K8s manifest hardening + new bluejay-infra-lint test project

Manifest hardening (per documented memories): - apps/asterisk/deployment.yaml: dnsPolicy: None + explicit dnsConfig with ndots:2 to prevent CoreDNS *.iamworkin.lan template from hijacking external egress (downloads.asterisk.org). - apps/fc-llm-bridge/fc-llm-bridge.yaml: same dnsConfig pattern for api.anthropic.com egress. - apps/fc-ttsreader/fc-ttsreader.yaml: same dnsConfig pattern for huggingface.co model seeding. - apps/fc-messageboard/fc-messageboard.yaml: tcpSocket probes (replacing httpGet /health) per "Probes against /health 404 when app has global auth middleware". - apps/fc-signalcontrol/fc-signalcontrol.yaml: same tcpSocket probe fix. New lint project: - tests/bluejay-infra-lint/BluejayInfraLint.Tests.csproj — local-first lint test sweep for the recurring K8s gotchas in the fleet. - tests/bluejay-infra-lint/FleetManifestLintTests.cs — 7 lint tests covering tcpSocket probes, dnsConfig presence on egress-heavy pods, IngressRoute/Service namespace alignment, image pull policy, etc. - tests/bluejay-infra-lint/conftest.dev/ — matching conftest policies for environments with conftest/opa. - .gitignore — adds bin/ + obj/ + DS_Store/swp. README.md adds a "Local manifest lint" section with the canonical test command, plus 4 new gotcha entries (IngressRoute namespace split, public read-only host method allowlists, Traefik VIP netpol backend ports, auth-safe probes). Tests: 7 / 7 lint tests passed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-04 03:18:04 -05:00
parent 7a9098d3bd
commit 0b52093b36
16 changed files with 844 additions and 26 deletions
--- a/tests/bluejay-infra-lint/conftest.dev/05_statefulset_volumeclaim_defaults.rego
+++ b/tests/bluejay-infra-lint/conftest.dev/05_statefulset_volumeclaim_defaults.rego
@@ -0,0 +1,23 @@
+package bluejayinfra.statefulset_volumeclaim_defaults
+
+deny[msg] {
+  input.kind == "StatefulSet"
+  count(object.get(input.spec, "volumeClaimTemplates", [])) > 0
+  object.get(input.spec, "podManagementPolicy", "") == ""
+  msg := sprintf("StatefulSet %s/%s is missing spec.podManagementPolicy", [input.metadata.namespace, input.metadata.name])
+}
+
+deny[msg] {
+  input.kind == "StatefulSet"
+  count(object.get(input.spec, "volumeClaimTemplates", [])) > 0
+  object.get(input.spec, "revisionHistoryLimit", 0) == 0
+  msg := sprintf("StatefulSet %s/%s is missing spec.revisionHistoryLimit", [input.metadata.namespace, input.metadata.name])
+}
+
+deny[msg] {
+  input.kind == "StatefulSet"
+  claim := input.spec.volumeClaimTemplates[_]
+  object.get(claim.spec, "volumeMode", "") != "Filesystem"
+  claim_name := object.get(claim.metadata, "name", "<unnamed>")
+  msg := sprintf("StatefulSet %s/%s volumeClaimTemplate %s is missing volumeMode: Filesystem", [input.metadata.namespace, input.metadata.name, claim_name])
+}