Implement first pass of kube-linter lint command (#4)

Author: viswajithiii

.gitignore

@@ -9,3 +9,6 @@
 
 # Empty file touched by `make deps`
 /deps
+
+# Packr generated files
+*-packr.go

Makefile

@@ -33,6 +33,11 @@ $(STATICCHECK_BIN): deps
 	@echo "+ $@"
 	@go install honnef.co/go/tools/cmd/staticcheck
 
+PACKR_BIN := $(GOBIN)/packr
+$(PACKR_BIN): deps
+	@echo "+ $@"
+	@go install github.com/gobuffalo/packr/packr
+
 ###########
 ## Lint ##
 ###########
@@ -50,7 +55,19 @@ endif
 
 .PHONY: staticcheck
 staticcheck: $(STATICCHECK_BIN)
-	staticcheck -checks=all ./...
+	staticcheck -checks=all,-ST1000 ./...
 
 .PHONY: lint
 lint: golangci-lint staticcheck
+
+#############
+## Compile ##
+#############
+
+.PHONY: packr
+packr: $(PACKR_BIN)
+	packr
+
+.PHONY: build
+build: packr
+	go build -o kube-linter ./cmd/kubelinter

cmd/kubelinter/kube-linter.go

@@ -2,8 +2,17 @@ package main
 
 import (
 	"fmt"
+	"os"
+
+	"golang.stackrox.io/kube-linter/internal/command/root"
+	// Register templates
+	_ "golang.stackrox.io/kube-linter/internal/templates/all"
 )
 
 func main() {
-	fmt.Println("This is kube-linter. It does not do anything yet!")
+	c := root.Command()
+	if err := c.Execute(); err != nil {
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		os.Exit(1)
+	}
 }

go.mod

@@ -3,6 +3,17 @@ module golang.stackrox.io/kube-linter
 go 1.14
 
 require (
+	github.com/fatih/color v1.9.0
+	github.com/ghodss/yaml v1.0.0
+	github.com/gobuffalo/packr v1.30.1
 	github.com/golangci/golangci-lint v1.30.0
+	github.com/pkg/errors v0.9.1
+	github.com/spf13/cobra v1.0.0
+	github.com/stretchr/objx v0.2.0 // indirect
+	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
+	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 // indirect
 	honnef.co/go/tools v0.0.1-2020.1.5
+	k8s.io/api v0.19.1
+	k8s.io/apimachinery v0.19.1
+	k8s.io/client-go v0.19.0
 )

go.sum

@@ -0,0 +1,31 @@
+package builtinchecks
+
+import (
+	"github.com/ghodss/yaml"
+	"github.com/gobuffalo/packr"
+	"github.com/pkg/errors"
+	"golang.stackrox.io/kube-linter/internal/check"
+	"golang.stackrox.io/kube-linter/internal/checkregistry"
+)
+
+var (
+	box = packr.NewBox("./yamls")
+)
+
+// LoadInto loads built-in checks into the registry.
+func LoadInto(registry checkregistry.CheckRegistry) error {
+	for _, fileName := range box.List() {
+		contents, err := box.Find(fileName)
+		if err != nil {
+			return errors.Wrapf(err, "loading default check from %s", fileName)
+		}
+		var chk check.Check
+		if err := yaml.Unmarshal(contents, &chk); err != nil {
+			return errors.Wrapf(err, "unmarshaling default check from %s", fileName)
+		}
+		if err := registry.Register(&chk); err != nil {
+			return errors.Wrapf(err, "registering default check from %s", fileName)
+		}
+	}
+	return nil
+}

internal/builtinchecks/built_in_checks.go

@@ -0,0 +1,8 @@
+name: "env-var-secret"
+description: "Alert on objects using a secret in an environment variable"
+scope:
+  objectKinds:
+    - DeploymentLike
+template: "env-var"
+params:
+  name: ".*secret.*"

internal/builtinchecks/yamls/env-var-secret.yaml

@@ -0,0 +1,6 @@
+name: "privileged-container"
+description: "Alert on deployments with containers running in privileged mode"
+scope:
+  objectKinds:
+    - DeploymentLike
+template: "privileged"

internal/builtinchecks/yamls/privileged.yaml

@@ -0,0 +1,8 @@
+name: "required-label-owner"
+description: "Alert on objects without the 'owner' label"
+scope:
+  objectKinds:
+    - DeploymentLike
+template: "required-label"
+params:
+  key: "owner"

internal/builtinchecks/yamls/required-label-owner.yaml

@@ -0,0 +1,10 @@
+package check
+
+// A Check represents a single check. It is serializable.
+type Check struct {
+	Name        string            `json:"name"`
+	Description string            `json:"description"`
+	Scope       *ObjectKindsDesc  `json:"scope"`
+	Template    string            `json:"template"`
+	Params      map[string]string `json:"params,omitempty"`
+}