Add new check job-ttl-seconds-after-finished (stackrox#963) (stackrox#964)

wissamir · web-flow · commit c17833d87f7f · 2025-06-18T16:44:38.000+02:00
* Add new check job-ttl-seconds-after-finished (stackrox#963) The new check advices for - Setting ttlSecondsAfterFinished for standalone Job objects whenever it's not set - Unsetting ttlSecondsAfterFinished for managed Job objects whenever it's set
diff --git a/docs/generated/checks.md b/docs/generated/checks.md
@@ -277,6 +277,15 @@ minReplicas: 3
 **Remediation**: Ensure that port naming is in conjunction with the specification. For more information, please look at the Kubernetes Service specification on this page: https://kubernetes.io/docs/reference/_print/#ServiceSpec. And additional information about IANA Service naming can be found on the following page: https://www.rfc-editor.org/rfc/rfc6335.html#section-5.1.
 
 **Template**: [target-port](templates.md#target-port)
+## job-ttl-seconds-after-finished
+
+**Enabled by default**: Yes
+
+**Description**: Indicates when standalone jobs do not set ttlSecondsAfterFinished and when jobs managed by cronjob do set ttlSecondsAfterFinished.
+
+**Remediation**: Set Job.spec.ttlSecondsAfterFinished. Unset CronJob.Spec.JobTemplate.Spec.ttlSecondsAfterFinished.
+
+**Template**: [job-ttl-seconds-after-finished](templates.md#ttlsecondsafterfinished-impact-for-standalone-and-managed-job-objects)
 ## latest-tag
 
 **Enabled by default**: Yes
diff --git a/docs/generated/templates.md b/docs/generated/templates.md
@@ -414,6 +414,15 @@ KubeLinter supports the following templates:
   type: array
 ```
 
+## ttlSecondsAfterFinished impact for standalone and managed Job objects
+
+**Key**: `job-ttl-seconds-after-finished`
+
+**Description**: Flag standalone Job objects not setting ttlSecondsAfterFinished. Flag CronJob objects setting ttlSecondsAfterFinished
+
+**Supported Objects**: JobLike
+
+
 ## Latest Tag
 
 **Key**: `latest-tag`
diff --git a/e2etests/bats-tests.sh b/e2etests/bats-tests.sh
@@ -394,6 +394,21 @@ get_value_from() {
   [[ "${actual_messages[3]}" == "Deployment: port name \"123456\" in container \"invalid-target-ports\" must contain at least one letter (a-z)" ]]
 }
 
+@test "job-ttl-seconds-after-finished" {
+  tmp="tests/checks/job-ttl-seconds-after-finished.yaml"
+  cmd="${KUBE_LINTER_BIN} lint --include job-ttl-seconds-after-finished --do-not-auto-add-defaults --format json ${tmp}"
+  run ${cmd}
+
+  message1=$(get_value_from "${lines[0]}" '.Reports[0].Object.K8sObject.GroupVersionKind.Kind + " " + .Reports[0].Object.K8sObject.Name + ": " + .Reports[0].Diagnostic.Message')
+  message2=$(get_value_from "${lines[0]}" '.Reports[1].Object.K8sObject.GroupVersionKind.Kind + " " + .Reports[1].Object.K8sObject.Name + ": " + .Reports[1].Diagnostic.Message')
+
+  [[ "${message1}" == "Job bad-job: Standalone Job does not specify ttlSecondsAfterFinished" ]]
+  [[ "${message2}" == "CronJob bad-cronjob: Managed Job specifies ttlSecondsAfterFinished which might conflict with successfulJobsHistoryLimit and failedJobsHistoryLimit from CronJob that have default values. Final behaviour is determined by the strictest parameter, and therefore, setting ttlSecondsAfterFinished at the job level can result with unexpected behaviour with regard to finished jobs removal" ]]
+
+  count=$(get_value_from "${lines[0]}" '.Reports | length')
+  [[ "${count}" == "2" ]]
+}
+
 @test "latest-tag" {
   tmp="tests/checks/latest-tag.yml"
   cmd="${KUBE_LINTER_BIN} lint --include latest-tag --do-not-auto-add-defaults --format json ${tmp}"
diff --git a/internal/defaultchecks/default_checks.go b/internal/defaultchecks/default_checks.go
@@ -17,6 +17,7 @@ var (
 		"host-network",
 		"host-pid",
 		"invalid-target-ports",
+		"job-ttl-seconds-after-finished",
 		"latest-tag",
 		"liveness-port",
 		"mismatching-selector",
diff --git a/pkg/builtinchecks/yamls/job-ttl-seconds-after-finished.yaml b/pkg/builtinchecks/yamls/job-ttl-seconds-after-finished.yaml
@@ -0,0 +1,7 @@
+name: "job-ttl-seconds-after-finished"
+description: "Indicates when standalone jobs do not set ttlSecondsAfterFinished and when jobs managed by cronjob do set ttlSecondsAfterFinished."
+remediation: "Set Job.spec.ttlSecondsAfterFinished. Unset CronJob.Spec.JobTemplate.Spec.ttlSecondsAfterFinished."
+scope:
+  objectKinds:
+    - JobLike
+template: "job-ttl-seconds-after-finished"
diff --git a/pkg/extract/job_spec.go b/pkg/extract/job_spec.go
@@ -0,0 +1,18 @@
+package extract
+
+import (
+	"golang.stackrox.io/kube-linter/pkg/k8sutil"
+	batchV1 "k8s.io/api/batch/v1"
+)
+
+// JobSpec extracts a job template spec from Job or CronJob objects
+func JobSpec(obj k8sutil.Object) (batchV1.JobSpec, string, bool) {
+	switch obj := obj.(type) {
+	case *batchV1.Job:
+		return obj.Spec, "Job", true
+	case *batchV1.CronJob:
+		return obj.Spec.JobTemplate.Spec, "CronJob", true
+	default:
+		return batchV1.JobSpec{}, "", false
+	}
+}
diff --git a/pkg/lintcontext/mocks/cronjob.go b/pkg/lintcontext/mocks/cronjob.go
@@ -0,0 +1,24 @@
+package mocks
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	batchV1 "k8s.io/api/batch/v1"
+	metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// AddMockCronJob adds a mock CronJob to LintContext
+func (l *MockLintContext) AddMockCronJob(t *testing.T, name string) {
+	require.NotEmpty(t, name)
+	l.objects[name] = &batchV1.CronJob{
+		ObjectMeta: metaV1.ObjectMeta{Name: name},
+	}
+}
+
+// ModifyCronJob modifies a given CronJob in the context via the passed function
+func (l *MockLintContext) ModifyCronJob(t *testing.T, name string, f func(cronjob *batchV1.CronJob)) {
+	dep, ok := l.objects[name].(*batchV1.CronJob)
+	require.True(t, ok)
+	f(dep)
+}
diff --git a/pkg/lintcontext/mocks/job.go b/pkg/lintcontext/mocks/job.go
@@ -0,0 +1,24 @@
+package mocks
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	batchV1 "k8s.io/api/batch/v1"
+	metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// AddMockJob adds a mock Job to LintContext
+func (l *MockLintContext) AddMockJob(t *testing.T, name string) {
+	require.NotEmpty(t, name)
+	l.objects[name] = &batchV1.Job{
+		ObjectMeta: metaV1.ObjectMeta{Name: name},
+	}
+}
+
+// ModifyJob modifies a given Job in the context via the passed function
+func (l *MockLintContext) ModifyJob(t *testing.T, name string, f func(job *batchV1.Job)) {
+	dep, ok := l.objects[name].(*batchV1.Job)
+	require.True(t, ok)
+	f(dep)
+}
diff --git a/pkg/objectkinds/job_like.go b/pkg/objectkinds/job_like.go
@@ -0,0 +1,23 @@
+package objectkinds
+
+import (
+	batchV1 "k8s.io/api/batch/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const (
+	JobLike = "JobLike"
+)
+
+var (
+	jobGVK = batchV1.SchemeGroupVersion.WithKind("Job")
+)
+var (
+	cronJobGVK = batchV1.SchemeGroupVersion.WithKind("CronJob")
+)
+
+func init() {
+	RegisterObjectKind(JobLike, MatcherFunc(func(gvk schema.GroupVersionKind) bool {
+		return gvk == jobGVK || gvk == cronJobGVK
+	}))
+}
diff --git a/pkg/templates/all/all.go b/pkg/templates/all/all.go
@@ -25,6 +25,7 @@ import (
 	_ "golang.stackrox.io/kube-linter/pkg/templates/hostpid"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/hpareplicas"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/imagepullpolicy"
+	_ "golang.stackrox.io/kube-linter/pkg/templates/jobttlsecondsafterfinished"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/latesttag"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/livenessport"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/livenessprobe"
diff --git a/pkg/templates/jobttlsecondsafterfinished/internal/params/gen-params.go b/pkg/templates/jobttlsecondsafterfinished/internal/params/gen-params.go
diff --git a/pkg/templates/jobttlsecondsafterfinished/internal/params/params.go b/pkg/templates/jobttlsecondsafterfinished/internal/params/params.go
@@ -0,0 +1,5 @@
+package params
+
+// Params represents the params accepted by this template.
+type Params struct {
+}
diff --git a/pkg/templates/jobttlsecondsafterfinished/template.go b/pkg/templates/jobttlsecondsafterfinished/template.go
@@ -0,0 +1,46 @@
+package jobttlsecondsafterfinished
+
+import (
+	"golang.stackrox.io/kube-linter/pkg/check"
+	"golang.stackrox.io/kube-linter/pkg/config"
+	"golang.stackrox.io/kube-linter/pkg/diagnostic"
+	"golang.stackrox.io/kube-linter/pkg/extract"
+	"golang.stackrox.io/kube-linter/pkg/lintcontext"
+	"golang.stackrox.io/kube-linter/pkg/objectkinds"
+	"golang.stackrox.io/kube-linter/pkg/templates"
+	"golang.stackrox.io/kube-linter/pkg/templates/jobttlsecondsafterfinished/internal/params"
+)
+
+const templateKey = "job-ttl-seconds-after-finished"
+
+func init() {
+	templates.Register(check.Template{
+		HumanName:   "ttlSecondsAfterFinished impact for standalone and managed Job objects",
+		Key:         templateKey,
+		Description: "Flag standalone Job objects not setting ttlSecondsAfterFinished. Flag CronJob objects setting ttlSecondsAfterFinished",
+		SupportedObjectKinds: config.ObjectKindsDesc{
+			ObjectKinds: []string{objectkinds.JobLike},
+		},
+		Parameters:             params.ParamDescs,
+		ParseAndValidateParams: params.ParseAndValidate,
+		Instantiate: params.WrapInstantiateFunc(func(_ params.Params) (check.Func, error) {
+			return func(lintCtx lintcontext.LintContext, object lintcontext.Object) []diagnostic.Diagnostic {
+				jobSpec, kind, ok := extract.JobSpec(object.K8sObject)
+				if !ok {
+					return nil
+				}
+				switch kind {
+				case "Job":
+					if jobSpec.TTLSecondsAfterFinished == nil {
+						return []diagnostic.Diagnostic{{Message: "Standalone Job does not specify ttlSecondsAfterFinished"}}
+					}
+				case "CronJob":
+					if jobSpec.TTLSecondsAfterFinished != nil {
+						return []diagnostic.Diagnostic{{Message: "Managed Job specifies ttlSecondsAfterFinished which might conflict with successfulJobsHistoryLimit and failedJobsHistoryLimit from CronJob that have default values. Final behaviour is determined by the strictest parameter, and therefore, setting ttlSecondsAfterFinished at the job level can result with unexpected behaviour with regard to finished jobs removal"}}
+					}
+				}
+				return nil
+			}, nil
+		}),
+	})
+}
diff --git a/pkg/templates/jobttlsecondsafterfinished/template_test.go b/pkg/templates/jobttlsecondsafterfinished/template_test.go
@@ -0,0 +1,109 @@
+package jobttlsecondsafterfinished
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/suite"
+	"golang.stackrox.io/kube-linter/pkg/diagnostic"
+	"golang.stackrox.io/kube-linter/pkg/lintcontext/mocks"
+	"golang.stackrox.io/kube-linter/pkg/templates"
+	"golang.stackrox.io/kube-linter/pkg/templates/jobttlsecondsafterfinished/internal/params"
+	batchV1 "k8s.io/api/batch/v1"
+)
+
+const (
+	JobKind      = "Job"
+	CronJobKind  = "CronJob"
+	jobNoTTL     = "job_no_ttl"
+	jobTTL       = "job_ttl"
+	cronjobNoTTL = "cronjob_no_ttl"
+	cronjobTTL   = "cronjob_ttl"
+)
+
+type JobTTLSecondsAfterFinishedTestSuite struct {
+	templates.TemplateTestSuite
+
+	ctx *mocks.MockLintContext
+}
+
+func (s *JobTTLSecondsAfterFinishedTestSuite) SetupTest() {
+	s.Init(templateKey)
+	s.ctx = mocks.NewMockContext()
+}
+
+func (s *JobTTLSecondsAfterFinishedTestSuite) AddJobLike(kind, name string, ttl *int32) {
+	switch kind {
+	case JobKind:
+		s.ctx.AddMockJob(s.T(), name)
+		if ttl != nil {
+			s.ctx.ModifyJob(s.T(), name, func(job *batchV1.Job) {
+				job.Spec.TTLSecondsAfterFinished = ttl
+			})
+		}
+	case CronJobKind:
+		s.ctx.AddMockCronJob(s.T(), name)
+		if ttl != nil {
+			s.ctx.ModifyCronJob(s.T(), name, func(cronjob *batchV1.CronJob) {
+				cronjob.Spec.JobTemplate.Spec.TTLSecondsAfterFinished = ttl
+			})
+		}
+	}
+}
+
+func TestJobTTLSecondsAfterFinished(t *testing.T) {
+	suite.Run(t, new(JobTTLSecondsAfterFinishedTestSuite))
+}
+
+func (s *JobTTLSecondsAfterFinishedTestSuite) TestJobTTL() {
+	ttl := int32(100)
+	s.AddJobLike(JobKind, jobTTL, &ttl)
+	s.Validate(s.ctx, []templates.TestCase{
+		{
+			Param: params.Params{},
+			Diagnostics: map[string][]diagnostic.Diagnostic{
+				jobTTL: nil,
+			},
+			ExpectInstantiationError: false,
+		},
+	})
+}
+
+func (s *JobTTLSecondsAfterFinishedTestSuite) TestJobNoTTL() {
+	s.AddJobLike(JobKind, jobNoTTL, nil)
+	s.Validate(s.ctx, []templates.TestCase{
+		{
+			Param: params.Params{},
+			Diagnostics: map[string][]diagnostic.Diagnostic{
+				jobNoTTL: {{Message: "Standalone Job does not specify ttlSecondsAfterFinished"}},
+			},
+			ExpectInstantiationError: false,
+		},
+	})
+}
+
+func (s *JobTTLSecondsAfterFinishedTestSuite) TestCronJobTTL() {
+	ttl := int32(100)
+	s.AddJobLike(CronJobKind, cronjobTTL, &ttl)
+	s.Validate(s.ctx, []templates.TestCase{
+		{
+			Param: params.Params{},
+			Diagnostics: map[string][]diagnostic.Diagnostic{
+				cronjobTTL: {{Message: "Managed Job specifies ttlSecondsAfterFinished which might conflict with successfulJobsHistoryLimit and failedJobsHistoryLimit from CronJob that have default values. Final behaviour is determined by the strictest parameter, and therefore, setting ttlSecondsAfterFinished at the job level can result with unexpected behaviour with regard to finished jobs removal"}},
+			},
+			ExpectInstantiationError: false,
+		},
+	})
+}
+
+func (s *JobTTLSecondsAfterFinishedTestSuite) TestCronJobNoTTL() {
+	s.AddJobLike(CronJobKind, cronjobNoTTL, nil)
+	s.Validate(s.ctx, []templates.TestCase{
+		{
+			Param: params.Params{},
+			Diagnostics: map[string][]diagnostic.Diagnostic{
+				cronjobNoTTL: nil,
+			},
+			ExpectInstantiationError: false,
+		},
+	})
+}
diff --git a/tests/checks/job-ttl-seconds-after-finished.yaml b/tests/checks/job-ttl-seconds-after-finished.yaml
