From d96188010723bb218b4694751464d2f20c2aefeb Mon Sep 17 00:00:00 2001
From: peefy
Date: Mon, 13 Nov 2023 22:40:30 +0800
Subject: [PATCH] feat: add more tekton modules

Signed-off-by: peefy
---
tekton-require-bundle/README.md | 7 +++++++
tekton-require-bundle/kcl.mod | 5 +++++
tekton-require-bundle/main.k | 9 +++++++++
tekton-require-namespace-pipeline-run/README.md | 7 +++++++
tekton-require-namespace-pipeline-run/kcl.mod | 5 +++++
tekton-require-namespace-pipeline-run/main.k | 8 ++++++++
tekton-require-securitycontext/README.md | 7 +++++++
tekton-require-securitycontext/kcl.mod | 5 +++++
tekton-require-securitycontext/main.k | 10 ++++++++++
9 files changed, 63 insertions(+)
create mode 100644 tekton-require-bundle/README.md
create mode 100644 tekton-require-bundle/kcl.mod
create mode 100644 tekton-require-bundle/main.k
create mode 100644 tekton-require-namespace-pipeline-run/README.md
create mode 100644 tekton-require-namespace-pipeline-run/kcl.mod
create mode 100644 tekton-require-namespace-pipeline-run/main.k
create mode 100644 tekton-require-securitycontext/README.md
create mode 100644 tekton-require-securitycontext/kcl.mod
create mode 100644 tekton-require-securitycontext/main.k
diff --git a/tekton-require-bundle/README.md b/tekton-require-bundle/README.md
new file mode 100644
index 00000000..3daeb5ba
--- /dev/null
+++ b/tekton-require-bundle/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`tekton-require-bundle` is a KCL validation module.
+
+## Resource
+
+The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/nginx-ingress/tekton-require-bundle)
diff --git a/tekton-require-bundle/kcl.mod b/tekton-require-bundle/kcl.mod
new file mode 100644
index 00000000..7bd07ec0
--- /dev/null
+++ b/tekton-require-bundle/kcl.mod
@@ -0,0 +1,5 @@
+[package]
+name = "tekton-require-bundle"
+edition = "*"
+version = "0.1.0"
+description = "`tekton-require-bundle` is a KCL validation module"
diff --git a/tekton-require-bundle/main.k b/tekton-require-bundle/main.k
new file mode 100644
index 00000000..8df48c84
--- /dev/null
+++ b/tekton-require-bundle/main.k
@@ -0,0 +1,9 @@
+validate = lambda item {
+ if item.kind in ["PipelineRun"]:
+ assert item.spec?.pipelineRef?.bundle, "A bundle is required."
+ elif item.kind in ["TaskeRun"]:
+ assert item.spec?.taskRef?.bundle, "A bundle is required."
+ item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]
diff --git a/tekton-require-namespace-pipeline-run/README.md b/tekton-require-namespace-pipeline-run/README.md
new file mode 100644
index 00000000..ebd481b4
--- /dev/null
+++ b/tekton-require-namespace-pipeline-run/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`tekton-require-namespace-pipeline-run` is a KCL validation module.
+
+## Resource
+
+The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/nginx-ingress/tekton-require-namespace-pipeline-run)
diff --git a/tekton-require-namespace-pipeline-run/kcl.mod b/tekton-require-namespace-pipeline-run/kcl.mod
new file mode 100644
index 00000000..05db8688
--- /dev/null
+++ b/tekton-require-namespace-pipeline-run/kcl.mod
@@ -0,0 +1,5 @@
+[package]
+name = "tekton-require-namespace-pipeline-run"
+edition = "*"
+version = "0.1.0"
+description = "`tekton-require-namespace-pipeline-run` is a KCL validation module"
diff --git a/tekton-require-namespace-pipeline-run/main.k b/tekton-require-namespace-pipeline-run/main.k
new file mode 100644
index 00000000..ac7a9721
--- /dev/null
+++ b/tekton-require-namespace-pipeline-run/main.k
@@ -0,0 +1,8 @@
+validate = lambda item {
+ if item.kind in ["PipelineRun"]:
+ ns = item.metadata.namespace or "default"
+ assert ns != "default", "A namespace is required and may not be set to default."
+ item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]
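Review bot: The `elif` branch in tekton-require-bundle/main.k matches the kind `"TaskeRun"`, which looks like a typo for `TaskRun`, so TaskRun resources never reach the bundle assertion and pass the policy unchecked. Change it to `elif item.kind in ["TaskRun"]:`. A one-line comment above `validate` naming the two fields enforced (`spec.pipelineRef.bundle` for PipelineRun, `spec.taskRef.bundle` for TaskRun) would make the intended coverage visible, and a test case with a TaskRun lacking a bundle would have caught this.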
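Review bot: In tekton-require-namespace-pipeline-run/main.k, `item.metadata.namespace` is read without optional chaining, unlike the `?.` access used in the sibling modules of this patch. A PipelineRun submitted without a `metadata` block may then fail with an attribute error instead of the policy message, which makes the rejection harder to diagnose. Use `ns = item.metadata?.namespace or "default"` so that a missing namespace is always reported through the assertion.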
diff --git a/tekton-require-securitycontext/README.md b/tekton-require-securitycontext/README.md
new file mode 100644
index 00000000..f586a2ba
--- /dev/null
+++ b/tekton-require-securitycontext/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`tekton-require-securitycontext` is a KCL validation module.
+
+## Resource
+
+The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/nginx-ingress/tekton-require-securitycontext)
diff --git a/tekton-require-securitycontext/kcl.mod b/tekton-require-securitycontext/kcl.mod
new file mode 100644
index 00000000..0ff4f34a
--- /dev/null
+++ b/tekton-require-securitycontext/kcl.mod
@@ -0,0 +1,5 @@
+[package]
+name = "tekton-require-securitycontext"
+edition = "*"
+version = "0.1.0"
+description = "`tekton-require-securitycontext` is a KCL validation module"
diff --git a/tekton-require-securitycontext/main.k b/tekton-require-securitycontext/main.k
new file mode 100644
index 00000000..af97e83c
--- /dev/null
+++ b/tekton-require-securitycontext/main.k
@@ -0,0 +1,10 @@
+validate = lambda item {
+ if item.kind in ["TaskRun"]:
+ steps = [s for s in (item.status?.taskSpec?.steps or [] + item.spec?.steps or []) if s.name != digest-to-results]
+ assert all s in steps {
+ s.privileged == False and s.allowPrivilegeEscalation == False
+ }, "A securityContext is required with `privileged` and `allowPrivilegeEscalation` set to `false`."
+ item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]
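Review bot: On the `steps = ...` line of tekton-require-securitycontext/main.k, `digest-to-results` is unquoted, so it is parsed as a subtraction of three undefined names rather than a step name; it should be the string `"digest-to-results"`. On the same line `+` binds tighter than `or`, so `item.spec?.steps` is ignored whenever `status.taskSpec.steps` is non-empty; write `(item.status?.taskSpec?.steps or []) + (item.spec?.steps or [])`. The assertion also reads `s.privileged` and `s.allowPrivilegeEscalation` directly on the step, although the message speaks of a securityContext. Presumably it should be `s.securityContext?.privileged == False and s.securityContext?.allowPrivilegeEscalation == False`, which should be confirmed against the Tekton step schema. As written, the policy cannot be relied on to distinguish a hardened step from an unhardened one.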