feat: Run Polaris scanner for the specified workload (aquasecurity#118)

Resolves: aquasecurity#29 Resolves: aquasecurity#49 Co-authored-by: Daniel Pacak <pacak.daniel@gmail.com>
xmonish · Sep 8, 2020 · c10aa5a · c10aa5a
1 parent 4aa0d52
commit c10aa5a
Show file tree

Hide file tree

Showing 21 changed files with 169 additions and 370 deletions.
diff --git a/Makefile b/Makefile
@@ -47,6 +47,7 @@ integration-tests: check-env get-ginkgo
 	github.com/aquasecurity/starboard/pkg/kubebench \
 	github.com/aquasecurity/starboard/pkg/kubehunter \
 	github.com/aquasecurity/starboard/pkg/polaris \
+	github.com/aquasecurity/starboard/pkg/polaris/crd \
 	github.com/aquasecurity/starboard/pkg/find/vulnerabilities/trivy \
 	github.com/aquasecurity/starboard/pkg/find/vulnerabilities/crd \
 	./itest

diff --git a/pkg/apis/aquasecurity/v1alpha1/common_types.go b/pkg/apis/aquasecurity/v1alpha1/common_types.go
@@ -6,13 +6,3 @@ type Scanner struct {
 	Vendor  string `json:"vendor"`
 	Version string `json:"version"`
 }
-
-type KubernetesResource struct {
-	Kind string `json:"kind"` // Pod, Deployment, Node, etc.
-	Name string `json:"name"` // my-pod, my-deployment, my-node, etc.
-}
-
-type KubernetesNamespacedResource struct {
-	Namespace string `json:"namespace"`
-	KubernetesResource
-}
diff --git a/pkg/apis/aquasecurity/v1alpha1/config_audit_types.go b/pkg/apis/aquasecurity/v1alpha1/config_audit_types.go
@@ -69,10 +69,9 @@ type ConfigAuditReportList struct {
 // TODO by defining scope type (e.g. Pod, Container, Node) and the name of the scope (e.g. my-pod, my-container,
 // TODO my-node)
 type ConfigAudit struct {
-	Scanner         Scanner                      `json:"scanner"`
-	Resource        KubernetesNamespacedResource `json:"resource"`
-	PodChecks       []Check                      `json:"podChecks"`
-	ContainerChecks map[string][]Check           `json:"containerChecks"`
+	Scanner         Scanner            `json:"scanner"`
+	PodChecks       []Check            `json:"podChecks"`
+	ContainerChecks map[string][]Check `json:"containerChecks"`
 }
 
 type Check struct {

diff --git a/pkg/apis/aquasecurity/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/aquasecurity/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/cmd/commands.go b/pkg/cmd/commands.go
@@ -5,6 +5,9 @@ import (
 	"strings"
 	"time"
 
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
 	"k8s.io/client-go/kubernetes/scheme"
 
 	"k8s.io/apimachinery/pkg/runtime"
@@ -21,33 +24,34 @@ func SetGlobalFlags(cf *genericclioptions.ConfigFlags, cmd *cobra.Command) {
 	}
 }
 
-func WorkloadFromArgs(namespace string, args []string) (workload kube.Object, err error) {
+func WorkloadFromArgs(mapper meta.RESTMapper, namespace string, args []string) (workload kube.Object, gvk schema.GroupVersionKind, err error) {
 	if len(args) < 1 {
 		err = errors.New("required workload kind and name not specified")
 		return
 	}
 
+	var resource, resourceName string
 	parts := strings.SplitN(args[0], "/", 2)
 	if len(parts) == 1 {
-		workload = kube.Object{
-			Namespace: namespace,
-			Kind:      kube.KindPod,
-			Name:      parts[0],
-		}
-		return
+		resource = "pods"
+		resourceName = parts[0]
+	} else {
+		resource = parts[0]
+		resourceName = parts[1]
 	}
-	kind, err := kube.KindFromResource(parts[0])
+
+	_, gvk, err = kube.GVRForResource(mapper, resource)
 	if err != nil {
 		return
 	}
-	if "" == parts[1] {
+	if "" == resourceName {
 		err = errors.New("required workload name is blank")
 		return
 	}
 	workload = kube.Object{
 		Namespace: namespace,
-		Kind:      kind,
-		Name:      parts[1],
+		Kind:      kube.Kind(gvk.Kind),
+		Name:      resourceName,
 	}
 	return
 }

diff --git a/pkg/cmd/find_vulnerabilities.go b/pkg/cmd/find_vulnerabilities.go
@@ -54,7 +54,11 @@ NAME is the name of a particular Kubernetes workload.
 			if err != nil {
 				return
 			}
-			workload, err := WorkloadFromArgs(ns, args)
+			mapper, err := cf.ToRESTMapper()
+			if err != nil {
+				return
+			}
+			workload, _, err := WorkloadFromArgs(mapper, ns, args)
 			if err != nil {
 				return
 			}

diff --git a/pkg/cmd/get_configaudit.go b/pkg/cmd/get_configaudit.go
@@ -34,7 +34,11 @@ NAME is the name of a particular Kubernetes workload.
 			if err != nil {
 				return
 			}
-			workload, err := WorkloadFromArgs(ns, args)
+			mapper, err := cf.ToRESTMapper()
+			if err != nil {
+				return
+			}
+			workload, _, err := WorkloadFromArgs(mapper, ns, args)
 			if err != nil {
 				return
 			}

diff --git a/pkg/cmd/get_report.go b/pkg/cmd/get_report.go
@@ -36,12 +36,16 @@ NAME is the name of a particular Kubernetes workload.
 			if err != nil {
 				return
 			}
-			workload, err := WorkloadFromArgs(ns, args)
+			mapper, err := cf.ToRESTMapper()
+			if err != nil {
+				return
+			}
+			workload, _, err := WorkloadFromArgs(mapper, ns, args)
 			if err != nil {
 				return
 			}
 
-			caReader := configAuditCrd.NewReadWriter(starboardClientset)
+			caReader := configAuditCrd.NewReadWriter(GetScheme(), starboardClientset)
 			vulnsReader := vulnsCrd.NewReadWriter(GetScheme(), starboardClientset)
 
 			reporter := report.NewHTMLReporter(caReader, vulnsReader, workload)

diff --git a/pkg/cmd/get_vulnerabilities.go b/pkg/cmd/get_vulnerabilities.go
@@ -35,7 +35,11 @@ NAME is the name of a particular Kubernetes workload.
 			if err != nil {
 				return
 			}
-			workload, err := WorkloadFromArgs(ns, args)
+			mapper, err := cf.ToRESTMapper()
+			if err != nil {
+				return
+			}
+			workload, _, err := WorkloadFromArgs(mapper, ns, args)
 			if err != nil {
 				return
 			}

diff --git a/pkg/cmd/polaris.go b/pkg/cmd/polaris.go
@@ -15,8 +15,21 @@ func NewPolarisCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "polaris",
 		Short: "Run a variety of checks to ensure that Kubernetes pods and controllers are configured using best practices",
+		Args:  cobra.MaximumNArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) (err error) {
 			ctx := context.Background()
+			ns, _, err := cf.ToRawKubeConfigLoader().Namespace()
+			if err != nil {
+				return err
+			}
+			mapper, err := cf.ToRESTMapper()
+			if err != nil {
+				return
+			}
+			workload, gvk, err := WorkloadFromArgs(mapper, ns, args)
+			if err != nil {
+				return err
+			}
 			config, err := cf.ToRESTConfig()
 			if err != nil {
 				return
@@ -29,15 +42,15 @@ func NewPolarisCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
 			if err != nil {
 				return
 			}
-			reports, err := polaris.NewScanner(opts, clientset).Scan(ctx)
+			report, owner, err := polaris.NewScanner(opts, clientset).Scan(ctx, workload, gvk)
 			if err != nil {
 				return
 			}
 			starboardClientset, err := starboard.NewForConfig(config)
 			if err != nil {
 				return
 			}
-			err = crd.NewReadWriter(starboardClientset).WriteAll(ctx, reports)
+			err = crd.NewReadWriter(GetScheme(), starboardClientset).Write(ctx, report, owner)
 			if err != nil {
 				return
 			}

diff --git a/pkg/cmd/polaris_test.go b/pkg/cmd/polaris_test.go
@@ -0,0 +1 @@
+package cmd_test