@intentius/chant-lexicon-k8s 0.0.14 → 0.0.15

package/src/lint/post-synth/post-synth.test.ts

@@ -22,6 +22,9 @@ import { wk8209 } from "./wk8209";
 import { wk8301 } from "./wk8301";
 import { wk8302 } from "./wk8302";
 import { wk8303 } from "./wk8303";
+import { wk8304 } from "./wk8304";
+import { wk8305 } from "./wk8305";
+import { wk8306 } from "./wk8306";
 
 function makeCtx(yaml: string): PostSynthContext {
   return {
@@ -592,7 +595,7 @@ describe("WK8204: runAsNonRoot", () => {
     expect(diags[0].checkId).toBe("WK8204");
   });
 
-  test("passes with runAsNonRoot: true", () => {
+  test("warns when runAsNonRoot: true but no runAsUser", () => {
     const ctx = makeCtx(JSON.stringify({
       apiVersion: "apps/v1",
       kind: "Deployment",
@@ -608,6 +611,68 @@ describe("WK8204: runAsNonRoot", () => {
       },
     }));
     const diags = wk8204.check(ctx);
+    expect(diags.length).toBe(1);
+    expect(diags[0].checkId).toBe("WK8204");
+    expect(diags[0].message).toContain("no explicit runAsUser");
+  });
+
+  test("warns when runAsNonRoot: true with runAsUser: 0 (contradictory)", () => {
+    const ctx = makeCtx(JSON.stringify({
+      apiVersion: "apps/v1",
+      kind: "Deployment",
+      metadata: { name: "app" },
+      spec: {
+        template: {
+          spec: {
+            containers: [
+              { name: "app", image: "app:1.0", securityContext: { runAsNonRoot: true, runAsUser: 0 } },
+            ],
+          },
+        },
+      },
+    }));
+    const diags = wk8204.check(ctx);
+    expect(diags.length).toBe(1);
+    expect(diags[0].checkId).toBe("WK8204");
+    expect(diags[0].message).toContain("contradictory");
+  });
+
+  test("passes with runAsNonRoot: true and runAsUser: 65534", () => {
+    const ctx = makeCtx(JSON.stringify({
+      apiVersion: "apps/v1",
+      kind: "Deployment",
+      metadata: { name: "app" },
+      spec: {
+        template: {
+          spec: {
+            containers: [
+              { name: "app", image: "app:1.0", securityContext: { runAsNonRoot: true, runAsUser: 65534 } },
+            ],
+          },
+        },
+      },
+    }));
+    const diags = wk8204.check(ctx);
+    expect(diags.length).toBe(0);
+  });
+
+  test("pod-level runAsUser satisfies container-level runAsNonRoot", () => {
+    const ctx = makeCtx(JSON.stringify({
+      apiVersion: "apps/v1",
+      kind: "Deployment",
+      metadata: { name: "app" },
+      spec: {
+        template: {
+          spec: {
+            securityContext: { runAsUser: 1000 },
+            containers: [
+              { name: "app", image: "app:1.0", securityContext: { runAsNonRoot: true } },
+            ],
+          },
+        },
+      },
+    }));
+    const diags = wk8204.check(ctx);
     expect(diags.length).toBe(0);
   });
 });
@@ -967,3 +1032,299 @@ spec:
     expect(diags.length).toBe(0);
   });
 });
+
+// ── WK8304: SSL redirect without certificate ────────────────────────
+
+describe("WK8304: SSL redirect without certificate", () => {
+  test("flags ssl-redirect without certificate-arn", () => {
+    const ctx = makeCtx(JSON.stringify({
+      apiVersion: "networking.k8s.io/v1",
+      kind: "Ingress",
+      metadata: {
+        name: "app-ingress",
+        annotations: {
+          "alb.ingress.kubernetes.io/ssl-redirect": "443",
+          "alb.ingress.kubernetes.io/scheme": "internet-facing",
+        },
+      },
+      spec: { rules: [] },
+    }));
+    const diags = wk8304.check(ctx);
+    expect(diags.length).toBe(1);
+    expect(diags[0].checkId).toBe("WK8304");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("flags ssl-redirect with valid cert but no HTTPS in listen-ports", () => {
+    const ctx = makeCtx(JSON.stringify({
+      apiVersion: "networking.k8s.io/v1",
+      kind: "Ingress",
+      metadata: {
+        name: "app-ingress",
+        annotations: {
+          "alb.ingress.kubernetes.io/ssl-redirect": "443",
+          "alb.ingress.kubernetes.io/certificate-arn": "arn:aws:acm:us-east-1:123:certificate/abc",
+          "alb.ingress.kubernetes.io/listen-ports": '[{"HTTP":80}]',
+        },
+      },
+      spec: { rules: [] },
+    }));
+    const diags = wk8304.check(ctx);
+    expect(diags.length).toBe(1);
+    expect(diags[0].checkId).toBe("WK8304");
+  });
+
+  test("passes with valid cert and HTTPS listen-ports", () => {
+    const ctx = makeCtx(JSON.stringify({
+      apiVersion: "networking.k8s.io/v1",
+      kind: "Ingress",
+      metadata: {
+        name: "app-ingress",
+        annotations: {
+          "alb.ingress.kubernetes.io/ssl-redirect": "443",
+          "alb.ingress.kubernetes.io/certificate-arn": "arn:aws:acm:us-east-1:123:certificate/abc",
+          "alb.ingress.kubernetes.io/listen-ports": '[{"HTTPS":443}]',
+        },
+      },
+      spec: { rules: [] },
+    }));
+    const diags = wk8304.check(ctx);
+    expect(diags.length).toBe(0);
+  });
+
+  test("passes with no ssl-redirect annotation", () => {
+    const ctx = makeCtx(JSON.stringify({
+      apiVersion: "networking.k8s.io/v1",
+      kind: "Ingress",
+      metadata: {
+        name: "app-ingress",
+        annotations: {
+          "alb.ingress.kubernetes.io/scheme": "internet-facing",
+        },
+      },
+      spec: { rules: [] },
+    }));
+    const diags = wk8304.check(ctx);
+    expect(diags.length).toBe(0);
+  });
+});
+
+// ── WK8305: Ingress port not matching Service ───────────────────────
+
+describe("WK8305: Ingress port not matching Service", () => {
+  test("flags Ingress backend port not on Service", () => {
+    const svc = JSON.stringify({
+      apiVersion: "v1",
+      kind: "Service",
+      metadata: { name: "api", namespace: "default" },
+      spec: { ports: [{ port: 80, targetPort: 8080 }] },
+    });
+    const ingress = JSON.stringify({
+      apiVersion: "networking.k8s.io/v1",
+      kind: "Ingress",
+      metadata: { name: "api-ingress", namespace: "default" },
+      spec: {
+        rules: [{
+          host: "api.example.com",
+          http: {
+            paths: [{
+              path: "/",
+              backend: { service: { name: "api", port: { number: 8080 } } },
+            }],
+          },
+        }],
+      },
+    });
+    const ctx = makeCtx(`${svc}\n---\n${ingress}`);
+    const diags = wk8305.check(ctx);
+    expect(diags.length).toBe(1);
+    expect(diags[0].checkId).toBe("WK8305");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("passes when port matches Service", () => {
+    const svc = JSON.stringify({
+      apiVersion: "v1",
+      kind: "Service",
+      metadata: { name: "api", namespace: "default" },
+      spec: { ports: [{ port: 80, targetPort: 8080 }] },
+    });
+    const ingress = JSON.stringify({
+      apiVersion: "networking.k8s.io/v1",
+      kind: "Ingress",
+      metadata: { name: "api-ingress", namespace: "default" },
+      spec: {
+        rules: [{
+          host: "api.example.com",
+          http: {
+            paths: [{
+              path: "/",
+              backend: { service: { name: "api", port: { number: 80 } } },
+            }],
+          },
+        }],
+      },
+    });
+    const ctx = makeCtx(`${svc}\n---\n${ingress}`);
+    const diags = wk8305.check(ctx);
+    expect(diags.length).toBe(0);
+  });
+
+  test("skips when Service not in manifest set", () => {
+    const ctx = makeCtx(JSON.stringify({
+      apiVersion: "networking.k8s.io/v1",
+      kind: "Ingress",
+      metadata: { name: "api-ingress", namespace: "default" },
+      spec: {
+        rules: [{
+          host: "api.example.com",
+          http: {
+            paths: [{
+              path: "/",
+              backend: { service: { name: "external-svc", port: { number: 443 } } },
+            }],
+          },
+        }],
+      },
+    }));
+    const diags = wk8305.check(ctx);
+    expect(diags.length).toBe(0);
+  });
+
+  test("passes with multiple Services, correct match", () => {
+    const svc1 = JSON.stringify({
+      apiVersion: "v1",
+      kind: "Service",
+      metadata: { name: "api", namespace: "prod" },
+      spec: { ports: [{ port: 80 }, { port: 443 }] },
+    });
+    const svc2 = JSON.stringify({
+      apiVersion: "v1",
+      kind: "Service",
+      metadata: { name: "web", namespace: "prod" },
+      spec: { ports: [{ port: 3000 }] },
+    });
+    const ingress = JSON.stringify({
+      apiVersion: "networking.k8s.io/v1",
+      kind: "Ingress",
+      metadata: { name: "main-ingress", namespace: "prod" },
+      spec: {
+        rules: [{
+          host: "app.example.com",
+          http: {
+            paths: [
+              { path: "/api", backend: { service: { name: "api", port: { number: 443 } } } },
+              { path: "/", backend: { service: { name: "web", port: { number: 3000 } } } },
+            ],
+          },
+        }],
+      },
+    });
+    const ctx = makeCtx(`${svc1}\n---\n${svc2}\n---\n${ingress}`);
+    const diags = wk8305.check(ctx);
+    expect(diags.length).toBe(0);
+  });
+});
+
+// ── WK8306: Container command starts with flag ───────────────────
+
+describe("WK8306: Container command starts with flag", () => {
+  test("flags command[0] starting with --", () => {
+    const ctx = makeCtx(JSON.stringify({
+      apiVersion: "apps/v1",
+      kind: "Deployment",
+      metadata: { name: "adot" },
+      spec: {
+        template: {
+          spec: {
+            containers: [
+              { name: "collector", image: "otel:1.0", command: ["--config=/etc/adot/config.yaml"] },
+            ],
+          },
+        },
+      },
+    }));
+    const diags = wk8306.check(ctx);
+    expect(diags.length).toBe(1);
+    expect(diags[0].checkId).toBe("WK8306");
+    expect(diags[0].severity).toBe("error");
+    expect(diags[0].message).toContain("--config");
+  });
+
+  test("flags command[0] starting with -", () => {
+    const ctx = makeCtx(JSON.stringify({
+      apiVersion: "apps/v1",
+      kind: "Deployment",
+      metadata: { name: "app" },
+      spec: {
+        template: {
+          spec: {
+            containers: [
+              { name: "app", image: "app:1.0", command: ["-c", "echo hello"] },
+            ],
+          },
+        },
+      },
+    }));
+    const diags = wk8306.check(ctx);
+    expect(diags.length).toBe(1);
+    expect(diags[0].severity).toBe("error");
+  });
+
+  test("passes when command[0] is a binary path", () => {
+    const ctx = makeCtx(JSON.stringify({
+      apiVersion: "apps/v1",
+      kind: "Deployment",
+      metadata: { name: "app" },
+      spec: {
+        template: {
+          spec: {
+            containers: [
+              { name: "app", image: "app:1.0", command: ["/usr/bin/app", "--flag"] },
+            ],
+          },
+        },
+      },
+    }));
+    const diags = wk8306.check(ctx);
+    expect(diags.length).toBe(0);
+  });
+
+  test("passes when flags are in args (correct usage)", () => {
+    const ctx = makeCtx(JSON.stringify({
+      apiVersion: "apps/v1",
+      kind: "Deployment",
+      metadata: { name: "app" },
+      spec: {
+        template: {
+          spec: {
+            containers: [
+              { name: "app", image: "app:1.0", args: ["--config=foo"] },
+            ],
+          },
+        },
+      },
+    }));
+    const diags = wk8306.check(ctx);
+    expect(diags.length).toBe(0);
+  });
+
+  test("passes when no command field", () => {
+    const ctx = makeCtx(JSON.stringify({
+      apiVersion: "apps/v1",
+      kind: "Deployment",
+      metadata: { name: "app" },
+      spec: {
+        template: {
+          spec: {
+            containers: [
+              { name: "app", image: "app:1.0" },
+            ],
+          },
+        },
+      },
+    }));
+    const diags = wk8306.check(ctx);
+    expect(diags.length).toBe(0);
+  });
+});

package/src/lint/post-synth/wk8204.ts

@@ -4,6 +4,10 @@
  * Containers should set securityContext.runAsNonRoot to true at either
  * the container level or pod level. Running as root inside a container
  * increases the blast radius of a container breakout.
+ *
+ * Additionally warns when runAsNonRoot: true is set but no explicit
+ * runAsUser is provided — without a numeric UID, K8s relies on the
+ * image's USER directive, which may be root (UID 0).
  */
 
 import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
@@ -30,13 +34,17 @@ export const wk8204: PostSynthCheck = {
         // Check pod-level securityContext
         const podSecCtx = podSpec.securityContext as Record<string, unknown> | undefined;
         const podRunAsNonRoot = podSecCtx?.runAsNonRoot === true;
+        const podRunAsUser = podSecCtx?.runAsUser;
 
         const containers = extractContainers(manifest);
         for (const container of containers) {
           const secCtx = container.securityContext;
           const containerRunAsNonRoot = secCtx?.runAsNonRoot === true;
+          const containerRunAsUser = secCtx?.runAsUser;
+
+          const hasRunAsNonRoot = podRunAsNonRoot || containerRunAsNonRoot;
 
-          if (!podRunAsNonRoot && !containerRunAsNonRoot) {
+          if (!hasRunAsNonRoot) {
             diagnostics.push({
               checkId: "WK8204",
               severity: "warning",
@@ -44,6 +52,30 @@ export const wk8204: PostSynthCheck = {
               entity: resourceName,
               lexicon: "k8s",
             });
+            continue;
+          }
+
+          // runAsNonRoot is true — check for explicit runAsUser
+          const effectiveRunAsUser = containerRunAsUser ?? podRunAsUser;
+
+          if (effectiveRunAsUser === 0) {
+            // Contradictory: runAsNonRoot: true + runAsUser: 0
+            diagnostics.push({
+              checkId: "WK8204",
+              severity: "warning",
+              message: `Container "${container.name ?? "(unnamed)"}" in ${manifest.kind} "${resourceName}" has runAsNonRoot: true but runAsUser: 0 — these settings are contradictory and the container will fail to start`,
+              entity: resourceName,
+              lexicon: "k8s",
+            });
+          } else if (effectiveRunAsUser === undefined || effectiveRunAsUser === null) {
+            // runAsNonRoot: true but no explicit UID
+            diagnostics.push({
+              checkId: "WK8204",
+              severity: "warning",
+              message: `Container "${container.name ?? "(unnamed)"}" in ${manifest.kind} "${resourceName}" has runAsNonRoot: true but no explicit runAsUser — set a numeric UID to ensure the container doesn't run as root`,
+              entity: resourceName,
+              lexicon: "k8s",
+            });
           }
         }
       }

package/src/lint/post-synth/wk8304.ts

@@ -0,0 +1,70 @@
+/**
+ * WK8304: SSL Redirect Without Certificate
+ *
+ * Flags Ingress resources that have `alb.ingress.kubernetes.io/ssl-redirect`
+ * annotation set but are missing `alb.ingress.kubernetes.io/certificate-arn`
+ * or don't have HTTPS in their listen-ports.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput, parseK8sManifests } from "./k8s-helpers";
+
+export const wk8304: PostSynthCheck = {
+  id: "WK8304",
+  description: "SSL redirect without certificate — ssl-redirect annotation requires a valid certificate-arn and HTTPS listen-ports",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const yaml = getPrimaryOutput(output);
+      const manifests = parseK8sManifests(yaml);
+
+      for (const manifest of manifests) {
+        if (manifest.kind !== "Ingress") continue;
+
+        const annotations = manifest.metadata?.annotations as Record<string, string> | undefined;
+        if (!annotations) continue;
+
+        const sslRedirect = annotations["alb.ingress.kubernetes.io/ssl-redirect"];
+        if (!sslRedirect) continue;
+
+        const resourceName = manifest.metadata?.name ?? "Ingress";
+        const certArn = annotations["alb.ingress.kubernetes.io/certificate-arn"];
+
+        if (!certArn) {
+          diagnostics.push({
+            checkId: "WK8304",
+            severity: "warning",
+            message: `Ingress "${resourceName}" has ssl-redirect annotation but no certificate-arn — HTTPS redirect will fail without a TLS certificate`,
+            entity: resourceName,
+            lexicon: "k8s",
+          });
+          continue;
+        }
+
+        // Check listen-ports includes HTTPS
+        const listenPorts = annotations["alb.ingress.kubernetes.io/listen-ports"];
+        if (listenPorts) {
+          try {
+            const ports = JSON.parse(listenPorts) as Array<Record<string, number>>;
+            const hasHttps = ports.some((p) => "HTTPS" in p);
+            if (!hasHttps) {
+              diagnostics.push({
+                checkId: "WK8304",
+                severity: "warning",
+                message: `Ingress "${resourceName}" has ssl-redirect but listen-ports does not include HTTPS`,
+                entity: resourceName,
+                lexicon: "k8s",
+              });
+            }
+          } catch {
+            // Can't parse listen-ports — skip this check
+          }
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wk8305.ts

@@ -0,0 +1,115 @@
+/**
+ * WK8305: Ingress Port Not Matching Service
+ *
+ * Flags Ingress backends whose `service.port.number` does not match
+ * any declared port on the referenced Service in the manifest set.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput, parseK8sManifests } from "./k8s-helpers";
+import type { K8sManifest } from "./k8s-helpers";
+
+export const wk8305: PostSynthCheck = {
+  id: "WK8305",
+  description: "Ingress port not matching Service — backend port must match a declared Service port",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const yaml = getPrimaryOutput(output);
+      const manifests = parseK8sManifests(yaml);
+
+      // Build a map of Service name+namespace → set of port numbers
+      const servicePorts = collectServicePorts(manifests);
+
+      for (const manifest of manifests) {
+        if (manifest.kind !== "Ingress") continue;
+
+        const ingressName = manifest.metadata?.name ?? "Ingress";
+        const ingressNamespace = manifest.metadata?.namespace ?? "default";
+        const spec = manifest.spec;
+        if (!spec) continue;
+
+        const rules = spec.rules as Array<Record<string, unknown>> | undefined;
+        if (!rules) continue;
+
+        for (const rule of rules) {
+          const http = rule.http as Record<string, unknown> | undefined;
+          if (!http) continue;
+
+          const paths = http.paths as Array<Record<string, unknown>> | undefined;
+          if (!paths) continue;
+
+          for (const pathEntry of paths) {
+            const backend = pathEntry.backend as Record<string, unknown> | undefined;
+            if (!backend) continue;
+
+            const service = backend.service as Record<string, unknown> | undefined;
+            if (!service) continue;
+
+            const svcName = service.name as string | undefined;
+            const port = service.port as Record<string, unknown> | undefined;
+            const portNumber = port?.number as number | undefined;
+
+            if (!svcName || portNumber === undefined) continue;
+
+            // Look up the Service in the manifest set
+            const key = `${ingressNamespace}/${svcName}`;
+            const knownPorts = servicePorts.get(key);
+
+            // Skip if the Service is not in the manifest set (external service)
+            if (!knownPorts) continue;
+
+            if (!knownPorts.has(portNumber)) {
+              diagnostics.push({
+                checkId: "WK8305",
+                severity: "warning",
+                message: `Ingress "${ingressName}" references Service "${svcName}" port ${portNumber}, but the Service only declares ports [${[...knownPorts].join(", ")}]`,
+                entity: ingressName,
+                lexicon: "k8s",
+              });
+            }
+          }
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};
+
+/**
+ * Collect port numbers from all Service manifests, keyed by namespace/name.
+ */
+function collectServicePorts(manifests: K8sManifest[]): Map<string, Set<number>> {
+  const result = new Map<string, Set<number>>();
+
+  for (const manifest of manifests) {
+    if (manifest.kind !== "Service") continue;
+
+    const name = manifest.metadata?.name;
+    const namespace = manifest.metadata?.namespace ?? "default";
+    if (!name) continue;
+
+    const key = `${namespace}/${name}`;
+    const ports = new Set<number>();
+
+    const spec = manifest.spec;
+    if (spec) {
+      const specPorts = spec.ports as Array<Record<string, unknown>> | undefined;
+      if (specPorts) {
+        for (const p of specPorts) {
+          const port = p.port as number | undefined;
+          if (port !== undefined) {
+            ports.add(port);
+          }
+        }
+      }
+    }
+
+    result.set(key, ports);
+  }
+
+  return result;
+}

package/src/lint/post-synth/wk8306.ts

@@ -0,0 +1,50 @@
+/**
+ * WK8306: Container Command Starts With Flag
+ *
+ * If `command[0]` starts with `-` or `--`, it's almost certainly a mistake —
+ * the first element should be the binary/entrypoint, flags belong in `args`.
+ * This causes OCI runtime errors because the container runtime tries to
+ * execute the flag as a binary.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput, parseK8sManifests, extractContainers, WORKLOAD_KINDS } from "./k8s-helpers";
+
+export const wk8306: PostSynthCheck = {
+  id: "WK8306",
+  description: "Container command starts with flag — first element should be a binary, not a flag",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const yaml = getPrimaryOutput(output);
+      const manifests = parseK8sManifests(yaml);
+
+      for (const manifest of manifests) {
+        if (!manifest.kind || !WORKLOAD_KINDS.has(manifest.kind)) continue;
+
+        const resourceName = manifest.metadata?.name ?? manifest.kind;
+        const containers = extractContainers(manifest);
+
+        for (const container of containers) {
+          const command = (container as Record<string, unknown>).command as unknown[] | undefined;
+          if (!Array.isArray(command) || command.length === 0) continue;
+
+          const firstArg = String(command[0]);
+          if (firstArg.startsWith("-")) {
+            diagnostics.push({
+              checkId: "WK8306",
+              severity: "error",
+              message: `Container "${container.name ?? "(unnamed)"}" in ${manifest.kind} "${resourceName}" has command[0]="${firstArg}" which starts with a flag — the first element should be the binary, flags belong in args`,
+              entity: resourceName,
+              lexicon: "k8s",
+            });
+          }
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/plugin.test.ts

@@ -30,10 +30,10 @@ describe("k8sPlugin", () => {
     expect(rules.some((r) => r.id === "WK8001")).toBe(true);
   });
 
-  test("postSynthChecks() returns array of 20 checks", () => {
+  test("postSynthChecks() returns array of 22 checks", () => {
     const checks = k8sPlugin.postSynthChecks!();
     expect(Array.isArray(checks)).toBe(true);
-    expect(checks.length).toBe(20);
+    expect(checks.length).toBe(23);
   });
 
   test("intrinsics() returns empty array", () => {