feat: built-in OPA Rego policy-based configuration audit scanner

1. Perform synchronous configuration audit within reconciliation loop instead of creating Kubernetes Job objects and associated Secrets. 2. Configuration audits at scale with build-in controller-runtime workers. 3. Support NetworkPolicies, PodSecurityPolicies, Ingress, ResourceQuota and possibly other resources. 4. Use OPA Go SDK to evaluate policies read from the `starboard-policy-config` ConfigMap, which is compatible with Conftest plugin and KubeEnforcer. This is just an MVP, but for production workloads OPA policies can be prepared for evaluation and cached similarly to what OPA server does. 5. Preinstall all Kubernetes policies from https://github.com/aquasecurity/defsec/tree/v0.14.0/rules/kubernetes 6. First step to deprecate and remove Polaris and Conftest plugins to streamline code, usages, and documentation. Resolves: #889 Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
aquasecurity · Mar 7, 2022 · 461d763 · 461d763
1 parent afe2521
commit 461d763
Show file tree

Hide file tree

Showing 30 changed files with 4,683 additions and 26 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -160,7 +160,8 @@ jobs:
             -f deploy/crd/ciskubebenchreports.crd.yaml
           kubectl apply -f deploy/static/01-starboard-operator.ns.yaml \
             -f deploy/static/02-starboard-operator.rbac.yaml
-          kubectl apply -f deploy/static/03-starboard-operator.config.yaml
+          kubectl apply -f deploy/static/03-starboard-operator.config.yaml \
+            -f deploy/static/04-starboard-operator.policies.yaml
           make itests-starboard-operator
         env:
           KUBECONFIG: /home/runner/.kube/config

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -222,7 +222,8 @@ kubectl delete -k deploy/static
      OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED=true \
      OPERATOR_VULNERABILITY_SCANNER_ENABLED=true \
      OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS=false \
-     OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED=true \
+     OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED=false \
+     OPERATOR_CONFIG_AUDIT_SCANNER_BUILTIN=true \
      OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL="" \
      OPERATOR_BATCH_DELETE_LIMIT=3 \
      OPERATOR_BATCH_DELETE_DELAY="30s" \

diff --git a/deploy/helm/templates/deployment.yaml b/deploy/helm/templates/deployment.yaml
@@ -81,6 +81,8 @@ spec:
               value: {{ .Values.operator.vulnerabilityScannerReportTTL | quote }}
             - name: OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED
               value: {{ .Values.operator.configAuditScannerEnabled | quote }}
+            - name: OPERATOR_CONFIG_AUDIT_SCANNER_BUILTIN
+              value: {{ .Values.operator.configAuditScannerBuiltIn | quote }}
             {{- if gt (int .Values.operator.replicas) 1 }}
             - name: OPERATOR_LEADER_ELECTION_ENABLED
               value: "true"

diff --git a/deploy/helm/templates/policies.yaml b/deploy/helm/templates/policies.yaml
diff --git a/deploy/helm/templates/rbac.yaml b/deploy/helm/templates/rbac.yaml
@@ -34,6 +34,7 @@ rules:
       - pods/log
       - replicationcontrollers
       - services
+      - resourcequotas
     verbs:
       - get
       - list
@@ -116,6 +117,23 @@ rules:
     verbs:
       - create
       - delete
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - networkpolicies
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - policy
+    resources:
+      - podsecuritypolicies
+    verbs:
+      - get
+      - list
+      - watch
   - apiGroups:
       - aquasecurity.github.io
     resources:

diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -38,7 +38,9 @@ operator:
   # vulnerabilityScannerReportTTL the flag to set how long a vulnerability report should exist. "" means that the vulnerabilityScannerReportTTL feature is disabled
   vulnerabilityScannerReportTTL: ""
   # configAuditScannerEnabled the flag to enable configuration audit scanner
-  configAuditScannerEnabled: true
+  configAuditScannerEnabled: false
+  # configAuditScannerBuiltIn the flag to enable built-in configuration audit scanner
+  configAuditScannerBuiltIn: true
   # kubernetesBenchmarkEnabled the flag to enable CIS Kubernetes Benchmark scanner
   kubernetesBenchmarkEnabled: true
   # batchDeleteLimit the maximum number of config audit reports deleted by the operator when the plugin's config has changed.

diff --git a/deploy/static/02-starboard-operator.rbac.yaml b/deploy/static/02-starboard-operator.rbac.yaml
@@ -27,6 +27,7 @@ rules:
       - pods/log
       - replicationcontrollers
       - services
+      - resourcequotas
     verbs:
       - get
       - list
@@ -109,6 +110,23 @@ rules:
     verbs:
       - create
       - delete
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - networkpolicies
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - policy
+    resources:
+      - podsecuritypolicies
+    verbs:
+      - get
+      - list
+      - watch
   - apiGroups:
       - aquasecurity.github.io
     resources:

diff --git a/deploy/static/04-starboard-operator.policies.yaml b/deploy/static/04-starboard-operator.policies.yaml
diff --git a/...tic/04-starboard-operator.deployment.yaml → ...tic/05-starboard-operator.deployment.yaml b/...tic/04-starboard-operator.deployment.yaml → ...tic/05-starboard-operator.deployment.yaml
@@ -84,6 +84,8 @@ spec:
             - name: OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL
               value: ""
             - name: OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED
+              value: "false"
+            - name: OPERATOR_CONFIG_AUDIT_SCANNER_BUILTIN
               value: "true"
           ports:
             - name: metrics

diff --git a/deploy/static/starboard.yaml b/deploy/static/starboard.yaml
diff --git a/docs/operator/configuration.md b/docs/operator/configuration.md
@@ -15,7 +15,8 @@ Configuration of the operator's Pod is done via environment variables at startup
 | `OPERATOR_HEALTH_PROBE_BIND_ADDRESS`                         | `:9090`              | The TCP address to bind to for serving health probes, i.e. `/healthz/` and `/readyz/` endpoints.                                                                                                             |
 | `OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED`                  | `true`               | The flag to enable CIS Kubernetes Benchmark scanner                                                                                                                                                          |
 | `OPERATOR_VULNERABILITY_SCANNER_ENABLED`                     | `true`               | The flag to enable vulnerability scanner                                                                                                                                                                     |
-| `OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED`                      | `true`               | The flag to enable configuration audit scanner                                                                                                                                                               |
+| `OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED`                      | `false`              | The flag to enable plugin-based configuration audit scanner                                                                                                                                                  |
+| `OPERATOR_CONFIG_AUDIT_SCANNER_BUILTIN`                      | `true`               | The flag to enable built-in configuration audit scanner                                                                                                                                                      |
 | `OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS` | `false`              | The flag to enable vulnerability scanner to only scan the current revision of a deployment                                                                                                                   |
 | `OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL`                  | `""`                 | The flag to set how long a vulnerability report should exist. When a old report is deleted a new one will be created by the controller. It can be set to `""` to disabled the TTL for vulnerability scanner. |
 | `OPERATOR_LEADER_ELECTION_ENABLED`                           | `false`              | The flag to enable operator replica leader election                                                                                                                                                          |

diff --git a/go.mod b/go.mod
@@ -5,12 +5,13 @@ go 1.17
 require (
 	github.com/caarlos0/env/v6 v6.9.1
 	github.com/davecgh/go-spew v1.1.1
-	github.com/go-logr/logr v1.2.0
+	github.com/go-logr/logr v1.2.2
 	github.com/google/go-containerregistry v0.8.0
 	github.com/google/uuid v1.3.0
 	github.com/hashicorp/go-version v1.4.0
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.18.1
+	github.com/open-policy-agent/opa v0.37.2
 	github.com/spf13/cobra v1.3.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.7.0
@@ -35,6 +36,7 @@ require (
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
@@ -43,12 +45,14 @@ require (
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect
 	github.com/fsnotify/fsnotify v1.5.1 // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
 	github.com/go-logr/zapr v1.2.0 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.19.5 // indirect
 	github.com/go-openapi/swag v0.19.14 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
@@ -72,12 +76,16 @@ require (
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.11.0 // indirect
+	github.com/prometheus/client_golang v1.12.0 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/common v0.28.0 // indirect
-	github.com/prometheus/procfs v0.6.0 // indirect
+	github.com/prometheus/common v0.32.1 // indirect
+	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca // indirect
+	github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
@@ -86,7 +94,7 @@ require (
 	golang.org/x/mod v0.5.1 // indirect
 	golang.org/x/net v0.0.0-20211216030914-fe4d6282115f // indirect
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
-	golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e // indirect
+	golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 // indirect
 	golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b // indirect
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect