Add exemptions to config (#204)

* first pass at adding exemptions * Update config.yaml * make config_test more reliable * add flag to disallow exemptions in dashboard * add disallow-exemptions flag to CLI * add comments * fix exemptions flag * fix alert on dashboard * minor style changes
FairwindsOps · Oct 23, 2019 · 2b15f11 · 2b15f11
1 parent b172f61
commit 2b15f11
Show file tree

Hide file tree

Showing 16 changed files with 575 additions and 161 deletions.
diff --git a/examples/config-full.yaml b/examples/config-full.yaml
@@ -63,3 +63,73 @@ security:
     warning:
       ifAnyAddedBeyond:
         - NONE
+exemptions:
+  - controllerNames:
+    - dns-controller
+    - datadog-datadog
+    - kube-flannel-ds
+    - kube2iam
+    - aws-iam-authenticator
+    - datadog
+    - kube2iam
+    rules:
+    - hostNetworkSet
+  - controllerNames:
+    - aws-iam-authenticator
+    - aws-cluster-autoscaler
+    - kube-state-metrics
+    - dns-controller
+    - external-dns
+    - dnsmasq
+    - autoscaler
+    - kubernetes-dashboard
+    - install-cni
+    - kube2iam
+    rules:
+    - readinessProbeMissing
+    - livenessProbeMissing
+  - controllerNames:
+    - aws-iam-authenticator
+    - nginx-ingress-controller
+    - nginx-ingress-default-backend
+    - aws-cluster-autoscaler
+    - kube-state-metrics
+    - dns-controller
+    - external-dns
+    - kubedns
+    - dnsmasq
+    - autoscaler
+    - tiller
+    - kube2iam
+    rules:
+    - runAsRootAllowed
+  - controllerNames:
+    - aws-iam-authenticator
+    - nginx-ingress-controller
+    - nginx-ingress-default-backend
+    - aws-cluster-autoscaler
+    - kube-state-metrics
+    - dns-controller
+    - external-dns
+    - kubedns
+    - dnsmasq
+    - autoscaler
+    - tiller
+    - kube2iam
+    rules:
+    - notReadOnlyRootFileSystem
+  - controllerNames:
+    - cert-manager
+    - dns-controller
+    - kubedns
+    - dnsmasq
+    - autoscaler
+    rules:
+    - cpuRequestsMissing
+    - cpuLimitsMissing
+    - memoryRequestsMissing
+    - memoryLimitsMissing
+  - controllerNames:
+    - kube2iam
+    rules:
+    - runAsPrivileged
diff --git a/examples/config.yaml b/examples/config.yaml
@@ -48,3 +48,73 @@ controllers_to_scan:
   - CronJobs
   - Jobs
   - ReplicationControllers
+exemptions:
+  - controllerNames:
+    - dns-controller
+    - datadog-datadog
+    - kube-flannel-ds
+    - kube2iam
+    - aws-iam-authenticator
+    - datadog
+    - kube2iam
+    rules:
+    - hostNetworkSet
+  - controllerNames:
+    - aws-iam-authenticator
+    - aws-cluster-autoscaler
+    - kube-state-metrics
+    - dns-controller
+    - external-dns
+    - dnsmasq
+    - autoscaler
+    - kubernetes-dashboard
+    - install-cni
+    - kube2iam
+    rules:
+    - readinessProbeMissing
+    - livenessProbeMissing
+  - controllerNames:
+    - aws-iam-authenticator
+    - nginx-ingress-controller
+    - nginx-ingress-default-backend
+    - aws-cluster-autoscaler
+    - kube-state-metrics
+    - dns-controller
+    - external-dns
+    - kubedns
+    - dnsmasq
+    - autoscaler
+    - tiller
+    - kube2iam
+    rules:
+    - runAsRootAllowed
+  - controllerNames:
+    - aws-iam-authenticator
+    - nginx-ingress-controller
+    - nginx-ingress-default-backend
+    - aws-cluster-autoscaler
+    - kube-state-metrics
+    - dns-controller
+    - external-dns
+    - kubedns
+    - dnsmasq
+    - autoscaler
+    - tiller
+    - kube2iam
+    rules:
+    - notReadOnlyRootFileSystem
+  - controllerNames:
+    - cert-manager
+    - dns-controller
+    - kubedns
+    - dnsmasq
+    - autoscaler
+    rules:
+    - cpuRequestsMissing
+    - cpuLimitsMissing
+    - memoryRequestsMissing
+    - memoryLimitsMissing
+  - controllerNames:
+    - kube2iam
+    rules:
+    - runAsPrivileged
diff --git a/main.go b/main.go
@@ -62,53 +62,51 @@ func main() {
 	loadAuditFile := flag.String("load-audit-file", "", "Runs the dashboard with data saved from a past audit.")
 	displayName := flag.String("display-name", "", "An optional identifier for the audit")
 	configPath := flag.String("config", "", "Location of Polaris configuration file")
+	disallowExemptions := flag.Bool("disallow-exemptions", false, "Location of Polaris configuration file")
 	logLevel := flag.String("log-level", logrus.InfoLevel.String(), "Logrus log level")
 	version := flag.Bool("version", false, "Prints the version of Polaris")
 	disableWebhookConfigInstaller := flag.Bool("disable-webhook-config-installer", false,
 		"disable the installer in the webhook server, so it won't install webhook configuration resources during bootstrapping")
 
 	flag.Parse()
 
-	// if version is specified anywhere, print and exit
 	if *version {
 		fmt.Printf("Polaris version %s\n", Version)
 		os.Exit(0)
 	}
 
-	// Set logging level
 	parsedLevel, err := logrus.ParseLevel(*logLevel)
 	if err != nil {
 		logrus.Errorf("log-level flag has invalid value %s", *logLevel)
 	} else {
 		logrus.SetLevel(parsedLevel)
 	}
 
-	// Parse the config file
 	c, err := conf.ParseFile(*configPath)
 	if err != nil {
 		logrus.Errorf("Error parsing config at %s: %v", *configPath, err)
 		os.Exit(1)
 	}
 
-	// Override display name on reports if defined in CLI flags
 	if *displayName != "" {
 		c.DisplayName = *displayName
 	}
 
-	// default to run as audit if no "run-mode" is defined
+	if *disallowExemptions {
+		c.DisallowExemptions = true
+	}
+
 	if !*dashboard && !*webhook && !*audit {
 		*audit = true
 	}
 
-	// perform the action for the desired "run-mode"
 	if *webhook {
 		startWebhookServer(c, *disableWebhookConfigInstaller, *webhookPort)
 	} else if *dashboard {
 		startDashboardServer(c, *auditPath, *loadAuditFile, *dashboardPort, *dashboardBasePath)
 	} else if *audit {
 		auditData := runAndReportAudit(c, *auditPath, *auditOutputFile, *auditOutputURL, *auditOutputFormat)
 
-		// exit code 3 if any errors in the audit else if score is under desired minimum, exit 4
 		if *setExitCode && auditData.ClusterSummary.Results.Totals.Errors > 0 {
 			logrus.Infof("%d errors found in audit", auditData.ClusterSummary.Results.Totals.Errors)
 			os.Exit(3)

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -30,13 +30,21 @@ import (
 
 // Configuration contains all of the config for the validation checks.
 type Configuration struct {
-	DisplayName       string                `json:"displayName"`
-	Resources         Resources             `json:"resources"`
-	HealthChecks      HealthChecks          `json:"healthChecks"`
-	Images            Images                `json:"images"`
-	Networking        Networking            `json:"networking"`
-	Security          Security              `json:"security"`
-	ControllersToScan []SupportedController `json:"controllers_to_scan"`
+	DisplayName        string                `json:"displayName"`
+	Resources          Resources             `json:"resources"`
+	HealthChecks       HealthChecks          `json:"healthChecks"`
+	Images             Images                `json:"images"`
+	Networking         Networking            `json:"networking"`
+	Security           Security              `json:"security"`
+	ControllersToScan  []SupportedController `json:"controllers_to_scan"`
+	Exemptions         []Exemption           `json:"exemptions"`
+	DisallowExemptions bool                  `json:"disallowExemptions"`
+}
+
+// Exemption represents an exemption to normal rules
+type Exemption struct {
+	Rules           []string `json:"rules"`
+	ControllerNames []string `json:"controllerNames"`
 }
 
 // Resources contains config for resource requests and limits.

diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
@@ -21,6 +21,7 @@ import (
 	"net/http"
 	"regexp"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 	"k8s.io/apimachinery/pkg/api/resource"
@@ -146,6 +147,7 @@ func TestConfigFromURL(t *testing.T) {
 			log.Fatalf("ListenAndServe(): %s", err)
 		}
 	}()
+	time.Sleep(time.Second)
 
 	parsedConf, err = ParseFile("http://localhost:8081/exampleURL")
 	assert.NoError(t, err, "Expected no error when parsing YAML from URL")

diff --git a/pkg/config/exemptions.go b/pkg/config/exemptions.go
@@ -0,0 +1,31 @@
+package config
+
+import (
+	"reflect"
+)
+
+// IsActionable determines whether a check is actionable given the current configuration
+func (conf *Configuration) IsActionable(subConf interface{}, ruleName, controllerName string) bool {
+	ruleID := GetIDFromField(subConf, ruleName)
+	subConfRef := reflect.ValueOf(subConf)
+	severity, ok := reflect.Indirect(subConfRef).FieldByName(ruleName).Interface().(Severity)
+	if ok && !severity.IsActionable() {
+		return false
+	}
+	if conf.DisallowExemptions {
+		return true
+	}
+	for _, example := range conf.Exemptions {
+		for _, rule := range example.Rules {
+			if rule != ruleID {
+				continue
+			}
+			for _, controller := range example.ControllerNames {
+				if controller == controllerName {
+					return false
+				}
+			}
+		}
+	}
+	return true
+}
diff --git a/pkg/validator/ids.go → pkg/config/ids.go b/pkg/validator/ids.go → pkg/config/ids.go
@@ -1,10 +1,11 @@
-package validator
+package config
 
 import (
 	"reflect"
 )
 
-func getIDFromField(config interface{}, name string) string {
+// GetIDFromField returns the JSON key associated with a particular field, which serves as the check ID.
+func GetIDFromField(config interface{}, name string) string {
 	t := reflect.TypeOf(config)
 	field, ok := t.FieldByName(name)
 	if !ok {

diff --git a/pkg/dashboard/assets/css/main.css b/pkg/dashboard/assets/css/main.css
@@ -57,3 +57,13 @@ body {
   text-decoration: underline;
 }
 
+.exemption-alert {
+  margin-top: 15px;
+  padding: 15px;
+  border: 1px solid #f26c21;
+  border-radius: 2px;
+}
+.exemption-alert .fa-exclamation {
+  margin-right: 10px;
+  color: #f26c21;
+}