syncable-cli 0.37.1

A Rust-based CLI that analyzes code repositories and generates Infrastructure as Code configurations
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141

//! Host mount detection templates.

use crate::analyzer::kubelint::context::Object;
use crate::analyzer::kubelint::extract;
use crate::analyzer::kubelint::templates::{CheckFunc, ParameterDesc, Template, TemplateError};
use crate::analyzer::kubelint::types::{Diagnostic, ObjectKindsDesc};

/// Template for detecting host path mounts.
pub struct HostMountsTemplate;

impl Template for HostMountsTemplate {
    fn key(&self) -> &str {
        "host-mounts"
    }

    fn human_name(&self) -> &str {
        "Host Mounts"
    }

    fn description(&self) -> &str {
        "Detects containers with host path volume mounts"
    }

    fn supported_object_kinds(&self) -> ObjectKindsDesc {
        ObjectKindsDesc::default()
    }

    fn parameters(&self) -> Vec<ParameterDesc> {
        Vec::new()
    }

    fn instantiate(
        &self,
        _params: &serde_yaml::Value,
    ) -> Result<Box<dyn CheckFunc>, TemplateError> {
        Ok(Box::new(HostMountsCheck))
    }
}

struct HostMountsCheck;

impl CheckFunc for HostMountsCheck {
    fn check(&self, object: &Object) -> Vec<Diagnostic> {
        let mut diagnostics = Vec::new();

        if let Some(pod_spec) = extract::pod_spec::extract_pod_spec(&object.k8s_object) {
            for volume in &pod_spec.volumes {
                if let Some(host_path) = &volume.host_path {
                    diagnostics.push(Diagnostic {
                        message: format!(
                            "Volume '{}' mounts host path '{}'",
                            volume.name, host_path.path
                        ),
                        remediation: Some(
                            "Avoid using hostPath volumes as they provide access to the host filesystem. \
                             Use PersistentVolumeClaims or ConfigMaps instead.".to_string()
                        ),
                    });
                }
            }
        }

        diagnostics
    }
}

/// Template for detecting writable host path mounts.
pub struct WritableHostMountTemplate;

impl Template for WritableHostMountTemplate {
    fn key(&self) -> &str {
        "writable-host-mount"
    }

    fn human_name(&self) -> &str {
        "Writable Host Mount"
    }

    fn description(&self) -> &str {
        "Detects containers with writable host path volume mounts"
    }

    fn supported_object_kinds(&self) -> ObjectKindsDesc {
        ObjectKindsDesc::default()
    }

    fn parameters(&self) -> Vec<ParameterDesc> {
        Vec::new()
    }

    fn instantiate(
        &self,
        _params: &serde_yaml::Value,
    ) -> Result<Box<dyn CheckFunc>, TemplateError> {
        Ok(Box::new(WritableHostMountCheck))
    }
}

struct WritableHostMountCheck;

impl CheckFunc for WritableHostMountCheck {
    fn check(&self, object: &Object) -> Vec<Diagnostic> {
        let mut diagnostics = Vec::new();

        if let Some(pod_spec) = extract::pod_spec::extract_pod_spec(&object.k8s_object) {
            // Find host path volumes
            let host_volumes: std::collections::HashSet<_> = pod_spec
                .volumes
                .iter()
                .filter(|v| v.host_path.is_some())
                .map(|v| v.name.as_str())
                .collect();

            // Check each container's volume mounts
            for container in extract::container::all_containers(pod_spec) {
                for mount in &container.volume_mounts {
                    if host_volumes.contains(mount.name.as_str()) {
                        // Default is writable (readOnly: false)
                        let is_writable = mount.read_only != Some(true);

                        if is_writable {
                            diagnostics.push(Diagnostic {
                                message: format!(
                                    "Container '{}' has writable host mount at '{}'",
                                    container.name, mount.mount_path
                                ),
                                remediation: Some(
                                    "Set volumeMounts.readOnly to true for host path mounts, \
                                     or avoid using hostPath volumes entirely."
                                        .to_string(),
                                ),
                            });
                        }
                    }
                }
            }
        }

        diagnostics
    }
}