feat: Add support for Kubernetes 1.31, drop support for versions 1.23…

…-1.25

eksup/Cargo.toml

@@ -34,18 +34,18 @@ aws-sdk-eks = "1.14"
 aws-types = "1.1"
 clap = { version = "4.5", features = ["derive", "string", "color", "unstable-styles"] }
 clap-verbosity-flag = "2.1"
-handlebars = { version = "5.1", features = ["rust-embed"] }
+handlebars = { version = "6.1", features = ["rust-embed"] }
 itertools = "0.13"
 # https://kube.rs/kubernetes-version/
-k8s-openapi = { version = "0.22.0", default-features = false, features = ["earliest"] }
-kube = { version = "0.92", default-features = false, features = [ "client", "derive", "rustls-tls" ] }
+k8s-openapi = { version = "0.23.0", default-features = false, features = ["earliest"] }
+kube = { version = "0.95", default-features = false, features = [ "client", "derive", "rustls-tls" ] }
 rust-embed = { version = "8.2", features = ["compression"] }
 schemars = "0.8"
 seq-macro = "0.3"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 serde_yaml = "0.9"
-tabled = "0.15"
+tabled = "0.16"
 tokio = { version = "1.36", default-features = false, features = ["macros", "rt-multi-thread"] }
 tracing = {version = "0.1", features = ["log-always"] }
 tracing-log = "0.2"

eksup/src/analysis.rs

@@ -38,7 +38,6 @@ impl Results {
     output.push_str(&self.kubernetes.readiness_probe.to_stdout_table()?);
     output.push_str(&self.kubernetes.termination_grace_period.to_stdout_table()?);
     output.push_str(&self.kubernetes.docker_socket.to_stdout_table()?);
-    output.push_str(&self.kubernetes.pod_security_policy.to_stdout_table()?);
     output.push_str(&self.kubernetes.kube_proxy_version_skew.to_stdout_table()?);
 
     Ok(output)

eksup/src/k8s/checks.rs

@@ -394,45 +394,6 @@ impl Findings for Vec<DockerSocket> {
   }
 }
 
-#[derive(Debug, Serialize, Deserialize, Tabled)]
-#[tabled(rename_all = "UpperCase")]
-pub struct PodSecurityPolicy {
-  #[tabled(inline)]
-  pub finding: finding::Finding,
-
-  #[tabled(inline)]
-  pub resource: Resource,
-}
-
-impl Findings for Vec<PodSecurityPolicy> {
-  fn to_markdown_table(&self, leading_whitespace: &str) -> Result<String> {
-    if self.is_empty() {
-      return Ok(format!(
-        "{leading_whitespace}✅ - No PodSecurityPolicys were found within the cluster"
-      ));
-    }
-
-    let mut table = Table::new(self);
-    table
-      .with(Disable::column(ByColumnName::new("CHECK")))
-      .with(Margin::new(1, 0, 0, 0).fill('\t', 'x', 'x', 'x'))
-      .with(Style::markdown());
-
-    Ok(format!("{table}\n"))
-  }
-
-  fn to_stdout_table(&self) -> Result<String> {
-    if self.is_empty() {
-      return Ok("".to_owned());
-    }
-
-    let mut table = Table::new(self);
-    table.with(Style::sharp());
-
-    Ok(format!("{table}\n"))
-  }
-}
-
 #[derive(Clone, Debug, Serialize, Deserialize, Tabled)]
 #[tabled(rename_all = "UpperCase")]
 pub struct KubeProxyVersionSkew {

eksup/src/k8s/findings.rs

@@ -20,7 +20,6 @@ pub struct KubernetesFindings {
   pub pod_topology_distribution: Vec<checks::PodTopologyDistribution>,
   pub termination_grace_period: Vec<checks::TerminationGracePeriod>,
   pub docker_socket: Vec<checks::DockerSocket>,
-  pub pod_security_policy: Vec<checks::PodSecurityPolicy>,
   pub kube_proxy_version_skew: Vec<checks::KubeProxyVersionSkew>,
 }
 
@@ -45,7 +44,6 @@ pub async fn get_kubernetes_findings(
     .iter()
     .filter_map(|s| s.docker_socket(target_version))
     .collect();
-  let pod_security_policy = resources::get_podsecuritypolicies(client, target_version, cluster_version).await?;
   let kube_proxy_version_skew = checks::kube_proxy_version_skew(&resources, cluster_version).await?;
 
   Ok(KubernetesFindings {
@@ -56,7 +54,6 @@ pub async fn get_kubernetes_findings(
     pod_topology_distribution,
     termination_grace_period,
     docker_socket,
-    pod_security_policy,
     kube_proxy_version_skew,
   })
 }

eksup/src/k8s/resources.rs

@@ -351,63 +351,6 @@ async fn get_cronjobs(client: &Client) -> Result<Vec<StdResource>> {
   Ok(cronjobs)
 }
 
-// // https://github.com/kube-rs/kube/issues/428
-// // https://github.com/kubernetes/apimachinery/blob/373a5f752d44989b9829888460844849878e1b6e/pkg/apis/meta/v1/helpers.go#L34
-// pub(crate) async fn get_pod_disruption_budgets(client: &Client) -> Result<Vec<PodDisruptionBudget>> {
-//   let api: Api<policy::v1beta1::PodDisruptionBudget> = Api::all(client.to_owned());
-//   let pdb_list = api.list(&Default::default()).await?;
-
-//   Ok(pdb_list.items)
-// }
-
-pub(crate) async fn get_podsecuritypolicies(
-  client: &Client,
-  target_version: &str,
-  current_version: &str,
-) -> Result<Vec<checks::PodSecurityPolicy>> {
-  let current_version = version::parse_minor(current_version)?;
-  if current_version >= 25 {
-    // Pod Security Policy support is removed starting in 1.25
-    return Ok(vec![]);
-  }
-
-  let api: Api<policy::v1beta1::PodSecurityPolicy> = Api::all(client.to_owned());
-  let psp_list = api
-    .list(&Default::default())
-    .await
-    .context("Failed to list PodSecurityPolicies")?;
-
-  let target_version = version::parse_minor(target_version)?;
-  let remediation = if target_version >= 25 {
-    finding::Remediation::Required
-  } else {
-    finding::Remediation::Recommended
-  };
-
-  let psps = psp_list
-    .items
-    .iter()
-    .map(|psp| {
-      let objmeta = psp.metadata.clone();
-
-      let resource = Resource {
-        name: objmeta.name.unwrap_or_default(),
-        namespace: objmeta.namespace.unwrap_or_default(),
-        kind: Kind::PodSecurityPolicy,
-      };
-
-      let finding = finding::Finding {
-        code: finding::Code::K8S009,
-        symbol: remediation.symbol(),
-        remediation: remediation.to_owned(),
-      };
-      checks::PodSecurityPolicy { finding, resource }
-    })
-    .collect();
-
-  Ok(psps)
-}
-
 #[derive(Debug, Serialize, Deserialize, Tabled)]
 #[tabled(rename_all = "UpperCase")]
 pub struct Resource {

eksup/src/playbook.rs

@@ -61,7 +61,6 @@ pub struct TemplateData {
   readiness_probe: String,
   termination_grace_period: String,
   docker_socket: String,
-  pod_security_policy: String,
   kube_proxy_version_skew: String,
 }
 
@@ -186,7 +185,6 @@ pub(crate) fn create(args: Playbook, region: String, cluster: &Cluster, analysis
     readiness_probe: kubernetes_findings.readiness_probe.to_markdown_table("\t")?,
     termination_grace_period: kubernetes_findings.termination_grace_period.to_markdown_table("\t")?,
     docker_socket: kubernetes_findings.docker_socket.to_markdown_table("\t")?,
-    pod_security_policy: kubernetes_findings.pod_security_policy.to_markdown_table("\t")?,
     kube_proxy_version_skew: kubernetes_findings.kube_proxy_version_skew.to_markdown_table("\t")?,
   };
 

eksup/src/version.rs

@@ -6,15 +6,15 @@ use seq_macro::seq;
 use serde::{Deserialize, Serialize};
 
 /// Latest support version
-pub const LATEST: &str = "1.30";
+pub const LATEST: &str = "1.31";
 
 #[derive(Debug, Serialize, Deserialize)]
 pub struct Versions {
   pub current: String,
   pub target: String,
 }
 
-seq!(N in 23..=30 {
+seq!(N in 26..=31 {
     /// Kubernetes version(s) supported
     #[derive(Clone, Copy, Debug, Serialize, Deserialize)]
     pub enum KubernetesVersion {

eksup/templates/data.yaml

@@ -1,23 +1,3 @@
-'1.20':
-    release_url: https://kubernetes.io/blog/2020/12/08/kubernetes-1-20-release-announcement/
-
-'1.21':
-    release_url: https://kubernetes.io/blog/2021/04/08/kubernetes-1-21-release-announcement/
-
-'1.22':
-    release_url: https://kubernetes.io/blog/2021/08/04/kubernetes-1-22-release-announcement/
-    deprecation_url: https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-22
-
-'1.23':
-    release_url: https://kubernetes.io/blog/2021/12/07/kubernetes-1-23-release-announcement/
-
-'1.24':
-    release_url: https://kubernetes.io/blog/2022/05/03/kubernetes-1-24-release-announcement/
-
-'1.25':
-    release_url: https://kubernetes.io/blog/2022/08/23/kubernetes-v1-25-release/
-    deprecation_url: https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-25
-
 '1.26':
     release_url: https://kubernetes.io/blog/2022/12/09/kubernetes-v1-26-release/
     deprecation_url: https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-26
@@ -37,7 +17,7 @@
     release_url: https://kubernetes.io/blog/2024/04/17/kubernetes-v1-30-release/
 
 '1.31':
-    release_url: TBD
+    release_url: https://kubernetes.io/blog/2024/08/13/kubernetes-v1-31-release/
 
 '1.32':
     release_url: TBD

eksup/templates/playbook.md

@@ -194,9 +194,6 @@ When upgrading the control plane, Amazon EKS performs standard infrastructure an
     #### Check [[K8S008]](https://clowdhaus.github.io/eksup/info/checks/#k8s008)
 {{ docker_socket }}
 
-    #### Check [[K8S009]](https://clowdhaus.github.io/eksup/info/checks/#k8s009)
-{{ pod_security_policy }}
-
     #### Check [[K8S0011]](https://clowdhaus.github.io/eksup/info/checks/#k8s011)
 {{ kube_proxy_version_skew }}