Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JSON schema checks #234

Merged
merged 22 commits into from
Jan 2, 2020
Merged

JSON schema checks #234

merged 22 commits into from
Jan 2, 2020

Conversation

rbren
Copy link
Contributor

@rbren rbren commented Dec 19, 2019

This is step 1 toward supporting custom checks written in JSON schema.

I think rewriting many of our current checks using JSON schema will help clean up the codebase a bunch too.

@rbren rbren changed the title swap out host_network for a schema-based check JSON schema checks Dec 19, 2019
rbren and others added 20 commits December 20, 2019 17:33
@rbren
move rest of pod checks over to schema
b4e3f78
@rbren
simplify GetSupportedControllerFromString
d4e3258
@rbren
migrate health checks to schemas
8b20fd9
@rbren
implement image checks using json schema
0f2e5e0
@rbren
move networking checks over to json schema
95c04b1
@rbren
move runAsRootAllowed over to jsonschema
ddf815d
@rbren
fix up exclusions
25be9e4
@rbren
move more security checks to jsonschema
02252c6
Merge branch 'master' into rb/custom-checks
df48615
@rbren
swap out host_network for a schema-based check
d80d326
@rbren
move rest of pod checks over to schema
3304285
@rbren
simplify GetSupportedControllerFromString
d0dc7f4
@rbren
migrate health checks to schemas
f2c5752
@rbren
implement image checks using json schema
30b49c4
@rbren
move networking checks over to json schema
3fa627a
@rbren
move runAsRootAllowed over to jsonschema
ad3a8e6
@rbren
fix up exclusions
6c58884
@rbren
move more security checks to jsonschema
f7dccc0
@rbren
Merge branch 'rb/custom-checks' of ssh://github.com/fairwindsops/pola…
7070eb7 
…ris into rb/custom-checks
@rbren
fix lint errors
b003515
@codecov
Copy link

codecov bot commented Dec 23, 2019
edited
Loading

Codecov Report

Merging #234 into master will decrease coverage by 7.89%.
The diff coverage is 54.16%.

Impacted file tree graph

@@            Coverage Diff            @@
##           master     #234     +/-   ##
=========================================
- Coverage   79.21%   71.31%   -7.9%     
=========================================
  Files          12       13      +1     
  Lines         765      781     +16     
=========================================
- Hits          606      557     -49     
- Misses        134      186     +52     
- Partials       25       38     +13
Impacted Files Coverage Δ
pkg/config/exemptions.go 0% <0%> (ø) ⬆️
pkg/config/supportedcontrollers.go 58.49% <100%> (ø) ⬆️
pkg/validator/controller.go 92.3% <100%> (+0.3%) ⬆️
pkg/validator/pod.go 90.47% <33.33%> (-9.53%) ⬇️
pkg/validator/container.go 91.27% <50%> (-3.69%) ⬇️
pkg/validator/schema.go 61.53% <61.53%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5978519...7cc0be4. Read the comment docs.

@rbren rbren marked this pull request as ready for review December 26, 2019 19:15
@rbren
Copy link
Contributor Author

rbren commented Dec 26, 2019

In the interest of keeping changes small, I'm going to cut this PR here.

Future work:

  • implement default capabilities check in JSON schema
  • deprecate resource max/min checks in favor of custom JSON schema
  • update config syntax
  • allow specifying new checks in config
  • refactor validation loops for better error handling (currently panics if schema checks fail)

@rbren
Copy link
Contributor Author

rbren commented Dec 26, 2019

Also note: while this PR is backward-compatible, this will likely get released as a major version update.

makoscafee
makoscafee reviewed Dec 30, 2019
View reviewed changes
Copy link
Contributor

@makoscafee makoscafee left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks _Robert . Looks good I just had few questions.

pkg/validator/container.go
cv.validateHealthChecks(conf, controllerName)

err := applyContainerSchemaChecks(conf, controllerName, controllerType, &cv)
// FIXME: don't panic
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assuming this was left on purpose to be fixed in separate PR right?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup - I've got another PR coming in after this one, and probably one more refactor after that.

pkg/validator/container.go
}
}
}

func (cv *ContainerValidation) validateSecurity(conf *config.Configuration, controllerName string) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure I understand why is only validate security is left here ...?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The capabilities check is harder to implement in JSON schema, so I'm leaving it here for now. It'll be gone in the next PR.

@rbren rbren merged commit 1067255 into master Jan 2, 2020
@rbren rbren deleted the rb/custom-checks branch January 2, 2020 17:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@makoscafee makoscafee makoscafee left review comments

@jordandoig jordandoig Awaiting requested review from jordandoig

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rbren @makoscafee