kube_cluster 0.3.7 → 0.3.9

data/lib/kube/cluster/middleware/resource_preset.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+require "bundler/setup"
+require "kube/cluster"
+
 module Kube
   module Cluster
     class Middleware
@@ -62,3 +65,164 @@ module Kube
     end
   end
 end
+
+test do
+  Middleware = Kube::Cluster::Middleware
+
+  it "injects_small_preset_into_deployment" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      metadata.labels = { "app.kubernetes.io/size": "small" }
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        { name: "web", image: "nginx:latest" },
+      ]
+    })
+
+    Middleware::ResourcePreset.new.call(m)
+    container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
+
+    container.dig(:resources, :requests, :cpu).should == "500m"
+  end
+
+  it "injects_nano_preset" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "tiny"
+      metadata.labels = { "app.kubernetes.io/size": "nano" }
+      spec.selector.matchLabels = { app: "tiny" }
+      spec.template.metadata.labels = { app: "tiny" }
+      spec.template.spec.containers = [
+        { name: "app", image: "app:latest" },
+      ]
+    })
+
+    Middleware::ResourcePreset.new.call(m)
+    container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
+
+    container.dig(:resources, :requests, :cpu).should == "100m"
+  end
+
+  it "injects_xlarge_preset" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "big"
+      metadata.labels = { "app.kubernetes.io/size": "xlarge" }
+      spec.selector.matchLabels = { app: "big" }
+      spec.template.metadata.labels = { app: "big" }
+      spec.template.spec.containers = [
+        { name: "app", image: "app:latest" },
+      ]
+    })
+
+    Middleware::ResourcePreset.new.call(m)
+    container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
+
+    container.dig(:resources, :limits, :cpu).should == "3"
+  end
+
+  it "applies_to_all_containers" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "multi"
+      metadata.labels = { "app.kubernetes.io/size": "micro" }
+      spec.selector.matchLabels = { app: "multi" }
+      spec.template.metadata.labels = { app: "multi" }
+      spec.template.spec.containers = [
+        { name: "app", image: "app:latest" },
+        { name: "sidecar", image: "sidecar:latest" },
+      ]
+    })
+
+    Middleware::ResourcePreset.new.call(m)
+    containers = m.resources.first.to_h.dig(:spec, :template, :spec, :containers)
+
+    containers.last.dig(:resources, :requests, :cpu).should == "250m"
+  end
+
+  it "skips_non_pod_bearing_resources" do
+    resource = Kube::Cluster["ConfigMap"].new {
+      metadata.name = "config"
+      metadata.labels = { "app.kubernetes.io/size": "small" }
+    }
+    m = manifest(resource)
+
+    Middleware::ResourcePreset.new.call(m)
+
+    m.resources.first.to_h.should == resource.to_h
+  end
+
+  it "skips_resources_without_size_label" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        { name: "web", image: "nginx:latest" },
+      ]
+    })
+
+    Middleware::ResourcePreset.new.call(m)
+    container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
+
+    container[:resources].should.be.nil
+  end
+
+  it "raises_on_unknown_size" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      metadata.labels = { "app.kubernetes.io/size": "potato" }
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        { name: "web", image: "nginx:latest" },
+      ]
+    })
+
+    lambda { Middleware::ResourcePreset.new.call(m) }.should.raise ArgumentError
+  end
+
+  it "applies_to_statefulset" do
+    m = manifest(Kube::Cluster["StatefulSet"].new {
+      metadata.name = "db"
+      metadata.labels = { "app.kubernetes.io/size": "medium" }
+      spec.selector.matchLabels = { app: "db" }
+      spec.template.metadata.labels = { app: "db" }
+      spec.template.spec.containers = [
+        { name: "postgres", image: "postgres:16" },
+      ]
+    })
+
+    Middleware::ResourcePreset.new.call(m)
+    container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
+
+    container.dig(:resources, :requests, :cpu).should == "500m"
+  end
+
+  it "preserves_existing_container_resources_via_deep_merge" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      metadata.labels = { "app.kubernetes.io/size": "small" }
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        {
+          name: "web", image: "nginx:latest",
+          resources: { requests: { cpu: "999m" } },
+        },
+      ]
+    })
+
+    Middleware::ResourcePreset.new.call(m)
+    container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
+
+    # The container's explicit value wins over the preset
+    container.dig(:resources, :requests, :cpu).should == "999m"
+  end
+
+  private
+
+    def manifest(*resources)
+      m = Kube::Cluster::Manifest.new
+      resources.each { |r| m << r }
+      m
+    end
+end

data/lib/kube/cluster/middleware/security_context.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+require "bundler/setup"
+require "kube/cluster"
+
 module Kube
   module Cluster
     class Middleware
@@ -82,3 +85,143 @@ module Kube
     end
   end
 end
+
+test do
+  Middleware = Kube::Cluster::Middleware
+
+  it "applies_restricted_profile_by_default" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        { name: "web", image: "nginx:latest" },
+      ]
+    })
+
+    Middleware::SecurityContext.new.call(m)
+    h = m.resources.first.to_h
+    pod_sc = h.dig(:spec, :template, :spec, :securityContext)
+
+    pod_sc[:runAsNonRoot].should == true
+  end
+
+  it "applies_baseline_profile_via_label" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      metadata.labels = { "app.kubernetes.io/security": "baseline" }
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        { name: "web", image: "nginx:latest" },
+      ]
+    })
+
+    Middleware::SecurityContext.new.call(m)
+    h = m.resources.first.to_h
+    pod_sc = h.dig(:spec, :template, :spec, :securityContext)
+
+    pod_sc[:runAsNonRoot].should == true
+  end
+
+  it "applies_baseline_profile_via_constructor_default" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        { name: "web", image: "nginx:latest" },
+      ]
+    })
+
+    Middleware::SecurityContext.new(default: :baseline).call(m)
+    h = m.resources.first.to_h
+    pod_sc = h.dig(:spec, :template, :spec, :securityContext)
+
+    pod_sc[:seccompProfile].should.be.nil
+  end
+
+  it "label_overrides_constructor_default" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      metadata.labels = { "app.kubernetes.io/security": "restricted" }
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        { name: "web", image: "nginx:latest" },
+      ]
+    })
+
+    Middleware::SecurityContext.new(default: :baseline).call(m)
+    h = m.resources.first.to_h
+    pod_sc = h.dig(:spec, :template, :spec, :securityContext)
+
+    pod_sc[:seccompProfile].should == { type: "RuntimeDefault" }
+  end
+
+  it "applies_to_all_containers" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        { name: "app", image: "app:latest" },
+        { name: "sidecar", image: "sidecar:latest" },
+      ]
+    })
+
+    Middleware::SecurityContext.new.call(m)
+    containers = m.resources.first.to_h.dig(:spec, :template, :spec, :containers)
+
+    containers.last.dig(:securityContext, :allowPrivilegeEscalation).should == false
+  end
+
+  it "skips_non_pod_bearing_resources" do
+    resource = Kube::Cluster["ConfigMap"].new { metadata.name = "config" }
+    m = manifest(resource)
+
+    Middleware::SecurityContext.new.call(m)
+
+    m.resources.first.to_h.should == resource.to_h
+  end
+
+  it "raises_on_unknown_profile" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      metadata.labels = { "app.kubernetes.io/security": "yolo" }
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        { name: "web", image: "nginx:latest" },
+      ]
+    })
+
+    lambda { Middleware::SecurityContext.new.call(m) }.should.raise ArgumentError
+  end
+
+  it "preserves_existing_pod_security_context" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.securityContext = { runAsUser: 9999 }
+      spec.template.spec.containers = [
+        { name: "web", image: "nginx:latest" },
+      ]
+    })
+
+    Middleware::SecurityContext.new.call(m)
+    pod_sc = m.resources.first.to_h.dig(:spec, :template, :spec, :securityContext)
+
+    # Existing value wins
+    pod_sc[:runAsUser].should == 9999
+  end
+
+  private
+
+    def manifest(*resources)
+      m = Kube::Cluster::Manifest.new
+      resources.each { |r| m << r }
+      m
+    end
+end

data/lib/kube/cluster/middleware/service_for_deployment.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+require "bundler/setup"
+require "kube/cluster"
+
 module Kube
   module Cluster
     class Middleware
@@ -69,3 +72,144 @@ module Kube
     end
   end
 end
+
+test do
+  Middleware = Kube::Cluster::Middleware
+
+  it "generates_service_from_deployment" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      metadata.namespace = "production"
+      metadata.labels = { app: "web" }
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        { name: "web", image: "nginx", ports: [{ name: "http", containerPort: 8080, protocol: "TCP" }] },
+      ]
+    })
+
+    Middleware::ServiceForDeployment.new.call(m)
+
+    deploy, service = m.resources
+    sh = service.to_h
+    port = sh.dig(:spec, :ports, 0)
+
+    port[:protocol].should == "TCP"
+  end
+
+  it "maps_multiple_ports" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        {
+          name: "web", image: "nginx",
+          ports: [
+            { name: "http", containerPort: 8080 },
+            { name: "metrics", containerPort: 9090 },
+          ],
+        },
+      ]
+    })
+
+    Middleware::ServiceForDeployment.new.call(m)
+    service = m.resources.last
+    ports = service.to_h.dig(:spec, :ports)
+
+    ports.size.should == 2
+  end
+
+  it "copies_labels_from_source" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      metadata.labels = { "app.kubernetes.io/name": "web", "app.kubernetes.io/size": "small" }
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        { name: "web", image: "nginx", ports: [{ name: "http", containerPort: 8080 }] },
+      ]
+    })
+
+    Middleware::ServiceForDeployment.new.call(m)
+    service_labels = m.resources.last.to_h.dig(:metadata, :labels)
+
+    service_labels[:"app.kubernetes.io/size"].should == "small"
+  end
+
+  it "skips_deployment_without_named_ports" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        { name: "web", image: "nginx", ports: [{ containerPort: 8080 }] },
+      ]
+    })
+
+    Middleware::ServiceForDeployment.new.call(m)
+
+    m.resources.size.should == 1
+  end
+
+  it "skips_deployment_without_ports" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "worker"
+      spec.selector.matchLabels = { app: "worker" }
+      spec.template.metadata.labels = { app: "worker" }
+      spec.template.spec.containers = [
+        { name: "worker", image: "worker:latest" },
+      ]
+    })
+
+    Middleware::ServiceForDeployment.new.call(m)
+
+    m.resources.size.should == 1
+  end
+
+  it "skips_non_pod_bearing_resources" do
+    m = manifest(Kube::Cluster["ConfigMap"].new { metadata.name = "config" })
+
+    Middleware::ServiceForDeployment.new.call(m)
+
+    m.resources.size.should == 1
+  end
+
+  it "skips_deployment_without_match_labels" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        { name: "web", image: "nginx", ports: [{ name: "http", containerPort: 8080 }] },
+      ]
+    })
+
+    Middleware::ServiceForDeployment.new.call(m)
+
+    m.resources.size.should == 1
+  end
+
+  it "works_with_statefulset" do
+    m = manifest(Kube::Cluster["StatefulSet"].new {
+      metadata.name = "db"
+      metadata.namespace = "database"
+      spec.selector.matchLabels = { app: "db" }
+      spec.template.metadata.labels = { app: "db" }
+      spec.template.spec.containers = [
+        { name: "postgres", image: "postgres:16", ports: [{ name: "tcp-pg", containerPort: 5432 }] },
+      ]
+    })
+
+    Middleware::ServiceForDeployment.new.call(m)
+
+    m.resources.last.to_h.dig(:metadata, :namespace).should == "database"
+  end
+
+  private
+
+    def manifest(*resources)
+      m = Kube::Cluster::Manifest.new
+      resources.each { |r| m << r }
+      m
+    end
+end