Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature: Single workload scanning with polaris #118

Merged
merged 21 commits into from
Sep 8, 2020
Merged

Feature: Single workload scanning with polaris #118

merged 21 commits into from
Sep 8, 2020

Conversation

danielsagi
Copy link
Contributor

@danielsagi danielsagi commented Aug 13, 2020
edited
Loading

Due to the new release of the single workload scanning method of polaris (in version 1.2),
This PR integrates this feature.
From now on, instead of scanning the entire cluster for config audits, you just run:

$ kubectl starboard polaris deploy/my-deployment

Internal change

This introduced a change in the way we map aliases of kinds to full kinds QN
Up until now we used a switch case for resolving kind names. this method is not robust enough and can fail in some situations.
The correct way to do that, (and what this PR is introducing) is to use RESTMapper

Other than the general correctness of using a Mapper instead of a switch case,
We needed a way to figure out the api version and group name for kinds/resources when we pass the resource argument to polaris.

Tests change

Because we now use a RESTMapper rather than a static function. the test for resolving kinds has changed to be an integration test.

closes #29

Daniel Sagi added 13 commits July 4, 2020 16:26
changed polaris version to 1.1.0, also added a --config flag when run…
e230e46 
…ning polaris to explicitly specify the audit config path
updated default audit config yaml file for polaris, to match with the…
2cd8b66 
… new features, (some names changed)
fixed bug in parsing the config yaml file for polaris
456ea03
removed a TODO comment
9406b6c
added workload argument to polaris cmd, also added a max argument spe…
515a9dc 
…cification of 1
modified polaris scanner to reference given specific workload
dd3f8fb
changed consts string kinds, to be singular with api extension, this …
1c33b95 
…is necessary for polaris to understand the correct type of the kind
added workload argument to polaris cmd, also added a max argument spe…
624bf6b 
…cification of 1
modified polaris scanner to reference given specific workload
5aa36c7
changed consts string kinds, to be singular with api extension, this …
514efdc 
…is necessary for polaris to understand the correct type of the kind
updated polaris to version 1.2 which supports single workload scanning
9e7a5c8
Merge branch 'polaris-single-workload' of github.com:aquasecurity/sta…
41199d1 
…rboard into polaris-single-workload
Merge branch 'master' of github.com:aquasecurity/starboard into polar…
ceaf219 
…is-single-workload
@danielsagi danielsagi requested a review from danielpacak August 13, 2020 18:20
@danielsagi danielsagi self-assigned this Aug 13, 2020
@danielsagi danielsagi changed the title Feature: now scanning single workload using polaris Feature: Single workload scanning with polaris Aug 13, 2020
danielpacak
danielpacak suggested changes Aug 14, 2020
View reviewed changes
pkg/kube/object.go Outdated Show resolved Hide resolved
@codecov
Copy link

codecov bot commented Sep 5, 2020
edited
Loading

Codecov Report

Merging #118 into master will decrease coverage by 1.27%.
The diff coverage is 19.04%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #118      +/-   ##
==========================================
- Coverage   39.86%   38.58%   -1.28%     
==========================================
  Files          33       33              
  Lines        1801     1827      +26     
==========================================
- Hits          718      705      -13     
- Misses       1003     1034      +31     
- Partials       80       88       +8
Impacted Files Coverage Δ
pkg/cmd/get_configaudit.go 44.73% <0.00%> (-3.84%) ⬇️
pkg/cmd/get_report.go 34.37% <0.00%> (-3.56%) ⬇️
pkg/cmd/get_vulnerabilities.go 46.15% <0.00%> (-3.85%) ⬇️
pkg/polaris/converter.go 5.00% <0.00%> (+1.15%) ⬆️
pkg/polaris/scanner.go 0.00% <0.00%> (ø)
pkg/cmd/polaris.go 18.91% <8.33%> (-3.31%) ⬇️
pkg/cmd/find_vulnerabilities.go 71.92% <50.00%> (-2.15%) ⬇️
pkg/kube/object.go 63.15% <50.00%> (+0.41%) ⬆️
pkg/cmd/commands.go 61.90% <63.63%> (-28.34%) ⬇️
pkg/scanners/base.go 0.00% <0.00%> (ø)
... and 3 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e5963e5...394edff. Read the comment docs.

@danielpacak
feat: Set owner ref for ConfigAudit reports
394edff 
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
@danielpacak danielpacak force-pushed the polaris-single-workload branch from 441b017 to 394edff Compare September 8, 2020 14:28
@danielpacak danielpacak merged commit c10aa5a into master Sep 8, 2020
@danielpacak danielpacak deleted the polaris-single-workload branch September 8, 2020 14:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danielpacak danielpacak danielpacak approved these changes

Assignees

@danielsagi danielsagi

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Run Polaris for the specified workload
2 participants
@danielsagi @danielpacak