Add a New Check For Annotations on PersistentVolumeClaims

docs/generated/templates.md

@@ -759,6 +759,26 @@ KubeLinter supports the following templates:
 **Supported Objects**: DeploymentLike
 
 
+## StatefulSet VolumeClaimTemplate Annotation
+
+**Key**: `statefulset-volumeclaimtemplate-annotation`
+
+**Description**: Check if StatefulSet's VolumeClaimTemplate contains a specific annotation
+
+**Supported Objects**: DeploymentLike
+
+
+**Parameters**:
+
+```yaml
+- description: Annotation specifies the required annotation to match.
+  name: annotation
+  negationAllowed: true
+  regexAllowed: true
+  required: true
+  type: string
+```
+
 ## Target Port
 
 **Key**: `target-port`

pkg/extract/sts_spec.go

@@ -0,0 +1,35 @@
+package extract
+
+import (
+	"reflect"
+
+	"golang.stackrox.io/kube-linter/pkg/k8sutil"
+	appsV1 "k8s.io/api/apps/v1"
+)
+
+func StatefulSetSpec(obj k8sutil.Object) (appsV1.StatefulSetSpec, bool) {
+	if obj == nil {
+		return appsV1.StatefulSetSpec{}, false
+	}
+
+	switch obj := obj.(type) {
+	case *appsV1.StatefulSet:
+		return obj.Spec, true
+	default:
+		kind := obj.GetObjectKind().GroupVersionKind().Kind
+		if kind != "StatefulSet" {
+			return appsV1.StatefulSetSpec{}, false
+		}
+
+		objValue := reflect.Indirect(reflect.ValueOf(obj))
+		spec := objValue.FieldByName("Spec")
+		if !spec.IsValid() {
+			return appsV1.StatefulSetSpec{}, false
+		}
+		statefulSetSpec, ok := spec.Interface().(appsV1.StatefulSetSpec)
+		if ok {
+			return statefulSetSpec, true
+		}
+		return appsV1.StatefulSetSpec{}, false
+	}
+}

pkg/extract/sts_spec_test.go

@@ -0,0 +1,93 @@
+package extract
+
+import (
+	"testing"
+	"time"
+
+	appsV1 "k8s.io/api/apps/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	"github.com/stretchr/testify/assert"
+)
+
+type fakeStatefulSet struct {
+	metav1.TypeMeta
+	metav1.ObjectMeta
+	Spec appsV1.StatefulSetSpec
+}
+
+func (f *fakeStatefulSet) GetObjectKind() schema.ObjectKind {
+	return &f.TypeMeta
+}
+
+func (f *fakeStatefulSet) DeepCopyObject() runtime.Object {
+	return &fakeStatefulSet{
+		TypeMeta: f.TypeMeta,
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      f.Name,
+			Namespace: f.Namespace,
+		},
+		Spec: f.Spec,
+	}
+}
+
+func (f *fakeStatefulSet) GetAnnotations() map[string]string {
+	return map[string]string{"key": "value"} // Example annotation
+}
+
+func (f *fakeStatefulSet) GetCreationTimestamp() metav1.Time {
+	return metav1.Time{Time: time.Now()}
+}
+
+func TestStatefulSetSpec(t *testing.T) {
+	t.Run("nil object", func(t *testing.T) {
+		spec, ok := StatefulSetSpec(nil)
+		assert.False(t, ok)
+		assert.Equal(t, appsV1.StatefulSetSpec{}, spec)
+	})
+
+	t.Run("typed StatefulSet", func(t *testing.T) {
+		sampleSpec := appsV1.StatefulSetSpec{
+			ServiceName: "my-service",
+		}
+		obj := &appsV1.StatefulSet{
+			Spec: sampleSpec,
+		}
+		spec, ok := StatefulSetSpec(obj)
+		assert.True(t, ok)
+		assert.Equal(t, sampleSpec, spec)
+	})
+
+	t.Run("fallback via reflection", func(t *testing.T) {
+		sampleSpec := appsV1.StatefulSetSpec{
+			ServiceName: "reflected-service",
+		}
+		obj := &fakeStatefulSet{
+			TypeMeta: metav1.TypeMeta{
+				Kind: "StatefulSet",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "fake-statefulset",
+				Namespace: "default",
+			},
+			Spec: sampleSpec,
+		}
+		spec, ok := StatefulSetSpec(obj)
+		assert.True(t, ok)
+		assert.Equal(t, sampleSpec, spec)
+	})
+
+	t.Run("wrong kind", func(t *testing.T) {
+		obj := &fakeStatefulSet{
+			TypeMeta: metav1.TypeMeta{
+				Kind: "Deployment",
+			},
+			Spec: appsV1.StatefulSetSpec{},
+		}
+		spec, ok := StatefulSetSpec(obj)
+		assert.False(t, ok)
+		assert.Equal(t, appsV1.StatefulSetSpec{}, spec)
+	})
+}

pkg/lintcontext/mocks/context.go

@@ -28,3 +28,8 @@
 func NewMockContext() *MockLintContext {
 	return &MockLintContext{objects: make(map[string]k8sutil.Object)}
 }
+
+// AddObject adds an object to the MockLintContext
+func (l *MockLintContext) AddObject(key string, obj k8sutil.Object) {
+	l.objects[key] = obj
+}

pkg/objectkinds/pvc.go

@@ -0,0 +1,24 @@
+package objectkinds
+
+import (
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const (
+	PersistentVolumeClaim = "PersistentVolumeClaim"
+)
+
+var (
+	persistentvolumeclaimGVK = v1.SchemeGroupVersion.WithKind("PersistentVolumeClaim")
+)
+
+func init() {
+	RegisterObjectKind(PersistentVolumeClaim, MatcherFunc(func(gvk schema.GroupVersionKind) bool {
+		return gvk == persistentvolumeclaimGVK
+	}))
+}
+
+func GetPersistentVolumeClaimAPIVersion() string {
+	return persistentvolumeclaimGVK.GroupVersion().String()
+}

pkg/objectkinds/pvc_test.go

@@ -0,0 +1,13 @@
+package objectkinds_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"golang.stackrox.io/kube-linter/pkg/objectkinds"
+)
+
+func TestGetPersistentVolumeClaimAPIVersion(t *testing.T) {
+	apiVersion := objectkinds.GetPersistentVolumeClaimAPIVersion()
+	assert.NotEmpty(t, apiVersion)
+}

pkg/templates/all/all.go

@@ -56,6 +56,7 @@ import (
 	_ "golang.stackrox.io/kube-linter/pkg/templates/targetport"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/unsafeprocmount"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/updateconfig"
+	_ "golang.stackrox.io/kube-linter/pkg/templates/volumeclaimtemplates"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/wildcardinrules"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/writablehostmount"
 )

pkg/templates/volumeclaimtemplates/internal/params/gen-params_test.go

@@ -0,0 +1,93 @@
+package params
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"golang.stackrox.io/kube-linter/pkg/check"
+	"golang.stackrox.io/kube-linter/pkg/diagnostic"
+	"golang.stackrox.io/kube-linter/pkg/lintcontext"
+)
+
+func TestValidate(t *testing.T) {
+	tests := []struct {
+		name          string
+		params        Params
+		expectedError error
+	}{
+		{
+			name: "valid annotation",
+			params: Params{
+				Annotation: "some-annotation",
+			},
+			expectedError: nil,
+		},
+		{
+			name: "missing annotation",
+			params: Params{
+				Annotation: "",
+			},
+			expectedError: errors.New("invalid parameters: required param annotation not found"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.params.Validate()
+			if tt.expectedError == nil {
+				assert.NoError(t, err)
+			} else {
+				assert.EqualError(t, err, tt.expectedError.Error())
+			}
+		})
+	}
+}
+
+func TestParseAndValidate(t *testing.T) {
+	t.Run("valid map input", func(t *testing.T) {
+		m := map[string]interface{}{
+			"annotation": "required-annotation",
+		}
+		result, err := ParseAndValidate(m)
+		assert.NoError(t, err)
+
+		params, ok := result.(Params)
+		assert.True(t, ok)
+		assert.Equal(t, "required-annotation", params.Annotation)
+	})
+
+	t.Run("missing annotation in map", func(t *testing.T) {
+		m := map[string]interface{}{}
+		_, err := ParseAndValidate(m)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "required param annotation not found")
+	})
+}
+
+func TestWrapInstantiateFunc(t *testing.T) {
+	mockFunc := func(p Params) (check.Func, error) {
+		return func(ctx lintcontext.LintContext, obj lintcontext.Object) []diagnostic.Diagnostic {
+			return []diagnostic.Diagnostic{
+				{
+					Message: "mocked diagnostic",
+				},
+			}
+		}, nil
+	}
+
+	wrapped := WrapInstantiateFunc(mockFunc)
+
+	t.Run("wrapped function works", func(t *testing.T) {
+		params := Params{Annotation: "test-annotation"}
+		fn, err := wrapped(params)
+		assert.NoError(t, err)
+
+		var dummyCtx lintcontext.LintContext
+		var dummyObj lintcontext.Object
+
+		diagnostics := fn(dummyCtx, dummyObj)
+		assert.Len(t, diagnostics, 1)
+		assert.Equal(t, "mocked diagnostic", diagnostics[0].Message)
+	})
+}

pkg/templates/volumeclaimtemplates/internal/params/params.go

@@ -0,0 +1,8 @@
+package params
+
+// Params represents the params accepted by this template.
+type Params struct {
+	// Annotation specifies the required annotation to match.
+	// +required
+	Annotation string
+}