Merge remote-tracking branch 'upstream/dev'

.github/workflows/build.yaml

@@ -20,8 +20,8 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          tag_name: v1.0.${{ github.run_number }}-beta
-          release_name: Release v1.0.${{ github.run_number }}-beta
+          tag_name: v1.0.${{ github.run_number }}
+          release_name: Release v1.0.${{ github.run_number }}
           draft: false
           prerelease: false
   build:

README.md

@@ -124,6 +124,9 @@ Kubescape is running the following tests according to what is defined by [Kubern
 * Dangerous capabilities
 * Insecure capabilities
 * Linux hardening
+* Ingress and Egress blocked
+* Container hostPort
+* Anonymous requests
 
 
 ## Technology

cautils/k8sinterface/k8sconfig_test.go

@@ -23,4 +23,12 @@ func TestGetGroupVersionResource(t *testing.T) {
 		t.Errorf("wrong Resource")
 	}
 
+	r2, err := GetGroupVersionResource("NetworkPolicy")
+	if err != nil {
+		t.Error(err)
+		return
+	}
+	if r2.Resource != "networkpolicies" {
+		t.Errorf("wrong Resource")
+	}
 }

cautils/k8sinterface/resourcegroupmapping.go

@@ -46,10 +46,7 @@ var GroupsClusterScope = []string{}
 var ResourceClusterScope = []string{"nodes", "namespaces", "clusterroles", "clusterrolebindings"}
 
 func GetGroupVersionResource(resource string) (schema.GroupVersionResource, error) {
-	resource = strings.ToLower(resource)
-	if resource != "" && !strings.HasSuffix(resource, "s") {
-		resource = fmt.Sprintf("%ss", resource) // add 's' at the end of a resource
-	}
+	resource = updateResourceKind(resource)
 	if r, ok := ResourceGroupMapping[resource]; ok {
 		gv := strings.Split(r, "/")
 		return schema.GroupVersionResource{Group: gv[0], Version: gv[1], Resource: resource}, nil
@@ -116,10 +113,7 @@ func ResourceGroupToString(group, version, resource string) []string {
 	if resource == "*" {
 		resource = ""
 	}
-	resource = strings.ToLower(resource)
-	if resource != "" && !strings.HasSuffix(resource, "s") {
-		resource = fmt.Sprintf("%ss", resource) // add 's' at the end of a resource
-	}
+	resource = updateResourceKind(resource)
 	return GetResourceTriplets(group, version, resource)
 }
 
@@ -132,3 +126,17 @@ func StringToResourceGroup(str string) (string, string, string) {
 	}
 	return splitted[0], splitted[1], splitted[2]
 }
+
+func updateResourceKind(resource string) string {
+	resource = strings.ToLower(resource)
+
+	if resource != "" && !strings.HasSuffix(resource, "s") {
+		if strings.HasSuffix(resource, "y") {
+			return fmt.Sprintf("%sies", strings.TrimSuffix(resource, "y")) // e.g. NetworkPolicy -> networkpolicies
+		} else {
+			return fmt.Sprintf("%ss", resource) // add 's' at the end of a resource
+		}
+	}
+	return resource
+
+}

cautils/opapolicy/datastructures.go

@@ -48,6 +48,7 @@ type RuleReport struct {
 	RuleStatus         RuleStatus               `json:"ruleStatus"`
 	RuleResponses      []RuleResponse           `json:"ruleResponses"`
 	ListInputResources []map[string]interface{} `json:"-"`
+	ListInputKinds     []string                 `json:"-"`
 }
 type RuleStatus struct {
 	Status  string `json:"status"`

cautils/opapolicy/datastructuresmethods.go

@@ -78,6 +78,13 @@ func (controlReport *ControlReport) GetNumberOfResources() int {
 	return sum
 }
 
+func (controlReport *ControlReport) ListControlsInputKinds() []string {
+	listControlsInputKinds := []string{}
+	for i := range controlReport.RuleReports {
+		listControlsInputKinds = append(listControlsInputKinds, controlReport.RuleReports[i].ListInputKinds...)
+	}
+	return listControlsInputKinds
+}
 func (controlReport *ControlReport) Passed() bool {
 	for i := range controlReport.RuleReports {
 		if len(controlReport.RuleReports[i].RuleResponses) > 0 {

cautils/opapolicy/resources/dependencies.go

@@ -196,6 +196,21 @@ query_all(resource) = http.send({
 	"raise_error": true,
 }) 
 
+
+
+# Query for all resources of type resource in all namespaces - without authentication
+# Example: query_all("deployments")
+query_all_no_auth(resource) = http.send({
+	"url": sprintf("%v/%v/namespaces/default/%v", [
+		host,
+		resource_group_mapping[resource],
+		resource,
+	]),
+	"method": "get",
+	"raise_error": true,
+	"tls_insecure_skip_verify" : true,
+}) 
+
 field_transform_to_qry_param(field,map) = finala {
 	mid := {concat(".",[field,key]): val | val := map[key]}
     finala := label_map_to_query_string(mid)

cmd/framework.go

@@ -29,7 +29,7 @@ type CLIHandler struct {
 var frameworkCmd = &cobra.Command{
 	Use:       "framework <framework name> [`<glob patter>`/`-`] [flags]",
 	Short:     fmt.Sprintf("The framework you wish to use. Supported frameworks: %s", strings.Join(supportedFrameworks, ", ")),
-	Long:      "Execute a scan on a running Kubernetes cluster or yaml/json files (use glob) or `-` for stdin",
+	Long:      "Execute a scan on a running Kubernetes cluster or `yaml`/`json` files (use glob) or `-` for stdin",
 	ValidArgs: supportedFrameworks,
 	Args: func(cmd *cobra.Command, args []string) error {
 		if len(args) < 1 {
@@ -75,7 +75,7 @@ func init() {
 	scanCmd.AddCommand(frameworkCmd)
 	scanInfo = opapolicy.ScanInfo{}
 	frameworkCmd.Flags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "namespaces to exclude from check")
-	frameworkCmd.Flags().StringVarP(&scanInfo.Format, "format", "f", "pretty-printer", "output format. supported formats: `pretty-printer`/`json`/`junit`")
+	frameworkCmd.Flags().StringVarP(&scanInfo.Format, "format", "f", "pretty-printer", `output format. supported formats: "pretty-printer"/"json"/"junit"`)
 	frameworkCmd.Flags().StringVarP(&scanInfo.Output, "output", "o", "", "output file. print output to file and not stdout")
 	frameworkCmd.Flags().BoolVarP(&scanInfo.Silent, "silent", "s", false, "silent progress output")
 }

opaprocessor/processorhandler.go

@@ -87,6 +87,7 @@ func (opap *OPAProcessor) ProcessRulesHandler(opaSessionObj *cautils.OPASessionO
 					ruleReport.RuleStatus.Status = "success"
 				}
 				ruleReport.ListInputResources = k8sObjects
+				ruleReport.ListInputKinds = listMatchKinds(rule.Match)
 				ruleReports = append(ruleReports, ruleReport)
 			}
 			controlReport.RuleReports = ruleReports

opaprocessor/processorhandlerutils.go

@@ -59,3 +59,11 @@ func ruleWithArmoOpaDependency(annotations map[string]interface{}) bool {
 	}
 	return false
 }
+
+func listMatchKinds(match []opapolicy.RuleMatchObjects) []string {
+	matchKinds := []string{}
+	for i := range match {
+		matchKinds = append(matchKinds, match[i].Resources...)
+	}
+	return matchKinds
+}

printer/printresults.go

@@ -95,6 +95,7 @@ func (printer *Printer) SummarySetup(postureReport *opapolicy.PostureReport) {
 				WorkloadSummary: mapResources,
 				Description:     cr.Description,
 				Remediation:     cr.Remediation,
+				ListInputKinds:  cr.ListControlsInputKinds(),
 			}
 		}
 	}
@@ -129,7 +130,7 @@ func (printer *Printer) printSummary(controlName string, controlSummary *Control
 
 func (printer *Printer) printTitle(controlName string, controlSummary *ControlSummary) {
 	cautils.InfoDisplay(printer.writer, "[control: %s] ", controlName)
-	if controlSummary.TotalResources == 0 {
+	if controlSummary.TotalResources == 0 && len(controlSummary.ListInputKinds) > 0 {
 		cautils.InfoDisplay(printer.writer, "resources not found %v\n", emoji.ConfusedFace)
 	} else if controlSummary.TotalFailed == 0 {
 		cautils.SuccessDisplay(printer.writer, "passed %v\n", emoji.ThumbsUp)

printer/summary.go

@@ -15,6 +15,7 @@ type ControlSummary struct {
 	TotalFailed     int
 	Description     string
 	Remediation     string
+	ListInputKinds  []string
 	WorkloadSummary map[string][]WorkloadSummary // <namespace>:[<WorkloadSummary>]
 }