first pass at adding exemptions

FairwindsOps · Oct 14, 2019 · e97a863 · e97a863
1 parent 150b812
commit e97a863
Show file tree

Hide file tree

Showing 11 changed files with 454 additions and 122 deletions.
diff --git a/examples/config-full.yaml b/examples/config-full.yaml
@@ -63,3 +63,73 @@ security:
     warning:
       ifAnyAddedBeyond:
         - NONE
+exemptions:
+  - controllerNames:
+    - dns-controller
+    - datadog-datadog
+    - kube-flannel-ds
+    - kube2iam
+    - aws-iam-authenticator
+    - datadog
+    - kube2iam
+    rules:
+    - hostNetworkSet
+  - controllerNames:
+    - aws-iam-authenticator
+    - aws-cluster-autoscaler
+    - kube-state-metrics
+    - dns-controller
+    - external-dns
+    - dnsmasq
+    - autoscaler
+    - kubernetes-dashboard
+    - install-cni
+    - kube2iam
+    rules:
+    - readinessProbeMissing
+    - livenessProbeMissing
+  - controllerNames:
+    - aws-iam-authenticator
+    - nginx-ingress-controller
+    - nginx-ingress-default-backend
+    - aws-cluster-autoscaler
+    - kube-state-metrics
+    - dns-controller
+    - external-dns
+    - kubedns
+    - dnsmasq
+    - autoscaler
+    - tiller
+    - kube2iam
+    rules:
+    - runAsRootAllowed
+  - controllerNames:
+    - aws-iam-authenticator
+    - nginx-ingress-controller
+    - nginx-ingress-default-backend
+    - aws-cluster-autoscaler
+    - kube-state-metrics
+    - dns-controller
+    - external-dns
+    - kubedns
+    - dnsmasq
+    - autoscaler
+    - tiller
+    - kube2iam
+    rules:
+    - notReadOnlyRootFileSystem
+  - controllerNames:
+    - cert-manager
+    - dns-controller
+    - kubedns
+    - dnsmasq
+    - autoscaler
+    rules:
+    - cpuRequestsMissing
+    - cpuLimitsMissing
+    - memoryRequestsMissing
+    - memoryLimitsMissing
+  - controllerNames:
+    - kube2iam
+    rules:
+    - runAsPrivileged
diff --git a/examples/config.yaml b/examples/config.yaml
@@ -48,3 +48,73 @@ controllers_to_scan:
   - CronJobs
   - Jobs
   - ReplicationControllers
+exemptions2:
+  - controllerNames:
+    - dns-controller
+    - datadog-datadog
+    - kube-flannel-ds
+    - kube2iam
+    - aws-iam-authenticator
+    - datadog
+    - kube2iam
+    rules:
+    - hostNetworkSet
+  - controllerNames:
+    - aws-iam-authenticator
+    - aws-cluster-autoscaler
+    - kube-state-metrics
+    - dns-controller
+    - external-dns
+    - dnsmasq
+    - autoscaler
+    - kubernetes-dashboard
+    - install-cni
+    - kube2iam
+    rules:
+    - readinessProbeMissing
+    - livenessProbeMissing
+  - controllerNames:
+    - aws-iam-authenticator
+    - nginx-ingress-controller
+    - nginx-ingress-default-backend
+    - aws-cluster-autoscaler
+    - kube-state-metrics
+    - dns-controller
+    - external-dns
+    - kubedns
+    - dnsmasq
+    - autoscaler
+    - tiller
+    - kube2iam
+    rules:
+    - runAsRootAllowed
+  - controllerNames:
+    - aws-iam-authenticator
+    - nginx-ingress-controller
+    - nginx-ingress-default-backend
+    - aws-cluster-autoscaler
+    - kube-state-metrics
+    - dns-controller
+    - external-dns
+    - kubedns
+    - dnsmasq
+    - autoscaler
+    - tiller
+    - kube2iam
+    rules:
+    - notReadOnlyRootFileSystem
+  - controllerNames:
+    - cert-manager
+    - dns-controller
+    - kubedns
+    - dnsmasq
+    - autoscaler
+    rules:
+    - cpuRequestsMissing
+    - cpuLimitsMissing
+    - memoryRequestsMissing
+    - memoryLimitsMissing
+  - controllerNames:
+    - kube2iam
+    rules:
+    - runAsPrivileged
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -37,6 +37,13 @@ type Configuration struct {
 	Networking        Networking            `json:"networking"`
 	Security          Security              `json:"security"`
 	ControllersToScan []SupportedController `json:"controllers_to_scan"`
+	Exemptions        []Exemption           `json:"exemptions"`
+}
+
+// Exemption represents an exemption to normal rules
+type Exemption struct {
+	Rules           []string `json:"rules"`
+	ControllerNames []string `json:"controllerNames"`
 }
 
 // Resources contains config for resource requests and limits.

diff --git a/pkg/config/exemptions.go b/pkg/config/exemptions.go
@@ -0,0 +1,27 @@
+package config
+
+import (
+	"reflect"
+)
+
+func IsActionable(conf *Configuration, subConf interface{}, ruleName, controllerName string) bool {
+	ruleID := GetIDFromField(subConf, ruleName)
+	subConfRef := reflect.ValueOf(subConf)
+	severity, ok := reflect.Indirect(subConfRef).FieldByName(ruleName).Interface().(Severity)
+	if ok && !severity.IsActionable() {
+		return false
+	}
+	for _, example := range conf.Exemptions {
+		for _, rule := range example.Rules {
+			if rule != ruleID {
+				continue
+			}
+			for _, controller := range example.ControllerNames {
+				if controller == controllerName {
+					return false
+				}
+			}
+		}
+	}
+	return true
+}
diff --git a/pkg/validator/ids.go → pkg/config/ids.go b/pkg/validator/ids.go → pkg/config/ids.go
@@ -1,10 +1,10 @@
-package validator
+package config
 
 import (
 	"reflect"
 )
 
-func getIDFromField(config interface{}, name string) string {
+func GetIDFromField(config interface{}, name string) string {
 	t := reflect.TypeOf(config)
 	field, ok := t.FieldByName(name)
 	if !ok {