Port kubesec to golang #3
- add version command
- add GoReleaser config
@sublimino you didn't apply for GitHub actions? Please try to run the version command and let me know if it works

I did apply for GH actions, I'm still on the waitlist though 😿 All the above commands work ✔️
- implement kind filter for rules
- add host network rule and tests
- fix host network rule
- single Kubernetes object for now
Scan command example:

```
go run cmd/kubesec/* scan ./test/asset/score-0-daemonset-host-network.yml
```

Result:

```json
{
  "error": "Failed with a score of -9 points",
  "score": -9,
  "scoring": {
    "critical": [
      {
        "selector": ".spec .hostNetwork",
        "reason": "Sharing the host's network namespace permits processes in the pod to communicate with processes bound to the host's loopback adapter",
        "weight": 0
      }
    ],
    "advise": [
      {
        "selector": "containers[] .securityContext .readOnlyRootFilesystem == true",
        "reason": "An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost",
        "weight": 0
      },
      {
        "selector": "containers[] .securityContext .runAsNonRoot == true",
        "reason": "Force the running image to run as a non-root user to ensure least privilege",
        "weight": 0
      },
      {
        "selector": "containers[] .securityContext .runAsUser -gt 10000",
        "reason": "Run as a high-UID user to avoid conflicts with the host's user table",
        "weight": 0
      }
    ]
  }
}
```
@sublimino the scoring logic from bash needs to be ported to

- determine spec selector based on kind
- add Prometheus instrumentation to http server
- add healthz endpoint to http server
HTTP server example:

Start server:

```
go run cmd/kubesec/* http 9090
```

Or start it as a docker container:

```
docker build -t kubesec .
docker run -dp 9090:9090 --name=kubesec kubesec
```

Post file:

```
curl -sSX POST --data-binary @test/asset/score-0-daemonset-host-network.yml http://localhost:9090/scan
```

Result:

```json
{
  "error": "Failed with a score of -9 points",
  "score": -9,
  "scoring": {
    "critical": [
      {
        "selector": ".spec .hostNetwork",
        "reason": "Sharing the host's network namespace permits processes in the pod to communicate with processes bound to the host's loopback adapter",
        "weight": 0
      }
    ],
    "advise": [
      {
        "selector": "containers[] .securityContext .readOnlyRootFilesystem == true",
        "reason": "An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost",
        "weight": 0
      },
      {
        "selector": "containers[] .securityContext .runAsNonRoot == true",
        "reason": "Force the running image to run as a non-root user to ensure least privilege",
        "weight": 0
      },
      {
        "selector": "containers[] .securityContext .runAsUser -gt 10000",
        "reason": "Run as a high-UID user to avoid conflicts with the host's user table",
        "weight": 0
      }
    ]
  }
}
```
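The scan output above comes from the ported host-network rule, and the commit list mentions resolving the spec selector by kind; as an added example that is not code from this PR or the kubesec project, here is a minimal Go version of that logic. It assumes a `Rule`/`specFor`/`Scan` API of my own, a 9-point deduction for `hostNetwork` chosen only to reproduce the -9 shown above (the output still reports `"weight": 0` because weights were not yet ported), and a constructed JSON rendering of the DaemonSet asset in place of the YAML file, to avoid a YAML dependency.

```go
package main
import "encoding/json"
import "fmt"

// Rule is one kubesec check. Kinds is the PR's kind filter; Points (9 here is an assumption chosen to match the page's -9) is deducted when Failed is true.
type Rule struct {
	Selector, Reason string
	Kinds            map[string]bool
	Points           int
	Failed           func(spec map[string]interface{}) bool
}
var hostNetwork = Rule{
	Selector: ".spec .hostNetwork",
	Reason:   "Sharing the host's network namespace permits processes in the pod to communicate with processes bound to the host's loopback adapter",
	Kinds:    map[string]bool{"Pod": true, "Deployment": true, "DaemonSet": true, "StatefulSet": true, "Job": true},
	Points:   9,
	Failed:   func(s map[string]interface{}) bool { v, _ := s["hostNetwork"].(bool); return v },
}

// specFor determines the spec selector based on kind: a Pod carries the pod spec at .spec, workload controllers nest it at .spec.template.spec; nil means none was found.
func specFor(obj map[string]interface{}) (map[string]interface{}, string) {
	kind, _ := obj["kind"].(string)
	spec, _ := obj["spec"].(map[string]interface{})
	if kind != "Pod" {
		tmpl, _ := spec["template"].(map[string]interface{})
		spec, _ = tmpl["spec"].(map[string]interface{})
	}
	return spec, kind
}

// Scan decodes one object (JSON, which is valid YAML, to avoid a YAML dependency) and applies each rule whose kind filter matches; critical lists the rules that fired.
func Scan(manifest []byte, rules []Rule) (score int, critical []Rule, err error) {
	var obj map[string]interface{}
	if err = json.Unmarshal(manifest, &obj); err != nil {
		return 0, nil, err
	}
	spec, kind := specFor(obj)
	if spec == nil {
		return 0, nil, fmt.Errorf("no pod spec found for kind %q", kind)
	}
	for _, r := range rules {
		if r.Kinds[kind] && r.Failed(spec) {
			score -= r.Points
			critical = append(critical, r)
		}
	}
	return score, critical, nil
}
// Constructed JSON rendering of the PR's score-0-daemonset-host-network.yml asset (not the real file).
const sampleDaemonSet = `{"kind":"DaemonSet","spec":{"template":{"spec":{"hostNetwork":true}}}}`
```

Objects whose kind carries no pod spec (a Service, for instance) are rejected with an error rather than silently scored 0, which is the failure mode a single-object scanner should surface.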
LGTM 👍👍
This PR implements the following:

- `version`
- `scan [file]`
- `http [port]`

- `rules`
- `ruler`
- `server`

To run the CLI:

```
goreleaser --snapshot --rm-dist
./dist/linux_amd64/kubesec version
```

To run the HTTP server:

```
dep ensure -vendor-only
docker build -t kubesec .
docker run -dp 9090:9090 --name=kubesec kubesec
```