chore: re-scaffold project (#109)
## Issue
#108 

## Description
This PR re-scaffolds the project using `kubebuilder alpha generate`. The
2 major changes are:
- Remove all usage of `kube-rbac-proxy` and replace with
[WithAuthenticationAndAuthorization
](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/metrics/filters#WithAuthenticationAndAuthorization)
due to `kube-rbac-proxy` being deprecated
- Initialize e2e tests. For now, we are only testing basic
functionality. The tests should be expanded to cover validator-specific
use-cases.

---------

Signed-off-by: Artur Shad Nik <arturshadnik@gmail.com>
arturshadnik authored Dec 10, 2024
1 parent 1ecb02f commit 908d317
Showing 30 changed files with 1,119 additions and 273 deletions.
11 changes: 10 additions & 1 deletion .golangci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,10 @@ issues:
# don't skip warning about doc comments
# don't exclude the default set of lint
exclude-use-default: false
# restore some of the defaults
# (fill in the rest as needed)
exclude-dirs:
- tests
exclude-files:
- ".*_test\\.go"

Expand All @@ -14,7 +18,7 @@ linters:
enable:
- dupl
- errcheck
- exportloopref
- copyloopvar
- ginkgolinter
- goconst
- gocyclo
Expand All @@ -32,3 +36,8 @@ linters:
- unconvert
- unparam
- unused

linters-settings:
revive:
rules:
- name: comment-spacings
8 changes: 4 additions & 4 deletions api/v1alpha1/kubescapevalidator_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ import (

// KubescapeValidatorSpec defines the desired state of KubescapeValidator
type KubescapeValidatorSpec struct {
//+kubebuilder:default=kubescape
// +kubebuilder:default=kubescape
Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
// Global Severity Limit Rule
SeverityLimitRule SeverityLimitRule `json:"severityLimitRule,omitempty" yaml:"severityLimitRule,omitempty"`
Expand Down Expand Up @@ -76,8 +76,8 @@ type KubescapeValidatorStatus struct {
// Important: Run "make" to regenerate code after modifying this file
}

//+kubebuilder:object:root=true
//+kubebuilder:subresource:status
// +kubebuilder:object:root=true
// +kubebuilder:subresource:status

// KubescapeValidator is the Schema for the kubescapevalidators API
type KubescapeValidator struct {
Expand All @@ -88,7 +88,7 @@ type KubescapeValidator struct {
Status KubescapeValidatorStatus `json:"status,omitempty"`
}

//+kubebuilder:object:root=true
// +kubebuilder:object:root=true

// KubescapeValidatorList contains a list of KubescapeValidator
type KubescapeValidatorList struct {
Expand Down
2 changes: 1 addition & 1 deletion build
11 changes: 1 addition & 10 deletions chart/validator-plugin-kubescape/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,16 +11,7 @@ The following table lists the configurable parameters of the Validator-plugin-ku

| Parameter | Description | Default |
| ------------------------ | ----------------------- | -------------- |
| `controllerManager.kubeRbacProxy.args` | | `["--secure-listen-address=0.0.0.0:8443", "--upstream=http://127.0.0.1:8080/", "--logtostderr=true", "--v=0"]` |
| `controllerManager.kubeRbacProxy.containerSecurityContext.allowPrivilegeEscalation` | | `false` |
| `controllerManager.kubeRbacProxy.containerSecurityContext.capabilities.drop` | | `["ALL"]` |
| `controllerManager.kubeRbacProxy.image.repository` | | `"gcr.io/kubebuilder/kube-rbac-proxy"` |
| `controllerManager.kubeRbacProxy.image.tag` | | `"v0.16.0"` |
| `controllerManager.kubeRbacProxy.resources.limits.cpu` | | `"500m"` |
| `controllerManager.kubeRbacProxy.resources.limits.memory` | | `"128Mi"` |
| `controllerManager.kubeRbacProxy.resources.requests.cpu` | | `"5m"` |
| `controllerManager.kubeRbacProxy.resources.requests.memory` | | `"64Mi"` |
| `controllerManager.manager.args` | | `["--health-probe-bind-address=:8081", "--leader-elect"]` |
| `controllerManager.manager.args` | | `["--health-probe-bind-address=:8081", "--metrics-bind-address=:8443", "--leader-elect"]` |
| `controllerManager.manager.containerSecurityContext.allowPrivilegeEscalation` | | `false` |
| `controllerManager.manager.containerSecurityContext.capabilities.drop` | | `["ALL"]` |
| `controllerManager.manager.image.repository` | | `"quay.io/validator-labs/validator-plugin-kubescape"` |
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
controller-gen.kubebuilder.io/version: v0.16.4
name: kubescapevalidators.validation.spectrocloud.labs
spec:
group: validation.spectrocloud.labs
Expand Down
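--- a/chart/validator-plugin-kubescape/templates/deployment.yaml
+++ b/chart/validator-plugin-kubescape/templates/deployment.yaml
@@ -26,18 +26,6 @@ spec:
 kubectl.kubernetes.io/default-container: manager
 spec:
 containers:
-- args: {{- toYaml .Values.controllerManager.kubeRbacProxy.args | nindent 8 }}
-env:
-- name: KUBERNETES_CLUSTER_DOMAIN
-value: {{ quote .Values.kubernetesClusterDomain }}
-image: {{ .Values.controllerManager.kubeRbacProxy.image.repository }}:{{ .Values.controllerManager.kubeRbacProxy.image.tag | default .Chart.AppVersion }}
-name: kube-rbac-proxy
-ports:
-- containerPort: 8443
-name: https
-protocol: TCP
-resources: {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent 10 }}
-securityContext: {{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext | nindent 10 }}
 - args: {{- toYaml .Values.controllerManager.manager.args | nindent 8 }}
 command:
 - /manager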
Original file line number Diff line number Diff line change
@@ -1,11 +1,8 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "chart.fullname" . }}-proxy-role
name: {{ include "chart.fullname" . }}-metrics-auth-role
labels:
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/created-by: validator-plugin-kubescape
app.kubernetes.io/part-of: validator-plugin-kubescape
{{- include "chart.labels" . | nindent 4 }}
rules:
- apiGroups:
Expand All @@ -24,16 +21,13 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "chart.fullname" . }}-proxy-rolebinding
name: {{ include "chart.fullname" . }}-metrics-auth-rolebinding
labels:
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/created-by: validator-plugin-kubescape
app.kubernetes.io/part-of: validator-plugin-kubescape
{{- include "chart.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: '{{ include "chart.fullname" . }}-proxy-role'
name: '{{ include "chart.fullname" . }}-metrics-auth-role'
subjects:
- kind: ServiceAccount
name: '{{ include "chart.fullname" . }}-controller-manager'
Expand Down
22 changes: 1 addition & 21 deletions chart/validator-plugin-kubescape/values.yaml
Original file line number Diff line number Diff line change
@@ -1,28 +1,8 @@
controllerManager:
kubeRbacProxy:
args:
- --secure-listen-address=0.0.0.0:8443
- --upstream=http://127.0.0.1:8080/
- --logtostderr=true
- --v=0
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
image:
repository: gcr.io/kubebuilder/kube-rbac-proxy
tag: v0.16.0
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi
manager:
args:
- --health-probe-bind-address=:8081
- --metrics-bind-address=:8443
- --leader-elect
containerSecurityContext:
allowPrivilegeEscalation: false
Expand Down
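Review bot: With `--metrics-bind-address=:8443` the manager container now serves metrics itself, but the only `containerPort: 8443` / `name: https` declaration visible in this PR is on the kube-rbac-proxy container that deployment.yaml removes; unless the manager container's port list (not visible here) already declares it, a metrics Service that selects the `https` port by name has nothing to route to. Because `--metrics-secure` defaults to true in cmd/main.go and no CertDir is set there, the endpoint is served with a self-signed certificate generated at startup, so scrapers need either a CA they trust or an explicit skip-verify setting; that is worth stating next to the arg, e.g. `# served over HTTPS with a self-signed cert unless the manager is given a CertDir (see cmd/main.go)`. The rest of the manager values run past the visible hunk.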
80 changes: 69 additions & 11 deletions cmd/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -14,10 +14,10 @@ See the License for the specific language governing permissions and
limitations under the License.
*/

// Package main initializes a KubescapeValidator controller.
package main

import (
"crypto/tls"
"flag"
"os"

Expand All @@ -31,11 +31,14 @@ import (
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/healthz"
"sigs.k8s.io/controller-runtime/pkg/log/zap"
"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
"sigs.k8s.io/controller-runtime/pkg/webhook"

validationv1 "github.com/validator-labs/validator-plugin-kubescape/api/v1alpha1"
validationv1alpha1 "github.com/validator-labs/validator-plugin-kubescape/api/v1alpha1"
"github.com/validator-labs/validator-plugin-kubescape/internal/controller"
validatorv1alpha1 "github.com/validator-labs/validator/api/v1alpha1"
//+kubebuilder:scaffold:imports
// +kubebuilder:scaffold:imports
)

var (
Expand All @@ -45,23 +48,28 @@ var (

func init() {
utilruntime.Must(clientgoscheme.AddToScheme(scheme))

utilruntime.Must(validationv1.AddToScheme(scheme))

utilruntime.Must(validatorv1alpha1.AddToScheme(scheme))

//+kubebuilder:scaffold:scheme
utilruntime.Must(validationv1alpha1.AddToScheme(scheme))
// +kubebuilder:scaffold:scheme
}

func main() {
var metricsAddr string
var enableLeaderElection bool
var probeAddr string
flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
var secureMetrics bool
var enableHTTP2 bool
var tlsOpts []func(*tls.Config)
flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+
"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.")
flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
flag.BoolVar(&enableLeaderElection, "leader-elect", false,
"Enable leader election for controller manager. "+
"Enabling this will ensure there is only one active controller manager.")
flag.BoolVar(&secureMetrics, "metrics-secure", true,
"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
flag.BoolVar(&enableHTTP2, "enable-http2", false,
"If set, HTTP/2 will be enabled for the metrics and webhook servers")
opts := zap.Options{
Development: true,
}
Expand All @@ -70,11 +78,61 @@ func main() {

ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))

// if the enable-http2 flag is false (the default), http/2 should be disabled
// due to its vulnerabilities. More specifically, disabling http/2 will
// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
// Rapid Reset CVEs. For more information see:
// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
// - https://github.com/advisories/GHSA-4374-p667-p6c8
disableHTTP2 := func(c *tls.Config) {
setupLog.Info("disabling http/2")
c.NextProtos = []string{"http/1.1"}
}

if !enableHTTP2 {
tlsOpts = append(tlsOpts, disableHTTP2)
}

webhookServer := webhook.NewServer(webhook.Options{
TLSOpts: tlsOpts,
})

// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
// More info:
// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/server
// - https://book.kubebuilder.io/reference/metrics.html
metricsServerOptions := metricsserver.Options{
BindAddress: metricsAddr,
SecureServing: secureMetrics,
TLSOpts: tlsOpts,
}

if secureMetrics {
// FilterProvider is used to protect the metrics endpoint with authn/authz.
// These configurations ensure that only authorized users and service accounts
// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization
metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization

// TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically
// generate self-signed certificates for the metrics server. While convenient for development and testing,
// this setup is not recommended for production.

// TODO(user): If cert-manager is enabled in config/default/kustomization.yaml,
// you can uncomment the following lines to use the certificate managed by cert-manager.

// metricsServerOptions.CertDir = "/tmp/k8s-metrics-server/metrics-certs"
// metricsServerOptions.CertName = "tls.crt"
// metricsServerOptions.KeyName = "tls.key"
}

mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
Scheme: scheme,
Metrics: metricsServerOptions,
WebhookServer: webhookServer,
HealthProbeBindAddress: probeAddr,
LeaderElection: enableLeaderElection,
LeaderElectionID: "21f802fb.spectrocloud.labs",
LeaderElectionID: "cf0b361a.spectrocloud.labs",
// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
// when the Manager ends. This requires the binary to immediately end when the
// Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
Expand All @@ -100,7 +158,7 @@ func main() {
setupLog.Error(err, "unable to create controller", "controller", "KubescapeValidator")
os.Exit(1)
}
//+kubebuilder:scaffold:builder
// +kubebuilder:scaffold:builder

if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
setupLog.Error(err, "unable to set up health check")
Expand Down
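Review bot: The secure metrics server configured in the second hunk (`SecureServing: secureMetrics`, default true) runs on controller-runtime's auto-generated self-signed certificate, and the only way to supply a real one is to uncomment the hard-coded `/tmp/k8s-metrics-server/metrics-certs` lines left as a TODO inside `if secureMetrics`; since the chart now points scrapers at this port directly, CertDir/CertName/KeyName should be driven by flags so operators can mount a cert-manager or chart-provided secret without a code change. `filters.WithAuthenticationAndAuthorization` also depends on the manager's ServiceAccount being allowed to create `tokenreviews` and `subjectaccessreviews`; the rules of the renamed metrics-auth ClusterRole are outside the visible hunk, so that should be checked. The scaffold comments naming 'config/default/kustomization.yaml' and 'config/rbac/kustomization.yaml' describe a kustomize layout, while the deployment this PR changes lives under chart/validator-plugin-kubescape/templates, so they should name whichever location is the actual source of truth. main() starts before the second hunk and ends after the third.
```go
var metricsCertDir, metricsCertName, metricsKeyName string
flag.StringVar(&metricsCertDir, "metrics-cert-dir", "",
	"Directory holding the metrics server TLS certificate and key. When empty a self-signed certificate is generated.")
flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "Certificate file name within metrics-cert-dir.")
flag.StringVar(&metricsKeyName, "metrics-key-name", "tls.key", "Key file name within metrics-cert-dir.")
// … unchanged: leader-elect, metrics-secure, enable-http2 flags, logger, HTTP/2 and webhook setup …
if secureMetrics {
	// Authn/authz filter: requires RBAC on tokenreviews and subjectaccessreviews for the manager ServiceAccount.
	metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
	if metricsCertDir != "" {
		metricsServerOptions.CertDir = metricsCertDir
		metricsServerOptions.CertName = metricsCertName
		metricsServerOptions.KeyName = metricsKeyName
	}
}
```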
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
controller-gen.kubebuilder.io/version: v0.16.4
name: kubescapevalidators.validation.spectrocloud.labs
spec:
group: validation.spectrocloud.labs
Expand Down