feat: Add subcommand to fetch vulnerability reports (#28)

Resolves: #22 Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
kzkardes · May 25, 2020 · 8d2b8f0 · 8d2b8f0
1 parent 8dd2c97
commit 8d2b8f0
Show file tree

Hide file tree

Showing 13 changed files with 187 additions and 16 deletions.
diff --git a/cmd/starboard/main.go b/cmd/starboard/main.go
@@ -11,12 +11,21 @@ import (
 	"k8s.io/klog"
 )
 
+var (
+	// These variables are populated by GoReleases via ldflags
+	version = "dev"
+	commit  = "none"
+	date    = "unknown"
+)
+
 func main() {
 	defer klog.Flush()
 
 	initFlags()
 
-	if err := cmd.GetRootCmd().Execute(); err != nil {
+	version := cmd.VersionInfo{Version: version, Commit: commit, Date: date}
+
+	if err := cmd.NewRootCmd(version).Execute(); err != nil {
 		fmt.Printf("error: %v\n", err)
 		os.Exit(1)
 	}

diff --git a/pkg/cmd/cleanup.go b/pkg/cmd/cleanup.go
@@ -8,7 +8,7 @@ import (
 	"k8s.io/client-go/kubernetes"
 )
 
-func GetCleanupCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
+func NewCleanupCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "cleanup",
 		Short: "Delete custom resource definitions created by starboard",

diff --git a/pkg/cmd/find.go b/pkg/cmd/find.go
@@ -5,7 +5,7 @@ import (
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 )
 
-func GetFindCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
+func NewFindCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
 	findCmd := &cobra.Command{
 		Use:   "find",
 		Short: "Manage security scanners",

diff --git a/pkg/cmd/get.go b/pkg/cmd/get.go
@@ -0,0 +1,18 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+)
+
+func NewGetCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
+	getCmd := &cobra.Command{
+		Use:   "get",
+		Short: "Get security reports",
+	}
+	getCmd.AddCommand(NewGetVulnerabilitiesCmd(cf))
+	getCmd.AddCommand(NewGetConfigAuditCmd(cf))
+	getCmd.PersistentFlags().StringP("output", "o", "yaml", "Output format. One of yaml|json")
+
+	return getCmd
+}
diff --git a/pkg/cmd/get_configaudit.go b/pkg/cmd/get_configaudit.go
@@ -0,0 +1,58 @@
+package cmd
+
+import (
+	"fmt"
+	"os/exec"
+
+	starboard "github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
+	"github.com/spf13/cobra"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+)
+
+func NewGetConfigAuditCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "configaudit (NAME | TYPE/NAME)",
+		Short: "Get configuration audit report",
+		Long: `Get configuration audit report for the specified workload
+
+TYPE is a Kubernetes workload. Shortcuts and API groups will be resolved, e.g. 'po' or 'deployments.apps'.
+NAME is the name of a particular Kubernetes workload.
+`,
+		Example: fmt.Sprintf(`  # Get configuration audit for a Deployment with the specified name
+  %[1]s get configauditreports.aquasecurity.github.io deploy/nginx
+
+  # Get configuration audit for a Deployment with the specified name in the specified namespace
+  %[1]s get configauditreports deploy/nginx -n staging
+
+  # Get configuration audit for a ReplicaSet with the specified name
+  %[1]s get configaudit replicaset/nginx
+
+  # Get vulnerabilities for a CronJob with the specified name in JSON output format
+  %[1]s get configaudit cj/my-job -o json`, "starboard"),
+		RunE: func(cmd *cobra.Command, args []string) (err error) {
+			ns, _, err := cf.ToRawKubeConfigLoader().Namespace()
+			if err != nil {
+				return
+			}
+			workload, err := WorkloadFromArgs(ns, args)
+			if err != nil {
+				return
+			}
+
+			kubectlCmd := exec.Command("kubectl",
+				"get",
+				starboard.ConfigAuditReportCRName,
+				fmt.Sprintf("-l=starboard.resource.kind=%s,starboard.resource.name=%s", workload.Kind, workload.Name),
+				fmt.Sprintf("--namespace=%s", workload.Namespace),
+				fmt.Sprintf("--output=%s", cmd.Flag("output").Value.String()))
+			stdoutStderr, err := kubectlCmd.CombinedOutput()
+			if err != nil {
+				return
+			}
+			fmt.Printf("%s", stdoutStderr)
+			return
+		},
+	}
+
+	return cmd
+}
diff --git a/pkg/cmd/get_vulnerabilities.go b/pkg/cmd/get_vulnerabilities.go
@@ -0,0 +1,59 @@
+package cmd
+
+import (
+	"fmt"
+	"os/exec"
+
+	starboard "github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
+	"github.com/spf13/cobra"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+)
+
+func NewGetVulnerabilitiesCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
+	cmd := &cobra.Command{
+		Aliases: []string{"vulns", "vuln"},
+		Use:     "vulnerabilities (NAME | TYPE/NAME)",
+		Short:   "Get vulnerabilities report",
+		Long: `Get vulnerabilities report for the specified workload
+
+TYPE is a Kubernetes workload. Shortcuts and API groups will be resolved, e.g. 'po' or 'deployments.apps'.
+NAME is the name of a particular Kubernetes workload.
+`,
+		Example: fmt.Sprintf(`  # Get vulnerabilities for a Deployment with the specified name
+  %[1]s get vulnerabilities.aquasecurity.github.io deploy/nginx
+
+  # Get vulnerabilities for a Deployment with the specified name in the specified namespace
+  %[1]s get vulnerabilities deploy/nginx -n staging
+
+  # Get vulnerabilities for a ReplicaSet with the specified name
+  %[1]s get vulns replicaset/nginx
+
+  # Get vulnerabilities for a CronJob with the specified name in JSON output format
+  %[1]s get vuln cj/my-job -o json`, "starboard"),
+		RunE: func(cmd *cobra.Command, args []string) (err error) {
+			ns, _, err := cf.ToRawKubeConfigLoader().Namespace()
+			if err != nil {
+				return
+			}
+			workload, err := WorkloadFromArgs(ns, args)
+			if err != nil {
+				return
+			}
+
+			kubectlCmd := exec.Command("kubectl",
+				"get",
+				starboard.VulnerabilitiesCRName,
+				fmt.Sprintf("-l=starboard.resource.kind=%s,starboard.resource.name=%s", workload.Kind, workload.Name),
+				fmt.Sprintf("--namespace=%s", workload.Namespace),
+				fmt.Sprintf("--output=%s", cmd.Flag("output").Value.String()))
+			stdoutStderr, err := kubectlCmd.CombinedOutput()
+			if err != nil {
+				return
+			}
+			fmt.Printf("%s", stdoutStderr)
+			return
+		},
+	}
+
+	return cmd
+}
diff --git a/pkg/cmd/init.go b/pkg/cmd/init.go
@@ -8,7 +8,7 @@ import (
 	"k8s.io/client-go/kubernetes"
 )
 
-func GetInitCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
+func NewInitCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "init",
 		Short: "Create custom resource definitions used by starboard",

diff --git a/pkg/cmd/kube_bench.go b/pkg/cmd/kube_bench.go
@@ -10,7 +10,7 @@ import (
 	"k8s.io/client-go/kubernetes"
 )
 
-func GetKubeBenchCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
+func NewKubeBenchCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "kube-bench",
 		Short: "Run the CIS Kubernetes Benchmark https://www.cisecurity.org/benchmark/kubernetes",

diff --git a/pkg/cmd/kube_hunter.go b/pkg/cmd/kube_hunter.go
@@ -8,7 +8,7 @@ import (
 	"k8s.io/client-go/kubernetes"
 )
 
-func GetKubeHunterCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
+func NewKubeHunterCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "kube-hunter",
 		Short: "Hunt for security weaknesses",

diff --git a/pkg/cmd/polaris.go b/pkg/cmd/polaris.go
@@ -9,7 +9,7 @@ import (
 	"k8s.io/client-go/kubernetes"
 )
 
-func GetPolarisCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
+func NewPolarisCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "polaris",
 		Short: "Run a variety of checks to ensure that Kubernetes pods and controllers are configured using best practices",

diff --git a/pkg/cmd/rbac.go b/pkg/cmd/rbac.go
@@ -5,7 +5,7 @@ import (
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 )
 
-func GetRBACCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
+func NewRBACCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "rbac",
 		Short: "Get RBAC config to run starboard",

diff --git a/pkg/cmd/root.go b/pkg/cmd/root.go
@@ -10,7 +10,7 @@ import (
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 )
 
-func GetRootCmd() *cobra.Command {
+func NewRootCmd(version VersionInfo) *cobra.Command {
 	var cf *genericclioptions.ConfigFlags
 
 	rootCmd := &cobra.Command{
@@ -22,13 +22,15 @@ func GetRootCmd() *cobra.Command {
 
 	cf = genericclioptions.NewConfigFlags(true)
 
-	rootCmd.AddCommand(GetInitCmd(cf))
-	rootCmd.AddCommand(GetRBACCmd(cf))
-	rootCmd.AddCommand(GetFindCmd(cf))
-	rootCmd.AddCommand(GetKubeBenchCmd(cf))
-	rootCmd.AddCommand(GetKubeHunterCmd(cf))
-	rootCmd.AddCommand(GetPolarisCmd(cf))
-	rootCmd.AddCommand(GetCleanupCmd(cf))
+	rootCmd.AddCommand(NewVersionCmd(version))
+	rootCmd.AddCommand(NewInitCmd(cf))
+	rootCmd.AddCommand(NewRBACCmd(cf))
+	rootCmd.AddCommand(NewFindCmd(cf))
+	rootCmd.AddCommand(NewKubeBenchCmd(cf))
+	rootCmd.AddCommand(NewKubeHunterCmd(cf))
+	rootCmd.AddCommand(NewPolarisCmd(cf))
+	rootCmd.AddCommand(NewGetCmd(cf))
+	rootCmd.AddCommand(NewCleanupCmd(cf))
 
 	SetFlags(cf, rootCmd)
 

diff --git a/pkg/cmd/version.go b/pkg/cmd/version.go
@@ -0,0 +1,25 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+)
+
+type VersionInfo struct {
+	Version string
+	Commit  string
+	Date    string
+}
+
+func NewVersionCmd(version VersionInfo) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "version",
+		Short: "Print the version information",
+		RunE: func(cmd *cobra.Command, args []string) (err error) {
+			fmt.Printf("Starboard Version: %+v\n", version)
+			return
+		},
+	}
+	return cmd
+}