ignore klint binary in case of running go build in dir; added IAM rul…

…e checker to ensure that if a role is specified that it exists on AWS
uswitch · Aug 11, 2017 · a8c5438 · a8c5438
1 parent bf97689
commit a8c5438
Show file tree

Hide file tree

Showing 10 changed files with 28,491 additions and 3 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+klint
diff --git a/alerts/slack.go b/alerts/slack.go
@@ -6,12 +6,12 @@ import (
 )
 
 type SlackOutput struct {
-	client   *slack.Client
+	client *slack.Client
 }
 
 func NewSlackOutput(token string) *SlackOutput {
 	return &SlackOutput{
-		client:   slack.New(token),
+		client: slack.New(token),
 	}
 }
 
@@ -25,8 +25,10 @@ func (s *SlackOutput) Send(val string, message string) error {
 
 	var err error = nil
 
+	log.Debugf("sending alert \"%s\" to '%s'", message, val)
+
 	if _, _, err = s.client.PostMessage(val, message, messageParameters); err != nil {
-		log.Warnf("Failed to send message to '%s': %s", val, err)
+		log.Warnf("Failed to send message \"%s\" to '%s': %s", message, val, err)
 	}
 
 	return err

diff --git a/main.go b/main.go
@@ -76,6 +76,7 @@ func main() {
 	engine.AddRule(rules.UnsuccessfulExitRule)
 	engine.AddRule(rules.ResourceAnnotationRule)
 	engine.AddRule(rules.ScrapeNeedsPortsRule)
+	engine.AddRule(rules.ValidIAMRoleRule)
 
 	engine.AddOutput(alerts.NewSlackOutput(opts.slackToken))
 	engine.AddOutput(alerts.NewSNSOutput(opts.awsRegion))

diff --git a/rules/iam_role.go b/rules/iam_role.go
@@ -0,0 +1,71 @@
+package rules
+
+import (
+	"fmt"
+
+	log "github.com/Sirupsen/logrus"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/iam"
+	"github.com/uswitch/klint/alerts"
+
+	extv1 "k8s.io/api/extensions/v1beta1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+const AnnotationName = "iam.amazonaws.com/role"
+
+func alertNoRole(deployment *extv1.Deployment, out chan *alerts.Alert) {
+	roleName := role(deployment)
+	message := fmt.Sprintf("IAM role %s specified for pods but doesn't exist", roleName)
+	out <- &alerts.Alert{
+		deployment,
+		message,
+	}
+}
+
+func role(deployment *extv1.Deployment) string {
+	return deployment.Spec.Template.GetAnnotations()[AnnotationName]
+}
+
+func fields(deployment *extv1.Deployment) log.Fields {
+	return log.Fields{
+		"namespace": deployment.GetNamespace(),
+		"name":      deployment.GetName(),
+		"role":      role(deployment),
+	}
+}
+
+var ValidIAMRoleRule = NewRule(
+	func(old runtime.Object, new runtime.Object, out chan *alerts.Alert) {
+		deployment := new.(*extv1.Deployment)
+		logger := log.WithFields(fields(deployment))
+
+		logger.Debugf("checking deployment for iam infringement")
+
+		roleName := role(deployment)
+		if roleName == "" {
+			return
+		}
+
+		session := session.New()
+		svc := iam.New(session)
+
+		_, err := svc.GetRole(&iam.GetRoleInput{RoleName: aws.String(roleName)})
+		if err != nil {
+			e, _ := err.(awserr.Error)
+			if e.Code() == iam.ErrCodeNoSuchEntityException {
+				alertNoRole(deployment, out)
+				return
+			}
+
+			logger.Errorf("error finding role: %s", err.Error())
+			return
+		}
+
+		logger.Debugf("iam configured correctly, huzzah!")
+	},
+	WantDeployments,
+)