tlc-claude-code 1.4.8 → 1.4.9

package/server/lib/k8s/pod-security.js

@@ -0,0 +1,114 @@
+/**
+ * Pod Security Standards (Baseline, Restricted)
+ */
+
+/**
+ * Generates a security context based on the specified level
+ * @param {Object} options - Configuration options
+ * @param {string} options.level - Security level ('restricted', 'baseline', 'privileged')
+ * @returns {Object} Security context configuration
+ */
+export function generateSecurityContext({ level = 'restricted' } = {}) {
+  const context = {
+    capabilities: {
+      drop: ['ALL']
+    }
+  };
+
+  if (level === 'restricted') {
+    context.runAsNonRoot = true;
+    context.readOnlyRootFilesystem = true;
+    context.allowPrivilegeEscalation = false;
+  } else if (level === 'baseline') {
+    context.runAsNonRoot = false;
+    context.readOnlyRootFilesystem = false;
+  }
+
+  return context;
+}
+
+/**
+ * Enforces Pod Security Standards at namespace level
+ * @param {Object} options - Configuration options
+ * @param {string} options.namespace - Target namespace
+ * @param {string} options.level - Enforcement level (default: 'restricted')
+ * @returns {Object} Namespace labels for Pod Security Standards
+ */
+export function enforceRestricted({ namespace, level = 'restricted' } = {}) {
+  return {
+    'pod-security.kubernetes.io/enforce': level,
+    'pod-security.kubernetes.io/enforce-version': 'latest',
+    'pod-security.kubernetes.io/audit': level,
+    'pod-security.kubernetes.io/warn': level
+  };
+}
+
+/**
+ * Blocks privileged container settings
+ * @param {Object} options - Configuration options
+ * @param {boolean} options.includeHostSettings - Whether to include host namespace settings
+ * @returns {Object} Security settings that block privileged access
+ */
+export function blockPrivileged({ includeHostSettings = false } = {}) {
+  const settings = {
+    privileged: false,
+    allowPrivilegeEscalation: false
+  };
+
+  if (includeHostSettings) {
+    settings.hostNetwork = false;
+    settings.hostPID = false;
+    settings.hostIPC = false;
+  }
+
+  return settings;
+}
+
+/**
+ * Sets seccomp profile configuration
+ * @param {Object} options - Configuration options
+ * @param {string} options.type - Seccomp profile type ('RuntimeDefault', 'Localhost', 'Unconfined')
+ * @param {string} options.localhostProfile - Path to localhost profile (if type is 'Localhost')
+ * @returns {Object} Seccomp profile configuration
+ */
+export function setSeccomp({ type = 'RuntimeDefault', localhostProfile } = {}) {
+  const profile = {
+    type
+  };
+
+  if (type === 'Localhost' && localhostProfile) {
+    profile.localhostProfile = localhostProfile;
+  }
+
+  return profile;
+}
+
+/**
+ * Creates a pod security manager
+ * @returns {Object} Pod security manager with generate and validate methods
+ */
+export function createPodSecurity() {
+  return {
+    generate: (options) => generateSecurityContext(options),
+    validate: (spec) => {
+      const issues = [];
+
+      if (spec.privileged === true) {
+        issues.push('privileged-container');
+      }
+
+      if (spec.runAsNonRoot !== true) {
+        issues.push('runs-as-root');
+      }
+
+      if (!spec.capabilities?.drop?.includes('ALL')) {
+        issues.push('capabilities-not-dropped');
+      }
+
+      return {
+        valid: issues.length === 0,
+        issues
+      };
+    }
+  };
+}

package/server/lib/k8s/pod-security.test.js

@@ -0,0 +1,55 @@
+/**
+ * Pod Security Tests
+ */
+import { describe, it, expect } from 'vitest';
+import { generateSecurityContext, enforceRestricted, blockPrivileged, setSeccomp, createPodSecurity } from './pod-security.js';
+
+describe('pod-security', () => {
+  describe('generateSecurityContext', () => {
+    it('generates restricted security context', () => {
+      const ctx = generateSecurityContext({ level: 'restricted' });
+      expect(ctx.runAsNonRoot).toBe(true);
+      expect(ctx.readOnlyRootFilesystem).toBe(true);
+    });
+
+    it('drops all capabilities', () => {
+      const ctx = generateSecurityContext({ level: 'restricted' });
+      expect(ctx.capabilities.drop).toContain('ALL');
+    });
+  });
+
+  describe('enforceRestricted', () => {
+    it('enforces Pod Security Standards', () => {
+      const labels = enforceRestricted({ namespace: 'default' });
+      expect(labels['pod-security.kubernetes.io/enforce']).toBe('restricted');
+    });
+  });
+
+  describe('blockPrivileged', () => {
+    it('blocks privileged containers', () => {
+      const ctx = blockPrivileged({});
+      expect(ctx.privileged).toBe(false);
+    });
+
+    it('blocks host namespaces', () => {
+      const spec = blockPrivileged({ includeHostSettings: true });
+      expect(spec.hostNetwork).toBe(false);
+      expect(spec.hostPID).toBe(false);
+    });
+  });
+
+  describe('setSeccomp', () => {
+    it('sets RuntimeDefault seccomp', () => {
+      const profile = setSeccomp({ type: 'RuntimeDefault' });
+      expect(profile.type).toBe('RuntimeDefault');
+    });
+  });
+
+  describe('createPodSecurity', () => {
+    it('creates security manager', () => {
+      const manager = createPodSecurity();
+      expect(manager.generate).toBeDefined();
+      expect(manager.validate).toBeDefined();
+    });
+  });
+});

package/server/lib/k8s/rbac-generator.js

@@ -0,0 +1,132 @@
+/**
+ * RBAC Role and Binding Generator
+ */
+
+/**
+ * Creates a minimal service account
+ * @param {Object} options - Configuration options
+ * @param {string} options.name - Service account name
+ * @param {string} options.namespace - Target namespace (default: 'default')
+ * @returns {Object} ServiceAccount resource
+ */
+export function createServiceAccount({ name, namespace = 'default' } = {}) {
+  return {
+    apiVersion: 'v1',
+    kind: 'ServiceAccount',
+    metadata: {
+      name,
+      namespace
+    },
+    automountServiceAccountToken: false
+  };
+}
+
+/**
+ * Creates a role with least privilege
+ * @param {Object} options - Configuration options
+ * @param {string} options.name - Role name
+ * @param {string} options.namespace - Target namespace (default: 'default')
+ * @param {Array} options.rules - Array of policy rules
+ * @returns {Object} Role resource with optional warnings
+ */
+export function createRole({ name, namespace = 'default', rules = [] } = {}) {
+  const role = {
+    apiVersion: 'rbac.authorization.k8s.io/v1',
+    kind: 'Role',
+    metadata: {
+      name,
+      namespace
+    },
+    rules
+  };
+
+  // Check for excessive permissions (wildcard usage)
+  const hasWildcardPermissions = rules.some(rule =>
+    rule.apiGroups?.includes('*') ||
+    rule.resources?.includes('*') ||
+    rule.verbs?.includes('*')
+  );
+
+  if (hasWildcardPermissions) {
+    role.warnings = ['excessive-permissions'];
+  }
+
+  return role;
+}
+
+/**
+ * Creates a role binding
+ * @param {Object} options - Configuration options
+ * @param {string} options.name - Binding name
+ * @param {string} options.roleName - Name of the role to bind
+ * @param {string} options.serviceAccount - Service account name (optional)
+ * @param {string} options.namespace - Target namespace (default: 'default')
+ * @returns {Object} RoleBinding resource
+ */
+export function createRoleBinding({ name, roleName, serviceAccount, namespace = 'default' } = {}) {
+  const binding = {
+    apiVersion: 'rbac.authorization.k8s.io/v1',
+    kind: 'RoleBinding',
+    metadata: {
+      name,
+      namespace
+    },
+    roleRef: {
+      apiGroup: 'rbac.authorization.k8s.io',
+      kind: 'Role',
+      name: roleName
+    },
+    subjects: []
+  };
+
+  if (serviceAccount) {
+    binding.subjects.push({
+      kind: 'ServiceAccount',
+      name: serviceAccount,
+      namespace
+    });
+  }
+
+  return binding;
+}
+
+/**
+ * Validates RBAC resource syntax
+ * @param {Object} resource - RBAC resource to validate
+ * @returns {Object} Validation result with valid boolean and issues array
+ */
+export function validateRbac(resource) {
+  const issues = [];
+
+  if (!resource.kind) {
+    issues.push('missing-kind');
+  }
+
+  if (!resource.metadata?.name) {
+    issues.push('missing-name');
+  }
+
+  if (resource.kind === 'Role' || resource.kind === 'ClusterRole') {
+    if (!Array.isArray(resource.rules)) {
+      issues.push('missing-rules');
+    }
+  }
+
+  return {
+    valid: issues.length === 0,
+    issues
+  };
+}
+
+/**
+ * Creates an RBAC generator
+ * @returns {Object} Generator with serviceAccount, role, and binding methods
+ */
+export function createRbacGenerator() {
+  return {
+    serviceAccount: (options) => createServiceAccount(options),
+    role: (options) => createRole(options),
+    binding: (options) => createRoleBinding(options),
+    validate: (resource) => validateRbac(resource)
+  };
+}

package/server/lib/k8s/rbac-generator.test.js

@@ -0,0 +1,57 @@
+/**
+ * RBAC Generator Tests
+ */
+import { describe, it, expect } from 'vitest';
+import { createServiceAccount, createRole, createRoleBinding, validateRbac, createRbacGenerator } from './rbac-generator.js';
+
+describe('rbac-generator', () => {
+  describe('createServiceAccount', () => {
+    it('creates minimal service account', () => {
+      const sa = createServiceAccount({ name: 'app-sa', namespace: 'default' });
+      expect(sa.kind).toBe('ServiceAccount');
+      expect(sa.metadata.name).toBe('app-sa');
+    });
+  });
+
+  describe('createRole', () => {
+    it('generates role with least privilege', () => {
+      const role = createRole({ name: 'app-role', rules: [{ apiGroups: [''], resources: ['pods'], verbs: ['get', 'list'] }] });
+      expect(role.kind).toBe('Role');
+      expect(role.rules[0].verbs).not.toContain('*');
+    });
+
+    it('blocks cluster-admin for apps', () => {
+      const role = createRole({ name: 'app-role', rules: [{ apiGroups: ['*'], resources: ['*'], verbs: ['*'] }] });
+      expect(role.warnings).toContain('excessive-permissions');
+    });
+  });
+
+  describe('createRoleBinding', () => {
+    it('creates role binding', () => {
+      const binding = createRoleBinding({ name: 'app-binding', roleName: 'app-role', serviceAccount: 'app-sa' });
+      expect(binding.kind).toBe('RoleBinding');
+      expect(binding.roleRef.name).toBe('app-role');
+    });
+
+    it('supports namespace-scoped roles', () => {
+      const binding = createRoleBinding({ name: 'app-binding', roleName: 'app-role', namespace: 'production' });
+      expect(binding.metadata.namespace).toBe('production');
+    });
+  });
+
+  describe('validateRbac', () => {
+    it('validates RBAC syntax', () => {
+      const result = validateRbac({ kind: 'Role', metadata: { name: 'test' }, rules: [] });
+      expect(result.valid).toBe(true);
+    });
+  });
+
+  describe('createRbacGenerator', () => {
+    it('creates generator', () => {
+      const generator = createRbacGenerator();
+      expect(generator.serviceAccount).toBeDefined();
+      expect(generator.role).toBeDefined();
+      expect(generator.binding).toBeDefined();
+    });
+  });
+});

package/server/lib/k8s/resource-manager.js

@@ -0,0 +1,172 @@
+/**
+ * Resource Quotas and Limits Manager
+ */
+
+/**
+ * Sets resource requests
+ * @param {Object} options - Configuration options
+ * @param {string} options.cpu - CPU request (e.g., '100m')
+ * @param {string} options.memory - Memory request (e.g., '128Mi')
+ * @returns {Object} Resource configuration with requests
+ */
+export function setResourceRequests({ cpu, memory } = {}) {
+  return {
+    requests: {
+      ...(cpu && { cpu }),
+      ...(memory && { memory })
+    }
+  };
+}
+
+/**
+ * Sets resource limits
+ * @param {Object} options - Configuration options
+ * @param {string} options.cpu - CPU limit (e.g., '500m')
+ * @param {string} options.memory - Memory limit (e.g., '512Mi')
+ * @returns {Object} Resource configuration with limits
+ */
+export function setResourceLimits({ cpu, memory } = {}) {
+  return {
+    limits: {
+      ...(cpu && { cpu }),
+      ...(memory && { memory })
+    }
+  };
+}
+
+/**
+ * Generates a Horizontal Pod Autoscaler configuration
+ * @param {Object} options - Configuration options
+ * @param {string} options.name - Target deployment name
+ * @param {number} options.minReplicas - Minimum replicas
+ * @param {number} options.maxReplicas - Maximum replicas
+ * @param {number} options.targetCpu - Target CPU utilization percentage
+ * @param {string} options.namespace - Target namespace (default: 'default')
+ * @returns {Object} HorizontalPodAutoscaler resource
+ */
+export function generateHpa({ name, minReplicas = 1, maxReplicas = 10, targetCpu = 80, namespace = 'default' } = {}) {
+  return {
+    apiVersion: 'autoscaling/v2',
+    kind: 'HorizontalPodAutoscaler',
+    metadata: {
+      name: `${name}-hpa`,
+      namespace
+    },
+    spec: {
+      scaleTargetRef: {
+        apiVersion: 'apps/v1',
+        kind: 'Deployment',
+        name
+      },
+      minReplicas,
+      maxReplicas,
+      metrics: [{
+        type: 'Resource',
+        resource: {
+          name: 'cpu',
+          target: {
+            type: 'Utilization',
+            averageUtilization: targetCpu
+          }
+        }
+      }]
+    }
+  };
+}
+
+/**
+ * Generates a Pod Disruption Budget configuration
+ * @param {Object} options - Configuration options
+ * @param {string} options.name - Target deployment name
+ * @param {number} options.minAvailable - Minimum available pods (optional)
+ * @param {number} options.maxUnavailable - Maximum unavailable pods (optional)
+ * @param {Object} options.selector - Pod selector (default: matches app label)
+ * @param {string} options.namespace - Target namespace (default: 'default')
+ * @returns {Object} PodDisruptionBudget resource
+ */
+export function generatePdb({ name, minAvailable, maxUnavailable, selector, namespace = 'default' } = {}) {
+  const pdb = {
+    apiVersion: 'policy/v1',
+    kind: 'PodDisruptionBudget',
+    metadata: {
+      name: `${name}-pdb`,
+      namespace
+    },
+    spec: {
+      selector: selector || {
+        matchLabels: {
+          app: name
+        }
+      }
+    }
+  };
+
+  if (minAvailable !== undefined) {
+    pdb.spec.minAvailable = minAvailable;
+  } else if (maxUnavailable !== undefined) {
+    pdb.spec.maxUnavailable = maxUnavailable;
+  }
+
+  return pdb;
+}
+
+/**
+ * Sets a priority class configuration
+ * @param {Object} options - Configuration options
+ * @param {string} options.name - Priority class name
+ * @param {number} options.value - Priority value
+ * @param {boolean} options.globalDefault - Whether this is the global default
+ * @param {string} options.description - Description of the priority class
+ * @returns {Object} PriorityClass resource
+ */
+export function setPriorityClass({ name, value, globalDefault = false, description } = {}) {
+  return {
+    apiVersion: 'scheduling.k8s.io/v1',
+    kind: 'PriorityClass',
+    metadata: {
+      name
+    },
+    value,
+    globalDefault,
+    description: description || `Priority class: ${name}`
+  };
+}
+
+/**
+ * Validates resource syntax
+ * @param {Object} resources - Resource configuration to validate
+ * @returns {Object} Validation result with valid boolean and issues array
+ */
+function validateResources(resources) {
+  const issues = [];
+  const cpuPattern = /^\d+m?$/;
+  const memoryPattern = /^\d+(Ki|Mi|Gi|Ti|Pi|Ei)?$/;
+
+  if (resources.cpu && !cpuPattern.test(resources.cpu)) {
+    issues.push('invalid-cpu-format');
+  }
+
+  if (resources.memory && !memoryPattern.test(resources.memory)) {
+    issues.push('invalid-memory-format');
+  }
+
+  return {
+    valid: issues.length === 0,
+    issues
+  };
+}
+
+/**
+ * Creates a resource manager
+ * @returns {Object} Manager with setRequests, setLimits, generateHpa, and validate methods
+ */
+export function createResourceManager() {
+  return {
+    setRequests: (options) => setResourceRequests(options),
+    setLimits: (options) => setResourceLimits(options),
+    generateHpa: (options) => generateHpa(options),
+    generatePdb: (options) => generatePdb(options),
+    setPriorityClass: (options) => setPriorityClass(options),
+    validate: (resources) => validateResources(resources)
+  };
+}

package/server/lib/k8s/resource-manager.test.js

@@ -0,0 +1,60 @@
+/**
+ * Resource Manager Tests
+ */
+import { describe, it, expect } from 'vitest';
+import { setResourceRequests, setResourceLimits, generateHpa, generatePdb, setPriorityClass, createResourceManager } from './resource-manager.js';
+
+describe('resource-manager', () => {
+  describe('setResourceRequests', () => {
+    it('sets resource requests', () => {
+      const resources = setResourceRequests({ cpu: '100m', memory: '128Mi' });
+      expect(resources.requests.cpu).toBe('100m');
+      expect(resources.requests.memory).toBe('128Mi');
+    });
+  });
+
+  describe('setResourceLimits', () => {
+    it('sets resource limits', () => {
+      const resources = setResourceLimits({ cpu: '500m', memory: '512Mi' });
+      expect(resources.limits.cpu).toBe('500m');
+    });
+  });
+
+  describe('generateHpa', () => {
+    it('generates HPA config', () => {
+      const hpa = generateHpa({ name: 'app', minReplicas: 2, maxReplicas: 10, targetCpu: 80 });
+      expect(hpa.kind).toBe('HorizontalPodAutoscaler');
+      expect(hpa.spec.minReplicas).toBe(2);
+    });
+  });
+
+  describe('generatePdb', () => {
+    it('generates PDB config', () => {
+      const pdb = generatePdb({ name: 'app', minAvailable: 1 });
+      expect(pdb.kind).toBe('PodDisruptionBudget');
+      expect(pdb.spec.minAvailable).toBe(1);
+    });
+  });
+
+  describe('setPriorityClass', () => {
+    it('configures priority classes', () => {
+      const pc = setPriorityClass({ name: 'high-priority', value: 1000000 });
+      expect(pc.kind).toBe('PriorityClass');
+    });
+  });
+
+  describe('createResourceManager', () => {
+    it('creates manager', () => {
+      const manager = createResourceManager();
+      expect(manager.setRequests).toBeDefined();
+      expect(manager.setLimits).toBeDefined();
+      expect(manager.generateHpa).toBeDefined();
+    });
+
+    it('validates resource syntax', () => {
+      const manager = createResourceManager();
+      const result = manager.validate({ cpu: '100m', memory: '128Mi' });
+      expect(result.valid).toBe(true);
+    });
+  });
+});