npm - @intentius/chant-lexicon-k8s - Versions diffs - 0.0.14 → 0.0.16 - Mend

@intentius/chant-lexicon-k8s 0.0.14 → 0.0.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (63) hide show

package/dist/integrity.json +8 -4
package/dist/manifest.json +1 -1
package/dist/rules/latest-image-tag.ts +121 -0
package/dist/rules/missing-resource-limits.ts +111 -0
package/dist/rules/wk8204.ts +33 -1
package/dist/rules/wk8304.ts +70 -0
package/dist/rules/wk8305.ts +115 -0
package/dist/rules/wk8306.ts +50 -0
package/package.json +27 -24
package/src/codegen/docs.ts +1 -1
package/src/composites/adot-collector.ts +8 -2
package/src/composites/agic-ingress.ts +148 -0
package/src/composites/aks-external-dns-agent.ts +199 -0
package/src/composites/alb-ingress.ts +2 -1
package/src/composites/autoscaled-service.ts +25 -7
package/src/composites/azure-disk-storage-class.ts +82 -0
package/src/composites/azure-file-storage-class.ts +77 -0
package/src/composites/azure-monitor-collector.ts +232 -0
package/src/composites/batch-job.ts +36 -3
package/src/composites/composites.test.ts +1060 -0
package/src/composites/config-connector-context.ts +62 -0
package/src/composites/configured-app.ts +6 -0
package/src/composites/cron-workload.ts +6 -0
package/src/composites/ebs-storage-class.ts +4 -4
package/src/composites/external-dns-agent.ts +6 -0
package/src/composites/filestore-storage-class.ts +79 -0
package/src/composites/fluent-bit-agent.ts +5 -0
package/src/composites/gce-ingress.ts +143 -0
package/src/composites/gce-pd-storage-class.ts +85 -0
package/src/composites/gke-external-dns-agent.ts +175 -0
package/src/composites/gke-fluent-bit-agent.ts +219 -0
package/src/composites/gke-gateway.ts +143 -0
package/src/composites/gke-otel-collector.ts +229 -0
package/src/composites/index.ts +31 -0
package/src/composites/metrics-server.ts +1 -1
package/src/composites/monitored-service.ts +6 -0
package/src/composites/network-isolated-app.ts +6 -0
package/src/composites/node-agent.ts +6 -0
package/src/composites/security-context.ts +10 -0
package/src/composites/sidecar-app.ts +6 -0
package/src/composites/stateful-app.ts +4 -7
package/src/composites/web-app.ts +4 -7
package/src/composites/worker-pool.ts +4 -7
package/src/composites/workload-identity-sa.ts +118 -0
package/src/composites/workload-identity-service-account.ts +116 -0
package/src/index.ts +20 -1
package/src/lint/post-synth/post-synth.test.ts +362 -1
package/src/lint/post-synth/wk8204.ts +33 -1
package/src/lint/post-synth/wk8304.ts +70 -0
package/src/lint/post-synth/wk8305.ts +115 -0
package/src/lint/post-synth/wk8306.ts +50 -0
package/src/lint/rules/latest-image-tag.ts +121 -0
package/src/lint/rules/missing-resource-limits.ts +111 -0
package/src/lint/rules/rules.test.ts +192 -0
package/src/plugin.test.ts +2 -2
package/src/plugin.ts +129 -209
package/src/serializer.test.ts +120 -0
package/src/serializer.ts +16 -4
package/src/skills/chant-k8s-aks.md +146 -0
package/src/skills/chant-k8s-gke.md +191 -0
package/src/skills/kubernetes-patterns.md +183 -0
package/src/skills/kubernetes-security.md +237 -0
/package/{dist → src}/skills/chant-k8s-eks.md +0 -0

package/src/composites/azure-monitor-collector.ts ADDED Viewed

@@ -0,0 +1,232 @@
+/**
+ * AzureMonitorCollector composite — DaemonSet + RBAC + ConfigMap for Azure Monitor / OTel collector.
+ *
+ * @aks Azure Monitor agent with OpenTelemetry collector config for
+ * Log Analytics workspace integration on AKS clusters.
+ */
+export interface AzureMonitorCollectorProps {
+  /** Azure Log Analytics workspace ID. */
+  workspaceId: string;
+  /** AKS cluster name. */
+  clusterName: string;
+  /** Agent name (default: "azure-monitor-collector"). */
+  name?: string;
+  /** Collector image (default: "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.35"). */
+  image?: string;
+  /** Namespace (default: "azure-monitor"). */
+  namespace?: string;
+  /** Additional labels. */
+  labels?: Record<string, string>;
+  /** CPU request (default: "100m"). */
+  cpuRequest?: string;
+  /** Memory request (default: "256Mi"). */
+  memoryRequest?: string;
+  /** CPU limit (default: "500m"). */
+  cpuLimit?: string;
+  /** Memory limit (default: "512Mi"). */
+  memoryLimit?: string;
+  /** Azure AD client ID for Workload Identity (adds azure.workload.identity annotations to ServiceAccount). */
+  clientId?: string;
+}
+export interface AzureMonitorCollectorResult {
+  daemonSet: Record<string, unknown>;
+  serviceAccount: Record<string, unknown>;
+  clusterRole: Record<string, unknown>;
+  clusterRoleBinding: Record<string, unknown>;
+  configMap: Record<string, unknown>;
+}
+/**
+ * Create an AzureMonitorCollector composite — returns prop objects for
+ * a DaemonSet, ServiceAccount, ClusterRole, ClusterRoleBinding, and ConfigMap.
+ *
+ * @aks
+ * @example
+ * ```ts
+ * import { AzureMonitorCollector } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { daemonSet, serviceAccount, clusterRole, clusterRoleBinding, configMap } = AzureMonitorCollector({
+ *   workspaceId: "00000000-0000-0000-0000-000000000000",
+ *   clusterName: "my-aks-cluster",
+ * });
+ * ```
+ */
+export function AzureMonitorCollector(props: AzureMonitorCollectorProps): AzureMonitorCollectorResult {
+  const {
+    workspaceId,
+    clusterName,
+    name = "azure-monitor-collector",
+    image = "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.35",
+    namespace = "azure-monitor",
+    labels: extraLabels = {},
+    cpuRequest = "100m",
+    memoryRequest = "256Mi",
+    cpuLimit = "500m",
+    memoryLimit = "512Mi",
+    clientId,
+  } = props;
+  const saName = `${name}-sa`;
+  const clusterRoleName = `${name}-role`;
+  const bindingName = `${name}-binding`;
+  const configMapName = `${name}-config`;
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+  // Build OTel collector config YAML for Azure Monitor
+  const collectorConfig = `receivers:
+  otlp:
+    protocols:
+      grpc:
+        endpoint: 0.0.0.0:4317
+      http:
+        endpoint: 0.0.0.0:4318
+processors:
+  batch:
+    timeout: 30s
+    send_batch_size: 8192
+exporters:
+  azuremonitor:
+    connection_string: InstrumentationKey=\${APPINSIGHTS_INSTRUMENTATIONKEY}
+    endpoint: https://dc.services.visualstudio.com/v2/track
+  azuremonitor/logs:
+    workspace_id: ${workspaceId}
+    cluster_name: ${clusterName}
+service:
+  pipelines:
+    metrics:
+      receivers: [otlp]
+      processors: [batch]
+      exporters: [azuremonitor]
+    traces:
+      receivers: [otlp]
+      processors: [batch]
+      exporters: [azuremonitor]
+    logs:
+      receivers: [otlp]
+      processors: [batch]
+      exporters: [azuremonitor/logs]
+`;
+  const container: Record<string, unknown> = {
+    name,
+    image,
+    ports: [
+      { containerPort: 4317, name: "otlp-grpc" },
+      { containerPort: 4318, name: "otlp-http" },
+    ],
+    env: [
+      { name: "AKS_CLUSTER_NAME", value: clusterName },
+      { name: "WORKSPACE_ID", value: workspaceId },
+    ],
+    resources: {
+      requests: { cpu: cpuRequest, memory: memoryRequest },
+      limits: { cpu: cpuLimit, memory: memoryLimit },
+    },
+    volumeMounts: [
+      { name: "config", mountPath: "/etc/otel", readOnly: true },
+    ],
+  };
+  const daemonSetProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      namespace,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "agent" },
+    },
+    spec: {
+      selector: { matchLabels: { "app.kubernetes.io/name": name } },
+      template: {
+        metadata: { labels: { "app.kubernetes.io/name": name, ...extraLabels } },
+        spec: {
+          serviceAccountName: saName,
+          containers: [container],
+          volumes: [
+            { name: "config", configMap: { name: configMapName } },
+          ],
+          tolerations: [{ operator: "Exists" }],
+        },
+      },
+    },
+  };
+  const saLabels: Record<string, string> = {
+    ...commonLabels,
+    "app.kubernetes.io/component": "agent",
+  };
+  if (clientId) {
+    saLabels["azure.workload.identity/use"] = "true";
+  }
+  const serviceAccountProps: Record<string, unknown> = {
+    metadata: {
+      name: saName,
+      namespace,
+      labels: saLabels,
+      ...(clientId ? { annotations: { "azure.workload.identity/client-id": clientId } } : {}),
+    },
+  };
+  const clusterRoleProps: Record<string, unknown> = {
+    metadata: {
+      name: clusterRoleName,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+    },
+    rules: [
+      { apiGroups: [""], resources: ["pods", "nodes", "endpoints"], verbs: ["get", "list", "watch"] },
+      { apiGroups: ["apps"], resources: ["replicasets"], verbs: ["get", "list", "watch"] },
+      { apiGroups: ["batch"], resources: ["jobs"], verbs: ["get", "list", "watch"] },
+      { apiGroups: [""], resources: ["nodes/proxy"], verbs: ["get"] },
+      { apiGroups: [""], resources: ["nodes/stats", "configmaps", "events"], verbs: ["create", "get"] },
+      { apiGroups: [""], resources: ["configmaps"], verbs: ["get", "update", "create"], resourceNames: ["otel-container-insight-clusterleader"] },
+    ],
+  };
+  const clusterRoleBindingProps: Record<string, unknown> = {
+    metadata: {
+      name: bindingName,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+    },
+    roleRef: {
+      apiGroup: "rbac.authorization.k8s.io",
+      kind: "ClusterRole",
+      name: clusterRoleName,
+    },
+    subjects: [
+      {
+        kind: "ServiceAccount",
+        name: saName,
+        namespace,
+      },
+    ],
+  };
+  const configMapProps: Record<string, unknown> = {
+    metadata: {
+      name: configMapName,
+      namespace,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "config" },
+    },
+    data: {
+      "config.yaml": collectorConfig,
+    },
+  };
+  return {
+    daemonSet: daemonSetProps,
+    serviceAccount: serviceAccountProps,
+    clusterRole: clusterRoleProps,
+    clusterRoleBinding: clusterRoleBindingProps,
+    configMap: configMapProps,
+  };
+}

package/src/composites/batch-job.ts CHANGED Viewed

@@ -5,6 +5,28 @@
  * seed tasks, backups). For scheduled workloads, use CronWorkload instead.
  */
+import type { ContainerSecurityContext } from "./security-context";
+/** Parse a K8s memory string (e.g. "256Mi", "1Gi") to bytes for comparison. */
+function parseMemoryBytes(mem: string): number {
+  const match = mem.match(/^(\d+(?:\.\d+)?)\s*(Ki|Mi|Gi|Ti|k|M|G|T|[eE]\d+)?$/);
+  if (!match) return 0;
+  const value = parseFloat(match[1]);
+  const unit = match[2] ?? "";
+  const multipliers: Record<string, number> = {
+    "": 1, Ki: 1024, Mi: 1024 ** 2, Gi: 1024 ** 3, Ti: 1024 ** 4,
+    k: 1e3, M: 1e6, G: 1e9, T: 1e12,
+  };
+  if (unit.startsWith("e") || unit.startsWith("E")) return value * 10 ** parseInt(unit.slice(1));
+  return value * (multipliers[unit] ?? 1);
+}
+/** Parse a K8s CPU string (e.g. "500m", "1") to millicores for comparison. */
+function parseCpuMillis(cpu: string): number {
+  if (cpu.endsWith("m")) return parseFloat(cpu.slice(0, -1));
+  return parseFloat(cpu) * 1000;
+}
 export interface BatchJobProps {
   /** Job name — used in metadata and labels. */
   name: string;
@@ -44,6 +66,8 @@ export interface BatchJobProps {
   memoryLimit?: string;
   /** Environment variables for the container. */
   env?: Array<{ name: string; value: string }>;
+  /** Container security context (supports PSS restricted fields). */
+  securityContext?: ContainerSecurityContext;
 }
 export interface BatchJobResult {
@@ -85,12 +109,20 @@ export function BatchJob(props: BatchJobProps): BatchJobResult {
     labels: extraLabels = {},
     namespace,
     cpuRequest = "100m",
-    memoryRequest = "128Mi",
-    cpuLimit = "500m",
-    memoryLimit = "256Mi",
+    memoryRequest: rawMemoryRequest = "128Mi",
+    cpuLimit: rawCpuLimit = "500m",
+    memoryLimit: rawMemoryLimit = "256Mi",
     env,
+    securityContext,
   } = props;
+  // Ensure limits >= requests (K8s rejects pods where request > limit).
+  const memoryRequest = rawMemoryRequest;
+  const memoryLimit = parseMemoryBytes(rawMemoryRequest) > parseMemoryBytes(rawMemoryLimit)
+    ? rawMemoryRequest : rawMemoryLimit;
+  const cpuLimit = parseCpuMillis(cpuRequest) > parseCpuMillis(rawCpuLimit)
+    ? cpuRequest : rawCpuLimit;
   const saName = `${name}-sa`;
   const roleName = `${name}-role`;
   const bindingName = `${name}-binding`;
@@ -117,6 +149,7 @@ export function BatchJob(props: BatchJobProps): BatchJobResult {
       requests: { cpu: cpuRequest, memory: memoryRequest },
     },
     ...(env && { env }),
+    ...(securityContext && { securityContext }),
   };
   const jobProps: Record<string, unknown> = {