implement image checks using json schema

FairwindsOps · Dec 23, 2019 · 0f2e5e0 · 0f2e5e0
1 parent 8b20fd9
commit 0f2e5e0
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 28 deletions.
diff --git a/checks/pullPolicyNotAlways.yaml b/checks/pullPolicyNotAlways.yaml
@@ -0,0 +1,13 @@
+name: PullPolicyNotAlways
+id: pullPolicyNotAlways
+successMessage: Image pull policy is "Always"
+failureMessage: Image pull policy should be "Always"
+category: Images
+target: Container
+schema:
+  '$schema': http://json-schema.org/draft-07/schema
+  required:
+  - imagePullPolicy
+  properties:
+    imagePullPolicy:
+      const: Always
diff --git a/checks/tagNotSpecified.yaml b/checks/tagNotSpecified.yaml
@@ -0,0 +1,18 @@
+name: TagNotSpecified
+id: tagNotSpecified
+successMessage: Image tag is specified
+failureMessage: Image tag should be specified
+category: Images
+target: Container
+schema:
+  '$schema': http://json-schema.org/draft-07/schema
+  required:
+  - image
+  allOf:
+  - properties:
+      image:
+        pattern: ^.+:.+$
+  - properties:
+      image:
+        not:
+          pattern: ^.+:latest$
diff --git a/pkg/validator/container.go b/pkg/validator/container.go
@@ -16,7 +16,6 @@ package validator
 
 import (
 	"fmt"
-	"strings"
 
 	"github.com/fairwindsops/polaris/pkg/config"
 	"github.com/fairwindsops/polaris/pkg/validator/messages"
@@ -65,7 +64,6 @@ func ValidateContainer(container *corev1.Container, parentPodResult *PodResult,
 		panic(err)
 	}
 
-	cv.validateImage(conf, controllerName)
 	cv.validateNetworking(conf, controllerName)
 	cv.validateSecurity(conf, controllerName)
 
@@ -157,31 +155,6 @@ func (cv *ContainerValidation) validateResourceRange(id, resourceName string, ra
 	}
 }
 
-func (cv *ContainerValidation) validateImage(conf *config.Configuration, controllerName string) {
-	category := messages.CategoryImages
-
-	name := "PullPolicyNotAlways"
-	if conf.IsActionable(conf.Images, name, controllerName) {
-		id := config.GetIDFromField(conf.Images, name)
-		if cv.Container.ImagePullPolicy != corev1.PullAlways {
-			cv.addFailure(messages.ImagePullPolicyFailure, conf.Images.PullPolicyNotAlways, category, id)
-		} else {
-			cv.addSuccess(messages.ImagePullPolicySuccess, category, id)
-		}
-	}
-
-	name = "TagNotSpecified"
-	if conf.IsActionable(conf.Images, name, controllerName) {
-		id := config.GetIDFromField(conf.Images, name)
-		img := strings.Split(cv.Container.Image, ":")
-		if len(img) == 1 || img[1] == "latest" {
-			cv.addFailure(messages.ImageTagFailure, conf.Images.TagNotSpecified, category, id)
-		} else {
-			cv.addSuccess(messages.ImageTagSuccess, category, id)
-		}
-	}
-}
-
 func (cv *ContainerValidation) validateNetworking(conf *config.Configuration, controllerName string) {
 	category := messages.CategoryNetworking
 

diff --git a/pkg/validator/container_test.go b/pkg/validator/container_test.go
@@ -528,7 +528,10 @@ func TestValidateImage(t *testing.T) {
 	for _, tt := range testCases {
 		t.Run(tt.name, func(t *testing.T) {
 			tt.cv = resetCV(tt.cv)
-			tt.cv.validateImage(&conf.Configuration{Images: tt.image}, "")
+			err := applyContainerSchemaChecks(&conf.Configuration{Images: tt.image}, tt.cv.Container, "", conf.Deployments, tt.cv.IsInitContainer, &tt.cv)
+			if err != nil {
+				panic(err)
+			}
 			assert.Len(t, tt.cv.Errors, len(tt.expected))
 			assert.ElementsMatch(t, tt.cv.Errors, tt.expected)
 		})

diff --git a/pkg/validator/schema.go b/pkg/validator/schema.go
@@ -55,6 +55,8 @@ var (
 		// Container checks
 		"readinessProbe",
 		"livenessProbe",
+		"pullPolicyNotAlways",
+		"tagNotSpecified",
 	}
 )