package io.yupiik.bundlebee.core.command.impl.lint.builtin;

import io.yupiik.bundlebee.core.command.impl.lint.LintError;
import io.yupiik.bundlebee.core.command.impl.lint.LintingCheck;
import java.util.stream.Stream;
import javax.enterprise.context.Dependent;
import javax.json.JsonObject;

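/**
 * Lint check that reports containers whose {@code securityContext.procMount} is {@code Unmasked}.
 *
 * <p>As this check's own description states, {@code procMount=Unmasked} bypasses the default
 * masking behavior the container runtime applies to {@code /proc}. The remediation is to use
 * {@code procMount=Default}; see the Kubernetes Pod Security Standards linked from
 * {@link #remediation()}.
 *
 * <p>NOTE(review): which container lists are visited (containers, initContainers, and possibly
 * ephemeralContainers) is decided by {@code ContainerValueValidator}, which is not visible
 * here; confirm that every list able to carry a {@code securityContext} is covered.
 */
@Dependent
public class UnsafeProcMount extends ContainerValueValidator {
    /** Value of {@code procMount} that this check reports. */
    private static final String UNMASKED = "Unmasked";

    /**
     * @return the identifier of this check.
     */
    @Override
    public String name() {
        return "unsafe-proc-mount";
    }

    /**
     * @return a one-line summary of what this check alerts on.
     */
    @Override
    public String description() {
        return "Alert on deployments with unsafe /proc mount (procMount=Unmasked) that will bypass the default masking behavior of the container runtime";
    }

    /**
     * @return the guidance shown to the user when the check fails.
     */
    @Override
    public String remediation() {
        return "Ensure container does not unsafely exposes parts of /proc by setting procMount=Default. \nUnmasked ProcMount bypasses the default masking behavior of the container runtime.\nSee https://kubernetes.io/docs/concepts/security/pod-security-standards/ for more details.";
    }

    /**
     * Opts this check in to init containers.
     *
     * @return always {@code true}; presumably the base class then applies {@link #validate} to
     *     init containers as well (confirm against {@code ContainerValueValidator}).
     */
    @Override
    protected boolean supportsInitContainers() {
        return true;
    }

    /**
     * Emits one {@code ERROR} when the given object's {@code securityContext.procMount} equals
     * {@code Unmasked} (case-sensitive).
     *
     * <p>A {@code securityContext} that is absent, JSON {@code null} or otherwise not an object
     * yields no error. {@code getJsonObject} would throw {@link ClassCastException} on such a
     * value (for example an explicit {@code securityContext: null}) and abort the lint run,
     * so the value is type-checked before use.
     *
     * @param jsonObject the JSON object to inspect (presumably a single container definition).
     * @param lintableDescriptor the descriptor being linted; not used by this check.
     * @return a stream holding at most one {@link LintError}.
     */
    @Override
    protected Stream<LintError> validate(JsonObject jsonObject, LintingCheck.LintableDescriptor lintableDescriptor) {
        return Stream.ofNullable(jsonObject.get("securityContext"))
                // Only an actual JSON object can carry procMount; skip null/scalar/array values.
                .filter(JsonObject.class::isInstance)
                .map(JsonObject.class::cast)
                // getString(name, default) falls back to "" when procMount is missing or not a string.
                .filter(securityContext -> UNMASKED.equals(securityContext.getString("procMount", "")))
                .map(securityContext -> new LintError(LintError.LintLevel.ERROR, "procMount=Unmasked is used"));
    }
}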
