diff --git a/.github/.kube-linter-config.yaml b/.github/.kube-linter-config.yaml new file mode 100644 index 0000000..a9f5240 --- /dev/null +++ b/.github/.kube-linter-config.yaml @@ -0,0 +1,7 @@ +checks: + # include explicitly adds checks, by name. You can reference any of the built-in checks. + # Note that customChecks defined above are included automatically. + include: [ ] + # exclude explicitly excludes checks, by name. exclude has the highest priority: if a check is + # in exclude, then it is not considered, even if it is in include as well. + exclude: [ ] diff --git a/.github/workflows/kube-linter.yaml b/.github/workflows/kube-linter.yaml new file mode 100644 index 0000000..3b2e661 --- /dev/null +++ b/.github/workflows/kube-linter.yaml @@ -0,0 +1,54 @@ +name: Check Kubernetes YAMLs with kube-linter + +on: + pull_request: + branches: [ main ] + paths: + - 'config/default/**.ya?ml' + - 'config/crd/**.ya?ml' + - 'config/rbac/**.ya?ml' + - 'config/manager/**.ya?ml' + - 'config/registry_image_pruner/**.ya?ml' + +jobs: + kube-linter: + name: Kube linter + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Create ../kube-linter/ for deployment yaml files + shell: bash + run: mkdir -p ../kube-linter/ + + - name: Generate Image Controller operator deployment configuration + shell: bash + run: kustomize build config/default/ > ../kube-linter/image-controller.yaml + + - name: Scan yaml files with kube-linter + uses: stackrox/kube-linter-action@v1 + id: kube-linter-action-scan + with: + # Where to do scanning + directory: ../kube-linter/ + # Where to search for kube-linter config. Removing the setting make using the default config. + config: ./.github/.kube-linter-config.yaml + # The following two settings make kube-linter produce scan analysis in SARIF format + # which would then be made available in GitHub UI via upload-sarif action below. + format: sarif + output-file: ../kube-linter/kube-linter.sarif + # The following line prevents aborting the workflow immediately in case your files fail kube-linter checks. + # This allows the following upload-sarif action to still upload the results to your GitHub repo. + continue-on-error: true + + - name: Upload SARIF report files to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ../kube-linter/kube-linter.sarif + + # Ensure the workflow eventually fails if files did not pass kube-linter checks. + - name: Verify kube-linter-action succeeded + shell: bash + run: | + echo "If this step fails, kube-linter found issues. Check the output of the scan step above." + [[ "${{ steps.kube-linter-action-scan.outcome }}" == "success" ]] diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index b5873c5..3d7a973 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -13,3 +13,4 @@ kind: Kustomization images: - name: controller newName: quay.io/redhat-appstudio/image-controller + newTag: next diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 8caab6f..ad8335e 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -26,13 +26,8 @@ spec: spec: securityContext: runAsNonRoot: true - # TODO(user): For common cases that do not require escalating privileges - # it is recommended to ensure that all your Pods/Containers are restrictive. - # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted - # Please uncomment the following code if your project does NOT have to work on old Kubernetes - # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ). - # seccompProfile: - # type: RuntimeDefault + seccompProfile: + type: RuntimeDefault volumes: - name: quaytoken secret: @@ -46,7 +41,7 @@ spec: - /manager args: - --leader-elect - image: quay.io/redhat-appstudio/image-controller + image: controller:latest name: manager securityContext: allowPrivilegeEscalation: false @@ -66,8 +61,6 @@ spec: port: 8081 initialDelaySeconds: 5 periodSeconds: 10 - # TODO(user): Configure the resources accordingly based on the project requirements. - # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: limits: cpu: 500m