-
Notifications
You must be signed in to change notification settings - Fork 185
support for CRD's that extend common types #373
Comments
Thanks for opening your first issue here! Be sure to follow the issue template! |
I think this is the issue here: kubeaudit/internal/k8sinternal/client.go Lines 113 to 121 in b68cabd
the filtering of resources removes any resources that are based on CRD's. This can include templated out and extended resources, leaving a blind spot for anyone that's running resources that extend that base resources. |
Hey @nobletrout , thanks for opening an issue! I think you are right and we want the |
that does sound right. I could keep working on the diff I've provided, but I think dumping out all the records, duplicated or not, is still valuable in case there's a risk of the excludeGenerated function removing a resource that has a security violation. |
The current check looks to see if the The only stuff I have to check against is proprietary and I can't share. Can you give a generic example of when that array is populated with duplicates? |
The
result for the Deployment. Even though the deployment created pods in the cluster, those get ignored by kubeaudit. If you were to remove the
multiple times, once for the deployment, and once for each generated pod. This is not useful to the user since, in order to fix the issue, they need to edit the Deployment, not any of the pods. Showing the results for the pod just makes it harder to find the root cause. Fyi I'm out most of this week so I will likely be slow to respond. I can give you a more concrete example next week! I would be ok adding a flag for Here is an example of what the
I wonder if we could use the If we are able to apply this to kubeaudit's default behaviour, I would like a concrete example of when having an additional Thanks for working on this! |
So here is my (sanitized) output for ownerReferences array for a CRD deployment
The problem is that there isn't a good way to extract all resources from kubernetes. That said, you could do a somewhat intelligent feature that when parsing
I think having an exludeGenerated flag would be handy for times when you might have orphaned resources that no longer have their deployment templates or otherwise available. In this case, the pod is still running with an old deployment template, but the operator is unaware of it. The PR I submitted leaves the default behavior alone, the flag disables filtering of assets based on ownerRefs count if used so I think it'll have minimal impact on default user behavior. |
ISSUE TYPE
SUMMARY
I've noticed that Kubeaudit doesn't catch CRDS that are extending typical k8s resources, like apps/v1.
It looks like either with finagling the data out with kubectl and scanning you can still get to the original source of truth.
STEPS TO REPRODUCE
create a custom CRD based off apps
scan k8s
don't find anything wrong with deploy applications
EXPECTED RESULTS
It should find them
other stuff
if you guys want to point me in the direction of where in the code one can specify a custom CRD, that'll work for me and I'll add a flag to support it.
The text was updated successfully, but these errors were encountered: