From 8254848ef84d106d354ca1270e45fa39347e479d Mon Sep 17 00:00:00 2001
From: ssube
Date: Fri, 15 Nov 2019 20:53:09 -0600
Subject: [PATCH] feat(rules/kubernetes): add rule to prevent latest tag, rule to ensure pull policy is set
---
 rules/kubernetes.yml | 42 +++++++++++++++++++-
 test/examples/kubernetes-resources-high.yml | 2 +
 test/examples/kubernetes-resources-low.yml | 2 +
 test/examples/kubernetes-resources-med.yml | 2 +
 test/examples/kubernetes-resources-multi.yml | 4 ++
 test/examples/kubernetes-resources-none.yml | 2 +
 test/examples/kubernetes-resources-some.yml | 6 +++
 7 files changed, 59 insertions(+), 1 deletion(-)
diff --git a/rules/kubernetes.yml b/rules/kubernetes.yml
index 4bb1ff7..e85da85 100644
--- a/rules/kubernetes.yml
+++ b/rules/kubernetes.yml
@@ -106,6 +106,7 @@ rules:
 level: info tags: - kubernetes + - important - labels check:
@@ -121,4 +122,43 @@ rules:
 additionalProperties: false
 patternProperties:
 "^[-.a-z0-9]{1,63}$":
- type: string
\ No newline at end of file
+ type: string
+
+ - name: kubernetes-container-pull-policy
+ desc: all containers should have a pull policy
+ level: info
+ tags:
+ - kubernetes
+ - image
+ - optional
+
+ select: '$..containers.*'
+ check:
+ type: object
+ required: [image, imagePullPolicy]
+ properties:
+ imagePullPolicy:
+ type: string
+ enum:
+ - Always
+ - IfNotPresent
+ - Never
+
+
+ - name: kubernetes-image-latest
+ desc: images should never use :latest tag
+ level: info
+ tags:
+ - kubernetes
+ - image
+ - important
+
+ select: '$..containers.*'
+ check:
+ type: object
+ required: [image]
+ properties:
+ image:
+ type: string
+ not:
+ pattern: ':latest$'
\ No newline at end of file
diff --git a/test/examples/kubernetes-resources-high.yml b/test/examples/kubernetes-resources-high.yml
index 277104e..b6e619c 100644
--- a/test/examples/kubernetes-resources-high.yml
+++ b/test/examples/kubernetes-resources-high.yml
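Review bot: The `kubernetes-image-latest` check only rejects an explicit `:latest` suffix, so an untagged reference such as the `image: foo` these fixtures add still resolves to the `latest` tag at pull time and passes the rule. Alongside the existing `not: { pattern: ':latest$' }`, requiring a tag or digest with `pattern: ':[^/]+$'` (a `:` after the last path segment, which also accepts `@sha256:` digests while rejecting a bare registry port like `registry:5000/foo`) would close that gap. Both new rules select `$..containers.*`, which by key name would not reach `initContainers`; whether a union such as `$..[containers,initContainers].*` is accepted depends on the JSONPath implementation the tool uses, so confirm before changing it. None of the example files in this patch exercises a failing case for either rule (a missing `imagePullPolicy` or a `:latest` image), so a negative fixture per rule would make the checks testable.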
@@ -10,6 +10,8 @@ spec:
 spec:
 containers:
 - name: test
+ image: foo
+ imagePullPolicy: Always
 resources:
 limits:
 cpu: 4000m
diff --git a/test/examples/kubernetes-resources-low.yml b/test/examples/kubernetes-resources-low.yml
index 288e2b1..457dde9 100644
--- a/test/examples/kubernetes-resources-low.yml
+++ b/test/examples/kubernetes-resources-low.yml
@@ -10,6 +10,8 @@ spec:
 spec:
 containers:
 - name: test
+ image: foo
+ imagePullPolicy: Always
 resources:
 limits:
 memory: 5Mi
diff --git a/test/examples/kubernetes-resources-med.yml b/test/examples/kubernetes-resources-med.yml
index 6bdf2cb..d3d250a 100644
--- a/test/examples/kubernetes-resources-med.yml
+++ b/test/examples/kubernetes-resources-med.yml
@@ -10,6 +10,8 @@ spec:
 spec:
 containers:
 - name: test
+ image: foo
+ imagePullPolicy: Always
 resources:
 limits:
 cpu: 200m
diff --git a/test/examples/kubernetes-resources-multi.yml b/test/examples/kubernetes-resources-multi.yml
index 03c2589..c4149ca 100644
--- a/test/examples/kubernetes-resources-multi.yml
+++ b/test/examples/kubernetes-resources-multi.yml
@@ -10,6 +10,8 @@ spec:
 spec:
 containers:
 - name: test
+ image: foo
+ imagePullPolicy: Always
 resources:
 limits:
 cpu: 4000m
@@ -19,6 +21,8 @@ spec:
 memory: 5Gi - name: other + image: foo + imagePullPolicy: Always resources: limits: cpu: 2000m
diff --git a/test/examples/kubernetes-resources-none.yml b/test/examples/kubernetes-resources-none.yml
index 9421ea6..daf7c1e 100644
--- a/test/examples/kubernetes-resources-none.yml
+++ b/test/examples/kubernetes-resources-none.yml
@@ -10,4 +10,6 @@ spec:
 spec:
 containers:
 - name: test
+ image: foo
+ imagePullPolicy: Always
 # missing resources
\ No newline at end of file
diff --git a/test/examples/kubernetes-resources-some.yml b/test/examples/kubernetes-resources-some.yml
index 26a15b1..2eea7e3 100644
--- a/test/examples/kubernetes-resources-some.yml
+++ b/test/examples/kubernetes-resources-some.yml
@@ -10,6 +10,8 @@ spec:
 spec:
 containers:
 - name: test
+ image: foo
+ imagePullPolicy: Always
 resources:
 limits:
 cpu: 4000m
@@ -28,6 +30,8 @@ spec:
 spec:
 containers:
 - name: test
+ image: foo
+ imagePullPolicy: Always
 resources:
 limits:
 cpu: 200m
@@ -46,6 +50,8 @@ spec:
 spec:
 containers:
 - name: test
+ image: foo
+ imagePullPolicy: Always
 resources:
 limits:
 cpu: 4000m