added rules to detect ingress nginx as it is being deprecated (#71)

kendrickcurtis · web-flow · commit a6e38dcd0188 · 2025-11-18T13:50:01.000Z
diff --git a/docs/codacy-rules.yaml b/docs/codacy-rules.yaml
@@ -511,3 +511,99 @@ rules:
       description: Classes with 'Exception' in their name should inherit from Exception or its subclasses
       impact: LOW
       confidence: HIGH
+  - id: codacy.k8s.ingress.nginx.retirement.ingress-resource
+    languages:
+      - yaml
+    severity: WARNING
+    message: >
+      This Ingress is configured to use the Ingress NGINX controller
+      (kubernetes.io/ingress.class: nginx or ingressClassName: nginx).
+      Ingress NGINX is scheduled for retirement (no fixes after March 2026).
+      Plan to migrate to Gateway API or another Ingress controller.
+    patterns:
+      - pattern-either:
+        # Classic way: annotation kubernetes.io/ingress.class: nginx
+        - pattern: |
+            apiVersion: ...
+            kind: Ingress
+            metadata:
+              ...
+              annotations:
+                ...
+                kubernetes.io/ingress.class: nginx
+            ...
+        # Newer way: spec.ingressClassName: nginx
+        - pattern: |
+            apiVersion: ...
+            kind: Ingress
+            spec:
+              ...
+              ingressClassName: nginx
+            ...
+    metadata:
+      category: security
+      technology:
+        - kubernetes
+      description: >
+        Detects Ingress resources configured to use the Ingress NGINX controller.
+        Ingress NGINX is scheduled for retirement (no fixes after March 2026).
+      impact: MEDIUM
+      confidence: HIGH
+      references:
+        - https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement/
+        - https://kubernetes.github.io/ingress-nginx/user-guide/basic-usage/
+  - id: codacy.k8s.ingress.nginx.retirement.ingress-class
+    languages:
+      - yaml
+    severity: WARNING
+    message: >
+      This IngressClass is wired to the Ingress NGINX controller
+      (spec.controller: k8s.io/ingress-nginx).
+      Ingress NGINX is scheduled for retirement (no fixes after March 2026).
+      Plan to migrate to Gateway API or another Ingress controller.
+    pattern: |
+      apiVersion: networking.k8s.io/v1
+      kind: IngressClass
+      ...
+      spec:
+        controller: k8s.io/ingress-nginx
+    metadata:
+      category: security
+      technology:
+        - kubernetes
+      description: >
+        Detects IngressClass objects wired to the Ingress NGINX controller.
+        Ingress NGINX is scheduled for retirement (no fixes after March 2026).
+      impact: MEDIUM
+      confidence: HIGH
+      references:
+        - https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement/
+  - id: codacy.k8s.ingress.nginx.retirement.workload
+    languages:
+      - yaml
+    severity: WARNING
+    message: >
+      This Kubernetes resource is labelled as part of the Ingress NGINX
+      controller stack (app.kubernetes.io/name: ingress-nginx).
+      Ingress NGINX is scheduled for retirement (no fixes after March 2026).
+      Plan to migrate to Gateway API or another Ingress controller.
+    pattern: |
+      apiVersion: ...
+      kind: $KIND
+      metadata:
+        ...
+        labels:
+          ...
+          app.kubernetes.io/name: ingress-nginx
+      ...
+    metadata:
+      category: security
+      technology:
+        - kubernetes
+      description: >
+        Detects Kubernetes resources labelled as part of the Ingress NGINX
+        controller stack. Ingress NGINX is scheduled for retirement (no fixes after March 2026).
+      impact: MEDIUM
+      confidence: HIGH
+      references:
+        - https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement/
diff --git a/docs/multiple-tests/codacy-rules/patterns.xml b/docs/multiple-tests/codacy-rules/patterns.xml
@@ -12,4 +12,7 @@
     <module name="codacy.python.openai.import-without-guardrails"/>
     <module name="codacy.csharp.security.sql-injection.dynamic-query"/>
     <module name="codacy.csharp.best-practice.misleading-exception-class-name" />
+    <module name="codacy.k8s.ingress.nginx.retirement.ingress-resource" />
+    <module name="codacy.k8s.ingress.nginx.retirement.ingress-class" />
+    <module name="codacy.k8s.ingress.nginx.retirement.workload" />
 </module>
diff --git a/docs/multiple-tests/codacy-rules/results.xml b/docs/multiple-tests/codacy-rules/results.xml
@@ -44,4 +44,10 @@
         <error source="codacy.csharp.best-practice.misleading-exception-class-name" line="26" message="Class name contains 'Exception' but does not inherit from System.Exception or its subclasses." severity="warning" />
         <error source="codacy.csharp.best-practice.misleading-exception-class-name" line="33" message="Class name contains 'Exception' but does not inherit from System.Exception or its subclasses." severity="warning" />
     </file>
+    <file name="codacy.k8s.ingress.nginx.retirement.yaml">
+        <error source="codacy.k8s.ingress.nginx.retirement.ingress-resource" line="5" message="This Ingress is configured to use the Ingress NGINX controller (kubernetes.io/ingress.class: nginx or ingressClassName: nginx). Ingress NGINX is scheduled for retirement (no fixes after March 2026). Plan to migrate to Gateway API or another Ingress controller." severity="warning" />
+        <error source="codacy.k8s.ingress.nginx.retirement.ingress-resource" line="26" message="This Ingress is configured to use the Ingress NGINX controller (kubernetes.io/ingress.class: nginx or ingressClassName: nginx). Ingress NGINX is scheduled for retirement (no fixes after March 2026). Plan to migrate to Gateway API or another Ingress controller." severity="warning" />
+        <error source="codacy.k8s.ingress.nginx.retirement.ingress-class" line="46" message="This IngressClass is wired to the Ingress NGINX controller (spec.controller: k8s.io/ingress-nginx). Ingress NGINX is scheduled for retirement (no fixes after March 2026). Plan to migrate to Gateway API or another Ingress controller." severity="warning" />
+        <error source="codacy.k8s.ingress.nginx.retirement.workload" line="55" message="This Kubernetes resource is labelled as part of the Ingress NGINX controller stack (app.kubernetes.io/name: ingress-nginx). Ingress NGINX is scheduled for retirement (no fixes after March 2026). Plan to migrate to Gateway API or another Ingress controller." severity="warning" />
+    </file>
 </checkstyle>
diff --git a/docs/multiple-tests/codacy-rules/src/codacy.k8s.ingress.nginx.retirement.yaml b/docs/multiple-tests/codacy-rules/src/codacy.k8s.ingress.nginx.retirement.yaml
@@ -0,0 +1,75 @@
+# Test file for k8s.ingress.nginx.retirement rules
+
+---
+# Test case 1: Ingress with annotation (should trigger ingress-resource rule)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: test-ingress-annotation
+  annotations:
+    kubernetes.io/ingress.class: nginx
+spec:
+  rules:
+    - host: example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: test-service
+                port:
+                  number: 80
+
+---
+# Test case 2: Ingress with ingressClassName (should trigger ingress-resource rule)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: test-ingress-classname
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: test-service
+                port:
+                  number: 80
+
+---
+# Test case 3: IngressClass (should trigger ingress-class rule)
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  name: nginx
+spec:
+  controller: k8s.io/ingress-nginx
+
+---
+# Test case 4: Deployment with ingress-nginx label (should trigger workload rule)
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ingress-nginx-controller
+  labels:
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/component: controller
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: ingress-nginx
+    spec:
+      containers:
+        - name: controller
+          image: registry.k8s.io/ingress-nginx/controller:v1.8.1
+
