package io.yupiik.bundlebee.core.command.impl.lint.builtin;

import io.yupiik.bundlebee.core.command.impl.lint.LintError;
import io.yupiik.bundlebee.core.command.impl.lint.LintingCheck;
import java.util.Set;
import java.util.stream.Stream;
import javax.enterprise.context.Dependent;
import javax.json.JsonArray;
import javax.json.JsonObject;
import javax.json.JsonString;
import javax.json.JsonValue;

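/**
 * Lint check "unsafe-sysctls": reports every entry of {@code securityContext.sysctls}
 * whose name starts with one of the prefixes in {@link #FORBIDDEN_PREFIXES}.
 * <p>
 * NOTE(review): in the Kubernetes API the {@code sysctls} list is a field of the pod-level
 * {@code PodSecurityContext} ({@code spec.securityContext}); the container-level
 * {@code SecurityContext} has no such field. If {@link ContainerValueValidator} hands
 * {@link #validate} a container object (which its name suggests), this check would never
 * match a well-formed manifest -- confirm what JSON node the base class passes in.
 */
@Dependent
/* loaded from: input_file:io/yupiik/bundlebee/core/command/impl/lint/builtin/UnsafeSysctls.class */
public class UnsafeSysctls extends ContainerValueValidator {
    /**
     * Sysctl name prefixes treated as unsafe. Every entry is a prefix, never an exact name:
     * "kernel.msg" covers kernel.msgmax/msgmnb/msgmni, "kernel.shm" covers
     * kernel.shmmax/shmall/shmmni, "fs.mqueue." covers the POSIX message-queue limits and
     * "net." covers all network sysctls.
     * <p>
     * This is deliberately conservative: it also flags names that upstream Kubernetes lists
     * as safe (for example {@code kernel.shm_rmid_forced} or {@code net.ipv4.ip_local_port_range}).
     * NOTE(review): narrow this with an explicit safe-list if those false positives matter.
     */
    private static final Set<String> FORBIDDEN_PREFIXES =
            Set.of("kernel.msg", "kernel.sem", "kernel.shm", "fs.mqueue.", "net.");

    @Override // io.yupiik.bundlebee.core.command.impl.lint.LintingCheck
    public String name() {
        return "unsafe-sysctls";
    }

    @Override // io.yupiik.bundlebee.core.command.impl.lint.LintingCheck
    public String description() {
        return "Alert on deployments specifying unsafe sysctls that may lead to severe problems like wrong behavior of containers";
    }

    @Override // io.yupiik.bundlebee.core.command.impl.lint.LintingCheck
    public String remediation() {
        return "Ensure container does not allow unsafe allocation of system resources by removing unsafe sysctls configurations.\nFor more details see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/\nhttps://docs.docker.com/engine/reference/commandline/run/#configure-namespaced-kernel-parameters-sysctls-at-runtime.";
    }

    /** Init containers carry the same securityContext shape, so they are linted too. */
    @Override // io.yupiik.bundlebee.core.command.impl.lint.builtin.ContainerValueValidator
    protected boolean supportsInitContainers() {
        return true;
    }

    /**
     * Emits one {@link LintError} (level ERROR) per sysctl whose name matches a forbidden prefix.
     * <p>
     * Fix over the previous implementation: the {@code kernel.*} and {@code fs.mqueue.} entries
     * were compared with {@code Set#contains} (exact match), so {@code kernel.shmmax},
     * {@code kernel.msgmax} or {@code fs.mqueue.msg_max} were never reported and the trailing-dot
     * entry could not match anything at all; only {@code kernel.sem} and {@code net.*} worked.
     * All entries are now prefix-matched.
     * <p>
     * Malformed input (a non-object {@code securityContext}, a {@code sysctls} value that is
     * {@code null} or not an array, non-object entries, missing or non-string {@code name}) is
     * skipped rather than turned into a {@link ClassCastException}: a lint must not crash the
     * whole run on one odd descriptor, and such entries are not something we can judge anyway.
     *
     * @param jsonObject         the JSON node handed over by {@link ContainerValueValidator}
     * @param lintableDescriptor the descriptor being linted (unused here)
     * @return a stream of errors, empty when nothing is flagged
     */
    @Override // io.yupiik.bundlebee.core.command.impl.lint.builtin.ContainerValueValidator
    protected Stream<LintError> validate(final JsonObject jsonObject, final LintingCheck.LintableDescriptor lintableDescriptor) {
        final JsonValue securityContext = jsonObject.get("securityContext");
        if (securityContext == null || securityContext.getValueType() != JsonValue.ValueType.OBJECT) {
            return Stream.empty();
        }
        final JsonValue sysctls = securityContext.asJsonObject().get("sysctls");
        if (sysctls == null || sysctls.getValueType() != JsonValue.ValueType.ARRAY) {
            return Stream.empty();
        }
        final JsonArray entries = sysctls.asJsonArray();
        return entries.stream()
                .filter(entry -> entry.getValueType() == JsonValue.ValueType.OBJECT)
                .map(entry -> entry.asJsonObject().get("name"))
                .filter(name -> name != null && name.getValueType() == JsonValue.ValueType.STRING)
                .map(name -> ((JsonString) name).getString())
                .filter(UnsafeSysctls::isUnsafe)
                .map(name -> new LintError(LintError.LintLevel.ERROR, "Sysctls '" + name + "' is not recommended"));
    }

    /** True when the sysctl name starts with any forbidden prefix (prefix, not equality, match). */
    private static boolean isUnsafe(final String sysctl) {
        return FORBIDDEN_PREFIXES.stream().anyMatch(sysctl::startsWith);
    }
}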
