Add check to enforce that objects with multiple replicas use inter-po…

…d anti affinity (#54)
stackrox · Nov 14, 2020 · 55597dc · 55597dc
1 parent 6a27cdf
commit 55597dc
Show file tree

Hide file tree

Showing 10 changed files with 219 additions and 1 deletion.
diff --git a/docs/generated/checks.md b/docs/generated/checks.md
@@ -7,6 +7,7 @@ The following table enumerates built-in checks:
  | deprecated-service-account-field | Yes | Alert on deployments that use the deprecated serviceAccount field | Use the serviceAccountName field instead of the serviceAccount field. | deprecated-service-account-field | `{}` |
  | env-var-secret | Yes | Alert on objects using a secret in an environment variable | Don't use raw secrets in an environment variable. Instead, either mount the secret as a file or use a secretKeyRef. See https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets for more details. | env-var | `{"name":"(?i).*secret.*","value":".+"}` |
  | mismatching-selector | Yes | Alert on deployments where the selector doesn't match the pod template labels | Make sure your deployment's selector correctly matches the labels in its pod template. | mismatching-selector | `{}` |
+ | no-anti-affinity | Yes | Alert on deployments with multiple replicas that don't specify inter pod anti-affinity to ensure that the orchestrator attempts to schedule replicas on different nodes | Specify anti-affinity in your pod spec to ensure that the orchestrator attempts to schedule replicas on different nodes. You can do this by using podAntiAffinity, specifying a labelSelector that matches pods of this deployment, and setting the topologyKey to kubernetes.io/hostname. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity for more details. | anti-affinity | `{"minReplicas":2}` |
  | no-extensions-v1beta | Yes | Alert on objects using deprecated API versions under extensions v1beta | Migrate to using the apps/v1 API versions for these objects. See https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/ for more details. | disallowed-api-obj | `{"group":"extensions","version":"v1beta.+"}` |
  | no-liveness-probe | No | Alert on containers which don't specify a liveness probe | Specify a liveness probe in your container. See https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ for more details. | liveness-probe | `{}` |
  | no-read-only-root-fs | Yes | Alert on containers not running with a read-only root filesystem | Set readOnlyRootFilesystem to true in your container's securityContext. | read-only-root-fs | `{}` |

diff --git a/docs/generated/templates.md b/docs/generated/templates.md
@@ -1,5 +1,26 @@
 This page lists supported check templates.
 
+## Anti affinity not specified
+
+**Key**: `anti-affinity`
+
+**Description**: Flag objects with multiple replicas but inter-pod anti affinity not specified in the pod template spec
+
+**Supported Objects**: DeploymentLike
+
+**Parameters**:
+```
+[
+	{
+		"name": "minReplicas",
+		"type": "integer",
+		"description": "The minimum number of replicas a deployment must have before anti-affinity is enforced on it",
+		"required": false
+	}
+]
+
+```
+
 ## CPU Requirements
 
 **Key**: `cpu-requirements`

diff --git a/internal/builtinchecks/built_in_checks.go b/internal/builtinchecks/built_in_checks.go
@@ -43,7 +43,7 @@ func List() ([]check.Check, error) {
 			}
 			var chk check.Check
 			if err := yaml.Unmarshal(contents, &chk); err != nil {
-				loadErr = errors.Wrapf(err, "unmarshaling default check from %s", fileName)
+				loadErr = errors.Wrapf(err, "unmarshalling default check from %s", fileName)
 				return
 			}
 			list = append(list, chk)

diff --git a/internal/builtinchecks/yamls/no-anti-affinity.yaml b/internal/builtinchecks/yamls/no-anti-affinity.yaml
@@ -0,0 +1,13 @@
+name: "no-anti-affinity"
+description: "Alert on deployments with multiple replicas that don't specify inter pod anti-affinity to ensure that the orchestrator attempts to schedule replicas on different nodes"
+remediation: >-
+  Specify anti-affinity in your pod spec to ensure that the orchestrator attempts to schedule replicas on different nodes.
+  You can do this by using podAntiAffinity, specifying a labelSelector that matches pods of this deployment,
+  and setting the topologyKey to kubernetes.io/hostname.
+  See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity for more details.
+scope:
+  objectKinds:
+    - DeploymentLike
+template: "anti-affinity"
+params:
+  minReplicas: 2
diff --git a/internal/defaultchecks/default_checks.go b/internal/defaultchecks/default_checks.go
@@ -11,6 +11,7 @@ var (
 		"deprecated-service-account-field",
 		"env-var-secret",
 		"mismatching-selector",
+		"no-anti-affinity",
 		"no-extensions-v1beta",
 		"no-read-only-root-fs",
 		"non-existent-service-account",

diff --git a/internal/extract/pod_spec.go b/internal/extract/pod_spec.go
@@ -72,3 +72,25 @@ func Selector(obj k8sutil.Object) (*metaV1.LabelSelector, bool) {
 	}
 	return nil, false
 }
+
+// Replicas extracts replicas from the given object, if available.
+func Replicas(obj k8sutil.Object) (int32, bool) {
+	objValue := reflect.Indirect(reflect.ValueOf(obj))
+	spec := objValue.FieldByName("Spec")
+	if !spec.IsValid() {
+		return 0, false
+	}
+	replicas := spec.FieldByName("Replicas")
+	if !replicas.IsValid() {
+		return 0, false
+	}
+	numReplicas, ok := replicas.Interface().(*int32)
+	if ok {
+		if numReplicas != nil {
+			return *numReplicas, true
+		}
+		// If numReplicas is a `nil` pointer, then it defaults to 1.
+		return 1, true
+	}
+	return 0, false
+}
diff --git a/internal/templates/all/all.go b/internal/templates/all/all.go
@@ -2,6 +2,7 @@ package all
 
 import (
 	// Import all check templates.
+	_ "golang.stackrox.io/kube-linter/internal/templates/antiaffinity"
 	_ "golang.stackrox.io/kube-linter/internal/templates/cpurequirements"
 	_ "golang.stackrox.io/kube-linter/internal/templates/danglingservice"
 	_ "golang.stackrox.io/kube-linter/internal/templates/deprecatedserviceaccount"

diff --git a/internal/templates/antiaffinity/internal/params/gen-params.go b/internal/templates/antiaffinity/internal/params/gen-params.go
diff --git a/internal/templates/antiaffinity/internal/params/params.go b/internal/templates/antiaffinity/internal/params/params.go
@@ -0,0 +1,8 @@
+package params
+
+// Params represents the params accepted by this template.
+type Params struct {
+
+	// The minimum number of replicas a deployment must have before anti-affinity is enforced on it
+	MinReplicas int
+}
diff --git a/internal/templates/antiaffinity/template.go b/internal/templates/antiaffinity/template.go
@@ -0,0 +1,83 @@
+package antiaffinity
+
+import (
+	"fmt"
+
+	"golang.stackrox.io/kube-linter/internal/check"
+	"golang.stackrox.io/kube-linter/internal/diagnostic"
+	"golang.stackrox.io/kube-linter/internal/extract"
+	"golang.stackrox.io/kube-linter/internal/lintcontext"
+	"golang.stackrox.io/kube-linter/internal/objectkinds"
+	"golang.stackrox.io/kube-linter/internal/templates"
+	"golang.stackrox.io/kube-linter/internal/templates/antiaffinity/internal/params"
+	coreV1 "k8s.io/api/core/v1"
+	metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+)
+
+func init() {
+	templates.Register(check.Template{
+		HumanName:   "Anti affinity not specified",
+		Key:         "anti-affinity",
+		Description: "Flag objects with multiple replicas but inter-pod anti affinity not specified in the pod template spec",
+		SupportedObjectKinds: check.ObjectKindsDesc{
+			ObjectKinds: []string{objectkinds.DeploymentLike},
+		},
+		Parameters:             params.ParamDescs,
+		ParseAndValidateParams: params.ParseAndValidate,
+		Instantiate: params.WrapInstantiateFunc(func(p params.Params) (check.Func, error) {
+			return func(_ *lintcontext.LintContext, object lintcontext.Object) []diagnostic.Diagnostic {
+				replicas, found := extract.Replicas(object.K8sObject)
+				if !found {
+					return nil
+				}
+				if int(replicas) < p.MinReplicas {
+					return nil
+				}
+				podTemplateSpec, hasPods := extract.PodTemplateSpec(object.K8sObject)
+				if !hasPods {
+					return nil
+				}
+				if affinity := podTemplateSpec.Spec.Affinity; affinity != nil && affinity.PodAntiAffinity != nil {
+					preferredAffinity := affinity.PodAntiAffinity.PreferredDuringSchedulingIgnoredDuringExecution
+					requiredAffinity := affinity.PodAntiAffinity.RequiredDuringSchedulingIgnoredDuringExecution
+					for _, preferred := range preferredAffinity {
+						if affinityTermMatchesLabelsAgainstNodes(preferred.PodAffinityTerm, podTemplateSpec.Namespace, podTemplateSpec.Labels) {
+							return nil
+						}
+					}
+					for _, required := range requiredAffinity {
+						if affinityTermMatchesLabelsAgainstNodes(required, podTemplateSpec.Namespace, podTemplateSpec.Labels) {
+							return nil
+						}
+					}
+				}
+				return []diagnostic.Diagnostic{{Message: fmt.Sprintf("object has %d replicas but does not specify inter pod anti-affinity", replicas)}}
+			}, nil
+		}),
+	})
+}
+
+func affinityTermMatchesLabelsAgainstNodes(affinityTerm coreV1.PodAffinityTerm, podNamespace string, podLabels map[string]string) bool {
+	// If namespaces is not specified in the affinity term, that means the affinity term implicitly applies to the pod's namespace.
+	if len(affinityTerm.Namespaces) > 0 {
+		var matchingNSFound bool
+		for _, ns := range affinityTerm.Namespaces {
+			if ns == podNamespace {
+				matchingNSFound = true
+				break
+			}
+		}
+		if !matchingNSFound {
+			return false
+		}
+	}
+	labelSelector, err := metaV1.LabelSelectorAsSelector(affinityTerm.LabelSelector)
+	if err != nil {
+		return false
+	}
+	if affinityTerm.TopologyKey == "kubernetes.io/hostname" && labelSelector.Matches(labels.Set(podLabels)) {
+		return true
+	}
+	return false
+}