Merge branch 'stackrox:main' into env-value-from-feature

Author: Nexusrex18

docs/generated/checks.md

@@ -629,6 +629,21 @@ dirs:
 - ^/sys$
 - ^/usr$
 ```
+## sorted-keys
+
+**Enabled by default**: No
+
+**Description**: Check that YAML keys are sorted in alphabetical order wherever possible.
+
+**Remediation**: Ensure that keys in your YAML manifest are sorted in alphabetical order to improve consistency and readability.
+
+**Template**: [sorted-keys](templates.md#sorted-keys)
+
+**Parameters**:
+
+```yaml
+recursive: true
+```
 ## ssh-port
 
 **Enabled by default**: Yes

docs/generated/templates.md

@@ -850,6 +850,25 @@ KubeLinter supports the following templates:
   type: string
 ```
 
+## Sorted Keys
+
+**Key**: `sorted-keys`
+
+**Description**: Flag YAML keys that are not sorted in alphabetical order
+
+**Supported Objects**: Any
+
+
+**Parameters**:
+
+```yaml
+- description: Recursive determines whether to check keys recursively at all nesting
+    levels. Default is true.
+  name: recursive
+  required: false
+  type: boolean
+```
+
 ## Startup Port Exposed
 
 **Key**: `startup-port`

e2etests/bats-tests.sh

@@ -938,6 +938,25 @@ get_value_from() {
   [[ "${count}" == "2" ]]
 }
 
+@test "sorted-keys" {
+  tmp="tests/checks/sorted-keys.yaml"
+  cmd="${KUBE_LINTER_BIN} lint --include sorted-keys --do-not-auto-add-defaults --format json ${tmp}"
+  run ${cmd}
+
+  print_info "${status}" "${output}" "${cmd}" "${tmp}"
+  [ "$status" -eq 1 ]
+
+  message1=$(get_value_from "${lines[0]}" '.Reports[0].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[0].Diagnostic.Message')
+  message2=$(get_value_from "${lines[0]}" '.Reports[1].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[1].Diagnostic.Message')
+  message3=$(get_value_from "${lines[0]}" '.Reports[2].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[2].Diagnostic.Message')
+  count=$(get_value_from "${lines[0]}" '.Reports | length')
+
+  [[ "${message1}" == "Deployment: Keys are not sorted at spec.template.spec.containers[0]. Expected order: [image, name, ports], got: [name, image, ports]" ]]
+  [[ "${message2}" == "Deployment: Keys are not sorted at root. Expected order: [apiVersion, kind, metadata, spec], got: [apiVersion, metadata, spec, kind]" ]]
+  [[ "${message3}" == "Deployment: Keys are not sorted at spec.template. Expected order: [metadata, spec], got: [spec, metadata]" ]]
+  [[ "${count}" == "27" ]]
+}
+
 @test "ssh-port" {
   tmp="tests/checks/ssh-port.yml"
   cmd="${KUBE_LINTER_BIN} lint --include ssh-port --do-not-auto-add-defaults --format json ${tmp}"
@@ -1112,7 +1131,7 @@ get_value_from() {
 
 @test "flag-ignore-paths" {
   tmp="."
-  cmd="${KUBE_LINTER_BIN} lint --ignore-paths \"tests/**\" --ignore-paths \"e2etests/**\" ${tmp}"
+  cmd="${KUBE_LINTER_BIN} lint --ignore-paths \"tests/**\" --ignore-paths \"e2etests/**\" --ignore-paths \"pkg/**/testdata/**\" ${tmp}"
   run ${cmd}
   print_info "${status}" "${output}" "${cmd}" "${tmp}"
   [ "$status" -eq 0 ]

go.mod

@@ -8,6 +8,7 @@ require (
 	github.com/cert-manager/cert-manager v1.19.1
 	github.com/fatih/color v1.18.0
 	github.com/go-viper/mapstructure/v2 v2.4.0
+	github.com/goccy/go-yaml v1.18.0
 	github.com/google/cel-go v0.26.1
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mitchellh/mapstructure v1.5.0

go.sum

@@ -111,6 +111,8 @@ github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9L
 github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
+github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
+github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=

pkg/builtinchecks/yamls/sorted-keys.yaml

@@ -0,0 +1,9 @@
+name: "sorted-keys"
+description: "Check that YAML keys are sorted in alphabetical order wherever possible."
+remediation: "Ensure that keys in your YAML manifest are sorted in alphabetical order to improve consistency and readability."
+scope:
+  objectKinds:
+    - Any
+template: "sorted-keys"
+params:
+  recursive: true

pkg/lintcontext/mocks/context.go

@@ -7,14 +7,19 @@ import (
 
 // MockLintContext is mock implementation of the LintContext used in unit tests
 type MockLintContext struct {
-	objects map[string]k8sutil.Object
+	objects    map[string]k8sutil.Object
+	rawObjects map[string][]byte
 }
 
 // Objects returns all the objects under this MockLintContext
 func (l *MockLintContext) Objects() []lintcontext.Object {
 	result := make([]lintcontext.Object, 0, len(l.objects))
-	for _, p := range l.objects {
-		result = append(result, lintcontext.Object{Metadata: lintcontext.ObjectMetadata{}, K8sObject: p})
+	for key, p := range l.objects {
+		metadata := lintcontext.ObjectMetadata{}
+		if raw, ok := l.rawObjects[key]; ok {
+			metadata.Raw = raw
+		}
+		result = append(result, lintcontext.Object{Metadata: metadata, K8sObject: p})
 	}
 	return result
 }
@@ -26,10 +31,19 @@ func (l *MockLintContext) InvalidObjects() []lintcontext.InvalidObject {
 
 // NewMockContext returns an empty mockLintContext
 func NewMockContext() *MockLintContext {
-	return &MockLintContext{objects: make(map[string]k8sutil.Object)}
+	return &MockLintContext{
+		objects:    make(map[string]k8sutil.Object),
+		rawObjects: make(map[string][]byte),
+	}
 }
 
 // AddObject adds an object to the MockLintContext
 func (l *MockLintContext) AddObject(key string, obj k8sutil.Object) {
 	l.objects[key] = obj
 }
+
+// AddObjectWithRaw adds an object to the MockLintContext with raw YAML data
+func (l *MockLintContext) AddObjectWithRaw(key string, obj k8sutil.Object, raw []byte) {
+	l.objects[key] = obj
+	l.rawObjects[key] = raw
+}

pkg/templates/all/all.go

@@ -57,6 +57,7 @@ import (
 	_ "golang.stackrox.io/kube-linter/pkg/templates/sccdenypriv"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/serviceaccount"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/servicetype"
+	_ "golang.stackrox.io/kube-linter/pkg/templates/sortedkeys"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/startupport"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/sysctl"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/targetport"

pkg/templates/sortedkeys/internal/params/gen-params.go

@@ -0,0 +1,8 @@
+package params
+
+// Params represents the params accepted by this template.
+type Params struct {
+	// Recursive determines whether to check keys recursively at all nesting levels.
+	// Default is true.
+	Recursive bool
+}