From aecea7bbd4556082b64c193290d967f47afed198 Mon Sep 17 00:00:00 2001 From: derailed Date: Sat, 9 Mar 2024 10:33:11 -0700 Subject: [PATCH 1/4] [Maint] bump k8s rev --- .gitignore | 1 + go.mod | 89 ++++++++++++++---- go.sum | 263 +++++++++++++++++++++++++++++++++++++++++++++-------- 3 files changed, 295 insertions(+), 58 deletions(-)
diff --git a/.gitignore b/.gitignore
index 85bc3194..98c447bd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,3 +19,4 @@ popeye
 spinach.yml
 /kind
 /spinach-me
+__debug_bin*
diff --git a/go.mod b/go.mod
index 47eac6e3..7f24f57a 100644
--- a/go.mod
+++ b/go.mod
@@ -5,81 +5,134 @@ go 1.21.1
 require (
 github.com/aws/aws-sdk-go v1.35.21
 github.com/blang/semver/v4 v4.0.0
+ github.com/cilium/cilium v1.15.1
 github.com/fvbommel/sortorder v1.0.1
 github.com/hashicorp/go-memdb v1.3.4
 github.com/prometheus/client_golang v1.17.0
 github.com/prometheus/common v0.45.0
 github.com/rs/zerolog v1.18.0
- github.com/spf13/cobra v1.7.0
+ github.com/spf13/cobra v1.8.0
 github.com/stretchr/testify v1.8.4
 github.com/xeipuuv/gojsonschema v1.2.0
- golang.org/x/net v0.17.0
+ golang.org/x/net v0.19.0
 gopkg.in/yaml.v2 v2.4.0
 gopkg.in/yaml.v3 v3.0.1
- k8s.io/api v0.29.0
- k8s.io/apimachinery v0.29.0
- k8s.io/cli-runtime v0.29.0
- k8s.io/client-go v0.29.0
- k8s.io/metrics v0.29.0
- sigs.k8s.io/gateway-api v1.0.0
+ k8s.io/api v0.29.2
+ k8s.io/apimachinery v0.29.2
+ k8s.io/cli-runtime v0.29.2
+ k8s.io/client-go v0.29.2
+ k8s.io/metrics v0.29.2
+ sigs.k8s.io/gateway-api v1.0.1-0.20231102234152-004e14bfe016
 sigs.k8s.io/yaml v1.4.0
 )

 require (
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
+ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/cespare/xxhash/v2 v2.2.0 // indirect
- github.com/davecgh/go-spew v1.1.1 // indirect
+ github.com/cilium/ebpf v0.12.3 // indirect
+ github.com/cilium/proxy v0.0.0-20231031145409-f19708f3d018 // indirect
+ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 github.com/evanphx/json-patch v5.7.0+incompatible // indirect
+ github.com/fsnotify/fsnotify v1.7.0 // indirect
 github.com/go-errors/errors v1.4.2 // indirect
 github.com/go-logr/logr v1.3.0 // indirect
+ github.com/go-logr/stdr v1.2.2 // indirect
+ github.com/go-ole/go-ole v1.2.6 // indirect
+ github.com/go-openapi/analysis v0.21.4 // indirect
+ github.com/go-openapi/errors v0.20.4 // indirect
 github.com/go-openapi/jsonpointer v0.20.0 // indirect
 github.com/go-openapi/jsonreference v0.20.2 // indirect
+ github.com/go-openapi/loads v0.21.2 // indirect
+ github.com/go-openapi/runtime v0.26.2 // indirect
+ github.com/go-openapi/spec v0.20.11 // indirect
+ github.com/go-openapi/strfmt v0.21.9 // indirect
 github.com/go-openapi/swag v0.22.4 // indirect
+ github.com/go-openapi/validate v0.22.3 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
+ github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 github.com/golang/protobuf v1.5.3 // indirect
 github.com/google/btree v1.0.1 // indirect
 github.com/google/gnostic-models v0.6.8 // indirect
 github.com/google/go-cmp v0.6.0 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
+ github.com/google/gopacket v1.1.19 // indirect
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
- github.com/google/uuid v1.3.1 // indirect
+ github.com/google/uuid v1.4.0 // indirect
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
- github.com/hashicorp/go-immutable-radix v1.3.0 // indirect
+ github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 github.com/hashicorp/golang-lru v0.5.4 // indirect
+ github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
+ github.com/hashicorp/hcl v1.0.0 // indirect
 github.com/imdario/mergo v0.3.16 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
 github.com/jmespath/go-jmespath v0.4.0 // indirect
 github.com/josharian/intern v1.0.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
+ github.com/kr/pretty v0.3.1 // indirect
+ github.com/kr/text v0.2.0 // indirect
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
+ github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
+ github.com/magiconair/properties v1.8.7 // indirect
 github.com/mailru/easyjson v0.7.7 // indirect
 github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
+ github.com/mitchellh/mapstructure v1.5.0 // indirect
 github.com/moby/term v0.0.0-20221205130635-1aeaba878587 // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 github.com/modern-go/reflect2 v1.0.2 // indirect
 github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+ github.com/oklog/ulid v1.3.1 // indirect
+ github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
+ github.com/pelletier/go-toml/v2 v2.1.0 // indirect
 github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
+ github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 // indirect
 github.com/pkg/errors v0.9.1 // indirect
- github.com/pmezard/go-difflib v1.0.0 // indirect
+ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+ github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
 github.com/prometheus/client_model v0.5.0 // indirect
 github.com/prometheus/procfs v0.12.0 // indirect
+ github.com/rogpeppe/go-internal v1.11.0 // indirect
+ github.com/sagikazarmark/locafero v0.4.0 // indirect
+ github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+ github.com/sasha-s/go-deadlock v0.3.1 // indirect
+ github.com/shirou/gopsutil/v3 v3.23.2 // indirect
+ github.com/sirupsen/logrus v1.9.3 // indirect
+ github.com/sourcegraph/conc v0.3.0 // indirect
+ github.com/spf13/afero v1.11.0 // indirect
+ github.com/spf13/cast v1.6.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
+ github.com/spf13/viper v1.18.1 // indirect
+ github.com/subosito/gotenv v1.6.0 // indirect
+ github.com/tklauser/go-sysconf v0.3.11 // indirect
+ github.com/tklauser/numcpus v0.6.0 // indirect
+ github.com/vishvananda/netlink v1.2.1-beta.2.0.20231127184239-0ced8385386a // indirect
+ github.com/vishvananda/netns v0.0.4 // indirect
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 github.com/xlab/treeprint v1.2.0 // indirect
+ github.com/yusufpapurcu/wmi v1.2.3 // indirect
+ go.mongodb.org/mongo-driver v1.13.1 // indirect
+ go.opentelemetry.io/otel v1.21.0 // indirect
+ go.opentelemetry.io/otel/metric v1.21.0 // indirect
+ go.opentelemetry.io/otel/trace v1.21.0 // indirect
 go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
- golang.org/x/oauth2 v0.13.0 // indirect
- golang.org/x/sync v0.3.0 // indirect
- golang.org/x/sys v0.13.0 // indirect
- golang.org/x/term v0.13.0 // indirect
- golang.org/x/text v0.13.0 // indirect
- golang.org/x/time v0.3.0 // indirect
+ go.uber.org/dig v1.17.1 // indirect
+ go.uber.org/multierr v1.11.0 // indirect
+ go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
+ golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb // indirect
+ golang.org/x/oauth2 v0.15.0 // indirect
+ golang.org/x/sync v0.5.0 // indirect
+ golang.org/x/sys v0.15.0 // indirect
+ golang.org/x/term v0.15.0 // indirect
+ golang.org/x/text v0.14.0 // indirect
+ golang.org/x/time v0.5.0 // indirect
 google.golang.org/appengine v1.6.8 // indirect
 google.golang.org/protobuf v1.31.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
+ gopkg.in/ini.v1 v1.67.0 // indirect
 k8s.io/klog/v2 v2.110.1 // indirect
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
diff --git a/go.sum b/go.sum
index 49f56512..a84620c9 100644
--- a/go.sum
+++ b/go.sum
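Review bot: In the go.mod hunk, `github.com/cilium/cilium v1.15.1` enters the direct `require` block under a subject that only announces a k8s bump, and it appears to be what pulls in most of the new indirect modules in the second block (`cilium/ebpf`, `vishvananda/netlink`, `go-openapi/runtime`, `mongo-driver`, `spf13/viper`, …); a dependency-surface change of that size deserves its own commit with a line of rationale. The same hunk also replaces tagged releases with pseudo-versions pinned to untagged commits: `sigs.k8s.io/gateway-api v1.0.1-0.20231102234152-004e14bfe016`, `davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc` and `pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2`. These are presumably forced by cilium's own requirements, but that should be confirmed rather than assumed. If it holds, I would record it on the direct pin, e.g. `// pseudo-version required by cilium v1.15.1; return to a tagged release when one is available`, and run `go mod tidy`, `go mod verify` and `govulncheck ./...` on the resulting module graph before merging.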
@@ -1,7 +1,12 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= +github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= +github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/aws/aws-sdk-go v1.35.21 h1:6cMeHzcca+0uweOpUonDYv4DsPp9Qa9PTMYxH+VqDkY= github.com/aws/aws-sdk-go v1.35.21/go.mod h1:tlPOdRjfxPBpNIwqDj61rmsnA85v9jc0Ps9+muhnW+k= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 
@@ -9,45 +14,94 @@ github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6r github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g= +github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/cilium/checkmate v1.0.3 h1:CQC5eOmlAZeEjPrVZY3ZwEBH64lHlx9mXYdUehEwI5w= +github.com/cilium/checkmate v1.0.3/go.mod h1:KiBTasf39/F2hf2yAmHw21YFl3hcEyP4Yk6filxc12A= +github.com/cilium/cilium v1.15.1 h1:RnNgjVFmu7MgSs3rJXo/8Js/2Fv7q3sJ+DLQcudSJc8= +github.com/cilium/cilium v1.15.1/go.mod h1:MJ6X0Qo3Hem2CP+yCcVI5EDcvh4yT6+2cq55A6AKpnA= +github.com/cilium/ebpf v0.12.3 h1:8ht6F9MquybnY97at+VDZb3eQQr8ev79RueWeVaEcG4= +github.com/cilium/ebpf v0.12.3/go.mod h1:TctK1ivibvI3znr66ljgi4hqOT8EYQjz1KWBfb1UVgM= +github.com/cilium/proxy v0.0.0-20231031145409-f19708f3d018 h1:R/QlThqx099hS6req1k2Q87fvLSRgCEicQGate9vxO4= +github.com/cilium/proxy v0.0.0-20231031145409-f19708f3d018/go.mod h1:p044XccCmONGIUbx3bJ7qvHXK0RcrdvIvbTGiu/RjUA= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4 
h1:/inchEIKaYC1Akx+H+gqO04wryn5h75LSazbRlnya1k= +github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/envoyproxy/protoc-gen-validate v1.0.2 h1:QkIBuU5k+x7/QXPvPPnWXWlCdaBFApVqftFV6k087DA= +github.com/envoyproxy/protoc-gen-validate v1.0.2/go.mod h1:GpiZQP3dDbg4JouG/NNS7QWXpgx6x8QiMKdmN72jogE= github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI= github.com/evanphx/json-patch v5.7.0+incompatible/go.mod 
h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= +github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= +github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= +github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= github.com/fvbommel/sortorder v1.0.1 h1:dSnXLt4mJYH25uDDGa3biZNQsozaUWDSWeKJ0qqFfzE= github.com/fvbommel/sortorder v1.0.1/go.mod h1:uk88iVf1ovNn1iLfgUVU2F9o5eO30ui720w+kxuqRs0= github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA= github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= +github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= +github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY= +github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= +github.com/go-openapi/analysis v0.21.4 h1:ZDFLvSNxpDaomuCueM0BlSXxpANBlFYiBvr+GXrvIHc= +github.com/go-openapi/analysis v0.21.4/go.mod h1:4zQ35W4neeZTqh3ol0rv/O8JBbka9QyAgQRPp9y3pfo= +github.com/go-openapi/errors v0.20.2/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= +github.com/go-openapi/errors v0.20.4 h1:unTcVm6PispJsMECE3zWgvG4xTiKda1LIR5rCRWLG6M= +github.com/go-openapi/errors v0.20.4/go.mod h1:Z3FlZ4I8jEGxjUK+bugx3on2mIAk4txuAOhlsB1FSgk= +github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= 
github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= github.com/go-openapi/jsonpointer v0.20.0 h1:ESKJdU9ASRfaPNOPRx12IUyA1vn3R9GiE3KYD14BXdQ= github.com/go-openapi/jsonpointer v0.20.0/go.mod h1:6PGzBjjIIumbLYysB73Klnms1mwnU4G3YHOECG3CedA= +github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo= github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/loads v0.21.2 h1:r2a/xFIYeZ4Qd2TnGpWDIQNcP80dIaZgf704za8enro= +github.com/go-openapi/loads v0.21.2/go.mod h1:Jq58Os6SSGz0rzh62ptiu8Z31I+OTHqmULx5e/gJbNw= +github.com/go-openapi/runtime v0.26.2 h1:elWyB9MacRzvIVgAZCBJmqTi7hBzU0hlKD4IvfX0Zl0= +github.com/go-openapi/runtime v0.26.2/go.mod h1:O034jyRZ557uJKzngbMDJXkcKJVzXJiymdSfgejrcRw= +github.com/go-openapi/spec v0.20.6/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA= +github.com/go-openapi/spec v0.20.11 h1:J/TzFDLTt4Rcl/l1PmyErvkqlJDncGvPTMnCI39I4gY= +github.com/go-openapi/spec v0.20.11/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA= +github.com/go-openapi/strfmt v0.21.3/go.mod h1:k+RzNO0Da+k3FrrynSNN8F7n/peCmQQqbbXjtDfvmGg= +github.com/go-openapi/strfmt v0.21.9 h1:LnEGOO9qyEC1v22Bzr323M98G13paIUGPU7yeJtG9Xs= +github.com/go-openapi/strfmt v0.21.9/go.mod h1:0k3v301mglEaZRJdDDGSlN6Npq4VMVU69DE0LUyf7uA= +github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= +github.com/go-openapi/swag v0.21.1/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-openapi/swag v0.22.4 h1:QLMzNJnMGPRNDCbySlcj1x01tzU8/9LTTL9hZZZogBU= github.com/go-openapi/swag v0.22.4/go.mod 
h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-openapi/validate v0.22.3 h1:KxG9mu5HBRYbecRb37KRCihvGGtND2aXziBAv0NNfyI= +github.com/go-openapi/validate v0.22.3/go.mod h1:kVxh31KbfsxU8ZyoHaDbLBWU5CnMdqBUEtadQ2G4d5M= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= @@ -61,6 +115,7 @@ github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaS github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4= github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= 
@@ -71,23 +126,29 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8= +github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= -github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= -github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.1.1/go.mod 
h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4= +github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= -github.com/hashicorp/go-immutable-radix v1.3.0 h1:8exGP7ego3OmkfksihtSouGMZ+hQrhxx+FVELeXpVPE= github.com/hashicorp/go-immutable-radix v1.3.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc= +github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-memdb v1.3.4 h1:XSL3NR682X/cVk2IeV0d70N4DZ9ljI885xAEU8IoK3c= github.com/hashicorp/go-memdb v1.3.4/go.mod h1:uBTr1oQbtuMgd1SSGoR8YV27eT3sBHbYiNm53bMpgSg= github.com/hashicorp/go-uuid v1.0.0 h1:RS8zrF7PhGwyNPOtxSClXXj9HA8feRnJzgnI1RJCSnM= 
@@ -95,6 +156,10 @@ github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/b github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k= +github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM= +github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= @@ -109,6 +174,8 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= 
@@ -118,10 +185,21 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= +github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4= +github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I= +github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY= +github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= +github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg= github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k= +github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= +github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/moby/term v0.0.0-20221205130635-1aeaba878587 
h1:HfkjXDfhgVaN5rmueG8cL8KKeFNecRCXFhaJ2qZ5SKA= github.com/moby/term v0.0.0-20221205130635-1aeaba878587/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 
@@ -131,19 +209,34 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0= github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4= +github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= +github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= +github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= +github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= -github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg= -github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= +github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b h1:FfH+VrHHk6Lxt9HdVS0PXzSXFyS2NbZKXv33FYPol0A= +github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b/go.mod h1:AC62GU6hc0BrNm+9RK9VSiwa/EUe1bkIeFORAMcHvJU= +github.com/pelletier/go-toml/v2 v2.1.0 
h1:FnwAJ4oYMvbT/34k9zzHuZNrhlz48GB3/s6at6/MHO4= +github.com/pelletier/go-toml/v2 v2.1.0/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 h1:q2e307iGHPdTGp0hoxKjt1H5pDo6utceo3dQVK3I5XQ= +github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5/go.mod h1:jvVRKCrJTQWu0XVbaOlby/2lO20uSCHEMzzplHXte1o= +github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw= +github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE= github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q= github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= 
@@ -153,29 +246,67 @@ github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lne github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY= github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= -github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= -github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= +github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= +github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= +github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ= github.com/rs/zerolog v1.18.0 h1:CbAm3kP2Tptby1i9sYy2MGRg0uxIN9cyDb59Ys7W8z8= github.com/rs/zerolog v1.18.0/go.mod h1:9nvC1axdVrAHcu/s9taAVfBuIdTZLVQmKQyvrUjF5+I= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6keLGt6kNQ= +github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4= +github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE= +github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ= +github.com/sasha-s/go-deadlock v0.3.1 h1:sqv7fDNShgjcaxkO0JNcOAlr8B9+cV5Ey/OB71efZx0= +github.com/sasha-s/go-deadlock v0.3.1/go.mod h1:F73l+cr82YSh10GxyRI6qZiCgK64VaZjwesgfQ1/iLM= github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= -github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= 
-github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= +github.com/shirou/gopsutil/v3 v3.23.2 h1:PAWSuiAszn7IhPMBtXsbSCafej7PqUOvY6YywlQUExU= +github.com/shirou/gopsutil/v3 v3.23.2/go.mod h1:gv0aQw33GLo3pG8SiWKiQrbDzbRY1K80RyZJ7V4Th1M= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo= +github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0= +github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= +github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY= +github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0= +github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= +github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= +github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.18.1 h1:rmuU42rScKWlhhJDyXZRKJQHXFX02chSVW1IvkPGiVM= +github.com/spf13/viper v1.18.1/go.mod h1:EKmWIqdnk5lOcmR72yw6hS+8OPYcwD0jteitLMVB+yk= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify 
v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= +github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= +github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= +github.com/tklauser/go-sysconf v0.3.11 h1:89WgdJhk5SNwJfu+GKyYveZ4IaJ7xAkecBo+KdJV0CM= +github.com/tklauser/go-sysconf v0.3.11/go.mod h1:GqXfhXY3kiPa0nAXPDIQIWzJbMCB7AmcWpGR8lSZfqI= +github.com/tklauser/numcpus v0.6.0 h1:kebhY2Qt+3U6RNK7UqpYNA+tJ23IBEGKkB7JQBfDYms= +github.com/tklauser/numcpus v0.6.0/go.mod h1:FEZLMke0lhOUG6w2JadTzp0a+Nl8PF/GFkQ5UVIcaL4= +github.com/vishvananda/netlink v1.2.1-beta.2.0.20231127184239-0ced8385386a h1:PdKmLjqKUM8AfjGqDbrF/C56RvuGFDMYB0Z+8TMmGpU= +github.com/vishvananda/netlink v1.2.1-beta.2.0.20231127184239-0ced8385386a/go.mod h1:whJevzBpTrid75eZy99s3DqCmy05NfibNaF2Ol5Ox5A= +github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0= +github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8= +github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM= +github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= +github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g= +github.com/xdg-go/scram v1.1.2/go.mod 
h1:RT/sEzTbU5y00aCK8UOx6R7YryM0iF1N2MOmC3kKLN4= +github.com/xdg-go/stringprep v1.0.3/go.mod h1:W3f5j4i+9rC0kuIEJL0ky1VpHXQU3ocBgklLGvcBnW8= +github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= 
@@ -184,20 +315,48 @@ github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= +github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= +github.com/yusufpapurcu/wmi v1.2.3 h1:E1ctvB7uKFMOJw3fdOW32DwGE9I7t++CRUEMKvFoFiw= +github.com/yusufpapurcu/wmi v1.2.3/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q= +go.mongodb.org/mongo-driver v1.10.0/go.mod h1:wsihk0Kdgv8Kqu1Anit4sfK+22vSFbUrAVEYRhCXrA8= +go.mongodb.org/mongo-driver v1.13.1 h1:YIc7HTYsKndGK4RFzJ3covLz1byri52x0IoMB0Pt/vk= +go.mongodb.org/mongo-driver v1.13.1/go.mod h1:wcDf1JBCXy2mOW0bWHwO/IOYqdca1MPCwDtFu/Z9+eo= +go.opentelemetry.io/otel v1.21.0 h1:hzLeKBZEL7Okw2mGzZ0cc4k/A7Fta0uoPgaJCr8fsFc= +go.opentelemetry.io/otel v1.21.0/go.mod h1:QZzNPQPm1zLX4gZK4cMi+71eaorMSGT3A4znnUvNNEo= +go.opentelemetry.io/otel/metric v1.21.0 h1:tlYWfeo+Bocx5kLEloTjbcDwBuELRrIFxwdQ36PlJu4= +go.opentelemetry.io/otel/metric v1.21.0/go.mod h1:o1p3CA8nNHW8j5yuQLdc1eeqEaPfzug24uvsyIEJRWM= +go.opentelemetry.io/otel/sdk v1.17.0 h1:FLN2X66Ke/k5Sg3V623Q7h7nt3cHXaW1FOvKKrW0IpE= +go.opentelemetry.io/otel/sdk v1.17.0/go.mod h1:U87sE0f5vQB7hwUoW98pW5Rz4ZDuCFBZFNUBlSgmDFQ= +go.opentelemetry.io/otel/trace v1.21.0 h1:WD9i5gzvoUPuXIXH24ZNBudiarZDKuekPqi/E8fpfLc= 
+go.opentelemetry.io/otel/trace v1.21.0/go.mod h1:LGbsEB0f9LGjN+OZaQQ26sohbOmiMR+BaslueVtS/qQ= go.starlark.net v0.0.0-20230525235612-a134d8f9ddca h1:VdD38733bfYv5tUZwEIskMM93VanwNIi5bIKnDrJdEY= go.starlark.net v0.0.0-20230525235612-a134d8f9ddca/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds= +go.uber.org/dig v1.17.1 h1:Tga8Lz8PcYNsWsyHMZ1Vm0OQOUaJNDyvPImgbAu9YSc= +go.uber.org/dig v1.17.1/go.mod h1:Us0rSJiThwCv2GteUN0Q7OKvU7n5J4dxZ9JKUXozFdE= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= +go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= +go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M= +go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb h1:c0vyKkb6yr3KR7jEfJaOSv4lG7xPkbN6r52aJz1d8a8= +golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint 
v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= 
@@ -211,45 +370,56 @@ golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= -golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c= +golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY= -golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0= +golang.org/x/oauth2 v0.15.0 h1:s8pnnxNVzjWyrvYdFUQq5llS1PX2zhPXmccZv99h7uQ= +golang.org/x/oauth2 v0.15.0/go.mod h1:q48ptWNTY5XWf+JNten23lcvHpLJ0ZSxF5ttTHKVCAM= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod 
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E= -golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE= +golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.13.0 
h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= -golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= +golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= -golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= +golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= +golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= -golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= -golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= -golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= -golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.14.0 
h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= +golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= 
@@ -257,11 +427,12 @@ golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190828213141-aed303cbaa74/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc= -golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg= +golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA= +golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -273,6 +444,11 @@ google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJ google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/genproto v0.0.0-20231120223509-83a465c0220f h1:Vn+VyHU5guc9KjB5KrjI2q0wCOWEOIh0OEsleqakHJg= +google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17 h1:JpwMPBpFN3uKhdaekDpiNlImDdkUAyiJ6ez/uxGaUSo= +google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:0xJLfVdJqpAPl8tDg1ujOCGzx6LFLttXT5NhllGOXY4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231127180814-3a041ad873d4 h1:DC7wcm+i+P1rN3Ff07vL+OndGg5OhNddHyTA+ocPqYE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231127180814-3a041ad873d4/go.mod h1:eJVxU6o+4G1PSczBr85xmyvSNYAKvAYgkub40YGomFM= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= 
@@ -289,36 +465,43 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= +gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod 
h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -k8s.io/api v0.29.0 h1:NiCdQMY1QOp1H8lfRyeEf8eOwV6+0xA6XEE44ohDX2A= -k8s.io/api v0.29.0/go.mod h1:sdVmXoz2Bo/cb77Pxi71IPTSErEW32xa4aXwKH7gfBA= -k8s.io/apimachinery v0.29.0 h1:+ACVktwyicPz0oc6MTMLwa2Pw3ouLAfAon1wPLtG48o= -k8s.io/apimachinery v0.29.0/go.mod h1:eVBxQ/cwiJxH58eK/jd/vAk4mrxmVlnpBH5J2GbMeis= -k8s.io/cli-runtime v0.29.0 h1:q2kC3cex4rOBLfPOnMSzV2BIrrQlx97gxHJs21KxKS4= -k8s.io/cli-runtime v0.29.0/go.mod h1:VKudXp3X7wR45L+nER85YUzOQIru28HQpXr0mTdeCrk= -k8s.io/client-go v0.29.0 h1:KmlDtFcrdUzOYrBhXHgKw5ycWzc3ryPX5mQe0SkG3y8= -k8s.io/client-go v0.29.0/go.mod h1:yLkXH4HKMAywcrD82KMSmfYg2DlE8mepPR4JGSo5n38= +k8s.io/api v0.29.2 h1:hBC7B9+MU+ptchxEqTNW2DkUosJpp1P+Wn6YncZ474A= +k8s.io/api v0.29.2/go.mod h1:sdIaaKuU7P44aoyyLlikSLayT6Vb7bvJNCX105xZXY0= +k8s.io/apimachinery v0.29.2 h1:EWGpfJ856oj11C52NRCHuU7rFDwxev48z+6DSlGNsV8= +k8s.io/apimachinery v0.29.2/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU= +k8s.io/cli-runtime v0.29.2 h1:smfsOcT4QujeghsNjECKN3lwyX9AwcFU0nvJ7sFN3ro= +k8s.io/cli-runtime v0.29.2/go.mod h1:KLisYYfoqeNfO+MkTWvpqIyb1wpJmmFJhioA0xd4MW8= +k8s.io/client-go v0.29.2 h1:FEg85el1TeZp+/vYJM7hkDlSTFZ+c5nnK44DJ4FyoRg= +k8s.io/client-go v0.29.2/go.mod h1:knlvFZE58VpqbQpJNbCbctTVXcd35mMyAAwBdpt4jrA= k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0= k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo= k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= -k8s.io/metrics v0.29.0 h1:a6dWcNM+EEowMzMZ8trka6wZtSRIfEA/9oLjuhBksGc= -k8s.io/metrics v0.29.0/go.mod h1:UCuTT4dC/x/x6ODSk87IWIZQnuAfcwxOjb1gjWJdjMA= +k8s.io/metrics v0.29.2 h1:oLSTHEr40V7c7C8wDRRhiAefjGRHROK5zeV8NT0tpzc= +k8s.io/metrics 
v0.29.2/go.mod h1:cWzACDpKElWhm0CElwfK+7I39wDNbmDDCX7hywjvgR4= k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/gateway-api v1.0.0 h1:iPTStSv41+d9p0xFydll6d7f7MOBGuqXM6p2/zVYMAs= -sigs.k8s.io/gateway-api v1.0.0/go.mod h1:4cUgr0Lnp5FZ0Cdq8FdRwCvpiWws7LVhLHGIudLlf4c= +sigs.k8s.io/gateway-api v1.0.1-0.20231102234152-004e14bfe016 h1:ovFzI+PB1mdbfAyR+Olnhc+HSys1z9IXSYqNfSdUUf0= +sigs.k8s.io/gateway-api v1.0.1-0.20231102234152-004e14bfe016/go.mod h1:4cUgr0Lnp5FZ0Cdq8FdRwCvpiWws7LVhLHGIudLlf4c= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 h1:XX3Ajgzov2RKUdc5jW3t5jwY7Bo7dcRm+tFxT+NfgY0= From da01220f546f508d680d5f956c835d92b78b621b Mon Sep 17 00:00:00 2001 
From: derailed Date: Sat, 9 Mar 2024 10:38:43 -0700 Subject: [PATCH 2/4] init cilium res --- internal/alias.go | 64 +++++--- internal/cilium/cache/cep.go | 46 ++++++ internal/cilium/cilium.go | 29 ++++ internal/cilium/lint/ccnp.go | 152 ++++++++++++++++++ internal/cilium/lint/ccnp_test.go | 47 ++++++ internal/cilium/lint/cep.go | 127 +++++++++++++++ internal/cilium/lint/cep_test.go | 52 +++++++ internal/cilium/lint/cid.go | 117 ++++++++++++++ internal/cilium/lint/cid_test.go | 50 ++++++ internal/cilium/lint/cnp.go | 182 ++++++++++++++++++++++ internal/cilium/lint/cnp_test.go | 51 ++++++ internal/cilium/lint/testdata/ccnp/1.yaml | 75 +++++++++ internal/cilium/lint/testdata/cep/1.yaml | 87 +++++++++++ internal/cilium/lint/testdata/cid/1.yaml | 81 ++++++++++ internal/cilium/lint/testdata/cnp/1.yaml | 107 +++++++++++++ internal/cilium/scrub/ccnp.go | 48 ++++++ internal/cilium/scrub/cep.go | 53 +++++++ internal/cilium/scrub/cid.go | 51 ++++++ internal/cilium/scrub/cnp.go | 48 ++++++ internal/cilium/scrub/scrubers.go | 17 ++ internal/issues/assets/codes.yaml | 37 ++++- internal/issues/codes_test.go | 2 +- pkg/popeye.go | 39 ++++- 23 files changed, 1536 insertions(+), 26 deletions(-) create mode 100644 internal/cilium/cache/cep.go create mode 100644 internal/cilium/cilium.go create mode 100644 internal/cilium/lint/ccnp.go create mode 100644 internal/cilium/lint/ccnp_test.go create mode 100644 internal/cilium/lint/cep.go create mode 100644 internal/cilium/lint/cep_test.go create mode 100644 internal/cilium/lint/cid.go create mode 100644 internal/cilium/lint/cid_test.go create mode 100644 internal/cilium/lint/cnp.go create mode 100644 internal/cilium/lint/cnp_test.go create mode 100644 internal/cilium/lint/testdata/ccnp/1.yaml create mode 100644 internal/cilium/lint/testdata/cep/1.yaml create mode 100644 internal/cilium/lint/testdata/cid/1.yaml create mode 100644 internal/cilium/lint/testdata/cnp/1.yaml create mode 100644 internal/cilium/scrub/ccnp.go create mode 100644 
internal/cilium/scrub/cep.go create mode 100644 internal/cilium/scrub/cid.go create mode 100644 internal/cilium/scrub/cnp.go create mode 100644 internal/cilium/scrub/scrubers.go diff --git a/internal/alias.go b/internal/alias.go index ee647c52..da2d03ef 100644 --- a/internal/alias.go +++ b/internal/alias.go @@ -25,6 +25,7 @@ type ResourceMetas map[types.GVR]metav1.APIResource type Aliases struct { aliases map[string]types.GVR metas ResourceMetas + cilium bool } // NewAliases returns a new instance. @@ -49,25 +50,46 @@ func (a *Aliases) Dump() { } } -var customShortNames = map[string][]string{ - "cluster": {"cl"}, - "secrets": {"sec"}, - "deployments": {"dp"}, - "clusterroles": {"cr"}, - "clusterrolebindings": {"crb"}, - "roles": {"ro"}, - "rolebindings": {"rb"}, - "networkpolicies": {"np"}, - "httproutes": {"gwr"}, - "gatewayclassess": {"gwc"}, - "gateways": {"gw"}, +type ShortNames map[R][]string + +var customShortNames = ShortNames{ + CL: {"cl"}, + SEC: {"sec"}, + DP: {"dp"}, + CR: {"cr"}, + CRB: {"crb"}, + RO: {"ro"}, + ROB: {"rb"}, + NP: {"np"}, + GWR: {"gwr"}, + GWC: {"gwc"}, + GW: {"gw"}, +} + +func (a *Aliases) Inject(ss ShortNames) { + for gvr, res := range a.metas { + if kk, ok := ss[R(res.Name)]; ok { + for _, k := range kk { + a.aliases[k] = gvr + } + } + } +} + +func (a *Aliases) IsNamespaced(gvr types.GVR) bool { + if r, ok := a.metas[gvr]; ok { + return r.Namespaced + } + + return true } // Init loads the aliases glossary. func (a *Aliases) Init(c types.Connection) error { - if err := a.loadPreferred(c); err != nil { - return err - } + return a.loadPreferred(c) +} + +func (a *Aliases) Realize() { for gvr, res := range a.metas { a.aliases[res.Name] = gvr if res.SingularName != "" { @@ -76,7 +98,7 @@ func (a *Aliases) Init(c types.Connection) error { for _, n := range res.ShortNames { a.aliases[n] = gvr } - if kk, ok := customShortNames[res.Name]; ok { + if kk, ok := customShortNames[R(res.Name)]; ok { for _, k := range kk { a.aliases[k] = gvr } 
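Review bot: In internal/alias.go (`@@ -49,25 +50,46 @@`) the new exported `ShortNames`, `Inject`, `IsNamespaced` and `Realize` have no doc comments, and neither does `IsCiliumCluster` in the later `@@ -122,9 +142,14 @@` hunk. `Init` now only calls `loadPreferred`, so the alias table stays empty until `Realize` runs, and nothing in the code tells a caller that. I would add `// Realize builds the alias table from the loaded resource metas; call it after Init.` and `// IsNamespaced reports whether gvr is namespaced; a GVR missing from the metas is reported as namespaced.` The body of `Realize` continues into the following hunks.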
@@ -91,8 +113,6 @@ func (a *Aliases) Init(c types.Connection) error { } } } - - return nil } func greaterV(v1, v2 string) bool { @@ -122,9 +142,14 @@ func (a *Aliases) TitleFor(s string, plural bool) string { if plural { return m.Name } + return m.SingularName } +func (a *Aliases) IsCiliumCluster() bool { + return a.cilium +} + func (a *Aliases) loadPreferred(c types.Connection) error { dial, err := c.CachedDiscovery() if err != nil { @@ -141,6 +166,9 @@ func (a *Aliases) loadPreferred(c types.Connection) error { } for _, r := range l.APIResources { gvr := types.NewGVRFromAPIRes(gv, r) + if !a.cilium && strings.Contains(gvr.G(), "cilium.io") { + a.cilium = true + } r.Group, r.Version = gvr.G(), gvr.V() if r.SingularName == "" { r.SingularName = strings.ToLower(r.Kind) diff --git a/internal/cilium/cache/cep.go b/internal/cilium/cache/cep.go new file mode 100644 index 00000000..92b046af --- /dev/null +++ b/internal/cilium/cache/cep.go 
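Review bot: In `loadPreferred` (internal/alias.go, `@@ -141,6 +166,9 @@`) the Cilium check `strings.Contains(gvr.G(), "cilium.io")` is a substring match, so any API group that merely contains that text (a constructed example: `notcilium.io`) sets `a.cilium`. If that flag decides whether the Cilium linters run, which this hunk does not show, an unrelated CRD group would switch them on. Comparing the group exactly, `if !a.cilium && gvr.G() == "cilium.io" {`, ties the detection to the group whose types the new cache code imports. `loadPreferred` starts and ends outside the hunk.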
@@ -0,0 +1,46 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Popeye + +package cache + +import ( + "fmt" + "strconv" + "sync" + + v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2" + "github.com/derailed/popeye/internal" + icache "github.com/derailed/popeye/internal/cache" + "github.com/derailed/popeye/internal/cilium" + "github.com/derailed/popeye/internal/db" +) + +const CIDKey = "cid" + +// CiliumEndpoint represents a CiliumEndpoint cache. +type CiliumEndpoint struct { + db *db.DB +} + +// NewCiliumEndpoint returns a CiliumEndpoint cache. +func NewCiliumEndpoint(dba *db.DB) *CiliumEndpoint { + return &CiliumEndpoint{db: dba} +} + +// CiliumEndpointRefs computes all CiliumEndpoints external references. +func (p *CiliumEndpoint) CEPRefs(refs *sync.Map) error { + txn, it := p.db.MustITFor(internal.Glossary[cilium.CEP]) + defer txn.Abort() + for o := it.Next(); o != nil; o = it.Next() { + cep, ok := o.(*v2.CiliumEndpoint) + if !ok { + return fmt.Errorf("expected a CiliumEndpoint but got %T", o) + } + if cep.Status.Identity != nil { + key := icache.ResFqn(CIDKey, icache.FQN("", strconv.Itoa(int(cep.Status.Identity.ID)))) + refs.Store(key, internal.AllKeys) + } + } + + return nil +} diff --git a/internal/cilium/cilium.go b/internal/cilium/cilium.go new file mode 100644 index 00000000..95341f9d --- /dev/null +++ b/internal/cilium/cilium.go @@ -0,0 +1,29 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Popeye + +package cilium + +import ( + "github.com/derailed/popeye/internal" + "github.com/derailed/popeye/types" +) + +func init() { + for _, r := range CiliumRS { + internal.Glossary[r] = types.BlankGVR + } +} + +const ( + CEP internal.R = "ciliumendpoints" + CID internal.R = "ciliumidentities" + CNP internal.R = "ciliumnetworkpolicies" + CCNP internal.R = "ciliumclusterwidenetworkpolicies" +) + +var CiliumRS = []internal.R{CEP, CID, CNP, CCNP} + +var Aliases = internal.ShortNames{ + CEP: {"cep"}, + CID: {"cid"}, +} 
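Review bot: The doc comment on `CEPRefs` in internal/cilium/cache/cep.go names a different identifier (`CiliumEndpointRefs`), and the exported `CIDKey` has no comment. I would write `// CEPRefs stores one reference per CiliumEndpoint identity in refs, keyed by the CiliumIdentity it points to.` and `// CIDKey is the reference-kind prefix used for CiliumIdentity keys.`. The comment should also mention that endpoints with a nil `Status.Identity` are skipped, since that is the only filtering the loop does.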
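Review bot: In internal/cilium/cilium.go the exported `CEP`, `CID`, `CNP`, `CCNP`, `CiliumRS` and `Aliases` have no doc comments, and `init()` seeds `internal.Glossary` with `types.BlankGVR` for each resource without saying where the real GVRs come from. Because this happens as an import side effect, a reader cannot tell from this file when `internal.Glossary[cilium.CEP]` becomes usable. Suggested comments are `// CiliumRS lists the Cilium resources that have linters.`, `// Aliases holds the custom short names for Cilium resources.` and, on `init`, `// Register placeholders only; the real GVRs are expected to be resolved later (TODO confirm where).`. `Aliases` defines short names for `CEP` and `CID` but not for `CNP` and `CCNP`; if that is deliberate, a comment should say so.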
diff --git a/internal/cilium/lint/ccnp.go b/internal/cilium/lint/ccnp.go
new file mode 100644
index 00000000..993ede6b
--- /dev/null
+++ b/internal/cilium/lint/ccnp.go
@@ -0,0 +1,152 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Popeye + +package lint + +import ( + "context" + "fmt" + + v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2" + "github.com/cilium/cilium/pkg/policy/api" + "github.com/derailed/popeye/internal" + "github.com/derailed/popeye/internal/cilium" + "github.com/derailed/popeye/internal/client" + "github.com/derailed/popeye/internal/db" + "github.com/derailed/popeye/internal/issues" + ilint "github.com/derailed/popeye/internal/lint" + v1 "k8s.io/api/core/v1" +) + +// CiliumClusterwideNetworkPolicy tracks CiliumClusterwideNetworkPolicy sanitization. +type CiliumClusterwideNetworkPolicy struct { + *issues.Collector + db *db.DB +} + +// NewCiliumClusterwideNetworkPolicy returns a new instance. +func NewCiliumClusterwideNetworkPolicy(c *issues.Collector, db *db.DB) *CiliumClusterwideNetworkPolicy { + return &CiliumClusterwideNetworkPolicy{ + Collector: c, + db: db, + } +} + +// Lint lints the resource. +func (s *CiliumClusterwideNetworkPolicy) Lint(ctx context.Context) error { + txn, it := s.db.MustITFor(internal.Glossary[cilium.CCNP]) + defer txn.Abort() + for o := it.Next(); o != nil; o = it.Next() { + ccnp := o.(*v2.CiliumClusterwideNetworkPolicy) + fqn := client.FQN("", ccnp.Name) + s.InitOutcome(fqn) + ctx = internal.WithSpec(ctx, ilint.SpecFor(fqn, ccnp)) + + rules := ccnp.Specs + if ccnp.Spec != nil { + rules = append(rules, ccnp.Spec) + } + for _, r := range rules { + if err := s.checkRule(ctx, r); err != nil { + s.AddErr(ctx, err) + } + } + } + + return nil +} + +func (s *CiliumClusterwideNetworkPolicy) checkRule(ctx context.Context, r *api.Rule) error { + if r.EndpointSelector.Size() > 0 { + if ok, err := s.checkEPSel(r.EndpointSelector); err != nil { + return err + } else if !ok { + s.AddCode(ctx, 1700, "endpoint") + } + } + if r.NodeSelector.Size() > 0 { + if ok, err := s.checkNodeSel(r.NodeSelector); err != nil { + return err + } else if !ok { + s.AddCode(ctx, 1701) + } + } + 
for _, ing := range r.Ingress { + for _, sel := range ing.FromEndpoints { + if ok, err := s.checkEPSel(sel); err != nil { + return err + } else if !ok { + s.AddCode(ctx, 1700, "ingress") + } + } + } + for _, eg := range r.Egress { + for _, sel := range eg.ToEndpoints { + if ok, err := s.checkEPSel(sel); err != nil { + return err + } else if !ok { + s.AddCode(ctx, 1700, "egress") + } + } + } + + return nil +} + +func (s *CiliumClusterwideNetworkPolicy) checkEPSel(sel api.EndpointSelector) (bool, error) { + mm, err := s.matchCEPsBySel(sel) + if err != nil { + return false, err + } + + return len(mm) > 0, nil +} + +func (s *CiliumClusterwideNetworkPolicy) checkNodeSel(sel api.EndpointSelector) (bool, error) { + mm, err := s.matchNodesBySel(sel) + if err != nil { + return false, err + } + + return len(mm) > 0, nil +} + +func (s *CiliumClusterwideNetworkPolicy) matchNodesBySel(sel api.EndpointSelector) ([]string, error) { + txn := s.db.Txn(false) + defer txn.Abort() + txn, it := s.db.MustITFor(internal.Glossary[internal.NO]) + defer txn.Abort() + mm := make([]string, 0, 10) + for o := it.Next(); o != nil; o = it.Next() { + no, ok := o.(*v1.Node) + if !ok { + return nil, fmt.Errorf("expecting node but got %s", o) + } + fqn := client.FQN("", no.Name) + if matchSelector(no.Labels, sel) { + mm = append(mm, fqn) + } + } + + return mm, nil +} + +func (s *CiliumClusterwideNetworkPolicy) matchCEPsBySel(sel api.EndpointSelector) ([]string, error) { + txn := s.db.Txn(false) + defer txn.Abort() + txn, it := s.db.MustITFor(internal.Glossary[cilium.CEP]) + defer txn.Abort() + mm := make([]string, 0, 10) + for o := it.Next(); o != nil; o = it.Next() { + cep, ok := o.(*v2.CiliumEndpoint) + if !ok { + return nil, fmt.Errorf("expecting cilium endpoint but got %s", o) + } + fqn := client.FQN(cep.Namespace, cep.Name) + if matchSelector(cep.Labels, sel) { + mm = append(mm, fqn) + } + } + + return mm, nil +} 
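Review bot: `Lint` uses an unchecked type assertion, `ccnp := o.(*v2.CiliumClusterwideNetworkPolicy)`, which panics if the table ever yields another type, while `matchNodesBySel` and `matchCEPsBySel` in the same file use the two-value form and return an error. The same unchecked form appears in the `Lint` methods of cep.go, cid.go and cnp.go later in this patch, and in `po := o.(*v1.Pod)` in cep.go. I would write `ccnp, ok := o.(*v2.CiliumClusterwideNetworkPolicy)` followed by `if !ok { return fmt.Errorf("expected a CiliumClusterwideNetworkPolicy but got %T", o) }`. The existing messages in the two match helpers format the object with `%s`; `%T` prints the type, which is what those messages are about.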
diff --git a/internal/cilium/lint/ccnp_test.go b/internal/cilium/lint/ccnp_test.go
new file mode 100644
index 00000000..5d6bf98e
--- /dev/null
+++ b/internal/cilium/lint/ccnp_test.go
@@ -0,0 +1,47 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Popeye + +package lint + +import ( + "testing" + + v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2" + "github.com/derailed/popeye/internal" + "github.com/derailed/popeye/internal/cilium" + "github.com/derailed/popeye/internal/db" + "github.com/derailed/popeye/internal/rules" + "github.com/derailed/popeye/internal/test" + "github.com/stretchr/testify/assert" +) + +func TestCiliumClusterwideNetworkPolicy(t *testing.T) { + dba, err := test.NewTestDB() + assert.NoError(t, err) + l := db.NewLoader(dba) + + ctx := test.MakeCtx(t) + assert.NoError(t, test.LoadDB[*v2.CiliumClusterwideNetworkPolicy](ctx, l.DB, "ccnp/1.yaml", internal.Glossary[cilium.CCNP])) + assert.NoError(t, test.LoadDB[*v2.CiliumEndpoint](ctx, l.DB, "cep/1.yaml", internal.Glossary[cilium.CEP])) + + li := NewCiliumClusterwideNetworkPolicy(test.MakeCollector(t), dba) + assert.Nil(t, li.Lint(test.MakeContext("cilium.io/v2/ciliumclusterwidenetworkpolicies", "ciliumclusterwidenetworkpolicies"))) + assert.Equal(t, 3, len(li.Outcome())) + + ii := li.Outcome()["ccnp1"] + assert.Equal(t, 0, len(ii)) + + ii = li.Outcome()["ccnp2"] + assert.Equal(t, 3, len(ii)) + assert.Equal(t, `[POP-1700] No cilium endpoints matched endpoint selector`, ii[0].Message) + assert.Equal(t, rules.ErrorLevel, ii[0].Level) + assert.Equal(t, `[POP-1700] No cilium endpoints matched ingress selector`, ii[1].Message) + assert.Equal(t, rules.ErrorLevel, ii[1].Level) + assert.Equal(t, `[POP-1700] No cilium endpoints matched egress selector`, ii[2].Message) + assert.Equal(t, rules.ErrorLevel, ii[2].Level) + + ii = li.Outcome()["ccnp3"] + assert.Equal(t, 1, len(ii)) + assert.Equal(t, `[POP-1701] No nodes matched node selector`, ii[0].Message) + assert.Equal(t, rules.ErrorLevel, ii[0].Level) +} diff --git a/internal/cilium/lint/cep.go b/internal/cilium/lint/cep.go new file mode 100644 index 00000000..7a276340 --- /dev/null +++ b/internal/cilium/lint/cep.go 
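Review bot: The `ccnp3` assertion for POP-1701 does not exercise node matching, because the test loads only `ccnp/1.yaml` and `cep/1.yaml` and no Node fixture. With an empty node table `checkNodeSel` would report "No nodes matched node selector" for any selector, unless `test.NewTestDB` preloads nodes, which is not visible here. Loading the core node fixture the way cep_test.go does, `test.LoadDB[*v1.Node](ctx, l.DB, "../../../lint/testdata/core/node/1.yaml", internal.Glossary[internal.NO])`, and adding a policy whose `nodeSelector` matches one of those nodes would cover the passing path as well.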
@@ -0,0 +1,127 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Popeye + +package lint + +import ( + "context" + "errors" + "fmt" + "strconv" + + v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2" + "github.com/derailed/popeye/internal" + "github.com/derailed/popeye/internal/cilium" + "github.com/derailed/popeye/internal/client" + "github.com/derailed/popeye/internal/db" + "github.com/derailed/popeye/internal/issues" + ilint "github.com/derailed/popeye/internal/lint" + "github.com/derailed/popeye/pkg/config" + v1 "k8s.io/api/core/v1" +) + +// CiliumEndpoint tracks CiliumEndpoint sanitization. +type CiliumEndpoint struct { + *issues.Collector + db *db.DB +} + +// NewCiliumEndpoint returns a new instance. +func NewCiliumEndpoint(c *issues.Collector, db *db.DB) *CiliumEndpoint { + return &CiliumEndpoint{ + Collector: c, + db: db, + } +} + +// Lint lints the resource. +func (s *CiliumEndpoint) Lint(ctx context.Context) error { + txn, it := s.db.MustITFor(internal.Glossary[cilium.CEP]) + defer txn.Abort() + for o := it.Next(); o != nil; o = it.Next() { + cep := o.(*v2.CiliumEndpoint) + fqn := client.FQN(cep.Namespace, cep.Name) + s.InitOutcome(fqn) + ctx = internal.WithSpec(ctx, ilint.SpecFor(fqn, cep)) + + if cep.Status.State != "ready" { + s.AddErr(ctx, fmt.Errorf("cep is not ready")) + } + s.checkID(ctx, cep) + if err := s.checkOwners(ctx, cep); err != nil { + return err + } + if err := s.checkNode(ctx, cep); err != nil { + return err + } + } + + return nil +} + +func (s *CiliumEndpoint) checkID(ctx context.Context, cep *v2.CiliumEndpoint) { + fqn := client.FQN("", strconv.Itoa(int(cep.Status.Identity.ID))) + _, err := s.db.Find(internal.Glossary[cilium.CID], fqn) + if err != nil { + s.AddCode(ctx, 1700, fqn) + } +} + +func (s *CiliumEndpoint) checkOwners(ctx context.Context, cep *v2.CiliumEndpoint) error { + if len(cep.OwnerReferences) == 0 { + return errors.New("no owner references found") + } + for _, r := range cep.OwnerReferences { + if 
config.IsBoolSet(r.Controller) { + continue + } + switch r.Kind { + case "Pod": + fqn := client.FQN(cep.Namespace, r.Name) + o, err := s.db.Find(internal.Glossary[internal.PO], fqn) + if err != nil { + s.AddCode(ctx, 1704, fqn) + continue + } + po := o.(*v1.Pod) + if ph := ilint.Phase(po); ph != "Running" { + s.AddCode(ctx, 1703, fqn, ph) + } + default: + return fmt.Errorf("nyi - unhandled owner ref kind: %s", r.Kind) + } + } + + return nil +} + +func (s *CiliumEndpoint) checkNode(ctx context.Context, cep *v2.CiliumEndpoint) error { + nn, err := s.db.ListNodes() + if err != nil { + return err + } + for _, n := range nn { + ip, _ := getIPs(n.Status.Addresses) + if ip != "" && ip == cep.Status.Networking.NodeIP { + return nil + } + } + s.AddCode(ctx, 1702, cep.Status.Networking.NodeIP) + + return nil +} + +// Helpers... + +func getIPs(addrs []v1.NodeAddress) (iIP, eIP string) { + for _, a := range addrs { + switch a.Type { + case v1.NodeExternalIP: + eIP = a.Address + case v1.NodeInternalIP: + iIP = a.Address + } + } + + return +} diff --git a/internal/cilium/lint/cep_test.go b/internal/cilium/lint/cep_test.go new file mode 100644 index 00000000..ee4883a1 --- /dev/null +++ b/internal/cilium/lint/cep_test.go 
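Review bot: `checkID` dereferences `cep.Status.Identity.ID` without a nil check, so an endpoint whose status carries no identity would panic the linter; `CEPRefs` in internal/cilium/cache/cep.go guards the same field with `if cep.Status.Identity != nil`. A guard such as `if cep.Status.Identity == nil { s.AddErr(ctx, errors.New("cep has no identity")); return }` keeps the run going and still reports the endpoint. `checkNode` reads `cep.Status.Networking.NodeIP` in the same way; if `Networking` is a pointer as well (its type is not visible here), it needs the same guard. Separately, `checkID` reports a missing identity with code 1700, whose message in the tests reads "No cilium endpoints matched ... selector", which looks like the wrong code for this finding.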
@@ -0,0 +1,52 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Popeye + +package lint + +import ( + "testing" + + v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2" + "github.com/derailed/popeye/internal" + "github.com/derailed/popeye/internal/cilium" + "github.com/derailed/popeye/internal/db" + "github.com/derailed/popeye/internal/rules" + "github.com/derailed/popeye/internal/test" + "github.com/rs/zerolog" + "github.com/stretchr/testify/assert" + v1 "k8s.io/api/core/v1" +) + +func init() { + zerolog.SetGlobalLevel(zerolog.FatalLevel) +} + +func TestCiliumEndpoint(t *testing.T) { + dba, err := test.NewTestDB() + assert.NoError(t, err) + l := db.NewLoader(dba) + + ctx := test.MakeCtx(t) + assert.NoError(t, test.LoadDB[*v2.CiliumEndpoint](ctx, l.DB, "cep/1.yaml", internal.Glossary[cilium.CEP])) + assert.NoError(t, test.LoadDB[*v2.CiliumIdentity](ctx, l.DB, "cid/1.yaml", internal.Glossary[cilium.CID])) + assert.NoError(t, test.LoadDB[*v1.Pod](ctx, l.DB, "../../../lint/testdata/core/pod/1.yaml", internal.Glossary[internal.PO])) + assert.NoError(t, test.LoadDB[*v1.Node](ctx, l.DB, "../../../lint/testdata/core/node/1.yaml", internal.Glossary[internal.NO])) + assert.NoError(t, test.LoadDB[*v1.Namespace](ctx, l.DB, "../../../lint/testdata/core/ns/1.yaml", internal.Glossary[internal.NS])) + assert.NoError(t, test.LoadDB[*v1.ServiceAccount](ctx, l.DB, "../../../lint/testdata/core/sa/1.yaml", internal.Glossary[internal.SA])) + + li := NewCiliumEndpoint(test.MakeCollector(t), dba) + assert.Nil(t, li.Lint(test.MakeContext("cilium.io/v2/ciliumendpoints", "ciliumendpoints"))) + assert.Equal(t, 2, len(li.Outcome())) + + ii := li.Outcome()["default/cep1"] + assert.Equal(t, 1, len(ii)) + assert.Equal(t, `[POP-1703] Pod owner is not in a running state: default/p1 ()`, ii[0].Message) + assert.Equal(t, rules.ErrorLevel, ii[0].Level) + + ii = li.Outcome()["default/cep2"] + assert.Equal(t, 2, len(ii)) + assert.Equal(t, `[POP-1704] References an unknown owner ref: 
"default/p2"`, ii[0].Message) + assert.Equal(t, rules.ErrorLevel, ii[0].Level) + assert.Equal(t, `[POP-1702] References an unknown node IP: "172.19.0.2"`, ii[1].Message) + assert.Equal(t, rules.ErrorLevel, ii[1].Level) +} diff --git a/internal/cilium/lint/cid.go b/internal/cilium/lint/cid.go new file mode 100644 index 00000000..e0202d71 --- /dev/null +++ b/internal/cilium/lint/cid.go 
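Review bot: The fixtures never reach two branches of the linter under test: both endpoints in `cep/1.yaml` have `state: ready`, and their identities (100 and 300) both exist in `cid/1.yaml`, so the `cep is not ready` error and the missing-identity path in `checkID` are not executed. A third fixture endpoint with another state and an identity id that is absent from `cid/1.yaml` would pin both. The package-level `init()` changes the global zerolog level for every test in the package; a comment such as `// Silence logging for all tests in this package.` would make that intent explicit.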
@@ -0,0 +1,117 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Popeye + +package lint + +import ( + "context" + "fmt" + "sync" + + v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2" + "github.com/derailed/popeye/internal" + icache "github.com/derailed/popeye/internal/cache" + "github.com/derailed/popeye/internal/cilium" + "github.com/derailed/popeye/internal/cilium/cache" + "github.com/derailed/popeye/internal/client" + "github.com/derailed/popeye/internal/db" + "github.com/derailed/popeye/internal/issues" + ilint "github.com/derailed/popeye/internal/lint" +) + +// CiliumIdentity tracks CiliumIdentity sanitization. +type CiliumIdentity struct { + *issues.Collector + db *db.DB +} + +// NewCiliumIdentity returns a new instance. +func NewCiliumIdentity(c *issues.Collector, db *db.DB) *CiliumIdentity { + return &CiliumIdentity{ + Collector: c, + db: db, + } +} + +// Lint lints the resource. +func (s *CiliumIdentity) Lint(ctx context.Context) error { + var refs sync.Map + if err := cache.NewCiliumEndpoint(s.db).CEPRefs(&refs); err != nil { + return err + } + + txn, it := s.db.MustITFor(internal.Glossary[cilium.CID]) + defer txn.Abort() + for o := it.Next(); o != nil; o = it.Next() { + cid := o.(*v2.CiliumIdentity) + fqn := client.FQN(cid.Namespace, cid.Name) + s.InitOutcome(fqn) + ctx = internal.WithSpec(ctx, ilint.SpecFor(fqn, cid)) + if err := s.checkStale(ctx, fqn, &refs); err != nil { + return err + } + s.checkNS(ctx, cid) + if err := s.checkSA(ctx, fqn, cid); err != nil { + return err + } + } + + return nil +} + +func (s *CiliumIdentity) checkStale(ctx context.Context, fqn string, refs *sync.Map) error { + _, ok := refs.Load(icache.ResFqn(cache.CIDKey, fqn)) + if !ok { + s.AddCode(ctx, 1600) + } + + return nil +} + +const ( + k8sNSLabel = "io.kubernetes.pod.namespace" + k8sSecNSLabel = "k8s:io.kubernetes.pod.namespace" + k8sSecNS1Label = "k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name" + k8sSALabel = 
"io.cilium.k8s.policy.serviceaccount" +) + +func (s *CiliumIdentity) checkNS(ctx context.Context, cid *v2.CiliumIdentity) { + ns, ok := cid.Labels[k8sNSLabel] + if !ok { + s.AddCode(ctx, 1601, k8sNSLabel) + } + _, err := s.db.Find(internal.Glossary[internal.NS], ns) + if err != nil { + s.AddCode(ctx, 1602, ns) + return + } + sns, ok := cid.SecurityLabels[k8sSecNSLabel] + if !ok { + s.AddCode(ctx, 1603, k8sSecNSLabel) + return + } + if ns != sns { + s.AddCode(ctx, 1604, ns, sns) + } +} + +func (s *CiliumIdentity) checkSA(ctx context.Context, fqn string, cid *v2.CiliumIdentity) error { + ns, ok := cid.Labels[k8sNSLabel] + if !ok { + return fmt.Errorf("unable to locate cid namespace") + } + sa, ok := cid.Labels[k8sSALabel] + if !ok { + return fmt.Errorf("unable to locate cid serviceaccount") + } + txn := s.db.Txn(false) + defer txn.Abort() + saFQN := icache.FQN(ns, sa) + o, err := txn.First(internal.Glossary[internal.SA].String(), "id", saFQN) + if err != nil || o == nil { + s.AddCode(ctx, 307, "CiliumIdentity", saFQN) + return nil + } + + return nil +} diff --git a/internal/cilium/lint/cid_test.go b/internal/cilium/lint/cid_test.go new file mode 100644 index 00000000..61632182 --- /dev/null +++ b/internal/cilium/lint/cid_test.go 
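Review bot: Missing labels are handled inconsistently in `checkNS` and `checkSA`. In `checkNS` the `!ok` branch adds 1601 but does not return, so the namespace lookup runs with an empty `ns` and will most likely add 1602 for `""` as well; a `return` after `s.AddCode(ctx, 1601, k8sNSLabel)` fixes that. In `checkSA` a missing label returns an error, which makes `Lint` return and skips every remaining identity, so a single unlabelled CiliumIdentity hides the findings for all the others. Reporting it with `s.AddErr(ctx, errors.New("unable to locate cid serviceaccount"))` and returning nil would match how ccnp.go and cnp.go record rule errors and continue. `k8sSecNS1Label` is declared but not used in this hunk.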
@@ -0,0 +1,50 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Popeye + +package lint + +import ( + "testing" + + v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2" + "github.com/derailed/popeye/internal" + "github.com/derailed/popeye/internal/cilium" + "github.com/derailed/popeye/internal/db" + "github.com/derailed/popeye/internal/rules" + "github.com/derailed/popeye/internal/test" + "github.com/stretchr/testify/assert" + v1 "k8s.io/api/core/v1" +) + +func TestCiliumIdentity(t *testing.T) { + dba, err := test.NewTestDB() + assert.NoError(t, err) + l := db.NewLoader(dba) + + ctx := test.MakeCtx(t) + assert.NoError(t, test.LoadDB[*v2.CiliumIdentity](ctx, l.DB, "cid/1.yaml", internal.Glossary[cilium.CID])) + assert.NoError(t, test.LoadDB[*v2.CiliumEndpoint](ctx, l.DB, "cep/1.yaml", internal.Glossary[cilium.CEP])) + assert.NoError(t, test.LoadDB[*v1.ServiceAccount](ctx, l.DB, "../../../lint/testdata/core/sa/1.yaml", internal.Glossary[internal.SA])) + assert.NoError(t, test.LoadDB[*v1.Namespace](ctx, l.DB, "../../../lint/testdata/core/ns/1.yaml", internal.Glossary[internal.NS])) + + li := NewCiliumIdentity(test.MakeCollector(t), dba) + assert.Nil(t, li.Lint(test.MakeContext("cilium.io/v2/ciliumidentities", "ciliumidentities"))) + assert.Equal(t, 3, len(li.Outcome())) + + ii := li.Outcome()["100"] + assert.Equal(t, 0, len(ii)) + + ii = li.Outcome()["200"] + assert.Equal(t, 3, len(ii)) + assert.Equal(t, "[POP-1600] Stale? 
unable to locate matching Cilium Endpoint", ii[0].Message) + assert.Equal(t, rules.WarnLevel, ii[0].Level) + assert.Equal(t, `[POP-1604] Namespace mismatch with security labels namespace: "ns1" vs "ns2"`, ii[1].Message) + assert.Equal(t, rules.WarnLevel, ii[1].Level) + assert.Equal(t, `[POP-307] CiliumIdentity references a non existing ServiceAccount: "ns1/sa1"`, ii[2].Message) + assert.Equal(t, rules.WarnLevel, ii[2].Level) + + ii = li.Outcome()["300"] + assert.Equal(t, 1, len(ii)) + assert.Equal(t, `[POP-1603] Missing security namespace label: "k8s:io.kubernetes.pod.namespace"`, ii[0].Message) + assert.Equal(t, rules.WarnLevel, ii[0].Level) +} diff --git a/internal/cilium/lint/cnp.go b/internal/cilium/lint/cnp.go new file mode 100644 index 00000000..9a99a0c1 --- /dev/null +++ b/internal/cilium/lint/cnp.go 
@@ -0,0 +1,182 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Popeye + +package lint + +import ( + "context" + "fmt" + "strings" + + v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2" + slimv1 "github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/meta/v1" + "github.com/cilium/cilium/pkg/policy/api" + "github.com/derailed/popeye/internal" + "github.com/derailed/popeye/internal/cilium" + "github.com/derailed/popeye/internal/client" + "github.com/derailed/popeye/internal/db" + "github.com/derailed/popeye/internal/issues" + ilint "github.com/derailed/popeye/internal/lint" +) + +// CiliumNetworkPolicy tracks CiliumNetworkPolicy sanitization. +type CiliumNetworkPolicy struct { + *issues.Collector + db *db.DB +} + +// NewCiliumNetworkPolicy returns a new instance. +func NewCiliumNetworkPolicy(c *issues.Collector, db *db.DB) *CiliumNetworkPolicy { + return &CiliumNetworkPolicy{ + Collector: c, + db: db, + } +} + +// Lint lints the resource. +func (s *CiliumNetworkPolicy) Lint(ctx context.Context) error { + txn, it := s.db.MustITFor(internal.Glossary[cilium.CNP]) + defer txn.Abort() + for o := it.Next(); o != nil; o = it.Next() { + cnp := o.(*v2.CiliumNetworkPolicy) + fqn := client.FQN(cnp.Namespace, cnp.Name) + s.InitOutcome(fqn) + ctx = internal.WithSpec(ctx, ilint.SpecFor(fqn, cnp)) + + rules := cnp.Specs + if cnp.Spec != nil { + rules = append(rules, cnp.Spec) + } + for _, r := range rules { + if err := s.checkRule(ctx, cnp.Namespace, r); err != nil { + s.AddErr(ctx, err) + } + } + } + + return nil +} + +func (s *CiliumNetworkPolicy) checkRule(ctx context.Context, ns string, r *api.Rule) error { + if r.EndpointSelector.Size() > 0 { + if ok, err := s.checkEPSel(ns, r.EndpointSelector); err != nil { + return err + } else if !ok { + s.AddCode(ctx, 1700, "endpoint") + } + } + for _, ing := range r.Ingress { + for _, sel := range ing.FromEndpoints { + if ok, err := s.checkEPSel(ns, sel); err != nil { + return err + } else if !ok { + s.AddCode(ctx, 1700, 
"ingress") + } + } + } + for _, eg := range r.Egress { + for _, sel := range eg.ToEndpoints { + if ok, err := s.checkEPSel(ns, sel); err != nil { + return err + } else if !ok { + s.AddCode(ctx, 1700, "egress") + } + } + } + + return nil +} + +func (s *CiliumNetworkPolicy) checkEPSel(ns string, sel api.EndpointSelector) (bool, error) { + mm, err := s.matchCEPsBySel(ns, sel) + if err != nil { + return false, err + } + + return len(mm) > 0, nil +} + +func (s *CiliumNetworkPolicy) matchCEPsBySel(ns string, sel api.EndpointSelector) ([]string, error) { + txn := s.db.Txn(false) + defer txn.Abort() + txn, it := s.db.MustITForNS(internal.Glossary[cilium.CEP], ns) + defer txn.Abort() + mm := make([]string, 0, 10) + for o := it.Next(); o != nil; o = it.Next() { + cep, ok := o.(*v2.CiliumEndpoint) + if !ok { + return nil, fmt.Errorf("expecting cilium endpoint but got %s", o) + } + fqn := client.FQN(cep.Namespace, cep.Name) + if matchSelector(cep.Labels, sel) { + mm = append(mm, fqn) + } + } + + return mm, nil +} + +func matchSelector(labels map[string]string, sel api.EndpointSelector) bool { + if len(labels) == 0 || sel.Size() == 0 { + return false + } + if matchLabels(labels, sel.MatchLabels) { + return true + } + + return matchExp(labels, sel.MatchExpressions) +} + +func matchExp(labels map[string]string, ee []slimv1.LabelSelectorRequirement) bool { + for _, e := range ee { + if matchSel(labels, e) { + return true + } + } + + return false +} + +func matchSel(labels map[string]string, e slimv1.LabelSelectorRequirement) bool { + key := strings.TrimPrefix(e.Key, "any.") + _, ok := labels[key] + if e.Operator == slimv1.LabelSelectorOpDoesNotExist && !ok { + return true + } + if !ok { + return false + } + + switch e.Operator { + case slimv1.LabelSelectorOpNotIn: + for _, v := range e.Values { + if v1, ok := labels[key]; ok && v1 == v { + return false + } + } + return true + case slimv1.LabelSelectorOpIn: + for _, v := range e.Values { + if v == labels[key] { + return true + } + 
} + return false + case slimv1.LabelSelectorOpExists: + return true + } + + return false +} + +func matchLabels(labels, sel map[string]string) bool { + var count int + for k, v := range sel { + k = strings.TrimPrefix(k, "any.") + if v1, ok := labels[k]; ok && v == v1 { + count++ + } + } + + return count > 0 +} diff --git a/internal/cilium/lint/cnp_test.go b/internal/cilium/lint/cnp_test.go new file mode 100644 index 00000000..2b00c6ad --- /dev/null +++ b/internal/cilium/lint/cnp_test.go 
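Review bot: `matchSelector` accepts an endpoint as soon as any single requirement holds: `matchLabels` returns `count > 0`, `matchExp` returns true on the first matching expression, and the two results are combined with OR. Label selectors are conjunctive, every `matchLabels` entry and every `matchExpressions` requirement has to hold, so a policy whose selector matches no real endpoint can pass without POP-1700; ccnp.go calls the same helper for endpoints and nodes. The sketch below requires all requirements to hold and leaves `matchSel` untouched. `matchSel` has a related gap worth a follow-up: its early `return false` for an absent key also rejects `NotIn`, which Kubernetes-style selectors treat as a match when the key is missing.

```go
func matchSelector(labels map[string]string, sel api.EndpointSelector) bool {
	if len(labels) == 0 || sel.Size() == 0 {
		return false
	}

	// Every matchLabels entry and every expression has to hold.
	return matchLabels(labels, sel.MatchLabels) && matchExp(labels, sel.MatchExpressions)
}

func matchExp(labels map[string]string, ee []slimv1.LabelSelectorRequirement) bool {
	for _, e := range ee {
		if !matchSel(labels, e) {
			return false
		}
	}

	return true
}

// … unchanged: matchSel …

func matchLabels(labels, sel map[string]string) bool {
	for k, v := range sel {
		k = strings.TrimPrefix(k, "any.")
		if v1, ok := labels[k]; !ok || v != v1 {
			return false
		}
	}

	return true
}
```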
@@ -0,0 +1,51 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Popeye + +package lint + +import ( + "testing" + + v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2" + "github.com/derailed/popeye/internal" + "github.com/derailed/popeye/internal/cilium" + "github.com/derailed/popeye/internal/db" + "github.com/derailed/popeye/internal/rules" + "github.com/derailed/popeye/internal/test" + "github.com/stretchr/testify/assert" +) + +func TestCiliumNetworkPolicy(t *testing.T) { + dba, err := test.NewTestDB() + assert.NoError(t, err) + l := db.NewLoader(dba) + + ctx := test.MakeCtx(t) + assert.NoError(t, test.LoadDB[*v2.CiliumNetworkPolicy](ctx, l.DB, "cnp/1.yaml", internal.Glossary[cilium.CNP])) + assert.NoError(t, test.LoadDB[*v2.CiliumEndpoint](ctx, l.DB, "cep/1.yaml", internal.Glossary[cilium.CEP])) + + li := NewCiliumNetworkPolicy(test.MakeCollector(t), dba) + assert.Nil(t, li.Lint(test.MakeContext("cilium.io/v2/ciliumnetworkpolicies", "ciliumnetworkpolicies"))) + assert.Equal(t, 4, len(li.Outcome())) + + li.Outcome().Dump() + ii := li.Outcome()["default/cnp1"] + assert.Equal(t, 0, len(ii)) + + ii = li.Outcome()["default/cnp2"] + assert.Equal(t, 3, len(ii)) + assert.Equal(t, `[POP-1700] No cilium endpoints matched endpoint selector`, ii[0].Message) + assert.Equal(t, rules.ErrorLevel, ii[0].Level) + assert.Equal(t, `[POP-1700] No cilium endpoints matched ingress selector`, ii[1].Message) + assert.Equal(t, rules.ErrorLevel, ii[1].Level) + assert.Equal(t, `[POP-1700] No cilium endpoints matched egress selector`, ii[2].Message) + assert.Equal(t, rules.ErrorLevel, ii[2].Level) + + ii = li.Outcome()["default/cnp3"] + assert.Equal(t, 1, len(ii)) + assert.Equal(t, `[POP-1700] No cilium endpoints matched endpoint selector`, ii[0].Message) + assert.Equal(t, rules.ErrorLevel, ii[0].Level) + + ii = li.Outcome()["default/cnp4"] + assert.Equal(t, 0, len(ii)) +} 
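Review bot: `li.Outcome().Dump()` looks like a debugging leftover; it prints the whole outcome on every run and none of the sibling tests in this patch call it, so I would delete the line. The fixtures in `cnp/1.yaml` also use a single label or a single expression per selector, so nothing here pins how a selector with two `matchLabels` entries, one matching and one not, is judged. A `cnp5` case for that would fix the intended selector semantics in a test.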
diff --git a/internal/cilium/lint/testdata/ccnp/1.yaml b/internal/cilium/lint/testdata/ccnp/1.yaml new file mode 100644 index 00000000..23874053 --- /dev/null +++ b/internal/cilium/lint/testdata/ccnp/1.yaml @@ -0,0 +1,75 @@ +apiVersion: v1 +kind: List +items: +- apiVersion: cilium.io/v2 + kind: CiliumClusterwideNetworkPolicy + metadata: + name: ccnp1 + spec: + endpointSelector: + matchLabels: + k8s-app: cep1 + ingress: + - fromEndpoints: + - matchLabels: + k8s-app: cep1 + toPorts: + - ports: + - port: "80" + protocol: TCP + egress: + - toEndpoints: + - matchLabels: + k8s-app: cep1 + toPorts: + - ports: + - port: "90" + protocol: TCP +- apiVersion: cilium.io/v2 + kind: CiliumClusterwideNetworkPolicy + metadata: + name: ccnp2 + spec: + endpointSelector: + matchLabels: + app: be + ingress: + - fromEndpoints: + - matchLabels: + app: fe + toPorts: + - ports: + - port: "80" + protocol: TCP + egress: + - toEndpoints: + - matchLabels: + org: fred + toPorts: + - ports: + - port: "90" + protocol: TCP +- apiVersion: cilium.io/v2 + kind: CiliumClusterwideNetworkPolicy + metadata: + name: ccnp3 + spec: + nodeSelector: + matchLabels: + node: n1 + ingress: + - fromEndpoints: + - matchLabels: + k8s-app: cep1 + toPorts: + - ports: + - port: "80" + protocol: TCP + egress: + - toEndpoints: + - matchLabels: + k8s-app: cep1 + toPorts: + - ports: + - port: "90" + protocol: TCP diff --git a/internal/cilium/lint/testdata/cep/1.yaml b/internal/cilium/lint/testdata/cep/1.yaml new file mode 100644 index 00000000..61c33fc0 --- /dev/null +++ b/internal/cilium/lint/testdata/cep/1.yaml 
@@ -0,0 +1,87 @@ +apiVersion: v1 +kind: List +items: +- apiVersion: cilium.io/v2 + kind: CiliumEndpoint + metadata: + labels: + k8s-app: cep1 + name: cep1 + namespace: default + ownerReferences: + - apiVersion: v1 + kind: Pod + name: p1 + status: + encryption: {} + external-identifiers: + k8s-namespace: default + k8s-pod-name: p1 + pod-name: default/p1 + id: 3646 + identity: + id: 100 + labels: + - k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default + - k8s:io.cilium.k8s.policy.cluster=fred + - k8s:io.cilium.k8s.policy.serviceaccount=sa1 + - k8s:io.kubernetes.pod.namespace=default + - k8s:app=p1 + named-ports: + - name: dns + port: 53 + protocol: UDP + - name: dns-tcp + port: 53 + protocol: TCP + - name: metrics + port: 9153 + protocol: TCP + networking: + addressing: + - ipv4: 10.244.1.10 + node: 192.168.228.3 + state: ready +- apiVersion: cilium.io/v2 + kind: CiliumEndpoint + metadata: + labels: + k8s-app: cep2 + name: cep2 + namespace: default + ownerReferences: + - apiVersion: v1 + kind: Pod + name: p2 + status: + encryption: {} + external-identifiers: + cni-attachment-id: 18b4cbccf768d164ff3e728787f080bd647027e6e71613d18799d9f968523f0e + container-id: 18b4cbccf768d164ff3e728787f080bd647027e6e71613d18799d9f968523f0e + k8s-namespace: default + k8s-pod-name: p2 + pod-name: default/p2 + id: 3140 + identity: + id: 300 + labels: + - k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=kube-system + - k8s:io.cilium.k8s.policy.cluster=fred + - k8s:io.cilium.k8s.policy.serviceaccount=sa1 + - k8s:io.kubernetes.pod.namespace=default + - k8s:app=cid2 + named-ports: + - name: dns + port: 53 + protocol: UDP + - name: dns-tcp + port: 53 + protocol: TCP + - name: metrics + port: 9153 + protocol: TCP + networking: + addressing: + - ipv4: 10.244.1.212 + node: 172.19.0.2 + state: ready diff --git a/internal/cilium/lint/testdata/cid/1.yaml b/internal/cilium/lint/testdata/cid/1.yaml new file mode 100644 index 00000000..cf8e0dea --- /dev/null 
+++ b/internal/cilium/lint/testdata/cid/1.yaml 
@@ -0,0 +1,81 @@ +apiVersion: v1 +kind: List +items: +- apiVersion: cilium.io/v2 + kind: CiliumIdentity + metadata: + creationTimestamp: "2024-03-07T00:36:02Z" + generation: 1 + labels: + batch.kubernetes.io/controller-uid: a40f6e35-61ff-4449-9d3f-3b44d091e90f + batch.kubernetes.io/job-name: hello-28496196 + controller-uid: a40f6e35-61ff-4449-9d3f-3b44d091e90f + io.cilium.k8s.policy.cluster: kind-kind + io.cilium.k8s.policy.serviceaccount: default + io.kubernetes.pod.namespace: default + job-name: hello-28496196 + name: "100" + resourceVersion: "9590682" + uid: 30592dc9-f028-4565-9896-6209b6431011 + security-labels: + k8s:batch.kubernetes.io/controller-uid: a40f6e35-61ff-4449-9d3f-3b44d091e90f + k8s:batch.kubernetes.io/job-name: hello-28496196 + k8s:controller-uid: a40f6e35-61ff-4449-9d3f-3b44d091e90f + k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name: default + k8s:io.cilium.k8s.policy.cluster: kind-kind + k8s:io.cilium.k8s.policy.serviceaccount: default + k8s:io.kubernetes.pod.namespace: default + k8s:job-name: hello-28496196 +- apiVersion: cilium.io/v2 + kind: CiliumIdentity + metadata: + annotations: + io.cilium.heartbeat: "2024-03-07T00:22:13.094277331Z" + creationTimestamp: "2024-03-06T23:26:04Z" + generation: 1 + labels: + batch.kubernetes.io/controller-uid: c765ce0d-551f-4409-8957-ab15c3c75793 + batch.kubernetes.io/job-name: hello-28496126 + controller-uid: c765ce0d-551f-4409-8957-ab15c3c75793 + io.cilium.k8s.policy.cluster: kind-kind + io.cilium.k8s.policy.serviceaccount: sa1 + io.kubernetes.pod.namespace: ns1 + job-name: hello-28496126 + name: "200" + resourceVersion: "9589067" + uid: 15161fba-b04a-4f0e-8a24-7bd6d38621d4 + security-labels: + k8s:batch.kubernetes.io/controller-uid: c765ce0d-551f-4409-8957-ab15c3c75793 + k8s:batch.kubernetes.io/job-name: hello-28496126 + k8s:controller-uid: c765ce0d-551f-4409-8957-ab15c3c75793 + k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name: ns1 + k8s:io.cilium.k8s.policy.cluster: kind-kind + 
k8s:io.cilium.k8s.policy.serviceaccount: default + k8s:io.kubernetes.pod.namespace: ns2 + k8s:job-name: hello-28496126 +- apiVersion: cilium.io/v2 + kind: CiliumIdentity + metadata: + annotations: + io.cilium.heartbeat: "2024-03-07T00:22:13.094277331Z" + creationTimestamp: "2024-03-06T23:26:04Z" + generation: 1 + labels: + batch.kubernetes.io/controller-uid: c765ce0d-551f-4409-8957-ab15c3c75793 + batch.kubernetes.io/job-name: hello-28496126 + controller-uid: c765ce0d-551f-4409-8957-ab15c3c75793 + io.cilium.k8s.policy.cluster: kind-kind + io.cilium.k8s.policy.serviceaccount: sa1 + io.kubernetes.pod.namespace: default + job-name: hello-28496126 + name: "300" + resourceVersion: "9589067" + uid: 15161fba-b04a-4f0e-8a24-7bd6d38621d4 + security-labels: + k8s:batch.kubernetes.io/controller-uid: c765ce0d-551f-4409-8957-ab15c3c75793 + k8s:batch.kubernetes.io/job-name: hello-28496126 + k8s:controller-uid: c765ce0d-551f-4409-8957-ab15c3c75793 + k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name: ns1 + k8s:io.cilium.k8s.policy.cluster: kind-kind + k8s:io.cilium.k8s.policy.serviceaccount: default + k8s:job-name: hello-28496126 \ No newline at end of file diff --git a/internal/cilium/lint/testdata/cnp/1.yaml b/internal/cilium/lint/testdata/cnp/1.yaml new file mode 100644 index 00000000..74116731 --- /dev/null +++ b/internal/cilium/lint/testdata/cnp/1.yaml 
@@ -0,0 +1,107 @@ +apiVersion: v1 +kind: List +items: +- apiVersion: cilium.io/v2 + kind: CiliumNetworkPolicy + metadata: + name: cnp1 + namespace: default + spec: + endpointSelector: + matchLabels: + k8s-app: cep1 + ingress: + - fromEndpoints: + - matchLabels: + k8s-app: cep1 + toPorts: + - ports: + - port: "80" + protocol: TCP + egress: + - toEndpoints: + - matchLabels: + k8s-app: cep2 + toPorts: + - ports: + - port: "90" + protocol: TCP +- apiVersion: cilium.io/v2 + kind: CiliumNetworkPolicy + metadata: + name: cnp2 + namespace: default + spec: + endpointSelector: + matchLabels: + blee: bozo + ingress: + - fromEndpoints: + - matchLabels: + blee: bozo + toPorts: + - ports: + - port: "80" + protocol: TCP + egress: + - toEndpoints: + - matchLabels: + blee: bozo + toPorts: + - ports: + - port: "90" + protocol: TCP +- apiVersion: cilium.io/v2 + kind: CiliumNetworkPolicy + metadata: + name: cnp3 + namespace: default + spec: + endpointSelector: + matchExpressions: + - key: k8s-app + operator: In + values: [blee,blah] + ingress: + - fromEndpoints: + - matchLabels: + k8s-app: cep1 + toPorts: + - ports: + - port: "80" + protocol: TCP + egress: + - toEndpoints: + - matchLabels: + k8s-app: cep1 + toPorts: + - ports: + - port: "90" + protocol: TCP +- apiVersion: cilium.io/v2 + kind: CiliumNetworkPolicy + metadata: + name: cnp4 + namespace: default + spec: + endpointSelector: + matchExpressions: + - key: k8s-app + operator: NotIn + values: [cep3,cep4] + ingress: + - fromEndpoints: + - matchLabels: + k8s-app: cep1 + toPorts: + - ports: + - port: "80" + protocol: TCP + egress: + - toEndpoints: + - matchLabels: + k8s-app: cep1 + toPorts: + - ports: + - port: "90" + protocol: TCP \ No newline at end of file diff --git a/internal/cilium/scrub/ccnp.go b/internal/cilium/scrub/ccnp.go new file mode 100644 index 00000000..d9fbcc5c --- /dev/null +++ b/internal/cilium/scrub/ccnp.go 
@@ -0,0 +1,48 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Popeye
+
+package scrub
+
+import (
+ "context"
+
+ v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
+ "github.com/derailed/popeye/internal"
+ "github.com/derailed/popeye/internal/cilium"
+ "github.com/derailed/popeye/internal/cilium/lint"
+ "github.com/derailed/popeye/internal/db"
+ "github.com/derailed/popeye/internal/issues"
+ iscrub "github.com/derailed/popeye/internal/scrub"
+)
+
+// CiliumClusterwideNetworkPolicy represents a CiliumClusterwideNetworkPolicy scruber.
+type CiliumClusterwideNetworkPolicy struct {
+ *issues.Collector
+ *iscrub.Cache
+}
+
+// NewCiliumClusterwideNetworkPolicy returns a new instance.
+func NewCiliumClusterwideNetworkPolicy(ctx context.Context, c *iscrub.Cache, codes *issues.Codes) iscrub.Linter {
+ return &CiliumClusterwideNetworkPolicy{
+ Collector: issues.NewCollector(codes, c.Config),
+ Cache: c,
+ }
+}
+
+func (s *CiliumClusterwideNetworkPolicy) Preloads() iscrub.Preloads {
+ return iscrub.Preloads{
+ cilium.CCNP: db.LoadResource[*v2.CiliumClusterwideNetworkPolicy],
+ cilium.CEP: db.LoadResource[*v2.CiliumEndpoint],
+ }
+}
+
+// Lint all available CiliumClusterwideNetworkPolicys.
+func (s *CiliumClusterwideNetworkPolicy) Lint(ctx context.Context) error {
+ for k, f := range s.Preloads() {
+ if err := f(ctx, s.Loader, internal.Glossary[k]); err != nil {
+ return err
+ }
+ }
+
+ return lint.NewCiliumClusterwideNetworkPolicy(s.Collector, s.DB).Lint(ctx)
+}
diff --git a/internal/cilium/scrub/cep.go b/internal/cilium/scrub/cep.go
new file mode 100644
index 00000000..9aad19a6
--- /dev/null
+++ b/internal/cilium/scrub/cep.go
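Review bot: The exported `Preloads` method is added without a doc comment, and the same gap repeats for `Preloads` in cep.go, cid.go and cnp.go and for `Inject` in scrubers.go. A line such as `// Preloads returns the loaders for every resource this linter reads before linting.` above each method would explain why `Lint` walks that map first. The `ctx` parameter of `NewCiliumClusterwideNetworkPolicy` is unused in the body shown; if the `iscrub.ScrubFn` signature requires it, naming it `_` makes that explicit.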
@@ -0,0 +1,53 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Popeye
+
+package scrub
+
+import (
+ "context"
+
+ v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
+ "github.com/derailed/popeye/internal"
+ "github.com/derailed/popeye/internal/cilium"
+ "github.com/derailed/popeye/internal/cilium/lint"
+ "github.com/derailed/popeye/internal/db"
+ "github.com/derailed/popeye/internal/issues"
+ iscrub "github.com/derailed/popeye/internal/scrub"
+ v1 "k8s.io/api/core/v1"
+)
+
+// CiliumEndpoint represents a CiliumEndpoint scruber.
+type CiliumEndpoint struct {
+ *issues.Collector
+ *iscrub.Cache
+}
+
+// NewCiliumEndpoint returns a new instance.
+func NewCiliumEndpoint(ctx context.Context, c *iscrub.Cache, codes *issues.Codes) iscrub.Linter {
+ return &CiliumEndpoint{
+ Collector: issues.NewCollector(codes, c.Config),
+ Cache: c,
+ }
+}
+
+func (s *CiliumEndpoint) Preloads() iscrub.Preloads {
+ return iscrub.Preloads{
+ cilium.CEP: db.LoadResource[*v2.CiliumEndpoint],
+ cilium.CID: db.LoadResource[*v2.CiliumIdentity],
+ internal.PO: db.LoadResource[*v1.Pod],
+ internal.NO: db.LoadResource[*v1.Node],
+ internal.SA: db.LoadResource[*v1.ServiceAccount],
+ internal.NS: db.LoadResource[*v1.Namespace],
+ }
+}
+
+// Lint all available CiliumEndpoints.
+func (s *CiliumEndpoint) Lint(ctx context.Context) error {
+ for k, f := range s.Preloads() {
+ if err := f(ctx, s.Loader, internal.Glossary[k]); err != nil {
+ return err
+ }
+ }
+
+ return lint.NewCiliumEndpoint(s.Collector, s.DB).Lint(ctx)
+}
diff --git a/internal/cilium/scrub/cid.go b/internal/cilium/scrub/cid.go
new file mode 100644
index 00000000..e4e77b71
--- /dev/null
+++ b/internal/cilium/scrub/cid.go
@@ -0,0 +1,51 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Popeye
+
+package scrub
+
+import (
+ "context"
+
+ v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
+ "github.com/derailed/popeye/internal"
+ "github.com/derailed/popeye/internal/cilium"
+ "github.com/derailed/popeye/internal/cilium/lint"
+ "github.com/derailed/popeye/internal/db"
+ "github.com/derailed/popeye/internal/issues"
+ iscrub "github.com/derailed/popeye/internal/scrub"
+ v1 "k8s.io/api/core/v1"
+)
+
+// CiliumIdentity represents a CiliumIdentity scruber.
+type CiliumIdentity struct {
+ *issues.Collector
+ *iscrub.Cache
+}
+
+// NewCiliumIdentity returns a new instance.
+func NewCiliumIdentity(ctx context.Context, c *iscrub.Cache, codes *issues.Codes) iscrub.Linter {
+ return &CiliumIdentity{
+ Collector: issues.NewCollector(codes, c.Config),
+ Cache: c,
+ }
+}
+
+func (s *CiliumIdentity) Preloads() iscrub.Preloads {
+ return iscrub.Preloads{
+ cilium.CID: db.LoadResource[*v2.CiliumIdentity],
+ cilium.CEP: db.LoadResource[*v2.CiliumEndpoint],
+ internal.SA: db.LoadResource[*v1.ServiceAccount],
+ internal.NS: db.LoadResource[*v1.Namespace],
+ }
+}
+
+// Lint all available CiliumIdentities.
+func (s *CiliumIdentity) Lint(ctx context.Context) error {
+ for k, f := range s.Preloads() {
+ if err := f(ctx, s.Loader, internal.Glossary[k]); err != nil {
+ return err
+ }
+ }
+
+ return lint.NewCiliumIdentity(s.Collector, s.DB).Lint(ctx)
+}
diff --git a/internal/cilium/scrub/cnp.go b/internal/cilium/scrub/cnp.go
new file mode 100644
index 00000000..4b16f63e
--- /dev/null
+++ b/internal/cilium/scrub/cnp.go
@@ -0,0 +1,48 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Popeye
+
+package scrub
+
+import (
+ "context"
+
+ v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
+ "github.com/derailed/popeye/internal"
+ "github.com/derailed/popeye/internal/cilium"
+ "github.com/derailed/popeye/internal/cilium/lint"
+ "github.com/derailed/popeye/internal/db"
+ "github.com/derailed/popeye/internal/issues"
+ iscrub "github.com/derailed/popeye/internal/scrub"
+)
+
+// CiliumNetworkPolicy represents a CiliumNetworkPolicy scruber.
+type CiliumNetworkPolicy struct {
+ *issues.Collector
+ *iscrub.Cache
+}
+
+// NewCiliumNetworkPolicy returns a new instance.
+func NewCiliumNetworkPolicy(ctx context.Context, c *iscrub.Cache, codes *issues.Codes) iscrub.Linter {
+ return &CiliumNetworkPolicy{
+ Collector: issues.NewCollector(codes, c.Config),
+ Cache: c,
+ }
+}
+
+func (s *CiliumNetworkPolicy) Preloads() iscrub.Preloads {
+ return iscrub.Preloads{
+ cilium.CNP: db.LoadResource[*v2.CiliumNetworkPolicy],
+ cilium.CEP: db.LoadResource[*v2.CiliumEndpoint],
+ }
+}
+
+// Lint all available CiliumNetworkPolicys.
+func (s *CiliumNetworkPolicy) Lint(ctx context.Context) error {
+ for k, f := range s.Preloads() {
+ if err := f(ctx, s.Loader, internal.Glossary[k]); err != nil {
+ return err
+ }
+ }
+
+ return lint.NewCiliumNetworkPolicy(s.Collector, s.DB).Lint(ctx)
+}
diff --git a/internal/cilium/scrub/scrubers.go b/internal/cilium/scrub/scrubers.go
new file mode 100644
index 00000000..6a0d41fc
--- /dev/null
+++ b/internal/cilium/scrub/scrubers.go
@@ -0,0 +1,17 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Popeye + +package scrub + +import ( + "github.com/derailed/popeye/internal" + "github.com/derailed/popeye/internal/cilium" + iscrub "github.com/derailed/popeye/internal/scrub" +) + +func Inject(ss map[internal.R]iscrub.ScrubFn) { + ss[cilium.CEP] = NewCiliumEndpoint + ss[cilium.CID] = NewCiliumIdentity + ss[cilium.CNP] = NewCiliumNetworkPolicy + ss[cilium.CCNP] = NewCiliumClusterwideNetworkPolicy +} diff --git a/internal/issues/assets/codes.yaml b/internal/issues/assets/codes.yaml index fc16368d..48eaf0ac 100644 --- a/internal/issues/assets/codes.yaml +++ b/internal/issues/assets/codes.yaml @@ -316,7 +316,6 @@ codes: message: References a %s (%s) which does not exist severity: 2 - # Ingress 1400: message: "Ingress LoadBalancer port reported an error: %s" @@ -343,4 +342,38 @@ codes: severity: 1 1502: message: CronJob has not run yet or is failing - severity: 2 \ No newline at end of file + severity: 2 + + # CiliumIdentity + 1600: + message: "Stale? unable to locate matching Cilium Endpoint" + severity: 2 + 1601: + message: "Unable to assert namespace label: %q" + severity: 2 + 1602: + message: "References namespace which does not exists: %q" + severity: 2 + 1603: + message: "Missing security namespace label: %q" + severity: 2 + 1604: + message: "Namespace mismatch with security labels namespace: %q vs %q" + severity: 2 + + # CiliumEndpoint + 1700: + message: "No cilium endpoints matched %s selector" + severity: 3 + 1701: + message: "No nodes matched node selector" + severity: 3 + 1702: + message: "References an unknown node IP: %q" + severity: 3 + 1703: + message: "Pod owner is not in a running state: %s (%s)" + severity: 3 + 1704: + message: "References an unknown owner ref: %q" + severity: 3 diff --git a/internal/issues/codes_test.go b/internal/issues/codes_test.go index 17942685..8c417ce7 100644 --- a/internal/issues/codes_test.go +++ b/internal/issues/codes_test.go 
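Review bot: Message 1602 in the second codes.yaml hunk reads `References namespace which does not exists: %q`; the verb should be `does not exist`, since this string goes straight into reports. The new 1600–1604 and 1700–1704 codes also mix `%s` and `%q` for similar values (1700 and 1703 use `%s`); using `%q` throughout would keep empty values visible in the output.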
@@ -15,7 +15,7 @@ func TestCodesLoad(t *testing.T) { cc, err := issues.LoadCodes() assert.Nil(t, err) - assert.Equal(t, 104, len(cc.Glossary)) + assert.Equal(t, 114, len(cc.Glossary)) assert.Equal(t, "No liveness probe", cc.Glossary[103].Message) assert.Equal(t, rules.WarnLevel, cc.Glossary[103].Severity) } diff --git a/pkg/popeye.go b/pkg/popeye.go index 54c0adf9..4db4fa9c 100644 --- a/pkg/popeye.go +++ b/pkg/popeye.go @@ -17,6 +17,8 @@ import ( "time" "github.com/derailed/popeye/internal" + "github.com/derailed/popeye/internal/cilium" + cscrub "github.com/derailed/popeye/internal/cilium/scrub" "github.com/derailed/popeye/internal/client" "github.com/derailed/popeye/internal/db" "github.com/derailed/popeye/internal/db/schema" @@ -101,6 +103,7 @@ func (p *Popeye) Init() error { if err := p.aliases.Init(p.client()); err != nil { return err } + p.aliases.Realize() var err error p.db, err = p.initDB() @@ -206,6 +209,18 @@ func (p *Popeye) buildCtx(ctx context.Context) context.Context { return ctx } +func (p *Popeye) validateSpinach(ss scrub.Scrubs) error { + if p.flags.Spinach == nil || *p.flags.Spinach == "" { + return nil + } + for k := range p.config.Exclusions.Linters { + if _, ok := ss[internal.R(k)]; !ok { + return fmt.Errorf("invalid linter name specified: %q", k) + } + } + return nil +} + func (p *Popeye) lint() (int, int, error) { defer func(t time.Time) { log.Debug().Msgf("Lint %v", time.Since(t)) 
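Review bot: `validateSpinach` checks the exclusion keys against whatever map it is handed, and in `lint()` the Cilium linters are only injected into that map when `p.aliases.IsCiliumCluster()` is true. A spinach file that lists Cilium linters would therefore seem to be rejected with `invalid linter name specified` on a cluster without Cilium, which makes one shared config unusable across clusters; validating against the full set of known linter names would avoid that. The method also needs a doc comment, for example `// validateSpinach ensures every linter named in the spinach exclusions is a known linter.`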
@@ -222,14 +237,25 @@ func (p *Popeye) lint() (int, int, error) { codes.Refine(p.config.Overrides) p.codes = codes - cache := scrub.NewCache(p.db, p.factory, p.config) + var ( + cache = scrub.NewCache(p.db, p.factory, p.config) + runners = make(map[types.GVR]scrub.Linter) + scrubers = scrub.Scrubers() + ) - runners := make(map[types.GVR]scrub.Linter) - for k, fn := range scrub.Scrubers() { + if p.aliases.IsCiliumCluster() { + cscrub.Inject(scrubers) + p.aliases.Inject(cilium.Aliases) + } + if err := p.validateSpinach(scrubers); err != nil { + return 0, 0, err + } + for k, fn := range scrubers { gvr, ok := internal.Glossary[k] if !ok || gvr == types.BlankGVR { continue } + if p.aliases.Exclude(gvr, p.config.Sections()) { continue } @@ -237,12 +263,15 @@ func (p *Popeye) lint() (int, int, error) { if gvr == internal.Glossary[internal.NO] && p.client().ActiveNamespace() != client.AllNamespaces { continue } + if !p.aliases.IsNamespaced(gvr) { + ctx = context.WithValue(ctx, internal.KeyNamespace, client.ClusterScope) + } runners[gvr] = fn(ctx, cache, codes) } total, errCount := len(runners), 0 if total == 0 { - return 0, 0, nil + return 0, 0, fmt.Errorf("no linters matched query. check section selector") } c := make(chan run, 2) for gvr, r := range runners { @@ -272,7 +301,7 @@ func (p *Popeye) lint() (int, int, error) { func (p *Popeye) runLinter(ctx context.Context, gvr types.GVR, l scrub.Linter, c chan run, cache *scrub.Cache, codes *issues.Codes) { defer func() { if e := recover(); e != nil { - BailOut(e.(error)) + BailOut(fmt.Errorf("%s", e)) } }() From 908ea9a4a08a3a3c6b87ea69f9cc15c59ec8810e Mon Sep 17 00:00:00 2001 
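Review bot: The added `ctx = context.WithValue(ctx, internal.KeyNamespace, client.ClusterScope)` overwrites the `ctx` shared by the whole loop, so once one cluster-scoped resource is visited every linter built afterwards receives the cluster-scope namespace too. Because `scrubers` is a map, the set of affected linters changes from run to run, and if the same `ctx` is later handed to `runLinter` (outside this hunk) namespaced linters could list with the wrong scope. Keep the override local to the iteration: `lctx := ctx`, then `lctx = context.WithValue(ctx, internal.KeyNamespace, client.ClusterScope)` inside the `if`, and `runners[gvr] = fn(lctx, cache, codes)`. The body of `lint()` starts before and continues after this hunk.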
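Review bot: `BailOut(fmt.Errorf("%s", e))` formats the recovered value with `%s`, which prints a `%!s(...)` artefact for a panic value that is neither a string nor an error, and it does not say which linter failed. `BailOut(fmt.Errorf("linter %s panicked: %v", gvr, e))` keeps the value readable and names the resource; `gvr` is already a parameter of `runLinter`. The rest of `runLinter` lies outside the hunk.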
From: derailed Date: Sat, 9 Mar 2024 10:39:54 -0700 Subject: [PATCH 3/4] [Maint] cleanup --- internal/dao/generic.go | 11 +--- internal/db/db.go | 11 ++-- internal/db/loader.go | 26 ++++++-- internal/lint/cluster.go | 2 +- internal/lint/cm.go | 2 +- internal/lint/cm_test.go | 42 ------------- internal/lint/container_test.go | 10 ++-- internal/lint/cr.go | 2 +- internal/lint/crb.go | 2 +- internal/lint/cronjob.go | 2 +- internal/lint/dp.go | 2 +- internal/lint/ds.go | 2 +- internal/lint/gw.go | 2 +- internal/lint/gwc.go | 2 +- internal/lint/gwr.go | 2 +- internal/lint/helper.go | 101 +++++++++++++++++++++++++++++++- internal/lint/hpa.go | 4 +- internal/lint/ing.go | 2 +- internal/lint/job.go | 2 +- internal/lint/node.go | 2 +- internal/lint/np.go | 2 +- internal/lint/ns.go | 2 +- internal/lint/pdb.go | 2 +- internal/lint/pod.go | 2 +- internal/lint/pod_test.go | 2 +- internal/lint/pv.go | 2 +- internal/lint/pvc.go | 2 +- internal/lint/rb.go | 2 +- internal/lint/ro.go | 16 ++--- internal/lint/rs.go | 2 +- internal/lint/sa.go | 2 +- internal/lint/sec.go | 2 +- internal/lint/sts.go | 2 +- internal/lint/svc.go | 2 +- internal/lint/svc_test.go | 2 +- internal/scrub/cache.go | 8 +-- internal/test/helpers.go | 9 +++ 37 files changed, 182 insertions(+), 110 deletions(-) diff --git a/internal/dao/generic.go b/internal/dao/generic.go index e450065c..ed214779 100644 --- a/internal/dao/generic.go +++ b/internal/dao/generic.go @@ -8,7 +8,6 @@ import ( "github.com/derailed/popeye/internal" "github.com/derailed/popeye/internal/client" - "github.com/rs/zerolog/log" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" 
@@ -22,14 +21,8 @@ type Generic struct { // List returns a collection of resources. func (g *Generic) List(ctx context.Context) ([]runtime.Object, error) { - labelSel, ok := ctx.Value(internal.KeyLabels).(string) - if !ok { - log.Debug().Msgf("No label selector found in context. Listing all resources") - } - ns, ok := ctx.Value(internal.KeyNamespace).(string) - if !ok { - panic("BOOM no ns in context") - } + labelSel, _ := ctx.Value(internal.KeyLabels).(string) + ns, _ := ctx.Value(internal.KeyNamespace).(string) if client.IsAllNamespace(ns) { ns = client.AllNamespaces } diff --git a/internal/db/db.go b/internal/db/db.go index 067451bf..76e012c4 100644 --- a/internal/db/db.go +++ b/internal/db/db.go @@ -382,17 +382,14 @@ func matchSel(labels map[string]string, e metav1.LabelSelectorRequirement) bool // MatchLabels check if pod labels match a selector. func MatchLabels(labels, sel map[string]string) bool { - if len(sel) == 0 { - return false - } - + var count int for k, v := range sel { - if v1, ok := labels[k]; !ok || v1 != v { - return false + if v1, ok := labels[k]; ok && v == v1 { + count++ } } - return true + return count > 0 } func (db *DB) Exists(kind types.GVR, fqn string) bool { diff --git a/internal/db/loader.go b/internal/db/loader.go index 5a25e50e..76875cf2 100644 --- a/internal/db/loader.go +++ b/internal/db/loader.go @@ -5,6 +5,7 @@ package db import ( "context" + "encoding/json" "fmt" "strings" "sync" @@ -58,7 +59,6 @@ func LoadResource[T metav1.ObjectMetaAccessor](ctx context.Context, l *Loader, g if l.isLoaded(gvr) || gvr == types.BlankGVR { return nil } - oo, err := loadResource(ctx, gvr) if err != nil { return err 
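Review bot: With `ns, _ := ctx.Value(internal.KeyNamespace).(string)` a context that carries no namespace now yields an empty string instead of stopping, and the `client.IsAllNamespace(ns)` check that follows decides the scope from that value. If the empty string is treated as all namespaces (not visible here), a caller that forgot to set the key silently lists cluster-wide rather than failing. Replacing the old panic with a returned error keeps the failure explicit: `ns, ok := ctx.Value(internal.KeyNamespace).(string)` followed by `if !ok { return nil, errors.New("no namespace in context") }`, which needs the `errors` import if the file does not already have it. The rest of `List` is outside the hunk.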
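Review bot: `MatchLabels` in db.go now returns true as soon as one selector pair matches, whereas before it required every pair in `sel` to match, which is how Kubernetes `matchLabels` selectors behave. A selector with two labels will now match objects that carry only one of them, so linters relying on this helper can report a policy or service as matching workloads it does not actually select, hiding findings. If any-match is needed for the Cilium checks, add it as a separately named helper and keep the original loop here: the `len(sel) == 0` guard, `if v1, ok := labels[k]; !ok || v1 != v { return false }`, and `return true` after the loop.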
@@ -83,11 +83,25 @@ func Cast[T any](o runtime.Object) (T, error) { func Save[T metav1.ObjectMetaAccessor](ctx context.Context, dba *DB, gvr types.GVR, oo []runtime.Object) error { txn := dba.Txn(true) defer txn.Commit() - for _, o := range oo { - u, err := Cast[T](o) - if err != nil { - return err + var ( + u T + err error + ) + // !!BOZO!! Dud. Can't hydrate cnp/ccnp from unstructured?? + if gvr.R() == "ciliumnetworkpolicies" || gvr.R() == "ciliumclusterwidenetworkpolicies" { + bb, err := json.Marshal(o.(*unstructured.Unstructured)) + if err != nil { + return err + } + if err = json.Unmarshal(bb, &u); err != nil { + return err + } + } else { + u, err = Cast[T](o) + if err != nil { + return err + } } if err := txn.Insert(gvr.String(), u); err != nil { return err @@ -156,6 +170,7 @@ func (l *Loader) fetchPodsMetrics(c types.Connection) (*mv1beta1.PodMetricsList, } ctx, cancel := context.WithTimeout(context.Background(), client.CallTimeout) defer cancel() + return vc.MetricsV1beta1().PodMetricses(c.ActiveNamespace()).List(ctx, metav1.ListOptions{}) } @@ -167,6 +182,7 @@ func (l *Loader) fetchNodesMetrics(c types.Connection) (*mv1beta1.NodeMetricsLis ctx, cancel := context.WithTimeout(context.Background(), client.CallTimeout) defer cancel() + return vc.MetricsV1beta1().NodeMetricses().List(ctx, metav1.ListOptions{}) } diff --git a/internal/lint/cluster.go b/internal/lint/cluster.go index 087a6d05..794f6a1d 100644 --- a/internal/lint/cluster.go +++ b/internal/lint/cluster.go @@ -49,7 +49,7 @@ func (c *Cluster) checkVersion(ctx context.Context) error { return err } - ctx = internal.WithSpec(ctx, specFor("Version", nil)) + ctx = internal.WithSpec(ctx, SpecFor("Version", nil)) if rev.Major != tolerableMajor || rev.Minor < tolerableMinor { c.AddCode(ctx, 405) } else { diff --git a/internal/lint/cm.go b/internal/lint/cm.go index 84c5bc94..8e01675f 100644 --- a/internal/lint/cm.go +++ b/internal/lint/cm.go 
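Review bot: The new branch in `Save` asserts `o.(*unstructured.Unstructured)` without the comma-ok form, so an object of any other concrete type panics instead of returning an error the way the `Cast[T]` path does. Use `us, ok := o.(*unstructured.Unstructured)` and `if !ok { return fmt.Errorf("expecting unstructured but got %T", o) }` before marshalling `us`. The inner `bb, err := json.Marshal(...)` also shadows the `err` declared in the `var` block just above, and the two resource names are compared as string literals; a short comment explaining why only these kinds take the JSON round trip would replace the `!!BOZO!!` marker. `Save` continues past the end of the hunk.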
@@ -51,7 +51,7 @@ func (s *ConfigMap) checkStale(ctx context.Context, refs *sync.Map) error { cm := o.(*v1.ConfigMap) fqn := client.FQN(cm.Namespace, cm.Name) s.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, cm)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, cm)) if s.system.skip(fqn) { continue } diff --git a/internal/lint/cm_test.go b/internal/lint/cm_test.go index 606226af..986e86f8 100644 --- a/internal/lint/cm_test.go +++ b/internal/lint/cm_test.go @@ -45,45 +45,3 @@ func TestConfigMapLint(t *testing.T) { assert.Equal(t, `[POP-400] Used? Unable to locate resource reference`, ii[0].Message) assert.Equal(t, rules.InfoLevel, ii[0].Level) } - -// ---------------------------------------------------------------------------- -// Helpers... - -// type mockConfigMap struct{} - -// func newMockConfigMap() mockConfigMap { -// return mockConfigMap{} -// } - -// func (c mockConfigMap) PodRefs(refs *sync.Map) { -// refs.Store("cm:default/cm1", internal.StringSet{ -// "k1": internal.Blank, -// "k2": internal.Blank, -// }) -// refs.Store("cm:default/cm2", internal.AllKeys) -// refs.Store("cm:default/cm4", internal.StringSet{ -// "k1": internal.Blank, -// }) -// } - -// func (c mockConfigMap) ListConfigMaps() map[string]*v1.ConfigMap { -// return map[string]*v1.ConfigMap{ -// "default/cm1": makeMockConfigMap("cm1"), -// "default/cm2": makeMockConfigMap("cm2"), -// "default/cm3": makeMockConfigMap("cm3"), -// "default/cm4": makeMockConfigMap("cm4"), -// } -// } - -// func makeMockConfigMap(n string) *v1.ConfigMap { -// return &v1.ConfigMap{ -// ObjectMeta: metav1.ObjectMeta{ -// Name: n, -// Namespace: "default", -// }, -// Data: map[string]string{ -// "k1": "", -// "k2": "", -// }, -// } -// } diff --git a/internal/lint/container_test.go b/internal/lint/container_test.go index 6e78fff5..8c80a212 100644 --- a/internal/lint/container_test.go +++ b/internal/lint/container_test.go 
@@ -75,7 +75,7 @@ func TestContainerCheckUtilization(t *testing.T) { } ctx := test.MakeContext("containers", "container") - ctx = internal.WithSpec(ctx, specFor("default/p1", nil)) + ctx = internal.WithSpec(ctx, SpecFor("default/p1", nil)) for k := range uu { u := uu[k] t.Run(k, func(t *testing.T) { @@ -117,7 +117,7 @@ func TestContainerCheckResources(t *testing.T) { l := NewContainer("default/p1", newRangeCollector(t)) t.Run(k, func(t *testing.T) { - ctx = internal.WithSpec(ctx, specFor("default/p1", nil)) + ctx = internal.WithSpec(ctx, SpecFor("default/p1", nil)) ctx = internal.WithGroup(ctx, types.NewGVR("containers"), co.Name) l.checkResources(ctx, co) @@ -184,7 +184,7 @@ func TestContainerCheckImageTags(t *testing.T) { } ctx := test.MakeContext("containers", "container") - ctx = internal.WithSpec(ctx, specFor("default/p1", nil)) + ctx = internal.WithSpec(ctx, SpecFor("default/p1", nil)) ctx = internal.WithGroup(ctx, types.NewGVR("containers"), "c1") for k := range uu { u := uu[k] @@ -217,7 +217,7 @@ func TestContainerCheckImageRegistry(t *testing.T) { } ctx := test.MakeContext("containers", "container") - ctx = internal.WithSpec(ctx, specFor("default/p1", nil)) + ctx = internal.WithSpec(ctx, SpecFor("default/p1", nil)) ctx = internal.WithGroup(ctx, types.NewGVR("containers"), "c1") for k := range uu { u := uu[k] @@ -248,7 +248,7 @@ func TestContainerCheckNamedPorts(t *testing.T) { } ctx := test.MakeContext("containers", "container") - ctx = internal.WithSpec(ctx, specFor("p1", nil)) + ctx = internal.WithSpec(ctx, SpecFor("p1", nil)) ctx = internal.WithGroup(ctx, types.NewGVR("v1/pods"), "p1") for k := range uu { u := uu[k] diff --git a/internal/lint/cr.go b/internal/lint/cr.go index f801892e..76fafdd1 100644 --- a/internal/lint/cr.go +++ b/internal/lint/cr.go 
@@ -72,7 +72,7 @@ func (s *ClusterRole) checkStale(ctx context.Context, refs *sync.Map) { cr := o.(*rbacv1.ClusterRole) fqn := client.FQN(cr.Namespace, cr.Name) s.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, cr)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, cr)) if s.system.skip(fqn) { continue } diff --git a/internal/lint/crb.go b/internal/lint/crb.go index 6b4e837d..f8dcf254 100644 --- a/internal/lint/crb.go +++ b/internal/lint/crb.go @@ -46,7 +46,7 @@ func (c *ClusterRoleBinding) checkInUse(ctx context.Context) { fqn := client.FQN(crb.Namespace, crb.Name) c.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, crb)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, crb)) switch crb.RoleRef.Kind { case "ClusterRole": diff --git a/internal/lint/cronjob.go b/internal/lint/cronjob.go index a0c102fc..dd2d0c45 100644 --- a/internal/lint/cronjob.go +++ b/internal/lint/cronjob.go @@ -41,7 +41,7 @@ func (s *CronJob) Lint(ctx context.Context) error { cj := o.(*batchv1.CronJob) fqn := client.FQN(cj.Namespace, cj.Name) s.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, cj)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, cj)) s.checkCronJob(ctx, fqn, cj) s.checkContainers(ctx, fqn, cj.Spec.JobTemplate.Spec.Template.Spec) s.checkUtilization(ctx, over, fqn) diff --git a/internal/lint/dp.go b/internal/lint/dp.go index 7c021496..c35d02c1 100644 --- a/internal/lint/dp.go +++ b/internal/lint/dp.go @@ -39,7 +39,7 @@ func (s *Deployment) Lint(ctx context.Context) error { dp := o.(*appsv1.Deployment) fqn := client.FQN(dp.Namespace, dp.Name) s.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, dp)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, dp)) s.checkDeployment(ctx, dp) s.checkContainers(ctx, fqn, dp.Spec.Template.Spec) s.checkUtilization(ctx, over, dp) diff --git a/internal/lint/ds.go b/internal/lint/ds.go index 7f5491ae..523d9904 100644 --- a/internal/lint/ds.go +++ b/internal/lint/ds.go 
@@ -38,7 +38,7 @@ func (s *DaemonSet) Lint(ctx context.Context) error { ds := o.(*appsv1.DaemonSet) fqn := client.FQN(ds.Namespace, ds.Name) s.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, ds)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, ds)) s.checkDaemonSet(ctx, ds) s.checkContainers(ctx, fqn, ds.Spec.Template.Spec) diff --git a/internal/lint/gw.go b/internal/lint/gw.go index e4d1218b..89302b2f 100644 --- a/internal/lint/gw.go +++ b/internal/lint/gw.go @@ -40,7 +40,7 @@ func (s *Gateway) Lint(ctx context.Context) error { gw := o.(*gwv1.Gateway) fqn := client.FQN(gw.Namespace, gw.Name) s.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, gw)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, gw)) s.checkRefs(ctx, gw) } diff --git a/internal/lint/gwc.go b/internal/lint/gwc.go index 1476b151..fe0f2b02 100644 --- a/internal/lint/gwc.go +++ b/internal/lint/gwc.go @@ -39,7 +39,7 @@ func (s *GatewayClass) Lint(ctx context.Context) error { gwc := o.(*gwv1.GatewayClass) fqn := client.FQN(gwc.Namespace, gwc.Name) s.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, gwc)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, gwc)) s.checkRefs(ctx, gwc.Name) } diff --git a/internal/lint/gwr.go b/internal/lint/gwr.go index f241d891..9c33c205 100644 --- a/internal/lint/gwr.go +++ b/internal/lint/gwr.go @@ -41,7 +41,7 @@ func (s *HTTPRoute) Lint(ctx context.Context) error { gwr := o.(*gwv1.HTTPRoute) fqn := client.FQN(gwr.Namespace, gwr.Name) s.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, gwr)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, gwr)) s.checkRoute(ctx, fqn, gwr) } diff --git a/internal/lint/helper.go b/internal/lint/helper.go index 7e6239f9..bd74f488 100644 --- a/internal/lint/helper.go +++ b/internal/lint/helper.go 
@@ -28,7 +28,8 @@ const ( type qos = int -func specFor(fqn string, o metav1.ObjectMetaAccessor) rules.Spec { +// SpecFor construct a new run spec for a given resource. +func SpecFor(fqn string, o metav1.ObjectMetaAccessor) rules.Spec { spec := rules.Spec{ FQN: fqn, } 
@@ -197,3 +198,101 @@ func portAsStr(p v1.ServicePort) string { } return string(p.Protocol) + "::" + strconv.Itoa(int(p.Port)) } + +const ( + nodeUnreachablePodReason = "NodeLost" + completed = "Completed" + running = "Running" + terminating = "Terminating" +) + +func Phase(po *v1.Pod) string { + status := string(po.Status.Phase) + if po.Status.Reason != "" { + if po.DeletionTimestamp != nil && po.Status.Reason == nodeUnreachablePodReason { + return "Unknown" + } + status = po.Status.Reason + } + + status, ok := initContainerPhase(po, status) + if ok { + return status + } + + status, ok = containerPhase(po.Status, status) + if ok && status == completed { + status = running + } + if po.DeletionTimestamp == nil { + return status + } + + return terminating +} + +func containerPhase(st v1.PodStatus, status string) (string, bool) { + var running bool + for i := len(st.ContainerStatuses) - 1; i >= 0; i-- { + cs := st.ContainerStatuses[i] + switch { + case cs.State.Waiting != nil && cs.State.Waiting.Reason != "": + status = cs.State.Waiting.Reason + case cs.State.Terminated != nil && cs.State.Terminated.Reason != "": + status = cs.State.Terminated.Reason + case cs.State.Terminated != nil: + if cs.State.Terminated.Signal != 0 { + status = "Signal:" + strconv.Itoa(int(cs.State.Terminated.Signal)) + } else { + status = "ExitCode:" + strconv.Itoa(int(cs.State.Terminated.ExitCode)) + } + case cs.Ready && cs.State.Running != nil: + running = true + } + } + + return status, running +} + +func initContainerPhase(po *v1.Pod, status string) (string, bool) { + count := len(po.Spec.InitContainers) + rs := make(map[string]bool, count) + for _, c := range po.Spec.InitContainers { + rs[c.Name] = restartableInitCO(c.RestartPolicy) + } + for i, cs := range po.Status.InitContainerStatuses { + if s := checkInitContainerStatus(cs, i, count, rs[cs.Name]); s != "" { + return s, true + } + } + + return status, false +} + +func restartableInitCO(p *v1.ContainerRestartPolicy) bool { + return p != 
nil && *p == v1.ContainerRestartPolicyAlways +} + +func checkInitContainerStatus(cs v1.ContainerStatus, count, initCount int, restartable bool) string { + switch { + case cs.State.Terminated != nil: + if cs.State.Terminated.ExitCode == 0 { + return "" + } + if cs.State.Terminated.Reason != "" { + return "Init:" + cs.State.Terminated.Reason + } + if cs.State.Terminated.Signal != 0 { + return "Init:Signal:" + strconv.Itoa(int(cs.State.Terminated.Signal)) + } + return "Init:ExitCode:" + strconv.Itoa(int(cs.State.Terminated.ExitCode)) + case restartable && cs.Started != nil && *cs.Started: + if cs.Ready { + return "" + } + case cs.State.Waiting != nil && cs.State.Waiting.Reason != "" && cs.State.Waiting.Reason != "PodInitializing": + return "Init:" + cs.State.Waiting.Reason + } + + return "Init:" + strconv.Itoa(count) + "/" + strconv.Itoa(initCount) +} diff --git a/internal/lint/hpa.go b/internal/lint/hpa.go index b7f96364..528b008d 100644 --- a/internal/lint/hpa.go +++ b/internal/lint/hpa.go @@ -49,7 +49,7 @@ func (h *HorizontalPodAutoscaler) Lint(ctx context.Context) error { hpa := o.(*autoscalingv1.HorizontalPodAutoscaler) fqn := client.FQN(hpa.Namespace, hpa.Name) h.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, hpa)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, hpa)) var rcpu, rmem resource.Quantity ns, _ := namespaced(fqn) switch hpa.Spec.ScaleTargetRef.Kind { @@ -121,7 +121,7 @@ func (h *HorizontalPodAutoscaler) checkResources(ctx context.Context, max, curre func (h *HorizontalPodAutoscaler) checkUtilization(ctx context.Context, tcpu, tmem resource.Quantity, res v1.ResourceList) { acpu, amem := *res.Cpu(), *res.Memory() - ctx = internal.WithSpec(ctx, specFor("HPA", nil)) + ctx = internal.WithSpec(ctx, SpecFor("HPA", nil)) if toMC(tcpu) > toMC(acpu) { cpu := tcpu.DeepCopy() cpu.Sub(acpu) diff --git a/internal/lint/ing.go b/internal/lint/ing.go index 4e18fdb9..426097aa 100644 --- a/internal/lint/ing.go +++ b/internal/lint/ing.go 
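Review bot: `checkInitContainerStatus` names its integer parameters `count, initCount`, but its only caller passes the loop index and the number of init containers (`checkInitContainerStatus(cs, i, count, rs[cs.Name])`), so inside the function `count` is really an index. Renaming them, e.g. `idx, total int`, makes the final `"Init:" + strconv.Itoa(idx) + "/" + strconv.Itoa(total)` read correctly. In `containerPhase` the local `var running bool` shadows the new package constant `running`, and the exported `Phase` has no doc comment; something like `// Phase computes a display status for a pod from its phase, reason and container states.` would do.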
@@ -42,7 +42,7 @@ func (s *Ingress) Lint(ctx context.Context) error { ing := o.(*netv1.Ingress) fqn := client.FQN(ing.Namespace, ing.Name) s.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, ing)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, ing)) for _, ing := range ing.Status.LoadBalancer.Ingress { for _, p := range ing.Ports { diff --git a/internal/lint/job.go b/internal/lint/job.go index d028ee13..f693ed67 100644 --- a/internal/lint/job.go +++ b/internal/lint/job.go @@ -39,7 +39,7 @@ func (s *Job) Lint(ctx context.Context) error { j := o.(*batchv1.Job) fqn := client.FQN(j.Namespace, j.Name) s.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, j)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, j)) s.checkJob(ctx, fqn, j) s.checkContainers(ctx, fqn, j.Spec.Template.Spec) s.checkUtilization(ctx, over, fqn) diff --git a/internal/lint/node.go b/internal/lint/node.go index c1d38020..9b21b875 100644 --- a/internal/lint/node.go +++ b/internal/lint/node.go @@ -48,7 +48,7 @@ func (n *Node) Lint(ctx context.Context) error { no := o.(*v1.Node) fqn := no.Name n.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, no)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, no)) n.checkConditions(ctx, no) if err := n.checkTaints(ctx, no.Spec.Taints, tt); err != nil { diff --git a/internal/lint/np.go b/internal/lint/np.go index 4526abb0..7abbb6a2 100644 --- a/internal/lint/np.go +++ b/internal/lint/np.go @@ -52,7 +52,7 @@ func (s *NetworkPolicy) Lint(ctx context.Context) error { np := o.(*netv1.NetworkPolicy) fqn := client.FQN(np.Namespace, np.Name) s.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, np)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, np)) s.checkSelector(ctx, fqn, np.Spec.PodSelector) s.checkIngresses(ctx, fqn, np.Spec.Ingress) diff --git a/internal/lint/ns.go b/internal/lint/ns.go index fd5aedb6..af5e5ebc 100644 --- a/internal/lint/ns.go +++ b/internal/lint/ns.go 
@@ -55,7 +55,7 @@ func (s *Namespace) Lint(ctx context.Context) error { continue } s.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, ns)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, ns)) if s.checkActive(ctx, ns.Status.Phase) { if _, ok := used[fqn]; !ok { diff --git a/internal/lint/pdb.go b/internal/lint/pdb.go index a8774c37..4bdb0b7f 100644 --- a/internal/lint/pdb.go +++ b/internal/lint/pdb.go @@ -36,7 +36,7 @@ func (p *PodDisruptionBudget) Lint(ctx context.Context) error { pdb := o.(*polv1.PodDisruptionBudget) fqn := client.FQN(pdb.Namespace, pdb.Name) p.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, pdb)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, pdb)) p.checkInUse(ctx, pdb) } diff --git a/internal/lint/pod.go b/internal/lint/pod.go index 0bd2ad32..22cdbc9e 100644 --- a/internal/lint/pod.go +++ b/internal/lint/pod.go @@ -59,7 +59,7 @@ func (s *Pod) Lint(ctx context.Context) error { s.InitOutcome(fqn) defer s.CloseOutcome(ctx, fqn, nil) - ctx = internal.WithSpec(ctx, specFor(fqn, po)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, po)) s.checkStatus(ctx, po) s.checkContainerStatus(ctx, fqn, po) s.checkContainers(ctx, fqn, po) diff --git a/internal/lint/pod_test.go b/internal/lint/pod_test.go index 2d70a2e8..3c0d0d0f 100644 --- a/internal/lint/pod_test.go +++ b/internal/lint/pod_test.go @@ -91,7 +91,7 @@ func TestPodCheckSecure(t *testing.T) { } ctx := test.MakeContext("v1/pods", "po") - ctx = internal.WithSpec(ctx, specFor("default/p1", nil)) + ctx = internal.WithSpec(ctx, SpecFor("default/p1", nil)) ctx = context.WithValue(ctx, internal.KeyConfig, test.MakeConfig(t)) dba, err := test.NewTestDB() assert.NoError(t, err) diff --git a/internal/lint/pv.go b/internal/lint/pv.go index e55d642f..b35aafae 100644 --- a/internal/lint/pv.go +++ b/internal/lint/pv.go 
@@ -37,7 +37,7 @@ func (s *PersistentVolume) Lint(ctx context.Context) error { pv := o.(*v1.PersistentVolume) fqn := client.FQN(pv.Namespace, pv.Name) s.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, pv)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, pv)) s.checkBound(ctx, pv.Status.Phase) } diff --git a/internal/lint/pvc.go b/internal/lint/pvc.go index 3b37c790..5087955f 100644 --- a/internal/lint/pvc.go +++ b/internal/lint/pvc.go @@ -51,7 +51,7 @@ func (s *PersistentVolumeClaim) Lint(ctx context.Context) error { pvc := o.(*v1.PersistentVolumeClaim) fqn := client.FQN(pvc.Namespace, pvc.Name) s.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, pvc)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, pvc)) s.checkBound(ctx, pvc.Status.Phase) if _, ok := refs[fqn]; !ok { diff --git a/internal/lint/rb.go b/internal/lint/rb.go index ed09f40f..28492a34 100644 --- a/internal/lint/rb.go +++ b/internal/lint/rb.go @@ -45,7 +45,7 @@ func (r *RoleBinding) checkInUse(ctx context.Context) { rb := o.(*rbacv1.RoleBinding) fqn := client.FQN(rb.Namespace, rb.Name) r.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, rb)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, rb)) switch rb.RoleRef.Kind { case "ClusterRole": diff --git a/internal/lint/ro.go b/internal/lint/ro.go index ec604497..d41f07c3 100644 --- a/internal/lint/ro.go +++ b/internal/lint/ro.go @@ -34,12 +34,15 @@ func NewRole(c *issues.Collector, db *db.DB) *Role { // Lint cleanse the resource. func (s *Role) Lint(ctx context.Context) error { - var roRefs sync.Map + var refs sync.Map + crb := cache.NewClusterRoleBinding(s.db) - crb.ClusterRoleRefs(&roRefs) + crb.ClusterRoleRefs(&refs) + rb := cache.NewRoleBinding(s.db) - rb.RoleRefs(&roRefs) - s.checkInUse(ctx, &roRefs) + rb.RoleRefs(&refs) + + s.checkInUse(ctx, &refs) return nil } 
@@ -51,10 +54,9 @@ func (s *Role) checkInUse(ctx context.Context, refs *sync.Map) { ro := o.(*rbacv1.Role) fqn := client.FQN(ro.Namespace, ro.Name) s.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, ro)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, ro)) - _, ok := refs.Load(cache.ResFqn(cache.RoleKey, fqn)) - if !ok { + if _, ok := refs.Load(cache.ResFqn(cache.RoleKey, fqn)); !ok { s.AddCode(ctx, 400) } } diff --git a/internal/lint/rs.go b/internal/lint/rs.go index 5dbfebc3..2e9763bd 100644 --- a/internal/lint/rs.go +++ b/internal/lint/rs.go @@ -36,7 +36,7 @@ func (s *ReplicaSet) Lint(ctx context.Context) error { rs := o.(*appsv1.ReplicaSet) fqn := client.FQN(rs.Namespace, rs.Name) s.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, rs)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, rs)) s.checkHealth(ctx, rs) } diff --git a/internal/lint/sa.go b/internal/lint/sa.go index d44440e0..bad67425 100644 --- a/internal/lint/sa.go +++ b/internal/lint/sa.go @@ -52,7 +52,7 @@ func (s *ServiceAccount) Lint(ctx context.Context) error { sa := o.(*v1.ServiceAccount) fqn := client.FQN(sa.Namespace, sa.Name) s.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, sa)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, sa)) s.checkMounts(ctx, sa.AutomountServiceAccountToken) s.checkSecretRefs(ctx, fqn, sa.Secrets) diff --git a/internal/lint/sec.go b/internal/lint/sec.go index 24f86103..6c11aa48 100644 --- a/internal/lint/sec.go +++ b/internal/lint/sec.go @@ -61,7 +61,7 @@ func (s *Secret) checkStale(ctx context.Context, refs *sync.Map) { sec := o.(*v1.Secret) fqn := client.FQN(sec.Namespace, sec.Name) s.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, sec)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, sec)) if s.system.skip(fqn) { continue diff --git a/internal/lint/sts.go b/internal/lint/sts.go index 0dcfb413..6d94ea5d 100644 --- a/internal/lint/sts.go +++ b/internal/lint/sts.go 
@@ -48,7 +48,7 @@ func (s *StatefulSet) Lint(ctx context.Context) error { sts := o.(*appsv1.StatefulSet) fqn := client.FQN(sts.Namespace, sts.Name) s.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, sts)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, sts)) s.checkStatefulSet(ctx, sts) s.checkContainers(ctx, fqn, sts) diff --git a/internal/lint/svc.go b/internal/lint/svc.go index 5d81825a..0a401dc7 100644 --- a/internal/lint/svc.go +++ b/internal/lint/svc.go @@ -38,7 +38,7 @@ func (s *Service) Lint(ctx context.Context) error { svc := o.(*v1.Service) fqn := client.FQN(svc.Namespace, svc.Name) s.InitOutcome(fqn) - ctx = internal.WithSpec(ctx, specFor(fqn, svc)) + ctx = internal.WithSpec(ctx, SpecFor(fqn, svc)) if len(svc.Spec.Selector) > 0 { s.checkPorts(ctx, svc.Namespace, svc.Spec.Selector, svc.Spec.Ports) diff --git a/internal/lint/svc_test.go b/internal/lint/svc_test.go index ebbef2be..5381698c 100644 --- a/internal/lint/svc_test.go +++ b/internal/lint/svc_test.go @@ -105,7 +105,7 @@ func Test_svcCheckEndpoints(t *testing.T) { s := NewService(test.MakeCollector(t), dba) if u.fqn != "" { - ctx = internal.WithSpec(ctx, specFor(u.fqn, nil)) + ctx = internal.WithSpec(ctx, SpecFor(u.fqn, nil)) } s.checkEndpoints(ctx, u.fqn, u.kind) diff --git a/internal/scrub/cache.go b/internal/scrub/cache.go index 98aafebd..66b60146 100644 --- a/internal/scrub/cache.go +++ b/internal/scrub/cache.go @@ -10,7 +10,6 @@ import ( "github.com/derailed/popeye/internal/cache" "github.com/derailed/popeye/internal/dag" "github.com/derailed/popeye/internal/db" - "github.com/derailed/popeye/internal/issues" "github.com/derailed/popeye/pkg/config" "github.com/derailed/popeye/types" ) 
@@ -48,10 +47,9 @@ func (c *Cache) cluster(ctx context.Context) (*cache.Cluster, error) { return c.cl, nil } -type scrubFn func(context.Context, *Cache, *issues.Codes) Linter - -func Scrubers() map[internal.R]scrubFn { - return map[internal.R]scrubFn{ +// Scrubers return a collection of linter scrubbers. +func Scrubers() map[internal.R]ScrubFn { + return map[internal.R]ScrubFn{ internal.CL: NewCluster, internal.CM: NewConfigMap, internal.NS: NewNamespace, diff --git a/internal/test/helpers.go b/internal/test/helpers.go index b31904f4..89a34383 100644 --- a/internal/test/helpers.go +++ b/internal/test/helpers.go @@ -10,6 +10,7 @@ import ( "testing" "github.com/derailed/popeye/internal" + "github.com/derailed/popeye/internal/cilium" "github.com/derailed/popeye/internal/db" "github.com/derailed/popeye/internal/db/schema" "github.com/derailed/popeye/internal/issues" @@ -27,6 +28,7 @@ import ( func NewTestDB() (*db.DB, error) { initLinters() + initCiliumLinters() d, err := memdb.NewMemDB(schema.Init()) if err != nil { return nil, err @@ -35,6 +37,13 @@ func NewTestDB() (*db.DB, error) { return db.NewDB(d), nil } +func initCiliumLinters() { + internal.Glossary[cilium.CID] = types.NewGVR("cilium.io/v2/ciliumidentities") + internal.Glossary[cilium.CEP] = types.NewGVR("cilium.io/v2/ciliumendpoints") + internal.Glossary[cilium.CNP] = types.NewGVR("cilium.io/v2/ciliumnetworkpolicies") + internal.Glossary[cilium.CCNP] = types.NewGVR("cilium.io/v2/ciliumclusterwidenetworkpolicies") +} + func initLinters() { internal.Glossary = internal.Linters{ internal.CM: types.NewGVR("v1/configmaps"), From adc263a8aab4318d31dbbc635ab42cf6ba54f2d5 Mon Sep 17 00:00:00 2001 
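Review bot: The new `initCiliumLinters` in internal/test/helpers.go writes into the package-level `internal.Glossary` map and only works because `NewTestDB` calls `initLinters()` first, which replaces that map; neither the ordering nor the global mutation is documented. I would add a comment such as `// initCiliumLinters registers the Cilium GVRs in internal.Glossary; it must run after initLinters, which reassigns the map.` Because every `NewTestDB` call rewrites the same global, tests that call it from parallel subtests would presumably race on the map, so a short note on `NewTestDB` saying it is not safe for concurrent use would help as well. The body of `initLinters` continues outside the hunk.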
From: derailed Date: Sat, 9 Mar 2024 10:36:06 -0700 Subject: [PATCH 4/4] Rel v0.21.0 --- .goreleaser.yml | 3 +- .krew.yaml | 16 ++-- Makefile | 2 +- README.md | 5 ++ change_logs/release_v0.21.0.md | 34 ++++++++ spinach-examples/spinach_aks.yml | 50 +++++++++++ spinach-examples/spinach_eks.yml | 47 +++++++++++ spinach/spinach_aks.yml | 87 ------------------- spinach/spinach_eks.yml | 91 -------------------- spinach/spinach_metakube.yml | 141 ------------------------------- 10 files changed, 150 insertions(+), 326 deletions(-) create mode 100644 change_logs/release_v0.21.0.md create mode 100644 spinach-examples/spinach_aks.yml create mode 100644 spinach-examples/spinach_eks.yml delete mode 100644 spinach/spinach_aks.yml delete mode 100644 spinach/spinach_eks.yml delete mode 100644 spinach/spinach_metakube.yml diff --git a/.goreleaser.yml b/.goreleaser.yml index 7d4366bb..5363792a 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -30,7 +30,8 @@ builds: archives: - name_template: >- {{ .ProjectName }}_ - {{- title .Os }}_ + {{ .Tag }}_ + {{ .Os }}_ {{- if eq .Arch "amd64" }}amd64 {{- else if eq .Arch "386" }}i386 {{- else }}{{ .Arch }}{{ end }} diff --git a/.krew.yaml b/.krew.yaml index 5c8b4685..26fd5290 100644 --- a/.krew.yaml +++ b/.krew.yaml 
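Review bot: The two added template lines in the `.goreleaser.yml` `name_template` drop the `{{-` trim marker that the removed `{{- title .Os }}_` line carried. Inside a `>-` folded scalar each line break becomes a space, so as written the rendered name would presumably be `popeye_ <tag>_ <os>_amd64` with embedded spaces. The `.krew.yaml` URLs changed in the same patch expect `popeye_{{ .TagName }}_darwin_amd64.tar.gz`, so the manifest's URI and checksum lookup would then point at an asset name the release does not produce. I would write the lines as `{{- .Tag }}_` and `{{- .Os }}_`, and confirm the result with a snapshot build before tagging.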
@@ -25,25 +25,25 @@ spec: matchLabels: os: darwin arch: amd64 - {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ .TagName }}/popeye_Darwin_amd64.tar.gz" .TagName | indent 6 }} + {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ .TagName }}/popeye_{{ .TagName }}_darwin_amd64.tar.gz" .TagName | indent 6 }} bin: kubectl-popeye - selector: matchLabels: os: darwin arch: arm64 - {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ .TagName }}/popeye_Darwin_arm64.tar.gz" .TagName | indent 6 }} + {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ .TagName }}/popeye_{{ .TagName }}_darwin_arm64.tar.gz" .TagName | indent 6 }} bin: kubectl-popeye - selector: matchLabels: os: linux arch: amd64 - {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ .TagName }}/popeye_Linux_amd64.tar.gz" .TagName | indent 6}} + {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ .TagName }}/popeye_{{ .TagName }}_linux_amd64.tar.gz" .TagName | indent 6}} bin: kubectl-popeye - selector: matchLabels: os: linux arch: arm64 - {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ .TagName }}/popeye_Linux_arm64.tar.gz" .TagName | indent 6 }} + {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ .TagName }}/popeye_{{ .TagName }}_linux_arm64.tar.gz" .TagName | indent 6 }} bin: kubectl-popeye - selector: matchLabels: 
@@ -55,5 +55,11 @@ spec: matchLabels: os: windows arch: arm64 - {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ .TagName }}/popeye_Windows_arm64.tar.gz" .TagName | indent 6 }} + {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ .TagName }}/popeye_{{ .TagName }}_windows_amd64.tar.gz" .TagName | indent 6 }} bin: kubectl-popeye.exe + - selector: + matchLabels: + os: windows + arch: arm64 + {{ addURIAndSha "https://github.com/derailed/popeye/releases/download/{{ .TagName }}/popeye_{{ .TagName }}_windows_arm64.tar.gz" .TagName | indent 6 }} + bin: kubectl-popeye.exe \ No newline at end of file diff --git a/Makefile b/Makefile index a61a6443..63cae1f6 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ NAME := popeye PACKAGE := github.com/derailed/$(NAME) -VERSION := v0.20.5 +VERSION := v0.21.0 GIT := $(shell git rev-parse --short HEAD) DATE := $(shell date +%FT%T%Z) IMG_NAME := derailed/popeye diff --git a/README.md b/README.md index 65942eb9..35124a21 100644 --- a/README.md +++ b/README.md @@ -425,6 +425,11 @@ popeye: - fqns: [blee-ns] codes: [106] # => skip code 106 for namespace blee-ns + # Skip secrets in namespace bozo. + secrets: + instances: + - fqns: [rx:^bozo] + # Configure the pods linter for v1/pods. pods: instances: diff --git a/change_logs/release_v0.21.0.md b/change_logs/release_v0.21.0.md new file mode 100644 index 00000000..798f06ca --- /dev/null +++ b/change_logs/release_v0.21.0.md 
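Review bot: In the last `.krew.yaml` hunk the changed URL sits under the context lines `os: windows` / `arch: arm64` but now points at `popeye_{{ .TagName }}_windows_amd64.tar.gz`, and a second selector with the same `os: windows` / `arch: arm64` labels is then appended for the arm64 archive. That leaves two entries with identical selectors, so a Windows arm64 host would likely resolve to the first one and install the amd64 build, with a checksum that still verifies because it is computed for that same URL. The windows/amd64 entry itself lies between the two hunks and is not touched, so it presumably still references the old `popeye_Windows_amd64.tar.gz` name. I would keep this entry on `popeye_{{ .TagName }}_windows_arm64.tar.gz`, update the amd64 entry above it instead, and drop the appended duplicate.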
@@ -0,0 +1,34 @@ + + +# Release v0.21.0 + +## Notes + +Thank you to all that contributed with flushing out issues and enhancements for Popeye! I'll try to mark some of these issues as fixed. But if you don't mind grab the latest rev and see if we're happier with some of the fixes! If you've filed an issue please help me verify and close. Your support, kindness and awesome suggestions to make Popeye better is as ever very much noticed and appreciated! + +This project offers a GitHub Sponsor button (over here 👆). As you well know this is not pimped out by big corps with deep pockets. If you feel `Popeye` is saving you cycles diagnosing potential cluster issues please consider sponsoring this project!! It does go a long way in keeping our servers lights on and beers in our fridge. + +Also if you dig this tool, please make some noise on social! [@kitesurfer](https://twitter.com/kitesurfer) + +--- + +## Maintenance Release + +--- + +## Resolved Issues + +. [#293](https://github.com/derailed/popeye/issues/293) Spinach documentation +. [#263](https://github.com/derailed/popeye/issues/263) Fix automated action to push releases to krew + +--- + +## Contributed PRs + +Please give `Big Thanks!` and `ATTA Girls/Boys!` to all the fine contributors for making Popeye better for all of us!! + +* [PR #294](https://github.com/derailed/popeye/pull/294) Krew manifest update + +--- + +  © 2024 Imhotep Software LLC. All materials licensed under [Apache v2.0](http://www.apache.org/licenses/LICENSE-2.0) diff --git a/spinach-examples/spinach_aks.yml b/spinach-examples/spinach_aks.yml new file mode 100644 index 00000000..a50dca40 --- /dev/null +++ b/spinach-examples/spinach_aks.yml 
@@ -0,0 +1,50 @@ +# A Sample AKS Popeye configuration. +popeye: + allocations: + cpu: + # Checks if cpu is under allocated by more than 200% at current load. + underPercUtilization: 200 + # Checks if cpu is over allocated by more than 50% at current load. + overPercUtilization: 50 + memory: + # Checks if mem is under allocated by more than 200% at current load. + underPercUtilization: 200 + # Checks if mem is over allocated by more than 50% at current load. + overPercUtilization: 50 + + # Excludes define rules to exampt resources from sanitization + excludes: + global: + fqns: [rx:kube-system] + + linters: + clusterrolebindings: + instances: + - fqns: [rx:system, rx:aks, rx:omsagent] + + clusterroles: + instances: + - fqns: [omsagent-reader, system, admin, edit, view, cluster-admin] + codes: [400] + + resources: + # Nodes specific sanitization + node: + limits: + cpu: 90 + memory: 80 + + # Pods specific sanitization + pod: + limits: + # Fail if cpu is over 80% + cpu: 80 + # Fail if pod mem is over 75% + memory: 75 + # Fail if more than 3 restarts on any pods + restarts: 3 + + # Code specifies a custom severity level ie critical=3, warn=2, info=1 + overrides: + - codes: 206 + severity: 1 diff --git a/spinach-examples/spinach_eks.yml b/spinach-examples/spinach_eks.yml new file mode 100644 index 00000000..fa8dbf43 --- /dev/null +++ b/spinach-examples/spinach_eks.yml 
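Review bot: The exclusion patterns in the new spinach-examples/spinach_aks.yml are broader and less consistent than the EKS example added alongside it. `rx:kube-system`, `rx:system`, `rx:aks` and `rx:omsagent` are unanchored, so they presumably match anywhere in the FQN and would also silence findings for unrelated resources whose names merely contain those strings; the EKS file uses `rx:^kube-system` and `rx:^eks`. Under `clusterroles` the list has a bare `system`, whereas the removed spinach/spinach_aks.yml had `rx:system` and the EKS example has `rx:^system`, so the `system:*` roles are likely no longer excluded here. I would anchor the patterns, e.g. `fqns: [rx:^kube-system]`, and use `rx:^system` in the clusterroles list. Since people copy sample exclusions verbatim, keeping them as narrow as possible avoids hiding RBAC findings by accident.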
@@ -0,0 +1,47 @@ +# A Sample EKS Popeye configuration. +popeye: + allocations: + cpu: + # Checks if cpu is under allocated by more than 200% at current load. + underPercUtilization: 200 + # Checks if cpu is over allocated by more than 50% at current load. + overPercUtilization: 50 + memory: + # Checks if mem is under allocated by more than 200% at current load. + underPercUtilization: 200 + # Checks if mem is over allocated by more than 50% at current load. + overPercUtilization: 50 + + # Excludes define rules to exampt resources from sanitization + excludes: + global: + fqns: [rx:^kube-system,rx:^local-path-storage] + + linters: + clusterroles: + instances: + - fqns: [rx:^eks,rx:^aws-node,rx:^system,admin,edit,view,cluster-admin] + codes: [400] + + resources: + # Nodes specific sanitization + node: + limits: + cpu: 90 + memory: 80 + + # Pods specific sanitization + pod: + limits: + # Fail if cpu is over 80% + cpu: 80 + # Fail if pod mem is over 75% + memory: 75 + # Fail if more than 3 restarts on any pods + restarts: 3 + + + # Code specifies a custom severity level ie critical=3, warn=2, info=1 + overrides: + - codes: 206 + severity: 1 diff --git a/spinach/spinach_aks.yml b/spinach/spinach_aks.yml deleted file mode 100644 index d74248c6..00000000 --- a/spinach/spinach_aks.yml +++ /dev/null 
@@ -1,87 +0,0 @@ -# A Sample AKS Popeye configuration. -popeye: - allocations: - cpu: - # Checks if cpu is under allocated by more than 200% at current load. - underPercUtilization: 200 - # Checks if cpu is over allocated by more than 50% at current load. - overPercUtilization: 50 - memory: - # Checks if mem is under allocated by more than 200% at current load. - underPercUtilization: 200 - # Checks if mem is over allocated by more than 50% at current load. - overPercUtilization: 50 - # Excludes define rules to exampt resources from sanitization - excludes: - gvrs: - rbac.authorization.k8s.io/v1/clusterrolebindings: - - name: rx:system - - name: rx:aks - - name: rx:omsagent - rbac.authorization.k8s.io/v1/clusterroles: - - name: omsagent-reader - codes: - - 400 - - name: rx:system - codes: - - 400 - - name: admin - codes: - - 400 - - name: edit - codes: - - 400 - - name: view - codes: - - 400 - - name: cluster-admin - codes: - - 400 - rbac.authorization.k8s.io/v1/rolebindings: - - name: rx:kube - rbac.authorization.k8s.io/v1/roles: - - name: rx:kube - apps/v1/daemonsets: - - name: rx:kube-system - apps/v1/deployments: - - name: rx:kube-system - apps/v1/replicasets: - - name: rx:kube - networking.k8s.io/v1/networkpolicies: - - name: rx:kube - policy/v1beta1/poddisruptionbudgets: - - name: rx:kube - v1/configmaps: - - name: rx:kube - v1/namespaces: - - name: rx:kube - v1/pods: - - name: rx:kube - v1/serviceaccounts: - - name: rx:kube - v1/secrets: - - name: rx:kube - v1/services: - - name: rx:kube - - resources: - # Nodes specific sanitization - node: - limits: - cpu: 90 - memory: 80 - - # Pods specific sanitization - pod: - limits: - # Fail if cpu is over 80% - cpu: 80 - # Fail if pod mem is over 75% - memory: 75 - # Fail if more than 3 restarts on any pods - restarts: 3 - - # Code specifies a custom severity level ie critical=3, warn=2, info=1 - codes: - 206: - severity: 1 
diff --git a/spinach/spinach_eks.yml b/spinach/spinach_eks.yml
deleted file mode 100644
index 048d3a07..00000000
--- a/spinach/spinach_eks.yml
+++ /dev/null
@@ -1,91 +0,0 @@ -# A Sample EKS Popeye configuration. -popeye: - allocations: - cpu: - # Checks if cpu is under allocated by more than 200% at current load. - underPercUtilization: 200 - # Checks if cpu is over allocated by more than 50% at current load. - overPercUtilization: 50 - memory: - # Checks if mem is under allocated by more than 200% at current load. - underPercUtilization: 200 - # Checks if mem is over allocated by more than 50% at current load. - overPercUtilization: 50 - # Excludes define rules to exampt resources from sanitization - excludes: - gvrs: - rbac.authorization.k8s.io/v1/clusterrolebindings: - - name: rx:system - - name: rx:eks - rbac.authorization.k8s.io/v1/clusterroles: - - name: rx:eks - codes: - - 400 - - name: aws-node - codes: - - 400 - - name: rx:system - codes: - - 400 - - name: admin - codes: - - 400 - - name: edit - codes: - - 400 - - name: view - codes: - - 400 - - name: cluster-admin - codes: - - 400 - rbac.authorization.k8s.io/v1/rolebindings: - - name: rx:kube - rbac.authorization.k8s.io/v1/roles: - - name: rx:kube - apps/v1/daemonsets: - - name: rx:kube-system - apps/v1/deployments: - - name: rx:kube-system - apps/v1/replicasets: - - name: rx:kube - networking.k8s.io/v1/networkpolicies: - - name: rx:freddy - policy/v1beta1/podsecuritypolicies: - - name: rx:eks - v1/configmaps: - - name: rx:kube - v1/namespaces: - - name: rx:kube - v1/pods: - - name: rx:kube - v1/serviceaccounts: - - name: rx:kube - v1/secrets: - - name: rx:kube - v1/services: - - name: rx:kube - codes: - - 404 - - resources: - # Nodes specific sanitization - node: - limits: - cpu: 90 - memory: 80 - - # Pods specific sanitization - pod: - limits: - # Fail if cpu is over 80% - cpu: 80 - # Fail if pod mem is over 75% - memory: 75 - # Fail if more than 3 restarts on any pods - restarts: 3 - - # Code specifies a custom severity level ie critical=3, warn=2, info=1 - codes: - 206: - severity: 1 
diff --git a/spinach/spinach_metakube.yml b/spinach/spinach_metakube.yml
deleted file mode 100644
index eed5ad99..00000000
--- a/spinach/spinach_metakube.yml
+++ /dev/null
@@ -1,141 +0,0 @@ -popeye: - excludes: - gvrs: - v1/serviceaccounts: - # Those are managed by SysEleven - - name: rx:^syseleven - - # We don’t check the kube* service accounts - this is part of the platform - - name: rx:^kube - - name: default/default - codes: - - 400 - - # Exclude some codes for default services - v1/services: - # Those are managed by SysEleven - - name: rx:^syseleven - - # This service is of type NodePort, which is intentional (1104) - - name: default/kubernetes - codes: - - 1104 - - # The ports here are not named yet (1102) - - name: kube-system/kube-dns - codes: - - 1102 - - # The port here is not named yet (1102) - - name: kube-system/node-exporter - codes: - - 1102 - - # We don’t want to check tiller, it’s only here for backwards compatibility to helm2 - - name: kube-system/tiller-deploy - - # We don’t need to check the metrics-server, this is managed by MetaKube - - name: kube-system/metrics-server - - # Exclude Secrets in the system namespaces - v1/secrets: - # Don’t check helm release secrets - - name: rx:sh.helm.release - - - name: rx:^kube - - # Those are managed by SysEleven - - name: rx:^syseleven - - # The default token may be unused - - name: rx:default/default-token - codes: - - 400 - - # RoleBindings for platform services can be excluded - rbac.authorization.k8s.io/v1/rolebindings: - - name: rx:^kube - - name: rx:^default/system - - name: default/machine-controller - - # Those are managed by SysEleven - - name: rx:^syseleven - - # Roles for platform services can be excluded - rbac.authorization.k8s.io/v1/roles: - - name: rx:^kube - - name: rx:^default/system - - name: default/machine-controller - - # Those are managed by SysEleven - - name: rx:^syseleven - - # ReplicaSets for platform services can be excluded - v1/replicasets: - - name: rx:^kube - - # Those are managed by SysEleven - - name: rx:^syseleven - - # MetaKube provides you with some SysEleven PodSecurityPolicies that we don’t want to scan here - 
policy/v1beta1/podsecuritypolicies: - # Those are managed by SysEleven - - name: rx:^syseleven - - # PodDisruptionBudgets for platform services can be excluded - policy/v1beta1/poddisruptionbudgets: - - name: kube-system/coredns - - # Those are managed by SysEleven - - name: rx:^syseleven - - # Pods for platform services can be excluded - v1/pods: - - name: rx:^kube-system/ - - # Those are managed by SysEleven - - name: rx:^syseleven - - # Nodes are platform services and can be excluded - v1/nodes: - - name: rx:.* - - # We don’t want to sanitize the default namespaces: - v1/namespaces: - - name: default - - name: kube-node-lease - - name: kube-public - - name: kube-system - - # Those are managed by SysEleven - - name: rx:^syseleven - - # Deployments for platform services can be excluded - apps/v1/deployments: - - name: rx:^kube-system - - # Those are managed by SysEleven - - name: rx:^syseleven - - # Daemonsets for platform services can be excluded - apps/v1/daemonsets: - - name: rx:^kube-system - - # Those are managed by SysEleven - - name: rx:^syseleven - - # ConfigMaps for platform services can be excluded - v1/configmaps: - - name: rx:^kube-system - - name: kube-public/cluster-info - - # Those are managed by SysEleven - - name: rx:^syseleven - - rbac.authorization.k8s.io/v1/clusterroles: - - name: rx:.* - codes: - - 400 - - # Those are managed by SysEleven - - name: rx:^syseleven