Merge pull request #4 from HighwayofLife/add-update-packages

Add new packages and Update all others
HighwayofLife · May 18, 2021 · 6b54ae0 · 6b54ae0
2 parents 32a6f1a + fe1ce3a
commit 6b54ae0
Show file tree

Hide file tree

Showing 4 changed files with 267 additions and 42 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,16 +1,48 @@
+v2.5
+----
+
+### Features 🚀 
+
+* 🚀  **[NEW]** Added **[Kubeconform](https://github.com/yannh/kubeconform)**, a Kubernetes manifests validation tool.
+
+It is inspired by, contains code from and is designed to stay close to Kubeval, but with the following improvements:
+
+* high performance: will validate & download manifests over multiple routines, caching downloaded files in memory
+* configurable list of remote, or local schemas locations, enabling validating Kubernetes custom resources (CRDs) and offline validation capabilities
+* uses by default a self-updating fork of the schemas registry maintained by the kubernetes-json-schema project - which guarantees up-to-date schemas for all recent versions of Kubernetes. 
+
+* 🚀  **[NEW]** Added **[Kubeaudit](https://github.com/Shopify/kubeaudit)**, a command line tool and a Go package to audit Kubernetes clusters for various different security concerns.
+
+### Updates 📝 
+* Update Python from 3.9.0 to 3.9.5 on Alpine 3.13
+* Update Kubectl from 1.19.3 to [v1.21.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.21.md), now installed via [Alpine package manager](https://pkgs.alpinelinux.org/package/edge/testing/x86_64/kubectl)
+* Update Yamllint from 1.25.0 to [1.26.0](https://github.com/adrienverge/yamllint/blob/master/CHANGELOG.rst#1260-2021-01-29)
+* Update Kustomize from 3.8.6 to [v4.1.0](https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv4.1.0)
+* Update OPA Conftest from 0.21.0 to [v0.25.0](https://github.com/open-policy-agent/conftest/releases/tag/v0.25.0)
+* Update Kube-Score to [v1.11.0](https://github.com/zegl/kube-score/releases/tag/v1.11.0)
+* Update Polaris to [3.2.1](https://github.com/FairwindsOps/polaris/releases/tag/3.2.1)
+* Update Kube-Linter to [0.2.1](https://github.com/stackrox/kube-linter/releases/tag/0.2.1)
+* Install Kubeconform [v0.4.7](https://github.com/yannh/kubeconform/releases/tag/v0.4.7)
+
+
 v2.4
 ----
-* 📝 Updated base Python to [v3.9.1-alpine3.12](https://hub.docker.com/layers/python/library/python/3.9.1/images/sha256-758539bea3c58d4b0bf09bfa97c633cd657599e58648f5eb791b25d95cb854c2?context=explore)
-* 📝 Updated Kubectl to [v1.20.0](https://github.com/kubernetes/kubectl/releases/tag/kubernetes-1.20.2)
-* 📝 Updated Kubeval to [v1.15.0](https://github.com/instrumenta/kubeval/releases/tag/0.15.0)
-* 📝 Updated YAMLLint to [v1.25.0](https://pypi.org/project/yamllint/)
-* 📝 Updated Kustomize to [v3.9.2](https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv3.9.2)
-* 📝 Updated Conftest to [v0.23.0](https://github.com/open-policy-agent/conftest/releases/tag/v0.23.0)
-* 📝 Updated Config-Lint to [v1.6.0](https://github.com/stelligent/config-lint/releases/tag/v1.6.0)
+* 🚀 **[NEW]** Added [Kube-Score](https://github.com/zegl/kube-score), a tool that performs static code analysis of your Kubernetes object definitions. The output is a list of recommendations of what you can improve to make your application more secure and resilient.
+* 🚀 **[NEW]** Added [Polaris](https://github.com/FairwindsOps/polaris), Polaris runs a variety of checks to ensure that Kubernetes pods and controllers are configured using best practices. Polaris is included as a CLI tool to test local YAML files, e.g. as part of a CI/CD process.
+* 🚀 **[NEW]** Added [Kube Linter](https://github.com/stackrox/kube-linter), a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices. KubeLinter accepts YAML files as input and runs a series of checks on them. If it finds any issues, it reports them and returns a non-zero exit code.
+
+### Updates
+* 📝 Updated Python from 3.8.4 to 3.9.0
+* 📝 Updated Kubectl from 1.18.6 to 1.19.3
+* 📝 Updated Yamllint from 1.24.2 to 1.25.0
+* 📝 Updated Kustomize from 3.8.1 to 3.8.6
+* 📝 Updated Conftest from 0.20.0 to 0.21.0
 
 v2.3
 ----
-* 🚀 [NEW] Added [Config-lint](https://stelligent.github.io/config-lint/#/?id=%f0%9f%94%8d-config-lint-%f0%9f%94%8e), A CLI tool to validate config files (JSON, Terraform, YAML + Kubernetes), using rules specified in YAML.
+* 🚀 **[NEW]** Added [Config-lint](https://stelligent.github.io/config-lint/#/?id=%f0%9f%94%8d-config-lint-%f0%9f%94%8e), A CLI tool to validate config files (JSON, Terraform, YAML + Kubernetes), using rules specified in YAML.
+
+### Updates
 * 📝 Updated Kubectl to [v1.18.6](https://kubernetes.io/docs/setup/release/notes/)
 * 📝 Updated YAMLLint to [v1.24.2](https://github.com/adrienverge/yamllint/blob/master/CHANGELOG.rst)
 * 📝 Updated Kustomize to [v3.8.1](https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv3.8.1)
@@ -23,6 +55,7 @@ v2.2
 v2.1
 ----
 
+### Updates
 * Updated base Python to 3.8.4-alpine3.12
 * Updated Kubectl to v1.18.5
 * Updated Kustomize to 3.8.0
@@ -32,10 +65,12 @@ v2.1
 v2.0
 ----
 
+* 🚀 **[NEW]** Added ConfTest v0.18.1
+
+### Updates
 * Updated base Python to v3.8.2-alpine3.11
 * Updated KubeCTL to v1.18.2
 * Updated KubeVal to v0.15
 * Updated YamlLint to v1.23
 * Updated Kustomize to v3.5.4
-* Added ConfTest v0.18.1
 
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -1,4 +1,40 @@
-Contributing
-============
+# Contributing to kubernetes-validation-tools
 
-To contribute to this project, open a pull-request with updates or new tools, or updates to docs as needed.
+👋 Hey, thanks for taking the time to contribute! Your help is appreciated.
+
+## How can I contribute?
+
+### Reporting bugs
+
+Bug reports are always welcome, and should be reported as a [GitHub issue](https://github.com/HighwayofLife/kubernetes-validation-tools/issues/new).
+
+
+### Feature requests
+
+Feature requests are always welcome, this should also be done as a [GitHub issue](https://github.com/HighwayofLife/kubernetes-validation-tools/issues/new).
+
+Describe the feature that you would like to see as clearly as possible.
+
+### Contributing code
+
+Code contributions are welcome as [GitHub Pull Requests](https://github.com/HighwayofLife/kubernetes-validation-tools/pulls).
+
+#### Good commit messages
+
+We try to use the same commit message format as [the Go programming language](https://golang.org/doc/contribute.html#commit_messages).
+
+Example of a good commit message:
+
+```
+kube-score: Update kube-score project to v1.2.3
+
+Fixes #79
+```
+
+The first line of the commit message should contain a short description of the change, prefixed by the primary affected package.
+
+Additional lines can be used if a longer explanation of the change is needed.
+
+Issues should be referenced with the syntax `Fixes #123` or `Updates #123` to track that this change is related to an issue.
+
+Make a change to the [CHANGELOG](CHANGELOG.md) to include a line item about your change, fix, or addition/feature.
diff --git a/Dockerfile b/Dockerfile
@@ -1,56 +1,81 @@
-FROM python:3.9.1-alpine3.12
+FROM python:3.9.5-alpine3.13
 # https://hub.docker.com/_/python
 
-ARG APP_VERSION=2.4
-
-# https://github.com/kubernetes/kubectl/releases
-ARG KUBECTL_VERSION=1.20.0
+ARG APP_VERSION=2.5
 
 # https://github.com/instrumenta/kubeval/releases
-ARG KUBEVAL_VERSION=0.15.0
-
-# https://pypi.org/project/yamllint/
-ARG YAMLLINT_VERSION=1.25.0
+ARG KUBEVAL_VERSION=0.16.1
 
 # https://github.com/kubernetes-sigs/kustomize/releases
-ARG KUSTOMIZE_VERSION=3.9.2
+ARG KUSTOMIZE_VERSION=4.1.0
 
 # https://github.com/open-policy-agent/conftest/releases
-ARG CONFTEST_VERSION=0.23.0
+ARG CONFTEST_VERSION=0.25.0
 
 # https://github.com/stelligent/config-lint/releases
 ARG CONFIG_LINT_VERSION=1.6.0
 
+# https://github.com/zegl/kube-score/releases
+ARG KUBE_SCORE_VERSION=1.11.0
+
+# https://github.com/FairwindsOps/polaris/releases
+ARG POLARIS_VERSION=3.2.1
+
+# https://github.com/stackrox/kube-linter/releases
+ARG KUBE_LINTER_VERSION=0.2.1
+
+# https://github.com/yannh/kubeconform/releases
+ARG KUBECONFORM_VERSION=0.4.7
+
+# https://github.com/Shopify/kubeaudit/releases
+ARG KUBEAUDIT_VERSION=0.14.0
+
 # split layers into distinct components
-RUN apk add --no-cache ca-certificates curl
+# Install yamllint and kubectl via the alpine packages repositories
+RUN apk add --no-cache --upgrade bash ca-certificates curl tar yamllint \
+  && apk add kubectl --no-cache --repository http://dl-3.alpinelinux.org/alpine/edge/testing/ --allow-untrusted
 
 # Install Kubeval
 RUN  mkdir /tmp/kubeval \
-    && curl -L -o /tmp/kubeval/kubeval.tar.gz \
-      https://github.com/instrumenta/kubeval/releases/download/${KUBEVAL_VERSION}/kubeval-linux-amd64.tar.gz \
-    && tar xf /tmp/kubeval/kubeval.tar.gz -C /tmp/kubeval \
-    && mv /tmp/kubeval/kubeval /usr/local/bin \
-    && chmod +x /usr/local/bin/kubeval \
-    && rm -rf /tmp/kubeval
-
-# Install yamllint
-RUN pip install yamllint==${YAMLLINT_VERSION} && \
-    rm -rf ~/.cache/pip
+  && curl -L -o /tmp/kubeval/kubeval.tar.gz \
+  https://github.com/instrumenta/kubeval/releases/download/v${KUBEVAL_VERSION}/kubeval-linux-amd64.tar.gz \
+  && tar -xzf /tmp/kubeval/kubeval.tar.gz -C /tmp/kubeval \
+  && mv /tmp/kubeval/kubeval /usr/local/bin \
+  && chmod +x /usr/local/bin/kubeval \
+  && rm -rf /tmp/kubeval
 
 # Install Kustomize
 RUN mkdir /tmp/kustomize \
   && curl -L -o /tmp/kustomize/kustomize.tar.gz \
   https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${KUSTOMIZE_VERSION}/kustomize_v${KUSTOMIZE_VERSION}_linux_amd64.tar.gz \
-  && tar xf /tmp/kustomize/kustomize.tar.gz -C /tmp/kustomize \
+  && tar -xzf /tmp/kustomize/kustomize.tar.gz -C /tmp/kustomize \
   && mv /tmp/kustomize/kustomize /usr/local/bin \
   && chmod +x /usr/local/bin/kustomize \
   && rm -rf /tmp/kustomize
 
+# Install KubeConform
+RUN mkdir /tmp/kubeconform \
+  && curl -L -o /tmp/kubeconform/kubeconform.tar.gz \
+  https://github.com/yannh/kubeconform/releases/download/v${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz \
+  && tar -xzf /tmp/kubeconform/kubeconform.tar.gz -C /tmp/kubeconform \
+  && mv /tmp/kubeconform/kubeconform /usr/local/bin \
+  && chmod +x /usr/local/bin/kubeconform \
+  && rm -rf /tmp/kubeconform
+
+# Install Kubeaudit
+RUN mkdir /tmp/kubeaudit \
+  && curl -L -o /tmp/kubeaudit/kubeaudit.tar.gz \
+  https://github.com/Shopify/kubeaudit/releases/download/v${KUBEAUDIT_VERSION}/kubeaudit_${KUBEAUDIT_VERSION}_linux_amd64.tar.gz \
+  && tar -xzf /tmp/kubeaudit/kubeaudit.tar.gz -C /tmp/kubeaudit \
+  && mv /tmp/kubeaudit/kubeaudit /usr/local/bin \
+  && chmod +x /usr/local/bin/kubeaudit \
+  && rm -rf /tmp/kubeaudit
+
 # Install Conftest (https://www.conftest.dev/)
 RUN mkdir /tmp/conftest \
   && curl -L -o /tmp/conftest/conftest.tar.gz \
   https://github.com/open-policy-agent/conftest/releases/download/v${CONFTEST_VERSION}/conftest_${CONFTEST_VERSION}_Linux_x86_64.tar.gz \
-  && tar xf /tmp/conftest/conftest.tar.gz -C /tmp/conftest \
+  && tar -xzf /tmp/conftest/conftest.tar.gz -C /tmp/conftest \
   && mv /tmp/conftest/conftest /usr/local/bin \
   && chmod +x /usr/local/bin/conftest \
   && rm -rf /tmp/conftest
@@ -59,13 +84,37 @@ RUN mkdir /tmp/conftest \
 RUN mkdir /tmp/config-lint \
   && curl -L -o /tmp/config-lint/config-lint.tar.gz \
   https://github.com/stelligent/config-lint/releases/download/v${CONFIG_LINT_VERSION}/config-lint_Linux_x86_64.tar.gz \
-  && tar xf /tmp/config-lint/config-lint.tar.gz -C /tmp/config-lint \
+  && tar -xzf /tmp/config-lint/config-lint.tar.gz -C /tmp/config-lint \
   && mv /tmp/config-lint/config-lint /usr/local/bin \
   && chmod +x /usr/local/bin/config-lint \
   && rm -rf /tmp/config-lint
 
-# Install Kubectl
-RUN curl -o /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl \
-    && chmod +x /usr/local/bin/kubectl
+# Install Kube Score (https://github.com/zegl/kube-score)
+RUN mkdir /tmp/kube-score \
+  && curl -L -o /tmp/kube-score/kube-score.tar.gz \
+  https://github.com/zegl/kube-score/releases/download/v${KUBE_SCORE_VERSION}/kube-score_${KUBE_SCORE_VERSION}_linux_amd64.tar.gz \
+  && tar -xzf /tmp/kube-score/kube-score.tar.gz -C /tmp/kube-score \
+  && mv /tmp/kube-score/kube-score /usr/local/bin \
+  && chmod +x /usr/local/bin/kube-score \
+  && rm -rf /tmp/kube-score
+
+# Install Polaris (https://github.com/FairwindsOps/polaris)
+RUN mkdir /tmp/polaris \
+  && curl -L -o /tmp/polaris/polaris.tar.gz \
+  https://github.com/FairwindsOps/polaris/releases/download/${POLARIS_VERSION}/polaris_${POLARIS_VERSION}_linux_amd64.tar.gz \
+  && tar -xzf /tmp/polaris/polaris.tar.gz -C /tmp/polaris \
+  && mv /tmp/polaris/polaris /usr/local/bin \
+  && chmod +x /usr/local/bin/polaris \
+  && rm -rf /tmp/polaris
+
+# Install Kube Linter (https://github.com/stackrox/kube-linter)
+RUN mkdir /tmp/kube-linter \
+  && curl -L -o /tmp/kube-linter/kube-linter.tar.gz \
+  https://github.com/stackrox/kube-linter/releases/download/${KUBE_LINTER_VERSION}/kube-linter-linux.tar.gz \
+  && tar -xzf /tmp/kube-linter/kube-linter.tar.gz -C /tmp/kube-linter \
+  && mv /tmp/kube-linter/kube-linter /usr/local/bin \
+  && chmod +x /usr/local/bin/kube-linter \
+  && rm -rf /tmp/kube-linter
+
+CMD ["/bin/bash"]
 
-CMD ["/bin/sh"]
diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
 Kubernetes Validation Tools
 ===========================
 
-Common validation and linting tools for structured configuration data, including Kubernetes YAML Manifests.
+An all-in-one collection of tools to run linting, common validation, static code analysis, security scanning, configuration tests, auditing, kustomize build, and dry run configuration for structured Kubernetes YAML Manifests. Designed to run in a CI (Continuious Integration) process as part of validation and testing, especially useful for Kubernetes clusters that are managed through GitOps.
 
 Why?
 ----
@@ -17,6 +17,36 @@ Grab the latest image from Docker hub: [Deck15/kubeval-tools](https://hub.docker
 docker run --rm -it deck15/kubeval-tools /bin/sh
 ```
 
+Ideally the kubeval-tools container should be used in a CI process to validate and lint Kubernetes configs and manifests. It's optimal to run these tools as part of a [GitOps](https://www.gitops.tech/) CI workflow.
+
+Tools List
+----------
+| Tool        | Version | Purpose    | Description                                                                       |
+|-------------|---------|------------|-----------------------------------------------------------------------------------|
+| Kubectl     | 1.21.1  | CLI        | Kubernetes CLI. Can be used with `--dry-run=client` to validate manifests         |
+| Yamllint    | 1.26.0  | Linter     | Basic linter for YAML files                                                       |
+| Kubeval     | 0.16.1  | Validation | Tool for validating a Kubernetes YAML manifests. Doesn't work with CRDs.          |
+| Kustomize   | 4.1.0   | Compile    | Template-free way to customize app configs. Useful to validate kustomize configs. |
+| Config Lint | 1.6.0   | Validation | Validate config files using custom rules specified in YAML.                       |
+| Conftest    | 0.25.0  | Tests      | Utility to help you write tests against structured configuration data.            |
+| Kube Score  | 1.11.0  | Security   | Tool that performs **static code analysis** of Kubernetes object definitions.     |
+| Polaris     | 3.2.1   | Validation | Identifies Kubernetes deployment configuration errors                             |
+| Kube Linter | 0.2.1   | Security   | Linter and Static analysis tool that checks Kubernetes manifests                  |
+| Kubeconform | 0.4.7   | Validation | Kubernetes manifests validation tool like Kubeval with CRD support                |
+| Kubeaudit   | 0.14.0  | Security   | Audit clusters or manifest files for security concerns                            |
+
+Kubeaudit
+---------
+[Kubeaudit](https://github.com/Shopify/kubeaudit) is a command line tool and a Go package to audit Kubernetes clusters for various different security concerns, such as:
+
+* run as non-root
+* use a read-only root filesystem
+* drop scary capabilities, don't add new ones
+* don't run privileged
+* and more!
+
+kubeaudit makes sure you deploy secure containers!
+
 KubeVal
 -------
 
@@ -61,3 +91,78 @@ Config-Lint
 config-lint -rules example-files/rules/kubernetes.yml example-files/config
 ```
 
+Kube-Score
+----------
+[Kube-Score](https://github.com/zegl/kube-score), a tool that performs static code analysis of your Kubernetes object definitions. The output is a list of recommendations of what you can improve to make your application more secure and resilient.
+
+kube-score can run in your CI/CD environment and will exit with exit code 1 if a critical error has been found. The trigger level can be changed to warning with the --exit-one-on-warning argument.
+
+The input to kube-score should be all applications that you deploy to the same namespace for the best result.
+
+#### Example with Helm
+```sh
+helm template my-app | kube-score score -
+```
+
+#### Example with Kustomize
+```sh
+kustomize build . | kube-score score -
+```
+
+#### Example with static YAMLs
+```sh
+kube-score score my-app/*.yaml
+kube-score score my-app/deployment.yaml my-app/service.yaml
+```
+
+Polaris
+-------
+[Polaris](https://github.com/FairwindsOps/polaris), Polaris runs a variety of checks to ensure that Kubernetes pods and controllers are configured using best practices. Polaris is included as a CLI tool to test local YAML files, e.g. as part of a CI/CD process.
+
+Polaris can be run in a few different modes:
+
+* As a dashboard, so you can audit what's running inside your cluster.
+* As a validating webhook, so you can automatically reject workloads that don't adhere to your organization's policies.
+* As a command-line tool, so you can test local YAML files, e.g. as part of a CI/CD process.
+
+You can run audits on the command line and see the output as JSON, YAML, or a raw score:
+
+```sh
+polaris audit --format yaml > report.yaml
+polaris audit --format score
+# 92
+```
+
+Audits can run against a local directory or YAML file rather than a cluster:
+```sh
+polaris audit --audit-path ./deploy/
+
+# or to use STDIN
+cat pod.yaml | polaris audit --audit-path -
+```
+You can also run the audit on a single resource instead of the entire cluster:
+
+```sh
+polaris audit --resource "nginx-ingress/Deployment.apps/v1/default-backend"
+```
+#### Running with CI/CD
+You can integrate Polaris into CI/CD for repositories containing infrastructure-as-code. For example, to fail if polaris detects any danger-level issues, or if the score drops below 90%:
+
+```sh
+polaris audit --audit-path ./deploy/ \
+  --set-exit-code-on-danger \
+  --set-exit-code-below-score 90
+```
+
+For more usage options for CLI, see the [Usage Doc](https://github.com/FairwindsOps/polaris/blob/master/docs/usage.md)
+
+Kube Linter
+-----------
+
+[Kube Linter](https://github.com/stackrox/kube-linter) is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices. KubeLinter accepts YAML files as input and runs a series of checks on them. If it finds any issues, it reports them and returns a non-zero exit code.
+
+
+Contributing
+------------
+
+PRs welcome! Check out the [CONTRIBUTING](CONTRIBUTING.md) Guidelines for more information.