From 257359339d3274df725532c89c85a278de05cb65 Mon Sep 17 00:00:00 2001 From: Christophe Tafani-Dereeper Date: Wed, 12 Apr 2023 00:47:12 +0200 Subject: [PATCH] Add basis for CI --- .github/workflows/release.yml | 33 +++++++++++++ .github/workflows/static-analysis.yml | 26 +++++++++++ .github/workflows/test.yml | 27 +++++++++++ .goreleaser.yaml | 41 +++++++++++++++++ Makefile | 3 +- .../eks/main.go | 2 +- .../main.go | 9 ++-- docs/mkat.md | 17 ------- docs/mkat_autogen-docs.md | 19 -------- docs/mkat_completion.md | 25 ---------- docs/mkat_completion_bash.md | 44 ------------------ docs/mkat_completion_fish.md | 35 -------------- docs/mkat_completion_powershell.md | 32 ------------- docs/mkat_completion_zsh.md | 46 ------------------- docs/mkat_eks.md | 18 -------- docs/mkat_eks_find-role-relationships.md | 31 ------------- docs/mkat_eks_find-secrets.md | 29 ------------ docs/mkat_eks_test-imds-access.md | 29 ------------ .../eks/role_relationships/roles_resolver.go | 7 ++- .../eks/secrets/aws_secrets.go | 2 +- 20 files changed, 140 insertions(+), 335 deletions(-) create mode 100644 .github/workflows/release.yml create mode 100644 .github/workflows/static-analysis.yml create mode 100644 .github/workflows/test.yml create mode 100644 .goreleaser.yaml delete mode 100644 docs/mkat.md delete mode 100644 docs/mkat_autogen-docs.md delete mode 100644 docs/mkat_completion.md delete mode 100644 docs/mkat_completion_bash.md delete mode 100644 docs/mkat_completion_fish.md delete mode 100644 docs/mkat_completion_powershell.md delete mode 100644 docs/mkat_completion_zsh.md delete mode 100644 docs/mkat_eks.md delete mode 100644 docs/mkat_eks_find-role-relationships.md delete mode 100644 docs/mkat_eks_find-secrets.md delete mode 100644 docs/mkat_eks_test-imds-access.md diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..4f1edff --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,33 @@ +name: release + +on: + push: + tags: + - "v*" + +permissions: + contents: read + +jobs: + goreleaser: + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - name: Checkout + uses: actions/checkout@v2.5.0 + with: + fetch-depth: 0 + - name: Set up Go + uses: actions/setup-go@v3.3.1 + with: + go-version: 1.19 + - name: Run GoReleaser + timeout-minutes: 60 + uses: goreleaser/goreleaser-action@v3.2.0 + with: + distribution: goreleaser + version: latest + args: release --rm-dist --config .goreleaser.yaml + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml new file mode 100644 index 0000000..de8fd03 --- /dev/null +++ b/.github/workflows/static-analysis.yml @@ -0,0 +1,26 @@ +name: "go static analysis" + +on: + push: + branches: + - main + pull_request: + branches: + - main + +jobs: + static-analysis: + name: "Run Go static analysis" + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + with: + fetch-depth: 1 + - name: Set up Go + uses: actions/setup-go@v2 + with: + go-version: 1.18 + - uses: dominikh/staticcheck-action@v1.2.0 + with: + version: "2022.1" + install-go: false diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 0000000..7056536 --- /dev/null +++ b/.github/workflows/test.yml @@ -0,0 +1,27 @@ +name: Tests + +on: + push: + branches: + - main + pull_request: + branches: + - main + +permissions: + contents: read + +jobs: + unit-test: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + - name: Set up Go + uses: actions/setup-go@v2 + with: + go-version: 1.18 + + - name: Run unit tests + run: make test diff --git a/.goreleaser.yaml b/.goreleaser.yaml new file mode 100644 index 0000000..49c17ba --- /dev/null +++ b/.goreleaser.yaml @@ -0,0 +1,41 @@ +before: + hooks: + - go mod tidy +builds: + - env: + - CGO_ENABLED=0 + goos: + - linux + - windows + - darwin + ldflags: + - -X main.BuildVersion={{.Version}} + + dir: cmd/managed-kubernetes-auditing-toolkit + binary: mkat +brews: + - name: managed-kubernetes-auditing-toolkit + tap: + owner: datadog + name: managed-kubernetes-auditing-toolkit + folder: Formula + url_template: "https://github.com/DataDog/managed-kubernetes-auditing-toolkit/releases/download/{{ .Tag }}/{{ .ArtifactName }}" + license: Apache-2.0 + homepage: "https://github.com/DataDog/managed-kubernetes-auditing-toolkit" +archives: + - replacements: + darwin: Darwin + linux: Linux + windows: Windows + 386: i386 + amd64: x86_64 +checksum: + name_template: 'checksums.txt' +snapshot: + name_template: "{{ incpatch .Version }}-next" +changelog: + sort: asc + filters: + exclude: + - '^docs:' + - '^test:' diff --git a/Makefile b/Makefile index 116d905..fb64374 100644 --- a/Makefile +++ b/Makefile @@ -1,9 +1,10 @@ MAKEFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST))) ROOT_DIR := $(dir $(MAKEFILE_PATH)) +BUILD_VERSION=dev-snapshot all: mkdir -p bin - go build -o bin/mkat ./cmd/managed-kubernetes-auditing-toolkit/main.go + go build -ldflags="-X main.BuildVersion=$(BUILD_VERSION)" -o bin/mkat ./cmd/managed-kubernetes-auditing-toolkit/main.go test: go test ./... -v diff --git a/cmd/managed-kubernetes-auditing-toolkit/eks/main.go b/cmd/managed-kubernetes-auditing-toolkit/eks/main.go index c50fad8..1182017 100644 --- a/cmd/managed-kubernetes-auditing-toolkit/eks/main.go +++ b/cmd/managed-kubernetes-auditing-toolkit/eks/main.go @@ -16,7 +16,7 @@ func BuildEksSubcommand() *cobra.Command { figure.NewFigure("mkat", "", true).Print() println() if !utils.IsEKS() { - return errors.New("You do not seem to be connected to an EKS cluster. Connect to an EKS cluster and try again") + return errors.New("you do not seem to be connected to an EKS cluster. Connect to an EKS cluster and try again") } clusterName := utils.GetEKSClusterName() if clusterName != "" { diff --git a/cmd/managed-kubernetes-auditing-toolkit/main.go b/cmd/managed-kubernetes-auditing-toolkit/main.go index 7b4d2ea..6de5586 100644 --- a/cmd/managed-kubernetes-auditing-toolkit/main.go +++ b/cmd/managed-kubernetes-auditing-toolkit/main.go @@ -3,9 +3,11 @@ package main import ( "github.com/datadog/managed-kubernetes-auditing-toolkit/cmd/managed-kubernetes-auditing-toolkit/eks" "github.com/spf13/cobra" - "github.com/spf13/cobra/doc" ) +// BuildVersion is injected at compilation time +var BuildVersion = "" + var rootCmd = &cobra.Command{ Use: "mkat", DisableFlagsInUseLine: true, @@ -17,9 +19,10 @@ func init() { rootCmd.AddCommand(eks.BuildEksSubcommand()) rootCmd.AddCommand(&cobra.Command{ - Use: "autogen-docs", + Use: "version", + Short: "Display the current CLI version", Run: func(cmd *cobra.Command, args []string) { - doc.GenMarkdownTree(rootCmd, "./docs") + println(BuildVersion) }, }) } diff --git a/docs/mkat.md b/docs/mkat.md deleted file mode 100644 index 9729ea9..0000000 --- a/docs/mkat.md +++ /dev/null @@ -1,17 +0,0 @@ -## mkat - - - -### Options - -``` - -h, --help help for mkat -``` - -### SEE ALSO - -* [mkat autogen-docs](mkat_autogen-docs.md) - -* [mkat completion](mkat_completion.md) - Generate the autocompletion script for the specified shell -* [mkat eks](mkat_eks.md) - - -###### Auto generated by spf13/cobra on 5-Apr-2023 diff --git a/docs/mkat_autogen-docs.md b/docs/mkat_autogen-docs.md deleted file mode 100644 index 0ef4ee8..0000000 --- a/docs/mkat_autogen-docs.md +++ /dev/null @@ -1,19 +0,0 @@ -## mkat autogen-docs - - - -``` -mkat autogen-docs [flags] -``` - -### Options - -``` - -h, --help help for autogen-docs -``` - -### SEE ALSO - -* [mkat](mkat.md) - - -###### Auto generated by spf13/cobra on 5-Apr-2023 diff --git a/docs/mkat_completion.md b/docs/mkat_completion.md deleted file mode 100644 index 7ec1856..0000000 --- a/docs/mkat_completion.md +++ /dev/null @@ -1,25 +0,0 @@ -## mkat completion - -Generate the autocompletion script for the specified shell - -### Synopsis - -Generate the autocompletion script for mkat for the specified shell. -See each sub-command's help for details on how to use the generated script. - - -### Options - -``` - -h, --help help for completion -``` - -### SEE ALSO - -* [mkat](mkat.md) - -* [mkat completion bash](mkat_completion_bash.md) - Generate the autocompletion script for bash -* [mkat completion fish](mkat_completion_fish.md) - Generate the autocompletion script for fish -* [mkat completion powershell](mkat_completion_powershell.md) - Generate the autocompletion script for powershell -* [mkat completion zsh](mkat_completion_zsh.md) - Generate the autocompletion script for zsh - -###### Auto generated by spf13/cobra on 5-Apr-2023 diff --git a/docs/mkat_completion_bash.md b/docs/mkat_completion_bash.md deleted file mode 100644 index 4caed6a..0000000 --- a/docs/mkat_completion_bash.md +++ /dev/null @@ -1,44 +0,0 @@ -## mkat completion bash - -Generate the autocompletion script for bash - -### Synopsis - -Generate the autocompletion script for the bash shell. - -This script depends on the 'bash-completion' package. -If it is not installed already, you can install it via your OS's package manager. - -To load completions in your current shell session: - - source <(mkat completion bash) - -To load completions for every new session, execute once: - -#### Linux: - - mkat completion bash > /etc/bash_completion.d/mkat - -#### macOS: - - mkat completion bash > $(brew --prefix)/etc/bash_completion.d/mkat - -You will need to start a new shell for this setup to take effect. - - -``` -mkat completion bash -``` - -### Options - -``` - -h, --help help for bash - --no-descriptions disable completion descriptions -``` - -### SEE ALSO - -* [mkat completion](mkat_completion.md) - Generate the autocompletion script for the specified shell - -###### Auto generated by spf13/cobra on 5-Apr-2023 diff --git a/docs/mkat_completion_fish.md b/docs/mkat_completion_fish.md deleted file mode 100644 index b145dbb..0000000 --- a/docs/mkat_completion_fish.md +++ /dev/null @@ -1,35 +0,0 @@ -## mkat completion fish - -Generate the autocompletion script for fish - -### Synopsis - -Generate the autocompletion script for the fish shell. - -To load completions in your current shell session: - - mkat completion fish | source - -To load completions for every new session, execute once: - - mkat completion fish > ~/.config/fish/completions/mkat.fish - -You will need to start a new shell for this setup to take effect. - - -``` -mkat completion fish [flags] -``` - -### Options - -``` - -h, --help help for fish - --no-descriptions disable completion descriptions -``` - -### SEE ALSO - -* [mkat completion](mkat_completion.md) - Generate the autocompletion script for the specified shell - -###### Auto generated by spf13/cobra on 5-Apr-2023 diff --git a/docs/mkat_completion_powershell.md b/docs/mkat_completion_powershell.md deleted file mode 100644 index ad2daa7..0000000 --- a/docs/mkat_completion_powershell.md +++ /dev/null @@ -1,32 +0,0 @@ -## mkat completion powershell - -Generate the autocompletion script for powershell - -### Synopsis - -Generate the autocompletion script for powershell. - -To load completions in your current shell session: - - mkat completion powershell | Out-String | Invoke-Expression - -To load completions for every new session, add the output of the above command -to your powershell profile. - - -``` -mkat completion powershell [flags] -``` - -### Options - -``` - -h, --help help for powershell - --no-descriptions disable completion descriptions -``` - -### SEE ALSO - -* [mkat completion](mkat_completion.md) - Generate the autocompletion script for the specified shell - -###### Auto generated by spf13/cobra on 5-Apr-2023 diff --git a/docs/mkat_completion_zsh.md b/docs/mkat_completion_zsh.md deleted file mode 100644 index b5dfff7..0000000 --- a/docs/mkat_completion_zsh.md +++ /dev/null @@ -1,46 +0,0 @@ -## mkat completion zsh - -Generate the autocompletion script for zsh - -### Synopsis - -Generate the autocompletion script for the zsh shell. - -If shell completion is not already enabled in your environment you will need -to enable it. You can execute the following once: - - echo "autoload -U compinit; compinit" >> ~/.zshrc - -To load completions in your current shell session: - - source <(mkat completion zsh); compdef _mkat mkat - -To load completions for every new session, execute once: - -#### Linux: - - mkat completion zsh > "${fpath[1]}/_mkat" - -#### macOS: - - mkat completion zsh > $(brew --prefix)/share/zsh/site-functions/_mkat - -You will need to start a new shell for this setup to take effect. - - -``` -mkat completion zsh [flags] -``` - -### Options - -``` - -h, --help help for zsh - --no-descriptions disable completion descriptions -``` - -### SEE ALSO - -* [mkat completion](mkat_completion.md) - Generate the autocompletion script for the specified shell - -###### Auto generated by spf13/cobra on 5-Apr-2023 diff --git a/docs/mkat_eks.md b/docs/mkat_eks.md deleted file mode 100644 index 3c639c7..0000000 --- a/docs/mkat_eks.md +++ /dev/null @@ -1,18 +0,0 @@ -## mkat eks - - - -### Options - -``` - -h, --help help for eks -``` - -### SEE ALSO - -* [mkat](mkat.md) - -* [mkat eks find-role-relationships](mkat_eks_find-role-relationships.md) - Find relationships between your EKS service accounts and IAM roles -* [mkat eks find-secrets](mkat_eks_find-secrets.md) - Find hardcoded AWS secrets in your EKS cluster -* [mkat eks test-imds-access](mkat_eks_test-imds-access.md) - Test if your EKS cluster allows pod access to the IMDS - -###### Auto generated by spf13/cobra on 5-Apr-2023 diff --git a/docs/mkat_eks_find-role-relationships.md b/docs/mkat_eks_find-role-relationships.md deleted file mode 100644 index 3fccacf..0000000 --- a/docs/mkat_eks_find-role-relationships.md +++ /dev/null @@ -1,31 +0,0 @@ -## mkat eks find-role-relationships - -Find relationships between your EKS service accounts and IAM roles - -### Synopsis - -Analyzes your EKS cluster and finds all service accounts that can assume AWS roles, based on their trust policies - -``` -mkat eks find-role-relationships -``` - -### Examples - -``` -mkat eks find-role-relationships -``` - -### Options - -``` - -h, --help help for find-role-relationships - -o, --output-file string Output file. If not specified, output will be printed to stdout. - -f, --output-format string Output format. Supported formats: csv, text, dot (default "text") -``` - -### SEE ALSO - -* [mkat eks](mkat_eks.md) - - -###### Auto generated by spf13/cobra on 5-Apr-2023 diff --git a/docs/mkat_eks_find-secrets.md b/docs/mkat_eks_find-secrets.md deleted file mode 100644 index d042a17..0000000 --- a/docs/mkat_eks_find-secrets.md +++ /dev/null @@ -1,29 +0,0 @@ -## mkat eks find-secrets - -Find hardcoded AWS secrets in your EKS cluster - -### Synopsis - -find-secret will scan your EKS cluster for hardcoded AWS secrets in pod environment variables, configmaps and secrets - -``` -mkat eks find-secrets -``` - -### Examples - -``` -mkat eks find-secrets -``` - -### Options - -``` - -h, --help help for find-secrets -``` - -### SEE ALSO - -* [mkat eks](mkat_eks.md) - - -###### Auto generated by spf13/cobra on 5-Apr-2023 diff --git a/docs/mkat_eks_test-imds-access.md b/docs/mkat_eks_test-imds-access.md deleted file mode 100644 index d0e17fd..0000000 --- a/docs/mkat_eks_test-imds-access.md +++ /dev/null @@ -1,29 +0,0 @@ -## mkat eks test-imds-access - -Test if your EKS cluster allows pod access to the IMDS - -### Synopsis - -test-imds-access will check if your EKS cluster allows pods to access the IMDS by running a pod and executing a curl command hitting the IMDS - -``` -mkat eks test-imds-access -``` - -### Examples - -``` -mkat eks test-imds-access -``` - -### Options - -``` - -h, --help help for test-imds-access -``` - -### SEE ALSO - -* [mkat eks](mkat_eks.md) - - -###### Auto generated by spf13/cobra on 5-Apr-2023 diff --git a/pkg/managed-kubernetes-auditing-toolkit/eks/role_relationships/roles_resolver.go b/pkg/managed-kubernetes-auditing-toolkit/eks/role_relationships/roles_resolver.go index f19d40e..ad4ee2d 100644 --- a/pkg/managed-kubernetes-auditing-toolkit/eks/role_relationships/roles_resolver.go +++ b/pkg/managed-kubernetes-auditing-toolkit/eks/role_relationships/roles_resolver.go @@ -52,6 +52,9 @@ func (m *EKSClusterRolesResolver) ResolveClusterRoles(clusterName string) (*eks2 // Find all service accounts serviceAccountsByNamespace, err := m.getServiceAccountsByNamespace() + if err != nil { + return nil, fmt.Errorf("unable to retrieve service accounts: %v", err) + } cluster.ServiceAccountsByNamespace = serviceAccountsByNamespace // Resolve service accounts assumable roles @@ -154,10 +157,6 @@ func (m *EKSClusterRolesResolver) getRolesAssumableByServiceAccount(cluster *eks return assumableRoles, nil } -func (m *EKSClusterRolesResolver) resolvePodRoles() error { - return nil -} - func (m *EKSClusterRolesResolver) getPodsByNamespace(cluster *eks2.EKSCluster) (map[string][]eks2.K8sPod, error) { pods, err := m.K8sClient.CoreV1().Pods("").List(context.Background(), v1.ListOptions{}) if err != nil { diff --git a/pkg/managed-kubernetes-auditing-toolkit/eks/secrets/aws_secrets.go b/pkg/managed-kubernetes-auditing-toolkit/eks/secrets/aws_secrets.go index a973961..1c9c4de 100644 --- a/pkg/managed-kubernetes-auditing-toolkit/eks/secrets/aws_secrets.go +++ b/pkg/managed-kubernetes-auditing-toolkit/eks/secrets/aws_secrets.go @@ -29,7 +29,7 @@ func FindAwsCredentialsInUnstructuredString(input string) *AwsSecretScanningResu } func match(regex *regexp.Regexp, input string) *string { - tokens := regexp.MustCompile("(?s)\\s*[^a-zA-Z0-9./+)_-]+\\s*").Split(input, -1) + tokens := regexp.MustCompile(`(?s)\s*[^a-zA-Z0-9./+)_-]+\s*`).Split(input, -1) for _, token := range tokens { if token == "" { continue