HighwayofLife
diff --git a/‎CHANGELOG.md‎
Lines changed: 44 additions & 9 deletions b/‎CHANGELOG.md‎
Lines changed: 44 additions & 9 deletions
diff --git a/‎Dockerfile‎
Lines changed: 78 additions & 29 deletions b/‎Dockerfile‎
Lines changed: 78 additions & 29 deletions
diff --git a/‎README.md‎
Lines changed: 90 additions & 1 deletion b/‎README.md‎
Lines changed: 90 additions & 1 deletion
@@ -1,16 +1,48 @@
+v2.5
+----
+
+### Features 🚀 
+
+* 🚀 **[NEW]** Added **[Kubeconform](https://github.com/yannh/kubeconform)**, a Kubernetes manifests validation tool.
+
+It is inspired by, contains code from and is designed to stay close to Kubeval, but with the following improvements:
+
+* high performance: will validate & download manifests over multiple routines, caching downloaded files in memory
+* configurable list of remote, or local schemas locations, enabling validating Kubernetes custom resources (CRDs) and offline validation capabilities
+* uses by default a self-updating fork of the schemas registry maintained by the kubernetes-json-schema project - which guarantees up-to-date schemas for all recent versions of Kubernetes. 
+
+* 🚀 **[NEW]** Added **[Kubeaudit](https://github.com/Shopify/kubeaudit)**, a command line tool and a Go package to audit Kubernetes clusters for various different security concerns.
+
+### Updates 📝 
+* Update Python from 3.9.0 to 3.9.5 on Alpine 3.13
+* Update Kubectl from 1.19.3 to [v1.21.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.21.md), now installed via [Alpine package manager](https://pkgs.alpinelinux.org/package/edge/testing/x86_64/kubectl)
+* Update Yamllint from 1.25.0 to [1.26.0](https://github.com/adrienverge/yamllint/blob/master/CHANGELOG.rst#1260-2021-01-29)
+* Update Kustomize from 3.8.6 to [v4.1.0](https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv4.1.0)
+* Update OPA Conftest from 0.21.0 to [v0.25.0](https://github.com/open-policy-agent/conftest/releases/tag/v0.25.0)
+* Update Kube-Score to [v1.11.0](https://github.com/zegl/kube-score/releases/tag/v1.11.0)
+* Update Polaris to [3.2.1](https://github.com/FairwindsOps/polaris/releases/tag/3.2.1)
+* Update Kube-Linter to [0.2.1](https://github.com/stackrox/kube-linter/releases/tag/0.2.1)
+* Install Kubeconform [v0.4.7](https://github.com/yannh/kubeconform/releases/tag/v0.4.7)
+
+
 v2.4
 ----
-* 📝 Updated base Python to [v3.9.1-alpine3.12](https://hub.docker.com/layers/python/library/python/3.9.1/images/sha256-758539bea3c58d4b0bf09bfa97c633cd657599e58648f5eb791b25d95cb854c2?context=explore)
-* 📝 Updated Kubectl to [v1.20.0](https://github.com/kubernetes/kubectl/releases/tag/kubernetes-1.20.2)
-* 📝 Updated Kubeval to [v1.15.0](https://github.com/instrumenta/kubeval/releases/tag/0.15.0)
-* 📝 Updated YAMLLint to [v1.25.0](https://pypi.org/project/yamllint/)
-* 📝 Updated Kustomize to [v3.9.2](https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv3.9.2)
-* 📝 Updated Conftest to [v0.23.0](https://github.com/open-policy-agent/conftest/releases/tag/v0.23.0)
-* 📝 Updated Config-Lint to [v1.6.0](https://github.com/stelligent/config-lint/releases/tag/v1.6.0)
+* 🚀 **[NEW]** Added [Kube-Score](https://github.com/zegl/kube-score), a tool that performs static code analysis of your Kubernetes object definitions. The output is a list of recommendations of what you can improve to make your application more secure and resilient.
+* 🚀 **[NEW]** Added [Polaris](https://github.com/FairwindsOps/polaris), Polaris runs a variety of checks to ensure that Kubernetes pods and controllers are configured using best practices. Polaris is included as a CLI tool to test local YAML files, e.g. as part of a CI/CD process.
+* 🚀 **[NEW]** Added [Kube Linter](https://github.com/stackrox/kube-linter), a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices. KubeLinter accepts YAML files as input and runs a series of checks on them. If it finds any issues, it reports them and returns a non-zero exit code.
+
+### Updates
+* 📝 Updated Python from 3.8.4 to 3.9.0
+* 📝 Updated Kubectl from 1.18.6 to 1.19.3
+* 📝 Updated Yamllint from 1.24.2 to 1.25.0
+* 📝 Updated Kustomize from 3.8.1 to 3.8.6
+* 📝 Updated Conftest from 0.20.0 to 0.21.0
 
 v2.3
 ----
-* 🚀 [NEW] Added [Config-lint](https://stelligent.github.io/config-lint/#/?id=%f0%9f%94%8d-config-lint-%f0%9f%94%8e), A CLI tool to validate config files (JSON, Terraform, YAML + Kubernetes), using rules specified in YAML.
+* 🚀 **[NEW]** Added [Config-lint](https://stelligent.github.io/config-lint/#/?id=%f0%9f%94%8d-config-lint-%f0%9f%94%8e), A CLI tool to validate config files (JSON, Terraform, YAML + Kubernetes), using rules specified in YAML.
+
+### Updates
 * 📝 Updated Kubectl to [v1.18.6](https://kubernetes.io/docs/setup/release/notes/)
 * 📝 Updated YAMLLint to [v1.24.2](https://github.com/adrienverge/yamllint/blob/master/CHANGELOG.rst)
 * 📝 Updated Kustomize to [v3.8.1](https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv3.8.1)
@@ -23,6 +55,7 @@ v2.2
 v2.1
 ----
 
+### Updates
 * Updated base Python to 3.8.4-alpine3.12
 * Updated Kubectl to v1.18.5
 * Updated Kustomize to 3.8.0
@@ -32,10 +65,12 @@ v2.1
 v2.0
 ----
 
+* 🚀 **[NEW]** Added ConfTest v0.18.1
+
+### Updates
 * Updated base Python to v3.8.2-alpine3.11
 * Updated KubeCTL to v1.18.2
 * Updated KubeVal to v0.15
 * Updated YamlLint to v1.23
 * Updated Kustomize to v3.5.4
-* Added ConfTest v0.18.1
 
@@ -1,56 +1,81 @@
-FROM python:3.9.1-alpine3.12
+FROM python:3.9.5-alpine3.13
 # https://hub.docker.com/_/python
 
-ARG APP_VERSION=2.4
-
-# https://github.com/kubernetes/kubectl/releases
-ARG KUBECTL_VERSION=1.20.0
+ARG APP_VERSION=2.5
 
 # https://github.com/instrumenta/kubeval/releases
-ARG KUBEVAL_VERSION=0.15.0
-
-# https://pypi.org/project/yamllint/
-ARG YAMLLINT_VERSION=1.25.0
+ARG KUBEVAL_VERSION=0.16.1
 
 # https://github.com/kubernetes-sigs/kustomize/releases
-ARG KUSTOMIZE_VERSION=3.9.2
+ARG KUSTOMIZE_VERSION=4.1.0
 
 # https://github.com/open-policy-agent/conftest/releases
-ARG CONFTEST_VERSION=0.23.0
+ARG CONFTEST_VERSION=0.25.0
 
 # https://github.com/stelligent/config-lint/releases
 ARG CONFIG_LINT_VERSION=1.6.0
 
+# https://github.com/zegl/kube-score/releases
+ARG KUBE_SCORE_VERSION=1.11.0
+
+# https://github.com/FairwindsOps/polaris/releases
+ARG POLARIS_VERSION=3.2.1
+
+# https://github.com/stackrox/kube-linter/releases
+ARG KUBE_LINTER_VERSION=0.2.1
+
+# https://github.com/yannh/kubeconform/releases
+ARG KUBECONFORM_VERSION=0.4.7
+
+# https://github.com/Shopify/kubeaudit/releases
+ARG KUBEAUDIT_VERSION=0.14.0
+
 # split layers into distinct components
-RUN apk add --no-cache ca-certificates curl
+# Install yamllint and kubectl via the alpine packages repositories
+RUN apk add --no-cache --upgrade bash ca-certificates curl tar yamllint \
+ && apk add kubectl --no-cache --repository http://dl-3.alpinelinux.org/alpine/edge/testing/ --allow-untrusted
 
 # Install Kubeval
 RUN mkdir /tmp/kubeval \
- && curl -L -o /tmp/kubeval/kubeval.tar.gz \
- https://github.com/instrumenta/kubeval/releases/download/${KUBEVAL_VERSION}/kubeval-linux-amd64.tar.gz \
- && tar xf /tmp/kubeval/kubeval.tar.gz -C /tmp/kubeval \
- && mv /tmp/kubeval/kubeval /usr/local/bin \
- && chmod +x /usr/local/bin/kubeval \
- && rm -rf /tmp/kubeval
-
-# Install yamllint
-RUN pip install yamllint==${YAMLLINT_VERSION} && \
- rm -rf ~/.cache/pip
+ && curl -L -o /tmp/kubeval/kubeval.tar.gz \
+ https://github.com/instrumenta/kubeval/releases/download/v${KUBEVAL_VERSION}/kubeval-linux-amd64.tar.gz \
+ && tar -xzf /tmp/kubeval/kubeval.tar.gz -C /tmp/kubeval \
+ && mv /tmp/kubeval/kubeval /usr/local/bin \
+ && chmod +x /usr/local/bin/kubeval \
+ && rm -rf /tmp/kubeval
 
 # Install Kustomize
 RUN mkdir /tmp/kustomize \
  && curl -L -o /tmp/kustomize/kustomize.tar.gz \
  https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${KUSTOMIZE_VERSION}/kustomize_v${KUSTOMIZE_VERSION}_linux_amd64.tar.gz \
- && tar xf /tmp/kustomize/kustomize.tar.gz -C /tmp/kustomize \
+ && tar -xzf /tmp/kustomize/kustomize.tar.gz -C /tmp/kustomize \
  && mv /tmp/kustomize/kustomize /usr/local/bin \
  && chmod +x /usr/local/bin/kustomize \
  && rm -rf /tmp/kustomize
 
+# Install KubeConform
+RUN mkdir /tmp/kubeconform \
+ && curl -L -o /tmp/kubeconform/kubeconform.tar.gz \
+ https://github.com/yannh/kubeconform/releases/download/v${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz \
+ && tar -xzf /tmp/kubeconform/kubeconform.tar.gz -C /tmp/kubeconform \
+ && mv /tmp/kubeconform/kubeconform /usr/local/bin \
+ && chmod +x /usr/local/bin/kubeconform \
+ && rm -rf /tmp/kubeconform
+
+# Install Kubeaudit
+RUN mkdir /tmp/kubeaudit \
+ && curl -L -o /tmp/kubeaudit/kubeaudit.tar.gz \
+ https://github.com/Shopify/kubeaudit/releases/download/v${KUBEAUDIT_VERSION}/kubeaudit_${KUBEAUDIT_VERSION}_linux_amd64.tar.gz \
+ && tar -xzf /tmp/kubeaudit/kubeaudit.tar.gz -C /tmp/kubeaudit \
+ && mv /tmp/kubeaudit/kubeaudit /usr/local/bin \
+ && chmod +x /usr/local/bin/kubeaudit \
+ && rm -rf /tmp/kubeaudit
+
 # Install Conftest (https://www.conftest.dev/)
 RUN mkdir /tmp/conftest \
  && curl -L -o /tmp/conftest/conftest.tar.gz \
  https://github.com/open-policy-agent/conftest/releases/download/v${CONFTEST_VERSION}/conftest_${CONFTEST_VERSION}_Linux_x86_64.tar.gz \
- && tar xf /tmp/conftest/conftest.tar.gz -C /tmp/conftest \
+ && tar -xzf /tmp/conftest/conftest.tar.gz -C /tmp/conftest \
  && mv /tmp/conftest/conftest /usr/local/bin \
  && chmod +x /usr/local/bin/conftest \
  && rm -rf /tmp/conftest
@@ -59,13 +84,37 @@ RUN mkdir /tmp/conftest \
 RUN mkdir /tmp/config-lint \
  && curl -L -o /tmp/config-lint/config-lint.tar.gz \
  https://github.com/stelligent/config-lint/releases/download/v${CONFIG_LINT_VERSION}/config-lint_Linux_x86_64.tar.gz \
- && tar xf /tmp/config-lint/config-lint.tar.gz -C /tmp/config-lint \
+ && tar -xzf /tmp/config-lint/config-lint.tar.gz -C /tmp/config-lint \
  && mv /tmp/config-lint/config-lint /usr/local/bin \
  && chmod +x /usr/local/bin/config-lint \
  && rm -rf /tmp/config-lint
 
-# Install Kubectl
-RUN curl -o /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl \
- && chmod +x /usr/local/bin/kubectl
+# Install Kube Score (https://github.com/zegl/kube-score)
+RUN mkdir /tmp/kube-score \
+ && curl -L -o /tmp/kube-score/kube-score.tar.gz \
+ https://github.com/zegl/kube-score/releases/download/v${KUBE_SCORE_VERSION}/kube-score_${KUBE_SCORE_VERSION}_linux_amd64.tar.gz \
+ && tar -xzf /tmp/kube-score/kube-score.tar.gz -C /tmp/kube-score \
+ && mv /tmp/kube-score/kube-score /usr/local/bin \
+ && chmod +x /usr/local/bin/kube-score \
+ && rm -rf /tmp/kube-score
+
+# Install Polaris (https://github.com/FairwindsOps/polaris)
+RUN mkdir /tmp/polaris \
+ && curl -L -o /tmp/polaris/polaris.tar.gz \
+ https://github.com/FairwindsOps/polaris/releases/download/${POLARIS_VERSION}/polaris_${POLARIS_VERSION}_linux_amd64.tar.gz \
+ && tar -xzf /tmp/polaris/polaris.tar.gz -C /tmp/polaris \
+ && mv /tmp/polaris/polaris /usr/local/bin \
+ && chmod +x /usr/local/bin/polaris \
+ && rm -rf /tmp/polaris
+
+# Install Kube Linter (https://github.com/stackrox/kube-linter)
+RUN mkdir /tmp/kube-linter \
+ && curl -L -o /tmp/kube-linter/kube-linter.tar.gz \
+ https://github.com/stackrox/kube-linter/releases/download/${KUBE_LINTER_VERSION}/kube-linter-linux.tar.gz \
+ && tar -xzf /tmp/kube-linter/kube-linter.tar.gz -C /tmp/kube-linter \
+ && mv /tmp/kube-linter/kube-linter /usr/local/bin \
+ && chmod +x /usr/local/bin/kube-linter \
+ && rm -rf /tmp/kube-linter
+
+CMD ["/bin/bash"]
 
-CMD ["/bin/sh"]
 
@@ -1,7 +1,7 @@
 Kubernetes Validation Tools
 ===========================
 
-Common validation and linting tools for structured configuration data, including Kubernetes YAML Manifests.
+An all-in-one collection of tools to run linting, common validation, static code analysis, security scanning, configuration tests, auditing, kustomize build, and dry run configuration for structured Kubernetes YAML Manifests. Designed to run in a CI (Continuious Integration) process as part of validation and testing, especially useful for Kubernetes clusters that are managed through GitOps.
 
 Why?
 ----
@@ -17,6 +17,24 @@ Grab the latest image from Docker hub: [Deck15/kubeval-tools](https://hub.docker
 docker run --rm -it deck15/kubeval-tools /bin/sh
 ```
 
+Ideally the kubeval-tools container should be used in a CI process to validate and lint Kubernetes configs and manifests. It's optimal to run these tools as part of a [GitOps](https://www.gitops.tech/) CI workflow.
+
+Tools List
+----------
+
+
+Kubeaudit
+---------
+[Kubeaudit](https://github.com/Shopify/kubeaudit) is a command line tool and a Go package to audit Kubernetes clusters for various different security concerns, such as:
+
+* run as non-root
+* use a read-only root filesystem
+* drop scary capabilities, don't add new ones
+* don't run privileged
+* and more!
+
+kubeaudit makes sure you deploy secure containers!
+
 KubeVal
 -------
 
@@ -61,3 +79,74 @@ Config-Lint
 config-lint -rules example-files/rules/kubernetes.yml example-files/config
 ```
 
+Kube-Score
+----------
+[Kube-Score](https://github.com/zegl/kube-score), a tool that performs static code analysis of your Kubernetes object definitions. The output is a list of recommendations of what you can improve to make your application more secure and resilient.
+
+kube-score can run in your CI/CD environment and will exit with exit code 1 if a critical error has been found. The trigger level can be changed to warning with the --exit-one-on-warning argument.
+
+The input to kube-score should be all applications that you deploy to the same namespace for the best result.
+
+#### Example with Helm
+```sh
+helm template my-app | kube-score score -
+```
+
+#### Example with Kustomize
+```sh
+kustomize build . | kube-score score -
+```
+
+#### Example with static YAMLs
+```sh
+kube-score score my-app/*.yaml
+kube-score score my-app/deployment.yaml my-app/service.yaml
+```
+
+Polaris
+-------
+[Polaris](https://github.com/FairwindsOps/polaris), Polaris runs a variety of checks to ensure that Kubernetes pods and controllers are configured using best practices. Polaris is included as a CLI tool to test local YAML files, e.g. as part of a CI/CD process.
+
+Polaris can be run in a few different modes:
+
+* As a dashboard, so you can audit what's running inside your cluster.
+* As a validating webhook, so you can automatically reject workloads that don't adhere to your organization's policies.
+* As a command-line tool, so you can test local YAML files, e.g. as part of a CI/CD process.
+
+You can run audits on the command line and see the output as JSON, YAML, or a raw score:
+
+```sh
+polaris audit --format yaml > report.yaml
+polaris audit --format score
+# 92
+```
+
+Audits can run against a local directory or YAML file rather than a cluster:
+```sh
+polaris audit --audit-path ./deploy/
+
+# or to use STDIN
+cat pod.yaml | polaris audit --audit-path -
+```
+You can also run the audit on a single resource instead of the entire cluster:
+
+```sh
+polaris audit --resource "nginx-ingress/Deployment.apps/v1/default-backend"
+```
+#### Running with CI/CD
+You can integrate Polaris into CI/CD for repositories containing infrastructure-as-code. For example, to fail if polaris detects any danger-level issues, or if the score drops below 90%:
+
+```sh
+polaris audit --audit-path ./deploy/ \
+ --set-exit-code-on-danger \
+ --set-exit-code-below-score 90
+```
+
+For more usage options for CLI, see the [Usage Doc](https://github.com/FairwindsOps/polaris/blob/master/docs/usage.md)
+
+Kube Linter
+-----------
+
+[Kube Linter](https://github.com/stackrox/kube-linter) is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices. KubeLinter accepts YAML files as input and runs a series of checks on them. If it finds any issues, it reports them and returns a non-zero exit code.
+
+