``` + +## More information + +- [kubernetes.Rule.ps1](kubernetes.Rule.ps1) - Example rules for validating Kubernetes resources. +- [resources.yaml](resources.yaml) - An example Kubernetes manifest. +- [PSRule.yaml](PSRule.yaml) - PSRule options configuration file. diff --git a/docs/scenarios/kubernetes-resources/kubernetes.Rule.ps1 b/docs/scenarios/kubernetes-resources/kubernetes.Rule.ps1 new file mode 100644 index 0000000000..96dc24f8a0 --- /dev/null +++ b/docs/scenarios/kubernetes-resources/kubernetes.Rule.ps1 @@ -0,0 +1,43 @@ +# +# Validation rules for Kubernetes resources +# + +# Description: Must have the app.kubernetes.io/name label +Rule 'metadata.Name' -Type 'Deployment', 'Service' { + Exists "metadata.labels.'app.kubernetes.io/name'" +} + +# Description: Must have the app.kubernetes.io/version label +Rule 'metadata.Version' -Type 'Deployment', 'Service' { + Exists 'metadata.labels.''app.kubernetes.io/version''' +} + +# Description: Must have the app.kubernetes.io/component label +Rule 'metadata.Component' -Type 'Deployment', 'Service' { + Exists 'metadata.labels.''app.kubernetes.io/component''' + Within 'metadata.labels.''app.kubernetes.io/component''' 'web', 'api', 'database', 'gateway' -CaseSensitive +} + +# Description: Deployments use a minimum of 2 replicas +Rule 'deployment.HasMinimumReplicas' -Type 'Deployment' { + Exists 'spec.replicas' + $TargetObject.spec.replicas -ge 2 +} + +# Description: Deployments use specific tags +Rule 'deployment.NotLatestImage' -Type 'Deployment' { + foreach ($container in $TargetObject.spec.template.spec.containers) { + $container.image -like '*:*' -and + $container.image -notlike '*:latest' + } +} + +# Description: Resource requirements are set for each container +Rule 'deployment.ResourcesSet' -Type 'Deployment' { + foreach ($container in $TargetObject.spec.template.spec.containers) { + $container | Exists 'resources.requests.cpu' + $container | Exists 'resources.requests.memory' + $container | Exists 'resources.limits.cpu' + $container | Exists 'resources.limits.memory' + } +} diff --git a/docs/scenarios/kubernetes-resources/resources.yaml b/docs/scenarios/kubernetes-resources/resources.yaml new file mode 100644 index 0000000000..91cb9bf7a8 --- /dev/null +++ b/docs/scenarios/kubernetes-resources/resources.yaml @@ -0,0 +1,94 @@ +# +# Kubernetes resource manaifest +# + +--- +# A sample backend deployment +apiVersion: apps/v1beta1 +kind: Deployment +metadata: + name: app1-cache + labels: + app.kubernetes.io/name: app1-cache + app.kubernetes.io/version: 1.0.0 + app.kubernetes.io/component: database +spec: + replicas: 1 + template: + metadata: + labels: + app: app1-cache + spec: + containers: + - name: app1-cache + image: redis + ports: + - containerPort: 6379 + name: redis + +--- +# Publish backend to cluster +apiVersion: v1 +kind: Service +metadata: + name: app1-cache-service + lables: +spec: + ports: + - port: 6379 + selector: + app: app1-cache + +--- +# A sample web frontend deployment +apiVersion: apps/v1beta1 +kind: Deployment +metadata: + name: app1-ui + labels: + app.kubernetes.io/name: app1-ui + app.kubernetes.io/component: web +spec: + replicas: 2 + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + minReadySeconds: 5 + template: + metadata: + labels: + app: app1-ui + spec: + containers: + - name: app1-ui + image: psrule/notaniamge:v1 + ports: + - containerPort: 80 + resources: + requests: + cpu: 250m + memory: 50Mi + limits: + cpu: 500m + memory: 100Mi + env: + - name: REDIS + value: "app1-cache" + +--- +# Publish frontend to users +apiVersion: v1 +kind: Service +metadata: + name: app1-ui-service + labels: + app.kubernetes.io/name: app1-ui + app.kubernetes.io/version: 1.1.0 + app.kubernetes.io/component: web +spec: + type: LoadBalancer + ports: + - port: 80 + selector: + app: app1-ui diff --git a/tests/PSRule.Tests/PSRule.EndToEnd.Tests.ps1 b/tests/PSRule.Tests/PSRule.EndToEnd.Tests.ps1 index 5a7637a133..89542d9b80 100644 --- a/tests/PSRule.Tests/PSRule.EndToEnd.Tests.ps1 +++ b/tests/PSRule.Tests/PSRule.EndToEnd.Tests.ps1 @@ -110,3 +110,53 @@ Describe 'Scenarios -- fruit' -Tag 'EndToEnd','fruit' { } } } + +Describe 'Scenarios -- kubernetes-resources' -Tag 'EndToEnd','kubernetes-resources' { + $scenarioPath = Join-Path -Path $rootPath -ChildPath docs/scenarios/kubernetes-resources; + $yamlData = Get-Content -Path (Join-Path -Path $scenarioPath -ChildPath 'resources.yaml') -Raw; + + Context 'Invoke-PSRule' { + $invokeParams = @{ + Path = $scenarioPath + Format = 'Yaml' + Option = (Join-Path -Path $scenarioPath -ChildPath 'PSRule.yaml') + } + $result = @($yamlData | Invoke-PSRule @invokeParams); + + It 'Processes rules' { + $result.Count | Should -Be 18; + } + + It 'Deployment app1-cache' { + $instance = $result | Where-Object -FilterScript { $_.TargetName -eq 'app1-cache' }; + $fail = @($instance | Where-Object -FilterScript { $_.Outcome -eq 'Fail' }); + $pass = @($instance | Where-Object -FilterScript { $_.Outcome -eq 'Pass' }); + $fail.Length | Should -Be 3; + $pass.Length | Should -Be 3; + } + + It 'Service app1-cache-service' { + $instance = $result | Where-Object -FilterScript { $_.TargetName -eq 'app1-cache-service' }; + $fail = @($instance | Where-Object -FilterScript { $_.Outcome -eq 'Fail' }); + $pass = @($instance | Where-Object -FilterScript { $_.Outcome -eq 'Pass' }); + $fail.Length | Should -Be 3; + $pass.Length | Should -Be 0; + } + + It 'Deployment app1-ui' { + $instance = $result | Where-Object -FilterScript { $_.TargetName -eq 'app1-ui' }; + $fail = @($instance | Where-Object -FilterScript { $_.Outcome -eq 'Fail' }); + $pass = @($instance | Where-Object -FilterScript { $_.Outcome -eq 'Pass' }); + $fail.Length | Should -Be 1; + $pass.Length | Should -Be 5; + } + + It 'Service app1-ui-service' { + $instance = $result | Where-Object -FilterScript { $_.TargetName -eq 'app1-ui-service' }; + $fail = @($instance | Where-Object -FilterScript { $_.Outcome -eq 'Fail' }); + $pass = @($instance | Where-Object -FilterScript { $_.Outcome -eq 'Pass' }); + $fail.Length | Should -Be 0; + $pass.Length | Should -Be 3; + } + } +}