
Port kubesec to golang #3

Merged
merged 21 commits into from
Feb 1, 2019

Conversation

stefanprodan (Member) commented Jan 29, 2019

This PR implements the following:

  • CLI commands version, scan [file], http [port]
  • packages rules, ruler, server
  • implement kind filter for rules
  • add host network, PID and IPC rules
  • add docker socket rule
  • add security context rules (includes init containers)
  • add CPU and memory requests/limits rules
  • add rules tests
  • CI with Travis, Docker and GoReleaser

To run the CLI:

To run the HTTP server:

  • download deps: dep ensure -vendor-only
  • build the image: docker build -t kubesec .
  • run it: docker run -dp 9090:9090 --name=kubesec kubesec

- add version command
- add GoReleaser config
stefanprodan (Member Author)
@sublimino you didn't apply for GitHub actions? Please try to run the version command and let me know if it works

sublimino (Member) commented Jan 29, 2019

I did apply for GH actions, I'm still on the waitlist though 😿

All the above commands work ✔️

version v0.0.0-next
git commit bcf908b290579849705e0b428e0c4d1c5fc519da
build date 2019-01-29T13:25:22Z

- implement kind filter for rules
- add host network rule and tests
- fix host network rule
- single Kubernetes object for now
stefanprodan (Member Author) commented Jan 29, 2019

Scan command example:

go run cmd/kubesec/* scan ./test/asset/score-0-daemonset-host-network.yml 

Result:

{
  "error": "Failed with a score of -9 points",
  "score": -9,
  "scoring": {
    "critical": [
      {
        "selector": ".spec .hostNetwork",
        "reason": "Sharing the host's network namespace permits processes in the pod to communicate with processes bound to the host's loopback adapter",
        "weight": 0
      }
    ],
    "advise": [
      {
        "selector": "containers[] .securityContext .readOnlyRootFilesystem == true",
        "reason": "An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost",
        "weight": 0
      },
      {
        "selector": "containers[] .securityContext .runAsNonRoot == true",
        "reason": "Force the running image to run as a non-root user to ensure least privilege",
        "weight": 0
      },
      {
        "selector": "containers[] .securityContext .runAsUser -gt 10000",
        "reason": "Run as a high-UID user to avoid conflicts with the host's user table",
        "weight": 0
      }
    ]
  }
}
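
As an added example, not code from this PR or from the kubesec repository, a minimal Go rules engine in the shape of the scan output above: a Rule holds the selector, reason and weight plus a check over the decoded pod spec, and Scan runs the set to build the critical/advise lists and the score. It reads a JSON-encoded object (also a valid Kubernetes manifest format) so it needs only the standard library; the weights (-9 for hostNetwork, +1 per satisfied advise rule), the rule that only critical hits set the error string, and the sample DaemonSet are all assumptions constructed for this example, not the thread's test asset or kubesec's scoring table.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Subset of a Kubernetes object the rules inspect. A Pod keeps its pod spec at
// .spec; DaemonSet/Deployment keep it at .spec.template.spec, so both are decoded.
type Container struct {
	SecurityContext struct {
		ReadOnlyRootFilesystem *bool  `json:"readOnlyRootFilesystem"`
		RunAsNonRoot           *bool  `json:"runAsNonRoot"`
		RunAsUser              *int64 `json:"runAsUser"`
	} `json:"securityContext"`
}
type PodSpec struct {
	HostNetwork    bool        `json:"hostNetwork"`
	InitContainers []Container `json:"initContainers"`
	Containers     []Container `json:"containers"`
}
type Manifest struct {
	Kind string `json:"kind"`
	Spec struct {
		PodSpec
		Template struct{ Spec PodSpec `json:"spec"` } `json:"template"`
	} `json:"spec"`
}

// Rule is the selector/reason/weight triple from the scan output plus its check.
// Negative weight = critical: subtracted when Check is true. Positive weight =
// advice: added when Check is true, reported when not. Weights are assumed here.
type Rule struct {
	Selector string             `json:"selector"`
	Reason   string             `json:"reason"`
	Weight   int                `json:"weight"`
	Check    func(PodSpec) bool `json:"-"`
}
type Result struct {
	Error    string `json:"error,omitempty"`
	Score    int    `json:"score"`
	Critical []Rule `json:"critical,omitempty"`
	Advise   []Rule `json:"advise,omitempty"`
}

// all lifts a per-container check to the pod: every init and regular container
// must pass (init containers are a foothold too); no containers means no pass.
func all(f func(Container) bool) func(PodSpec) bool {
	return func(p PodSpec) bool {
		cs := append(append([]Container{}, p.InitContainers...), p.Containers...)
		for _, c := range cs {
			if !f(c) {
				return false
			}
		}
		return len(cs) > 0
	}
}
func isTrue(b *bool) bool { return b != nil && *b }

var Rules = []Rule{
	{".spec .hostNetwork", "Sharing the host's network namespace lets pod processes reach services bound to the host's loopback adapter", -9,
		func(p PodSpec) bool { return p.HostNetwork }},
	{"containers[] .securityContext .readOnlyRootFilesystem == true", "An immutable root filesystem prevents malicious binaries being added to PATH", 1,
		all(func(c Container) bool { return isTrue(c.SecurityContext.ReadOnlyRootFilesystem) })},
	{"containers[] .securityContext .runAsNonRoot == true", "Force the image to run as a non-root user to ensure least privilege", 1,
		all(func(c Container) bool { return isTrue(c.SecurityContext.RunAsNonRoot) })},
	{"containers[] .securityContext .runAsUser -gt 10000", "Run as a high-UID user to avoid conflicts with the host's user table", 1,
		all(func(c Container) bool { u := c.SecurityContext.RunAsUser; return u != nil && *u > 10000 })},
}

// Scan decodes one JSON-encoded Kubernetes object and runs every rule over it.
func Scan(data []byte) (r Result, err error) {
	var m Manifest
	if err = json.Unmarshal(data, &m); err != nil {
		return r, err
	}
	if m.Kind == "" {
		return r, errors.New("object has no kind")
	}
	p := m.Spec.Template.Spec
	if m.Kind == "Pod" {
		p = m.Spec.PodSpec
	}
	for _, rule := range Rules {
		hit := rule.Check(p)
		if hit {
			r.Score += rule.Weight
		}
		if hit && rule.Weight < 0 {
			r.Critical = append(r.Critical, rule)
		} else if !hit && rule.Weight > 0 {
			r.Advise = append(r.Advise, rule)
		}
	}
	if len(r.Critical) > 0 {
		r.Error = fmt.Sprintf("Failed with a score of %d points", r.Score)
	}
	return r, nil
}

// Constructed sample: a DaemonSet on the host network whose container sets no
// securityContext; shaped like the thread's test asset, not copied from it.
const SampleDaemonSet = `{"kind":"DaemonSet","spec":{"template":{"spec":
  {"hostNetwork":true,"containers":[{"name":"agent"}]}}}}`

func main() {
	res, _ := Scan([]byte(SampleDaemonSet))
	out, _ := json.MarshalIndent(res, "", "  ")
	fmt.Println(string(out))
}
```

Two design points worth noting for anyone porting the bash scoring: the advise checks are quantified over init containers as well as regular ones, so a hardened app container next to an unconfigured init container still gets the recommendation, and an object with no kind is rejected rather than silently scored as a clean workload.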

stefanprodan (Member Author)
@sublimino the scoring logic from bash needs to be ported to Ruleset.Run. I'm having problems understanding what's going on there...

@stefanprodan stefanprodan changed the title WIP: Init kubesec go CLI WIP: Port kubesec to golang Jan 30, 2019
- add Prometheus instrumentation to http server
- add healthz endpoint to http server
stefanprodan (Member Author) commented Jan 30, 2019

HTTP server example:

Start server:

go run cmd/kubesec/* http 9090

Or start it as a docker container:

docker build -t kubesec .

docker run -dp 9090:9090 --name=kubesec kubesec

Post file:

curl -sSX POST --data-binary @test/asset/score-0-daemonset-host-network.yml http://localhost:9090/scan 

Result:

{
  "error": "Failed with a score of -9 points",
  "score": -9,
  "scoring": {
    "critical": [
      {
        "selector": ".spec .hostNetwork",
        "reason": "Sharing the host's network namespace permits processes in the pod to communicate with processes bound to the host's loopback adapter",
        "weight": 0
      }
    ],
    "advise": [
      {
        "selector": "containers[] .securityContext .readOnlyRootFilesystem == true",
        "reason": "An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost",
        "weight": 0
      },
      {
        "selector": "containers[] .securityContext .runAsNonRoot == true",
        "reason": "Force the running image to run as a non-root user to ensure least privilege",
        "weight": 0
      },
      {
        "selector": "containers[] .securityContext .runAsUser -gt 10000",
        "reason": "Run as a high-UID user to avoid conflicts with the host's user table",
        "weight": 0
      }
    ]
  }
}

@stefanprodan stefanprodan changed the title WIP: Port kubesec to golang Port kubesec to golang Jan 31, 2019
@sublimino sublimino merged commit cbf6bdc into master Feb 1, 2019
sublimino (Member)
LVGTM 👍👍

@sublimino sublimino deleted the go-init branch February 1, 2019 19:42
sublimino added a commit that referenced this pull request May 12, 2019