Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions internal/module/module.go
Original file line number Diff line number Diff line change
Expand Up @@ -284,6 +284,10 @@ func mapContainerRules(linterSettings *pkg.LintersSettings, configSettings *conf
globalConfig.Container.Rules.ReadinessRule.Impact,
configSettings.Container.Impact,
)
linterSettings.Container.Rules.MountPointsRule.SetLevel(
globalConfig.Container.Rules.MountPointsRule.Impact,
configSettings.Container.Impact,
)
}

// mapImageRules configures Image linter rules
Expand Down Expand Up @@ -341,6 +345,7 @@ func mapTemplatesRules(linterSettings *pkg.LintersSettings, configSettings *conf
rules.ClusterDomainRule.SetLevel(globalRules.ClusterDomainRule.Impact, fallbackImpact)
rules.RegistryRule.SetLevel(globalRules.RegistryRule.Impact, fallbackImpact)
rules.EnabledModulesRule.SetLevel(globalRules.EnabledModulesRule.Impact, fallbackImpact)
rules.MountPointsRule.SetLevel(globalRules.MountPointsRule.Impact, fallbackImpact)
}

// mapOpenAPIRules configures OpenAPI linter rules
Expand Down Expand Up @@ -408,6 +413,7 @@ func mapContainerExclusions(linterSettings *pkg.LintersSettings, configSettings
excludes.SeccompProfile = configExcludes.SeccompProfile.Get()
excludes.NoNewPrivileges = configExcludes.NoNewPrivileges.Get()
excludes.Description = pkg.StringRuleExcludeList(configExcludes.Description)
excludes.MountPoints = pkg.StringRuleExcludeList(configExcludes.MountPoints)
Comment thread
Copilot marked this conversation as resolved.
}

// mapImageExclusionsAndSettings maps Image linter exclusions and additional settings
Expand Down Expand Up @@ -455,6 +461,7 @@ func mapTemplatesExclusionsAndSettings(linterSettings *pkg.LintersSettings, conf
excludes.Ingress = configExcludes.Ingress.Get()
excludes.EnabledModules.Files = pkg.StringRuleExcludeList(configExcludes.EnabledModules.Files)
excludes.EnabledModules.Directories = pkg.DirectoryRuleExcludeList(configExcludes.EnabledModules.Directories)
excludes.MountPoints = pkg.StringRuleExcludeList(configExcludes.MountPoints)

// Additional settings
linterSettings.Templates.PrometheusRuleSettings.Disable = configSettings.Templates.PrometheusRules.Disable
Expand Down
4 changes: 4 additions & 0 deletions pkg/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -142,6 +142,7 @@ type TemplatesLinterRules struct {
RegistryRule RuleConfig
HTTPRouteRule RuleConfig
EnabledModulesRule RuleConfig
MountPointsRule RuleConfig
}

type PrometheusRuleSettings struct {
Expand All @@ -159,6 +160,7 @@ type TemplatesExcludeRules struct {
Ingress KindRuleExcludeList
HTTPRoute KindRuleExcludeList
EnabledModules EnabledModulesExcludeRule
MountPoints StringRuleExcludeList
}

type EnabledModulesExcludeRule struct {
Expand Down Expand Up @@ -343,6 +345,7 @@ type ContainerLinterRules struct {
PortsRule RuleConfig
LivenessRule RuleConfig
ReadinessRule RuleConfig
MountPointsRule RuleConfig
}

type ContainerExcludeRules struct {
Expand All @@ -363,6 +366,7 @@ type ContainerExcludeRules struct {
Readiness ContainerRuleExcludeList

Description StringRuleExcludeList
MountPoints StringRuleExcludeList
}

type StringRuleExcludeList []string
Expand Down
2 changes: 2 additions & 0 deletions pkg/config/global/global.go
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,7 @@ type ContainerRules struct {
PortsRule RuleConfig `mapstructure:"ports"`
LivenessRule RuleConfig `mapstructure:"liveness-probe"`
ReadinessRule RuleConfig `mapstructure:"readiness-probe"`
MountPointsRule RuleConfig `mapstructure:"mount-points"`
}

type ImagesLinterConfig struct {
Expand Down Expand Up @@ -139,6 +140,7 @@ type TemplatesLinterRules struct {
ClusterDomainRule RuleConfig `mapstructure:"cluster-domain"`
RegistryRule RuleConfig `mapstructure:"registry"`
EnabledModulesRule RuleConfig `mapstructure:"enabled-modules"`
MountPointsRule RuleConfig `mapstructure:"mount-points"`
}

func (c LinterConfig) IsWarn() bool {
Expand Down
3 changes: 3 additions & 0 deletions pkg/config/linters_settings.go
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,7 @@ type ContainerExcludeRules struct {
Readiness ContainerRuleExcludeList `mapstructure:"readiness-probe"`

Description StringRuleExcludeList `mapstructure:"description"`
MountPoints StringRuleExcludeList `mapstructure:"mount-points"`
}

type HooksSettings struct {
Expand Down Expand Up @@ -228,6 +229,7 @@ type TemplatesLinterRules struct {
ClusterDomainRule RuleConfig `mapstructure:"cluster-domain"`
RegistryRule RuleConfig `mapstructure:"registry"`
EnabledModulesRule RuleConfig `mapstructure:"enabled-modules"`
MountPointsRule RuleConfig `mapstructure:"mount-points"`
}

type TemplatesExcludeRules struct {
Expand All @@ -237,6 +239,7 @@ type TemplatesExcludeRules struct {
KubeRBACProxy StringRuleExcludeList `mapstructure:"kube-rbac-proxy"`
Ingress KindRuleExcludeList `mapstructure:"ingress"`
EnabledModules EnabledModulesExcludeRule `mapstructure:"enabled-modules"`
MountPoints StringRuleExcludeList `mapstructure:"mount-points"`
}

type EnabledModulesExcludeRule struct {
Expand Down
4 changes: 4 additions & 0 deletions pkg/linters/container/container.go
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,8 @@ type Container struct {
name, desc string
cfg *pkg.ContainerLinterConfig
ErrorList *errors.LintRuleErrorsList

modulePath string
}

func New(containerCfg *pkg.ContainerLinterConfig, errorList *errors.LintRuleErrorsList) *Container {
Expand All @@ -49,6 +51,8 @@ func (l *Container) Run(m *module.Module) {

errorList := l.ErrorList.WithModule(m.GetName())

l.modulePath = m.GetPath()

storage := m.GetStorage()
for _, object := range storage {
l.applyContainerRules(object, storage, errorList)
Expand Down
4 changes: 4 additions & 0 deletions pkg/linters/container/rules.go
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,10 @@ func (l *Container) applyContainerRules(object storage.StoreObject, storageMap m
func(object storage.StoreObject, containers []corev1.Container, errorList *errors.LintRuleErrorsList) {
rules.NewPortsRule(l.cfg.ExcludeRules.Ports.Get()).ContainerPorts(object, containers, errorList.WithMaxLevel(l.cfg.Rules.PortsRule.GetLevel()))
},
func(object storage.StoreObject, containers []corev1.Container, errorList *errors.LintRuleErrorsList) {
rules.NewMountPointsRule(l.cfg.ExcludeRules.MountPoints.Get(), l.modulePath).
CheckMountPaths(object, containers, errorList.WithMaxLevel(l.cfg.Rules.MountPointsRule.GetLevel()))
},
}

for _, rule := range containerRules {
Expand Down
142 changes: 142 additions & 0 deletions pkg/linters/container/rules/mount_points.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,142 @@
/*
Copyright 2026 Flant JSC

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package rules

import (
"os"
"path/filepath"
"strings"
"sync"

"gopkg.in/yaml.v3"
corev1 "k8s.io/api/core/v1"

"github.com/deckhouse/dmt/internal/storage"
"github.com/deckhouse/dmt/pkg"
"github.com/deckhouse/dmt/pkg/errors"
)

const (
MountPointsRuleName = "mount-points"
)

type mountPointsFile struct {
Dirs []string `yaml:"dirs"`
}

func NewMountPointsRule(excludeRules []pkg.StringRuleExclude, modulePath string) *MountPointsRule {
return &MountPointsRule{
RuleMeta: pkg.RuleMeta{
Name: MountPointsRuleName,
},
StringRule: pkg.StringRule{
ExcludeRules: excludeRules,
},
mountPointsDirs: collectMountPointsDirs(modulePath),
}
}

type MountPointsRule struct {
pkg.RuleMeta
pkg.StringRule
mountPointsDirs map[string]bool
}

// CheckMountPaths verifies that every volumeMount.mountPath in pod controllers
// is declared in at least one mount-points.yaml file in the module.
//
// Direction: templates → mount-points.yaml (reverse of the existing templates rule).
func (r *MountPointsRule) CheckMountPaths(object storage.StoreObject, containers []corev1.Container, errorList *errors.LintRuleErrorsList) {
errorList = errorList.WithRule(r.GetName()).WithFilePath(object.ShortPath())

if len(r.mountPointsDirs) == 0 {
return
}

switch object.Unstructured.GetKind() {
case "Deployment", "DaemonSet", "StatefulSet":
default:
return
}

for _, container := range containers {
for _, vm := range container.VolumeMounts {
normalizedPath := strings.TrimRight(vm.MountPath, "/")
if !r.Enabled(normalizedPath) {
continue
}

if !r.mountPointsDirs[normalizedPath] {
errorList.WithObjectID(object.Identity()).
Warnf("Container %q mountPath %q is not declared in any mount-points.yaml", container.Name, vm.MountPath)
}
}
}
}

var mpDirsCache sync.Map // map[string]map[string]bool

// collectMountPointsDirs walks the module directory and collects all dirs
// from mount-points.yaml files into a set keyed by normalized path.
// Results are cached per module path.
func collectMountPointsDirs(modulePath string) map[string]bool {
if cached, ok := mpDirsCache.Load(modulePath); ok {
return cached.(map[string]bool)
}

dirs := make(map[string]bool)

searchDir := filepath.Join(modulePath, "images")
if _, err := os.Stat(searchDir); os.IsNotExist(err) {
mpDirsCache.Store(modulePath, dirs)
return dirs
}

_ = filepath.Walk(modulePath, func(path string, info os.FileInfo, err error) error {
if err != nil {
return nil
}

if info.IsDir() {
return nil
}

if filepath.Base(path) != "mount-points.yaml" {
return nil
}

data, err := os.ReadFile(path)
if err != nil {
return nil
}

var mpf mountPointsFile
if err := yaml.Unmarshal(data, &mpf); err != nil {
return nil
}

for _, dir := range mpf.Dirs {
dirs[strings.TrimRight(dir, "/")] = true
}

return nil
})

mpDirsCache.Store(modulePath, dirs)

return dirs
}
Loading
Loading