dangling service monitor

Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>

Author: janisz

docs/generated/templates.md

@@ -75,7 +75,9 @@ KubeLinter supports the following templates:
 **Parameters**:
 
 ```yaml
-- description: Check is a CEL expression used to validate the subject and objects.
+- description: 'Check contains a CEL expression for validation logic. Two predefined
+    variables are available: ''object'' (the current Kubernetes object being processed)
+    and ''objects'' (all objects being linted).'
   name: check
   negationAllowed: true
   regexAllowed: false

e2etests/bats-tests.sh

@@ -25,12 +25,24 @@ get_value_from() {
   [ "$status" -eq 1 ]
 
   message1=$(get_value_from "${lines[0]}" '.Reports[0].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[0].Diagnostic.Message')
-  failing_resource=$(get_value_from "${lines[0]}" '.Reports[1].Object.K8sObject.Name')
+  message2=$(get_value_from "${lines[0]}" '.Reports[1].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[1].Diagnostic.Message')
+  message3=$(get_value_from "${lines[0]}" '.Reports[2].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[2].Diagnostic.Message')
+  message4=$(get_value_from "${lines[0]}" '.Reports[3].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[3].Diagnostic.Message')
+  message5=$(get_value_from "${lines[0]}" '.Reports[4].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[4].Diagnostic.Message')
+  message6=$(get_value_from "${lines[0]}" '.Reports[5].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[5].Diagnostic.Message')
+
   count=$(get_value_from "${lines[0]}" '.Reports | length')
 
+  echo $message2
+
   [[ "${message1}" == "Deployment: CEL check expression returned: Object has reloader annotation" ]]
-  [[ "${failing_resource}" == "bad-irsa-role" ]]
-  [[ "${count}" == "2" ]]
+  [[ "${message2}" == "ServiceAccount: CEL check expression returned: Invalid EKS IAM role ARN format" ]]
+  [[ "${message3}" == "ServiceMonitor: CEL check expression returned: no services found matching the service monitor's label selector and namespace selector" ]]
+  [[ "${message4}" == "ServiceMonitor: CEL check expression returned: no services found matching the service monitor's label selector and namespace selector" ]]
+  [[ "${message5}" == "ServiceMonitor: CEL check expression returned: no services found matching the service monitor's label selector and namespace selector" ]]
+  [[ "${message6}" == "ServiceMonitor: CEL check expression returned: no services found matching the service monitor's label selector and namespace selector" ]]
+
+  [[ "${count}" == "6" ]]
 }
 
 @test "template-check-installed-bash-version" {

e2etests/testdata/cel-config.yaml

@@ -3,14 +3,15 @@ checks:
 customChecks:
   - name: "cel-forbidden-annotation"
     description: "cel espression cehck"
-    remediation: "Remove reloader.stakater.com/auto annotation"
+    remediation: "Remove foo.bar/baz annotation"
     scope:
       objectKinds:
         - DeploymentLike
     template: "cel-expression"
     params:
       check: |
-        has(subject.metadata.annotations) && subject.metadata.annotations["reloader.stakater.com/auto"] == "true" ? "Object has reloader annotation" : ""
+        has(object.metadata.annotations) && object.metadata.annotations["foo.bar/baz"] == "true" ? "Object has reloader annotation" : ""
+
   - name: invalid-irsa-role
     description: "IRSA annotations must have a valid IAM Role ARN value"
     remediation: "Validate the format of the annotation's value to ensure it is a valid IAM Role ARN"
@@ -20,4 +21,39 @@ customChecks:
     template: "cel-expression"
     params:
       check: |
-        subject.metadata.annotations["eks.amazonaws.com/role-arn"].matches("^arn:aws:iam::\\d{12}:role/[\\w+=,.@-]{1,64}$") ? "" : "Invalid EKS IAM role ARN format"
+        object.metadata.annotations["eks.amazonaws.com/role-arn"].matches("^arn:aws:iam::\\d{12}:role/[\\w+=,.@-]{1,64}$") ? "" : "Invalid EKS IAM role ARN format"
+
+  - name: "cel-dangling-servicemonitor"
+    description: "Flag service monitors which do not match any service"
+    remediation: "Ensure the ServiceMonitor's selector matches at least one Service"
+    scope:
+      objectKinds:
+        - ServiceMonitor
+    template: "cel-expression"
+    params:
+      check: |
+        // Check if ServiceMonitor has selectors
+        (!has(object.spec.selector.matchLabels) || size(object.spec.selector.matchLabels) == 0) &&
+        (!has(object.spec.namespaceSelector.matchNames) || size(object.spec.namespaceSelector.matchNames) == 0) &&
+        (!has(object.spec.namespaceSelector.any) || !object.spec.namespaceSelector.any) ?
+        "service monitor has no selector specified" :
+
+        // Check if any services match the ServiceMonitor's selectors
+        !objects.exists(obj,
+          obj.kind == "Service" &&
+          (
+            // Check namespace selector
+            (has(object.spec.namespaceSelector.any) && object.spec.namespaceSelector.any) ||
+            (has(object.spec.namespaceSelector.matchNames) &&
+             object.spec.namespaceSelector.matchNames.exists(ns, ns == (has(obj.metadata.namespace) ? obj.metadata.namespace : ""))) ||
+            (!has(object.spec.namespaceSelector.matchNames) && !has(object.spec.namespaceSelector.any))
+          ) &&
+          (
+            // Check label selector
+            (!has(object.spec.selector.matchLabels) || size(object.spec.selector.matchLabels) == 0) ||
+            (has(obj.metadata.labels) &&
+             object.spec.selector.matchLabels.all(key, key in obj.metadata.labels &&
+                                                 obj.metadata.labels[key] == object.spec.selector.matchLabels[key]))
+          )
+        ) ?
+        "no services found matching the service monitor's label selector and namespace selector" : ""

memoryrequirements.rego

@@ -1,8 +1,8 @@
 package params
 
-// Params represents the params accepted by this template.
+// Params defines the configuration parameters for this template.
 type Params struct {
-	// Check is a CEL expression used to validate the subject and objects.
+	// Check contains a CEL expression for validation logic. Two predefined variables are available: 'object' (the current Kubernetes object being processed) and 'objects' (all objects being linted).
 	// +required
 	// +noregex
 	Check string

pkg/templates/cel/internal/params/gen-params.go

@@ -47,45 +47,45 @@ func init() {
 	})
 }
 
-func evaluate(check string, subject lintcontext.Object, objects []lintcontext.Object) (string, error) {
-	// Convert subject to map via JSON marshaling/unmarshaling for CEL compatibility
+func evaluate(check string, object lintcontext.Object, objects []lintcontext.Object) (string, error) {
+	// Convert object to map via JSON marshaling/unmarshaling for CEL compatibility
 	// We need to marshal the underlying K8sObject, not the lintcontext.Object
-	subjectMap, err := toMap(subject.K8sObject)
+	objectMap, err := toMap(object.K8sObject)
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("failed to convert object to map: %w", err)
 	}
 
 	// Convert objects to maps via JSON marshaling/unmarshaling
 	objectsMaps := make([]map[string]any, len(objects))
 	for i, obj := range objects {
 		objMap, err := toMap(obj.K8sObject)
 		if err != nil {
-			return "", err
+			return "", fmt.Errorf("failed to convert object %s to map: %w", obj.GetK8sObjectName().String(), err)
 		}
 		objectsMaps[i] = objMap
 	}
 
 	e, err := cel.NewEnv(
-		cel.Variable("subject", cel.MapType(cel.StringType, cel.AnyType)),
+		cel.Variable("object", cel.MapType(cel.StringType, cel.AnyType)),
 		cel.Variable("objects", cel.ListType(cel.MapType(cel.StringType, cel.AnyType))),
 	)
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("failed to create CEL environment: %w", err)
 	}
 	ast, iss := e.Compile(check)
 	if iss.Err() != nil {
-		return "", iss.Err()
+		return "", fmt.Errorf("failed to compile CEL expression: %w", iss.Err())
 	}
 	prg, err := e.Program(ast)
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("failed to create CEL program: %w", err)
 	}
 	out, _, err := prg.Eval(map[string]any{
-		"subject": subjectMap,
+		"object":  objectMap,
 		"objects": objectsMaps,
 	})
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("failed to evaluate CEL expression: %w", err)
 	}
 
 	o, ok := out.Value().(string)
@@ -98,11 +98,11 @@ func evaluate(check string, subject lintcontext.Object, objects []lintcontext.Ob
 func toMap(obj any) (map[string]any, error) {
 	bytes, err := json.Marshal(obj)
 	if err != nil {
-		return nil, fmt.Errorf("failed to marshal subject: %w", err)
+		return nil, fmt.Errorf("failed to marshal object: %w", err)
 	}
 	var output map[string]any
 	if err := json.Unmarshal(bytes, &output); err != nil {
-		return nil, fmt.Errorf("failed to unmarshal subject: %w", err)
+		return nil, fmt.Errorf("failed to unmarshal object: %w", err)
 	}
 	return output, nil
 }

pkg/templates/cel/internal/params/params.go

@@ -13,15 +13,15 @@ func TestEvaluate(t *testing.T) {
 	tests := []struct {
 		name        string
 		check       string
-		subject     lintcontext.Object
+		object      lintcontext.Object
 		objects     []lintcontext.Object
 		expectedMsg string
 		expectError bool
 	}{
 		{
 			name:  "simple string return",
 			check: `"test message"`,
-			subject: lintcontext.Object{
+			object: lintcontext.Object{
 				K8sObject: &corev1.Pod{
 					ObjectMeta: metav1.ObjectMeta{Name: "test-pod"},
 				},
@@ -31,9 +31,9 @@ func TestEvaluate(t *testing.T) {
 			expectError: false,
 		},
 		{
-			name:  "conditional message based on subject",
-			check: `subject.metadata.name == "test-pod" ? "pod found" : "pod not found"`,
-			subject: lintcontext.Object{
+			name:  "conditional message based on object",
+			check: `object.metadata.name == "test-pod" ? "pod found" : "pod not found"`,
+			object: lintcontext.Object{
 				K8sObject: &corev1.Pod{
 					ObjectMeta: metav1.ObjectMeta{Name: "test-pod"},
 				},
@@ -45,7 +45,7 @@ func TestEvaluate(t *testing.T) {
 		{
 			name:  "check objects list length",
 			check: `size(objects) > 0 ? "objects found" : "no objects"`,
-			subject: lintcontext.Object{
+			object: lintcontext.Object{
 				K8sObject: &corev1.Pod{
 					ObjectMeta: metav1.ObjectMeta{Name: "test-pod"},
 				},
@@ -61,9 +61,9 @@ func TestEvaluate(t *testing.T) {
 			expectError: false,
 		},
 		{
-			name:  "complex expression with subject properties",
-			check: `subject.metadata.namespace == "default" && subject.metadata.name.startsWith("test") ? "valid test object" : "invalid object"`,
-			subject: lintcontext.Object{
+			name:  "complex expression with object properties",
+			check: `object.metadata.namespace == "default" && object.metadata.name.startsWith("test") ? "valid test object" : "invalid object"`,
+			object: lintcontext.Object{
 				K8sObject: &corev1.Pod{
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "test-pod",
@@ -78,7 +78,7 @@ func TestEvaluate(t *testing.T) {
 		{
 			name:  "empty string return",
 			check: `""`,
-			subject: lintcontext.Object{
+			object: lintcontext.Object{
 				K8sObject: &corev1.Pod{
 					ObjectMeta: metav1.ObjectMeta{Name: "test-pod"},
 				},
@@ -90,7 +90,7 @@ func TestEvaluate(t *testing.T) {
 		{
 			name:  "invalid CEL expression",
 			check: `invalid syntax here`,
-			subject: lintcontext.Object{
+			object: lintcontext.Object{
 				K8sObject: &corev1.Pod{
 					ObjectMeta: metav1.ObjectMeta{Name: "test-pod"},
 				},
@@ -102,7 +102,7 @@ func TestEvaluate(t *testing.T) {
 		{
 			name:  "non-string return type",
 			check: `123`,
-			subject: lintcontext.Object{
+			object: lintcontext.Object{
 				K8sObject: &corev1.Pod{
 					ObjectMeta: metav1.ObjectMeta{Name: "test-pod"},
 				},
@@ -114,7 +114,7 @@ func TestEvaluate(t *testing.T) {
 		{
 			name:  "boolean return type",
 			check: `true`,
-			subject: lintcontext.Object{
+			object: lintcontext.Object{
 				K8sObject: &corev1.Pod{
 					ObjectMeta: metav1.ObjectMeta{Name: "test-pod"},
 				},
@@ -125,8 +125,8 @@ func TestEvaluate(t *testing.T) {
 		},
 		{
 			name:  "accessing nested properties",
-			check: `subject.metadata.labels.app == "web" ? "web app detected" : "not a web app"`,
-			subject: lintcontext.Object{
+			check: `object.metadata.labels.app == "web" ? "web app detected" : "not a web app"`,
+			object: lintcontext.Object{
 				K8sObject: &corev1.Pod{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-pod",
@@ -144,7 +144,7 @@ func TestEvaluate(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			msg, err := evaluate(tt.check, tt.subject, tt.objects)
+			msg, err := evaluate(tt.check, tt.object, tt.objects)
 
 			if tt.expectError {
 				assert.Error(t, err)