KubeLinterBot calls KubeLinter with one or more .yaml or .yml files, interprets KubeLinter's output and, if it finds a security problem, posts a comment on the relevant commit via the GitHub API. A KubeLinter binary (version 0.1.6) is included in the kubelinter folder; check https://github.com/stackrox/kube-linter/releases for updates.
1. If there is no file named kube-linter-bot-configuration.yaml in the KubeLinterBot folder, copy the sample file from the samples folder. Decide which port KubeLinterBot should listen on and set it as bot.port. Generate a long random secret (32 random bytes, hex-encoded, is plenty) and set it as user.secret. GitHub signs every webhook delivery with this secret, so without it anyone who learns the payload URL could trigger the bot with forged events. You will need the secret again later when installing the webhook(s).
2. Generate a personal access token at https://github.com/settings/tokens. If you don't want to generate a token now and your server has a browser you can use, you can skip this step and do step 5 instead. Note: the browser authorization is experimental and I do not recommend using it; I recommend doing this step and skipping step 5. Check the following scopes:
   - repo: if you want to lint private repositories, check repo. If you only want to lint public repositories, public_repo is enough.
   - admin:repo_hook (not yet implemented): will be needed once the bot can install webhooks automatically. Until then it is unused, so don't grant it; a token should carry no more scopes than the bot actually uses.
   Click "Generate token". GitHub displays the token only once; copy it to user.accessToken. The token authenticates every comment the bot posts, so keep the configuration file out of version control.
3. Run `make build` in the KubeLinterBot folder.
4. Run `./kube-linter-bot`.
5. (Skip if you did step 2.) Authorize with GitHub in your browser at https://localhost:7000 (adjust the port if you chose a different bot.port). You can revoke this authorization later in your GitHub account settings.
6. For every repository you want KubeLinterBot to watch, install a webhook (this will be automated in a future version) at https://github.com/[owner-of-repository-name]/[your-repository]/settings/hooks with these options:
   - Payload URL: the address of your KubeLinterBot server (it must be reachable from GitHub, preferably over HTTPS).
   - Content type: application/json
   - Secret: the secret you generated for the configuration file in step 1. This is what lets the bot reject deliveries that did not come from GitHub.
   - Select "Let me select individual events" and then choose "Pull requests" and "Pushes".
   - Make sure "Active" is checked.
   - Click "Add webhook". You're done!
When a push or pull-request event arrives from a watched repository, KubeLinterBot automatically calls KubeLinter, processes its output and posts the results as a commit comment (for a push event) or as a review comment requesting changes (for a pull request).
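The two parts of this setup that matter most for security are the webhook secret configured in step 1 and the event handling described above. The following Go program is an added example written for this page, not KubeLinterBot's own code: it shows how a receiver should validate GitHub's X-Hub-Signature-256 header against the configured secret before trusting a delivery at all, and how it picks the commit to lint out of push and pull_request payloads, which is where the choice between a commit comment and a review comment is made. The secret string, the JSON payloads in main and the function names are constructed for the example; the header name, the sha256= prefix and the payload fields (after, repository.full_name, action, number, pull_request.head.sha) are GitHub's documented ones.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Action is what a verified delivery asks the bot to do: which commit to lint
// and whether the result belongs in a commit comment or a pull-request review.
type Action struct {
	Event    string // "push" or "pull_request"
	Repo     string // "owner/name", used to build the GitHub API URL
	SHA      string // commit to fetch, lint and comment on
	PRNumber int    // set only for pull_request events
}

// signBody computes what GitHub sends in X-Hub-Signature-256: "sha256=" plus
// the hex HMAC-SHA256 of the raw request body under the shared webhook secret.
func signBody(secret string, body []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// verifySignature recomputes the MAC over the body exactly as received (before any
// JSON decoding) and compares in constant time, so timing cannot leak the secret.
func verifySignature(secret, header string, body []byte) bool {
	if secret == "" || !strings.HasPrefix(header, "sha256=") {
		return false // an unconfigured secret must fail closed, not accept everything
	}
	return hmac.Equal([]byte(signBody(secret, body)), []byte(header))
}

// parseEvent pulls the commit to lint out of the two event types the webhook
// subscribes to; other events, and PR actions that change no code, are rejected.
func parseEvent(event string, body []byte) (Action, error) {
	var p struct {
		Action      string `json:"action"`
		Number      int    `json:"number"`
		After       string `json:"after"`
		Repository  struct{ FullName string `json:"full_name"` } `json:"repository"`
		PullRequest struct{ Head struct{ SHA string `json:"sha"` } `json:"head"` } `json:"pull_request"`
	}
	if err := json.Unmarshal(body, &p); err != nil {
		return Action{}, fmt.Errorf("invalid payload: %w", err)
	}
	if p.Repository.FullName == "" {
		return Action{}, errors.New("payload has no repository.full_name")
	}
	switch event {
	case "push":
		if p.After == "" {
			return Action{}, errors.New("push payload has no after SHA")
		}
		return Action{Event: event, Repo: p.Repository.FullName, SHA: p.After}, nil
	case "pull_request":
		switch p.Action {
		case "opened", "synchronize", "reopened": // the only actions that bring new code
		default:
			return Action{}, fmt.Errorf("ignoring pull_request action %q", p.Action)
		}
		if p.PullRequest.Head.SHA == "" {
			return Action{}, errors.New("pull_request payload has no head SHA")
		}
		return Action{Event: event, Repo: p.Repository.FullName, SHA: p.PullRequest.Head.SHA, PRNumber: p.Number}, nil
	}
	return Action{}, fmt.Errorf("unsupported event %q", event)
}

// handleWebhook is the transport-independent core: signature first, then parsing.
// The int is the HTTP status the reply should carry; 200 with an error means "received but ignored".
func handleWebhook(secret, event, sigHeader string, body []byte) (Action, int, error) {
	if !verifySignature(secret, sigHeader, body) {
		return Action{}, http.StatusUnauthorized, errors.New("bad or missing X-Hub-Signature-256")
	}
	a, err := parseEvent(event, body)
	if err != nil {
		return Action{}, http.StatusOK, err
	}
	return a, http.StatusAccepted, nil
}

// main runs the core against constructed deliveries: one genuine, one forged.
func main() {
	secret := "replace-with-the-value-of-user.secret" // constructed for the demo
	push := []byte(`{"after":"0123abcd","repository":{"full_name":"octo/repo"}}`)
	a, status, err := handleWebhook(secret, "push", signBody(secret, push), push)
	fmt.Println(a, status, err)
	_, status, err = handleWebhook(secret, "push", "sha256=00", push) // forged signature
	fmt.Println(status, err)
}
```

To wire this into a real server, read the raw request body once (with a size cap) and pass the X-GitHub-Event and X-Hub-Signature-256 header values to handleWebhook; never verify against a re-serialized body, since any byte difference changes the MAC. Only after an Action comes back should the bot fetch the commit and run kube-linter on it.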
Deployment files for Kubernetes and a Dockerfile are included: the Kubernetes manifests are in the deployment folder and the Dockerfile is in the KubeLinterBot folder.