diff --git a/tekton-require-bundle/README.md b/tekton-require-bundle/README.md
new file mode 100644
index 00000000..3daeb5ba
--- /dev/null
+++ b/tekton-require-bundle/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`tekton-require-bundle` is a KCL validation module.
+
+## Resource
+
+The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/nginx-ingress/tekton-require-bundle)
diff --git a/tekton-require-bundle/kcl.mod b/tekton-require-bundle/kcl.mod
new file mode 100644
index 00000000..7bd07ec0
--- /dev/null
+++ b/tekton-require-bundle/kcl.mod
@@ -0,0 +1,5 @@
+[package]
+name = "tekton-require-bundle"
+edition = "*"
+version = "0.1.0"
+description = "`tekton-require-bundle` is a KCL validation module"
diff --git a/tekton-require-bundle/main.k b/tekton-require-bundle/main.k
new file mode 100644
index 00000000..8df48c84
--- /dev/null
+++ b/tekton-require-bundle/main.k
@@ -0,0 +1,9 @@
+validate = lambda item {
+ if item.kind in ["PipelineRun"]:
+ assert item.spec?.pipelineRef?.bundle, "A bundle is required."
+ elif item.kind in ["TaskeRun"]:
+ assert item.spec?.taskRef?.bundle, "A bundle is required."
+ item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]
diff --git a/tekton-require-namespace-pipeline-run/README.md b/tekton-require-namespace-pipeline-run/README.md
new file mode 100644
index 00000000..ebd481b4
--- /dev/null
+++ b/tekton-require-namespace-pipeline-run/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`tekton-require-namespace-pipeline-run` is a KCL validation module.
+
+## Resource
+
+The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/nginx-ingress/tekton-require-namespace-pipeline-run)
diff --git a/tekton-require-namespace-pipeline-run/kcl.mod b/tekton-require-namespace-pipeline-run/kcl.mod
new file mode 100644
index 00000000..05db8688
--- /dev/null
+++ b/tekton-require-namespace-pipeline-run/kcl.mod
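Review bot: In tekton-require-bundle/main.k the `elif` branch tests `item.kind in ["TaskeRun"]`, a misspelling of `TaskRun`, so a TaskRun never enters that branch and is returned by `validate` without its `spec.taskRef.bundle` being asserted; only PipelineRun is actually gated. Change the branch to `elif item.kind in ["TaskRun"]:` so the module enforces what its name promises. A resource of any other kind falls through and is returned unchanged, which matches the other two modules in this commit and is presumably intended.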
@@ -0,0 +1,5 @@
+[package]
+name = "tekton-require-namespace-pipeline-run"
+edition = "*"
+version = "0.1.0"
+description = "`tekton-require-namespace-pipeline-run` is a KCL validation module"
diff --git a/tekton-require-namespace-pipeline-run/main.k b/tekton-require-namespace-pipeline-run/main.k
new file mode 100644
index 00000000..ac7a9721
--- /dev/null
+++ b/tekton-require-namespace-pipeline-run/main.k
@@ -0,0 +1,8 @@
+validate = lambda item {
+ if item.kind in ["PipelineRun"]:
+ ns = item.metadata.namespace or "default"
+ assert ns != "default", "A namespace is required and may not be set to default."
+ item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]
diff --git a/tekton-require-securitycontext/README.md b/tekton-require-securitycontext/README.md
new file mode 100644
index 00000000..f586a2ba
--- /dev/null
+++ b/tekton-require-securitycontext/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`tekton-require-securitycontext` is a KCL validation module.
+
+## Resource
+
+The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/nginx-ingress/tekton-require-securitycontext)
diff --git a/tekton-require-securitycontext/kcl.mod b/tekton-require-securitycontext/kcl.mod
new file mode 100644
index 00000000..0ff4f34a
--- /dev/null
+++ b/tekton-require-securitycontext/kcl.mod
@@ -0,0 +1,5 @@
+[package]
+name = "tekton-require-securitycontext"
+edition = "*"
+version = "0.1.0"
+description = "`tekton-require-securitycontext` is a KCL validation module"
diff --git a/tekton-require-securitycontext/main.k b/tekton-require-securitycontext/main.k
new file mode 100644
index 00000000..af97e83c
--- /dev/null
+++ b/tekton-require-securitycontext/main.k
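Review bot: In tekton-require-namespace-pipeline-run/main.k, `ns = item.metadata.namespace or "default"` is the one attribute lookup across these three modules that is not null-safe; a PipelineRun item with no `metadata` would presumably fail on that access with an evaluation error instead of the assertion message the module intends. Use `ns = item.metadata?.namespace or "default"` to match the `item.spec?.pipelineRef?.bundle` style used in tekton-require-bundle. The `or "default"` fallback is doing real work here — a missing namespace is folded into `"default"` so that the following assert rejects it — and deserves a line comment such as `# a missing namespace is treated as "default" so the assert below rejects it`.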
@@ -0,0 +1,10 @@
+validate = lambda item {
+ if item.kind in ["TaskRun"]:
+ steps = [s for s in (item.status?.taskSpec?.steps or [] + item.spec?.steps or []) if s.name != digest-to-results]
+ assert all s in steps {
+ s.privileged == False and s.allowPrivilegeEscalation == False
+ }, "A securityContext is required with `privileged` and `allowPrivilegeEscalation` set to `false`."
+ item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]
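Review bot: `if s.name != digest-to-results` compares the step name against an unquoted bare identifier chain, so it parses as the arithmetic `digest - to - results` over undefined names rather than against a string; the filter needs `s.name != "digest-to-results"`. The same line also combines `or` and `+` without parentheses, so `item.status?.taskSpec?.steps or [] + item.spec?.steps or []` groups as `steps or ([] + spec.steps) or []` and the spec steps are ignored whenever status steps are present; write `(item.status?.taskSpec?.steps or []) + (item.spec?.steps or [])`. The assertion body reads `s.privileged` and `s.allowPrivilegeEscalation` directly while the message says a `securityContext` is required; in a Tekton step those settings sit under the `securityContext` sub-object, so the intended check appears to be `s.securityContext?.privileged == False and s.securityContext?.allowPrivilegeEscalation == False`, to be confirmed against the step schema before merging.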