Step 9 - Linting Kubernetes Manifests

OpenShift Supply Chain

- Thomas Jungbauer Thomas Jungbauer ( Lastmod: 2024-05-08 ) - 5 min read

At this point we have checked our source code, verified that it has been signed and has no vulnerabilities, generated a SBOM and updated the Kubernetes manifests, that are responsible to deploy our application on OpenShift. As everything with OpenShift these Kubernetes objects are simple yaml files. In this step we will perform a linting on these files, to verify if they follow certain rules and best practices.

Goals

The goals of this step are:

  • Clone the Kubernetes manifest into a workspace

  • Create Tasks that perform the linting

  • WARN when the manifests do not follow best practices (we will not let the Task fail here, because I would need to modify all manifests)

What is linting

A linter is an analysis tool that verifies if your code has any errors, bugs or stylistic errors. SonarQube could be seen as such tool. We used it to scan our source code. For Kubernetes manifests we can use tools that check the yaml files against best practices or security. For example, it could notify you if you forgot to define resources or probes in your manifests.

Tools

In this step, I will use three linting tools. In no way, this means you need to use all three. I only use them for demonstration purposes. However, to lint your yaml files or Helm charts is a common practice you should consider.

For this demonstration I am leveraging:

In the end, you should choose the tool that fits best for you.

Manifests

The manifest we are going to use can be found at my GitHub repository: Securing Software Supply Chain. It is a fork and the original can be found here.

Prepare Pipeline

  1. Modify the TriggerTemplate and add a parameter LINTING_INFORM_ONLY that either sets the Tasks to inform or enforce (failing when linting does find issues). In addition, we define a new workspace, where we will download and store the Kubernetes manifests.

    spec:
  params:
...
    - description: Only inform on linting errors (Log) but do not actually fail
      name: lintingInformOnly (1)
  resourcetemplates:
...
      spec:
        params:
...
          - name: LINTING_INFORM_ONLY
            value: $(tt.params.lintingInformOnly)
...
       workspaces:
...
          - name: shared-data-manifests (2)
            volumeClaimTemplate:
              metadata:
                creationTimestamp: null
              spec:
                accessModes:
                  - ReadWriteOnce
                resources:
                  requests:
                    storage: 1Gi
              status: {}
    1New parameter to either inform only when linting is unsuccessful or to enforce that the Task will end with an error.
    2Workspace to download and store the yaml files.

  2. Update the TriggerBinding to set the values for the PipelineRun.

    spec:
  params:
...
    - name: lintingInformOnly (1)
      value: 'true'
    1Set the parameter to 'true'

  3. Update the Pipeline object. Here we will need to add the parameter and four Tasks (clone the Git Repo, KubeLinter, Yamllint and kube-score) as well as the workspace.

    spec:
  params:
...
    - name: LINTING_INFORM_ONLY (1)
      type: string
...
    - name: pull-manifests (2)
      params:
        - name: url
          value: $(params.MANIFEST_REPO)
        - name: revision
          value: $(params.MANIFEST_GIT_REF)
        - name: deleteExisting
          value: 'true'
      runAfter:
        - update-dev-manifest (3)
      taskRef:
        kind: ClusterTask (4)
        name: git-clone
      workspaces: (5)
        - name: output
          workspace: shared-data-manifests
    - name: kube-linter (6)
      params:
        - name: informLintingOnly (7)
          value: $(params.LINTING_INFORM_ONLY)
      runAfter:
        - pull-manifests (8)
      taskRef:
        kind: Task
        name: kube-linter
      workspaces:
        - name: repository
          workspace: shared-data-manifests
    - name: kube-score (9)
      params:
        - name: informLintingOnly
          value: $(params.LINTING_INFORM_ONLY)
      runAfter:
        - pull-manifests (10)
      taskRef:
        kind: Task
        name: kube-score
      workspaces:
        - name: repository (11)
          workspace: shared-data-manifests
    - name: yaml-lint (12)
      params:
        - name: informLintingOnly
          value: $(params.LINTING_INFORM_ONLY)
      runAfter:
        - pull-manifests (13)
      taskRef:
        kind: Task
        name: yaml-lint
      workspaces:
        - name: repository (14)
          workspace: shared-data-manifests
  workspaces:
...
    - name: shared-data-manifests
    1New parameter assigned to the Pipeline.
    2Task to clone the repository to the workspace.
    3Will run after the Pipeline has updated the manifests with the new image.
    4Is a child of the ClusterTask git-clone.
    5The workspace to clone the repository.
    6Task to execute KubeLinter.
    7Parameter to either enforce or inform only.
    8Will run after the repository has been cloned.
    9Task to execute kube-score.
    10Will run after the repository has been cloned.
    11Workspace where the cloned repository can be found.
    12Task to execute Yamllint.
    13Will run after the repository has been cloned.
    14Workspace where the cloned repository can be found.
Remember: It is not required to execute three different linter tools. It is only done as a showcase. I personally like KubeLinter. Choose whatever tool is suitable for you.

  1. Create the different Task objects for the linter tools. Each Task will execute a linter program and provides its very own Log.

I have created the image linter-image that contains the three required binaries. It is available at Quay.io and its original Dockerfile can be found here. Use it at your own risk :).

  1. KubeLinter

    apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: kube-linter
  namespace: ci
spec:
  description: >-
    Task to run KubeLinter and perform a linting of Kubernetes manifets.
  params:
    - default: 'false'
      name: informLintingOnly
      type: string
    - default: 'quay.io/tjungbau/linter-image:v1.0.2'
      name: linterImage
      type: string
  steps:
    - image: $(params.linterImage)
      name: kube-linter
      resources: {}
      script: >
        #!/usr/bin/env bash

        RC=0

        kube-linter lint /workspace/repository/. --config "/workspace/repository/.kube-linter.yaml" (1)

        if [ $? -gt 0 ]; then
          RC=1
        fi

        # We actually do not fail but inform only

        if [ "$(params.informLintingOnly)" = "true" ]; then
          echo "Informing only, task will not fail. Actual return code was $RC"
          exit 0;
        fi

        (exit $RC)
      workingDir: /workspace/repository
  workspaces:
    - name: repository
    1Execute kube-linter using the configuration stored in the repository.

  2. kube-score

    apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: kube-score
  namespace: ci
spec:
  description: >-
    Task to run kube-score and perform a linting of Kubernetes manifets.
  params:
    - default: 'false'
      name: informLintingOnly
      type: string
    - default: 'quay.io/tjungbau/linter-image:v1.0.2'
      name: linterImage
      type: string
  steps:
    - image: $(params.linterImage)
      name: kube-linter
      resources: {}
      script: >
        #!/usr/bin/env bash

        RC=0

        KUBESCORE_IGNORE_TESTS="${KUBESCORE_IGNORE_TESTS:-container-image-pull-policy,pod-networkpolicy}" (1)

        for i in `find . -name '*.yaml' -type f`;  do kube-score score
        --ignore-test ${KUBESCORE_IGNORE_TESTS} $i; let RC=RC+$?; done

        if [ $? -gt 0 ]; then
          RC=1
        fi

        # We actually do not fail but inform only

        if [ "$(params.informLintingOnly)" = "true" ]; then
          echo "Informing only, task will not fail. Actual return code was $RC"
          exit 0;
        fi

        (exit $RC)
      workingDir: /workspace/repository
  workspaces:
    - name: repository
    1Disable checks for Network Policies or image Pull policy for kube-score.

  3. Yammllint

    apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: yaml-lint
  namespace: ci
spec:
  description: >-
    Task to run yamllint and perform a linting of Kubernetes manifets.
  params:
    - default: 'false'
      name: informLintingOnly
      type: string
    - default: 'quay.io/tjungbau/linter-image:v1.0.2'
      name: linterImage
      type: string
  steps:
    - image: $(params.linterImage)
      name: yaml-lint
      resources: {}
      script: |
        #!/usr/bin/env bash

        for files in `find . -type f -name '*.yaml'`; do (1)
          yamllint -c /workspace/repository/.yamllint.yaml ${files}; let var=var+$?
        done

        # We actually do not fail but inform only

        if [ "$(params.informLintingOnly)" = "true" ]; then
          echo "Informing only, task will not fail. Actual return code was $var"
          exit 0;
        fi

        (exit $var)
      workingDir: /workspace/repository
  workspaces:
    - name: repository
    1Execute kube-linter using the configuration stored in the repository.

Execute the Pipeline

The Pipeline now looks like this:

Pipeline Details
Figure 1. Pipeline Details

Remember, you typically need only one linter tool, not three different ones. Since we inform only you will see some errors in the logs. For example, for kube-linter:

Kube-Linter Results
Figure 2. Kube-Linter Results

Summary

Now, all our yaml manifests have been linted, with three different tools. And because we do not fail at this stage, we can continue. The next steps will be some deployment checks.

Since everything is done using Argo CD and the manifests have been updated during the step "update-manifest", the changes will be most likely already deployed. Even if the linting-step comes later and might even fail. This is fine because we first deploy on a DEV environment. So, if linting fails, it will prohibit the rollout to production, while some application testing can still be done on DEV.

See Also:

  • Introducing AdminNetworkPolicies

    Classic Kubernetes/OpenShift offer a feature called NetworkPolicy that allows users to control the traffic to and from their assigned Namespace. NetworkPolicies are designed to give project owners or tenants the ability to protect their own namespace. Sometimes, however, I worked with customers where the cluster administrators or a dedicated (network) team need to enforce these policies. Since the NetworkPolicy API is namespace-scoped, it is not possible to enforce policies across namespaces. The only solution was to create custom (project) admin and edit roles, and remove the ability of creating, modifying or deleting NetworkPolicy objects. Technically, this is possible and easily done. But shifts the whole network security to cluster administrators. Luckily, this is where AdminNetworkPolicy (ANP) and BaselineAdminNetworkPolicy (BANP) comes into play.

  • Using Kustomize to post render a Helm Chart

    Lately I came across several issues where a given Helm Chart must be modified after it has been rendered by Argo CD. Argo CD does a helm template to render a Chart. Sometimes, especially when you work with Subcharts or when a specific setting is not yet supported by the Chart, you need to modify it later …​ you need to post-render the Chart. In this very short article, I would like to demonstrate this on a real-live example I had to do. I would like to inject annotations to a Route objects, so that the certificate can be injected. This is done by the cert-utils operator. For the post-rendering the Argo CD repo pod will be extended with a sidecar container, that is watching for the repos and patches them if required.

  • Managing Certificates using GitOps approach

    The article SSL Certificate Management for OpenShift on AWS explains how to use the Cert-Manager Operator to request and install a new SSL Certificate. This time, I would like to leverage the GitOps approach using the Helm Chart cert-manager I have prepared to deploy the Operator and order new Certificates. I will use an ACME Letsencrypt issuer with a DNS challenge. My domain is hosted at AWS Route 53. However, any other integration can be easily used.

  • Update Cluster Version using GitOps approach

    During a GitOps journey at one point, the question arises, how to update a cluster? Nowadays it is very easy to update a cluster using CLI or WebUI, so why bother with GitOps in that case? The reason is simple: Using GitOps you can be sure that all clusters are updated to the correct, required version and the version of each cluster is also managed in Git. All you need is the channel you want to use and the desired cluster version. Optionally, you can define the exact image SHA. This might be required when you are operating in a restricted environment.

  • Multiple Sources for Applications in Argo CD

    Argo CD or OpenShift GitOps uses Applications or ApplicationSets to define the relationship between a source (Git) and a cluster. Typically, this is a 1:1 link, which means one Application is using one source to compare the cluster status. This can be a limitation. For example, if you are working with Helm Charts and a Helm repository, you do not want to re-build (or re-release) the whole chart just because you made a small change in the values file that is packaged into the repository. You want to separate the configuration of the chart with the Helm package. The most common scenarios for multiple sources are (see: Argo CD documentation): Your organization wants to use an external/public Helm chart You want to override the Helm values with your own local values You don’t want to clone the Helm chart locally as well because that would lead to duplication and you would need to monitor it manually for upstream changes. This small article describes three different ways with a working example and tries to cover the advantages and disadvantages of each of them. They might be opinionated but some of them proved to be easier to use and manage.

Copyright © 2020 - 2024 Toni Schmidbauer & Thomas Jungbauer