Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Port kubesec to golang #3

Merged
merged 21 commits into from
Feb 1, 2019
Merged

Port kubesec to golang #3

merged 21 commits into from
Feb 1, 2019

Conversation

stefanprodan
Copy link
Member

@stefanprodan stefanprodan commented Jan 29, 2019
edited
Loading

This PR implements the following:

  • CLI commands version, scan [file], http [port]
  • packages rules, ruler, server
  • implement kind filter for rules
  • add host network, PID and IPC rules
  • add docker socket rule
  • add security context rules (includes init containers)
  • add CPU and memory requests/limits rules
  • add rules tests
  • CI with Travis, Docker and GoReleaser

To run the CLI:

To run the HTTP server:

  • download deps dep ensure -vendor-only
  • build the image docker build -t kubesec .
  • run it docker run -dp 9090:9090 --name=kubesec kubesec

@stefanprodan
Init kubesec go CLI
bcf908b 
- add version command
- add GoReleaser config
@stefanprodan
Copy link
Member Author

@sublimino you didn't apply for GitHub actions? Please try to run the version command and let me know if it works

@sublimino
Copy link
Member

sublimino commented Jan 29, 2019
edited
Loading

I did apply for GH actions, I'm still on the waitlist though 😿

All the above commands work ✔️

version v0.0.0-next
git commit bcf908b290579849705e0b428e0c4d1c5fc519da
build date 2019-01-29T13:25:22Z

@stefanprodan
Add ruler package
4a13dcb 
- implement kind filter for rules
- add host network rule and tests
@stefanprodan
Run tests in TravisCI
0225707
@stefanprodan
Add security context rules
c3edbad 
- fix host network rule
@stefanprodan
Add ruleset and result
e646691
@stefanprodan
Add scan command for YAML and JSON files
f1c6d0a 
- single Kubernetes object for now
@stefanprodan
Copy link
Member Author

stefanprodan commented Jan 29, 2019
edited
Loading

Scan command example:

go run cmd/kubesec/* scan ./test/asset/score-0-daemonset-host-network.yml

Result:

{
  "error": "Failed with a score of -9 points",
  "score": -9,
  "scoring": {
    "critical": [
      {
        "selector": ".spec .hostNetwork",
        "reason": "Sharing the host's network namespace permits processes in the pod to communicate with processes bound to the host's loopback adapter",
        "weight": 0
      }
    ],
    "advise": [
      {
        "selector": "containers[] .securityContext .readOnlyRootFilesystem == true",
        "reason": "An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost",
        "weight": 0
      },
      {
        "selector": "containers[] .securityContext .runAsNonRoot == true",
        "reason": "Force the running image to run as a non-root user to ensure least privilege",
        "weight": 0
      },
      {
        "selector": "containers[] .securityContext .runAsUser -gt 10000",
        "reason": "Run as a high-UID user to avoid conflicts with the host's user table",
        "weight": 0
      }
    ]
  }
}

@stefanprodan
Copy link
Member Author

@sublimino the scoring logic from bash needs to be ported to Ruleset.Run. I'm having problems understanding what's going on there...

@stefanprodan stefanprodan changed the title WIP: Init kubesec go CLI WIP: Port kubesec to golang Jan 30, 2019
@stefanprodan
Add kubesec HTTP server
b540e03 
- add Prometheus instrumentation to http server
- add healthz endpoint to http server
@stefanprodan
Add scan handler to HTTP server
1c3d6c5
@stefanprodan
Copy link
Member Author

stefanprodan commented Jan 30, 2019
edited
Loading

HTTP server example:

Start server:

 go run cmd/kubesec/* http 9090

Or start it as a docker container:

docker build -t kubesec .

docker run -dp 9090:9090 --name=kubesec kubesec

Post file:

curl -sSX POST --data-binary @test/asset/score-0-daemonset-host-network.yml http://localhost:9090/scan

Result:

{
  "error": "Failed with a score of -9 points",
  "score": -9,
  "scoring": {
    "critical": [
      {
        "selector": ".spec .hostNetwork",
        "reason": "Sharing the host's network namespace permits processes in the pod to communicate with processes bound to the host's loopback adapter",
        "weight": 0
      }
    ],
    "advise": [
      {
        "selector": "containers[] .securityContext .readOnlyRootFilesystem == true",
        "reason": "An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost",
        "weight": 0
      },
      {
        "selector": "containers[] .securityContext .runAsNonRoot == true",
        "reason": "Force the running image to run as a non-root user to ensure least privilege",
        "weight": 0
      },
      {
        "selector": "containers[] .securityContext .runAsUser -gt 10000",
        "reason": "Run as a high-UID user to avoid conflicts with the host's user table",
        "weight": 0
      }
    ]
  }
}

This was referenced Jan 30, 2019
Closed
Closed
@stefanprodan stefanprodan changed the title WIP: Port kubesec to golang Port kubesec to golang Jan 31, 2019
@sublimino sublimino merged commit cbf6bdc into master Feb 1, 2019
@sublimino
Copy link
Member

LVGTM 👍👍

@sublimino sublimino deleted the go-init branch February 1, 2019 19:42
sublimino added a commit that referenced this pull request May 12, 2019
@sublimino
Merge pull request #3 from sublimino/go-init
5e0d4c9 
Port kubesec to golang
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sublimino sublimino Awaiting requested review from sublimino

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@stefanprodan @sublimino