Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(query): covered additional deprecated API versions in k8s rule #4830

Merged
merged 1 commit into from
Feb 15, 2022
Merged

fix(query): covered additional deprecated API versions in k8s rule #4830

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 19 additions & 5 deletions assets/queries/k8s/object_is_using_a_deprecated_api_version/query.rego
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,25 +10,39 @@ CxPolicy[result] {
"extensions/v1beta1": {
"Deployment": "apps/v1",
"DaemonSet": "apps/v1",
"Ingress": "apps/v1",
"ReplicaSet": "apps/v1",
"Ingress": "networking.k8s.io/v1",
"NetworkPolicy": "networking.k8s.io/v1",
},
"apps/v1beta1": {
"Deployment": "apps/v1",
"ReplicaSet": "apps/v1",
"StatefulSet": "apps/v1",
},
"apps/v1beta2": {
"Deployment": "apps/v1",
"DaemonSet": "apps/v1",
"ReplicaSet": "apps/v1",
"StatefulSet": "apps/v1",
},
"networking.k8s.io/v1beta1": {
"Ingress": "networking.k8s.io/v1",
"IngressClass": "networking.k8s.io/v1",
},
"rbac.authorization.k8s.io/v1beta1": {
"ClusterRole": "rbac.authorization.k8s.io/v1",
"ClusterRoleBinding": "rbac.authorization.k8s.io/v1",
"Role": "rbac.authorization.k8s.io/v1",
"RoleBinding": "rbac.authorization.k8s.io/v1",
},
Copy link
Contributor

@rafaela-soares rafaela-soares Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
},
"batch/v1beta1": {
"CronJob": "batch/v1",
},
"policy/v1beta1": {
"PodDisruptionBudget": "policy/v1",
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very good suggestion, thank you! I also thought about these two additions but hesitated due to the fact that the substitutes for these deprecations were only introduced with Kubernetes v1.21. In other words, someone still running v1.20 would not be able to apply the recommended version without running into unforeseen issues. It seems that the 1.20 branch is also still maintained until 2022-02-28.

I'd therefore suggest to add the two deprecations you suggested only when 1.25 is released. Would you prefer having them added already now or would it be better to wait?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, you are right. It would be better to add it when 1.25 is released! Thank you so much 😊

}

common_lib.valid_key(recommendedVersions[document.apiVersion], document.kind)
result := {
"documentId": input.document[i].id,
"searchKey": sprintf("apiVersion=%s", [document.apiVersion]),
"documentId": document.id,
"searchKey": sprintf("apiVersion={{%s}}", [document.apiVersion]),
"issueType": "IncorrectValue",
"keyExpectedValue": sprintf("'apiVersion' should be %s", [recommendedVersions[document.apiVersion][document.kind]]),
"keyActualValue": sprintf("'apiVersion' is deprecated and is %s", [document.apiVersion]),
"keyExpectedValue": sprintf("metadata.name={{%s}}.apiVersion should be {{%s}}", [metadata.name, recommendedVersions[document.apiVersion][document.kind]]),
"keyActualValue": sprintf("metadata.name={{%s}}.apiVersion is deprecated and is {{%s}}", [metadata.name, document.apiVersion]),
}
}
18 changes: 0 additions & 18 deletions assets/queries/k8s/object_is_using_a_deprecated_api_version/test/negative.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,21 +54,3 @@ spec:
- name: optmount
hostPath:
path: /opt
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: minimal-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- http:
paths:
- path: /testpath
pathType: Prefix
backend:
service:
name: test
port:
number: 80
18 changes: 18 additions & 0 deletions assets/queries/k8s/object_is_using_a_deprecated_api_version/test/positive.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,3 +72,21 @@ spec:
name: test
port:
number: 80
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: minimal-ingress1
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- http:
paths:
- path: /testpath
pathType: Prefix
backend:
service:
name: test
port:
number: 80
5 changes: 5 additions & 0 deletions ...s/queries/k8s/object_is_using_a_deprecated_api_version/test/positive_expected_result.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,5 +13,10 @@
"queryName": "Object Is Using A Deprecated API Version",
"severity": "HIGH",
"line": 58
},
{
"queryName": "Object Is Using A Deprecated API Version",
"severity": "HIGH",
"line": 76
}
]