feat: Audit configuration of other K8s objects (aquasecurity#644)

- [x] Services
- [x] ConfigMaps
- [x] Roles
- [x] RoleBindings
- [x] ClusterRole
- [x] ClusterRoleBindings
- [x] CustomResourceDefinitions

Resolves: aquasecurity#559

Co-authored-by: deven0t
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>

deploy/helm/templates/rbac.yaml

@@ -33,14 +33,15 @@ rules:
       - pods
       - pods/log
       - replicationcontrollers
+      - services
     verbs:
       - get
       - list
       - watch
   - apiGroups:
       - ""
     resources:
-      - "nodes"
+      - nodes
     verbs:
       - get
       - list
@@ -71,7 +72,7 @@ rules:
       - create
   - apiGroups:
       - apps
-    resources: # resources that own pods are inspected
+    resources:
       - replicasets
       - statefulsets
       - daemonsets
@@ -82,26 +83,44 @@ rules:
   - apiGroups:
       - batch
     resources:
+      - jobs
       - cronjobs
     verbs:
       - get
       - list
       - watch
   - apiGroups:
-      - batch
-    resources: # jobs are inspected and directly used by the starboard-operator
-      - jobs
+      - rbac.authorization.k8s.io
+    resources:
+      - roles
+      - rolebindings
+      - clusterroles
+      - clusterrolebindings
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+      - batch
+    resources:
+      - jobs
+    verbs:
       - create
       - delete
   - apiGroups:
       - aquasecurity.github.io
     resources:
       - vulnerabilityreports
       - configauditreports
+      - clusterconfigauditreports
       - ciskubebenchreports
     verbs:
       - get

deploy/static/03-starboard-operator.clusterrole.yaml

@@ -11,14 +11,15 @@ rules:
       - pods
       - pods/log
       - replicationcontrollers
+      - services
     verbs:
       - get
       - list
       - watch
   - apiGroups:
       - ""
     resources:
-      - "nodes"
+      - nodes
     verbs:
       - get
       - list
@@ -60,26 +61,44 @@ rules:
   - apiGroups:
       - batch
     resources:
+      - jobs
       - cronjobs
     verbs:
       - get
       - list
       - watch
   - apiGroups:
-      - batch
+      - rbac.authorization.k8s.io
     resources:
-      - jobs
+      - roles
+      - rolebindings
+      - clusterroles
+      - clusterrolebindings
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+      - batch
+    resources:
+      - jobs
+    verbs:
       - create
       - delete
   - apiGroups:
       - aquasecurity.github.io
     resources:
       - vulnerabilityreports
       - configauditreports
+      - clusterconfigauditreports
       - ciskubebenchreports
     verbs:
       - get

docs/crds/configaudit-report.md

@@ -22,7 +22,7 @@ metadata:
     starboard.resource.name: nginx-6d4cf56db6
     starboard.resource.namespace: default
     plugin-config-hash: 7f65d98b75
-    pod-spec-hash: 7cb64cb677
+    resource-spec-hash: 7cb64cb677
   uid: d5cf8847-c96d-4534-beb9-514a34230302
   ownerReferences:
     - apiVersion: apps/v1

docs/crds/vulnerability-report.md

@@ -20,7 +20,7 @@ metadata:
     starboard.resource.kind: ReplicaSet
     starboard.resource.name: nginx-6d4cf56db6
     starboard.resource.namespace: default
-    pod-spec-hash: 7cb64cb677
+    resource-spec-hash: 7cb64cb677
   uid: 8aa1a7cb-a319-4b93-850d-5a67827dfbbf
   ownerReferences:
     - apiVersion: apps/v1

itest/starboard-operator/behavior/behavior.go

@@ -13,6 +13,7 @@ import (
 	batchv1beta1 "k8s.io/api/batch/v1beta1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/rand"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
@@ -415,6 +416,45 @@ func ConfigurationCheckerBehavior(inputs *Inputs) func() {
 		// TODO Add scenario for StatefulSet
 
 		// TODO Add scenario for DaemonSet
+
+		Context("When Service is created", func() {
+			var ctx context.Context
+			var svc *corev1.Service
+
+			BeforeEach(func() {
+				ctx = context.Background()
+				svc = &corev1.Service{
+					ObjectMeta: metav1.ObjectMeta{
+						Namespace: inputs.PrimaryNamespace,
+						Name:      "nginx-" + rand.String(5),
+					},
+					Spec: corev1.ServiceSpec{
+						Selector: map[string]string{
+							"app": "nginx",
+						},
+						Ports: []corev1.ServicePort{
+							{
+								Port:       80,
+								TargetPort: intstr.FromInt(80),
+								Protocol:   corev1.ProtocolTCP,
+							},
+						},
+					},
+				}
+				err := inputs.Create(ctx, svc)
+				Expect(err).ToNot(HaveOccurred())
+			})
+
+			It("Should create ConfigAuditReport", func() {
+				Eventually(inputs.HasConfigAuditReportOwnedBy(svc), inputs.AssertTimeout).Should(BeTrue())
+			})
+
+			AfterEach(func() {
+				err := inputs.Delete(ctx, svc)
+				Expect(err).ToNot(HaveOccurred())
+			})
+
+		})
 	}
 }
 

pkg/cmd/scan_configauditreports.go

@@ -73,11 +73,11 @@ func ScanConfigAuditReports(buildInfo starboard.BuildInfo, cf *genericclioptions
 			return err
 		}
 		scanner := configauditreport.NewScanner(kubeClientset, kubeClient, plugin, pluginContext, config, opts)
-		report, err := scanner.Scan(ctx, workload)
+		reportBuilder, err := scanner.Scan(ctx, workload)
 		if err != nil {
 			return err
 		}
 		writer := configauditreport.NewReadWriter(kubeClient)
-		return writer.WriteReport(ctx, report)
+		return reportBuilder.Write(ctx, writer)
 	}
 }