@monokle/validation - npm Package Compare versions

Comparing version 0.30.1 to 0.31.0

lib/pluginLoaders/PluginLoader.js

@@ -7,2 +7,3 @@ import kbpPlugin from '../validators/practices/plugin.js';
 import { RemoteWasmLoader } from '../validators/open-policy-agent/wasmLoader/RemoteWasmLoader.browser.js';
+import { AdmissionPolicyValidator } from '../validators/admission-policy/validator.js';
 export class DefaultPluginLoader {
@@ -36,2 +37,5 @@ _registry = {};
         });
+        this.register('admission-policy', ({ parser }) => {
+            return new AdmissionPolicyValidator(parser);
+        });
         this.register(DEV_MODE_TOKEN, ({ parser, fixer }) => {
@@ -38,0 +42,0 @@ return new DevCustomValidator(parser, fixer);

lib/references/mappers/mappers.js

@@ -12,2 +12,3 @@ import { createPodSelectorOutgoingRefMappers } from './core.js';
 import { ownerReferenceMapper } from './ownerReference.js';
+import { validatingAdmissionPolicyBindingMappers } from './validatingAdmissionPolicyBinding';
 export function getOutgoingRefMappers(kind) {
@@ -31,2 +32,3 @@ var mappers = OUTGOING_MAPPERS_BY_KIND[kind] ?? [];
     ClusterRoleBinding: clusterRoleBindingMappers,
+    ValidatingAdmissionPolicyBinding: validatingAdmissionPolicyBindingMappers,
     VolumeAttachment: volumeAttachmentMappers,
@@ -33,0 +35,0 @@ Endpoints: endpointsMappers,

lib/references/process.js

 import groupBy from 'lodash/groupBy.js';
 import keyBy from 'lodash/keyBy.js';
 import uniq from 'lodash/uniq.js';
+import { ResourceRefType } from '../common/types.js';
 import { handlePairRefMapping } from './handlePairRefMapping.js';
@@ -13,2 +14,4 @@ import { handleRefMappingByKey } from './handleRefMappingByKey.js';
 import { processKustomizations } from './utils/kustomizeRefs.js';
+import { isDefined } from '../utils/isDefined';
+import { isNode } from 'yaml';
 /**
@@ -71,4 +74,92 @@ * Processes resources and MUTATES them with their references to other resources.
         }
+        if (sourceResource.kind === 'ValidatingAdmissionPolicyBinding') {
+            processValidatingAdmissionPolicyParams(sourceResource, resourceMap, resourcesByKind, config.parser);
+        }
     }
     cleanResourceRefs(resources);
 }
+/**
+ * Process references to parameters of ValidationAdmissionPolicyBindings.
+ *
+ * These are quite unique as it needs a referenced Policy object to determine the referenced Params object.
+ * To avoid further complicating the reference framework, we handle this as a one-off special case.
+ */
+function processValidatingAdmissionPolicyParams(policyBinding, resourceMap, resourcesByKind, parser) {
+    const paramName = policyBinding.content?.spec?.paramRef?.name;
+    const { paramKind } = determineParamKind(policyBinding, resourceMap);
+    const paramNamespace = policyBinding.content?.spec?.paramRef?.namespace;
+    if (!policyBinding.refs || !paramName || !paramKind) {
+        return;
+    }
+    const relatedParams = resourcesByKind[paramKind].find(o => {
+        const matchingName = paramName === o.name;
+        const matchingNamespace = paramNamespace ? paramNamespace === o.namespace : true;
+        return matchingName && matchingNamespace;
+    });
+    if (!relatedParams) {
+        return;
+    }
+    // Add reference to Binding object
+    policyBinding.refs.push({
+        type: ResourceRefType.Outgoing,
+        name: paramName,
+        target: {
+            type: 'resource',
+            resourceId: relatedParams.id,
+            resourceKind: relatedParams.kind,
+        },
+        position: getPosition(parser, policyBinding, ['spec', 'paramRef', 'name']),
+    });
+    // Add reference to Params object
+    if (!relatedParams.refs) {
+        relatedParams.refs = [];
+    }
+    const hasRef = relatedParams.refs.some(ref => ref.type === ResourceRefType.Incoming &&
+        ref.name === paramName &&
+        ref.target &&
+        ref.target.type === 'resource' &&
+        ref.target.resourceId === policyBinding.id);
+    if (hasRef) {
+        return;
+    }
+    relatedParams.refs.push({
+        type: ResourceRefType.Incoming,
+        name: paramName,
+        target: {
+            type: 'resource',
+            resourceId: policyBinding.id,
+            resourceKind: policyBinding.kind,
+        },
+        position: getPosition(parser, relatedParams, ['metadata', 'name']),
+    });
+}
+function determineParamKind(policyBinding, resourceMap) {
+    if (!policyBinding.refs) {
+        return { paramKind: undefined, paramApiVersion: undefined };
+    }
+    const relatedPolicy = policyBinding.refs
+        .map(ref => (ref.target?.type === 'resource' ? ref.target.resourceId : undefined))
+        .filter(isDefined)
+        .map(relatedId => resourceMap[relatedId])
+        .find(object => object?.kind === 'ValidatingAdmissionPolicy');
+    return {
+        paramKind: relatedPolicy?.content?.spec?.paramKind?.kind,
+        paramApiVersion: relatedPolicy?.content?.spec?.paramKind?.apiVersion,
+    };
+}
+function getPosition(parser, object, path) {
+    const parsedObject = parser.parse(object);
+    const node = parsedObject.parsedDoc.getIn(path, true);
+    if (!isNode(node)) {
+        return { line: 0, column: 0, length: 0 };
+    }
+    if (node && parsedObject.lineCounter && node.range) {
+        const linePos = parsedObject.lineCounter.linePos(node.range[0]);
+        return {
+            line: linePos.line,
+            column: linePos.col,
+            length: node.range[1] - node.range[0],
+        };
+    }
+    return { line: 0, column: 0, length: 0 };
+}

lib/utils/knownResourceKinds.d.ts

 export declare function isKnownResourceKind(kind: string): boolean;
 export declare type KnownResourceKinds = typeof KNOWN_RESOURCE_KINDS[number];
-export declare const KNOWN_RESOURCE_KINDS: readonly ["ClusterRole", "ClusterRoleBinding", "ConfigMap", "CronJob", "CustomResourceDefinition", "DaemonSet", "Deployment", "Endpoints", "EndpointSlice", "HorizontalPodAutoscaler", "Ingress", "Job", "LimitRange", "Namespace", "NetworkPolicy", "PersistentVolume", "PersistentVolumeClaim", "Pod", "ReplicaSet", "ReplicationController", "ResourceQuota", "Role", "RoleBinding", "Secret", "Service", "ServiceAccount", "StatefulSet", "StorageClass", "VolumeAttachment"];
+export declare const KNOWN_RESOURCE_KINDS: readonly ["ClusterRole", "ClusterRoleBinding", "ConfigMap", "CronJob", "CustomResourceDefinition", "DaemonSet", "Deployment", "Endpoints", "EndpointSlice", "HorizontalPodAutoscaler", "Ingress", "Job", "LimitRange", "Namespace", "NetworkPolicy", "PersistentVolume", "PersistentVolumeClaim", "Pod", "ReplicaSet", "ReplicationController", "ResourceQuota", "Role", "RoleBinding", "Secret", "Service", "ServiceAccount", "StatefulSet", "StorageClass", "VolumeAttachment", "ValidatingAdmissionPolicy", "ValidatingAdmissionPolicyBinding"];

lib/utils/knownResourceKinds.js

@@ -34,2 +34,4 @@ export function isKnownResourceKind(kind) {
     'VolumeAttachment',
+    'ValidatingAdmissionPolicy',
+    'ValidatingAdmissionPolicyBinding',
 ];

lib/validators/pod-security-standards/rules/PSS202-privilege-escalation.js

@@ -18,3 +18,3 @@ import { CIS_RELATIONS, NSA_RELATIONS, PSS_RELATIONS } from '../../../taxonomies/index.js';
                 const allowPrivilegeEscalation = container.securityContext?.allowPrivilegeEscalation;
-                const valid = !allowPrivilegeEscalation;
+                const valid = allowPrivilegeEscalation !== undefined && !allowPrivilegeEscalation;
                 if (valid)
@@ -28,3 +28,3 @@ return;
                 const allowPrivilegeEscalation = container.securityContext?.allowPrivilegeEscalation;
-                const valid = !allowPrivilegeEscalation;
+                const valid = allowPrivilegeEscalation !== undefined && !allowPrivilegeEscalation;
                 if (valid)
@@ -38,3 +38,3 @@ return;
                 const allowPrivilegeEscalation = container.securityContext?.allowPrivilegeEscalation;
-                const valid = !allowPrivilegeEscalation;
+                const valid = allowPrivilegeEscalation !== undefined && !allowPrivilegeEscalation;
                 if (valid)
@@ -41,0 +41,0 @@ return;

package.json

 {
   "name": "@monokle/validation",
-  "version": "0.30.1",
+  "version": "0.31.0",
   "description": "Kubernetes resource validation",
@@ -53,6 +53,7 @@ "author": "Kubeshop",
     "@types/lodash": "4.14.185",
+    "@types/pako": "^2.0.1",
     "@types/require-from-string": "1.2.1",
     "@types/uuid": "9.0.1",
+    "esbuild": "0.17.18",
     "rimraf": "3.0.2",
-    "esbuild": "0.17.18",
     "tiny-glob": "0.2.9",
@@ -69,5 +70,7 @@ "type-fest": "3.0.0",
     "change-case": "4.1.2",
+    "get-random-values": "^3.0.0",
     "isomorphic-fetch": "3.0.0",
     "lodash": "4.17.21",
     "node-fetch": "3.3.0",
+    "pako": "^2.1.0",
     "require-from-string": "2.0.2",
@@ -74,0 +77,0 @@ "rollup": "3.18.0",

New alerts

Mixed license

License

(Experimental) Package contains multiple licenses.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

555178

increased by7.54%

Number of package files

362

increased by4.02%

Lines of code

13833

increased by7.62%

Worsened metrics

Dependency count

15

increased by15.38%

Dev dependency count

12

increased by9.09%

Number of low license alerts

1

increased byInfinity%

Number of low supply chain risk alerts

5

increased by25%

Number of medium supply chain risk alerts

6

increased by20%

Dependency changes

• + Addedget-random-values@^3.0.0

• + Addedpako@^2.1.0

• + Addeddom-walk@0.1.2(transitive)

• + Addedget-random-values@3.0.0(transitive)

• + Addedglobal@4.4.0(transitive)

• + Addedmin-document@2.19.0(transitive)

• + Addedpako@2.1.0(transitive)

• + Addedprocess@0.11.10(transitive)