linters: add forbiddenmarkers and nonullable linters

Signed-off-by: Bryce Palmer <bpalmer@redhat.com>

Author: everettraven

docs/linters.md

@@ -3,12 +3,14 @@
 - [Conditions](#conditions) - Checks that `Conditions` fields are correctly formatted
 - [CommentStart](#commentstart) - Ensures comments start with the serialized form of the type
 - [DuplicateMarkers](#duplicatemarkers) - Checks for exact duplicates of markers
+- [ForbiddenMarkers](#forbiddenmarkers) - Checks that no forbidden markers are present on types/fields.
 - [Integers](#integers) - Validates usage of supported integer types
 - [JSONTags](#jsontags) - Ensures proper JSON tag formatting
 - [MaxLength](#maxlength) - Checks for maximum length constraints on strings and arrays
 - [NoBools](#nobools) - Prevents usage of boolean types
 - [NoFloats](#nofloats) - Prevents usage of floating-point types
 - [Nomaps](#nomaps) - Restricts usage of map types
+- [NoNullable](#nonullable) - Prevents usage of the nullable marker
 - [Nophase](#nophase) - Prevents usage of 'Phase' fields
 - [Notimestamp](#notimestamp) - Prevents usage of 'TimeStamp' fields
 - [OptionalFields](#optionalfields) - Validates optional field conventions
@@ -98,6 +100,134 @@ will not.
 The `duplicatemarkers` linter can automatically fix all markers that are exact match to another markers.
 If there are duplicates across fields and their underlying type, the marker on the type will be preferred and the marker on the field will be removed.
 
+## ForbiddenMarkers
+
+The `forbiddenmarkers` linter ensures that types and fields do not contain any markers that are forbidden.
+
+By default, `forbiddenmarkers` is not enabled.
+
+### Configuation
+
+It can be configured with a list of marker identifiers and optionally their attributes and values that are forbidden.
+
+Some examples configurations explained:
+
+**Scenario:** forbid all instances of the marker with the identifier `forbidden:marker`
+
+```yaml
+linterConfig:
+  forbiddenmarkers:
+    markers:
+      - identifier: "forbidden:marker"
+```
+
+**Scenario:** forbid all instances of the marker with the identifier `forbidden:marker` containing the attribute `fruit`
+
+```yaml
+linterConfig:
+  forbiddenmarkers:
+    markers:
+      - identifier: "forbidden:marker"
+        ruleSets:
+          - attributes:
+              - name: "fruit"
+```
+
+**Scenario:** forbid all instances of the marker with the identifier `forbidden:marker` containing the `fruit` AND `color` attributes
+
+```yaml
+linterConfig:
+  forbiddenmarkers:
+    markers:
+      - identifier: "forbidden:marker"
+        ruleSets:
+          - attributes:
+              - name: "fruit"
+              - name: "color"
+```
+
+**Scenario:** forbid all instances of the marker with the identifier `forbidden:marker` where the `fruit` attribute is set to one of `apple`, `banana`, or `orange`
+
+```yaml
+linterConfig:
+  forbiddenmarkers:
+    markers:
+      - identifier: "forbidden:marker"
+        ruleSets:
+          - attributes:
+              - name: "fruit"
+                values:
+                  - "apple"
+                  - "banana"
+                  - "orange"
+```
+
+**Scenario:** forbid all instances of the marker with the identifier `forbidden:marker` where the `fruit` attribute is set to one of `apple`, `banana`, or `orange` AND the `color` attribute is set to one of `red`, `green`, or `blue`
+
+```yaml
+linterConfig:
+  forbiddenmarkers:
+    markers:
+      - identifier: "forbidden:marker"
+        ruleSets:
+          - attributes:
+              - name: "fruit"
+                values:
+                  - "apple"
+                  - "banana"
+                  - "orange"
+              - name: "color"
+                values:
+                  - "red"
+                  - "blue"
+                  - "green"
+```
+
+**Scenario:** forbid all instances of the marker with the identifier `forbidden:marker` where:
+
+- The `fruit` attribute is set to `apple` and the `color` attribute is set to one of `blue` or `orange` (allow any other color apple)
+
+_OR_
+
+- The `fruit` attribute is set to `orange` and the `color` attribute is set to one of `blue`, `red`, or `green` (allow any other color orange)
+
+_OR_
+
+- The `fruit` attribute is set to `banana` (no bananas allowed)
+
+```yaml
+linterConfig:
+  forbiddenmarkers:
+    markers:
+      - identifier: "forbidden:marker"
+        ruleSets:
+          - attributes:
+              - name: "fruit"
+                values:
+                  - "apple"
+              - name: "color"
+                values:
+                  - "blue"
+                  - "orange"
+          - attributes:
+              - name: "fruit"
+                values:
+                  - "orange"
+              - name: "color"
+                values:
+                  - "blue"
+                  - "red"
+                  - "green"
+          - attributes:
+              - name: "fruit"
+                values:
+                  - "banana"
+```
+
+### Fixes
+
+Fixes are suggested to remove all markers that are forbidden.
+
 ## Integers
 
 The `integers` linter checks for usage of unsupported integer types.
@@ -161,6 +291,14 @@ lintersConfig:
     policy: Enforce | AllowStringToStringMaps | Ignore # Determines how the linter should handle maps of simple types. Defaults to AllowStringToStringMaps.
 ```
 
+## NoNullable
+
+The `nonullable` linter ensures that types and fields do not have the `nullable` marker.
+
+### Fixes
+
+Fixes are suggested to remove the `nullable` marker.
+
 ## Notimestamp
 
 The `notimestamp` linter checks that the fields in the API are not named with the word 'Timestamp'.
@@ -334,10 +472,12 @@ linter will suggest adding the comment `// +kubebuilder:subresource:status` abov
 
 The `uniquemarkers` linter ensures that types and fields do not contain more than a single definition of a marker that should only be present once.
 
-Because this linter has no way of determining which marker definition was intended it does not suggest any fixes 
+Because this linter has no way of determining which marker definition was intended it does not suggest any fixes
 
 ### Configuration
+
 It can configured to include a set of custom markers in the analysis by setting:
+
 ```yaml
 lintersConfig:
   uniquemarkers:

pkg/analysis/forbiddenmarkers/analyzer.go

@@ -0,0 +1,167 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package forbiddenmarkers
+
+import (
+	"fmt"
+	"go/ast"
+	"slices"
+
+	"golang.org/x/tools/go/analysis"
+	kalerrors "sigs.k8s.io/kube-api-linter/pkg/analysis/errors"
+	"sigs.k8s.io/kube-api-linter/pkg/analysis/helpers/extractjsontags"
+	"sigs.k8s.io/kube-api-linter/pkg/analysis/helpers/inspector"
+	"sigs.k8s.io/kube-api-linter/pkg/analysis/helpers/markers"
+	"sigs.k8s.io/kube-api-linter/pkg/analysis/utils"
+)
+
+const name = "forbiddenmarkers"
+
+type analyzer struct {
+	forbiddenMarkers []Marker
+}
+
+// NewAnalyzer creates a new analysis.Analyzer for the forbiddenmarkers
+// linter based on the provided config.ForbiddenMarkersConfig.
+func newAnalyzer(cfg *Config) *analysis.Analyzer {
+	a := &analyzer{
+		forbiddenMarkers: cfg.Markers,
+	}
+
+	analyzer := &analysis.Analyzer{
+		Name:     name,
+		Doc:      "Check that no forbidden markers are present on types and fields.",
+		Run:      a.run,
+		Requires: []*analysis.Analyzer{inspector.Analyzer},
+	}
+
+	for _, marker := range a.forbiddenMarkers {
+		markers.DefaultRegistry().Register(marker.Identifier)
+	}
+
+	return analyzer
+}
+
+func (a *analyzer) run(pass *analysis.Pass) (any, error) {
+	inspect, ok := pass.ResultOf[inspector.Analyzer].(inspector.Inspector)
+	if !ok {
+		return nil, kalerrors.ErrCouldNotGetInspector
+	}
+
+	inspect.InspectFields(func(field *ast.Field, stack []ast.Node, _ extractjsontags.FieldTagInfo, markersAccess markers.Markers) {
+		checkField(pass, field, markersAccess, a.forbiddenMarkers)
+	})
+
+	inspect.InspectTypeSpec(func(typeSpec *ast.TypeSpec, markersAccess markers.Markers) {
+		checkType(pass, typeSpec, markersAccess, a.forbiddenMarkers)
+	})
+
+	return nil, nil //nolint:nilnil
+}
+
+func checkField(pass *analysis.Pass, field *ast.Field, markersAccess markers.Markers, forbiddenMarkers []Marker) {
+	if field == nil || len(field.Names) == 0 {
+		return
+	}
+
+	markers := utils.TypeAwareMarkerCollectionForField(pass, markersAccess, field)
+	check(markers, forbiddenMarkers, reportField(pass, field))
+}
+
+func checkType(pass *analysis.Pass, typeSpec *ast.TypeSpec, markersAccess markers.Markers, forbiddenMarkers []Marker) {
+	if typeSpec == nil {
+		return
+	}
+
+	markers := markersAccess.TypeMarkers(typeSpec)
+	check(markers, forbiddenMarkers, reportType(pass, typeSpec))
+}
+
+func check(markerSet markers.MarkerSet, forbiddenMarkers []Marker, reportFunc func(marker markers.Marker)) {
+	for _, marker := range forbiddenMarkers {
+		marks := markerSet.Get(marker.Identifier)
+		for _, mark := range marks {
+			if len(marker.RuleSets) == 0 {
+				reportFunc(mark)
+				continue
+			}
+
+			for _, ruleSet := range marker.RuleSets {
+				if markerMatchesAttributeRules(mark, ruleSet.Attributes...) {
+					reportFunc(mark)
+				}
+			}
+		}
+	}
+}
+
+func markerMatchesAttributeRules(marker markers.Marker, attrRules ...MarkerAttribute) bool {
+	for _, attrRule := range attrRules {
+		// if the marker doesn't contain the attribute for a specified rule it fails the AND
+		// operation.
+		val, ok := marker.Expressions[attrRule.Name]
+		if !ok {
+			return false
+		}
+
+		// if the value doesn't match one of the forbidden ones, this marker is not forbidden
+		if len(attrRule.Values) > 0 && !slices.Contains(attrRule.Values, val) {
+			return false
+		}
+	}
+
+	return true
+}
+
+func reportField(pass *analysis.Pass, field *ast.Field) func(marker markers.Marker) {
+	return func(marker markers.Marker) {
+		pass.Report(analysis.Diagnostic{
+			Pos:     field.Pos(),
+			Message: fmt.Sprintf("field %s has forbidden marker %q", field.Names[0].Name, marker.String()),
+			SuggestedFixes: []analysis.SuggestedFix{
+				{
+					Message: fmt.Sprintf("remove forbidden marker %q", marker.String()),
+					TextEdits: []analysis.TextEdit{
+						{
+							Pos: marker.Pos,
+							End: marker.End,
+						},
+					},
+				},
+			},
+		})
+	}
+}
+
+func reportType(pass *analysis.Pass, typeSpec *ast.TypeSpec) func(marker markers.Marker) {
+	return func(marker markers.Marker) {
+		pass.Report(analysis.Diagnostic{
+			Pos:     typeSpec.Pos(),
+			Message: fmt.Sprintf("type %s has forbidden marker %q", typeSpec.Name, marker.String()),
+			SuggestedFixes: []analysis.SuggestedFix{
+				{
+					Message: fmt.Sprintf("remove forbidden marker %q", marker.String()),
+					TextEdits: []analysis.TextEdit{
+						{
+							Pos: marker.Pos,
+							End: marker.End,
+						},
+					},
+				},
+			},
+		})
+	}
+}