Merge pull request #82 from fjogeleit/dependency-updates

Dependency Updates and Timeout config

.gitignore

@@ -3,4 +3,5 @@
 build
 /values.yaml
 coverage.out
-heap*
+heap*
+.vscode

CHANGELOG.md

@@ -1,3 +1,11 @@
+# 0.4.0
+
+* Add TrivyOperator APIs to the project to reduce not needed dependencies
+* Add PolicyReport CRD API and Client code to remove kyverno dependencies
+* Support configure `CacheSyncTimeout` for the different clients
+* Use `scope` instead of repeating the related `resource` in each result
+    * If you use PolicyReporter, it requires AppVerion >= v2.13.0 to process the scope properly
+
 # 0.3.2
 
 * Fixed RBAC permssions for InfraAssementReport

Makefile

@@ -32,3 +32,11 @@ docker-push:
 .PHONY: docker-push-dev
 docker-push-dev:
 	@docker buildx build --progress plane --platform $(PLATFORMS) --tag $(REPO):dev . --build-arg LD_FLAGS='$(LD_FLAGS) -X main.Version=$(IMAGE_TAG)' --push
+
+.PHONY: fmt
+fmt:
+	$(call print-target)
+	@echo "Running gci"
+	@go run github.com/daixiang0/gci@v0.9.1 write -s standard -s default -s "prefix(github.com/fjogeleit/trivy-operator-polr-adapter)" .
+	@echo "Running gofumpt"
+	@go run mvdan.cc/gofumpt@v0.4.0 -w .

README.md

@@ -48,6 +48,18 @@ Sources of the PolicyReportResults can be used to filter different Reports from
 | Trivy Compliance       | ClusterComplianceReport                            |
 | Trivy InfraAssessment  | InfraAssessmentReports                             |
 
+## Support Matrix
+
+| Report CRD              | Trivy Operator Polr Adapter | Trivy Opervator                    |
+|-------------------------|-----------------------------|------------------------------------|
+| CISKubeBenchReport      | `>= 0.0.1`                  | `0.0.1` (removed in newer versions)|
+| VulnerabilityReport     | `>= 0.0.1`                  | `>= 0.0.1`                         |
+| ConfigAuditReport       | `>= 0.0.1`                  | `>= 0.0.1`                         |
+| ExposedSecretReport     | `>= 0.1.0`                  | `>= 0.1.0`                         |
+| RbacAssessmentReport    | `>= 0.1.0`                  | `>= 0.1.4`                         |
+| InfraAssessmentReports  | `>= 0.3.1`                  | `>= 0.7.0`                         |
+| ClusterComplianceReport | `>= 0.3.1`                  | `>= 0.9.0`                         |
+
 ## Integreted Adapters
 ### VulnerabilityReports
 
@@ -71,6 +83,12 @@ metadata:
     uid: 710f2142-7613-4cf5-aef7-dc65306626e2
   resourceVersion: "122118"
   uid: 2ea883ef-c060-4e80-ae34-3f9b527c02bc
+scope:
+  apiVersion: apps/v1
+  kind: ReplicaSet
+  name: nginx-5fbc65fff
+  namespace: test
+  uid: 710f2142-7613-4cf5-aef7-dc65306626e2
 results:
 - category: Vulnerability Scan
   message: 'apt: integer overflows and underflows while parsing .deb packages'
@@ -84,12 +102,6 @@ results:
     registry.server: index.docker.io
     resource: apt
     score: "5.7"
-  resources:
-  - apiVersion: apps/v1
-    kind: ReplicaSet
-    name: nginx-5fbc65fff
-    namespace: test
-    uid: 710f2142-7613-4cf5-aef7-dc65306626e2
   result: warn
   severity: medium
   source: Trivy Vulnerability
@@ -124,19 +136,19 @@ metadata:
     kind: ReplicaSet
     name: nginx-5fbc65fff
     uid: 710f2142-7613-4cf5-aef7-dc65306626e2
+scope:
+  apiVersion: apps/v1
+  kind: ReplicaSet
+  name: nginx-5fbc65fff
+  namespace: test
+  uid: 710f2142-7613-4cf5-aef7-dc65306626e2
 results:
 - category: Kubernetes Security Check
   message: Sysctls can disable security mechanisms or affect all containers on a host,
     and should be disallowed except for an allowed 'safe' subset. A sysctl is considered
     safe if it is namespaced in the container or the Pod, and it is isolated from
     other Pods or processes on the same Node.
   policy: Unsafe sysctl options set
-  resources:
-  - apiVersion: apps/v1
-    kind: ReplicaSet
-    name: nginx-5fbc65fff
-    namespace: test
-    uid: 710f2142-7613-4cf5-aef7-dc65306626e2
   result: pass
   rule: KSV026
   severity: medium
@@ -172,19 +184,19 @@ metadata:
     kind: Role
     name: kyverno:leaderelection
     uid: ea031ce4-9f63-4aa9-a68c-da42b523768d
+scope:
+  apiVersion: rbac.authorization.k8s.io/v1
+  kind: Role
+  name: kyverno:leaderelection
+  namespace: kyverno
+  uid: ea031ce4-9f63-4aa9-a68c-da42b523768d
 results:
 - category: Kubernetes Security Check
   message: Check whether role permits update/create of a malicious pod
   policy: Do not allow update/create of a malicious pod
   properties:
     1. message: Role permits create/update of a malicious pod
     resultID: 5d52ad869c9da5e8533ae31a62b8e5a8a2f1838f
-  resources:
-  - apiVersion: rbac.authorization.k8s.io/v1
-    kind: Role
-    name: kyverno:leaderelection
-    namespace: kyverno
-    uid: ea031ce4-9f63-4aa9-a68c-da42b523768d
   result: fail
   rule: KSV048
   severity: high
@@ -198,12 +210,6 @@ results:
   policy: Do not allow users in a rolebinding to add other users to their rolebindings
   properties:
     resultID: 3de0c6a7f01df775fad425283b2cf56771e10902
-  resources:
-  - apiVersion: rbac.authorization.k8s.io/v1
-    kind: Role
-    name: kyverno:leaderelection
-    namespace: kyverno
-    uid: ea031ce4-9f63-4aa9-a68c-da42b523768d
   result: pass
   rule: KSV055
   severity: low
@@ -240,6 +246,11 @@ metadata:
     uid: 21449ac8-2f58-4eff-8f3d-c9e4e0024821
   resourceVersion: "39436"
   uid: 2296a252-b108-4d4a-b705-4b8983babe2b
+scope:
+  apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRole
+  name: system:certificates.k8s.io:kubelet-serving-approver
+  uid: 21449ac8-2f58-4eff-8f3d-c9e4e0024821
 results:
 - category: Kubernetes Security Check
   message: Some workloads leverage configmaps to store sensitive data or configuration
@@ -248,11 +259,6 @@ results:
   policy: Do not allow management of configmaps
   properties:
     resultID: d06e66683ee5de1136d5996ae0f4e1ae9b5d85c7
-  resources:
-  - apiVersion: rbac.authorization.k8s.io/v1
-    kind: ClusterRole
-    name: system:certificates.k8s.io:kubelet-serving-approver
-    uid: 21449ac8-2f58-4eff-8f3d-c9e4e0024821
   result: pass
   rule: KSV049
   severity: medium
@@ -265,11 +271,6 @@ results:
   policy: Do not allow privilege escalation from node proxy
   properties:
     resultID: 519454bf1ec35b55d0d8041fb191017bf83519d3
-  resources:
-  - apiVersion: rbac.authorization.k8s.io/v1
-    kind: ClusterRole
-    name: system:certificates.k8s.io:kubelet-serving-approver
-    uid: 21449ac8-2f58-4eff-8f3d-c9e4e0024821
   result: pass
   rule: KSV047
   severity: high
@@ -365,6 +366,12 @@ metadata:
     kind: InfraAssessmentReport
     name: pod-kube-apiserver-minikube
     uid: 37266479-d784-4ed9-a4c6-9dda5dff488b
+scope:
+  apiVersion: v1
+  kind: Pod
+  name: kube-apiserver-minikube
+  namespace: kube-system
+  uid: 5a50c600-4dff-42fd-a0c2-6734bb07ab0e
 results:
 - category: Kubernetes Security Check
   message: Ensure that the admission control plugin SecurityContextDeny is set if
@@ -375,12 +382,6 @@ results:
       pods which make use of some SecurityContext fields which could allow for privilege
       escalation in the cluster. This should be used where PodSecurityPolicy is not
       in place within the cluster.
-  resources:
-  - apiVersion: v1
-    kind: Pod
-    name: kube-apiserver-minikube
-    namespace: kube-system
-    uid: 5a50c600-4dff-42fd-a0c2-6734bb07ab0e
   result: fail
   rule: Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy
     is not used

charts/trivy-operator-polr-adapter/Chart.yaml

@@ -3,5 +3,5 @@ name: trivy-operator-polr-adapter
 description: Helm Chart to install the trivy-operator PolicyReport adapter
 
 type: application
-version: "0.3.2"
-appVersion: "0.3.1"
+version: "0.4.0"
+appVersion: "0.4.0"

charts/trivy-operator-polr-adapter/values.yaml

@@ -4,7 +4,7 @@ image:
   registry: ghcr.io
   repository: fjogeleit/trivy-operator-polr-adapter
   pullPolicy: IfNotPresent
-  tag: 0.3.1
+  tag: 0.4.0
 
 imagePullSecrets: []
 nameOverride: ""
@@ -13,25 +13,32 @@ fullnameOverride: ""
 adapters:
   vulnerabilityReports:
     enabled: true
+    timeout: 2
     # apply labels from the source report
     applyLabels: []
   configAuditReports:
     enabled: true
+    timeout: 2
     applyLabels: []
   cisKubeBenchReports:
     enabled: false
+    timeout: 2
     applyLabels: []
   complianceReports:
     enabled: false
+    timeout: 2
     applyLabels: []
   rbacAssessmentReports:
     enabled: false
+    timeout: 2
     applyLabels: []
   exposedSecretReports:
     enabled: false
+    timeout: 2
     applyLabels: []
   infraAssessmentReports:
     enabled: false
+    timeout: 2
     applyLabels: []
 
 rbac:

cmd/load.go

@@ -1,9 +1,10 @@
 package cmd
 
 import (
-	"github.com/fjogeleit/trivy-operator-polr-adapter/pkg/config"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
+
+	"github.com/fjogeleit/trivy-operator-polr-adapter/pkg/config"
 )
 
 func loadConfig(cmd *cobra.Command) (*config.Config, error) {

cmd/run.go

@@ -4,10 +4,11 @@ import (
 	"flag"
 	"fmt"
 
-	"github.com/fjogeleit/trivy-operator-polr-adapter/pkg/config"
 	"github.com/spf13/cobra"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
+
+	"github.com/fjogeleit/trivy-operator-polr-adapter/pkg/config"
 )
 
 func newRunCMD() *cobra.Command {