diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index ecf6592c..17592e0d 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -40,9 +40,9 @@ jobs:
go-version: 1.16
- name: Build
- run: mkdir -p build/${{ matrix.os }} && go mod tidy && go build -ldflags "-w -s" -o build/${{ matrix.os }}/kubescape
+ run: mkdir -p build/${{ matrix.os }} && go mod tidy && go build -ldflags "-w -s" -o build/${{ matrix.os }}/kubescape # && md5sum build/${{ matrix.os }}/kubescape > build/${{ matrix.os }}/kubescape.md5
- - name: Upload Release Asset
+ - name: Upload Release binaries
id: upload-release-asset
uses: actions/upload-release-asset@v1
env:
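Review bot: The checksum command appended to the Build step's `run:` line sits behind `#`, so it is commented out and no checksum file is produced or uploaded. If the goal is to publish an integrity value for the release binary, MD5 is not collision-resistant and should not be the digest. A separate step such as `run: sha256sum build/${{ matrix.os }}/kubescape > build/${{ matrix.os }}/kubescape.sha256`, uploaded next to the binary, would serve that purpose. If the checksum is not wanted yet, drop the commented-out tail rather than leaving dead shell in the workflow.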
diff --git a/README.md b/README.md
index a9f75926..641d6193 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,6 @@
[](https://github.com/armosec/kubescape/actions/workflows/build.yaml)
-[](https://github.com/armosec/kubescape)
[](https://goreportcard.com/report/github.com/armosec/kubescape)
Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in [Kubernetes Hardening Guidance by NSA and CISA](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
@@ -50,7 +49,7 @@ If you wish to scan all namespaces in your cluster, remove the `--exclude-namesp
kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
```
-* Scan local `yaml`/`json` files before deploying
+* Scan local `yaml`/`json` files before deploying
```
kubescape scan framework nsa *.yaml
```
diff --git a/cautils/getter/armoapi.go b/cautils/getter/armoapi.go
index d80cfa19..f0e515ec 100644
--- a/cautils/getter/armoapi.go
+++ b/cautils/getter/armoapi.go
@@ -22,7 +22,7 @@ type ArmoAPI struct {
func NewArmoAPI() *ArmoAPI {
return &ArmoAPI{
httpClient: &http.Client{},
- baseURL: "https://dashbe.auprod1.cyberarmorsoft.com",
+ baseURL: "https://dashbe.euprod1.cyberarmorsoft.com",
}
}
func (armoAPI *ArmoAPI) GetFramework(name string) (*opapolicy.Framework, error) {
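Review bot: The backend host is a string literal inside `NewArmoAPI`, so switching regions needs a code change and a rebuild, and callers cannot point the client at another backend. A package-level constant with an override (option or environment variable) would make this a configuration matter. The neighbouring context line `httpClient: &http.Client{}` sets no `Timeout`, so a stalled backend would block the caller indefinitely. Something like `httpClient: &http.Client{Timeout: 30 * time.Second}` would bound it; the value is only a suggestion.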
diff --git a/cmd/download.go b/cmd/download.go
index d9d67e2e..5131ea33 100644
--- a/cmd/download.go
+++ b/cmd/download.go
@@ -22,7 +22,7 @@ var downloadCmd = &cobra.Command{
},
RunE: func(cmd *cobra.Command, args []string) error {
downloadInfo.FrameworkName = args[1]
- g := getter.NewArmoAPI()
+ g := getter.NewDownloadReleasedPolicy()
if downloadInfo.Path == "" {
downloadInfo.Path = getter.GetDefaultPath(downloadInfo.FrameworkName)
}
diff --git a/install.sh b/install.sh
index b997b1b0..c2bc2765 100755
--- a/install.sh
+++ b/install.sh
@@ -29,6 +29,9 @@ OUTPUT=$BASE_DIR/$KUBESCAPE_EXEC
curl --progress-bar -L $DOWNLOAD_URL -o $OUTPUT
echo -e "\033[32m[V] Downloaded Kubescape"
+# Ping download counter
+curl --silent https://us-central1-elated-pottery-310110.cloudfunctions.net/kubescape-download-counter -o /dev/null
+
chmod +x $OUTPUT || sudo chmod +x $OUTPUT
rm -f /usr/local/bin/$KUBESCAPE_EXEC || sudo rm -f /usr/local/bin/$KUBESCAPE_EXEC
cp $OUTPUT /usr/local/bin || sudo cp $OUTPUT /usr/local/bin
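Review bot: The added download-counter `curl` has no time limit, so an unreachable endpoint can stall the installer between the download and the install steps. If the script runs under `set -e` (not visible in this hunk), a failed ping would also abort the installation. Adding `--max-time 5` and a trailing `|| true` to that line keeps the counter best-effort. The ping is also silent, so a short `echo` or an opt-out variable would tell users that the installer contacts a second endpoint. Separately, the binary fetched at the top of the hunk is made executable and copied to /usr/local/bin with no checksum or signature verification in the visible lines.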
diff --git a/opaprocessor/processorhandler.go b/opaprocessor/processorhandler.go
index 8c8ee884..3be0c4ca 100644
--- a/opaprocessor/processorhandler.go
+++ b/opaprocessor/processorhandler.go
@@ -56,12 +56,6 @@ func NewOPAProcessorHandler(processedPolicy, reportResults *chan *cautils.OPASes
}
func (opaHandler *OPAProcessorHandler) ProcessRulesListenner() {
- // recover
- defer func() {
- if err := recover(); err != nil {
- glog.Errorf("RECOVER in ProcessRulesListenner, reason: %v", err)
- }
- }()
for {
opaSessionObj := <-*opaHandler.processedPolicy
diff --git a/scapepkg/exceptions/exceptionprocessor.go b/scapepkg/exceptions/exceptionprocessor.go
new file mode 100644
index 00000000..2c29688a
--- /dev/null
+++ b/scapepkg/exceptions/exceptionprocessor.go
@@ -0,0 +1,136 @@
+package exceptions
+
+import (
+ "github.com/armosec/kubescape/cautils/k8sinterface"
+
+ "github.com/armosec/kubescape/cautils/armotypes"
+ "github.com/armosec/kubescape/cautils/opapolicy"
+ "k8s.io/apimachinery/pkg/labels"
+)
+
+func ListRuleExceptions(exceptionPolicies []armotypes.PostureExceptionPolicy, frameworkName, controlName, ruleName string) []armotypes.PostureExceptionPolicy {
+ ruleExceptions := []armotypes.PostureExceptionPolicy{}
+ for i := range exceptionPolicies {
+ if ruleHasExceptions(&exceptionPolicies[i], frameworkName, controlName, ruleName) {
+ ruleExceptions = append(ruleExceptions, exceptionPolicies[i])
+ }
+ }
+
+ return ruleExceptions
+
+}
+
+func ruleHasExceptions(exceptionPolicy *armotypes.PostureExceptionPolicy, frameworkName, controlName, ruleName string) bool {
+ for _, posturePolicy := range exceptionPolicy.PosturePolicies {
+ if posturePolicy.FrameworkName == "" && posturePolicy.ControlName == "" && posturePolicy.RuleName == "" {
+ continue // empty policy -> ignore
+ }
+ if posturePolicy.FrameworkName != "" && posturePolicy.FrameworkName != frameworkName {
+ continue // policy does not match
+ }
+ if posturePolicy.ControlName != "" && posturePolicy.ControlName != controlName {
+ continue // policy does not match
+ }
+ if posturePolicy.RuleName != "" && posturePolicy.RuleName != ruleName {
+ continue // policy does not match
+ }
+ return true // policies match
+ }
+
+ return false
+
+}
+
+func AddExceptionsToRuleResponses(results []opapolicy.RuleResponse, ruleExceptions []armotypes.PostureExceptionPolicy) {
+ if len(ruleExceptions) == 0 {
+ return
+ }
+ for i := range results {
+ workloads := alertObjectToWorkloads(&results[i].AlertObject)
+ if len(workloads) == 0 {
+ continue
+ }
+ for w := range workloads {
+ if exception := getException(ruleExceptions, workloads[w]); exception != nil {
+ results[i].Exception = exception
+ }
+ }
+ results[i].RuleStatus = results[i].GetSingleResultStatus()
+ }
+}
+
+func alertObjectToWorkloads(obj *opapolicy.AlertObject) []k8sinterface.IWorkload {
+ resource := []k8sinterface.IWorkload{}
+
+ for i := range obj.K8SApiObjects {
+ r := k8sinterface.NewWorkloadObj(obj.K8SApiObjects[i])
+ if r == nil {
+ continue
+ }
+ resource = append(resource, r)
+ }
+
+ return resource
+}
+func getException(ruleExceptions []armotypes.PostureExceptionPolicy, workload k8sinterface.IWorkload) *armotypes.PostureExceptionPolicy {
+ for e := range ruleExceptions {
+ for _, resource := range ruleExceptions[e].Resources {
+ if hasException(&resource, workload) {
+ return &ruleExceptions[e] // TODO - return disable exception out of all exceptions
+ }
+ }
+ }
+ return nil
+}
+
+// compareMetadata - compare namespace and kind
+func hasException(designator *armotypes.PortalDesignator, workload k8sinterface.IWorkload) bool {
+ cluster, namespace, kind, name, labels := designator.DigestPortalDesignator()
+
+ if cluster == "" && namespace == "" && kind == "" && name == "" && len(labels) == 0 {
+ return false // if designators are empty
+ }
+
+ // if cluster != "" && cluster != ClusterName { // TODO - where do we receive cluster name from?
+ // return false // cluster name does not match
+ // }
+
+ if namespace != "" && !compareNamespace(workload, namespace) {
+ return false // namespaces do not match
+ }
+
+ if kind != "" && !compareKind(workload, kind) {
+ return false // kinds do not match
+ }
+
+ if name != "" && !compareName(workload, name) {
+ return false // names do not match
+ }
+ if len(labels) > 0 && !compareLabels(workload, labels) {
+ return false // labels do not match
+ }
+
+ return true // no mismatch found -> the workload has an exception
+}
+
+func compareNamespace(workload k8sinterface.IWorkload, namespace string) bool {
+ if workload.GetKind() == "Namespace" {
+ return namespace == workload.GetName()
+ }
+ return namespace == workload.GetNamespace()
+}
+
+func compareKind(workload k8sinterface.IWorkload, kind string) bool {
+ return kind == workload.GetKind()
+}
+
+func compareName(workload k8sinterface.IWorkload, name string) bool {
+ return name == workload.GetName()
+}
+
+func compareLabels(workload k8sinterface.IWorkload, attributes map[string]string) bool {
+ workloadLabels := labels.Set(workload.GetLabels())
+ designators := labels.Set(attributes).AsSelector()
+
+ return designators.Matches(workloadLabels)
+}
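Review bot: In `hasException`, a designator that sets only a cluster passes the emptiness guard and then skips every comparison, because the cluster check is commented out. The function therefore returns true for every workload, and such an exception would suppress findings across the board. Until cluster matching is implemented the guard should leave the cluster out: `if namespace == "" && kind == "" && name == "" && len(labels) == 0 { return false }`. The doc comment above it still names `compareMetadata`; `// hasException reports whether the designator matches the workload.` would fit the function. In `AddExceptionsToRuleResponses`, one matching workload among several attaches the exception to the whole result and the last match wins, which is worth confirming as intended.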
diff --git a/scapepkg/exceptions/exceptionprocessor_test.go b/scapepkg/exceptions/exceptionprocessor_test.go
new file mode 100644
index 00000000..f9efbb44
--- /dev/null
+++ b/scapepkg/exceptions/exceptionprocessor_test.go
@@ -0,0 +1,59 @@
+package exceptions
+
+import (
+ "testing"
+
+ "github.com/armosec/kubescape/cautils/armotypes"
+)
+
+func PostureExceptionPolicyDisableMock() *armotypes.PostureExceptionPolicy {
+ return &armotypes.PostureExceptionPolicy{}
+}
+
+func PostureExceptionPolicyAlertOnlyMock() *armotypes.PostureExceptionPolicy {
+ return &armotypes.PostureExceptionPolicy{
+ PortalBase: armotypes.PortalBase{
+ Name: "postureExceptionPolicyAlertOnlyMock",
+ },
+ PolicyType: "postureExceptionPolicy",
+ Actions: []armotypes.PostureExceptionPolicyActions{armotypes.AlertOnly},
+ Resources: []armotypes.PortalDesignator{
+ {
+ DesignatorType: armotypes.DesignatorAttributes,
+ Attributes: map[string]string{
+ armotypes.AttributeNamespace: "default",
+ armotypes.AttributeCluster: "unittest",
+ },
+ },
+ },
+ PosturePolicies: []armotypes.PosturePolicy{
+ {
+ FrameworkName: "MITRE",
+ },
+ },
+ }
+}
+
+func TestListRuleExceptions(t *testing.T) {
+ exceptionPolicies := []armotypes.PostureExceptionPolicy{*PostureExceptionPolicyAlertOnlyMock()}
+ res1 := ListRuleExceptions(exceptionPolicies, "MITRE", "", "")
+ if len(res1) != 1 {
+ t.Errorf("expecting 1 exception")
+ }
+ res2 := ListRuleExceptions(exceptionPolicies, "", "hostPath mount", "")
+ if len(res2) != 0 {
+ t.Errorf("expecting 0 exception")
+ }
+}
+
+// func TestGetException(t *testing.T) {
+// exceptionPolicies := []armotypes.PostureExceptionPolicy{*PostureExceptionPolicyAlertOnlyMock()}
+// res1 := ListRuleExceptions(exceptionPolicies, "MITRE", "", "")
+// if len(res1) != 1 {
+// t.Errorf("expecting 1 exception")
+// }
+// res2 := ListRuleExceptions(exceptionPolicies, "", "hostPath mount", "")
+// if len(res2) != 0 {
+// t.Errorf("expecting 0 exception")
+// }
+// }
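Review bot: The commented-out `TestGetException` is a copy of `TestListRuleExceptions` and never calls `getException`, so the workload-matching path (`getException`, `hasException` and the `compare*` helpers) has no test in this file. Replace the commented block with a real test that builds a workload, presumably via `k8sinterface.NewWorkloadObj`, and asserts both a match in namespace `default` and a non-match in another namespace. A case with a cluster-only designator would also pin down how that should behave. `PostureExceptionPolicyDisableMock` returns an empty policy and is unused here, so either fill it in or remove it.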
diff --git a/scapepkg/score/frameworkdict.json b/scapepkg/score/frameworkdict.json
new file mode 100644
index 00000000..21b5a6c7
--- /dev/null
+++ b/scapepkg/score/frameworkdict.json
@@ -0,0 +1,232 @@
+{
+ "developer_framework": {
+ "Writable hostPath mount": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Compromised images in registry": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Exposed dashboard": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Network mapping": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Access container service account": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Access Kubelet API": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Cluster-admin binding": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Kubernetes CronJob": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "SSH server running inside container": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Pod / container name similarity": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Cluster internal networking": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Access Kubernetes dashboard": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Privileged container": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "hostPath mount": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Instance Metadata API": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Applications credentials in configuration files": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ }
+ },
+ "MITRE": {
+ "Writable hostPath mount": {
+ "baseScore": 8.0,
+ "improvementRatio": 0.5
+ },
+ "Sidecar injection": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Compromised images in registry": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Access tiller endpoint": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Data Destruction": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Resource Hijacking": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Access the Kubernetes API server": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Exposed dashboard": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Backdoor container": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Network mapping": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Images from private registry": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Mount service principal": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Access container service account": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Malicious admission controller (validating)": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Access Kubelet API": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Vulnerable application": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Application exploit (RCE)": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Cluster-admin binding": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Kubernetes CronJob": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "SSH server running inside container": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "List Kubernetes secrets": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Pod / container name similarity": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Cluster internal networking": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Exposed sensitive interfaces": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Bash/cmd inside container": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Clear container logs": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Access Kubernetes dashboard": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "New container": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Privileged container": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "CoreDNS poisoning": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "hostPath mount": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Instance Metadata API": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Malicious admission controller (mutating)": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Exec into container": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Delete Kubernetes events": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Applications credentials in configuration files": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ }
+ },
+ "NSA": {
+ "Control plane hardening": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Immutable container filesystem": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Non-root containers": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ },
+ "Host PID/IPC privileges": {
+ "baseScore": 1.0,
+ "improvementRatio": 1.0
+ }
+ }
+}
\ No newline at end of file
diff --git a/scapepkg/score/frameworkmock.json b/scapepkg/score/frameworkmock.json
new file mode 100644
index 00000000..3f595c6e
--- /dev/null
+++ b/scapepkg/score/frameworkmock.json
@@ -0,0 +1,1214 @@
+{
+ "name": "MITRE",
+ "controlReports": [{
+ "name": "Writable hostPath mount",
+ "ruleReports": [{
+
+ "name": "alert-rw-hostpath",
+ "remediation": "",
+ "ruleStatus": {
+ "status": "success",
+ "message": ""
+ },
+ "ruleResponses":
+ [
+ {
+ "alertMessage": "pod: etcd-david-virtualbox has: etcd-certs as hostPath volume",
+ "packagename": "armo_builtins",
+ "alertScore": 0,
+ "alertObject": {
+ "k8sApiObjects": [{
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "annotations": {
+ "kubernetes.io/config.hash": "e0fcc6e4323055b5880f8aac4c950836",
+ "kubernetes.io/config.mirror": "e0fcc6e4323055b5880f8aac4c950836",
+ "kubernetes.io/config.seen": "2021-06-20T12:06:52.495386281+03:00",
+ "kubernetes.io/config.source": "file"
+ },
+ "creationTimestamp": "2021-06-20T09:08:22Z",
+ "labels": {
+ "component": "etcd",
+ "tier": "control-plane"
+ },
+ "name": "etcd-david-virtualbox",
+ "namespace": "kube-system",
+ "resourceVersion": "1301679",
+ "selfLink": "/api/v1/namespaces/kube-system/pods/etcd-david-virtualbox",
+ "uid": "154e7f87-907f-4edb-a73c-26e965d4fe02"
+ },
+ "spec": {
+ "containers": [{
+ "command": ["etcd", "--advertise-client-urls=https://10.0.2.15:2379", "--cert-file=/var/lib/minikube/certs/etcd/server.crt", "--client-cert-auth=true", "--data-dir=/var/lib/minikube/etcd", "--initial-advertise-peer-urls=https://10.0.2.15:2380", "--initial-cluster=david-virtualbox=https://10.0.2.15:2380", "--key-file=/var/lib/minikube/certs/etcd/server.key", "--listen-client-urls=https://127.0.0.1:2379,https://10.0.2.15:2379", "--listen-metrics-urls=http://127.0.0.1:2381,http://10.0.2.15:2381", "--listen-peer-urls=https://10.0.2.15:2380", "--name=david-virtualbox", "--peer-cert-file=/var/lib/minikube/certs/etcd/peer.crt", "--peer-client-cert-auth=true", "--peer-key-file=/var/lib/minikube/certs/etcd/peer.key", "--peer-trusted-ca-file=/var/lib/minikube/certs/etcd/ca.crt", "--snapshot-count=10000", "--trusted-ca-file=/var/lib/minikube/certs/etcd/ca.crt"],
+ "image": "k8s.gcr.io/etcd:3.3.15-0",
+ "imagePullPolicy": "IfNotPresent",
+ "livenessProbe": {
+ "failureThreshold": 8,
+ "httpGet": {
+ "host": "127.0.0.1",
+ "path": "/health",
+ "port": 2381,
+ "scheme": "HTTP"
+ },
+ "initialDelaySeconds": 15,
+ "periodSeconds": 10,
+ "successThreshold": 1,
+ "timeoutSeconds": 15
+ },
+ "name": "etcd",
+ "resources": {},
+ "terminationMessagePath": "/dev/termination-log",
+ "terminationMessagePolicy": "File",
+ "volumeMounts": [{
+ "mountPath": "/var/lib/minikube/etcd",
+ "name": "etcd-data"
+ }, {
+ "mountPath": "/var/lib/minikube/certs/etcd",
+ "name": "etcd-certs"
+ }]
+ }],
+ "dnsPolicy": "ClusterFirst",
+ "enableServiceLinks": true,
+ "hostNetwork": true,
+ "nodeName": "david-virtualbox",
+ "priority": 2000000000,
+ "priorityClassName": "system-cluster-critical",
+ "restartPolicy": "Always",
+ "schedulerName": "default-scheduler",
+ "securityContext": {},
+ "terminationGracePeriodSeconds": 30,
+ "tolerations": [{
+ "effect": "NoExecute",
+ "operator": "Exists"
+ }],
+ "volumes": [{
+ "hostPath": {
+ "path": "/var/lib/minikube/certs/etcd",
+ "type": "DirectoryOrCreate"
+ },
+ "name": "etcd-certs"
+ }, {
+ "hostPath": {
+ "path": "/var/lib/minikube/etcd",
+ "type": "DirectoryOrCreate"
+ },
+ "name": "etcd-data"
+ }]
+ },
+ "status": {
+ "conditions": [{
+ "lastProbeTime": null,
+ "lastTransitionTime": "2021-08-17T05:50:06Z",
+ "status": "True",
+ "type": "Initialized"
+ }, {
+ "lastProbeTime": null,
+ "lastTransitionTime": "2021-08-17T05:50:08Z",
+ "status": "True",
+ "type": "Ready"
+ }, {
+ "lastProbeTime": null,
+ "lastTransitionTime": "2021-08-17T05:50:08Z",
+ "status": "True",
+ "type": "ContainersReady"
+ }, {
+ "lastProbeTime": null,
+ "lastTransitionTime": "2021-08-17T05:50:06Z",
+ "status": "True",
+ "type": "PodScheduled"
+ }],
+ "containerStatuses": [{
+ "containerID": "docker://bcb9f50b86a6f81026185efdbbc0f1a0d8acee397594916c999000aa07395da5",
+ "image": "k8s.gcr.io/etcd:3.3.15-0",
+ "imageID": "docker-pullable://k8s.gcr.io/etcd@sha256:12c2c5e5731c3bcd56e6f1c05c0f9198b6f06793fa7fca2fb43aab9622dc4afa",
+ "lastState": {
+ "terminated": {
+ "containerID": "docker://3d9c0a12b14c9afa88f022f01c70f430a8171f53600b18dc9b74542106ead33b",
+ "exitCode": 0,
+ "finishedAt": "2021-08-16T16:16:20Z",
+ "reason": "Completed",
+ "startedAt": "2021-08-15T06:14:03Z"
+ }
+ },
+ "name": "etcd",
+ "ready": true,
+ "restartCount": 35,
+ "started": true,
+ "state": {
+ "running": {
+ "startedAt": "2021-08-17T05:50:07Z"
+ }
+ }
+ }],
+ "hostIP": "10.0.2.15",
+ "phase": "Running",
+ "podIP": "10.0.2.15",
+ "podIPs": [{
+ "ip": "10.0.2.15"
+ }],
+ "qosClass": "BestEffort",
+ "startTime": "2021-08-17T05:50:06Z"
+ }
+ }]
+ },
+ "context": null,
+ "rulename": "",
+ "exceptionName": ""
+ }, {
+ "alertMessage": "pod: etcd-david-virtualbox has: etcd-data as hostPath volume",
+ "packagename": "armo_builtins",
+ "alertScore": 0,
+ "alertObject": {
+ "k8sApiObjects": [{
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "annotations": {
+ "kubernetes.io/config.hash": "e0fcc6e4323055b5880f8aac4c950836",
+ "kubernetes.io/config.mirror": "e0fcc6e4323055b5880f8aac4c950836",
+ "kubernetes.io/config.seen": "2021-06-20T12:06:52.495386281+03:00",
+ "kubernetes.io/config.source": "file"
+ },
+ "creationTimestamp": "2021-06-20T09:08:22Z",
+ "labels": {
+ "component": "etcd",
+ "tier": "control-plane"
+ },
+ "name": "etcd-david-virtualbox",
+ "namespace": "kube-system",
+ "resourceVersion": "1301679",
+ "selfLink": "/api/v1/namespaces/kube-system/pods/etcd-david-virtualbox",
+ "uid": "154e7f87-907f-4edb-a73c-26e965d4fe02"
+ },
+ "spec": {
+ "containers": [{
+ "command": ["etcd", "--advertise-client-urls=https://10.0.2.15:2379", "--cert-file=/var/lib/minikube/certs/etcd/server.crt", "--client-cert-auth=true", "--data-dir=/var/lib/minikube/etcd", "--initial-advertise-peer-urls=https://10.0.2.15:2380", "--initial-cluster=david-virtualbox=https://10.0.2.15:2380", "--key-file=/var/lib/minikube/certs/etcd/server.key", "--listen-client-urls=https://127.0.0.1:2379,https://10.0.2.15:2379", "--listen-metrics-urls=http://127.0.0.1:2381,http://10.0.2.15:2381", "--listen-peer-urls=https://10.0.2.15:2380", "--name=david-virtualbox", "--peer-cert-file=/var/lib/minikube/certs/etcd/peer.crt", "--peer-client-cert-auth=true", "--peer-key-file=/var/lib/minikube/certs/etcd/peer.key", "--peer-trusted-ca-file=/var/lib/minikube/certs/etcd/ca.crt", "--snapshot-count=10000", "--trusted-ca-file=/var/lib/minikube/certs/etcd/ca.crt"],
+ "image": "k8s.gcr.io/etcd:3.3.15-0",
+ "imagePullPolicy": "IfNotPresent",
+ "livenessProbe": {
+ "failureThreshold": 8,
+ "httpGet": {
+ "host": "127.0.0.1",
+ "path": "/health",
+ "port": 2381,
+ "scheme": "HTTP"
+ },
+ "initialDelaySeconds": 15,
+ "periodSeconds": 10,
+ "successThreshold": 1,
+ "timeoutSeconds": 15
+ },
+ "name": "etcd",
+ "resources": {},
+ "terminationMessagePath": "/dev/termination-log",
+ "terminationMessagePolicy": "File",
+ "volumeMounts": [{
+ "mountPath": "/var/lib/minikube/etcd",
+ "name": "etcd-data"
+ }, {
+ "mountPath": "/var/lib/minikube/certs/etcd",
+ "name": "etcd-certs"
+ }]
+ }],
+ "dnsPolicy": "ClusterFirst",
+ "enableServiceLinks": true,
+ "hostNetwork": true,
+ "nodeName": "david-virtualbox",
+ "priority": 2000000000,
+ "priorityClassName": "system-cluster-critical",
+ "restartPolicy": "Always",
+ "schedulerName": "default-scheduler",
+ "securityContext": {},
+ "terminationGracePeriodSeconds": 30,
+ "tolerations": [{
+ "effect": "NoExecute",
+ "operator": "Exists"
+ }],
+ "volumes": [{
+ "hostPath": {
+ "path": "/var/lib/minikube/certs/etcd",
+ "type": "DirectoryOrCreate"
+ },
+ "name": "etcd-certs"
+ }, {
+ "hostPath": {
+ "path": "/var/lib/minikube/etcd",
+ "type": "DirectoryOrCreate"
+ },
+ "name": "etcd-data"
+ }]
+ },
+ "status": {
+ "conditions": [{
+ "lastProbeTime": null,
+ "lastTransitionTime": "2021-08-17T05:50:06Z",
+ "status": "True",
+ "type": "Initialized"
+ }, {
+ "lastProbeTime": null,
+ "lastTransitionTime": "2021-08-17T05:50:08Z",
+ "status": "True",
+ "type": "Ready"
+ }, {
+ "lastProbeTime": null,
+ "lastTransitionTime": "2021-08-17T05:50:08Z",
+ "status": "True",
+ "type": "ContainersReady"
+ }, {
+ "lastProbeTime": null,
+ "lastTransitionTime": "2021-08-17T05:50:06Z",
+ "status": "True",
+ "type": "PodScheduled"
+ }],
+ "containerStatuses": [{
+ "containerID": "docker://bcb9f50b86a6f81026185efdbbc0f1a0d8acee397594916c999000aa07395da5",
+ "image": "k8s.gcr.io/etcd:3.3.15-0",
+ "imageID": "docker-pullable://k8s.gcr.io/etcd@sha256:12c2c5e5731c3bcd56e6f1c05c0f9198b6f06793fa7fca2fb43aab9622dc4afa",
+ "lastState": {
+ "terminated": {
+ "containerID": "docker://3d9c0a12b14c9afa88f022f01c70f430a8171f53600b18dc9b74542106ead33b",
+ "exitCode": 0,
+ "finishedAt": "2021-08-16T16:16:20Z",
+ "reason": "Completed",
+ "startedAt": "2021-08-15T06:14:03Z"
+ }
+ },
+ "name": "etcd",
+ "ready": true,
+ "restartCount": 35,
+ "started": true,
+ "state": {
+ "running": {
+ "startedAt": "2021-08-17T05:50:07Z"
+ }
+ }
+ }],
+ "hostIP": "10.0.2.15",
+ "phase": "Running",
+ "podIP": "10.0.2.15",
+ "podIPs": [{
+ "ip": "10.0.2.15"
+ }],
+ "qosClass": "BestEffort",
+ "startTime": "2021-08-17T05:50:06Z"
+ }
+ }]
+ },
+ "context": null,
+ "rulename": "",
+ "exceptionName": ""
+ }, {
+ "alertMessage": "pod: kube-controller-manager-david-virtualbox has: flexvolume-dir as hostPath volume",
+ "packagename": "armo_builtins",
+ "alertScore": 0,
+ "alertObject": {
+ "k8sApiObjects": [{
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "annotations": {
+ "kubernetes.io/config.hash": "a16b2d5766eae37796e4a8ed7f8ce12a",
+ "kubernetes.io/config.mirror": "a16b2d5766eae37796e4a8ed7f8ce12a",
+ "kubernetes.io/config.seen": "2021-06-20T12:06:52.495389283+03:00",
+ "kubernetes.io/config.source": "file"
+ },
+ "creationTimestamp": "2021-06-20T09:08:00Z",
+ "labels": {
+ "component": "kube-controller-manager",
+ "tier": "control-plane"
+ },
+ "name": "kube-controller-manager-david-virtualbox",
+ "namespace": "kube-system",
+ "resourceVersion": "1301685",
+ "selfLink": "/api/v1/namespaces/kube-system/pods/kube-controller-manager-david-virtualbox",
+ "uid": "6ca9d32c-21c3-4c0e-8087-5445c80a2bcc"
+ },
+ "spec": {
+ "containers": [{
+ "command": ["kube-controller-manager", "--allocate-node-cidrs=true", "--authentication-kubeconfig=/etc/kubernetes/controller-manager.conf", "--authorization-kubeconfig=/etc/kubernetes/controller-manager.conf", "--bind-address=127.0.0.1", "--client-ca-file=/var/lib/minikube/certs/ca.crt", "--cluster-cidr=10.244.0.0/16", "--cluster-signing-cert-file=/var/lib/minikube/certs/ca.crt", "--cluster-signing-key-file=/var/lib/minikube/certs/ca.key", "--controllers=*,bootstrapsigner,tokencleaner", "--kubeconfig=/etc/kubernetes/controller-manager.conf", "--leader-elect=false", "--node-cidr-mask-size=24", "--requestheader-client-ca-file=/var/lib/minikube/certs/front-proxy-ca.crt", "--root-ca-file=/var/lib/minikube/certs/ca.crt", "--service-account-private-key-file=/var/lib/minikube/certs/sa.key", "--service-cluster-ip-range=10.96.0.0/12", "--use-service-account-credentials=true"],
+ "image": "k8s.gcr.io/kube-controller-manager:v1.16.0",
+ "imagePullPolicy": "IfNotPresent",
+ "livenessProbe": {
+ "failureThreshold": 8,
+ "httpGet": {
+ "host": "127.0.0.1",
+ "path": "/healthz",
+ "port": 10252,
+ "scheme": "HTTP"
+ },
+ "initialDelaySeconds": 15,
+ "periodSeconds": 10,
+ "successThreshold": 1,
+ "timeoutSeconds": 15
+ },
+ "name": "kube-controller-manager",
+ "resources": {
+ "requests": {
+ "cpu": "200m"
+ }
+ },
+ "terminationMessagePath": "/dev/termination-log",
+ "terminationMessagePolicy": "File",
+ "volumeMounts": [{
+ "mountPath": "/etc/ssl/certs",
+ "name": "ca-certs",
+ "readOnly": true
+ }, {
+ "mountPath": "/etc/ca-certificates",
+ "name": "etc-ca-certificates",
+ "readOnly": true
+ }, {
+ "mountPath": "/etc/pki",
+ "name": "etc-pki",
+ "readOnly": true
+ }, {
+ "mountPath": "/usr/libexec/kubernetes/kubelet-plugins/volume/exec",
+ "name": "flexvolume-dir"
+ }, {
+ "mountPath": "/var/lib/minikube/certs",
+ "name": "k8s-certs",
+ "readOnly": true
+ }, {
+ "mountPath": "/etc/kubernetes/controller-manager.conf",
+ "name": "kubeconfig",
+ "readOnly": true
+ }, {
+ "mountPath": "/usr/local/share/ca-certificates",
+ "name": "usr-local-share-ca-certificates",
+ "readOnly": true
+ }, {
+ "mountPath": "/usr/share/ca-certificates",
+ "name": "usr-share-ca-certificates",
+ "readOnly": true
+ }]
+ }],
+ "dnsPolicy": "ClusterFirst",
+ "enableServiceLinks": true,
+ "hostNetwork": true,
+ "nodeName": "david-virtualbox",
+ "priority": 2000000000,
+ "priorityClassName": "system-cluster-critical",
+ "restartPolicy": "Always",
+ "schedulerName": "default-scheduler",
+ "securityContext": {},
+ "terminationGracePeriodSeconds": 30,
+ "tolerations": [{
+ "effect": "NoExecute",
+ "operator": "Exists"
+ }],
+ "volumes": [{
+ "hostPath": {
+ "path": "/etc/ssl/certs",
+ "type": "DirectoryOrCreate"
+ },
+ "name": "ca-certs"
+ }, {
+ "hostPath": {
+ "path": "/etc/ca-certificates",
+ "type": "DirectoryOrCreate"
+ },
+ "name": "etc-ca-certificates"
+ }, {
+ "hostPath": {
+ "path": "/etc/pki",
+ "type": "DirectoryOrCreate"
+ },
+ "name": "etc-pki"
+ }, {
+ "hostPath": {
+ "path": "/usr/libexec/kubernetes/kubelet-plugins/volume/exec",
+ "type": "DirectoryOrCreate"
+ },
+ "name": "flexvolume-dir"
+ }, {
+ "hostPath": {
+ "path": "/var/lib/minikube/certs",
+ "type": "DirectoryOrCreate"
+ },
+ "name": "k8s-certs"
+ }, {
+ "hostPath": {
+ "path": "/etc/kubernetes/controller-manager.conf",
+ "type": "FileOrCreate"
+ },
+ "name": "kubeconfig"
+ }, {
+ "hostPath": {
+ "path": "/usr/local/share/ca-certificates",
+ "type": "DirectoryOrCreate"
+ },
+ "name": "usr-local-share-ca-certificates"
+ }, {
+ "hostPath": {
+ "path": "/usr/share/ca-certificates",
+ "type": "DirectoryOrCreate"
+ },
+ "name": "usr-share-ca-certificates"
+ }]
+ },
+ "status": {
+ "conditions": [{
+ "lastProbeTime": null,
+ "lastTransitionTime": "2021-08-10T10:06:37Z",
+ "status": "True",
+ "type": "Initialized"
+ }, {
+ "lastProbeTime": null,
+ "lastTransitionTime": "2021-08-15T06:14:12Z",
+ "status": "True",
+ "type": "Ready"
+ }, {
+ "lastProbeTime": null,
+ "lastTransitionTime": "2021-08-15T06:14:12Z",
+ "status": "True",
+ "type": "ContainersReady"
+ }, {
+ "lastProbeTime": null,
+ "lastTransitionTime": "2021-08-10T10:06:37Z",
+ "status": "True",
+ "type": "PodScheduled"
+ }],
+ "containerStatuses": [{
+ "containerID": "docker://bb1975f8808ae29cf443c4dff4e82623850190d7e4247e63571fda6c23ed8bab",
+ "image": "k8s.gcr.io/kube-controller-manager:v1.16.0",
+ "imageID": "docker-pullable://k8s.gcr.io/kube-controller-manager@sha256:c156a05ee9d40e3ca2ebf9337f38a10558c1fc6c9124006f128a82e6c38cdf3e",
+ "lastState": {
+ "terminated": {
+ "containerID": "docker://8988b28ff6588090bff373abb4726805716c7623a83364aa29e50a30e0671a81",
+ "exitCode": 2,
+ "finishedAt": "2021-08-16T16:16:20Z",
+ "reason": "Error",
+ "startedAt": "2021-08-15T06:14:10Z"
+ }
+ },
+ "name": "kube-controller-manager",
+ "ready": true,
+ "restartCount": 38,
+ "started": true,
+ "state": {
+ "running": {
+ "startedAt": "2021-08-17T05:50:07Z"
+ }
+ }
+ }],
+ "hostIP": "10.0.2.15",
+ "phase": "Running",
+ "podIP": "10.0.2.15",
+ "podIPs": [{
+ "ip": "10.0.2.15"
+ }],
+ "qosClass": "Burstable",
+ "startTime": "2021-08-10T10:06:37Z"
+ }
+ }]
+ },
+ "context": null,
+ "rulename": "",
+ "exceptionName": ""
+ }, {
+ "alertMessage": "pod: storage-provisioner has: tmp as hostPath volume",
+ "packagename": "armo_builtins",
+ "alertScore": 0,
+ "alertObject": {
+ "k8sApiObjects": [{
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "annotations": {
+ "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"addonmanager.kubernetes.io/mode\":\"Reconcile\",\"integration-test\":\"storage-provisioner\"},\"name\":\"storage-provisioner\",\"namespace\":\"kube-system\"},\"spec\":{\"containers\":[{\"command\":[\"/storage-provisioner\"],\"image\":\"gcr.io/k8s-minikube/storage-provisioner:v4\",\"imagePullPolicy\":\"IfNotPresent\",\"name\":\"storage-provisioner\",\"volumeMounts\":[{\"mountPath\":\"/tmp\",\"name\":\"tmp\"}]}],\"hostNetwork\":true,\"serviceAccountName\":\"storage-provisioner\",\"volumes\":[{\"hostPath\":{\"path\":\"/tmp\",\"type\":\"Directory\"},\"name\":\"tmp\"}]}}\n"
+ },
+ "creationTimestamp": "2021-06-20T09:07:09Z",
+ "labels": {
+ "addonmanager.kubernetes.io/mode": "Reconcile",
+ "integration-test": "storage-provisioner"
+ },
+ "name": "storage-provisioner",
+ "namespace": "kube-system",
+ "resourceVersion": "1301849",
+ "selfLink": "/api/v1/namespaces/kube-system/pods/storage-provisioner",
+ "uid": "ea5dc2e2-4f7a-49f4-9e88-37e8e2d741a5"
+ },
+ "spec": {
+ "containers": [{
+ "command": ["/storage-provisioner"],
+ "image": "gcr.io/k8s-minikube/storage-provisioner:v4",
+ "imagePullPolicy": "IfNotPresent",
+ "name": "storage-provisioner",
+ "resources": {},
+ "terminationMessagePath": "/dev/termination-log",
+ "terminationMessagePolicy": "File",
+ "volumeMounts": [{
+ "mountPath": "/tmp",
+ "name": "tmp"
+ }, {
+ "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
+ "name": "storage-provisioner-token-bbjlq",
+ "readOnly": true
+ }]
+ }],
+ "dnsPolicy": "ClusterFirst",
+ "enableServiceLinks": true,
+ "hostNetwork": true,
+ "nodeName": "david-virtualbox",
+ "priority": 0,
+ "restartPolicy": "Always",
+ "schedulerName": "default-scheduler",
+ "securityContext": {},
+ "serviceAccount": "storage-provisioner",
+ "serviceAccountName": "storage-provisioner",
+ "terminationGracePeriodSeconds": 30,
+ "tolerations": [{
+ "effect": "NoExecute",
+ "key": "node.kubernetes.io/not-ready",
+ "operator": "Exists",
+ "tolerationSeconds": 300
+ }, {
+ "effect": "NoExecute",
+ "key": "node.kubernetes.io/unreachable",
+ "operator": "Exists",
+ "tolerationSeconds": 300
+ }],
+ "volumes": [{
+ "hostPath": {
+ "path": "/tmp",
+ "type": "Directory"
+ },
+ "name": "tmp"
+ }, {
+ "name": "storage-provisioner-token-bbjlq",
+ "secret": {
+ "defaultMode": 420,
+ "secretName": "storage-provisioner-token-bbjlq"
+ }
+ }]
+ },
+ "status": {
+ "conditions": [{
+ "lastProbeTime": null,
+ "lastTransitionTime": "2021-06-20T09:07:23Z",
+ "status": "True",
+ "type": "Initialized"
+ }, {
+ "lastProbeTime": null,
+ "lastTransitionTime": "2021-08-17T05:51:01Z",
+ "status": "True",
+ "type": "Ready"
+ }, {
+ "lastProbeTime": null,
+ "lastTransitionTime": "2021-08-17T05:51:01Z",
+ "status": "True",
+ "type": "ContainersReady"
+ }, {
+ "lastProbeTime": null,
+ "lastTransitionTime": "2021-06-20T09:07:23Z",
+ "status": "True",
+ "type": "PodScheduled"
+ }],
+ "containerStatuses": [{
+ "containerID": "docker://63ce793c99c71f557901a39c23d5bb6cad98e363fe382371abe38c760a09eee5",
+ "image": "gcr.io/k8s-minikube/storage-provisioner:v4",
+ "imageID": "docker-pullable://gcr.io/k8s-minikube/storage-provisioner@sha256:06f83c679a723d938b8776510d979c69549ad7df516279981e23554b3e68572f",
+ "lastState": {
+ "terminated": {
+ "containerID": "docker://b69e8f6288ca615d0292cfd31a9bd3e21b92fcce9152ff9341cdea4aa25b0d04",
+ "exitCode": 1,
+ "finishedAt": "2021-08-17T05:50:49Z",
+ "reason": "Error",
+ "startedAt": "2021-08-17T05:50:18Z"
+ }
+ },
+ "name": "storage-provisioner",
+ "ready": true,
+ "restartCount": 66,
+ "started": true,
+ "state": {
+ "running": {
+ "startedAt": "2021-08-17T05:51:00Z"
+ }
+ }
+ }],
+ "hostIP": "10.0.2.15",
+ "phase": "Running",
+ "podIP": "10.0.2.15",
+ "podIPs": [{
+ "ip": "10.0.2.15"
+ }],
+ "qosClass": "BestEffort",
+ "startTime": "2021-06-20T09:07:23Z"
+ }
+ }]
+ },
+ "context": null,
+ "rulename": "",
+ "exceptionName": ""
+ }, {
+ "alertMessage": "Deployment: ca-webhook has: docker-socket-volume as hostPath volume",
+ "packagename": "armo_builtins",
+ "alertScore": 0,
+ "alertObject": {
+ "k8sApiObjects": [{
+ "apiVersion": "apps/v1",
+ "kind": "Deployment",
+ "metadata": {
+ "annotations": {
+ "deployment.kubernetes.io/revision": "1",
+ "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"apps/v1\",\"kind\":\"Deployment\",\"metadata\":{\"annotations\":{},\"labels\":{\"app\":\"ca-webhook\",\"tier\":\"cyberarmor-system-control-plane\"},\"name\":\"ca-webhook\",\"namespace\":\"cyberarmor-system\"},\"spec\":{\"replicas\":1,\"selector\":{\"matchLabels\":{\"app\":\"ca-webhook\"}},\"template\":{\"metadata\":{\"annotations\":{\"certificate\":\"395eae367cb93800feb9c64c477f5bf8 ca.crt\"},\"labels\":{\"app\":\"ca-webhook\",\"tier\":\"cyberarmor-system-control-plane\"}},\"spec\":{\"containers\":[{\"args\":[\"-tlsCertFile=/etc/webhook/certs/tls.crt\",\"-tlsKeyFile=/etc/webhook/certs/tls.key\",\"-alsologtostderr\",\"-v=4\",\"2\\u003e\\u00261\"],\"env\":[{\"name\":\"CA_CLUSTER_NAME\",\"valueFrom\":{\"configMapKeyRef\":{\"key\":\"clusterName\",\"name\":\"armo-be-config\"}}},{\"name\":\"CA_CUSTOMER_GUID\",\"valueFrom\":{\"configMapKeyRef\":{\"key\":\"customerGUID\",\"name\":\"armo-be-config\"}}},{\"name\":\"CA_WEBHOOK_NAME\",\"value\":\"ca-webhook\"},{\"name\":\"CA_WEBHOOK_PORT\",\"value\":\"443\"},{\"name\":\"CA_NAMESPACE\",\"valueFrom\":{\"fieldRef\":{\"fieldPath\":\"metadata.namespace\"}}},{\"name\":\"CA_DASHBOARD_BACKEND\",\"valueFrom\":{\"configMapKeyRef\":{\"key\":\"dashboard\",\"name\":\"armo-be-config\"}}},{\"name\":\"CA_LOGIN_SECRET_NAME\",\"value\":\"ca-login\"},{\"name\":\"CA_ORACLE_SERVER\",\"value\":\"http://ca-oracle:4000\"},{\"name\":\"CA_NOTIFICATION_SERVER\",\"value\":\"http://ca-notification-server:8001\"},{\"name\":\"CA_OCIMAGE_URL\",\"value\":\"http://ca-ocimage:8080\"},{\"name\":\"CA_USE_DOCKER\",\"value\":\"true\"},{\"name\":\"CA_K8S_REPORT_URL\",\"valueFrom\":{\"configMapKeyRef\":{\"key\":\"eventReceiverWS\",\"name\":\"armo-be-config\"}}},{\"name\":\"CA_EVENT_RECEIVER_HTTP\",\"valueFrom\":{\"configMapKeyRef\":{\"key\":\"eventReceiverREST\",\"name\":\"armo-be-config\"}}}],\"image\":\"quay.io/armosec/k8s-ca-webhook-ubi:latest\",\"imagePullPolicy\":\"Always\",\"name\":\"ca-web
hook\",\"ports\":[{\"containerPort\":443,\"name\":\"mutating-port\"},{\"containerPort\":8000,\"name\":\"readiness-port\"}],\"readinessProbe\":{\"httpGet\":{\"path\":\"/v1/readiness\",\"port\":\"readiness-port\"},\"initialDelaySeconds\":10,\"periodSeconds\":5},\"resources\":{\"limits\":{\"cpu\":\"1500m\",\"memory\":\"600Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"100Mi\"}},\"volumeMounts\":[{\"mountPath\":\"/var/run/docker.sock\",\"name\":\"docker-socket-volume\"},{\"mountPath\":\"/cazips\",\"name\":\"zip-download\"},{\"mountPath\":\"/etc/webhook/certs\",\"name\":\"ca-cluster-certificate\",\"readOnly\":true},{\"mountPath\":\"/etc/credentials\",\"name\":\"ca-login\",\"readOnly\":true},{\"mountPath\":\"/etc/config\",\"name\":\"armo-be-config\",\"readOnly\":true}]}],\"serviceAccountName\":\"ca-controller-service-account\",\"volumes\":[{\"hostPath\":{\"path\":\"/var/run/docker.sock\"},\"name\":\"docker-socket-volume\"},{\"emptyDir\":{},\"name\":\"zip-download\"},{\"name\":\"ca-cluster-certificate\",\"secret\":{\"secretName\":\"ca-cluster-certificate\"}},{\"name\":\"ca-login\",\"secret\":{\"secretName\":\"ca-login\"}},{\"configMap\":{\"items\":[{\"key\":\"clusterData\",\"path\":\"clusterData.json\"}],\"name\":\"armo-be-config\"},\"name\":\"armo-be-config\"}]}}}}\n"
+ },
+ "creationTimestamp": "2021-08-18T05:22:32Z",
+ "generation": 1,
+ "labels": {
+ "app": "ca-webhook",
+ "tier": "cyberarmor-system-control-plane"
+ },
+ "name": "ca-webhook",
+ "namespace": "cyberarmor-system",
+ "resourceVersion": "1329860",
+ "selfLink": "/apis/apps/v1/namespaces/cyberarmor-system/deployments/ca-webhook",
+ "uid": "d7c4231f-b028-4257-a7b4-7bc59cc5c53b"
+ },
+ "spec": {
+ "progressDeadlineSeconds": 600,
+ "replicas": 1,
+ "revisionHistoryLimit": 10,
+ "selector": {
+ "matchLabels": {
+ "app": "ca-webhook"
+ }
+ },
+ "strategy": {
+ "rollingUpdate": {
+ "maxSurge": "25%",
+ "maxUnavailable": "25%"
+ },
+ "type": "RollingUpdate"
+ },
+ "template": {
+ "metadata": {
+ "annotations": {
+ "certificate": "395eae367cb93800feb9c64c477f5bf8 ca.crt"
+ },
+ "creationTimestamp": null,
+ "labels": {
+ "app": "ca-webhook",
+ "tier": "cyberarmor-system-control-plane"
+ }
+ },
+ "spec": {
+ "containers": [{
+ "args": ["-tlsCertFile=/etc/webhook/certs/tls.crt", "-tlsKeyFile=/etc/webhook/certs/tls.key", "-alsologtostderr", "-v=4", "2\u003e\u00261"],
+ "env": [{
+ "name": "CA_CLUSTER_NAME",
+ "valueFrom": {
+ "configMapKeyRef": {
+ "key": "clusterName",
+ "name": "armo-be-config"
+ }
+ }
+ }, {
+ "name": "CA_CUSTOMER_GUID",
+ "valueFrom": {
+ "configMapKeyRef": {
+ "key": "customerGUID",
+ "name": "armo-be-config"
+ }
+ }
+ }, {
+ "name": "CA_WEBHOOK_NAME",
+ "value": "ca-webhook"
+ }, {
+ "name": "CA_WEBHOOK_PORT",
+ "value": "443"
+ }, {
+ "name": "CA_NAMESPACE",
+ "valueFrom": {
+ "fieldRef": {
+ "apiVersion": "v1",
+ "fieldPath": "metadata.namespace"
+ }
+ }
+ }, {
+ "name": "CA_DASHBOARD_BACKEND",
+ "valueFrom": {
+ "configMapKeyRef": {
+ "key": "dashboard",
+ "name": "armo-be-config"
+ }
+ }
+ }, {
+ "name": "CA_LOGIN_SECRET_NAME",
+ "value": "ca-login"
+ }, {
+ "name": "CA_ORACLE_SERVER",
+ "value": "http://ca-oracle:4000"
+ }, {
+ "name": "CA_NOTIFICATION_SERVER",
+ "value": "http://ca-notification-server:8001"
+ }, {
+ "name": "CA_OCIMAGE_URL",
+ "value": "http://ca-ocimage:8080"
+ }, {
+ "name": "CA_USE_DOCKER",
+ "value": "true"
+ }, {
+ "name": "CA_K8S_REPORT_URL",
+ "valueFrom": {
+ "configMapKeyRef": {
+ "key": "eventReceiverWS",
+ "name": "armo-be-config"
+ }
+ }
+ }, {
+ "name": "CA_EVENT_RECEIVER_HTTP",
+ "valueFrom": {
+ "configMapKeyRef": {
+ "key": "eventReceiverREST",
+ "name": "armo-be-config"
+ }
+ }
+ }],
+ "image": "quay.io/armosec/k8s-ca-webhook-ubi:latest",
+ "imagePullPolicy": "Always",
+ "name": "ca-webhook",
+ "ports": [{
+ "containerPort": 443,
+ "name": "mutating-port",
+ "protocol": "TCP"
+ }, {
+ "containerPort": 8000,
+ "name": "readiness-port",
+ "protocol": "TCP"
+ }],
+ "readinessProbe": {
+ "failureThreshold": 3,
+ "httpGet": {
+ "path": "/v1/readiness",
+ "port": "readiness-port",
+ "scheme": "HTTP"
+ },
+ "initialDelaySeconds": 10,
+ "periodSeconds": 5,
+ "successThreshold": 1,
+ "timeoutSeconds": 1
+ },
+ "resources": {
+ "limits": {
+ "cpu": "1500m",
+ "memory": "600Mi"
+ },
+ "requests": {
+ "cpu": "300m",
+ "memory": "100Mi"
+ }
+ },
+ "terminationMessagePath": "/dev/termination-log",
+ "terminationMessagePolicy": "File",
+ "volumeMounts": [{
+ "mountPath": "/var/run/docker.sock",
+ "name": "docker-socket-volume"
+ }, {
+ "mountPath": "/cazips",
+ "name": "zip-download"
+ }, {
+ "mountPath": "/etc/webhook/certs",
+ "name": "ca-cluster-certificate",
+ "readOnly": true
+ }, {
+ "mountPath": "/etc/credentials",
+ "name": "ca-login",
+ "readOnly": true
+ }, {
+ "mountPath": "/etc/config",
+ "name": "armo-be-config",
+ "readOnly": true
+ }]
+ }],
+ "dnsPolicy": "ClusterFirst",
+ "restartPolicy": "Always",
+ "schedulerName": "default-scheduler",
+ "securityContext": {},
+ "serviceAccount": "ca-controller-service-account",
+ "serviceAccountName": "ca-controller-service-account",
+ "terminationGracePeriodSeconds": 30,
+ "volumes": [{
+ "hostPath": {
+ "path": "/var/run/docker.sock",
+ "type": ""
+ },
+ "name": "docker-socket-volume"
+ }, {
+ "emptyDir": {},
+ "name": "zip-download"
+ }, {
+ "name": "ca-cluster-certificate",
+ "secret": {
+ "defaultMode": 420,
+ "secretName": "ca-cluster-certificate"
+ }
+ }, {
+ "name": "ca-login",
+ "secret": {
+ "defaultMode": 420,
+ "secretName": "ca-login"
+ }
+ }, {
+ "configMap": {
+ "defaultMode": 420,
+ "items": [{
+ "key": "clusterData",
+ "path": "clusterData.json"
+ }],
+ "name": "armo-be-config"
+ },
+ "name": "armo-be-config"
+ }]
+ }
+ }
+ },
+ "status": {
+ "availableReplicas": 1,
+ "conditions": [{
+ "lastTransitionTime": "2021-08-18T05:23:08Z",
+ "lastUpdateTime": "2021-08-18T05:23:08Z",
+ "message": "Deployment has minimum availability.",
+ "reason": "MinimumReplicasAvailable",
+ "status": "True",
+ "type": "Available"
+ }, {
+ "lastTransitionTime": "2021-08-18T05:22:32Z",
+ "lastUpdateTime": "2021-08-18T05:23:08Z",
+ "message": "ReplicaSet \"ca-webhook-8595cb4cbb\" has successfully progressed.",
+ "reason": "NewReplicaSetAvailable",
+ "status": "True",
+ "type": "Progressing"
+ }],
+ "observedGeneration": 1,
+ "readyReplicas": 1,
+ "replicas": 1,
+ "updatedReplicas": 1
+ }
+ }]
+ },
+ "context": null,
+ "rulename": "",
+ "exceptionName": ""
+ }, {
+ "alertMessage": "Deployment: ca-websocket has: docker-socket-volume as hostPath volume",
+ "packagename": "armo_builtins",
+ "alertScore": 0,
+ "alertObject": {
+ "k8sApiObjects": [{
+ "apiVersion": "apps/v1",
+ "kind": "Deployment",
+ "metadata": {
+ "annotations": {
+ "deployment.kubernetes.io/revision": "1",
+ "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"apps/v1\",\"kind\":\"Deployment\",\"metadata\":{\"annotations\":{},\"labels\":{\"app\":\"ca-websocket\",\"tier\":\"cyberarmor-system-control-plane\"},\"name\":\"ca-websocket\",\"namespace\":\"cyberarmor-system\"},\"spec\":{\"replicas\":1,\"selector\":{\"matchLabels\":{\"app\":\"ca-websocket\"}},\"template\":{\"metadata\":{\"labels\":{\"app\":\"ca-websocket\",\"tier\":\"cyberarmor-system-control-plane\"}},\"spec\":{\"containers\":[{\"args\":[\"-alsologtostderr\",\"-v=4\",\"2\\u003e\\u00261\"],\"env\":[{\"name\":\"CA_NAMESPACE\",\"valueFrom\":{\"fieldRef\":{\"fieldPath\":\"metadata.namespace\"}}},{\"name\":\"CA_USE_DOCKER\",\"value\":\"true\"},{\"name\":\"CA_VULN_SCAN_SCHEDULE\",\"value\":\"@every 11h\"},{\"name\":\"CA_POSTURE_SCAN_SCHEDULE\",\"value\":\"@every 12h\"},{\"name\":\"CA_DEBUG_SIGNER\",\"value\":null}],\"image\":\"quay.io/armosec/k8s-ca-websocket-ubi:latest\",\"imagePullPolicy\":\"Always\",\"name\":\"ca-websocket\",\"ports\":[{\"containerPort\":4002,\"name\":\"trigger-port\"},{\"containerPort\":8000,\"name\":\"readiness-port\"}],\"readinessProbe\":{\"httpGet\":{\"path\":\"/v1/readiness\",\"port\":\"readiness-port\"},\"initialDelaySeconds\":10,\"periodSeconds\":5},\"resources\":{\"limits\":{\"cpu\":\"1500m\",\"memory\":\"1000Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"200Mi\"}},\"volumeMounts\":[{\"mountPath\":\"/var/run/docker.sock\",\"name\":\"docker-socket-volume\"},{\"mountPath\":\"/etc/credentials\",\"name\":\"ca-login\",\"readOnly\":true},{\"mountPath\":\"/etc/config\",\"name\":\"armo-be-config\",\"readOnly\":true}]}],\"serviceAccountName\":\"ca-controller-service-account\",\"volumes\":[{\"hostPath\":{\"path\":\"/var/run/docker.sock\"},\"name\":\"docker-socket-volume\"},{\"name\":\"ca-login\",\"secret\":{\"secretName\":\"ca-login\"}},{\"configMap\":{\"items\":[{\"key\":\"clusterData\",\"path\":\"clusterData.json\"}],\"name\":\"armo-be-config\"},\"name\":\"armo-be-config\"}]
}}}}\n"
+ },
+ "creationTimestamp": "2021-08-18T05:22:31Z",
+ "generation": 1,
+ "labels": {
+ "app": "ca-websocket",
+ "tier": "cyberarmor-system-control-plane"
+ },
+ "name": "ca-websocket",
+ "namespace": "cyberarmor-system",
+ "resourceVersion": "1329790",
+ "selfLink": "/apis/apps/v1/namespaces/cyberarmor-system/deployments/ca-websocket",
+ "uid": "81780f9e-2675-41d8-a640-35971377d2a6"
+ },
+ "spec": {
+ "progressDeadlineSeconds": 600,
+ "replicas": 1,
+ "revisionHistoryLimit": 10,
+ "selector": {
+ "matchLabels": {
+ "app": "ca-websocket"
+ }
+ },
+ "strategy": {
+ "rollingUpdate": {
+ "maxSurge": "25%",
+ "maxUnavailable": "25%"
+ },
+ "type": "RollingUpdate"
+ },
+ "template": {
+ "metadata": {
+ "creationTimestamp": null,
+ "labels": {
+ "app": "ca-websocket",
+ "tier": "cyberarmor-system-control-plane"
+ }
+ },
+ "spec": {
+ "containers": [{
+ "args": ["-alsologtostderr", "-v=4", "2\u003e\u00261"],
+ "env": [{
+ "name": "CA_NAMESPACE",
+ "valueFrom": {
+ "fieldRef": {
+ "apiVersion": "v1",
+ "fieldPath": "metadata.namespace"
+ }
+ }
+ }, {
+ "name": "CA_USE_DOCKER",
+ "value": "true"
+ }, {
+ "name": "CA_VULN_SCAN_SCHEDULE",
+ "value": "@every 11h"
+ }, {
+ "name": "CA_POSTURE_SCAN_SCHEDULE",
+ "value": "@every 12h"
+ }, {
+ "name": "CA_DEBUG_SIGNER"
+ }],
+ "image": "quay.io/armosec/k8s-ca-websocket-ubi:latest",
+ "imagePullPolicy": "Always",
+ "name": "ca-websocket",
+ "ports": [{
+ "containerPort": 4002,
+ "name": "trigger-port",
+ "protocol": "TCP"
+ }, {
+ "containerPort": 8000,
+ "name": "readiness-port",
+ "protocol": "TCP"
+ }],
+ "readinessProbe": {
+ "failureThreshold": 3,
+ "httpGet": {
+ "path": "/v1/readiness",
+ "port": "readiness-port",
+ "scheme": "HTTP"
+ },
+ "initialDelaySeconds": 10,
+ "periodSeconds": 5,
+ "successThreshold": 1,
+ "timeoutSeconds": 1
+ },
+ "resources": {
+ "limits": {
+ "cpu": "1500m",
+ "memory": "1000Mi"
+ },
+ "requests": {
+ "cpu": "300m",
+ "memory": "200Mi"
+ }
+ },
+ "terminationMessagePath": "/dev/termination-log",
+ "terminationMessagePolicy": "File",
+ "volumeMounts": [{
+ "mountPath": "/var/run/docker.sock",
+ "name": "docker-socket-volume"
+ }, {
+ "mountPath": "/etc/credentials",
+ "name": "ca-login",
+ "readOnly": true
+ }, {
+ "mountPath": "/etc/config",
+ "name": "armo-be-config",
+ "readOnly": true
+ }]
+ }],
+ "dnsPolicy": "ClusterFirst",
+ "restartPolicy": "Always",
+ "schedulerName": "default-scheduler",
+ "securityContext": {},
+ "serviceAccount": "ca-controller-service-account",
+ "serviceAccountName": "ca-controller-service-account",
+ "terminationGracePeriodSeconds": 30,
+ "volumes": [{
+ "hostPath": {
+ "path": "/var/run/docker.sock",
+ "type": ""
+ },
+ "name": "docker-socket-volume"
+ }, {
+ "name": "ca-login",
+ "secret": {
+ "defaultMode": 420,
+ "secretName": "ca-login"
+ }
+ }, {
+ "configMap": {
+ "defaultMode": 420,
+ "items": [{
+ "key": "clusterData",
+ "path": "clusterData.json"
+ }],
+ "name": "armo-be-config"
+ },
+ "name": "armo-be-config"
+ }]
+ }
+ }
+ },
+ "status": {
+ "availableReplicas": 1,
+ "conditions": [{
+ "lastTransitionTime": "2021-08-18T05:22:46Z",
+ "lastUpdateTime": "2021-08-18T05:22:46Z",
+ "message": "Deployment has minimum availability.",
+ "reason": "MinimumReplicasAvailable",
+ "status": "True",
+ "type": "Available"
+ }, {
+ "lastTransitionTime": "2021-08-18T05:22:31Z",
+ "lastUpdateTime": "2021-08-18T05:22:46Z",
+ "message": "ReplicaSet \"ca-websocket-7dd46ffd9c\" has successfully progressed.",
+ "reason": "NewReplicaSetAvailable",
+ "status": "True",
+ "type": "Progressing"
+ }],
+ "observedGeneration": 1,
+ "readyReplicas": 1,
+ "replicas": 1,
+ "updatedReplicas": 1
+ }
+ }]
+ },
+ "context": null,
+ "rulename": "",
+ "exceptionName": ""
+ }, {
+ "alertMessage": "DaemonSet: kube-proxy has: xtables-lock as hostPath volume",
+ "packagename": "armo_builtins",
+ "alertScore": 0,
+ "alertObject": {
+ "k8sApiObjects": [{
+ "apiVersion": "apps/v1",
+ "kind": "DaemonSet",
+ "metadata": {
+ "annotations": {
+ "deprecated.daemonset.template.generation": "1"
+ },
+ "creationTimestamp": "2021-06-20T09:07:08Z",
+ "generation": 1,
+ "labels": {
+ "k8s-app": "kube-proxy"
+ },
+ "name": "kube-proxy",
+ "namespace": "kube-system",
+ "resourceVersion": "862497",
+ "selfLink": "/apis/apps/v1/namespaces/kube-system/daemonsets/kube-proxy",
+ "uid": "dd1ba553-66da-47bc-8bc1-79c4b2f47dab"
+ },
+ "spec": {
+ "revisionHistoryLimit": 10,
+ "selector": {
+ "matchLabels": {
+ "k8s-app": "kube-proxy"
+ }
+ },
+ "template": {
+ "metadata": {
+ "creationTimestamp": null,
+ "labels": {
+ "k8s-app": "kube-proxy"
+ }
+ },
+ "spec": {
+ "containers": [{
+ "command": ["/usr/local/bin/kube-proxy", "--config=/var/lib/kube-proxy/config.conf", "--hostname-override=$(NODE_NAME)"],
+ "env": [{
+ "name": "NODE_NAME",
+ "valueFrom": {
+ "fieldRef": {
+ "apiVersion": "v1",
+ "fieldPath": "spec.nodeName"
+ }
+ }
+ }],
+ "image": "k8s.gcr.io/kube-proxy:v1.16.0",
+ "imagePullPolicy": "IfNotPresent",
+ "name": "kube-proxy",
+ "resources": {},
+ "securityContext": {
+ "privileged": true
+ },
+ "terminationMessagePath": "/dev/termination-log",
+ "terminationMessagePolicy": "File",
+ "volumeMounts": [{
+ "mountPath": "/var/lib/kube-proxy",
+ "name": "kube-proxy"
+ }, {
+ "mountPath": "/run/xtables.lock",
+ "name": "xtables-lock"
+ }, {
+ "mountPath": "/lib/modules",
+ "name": "lib-modules",
+ "readOnly": true
+ }]
+ }],
+ "dnsPolicy": "ClusterFirst",
+ "hostNetwork": true,
+ "nodeSelector": {
+ "beta.kubernetes.io/os": "linux"
+ },
+ "priorityClassName": "system-node-critical",
+ "restartPolicy": "Always",
+ "schedulerName": "default-scheduler",
+ "securityContext": {},
+ "serviceAccount": "kube-proxy",
+ "serviceAccountName": "kube-proxy",
+ "terminationGracePeriodSeconds": 30,
+ "tolerations": [{
+ "key": "CriticalAddonsOnly",
+ "operator": "Exists"
+ }, {
+ "operator": "Exists"
+ }],
+ "volumes": [{
+ "configMap": {
+ "defaultMode": 420,
+ "name": "kube-proxy"
+ },
+ "name": "kube-proxy"
+ }, {
+ "hostPath": {
+ "path": "/run/xtables.lock",
+ "type": "FileOrCreate"
+ },
+ "name": "xtables-lock"
+ }, {
+ "hostPath": {
+ "path": "/lib/modules",
+ "type": ""
+ },
+ "name": "lib-modules"
+ }]
+ }
+ },
+ "updateStrategy": {
+ "rollingUpdate": {
+ "maxUnavailable": 1
+ },
+ "type": "RollingUpdate"
+ }
+ },
+ "status": {
+ "currentNumberScheduled": 1,
+ "desiredNumberScheduled": 1,
+ "numberAvailable": 1,
+ "numberMisscheduled": 0,
+ "numberReady": 1,
+ "observedGeneration": 1,
+ "updatedNumberScheduled": 1
+ }
+ }]
+ },
+ "context": null,
+ "rulename": "",
+ "exceptionName": ""
+ }],
+ "NumOfResources": 0
+ }],
+ "remediation": "Try to refrain from using host path mount. You can use ARMO runtime protection (encryption capability) to encrypt these files.",
+ "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host."
+ }
+ ]
+
+}
\ No newline at end of file
diff --git a/scapepkg/score/resourcemocks.json b/scapepkg/score/resourcemocks.json
new file mode 100644
index 00000000..48b1d36a
--- /dev/null
+++ b/scapepkg/score/resourcemocks.json
@@ -0,0 +1,2161 @@
+[
+ {
+ "apiVersion": "rbac.authorization.k8s.io/v1",
+ "kind": "Role",
+ "metadata": {
+ "creationTimestamp": "2021-07-12T07:33:19Z",
+ "managedFields": [{
+ "apiVersion": "rbac.authorization.k8s.io/v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:rules": {}
+ },
+ "manager": "kubeadm",
+ "operation": "Update",
+ "time": "2021-07-12T07:33:19Z"
+ }],
+ "name": "kubeadm:bootstrap-signer-clusterinfo",
+ "namespace": "kube-public",
+ "resourceVersion": "230",
+ "uid": "142ff891-0d98-4a53-aa0c-5d302faa73ce"
+ },
+ "rules": [{
+ "apiGroups": [""],
+ "resourceNames": ["cluster-info"],
+ "resources": ["configmaps"],
+ "verbs": ["get"]
+ }]
+},
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "creationTimestamp": "2021-08-17T12:02:20Z",
+ "generateName": "cart-65ddcdb87d-",
+ "labels": {
+ "app": "acmefit",
+ "pod-template-hash": "65ddcdb87d",
+ "service": "cart"
+ },
+ "managedFields": [{
+ "apiVersion": "v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:metadata": {
+ "f:generateName": {},
+ "f:labels": {
+ ".": {},
+ "f:app": {},
+ "f:pod-template-hash": {},
+ "f:service": {}
+ },
+ "f:ownerReferences": {
+ ".": {},
+ "k:{\"uid\":\"7f49212b-e085-4580-b7ba-65de5bccb6ae\"}": {
+ ".": {},
+ "f:apiVersion": {},
+ "f:blockOwnerDeletion": {},
+ "f:controller": {},
+ "f:kind": {},
+ "f:name": {},
+ "f:uid": {}
+ }
+ }
+ },
+ "f:spec": {
+ "f:containers": {
+ "k:{\"name\":\"cart\"}": {
+ ".": {},
+ "f:env": {
+ ".": {},
+ "k:{\"name\":\"AUTH_MODE\"}": {
+ ".": {},
+ "f:name": {},
+ "f:value": {}
+ },
+ "k:{\"name\":\"CART_PORT\"}": {
+ ".": {},
+ "f:name": {},
+ "f:value": {}
+ },
+ "k:{\"name\":\"JAEGER_AGENT_HOST\"}": {
+ ".": {},
+ "f:name": {},
+ "f:value": {}
+ },
+ "k:{\"name\":\"JAEGER_AGENT_PORT\"}": {
+ ".": {},
+ "f:name": {},
+ "f:value": {}
+ },
+ "k:{\"name\":\"REDIS_HOST\"}": {
+ ".": {},
+ "f:name": {},
+ "f:value": {}
+ },
+ "k:{\"name\":\"REDIS_PASSWORD\"}": {
+ ".": {},
+ "f:name": {},
+ "f:valueFrom": {
+ ".": {},
+ "f:secretKeyRef": {
+ ".": {},
+ "f:key": {},
+ "f:name": {}
+ }
+ }
+ },
+ "k:{\"name\":\"REDIS_PORT\"}": {
+ ".": {},
+ "f:name": {},
+ "f:value": {}
+ },
+ "k:{\"name\":\"USER_HOST\"}": {
+ ".": {},
+ "f:name": {},
+ "f:value": {}
+ },
+ "k:{\"name\":\"USER_PORT\"}": {
+ ".": {},
+ "f:name": {},
+ "f:value": {}
+ }
+ },
+ "f:image": {},
+ "f:imagePullPolicy": {},
+ "f:name": {},
+ "f:ports": {
+ ".": {},
+ "k:{\"containerPort\":5000,\"protocol\":\"TCP\"}": {
+ ".": {},
+ "f:containerPort": {},
+ "f:name": {},
+ "f:protocol": {}
+ }
+ },
+ "f:resources": {
+ ".": {},
+ "f:limits": {
+ ".": {},
+ "f:cpu": {},
+ "f:memory": {}
+ },
+ "f:requests": {
+ ".": {},
+ "f:cpu": {},
+ "f:memory": {}
+ }
+ },
+ "f:terminationMessagePath": {},
+ "f:terminationMessagePolicy": {},
+ "f:volumeMounts": {
+ ".": {},
+ "k:{\"mountPath\":\"/data\"}": {
+ ".": {},
+ "f:mountPath": {},
+ "f:name": {}
+ }
+ }
+ }
+ },
+ "f:dnsPolicy": {},
+ "f:enableServiceLinks": {},
+ "f:restartPolicy": {},
+ "f:schedulerName": {},
+ "f:securityContext": {},
+ "f:terminationGracePeriodSeconds": {},
+ "f:volumes": {
+ ".": {},
+ "k:{\"name\":\"acmefit-cart-data\"}": {
+ ".": {},
+ "f:emptyDir": {},
+ "f:name": {}
+ }
+ }
+ }
+ },
+ "manager": "kube-controller-manager",
+ "operation": "Update",
+ "time": "2021-08-17T12:02:20Z"
+ }, {
+ "apiVersion": "v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:status": {
+ "f:conditions": {
+ "k:{\"type\":\"ContainersReady\"}": {
+ ".": {},
+ "f:lastProbeTime": {},
+ "f:lastTransitionTime": {},
+ "f:status": {},
+ "f:type": {}
+ },
+ "k:{\"type\":\"Initialized\"}": {
+ ".": {},
+ "f:lastProbeTime": {},
+ "f:lastTransitionTime": {},
+ "f:status": {},
+ "f:type": {}
+ },
+ "k:{\"type\":\"Ready\"}": {
+ ".": {},
+ "f:lastProbeTime": {},
+ "f:lastTransitionTime": {},
+ "f:status": {},
+ "f:type": {}
+ }
+ },
+ "f:containerStatuses": {},
+ "f:hostIP": {},
+ "f:phase": {},
+ "f:podIP": {},
+ "f:podIPs": {
+ ".": {},
+ "k:{\"ip\":\"172.17.0.8\"}": {
+ ".": {},
+ "f:ip": {}
+ }
+ },
+ "f:startTime": {}
+ }
+ },
+ "manager": "kubelet",
+ "operation": "Update",
+ "time": "2021-08-18T06:29:09Z"
+ }],
+ "name": "cart-65ddcdb87d-sqv5d",
+ "namespace": "default",
+ "ownerReferences": [{
+ "apiVersion": "apps/v1",
+ "blockOwnerDeletion": true,
+ "controller": true,
+ "kind": "ReplicaSet",
+ "name": "cart-65ddcdb87d",
+ "uid": "7f49212b-e085-4580-b7ba-65de5bccb6ae"
+ }],
+ "resourceVersion": "387152",
+ "uid": "fc28b9a2-7b76-4c8c-89b9-fa5303363537"
+ },
+ "spec": {
+ "containers": [{
+ "env": [{
+ "name": "REDIS_HOST",
+ "value": "cart-redis"
+ }, {
+ "name": "REDIS_PASSWORD",
+ "valueFrom": {
+ "secretKeyRef": {
+ "key": "password",
+ "name": "cart-redis-pass"
+ }
+ }
+ }, {
+ "name": "REDIS_PORT",
+ "value": "6379"
+ }, {
+ "name": "CART_PORT",
+ "value": "5000"
+ }, {
+ "name": "USER_HOST",
+ "value": "users"
+ }, {
+ "name": "USER_PORT",
+ "value": "8083"
+ }, {
+ "name": "JAEGER_AGENT_HOST",
+ "value": "localhost"
+ }, {
+ "name": "JAEGER_AGENT_PORT",
+ "value": "6831"
+ }, {
+ "name": "AUTH_MODE",
+ "value": "1"
+ }],
+ "image": "gcr.io/vmwarecloudadvocacy/acmeshop-cart:latest",
+ "imagePullPolicy": "Always",
+ "name": "cart",
+ "ports": [{
+ "containerPort": 5000,
+ "name": "cart",
+ "protocol": "TCP"
+ }],
+ "resources": {
+ "limits": {
+ "cpu": "500m",
+ "memory": "256Mi"
+ },
+ "requests": {
+ "cpu": "100m",
+ "memory": "64Mi"
+ }
+ },
+ "terminationMessagePath": "/dev/termination-log",
+ "terminationMessagePolicy": "File",
+ "volumeMounts": [{
+ "mountPath": "/data",
+ "name": "acmefit-cart-data"
+ }, {
+ "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
+ "name": "default-token-wkgcl",
+ "readOnly": true
+ }]
+ }],
+ "dnsPolicy": "ClusterFirst",
+ "enableServiceLinks": true,
+ "nodeName": "lior-virtualbox",
+ "preemptionPolicy": "PreemptLowerPriority",
+ "priority": 0,
+ "restartPolicy": "Always",
+ "schedulerName": "default-scheduler",
+ "securityContext": {},
+ "serviceAccount": "default",
+ "serviceAccountName": "default",
+ "terminationGracePeriodSeconds": 30,
+ "tolerations": [{
+ "effect": "NoExecute",
+ "key": "node.kubernetes.io/not-ready",
+ "operator": "Exists",
+ "tolerationSeconds": 300
+ }, {
+ "effect": "NoExecute",
+ "key": "node.kubernetes.io/unreachable",
+ "operator": "Exists",
+ "tolerationSeconds": 300
+ }],
+ "volumes": [{
+ "emptyDir": {},
+ "name": "acmefit-cart-data"
+ }, {
+ "name": "default-token-wkgcl",
+ "secret": {
+ "defaultMode": 420,
+ "secretName": "default-token-wkgcl"
+ }
+ }]
+ },
+ "status": {
+ "conditions": [{
+ "lastProbeTime": null,
+ "lastTransitionTime": "2021-08-17T12:02:20Z",
+ "status": "True",
+ "type": "Initialized"
+ }, {
+ "lastProbeTime": null,
+ "lastTransitionTime": "2021-08-18T06:29:09Z",
+ "status": "True",
+ "type": "Ready"
+ }, {
+ "lastProbeTime": null,
+ "lastTransitionTime": "2021-08-18T06:29:09Z",
+ "status": "True",
+ "type": "ContainersReady"
+ }, {
+ "lastProbeTime": null,
+ "lastTransitionTime": "2021-08-17T12:02:20Z",
+ "status": "True",
+ "type": "PodScheduled"
+ }],
+ "containerStatuses": [{
+ "containerID": "docker://5b552b3bf700af7748b17052283742e5633d3292ee572f029149d06f7e285522",
+ "image": "gcr.io/vmwarecloudadvocacy/acmeshop-cart:latest",
+ "imageID": "docker-pullable://gcr.io/vmwarecloudadvocacy/acmeshop-cart@sha256:9e3eb249f3ad58997248c31872175270aa54065f141f3e5de6455ce7e3804ce2",
+ "lastState": {
+ "terminated": {
+ "containerID": "docker://45ab6408d83f718372641d32bf15ec575eb08ced450d11c0354e80ba27c3defa",
+ "exitCode": 137,
+ "finishedAt": "2021-08-18T06:28:29Z",
+ "reason": "Error",
+ "startedAt": "2021-08-17T12:03:01Z"
+ }
+ },
+ "name": "cart",
+ "ready": true,
+ "restartCount": 1,
+ "started": true,
+ "state": {
+ "running": {
+ "startedAt": "2021-08-18T06:29:08Z"
+ }
+ }
+ }],
+ "hostIP": "10.0.3.15",
+ "phase": "Running",
+ "podIP": "172.17.0.8",
+ "podIPs": [{
+ "ip": "172.17.0.8"
+ }],
+ "qosClass": "Burstable",
+ "startTime": "2021-08-17T12:02:20Z"
+ }
+},
+
+ {
+ "apiVersion": "v1",
+ "data": {
+ "password": "dm13YXJlMSE="
+ },
+ "kind": "Secret",
+ "metadata": {
+ "annotations": {
+ "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"data\":{\"password\":\"dm13YXJlMSE=\"},\"kind\":\"Secret\",\"metadata\":{\"annotations\":{},\"name\":\"cart-redis-pass\",\"namespace\":\"default\"},\"type\":\"Opaque\"}\n"
+ },
+ "creationTimestamp": "2021-08-17T12:02:19Z",
+ "managedFields": [{
+ "apiVersion": "v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:data": {
+ ".": {},
+ "f:password": {}
+ },
+ "f:metadata": {
+ "f:annotations": {
+ ".": {},
+ "f:kubectl.kubernetes.io/last-applied-configuration": {}
+ }
+ },
+ "f:type": {}
+ },
+ "manager": "kubectl-client-side-apply",
+ "operation": "Update",
+ "time": "2021-08-17T12:02:19Z"
+ }],
+ "name": "cart-redis-pass",
+ "namespace": "default",
+ "resourceVersion": "378526",
+ "uid": "265b3499-3380-4f49-80f6-7b912c37d32b"
+ },
+ "type": "Opaque"
+},
+
+
+{
+ "apiVersion": "apps/v1",
+ "kind": "Deployment",
+ "metadata": {
+ "annotations": {
+ "deployment.kubernetes.io/revision": "1",
+ "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"apps/v1\",\"kind\":\"Deployment\",\"metadata\":{\"annotations\":{},\"labels\":{\"app\":\"acmefit\",\"service\":\"cart\"},\"name\":\"cart\",\"namespace\":\"default\"},\"spec\":{\"replicas\":1,\"selector\":{\"matchLabels\":{\"app\":\"acmefit\",\"service\":\"cart\"}},\"strategy\":{\"type\":\"Recreate\"},\"template\":{\"metadata\":{\"labels\":{\"app\":\"acmefit\",\"service\":\"cart\"}},\"spec\":{\"containers\":[{\"env\":[{\"name\":\"REDIS_HOST\",\"value\":\"cart-redis\"},{\"name\":\"REDIS_PASSWORD\",\"valueFrom\":{\"secretKeyRef\":{\"key\":\"password\",\"name\":\"cart-redis-pass\"}}},{\"name\":\"REDIS_PORT\",\"value\":\"6379\"},{\"name\":\"CART_PORT\",\"value\":\"5000\"},{\"name\":\"USER_HOST\",\"value\":\"users\"},{\"name\":\"USER_PORT\",\"value\":\"8083\"},{\"name\":\"JAEGER_AGENT_HOST\",\"value\":\"localhost\"},{\"name\":\"JAEGER_AGENT_PORT\",\"value\":\"6831\"},{\"name\":\"AUTH_MODE\",\"value\":\"1\"}],\"image\":\"gcr.io/vmwarecloudadvocacy/acmeshop-cart:latest\",\"imagePullPolicy\":\"Always\",\"name\":\"cart\",\"ports\":[{\"containerPort\":5000,\"name\":\"cart\"}],\"resources\":{\"limits\":{\"cpu\":\"500m\",\"memory\":\"256Mi\"},\"requests\":{\"cpu\":\"100m\",\"memory\":\"64Mi\"}},\"volumeMounts\":[{\"mountPath\":\"/data\",\"name\":\"acmefit-cart-data\"}]}],\"volumes\":[{\"emptyDir\":{},\"name\":\"acmefit-cart-data\"}]}}}}\n"
+ },
+ "creationTimestamp": "2021-08-17T12:02:20Z",
+ "generation": 1,
+ "labels": {
+ "app": "acmefit",
+ "service": "cart"
+ },
+ "managedFields": [{
+ "apiVersion": "apps/v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:metadata": {
+ "f:annotations": {
+ ".": {},
+ "f:kubectl.kubernetes.io/last-applied-configuration": {}
+ },
+ "f:labels": {
+ ".": {},
+ "f:app": {},
+ "f:service": {}
+ }
+ },
+ "f:spec": {
+ "f:progressDeadlineSeconds": {},
+ "f:replicas": {},
+ "f:revisionHistoryLimit": {},
+ "f:selector": {},
+ "f:strategy": {
+ "f:type": {}
+ },
+ "f:template": {
+ "f:metadata": {
+ "f:labels": {
+ ".": {},
+ "f:app": {},
+ "f:service": {}
+ }
+ },
+ "f:spec": {
+ "f:containers": {
+ "k:{\"name\":\"cart\"}": {
+ ".": {},
+ "f:env": {
+ ".": {},
+ "k:{\"name\":\"AUTH_MODE\"}": {
+ ".": {},
+ "f:name": {},
+ "f:value": {}
+ },
+ "k:{\"name\":\"CART_PORT\"}": {
+ ".": {},
+ "f:name": {},
+ "f:value": {}
+ },
+ "k:{\"name\":\"JAEGER_AGENT_HOST\"}": {
+ ".": {},
+ "f:name": {},
+ "f:value": {}
+ },
+ "k:{\"name\":\"JAEGER_AGENT_PORT\"}": {
+ ".": {},
+ "f:name": {},
+ "f:value": {}
+ },
+ "k:{\"name\":\"REDIS_HOST\"}": {
+ ".": {},
+ "f:name": {},
+ "f:value": {}
+ },
+ "k:{\"name\":\"REDIS_PASSWORD\"}": {
+ ".": {},
+ "f:name": {},
+ "f:valueFrom": {
+ ".": {},
+ "f:secretKeyRef": {
+ ".": {},
+ "f:key": {},
+ "f:name": {}
+ }
+ }
+ },
+ "k:{\"name\":\"REDIS_PORT\"}": {
+ ".": {},
+ "f:name": {},
+ "f:value": {}
+ },
+ "k:{\"name\":\"USER_HOST\"}": {
+ ".": {},
+ "f:name": {},
+ "f:value": {}
+ },
+ "k:{\"name\":\"USER_PORT\"}": {
+ ".": {},
+ "f:name": {},
+ "f:value": {}
+ }
+ },
+ "f:image": {},
+ "f:imagePullPolicy": {},
+ "f:name": {},
+ "f:ports": {
+ ".": {},
+ "k:{\"containerPort\":5000,\"protocol\":\"TCP\"}": {
+ ".": {},
+ "f:containerPort": {},
+ "f:name": {},
+ "f:protocol": {}
+ }
+ },
+ "f:resources": {
+ ".": {},
+ "f:limits": {
+ ".": {},
+ "f:cpu": {},
+ "f:memory": {}
+ },
+ "f:requests": {
+ ".": {},
+ "f:cpu": {},
+ "f:memory": {}
+ }
+ },
+ "f:terminationMessagePath": {},
+ "f:terminationMessagePolicy": {},
+ "f:volumeMounts": {
+ ".": {},
+ "k:{\"mountPath\":\"/data\"}": {
+ ".": {},
+ "f:mountPath": {},
+ "f:name": {}
+ }
+ }
+ }
+ },
+ "f:dnsPolicy": {},
+ "f:restartPolicy": {},
+ "f:schedulerName": {},
+ "f:securityContext": {},
+ "f:terminationGracePeriodSeconds": {},
+ "f:volumes": {
+ ".": {},
+ "k:{\"name\":\"acmefit-cart-data\"}": {
+ ".": {},
+ "f:emptyDir": {},
+ "f:name": {}
+ }
+ }
+ }
+ }
+ }
+ },
+ "manager": "kubectl-client-side-apply",
+ "operation": "Update",
+ "time": "2021-08-17T12:02:20Z"
+ }, {
+ "apiVersion": "apps/v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:metadata": {
+ "f:annotations": {
+ "f:deployment.kubernetes.io/revision": {}
+ }
+ },
+ "f:status": {
+ "f:availableReplicas": {},
+ "f:conditions": {
+ ".": {},
+ "k:{\"type\":\"Available\"}": {
+ ".": {},
+ "f:lastTransitionTime": {},
+ "f:lastUpdateTime": {},
+ "f:message": {},
+ "f:reason": {},
+ "f:status": {},
+ "f:type": {}
+ },
+ "k:{\"type\":\"Progressing\"}": {
+ ".": {},
+ "f:lastTransitionTime": {},
+ "f:lastUpdateTime": {},
+ "f:message": {},
+ "f:reason": {},
+ "f:status": {},
+ "f:type": {}
+ }
+ },
+ "f:observedGeneration": {},
+ "f:readyReplicas": {},
+ "f:replicas": {},
+ "f:updatedReplicas": {}
+ }
+ },
+ "manager": "kube-controller-manager",
+ "operation": "Update",
+ "time": "2021-08-17T12:03:01Z"
+ }],
+ "name": "cart",
+ "namespace": "default",
+ "resourceVersion": "378747",
+ "uid": "eaafecc9-1309-447f-a5dc-80e2ea936407"
+ },
+ "spec": {
+ "progressDeadlineSeconds": 600,
+ "replicas": 3,
+ "revisionHistoryLimit": 10,
+ "selector": {
+ "matchLabels": {
+ "app": "acmefit",
+ "service": "cart"
+ }
+ },
+ "strategy": {
+ "type": "Recreate"
+ },
+ "template": {
+ "metadata": {
+ "creationTimestamp": null,
+ "labels": {
+ "app": "acmefit",
+ "service": "cart"
+ }
+ },
+ "spec": {
+ "containers": [{
+ "env": [{
+ "name": "REDIS_HOST",
+ "value": "cart-redis"
+ }, {
+ "name": "REDIS_PASSWORD",
+ "valueFrom": {
+ "secretKeyRef": {
+ "key": "password",
+ "name": "cart-redis-pass"
+ }
+ }
+ }, {
+ "name": "REDIS_PORT",
+ "value": "6379"
+ }, {
+ "name": "CART_PORT",
+ "value": "5000"
+ }, {
+ "name": "USER_HOST",
+ "value": "users"
+ }, {
+ "name": "USER_PORT",
+ "value": "8083"
+ }, {
+ "name": "JAEGER_AGENT_HOST",
+ "value": "localhost"
+ }, {
+ "name": "JAEGER_AGENT_PORT",
+ "value": "6831"
+ }, {
+ "name": "AUTH_MODE",
+ "value": "1"
+ }],
+ "image": "gcr.io/vmwarecloudadvocacy/acmeshop-cart:latest",
+ "imagePullPolicy": "Always",
+ "name": "cart",
+ "ports": [{
+ "containerPort": 5000,
+ "name": "cart",
+ "protocol": "TCP"
+ }],
+ "resources": {
+ "limits": {
+ "cpu": "500m",
+ "memory": "256Mi"
+ },
+ "requests": {
+ "cpu": "100m",
+ "memory": "64Mi"
+ }
+ },
+ "terminationMessagePath": "/dev/termination-log",
+ "terminationMessagePolicy": "File",
+ "volumeMounts": [{
+ "mountPath": "/data",
+ "name": "acmefit-cart-data"
+ }]
+ }],
+ "dnsPolicy": "ClusterFirst",
+ "restartPolicy": "Always",
+ "schedulerName": "default-scheduler",
+ "securityContext": {},
+ "terminationGracePeriodSeconds": 30,
+ "volumes": [{
+ "emptyDir": {},
+ "name": "acmefit-cart-data"
+ }]
+ }
+ }
+ },
+ "status": {
+ "availableReplicas": 1,
+ "conditions": [{
+ "lastTransitionTime": "2021-08-17T12:03:01Z",
+ "lastUpdateTime": "2021-08-17T12:03:01Z",
+ "message": "Deployment has minimum availability.",
+ "reason": "MinimumReplicasAvailable",
+ "status": "True",
+ "type": "Available"
+ }, {
+ "lastTransitionTime": "2021-08-17T12:02:20Z",
+ "lastUpdateTime": "2021-08-17T12:03:01Z",
+ "message": "ReplicaSet \"cart-65ddcdb87d\" has successfully progressed.",
+ "reason": "NewReplicaSetAvailable",
+ "status": "True",
+ "type": "Progressing"
+ }],
+ "observedGeneration": 1,
+ "readyReplicas": 1,
+ "replicas": 6,
+ "updatedReplicas": 1
+ }
+},
+
+
+{
+ "apiVersion": "rbac.authorization.k8s.io/v1",
+ "kind": "RoleBinding",
+ "metadata": {
+ "creationTimestamp": "2021-07-12T07:33:19Z",
+ "managedFields": [{
+ "apiVersion": "rbac.authorization.k8s.io/v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:roleRef": {
+ "f:apiGroup": {},
+ "f:kind": {},
+ "f:name": {}
+ },
+ "f:subjects": {}
+ },
+ "manager": "kubeadm",
+ "operation": "Update",
+ "time": "2021-07-12T07:33:19Z"
+ }],
+ "name": "kubeadm:bootstrap-signer-clusterinfo",
+ "namespace": "kube-public",
+ "resourceVersion": "231",
+ "uid": "0c6242e0-28e1-4efe-acd5-c26d7233c695"
+ },
+ "roleRef": {
+ "apiGroup": "rbac.authorization.k8s.io",
+ "kind": "Role",
+ "name": "kubeadm:bootstrap-signer-clusterinfo"
+ },
+ "subjects": [{
+ "apiGroup": "rbac.authorization.k8s.io",
+ "kind": "User",
+ "name": "system:anonymous"
+ }]
+},
+
+
+{
+ "apiVersion": "apps/v1",
+ "kind": "DaemonSet",
+ "metadata": {
+ "annotations": {
+ "deprecated.daemonset.template.generation": "1",
+ "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"apps/v1\",\"kind\":\"DaemonSet\",\"metadata\":{\"annotations\":{},\"labels\":{\"k8s-app\":\"fluentd-logging\"},\"name\":\"fluentd-elasticsearch\",\"namespace\":\"kube-system\"},\"spec\":{\"selector\":{\"matchLabels\":{\"name\":\"fluentd-elasticsearch\"}},\"template\":{\"metadata\":{\"labels\":{\"name\":\"fluentd-elasticsearch\"}},\"spec\":{\"containers\":[{\"image\":\"quay.io/fluentd_elasticsearch/fluentd:v2.5.2\",\"name\":\"fluentd-elasticsearch\",\"resources\":{\"limits\":{\"memory\":\"200Mi\"},\"requests\":{\"cpu\":\"100m\",\"memory\":\"200Mi\"}},\"volumeMounts\":[{\"mountPath\":\"/var/log\",\"name\":\"varlog\"},{\"mountPath\":\"/var/lib/docker/containers\",\"name\":\"varlibdockercontainers\",\"readOnly\":true}]}],\"terminationGracePeriodSeconds\":30,\"tolerations\":[{\"effect\":\"NoSchedule\",\"key\":\"node-role.kubernetes.io/master\",\"operator\":\"Exists\"}],\"volumes\":[{\"hostPath\":{\"path\":\"/var/log\"},\"name\":\"varlog\"},{\"hostPath\":{\"path\":\"/var/lib/docker/containers\"},\"name\":\"varlibdockercontainers\"}]}}}}\n"
+ },
+ "creationTimestamp": "2021-08-17T12:03:57Z",
+ "generation": 1,
+ "labels": {
+ "k8s-app": "fluentd-logging"
+ },
+ "managedFields": [{
+ "apiVersion": "apps/v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:metadata": {
+ "f:annotations": {
+ ".": {},
+ "f:deprecated.daemonset.template.generation": {},
+ "f:kubectl.kubernetes.io/last-applied-configuration": {}
+ },
+ "f:labels": {
+ ".": {},
+ "f:k8s-app": {}
+ }
+ },
+ "f:spec": {
+ "f:revisionHistoryLimit": {},
+ "f:selector": {},
+ "f:template": {
+ "f:metadata": {
+ "f:labels": {
+ ".": {},
+ "f:name": {}
+ }
+ },
+ "f:spec": {
+ "f:containers": {
+ "k:{\"name\":\"fluentd-elasticsearch\"}": {
+ ".": {},
+ "f:image": {},
+ "f:imagePullPolicy": {},
+ "f:name": {},
+ "f:resources": {
+ ".": {},
+ "f:limits": {
+ ".": {},
+ "f:memory": {}
+ },
+ "f:requests": {
+ ".": {},
+ "f:cpu": {},
+ "f:memory": {}
+ }
+ },
+ "f:terminationMessagePath": {},
+ "f:terminationMessagePolicy": {},
+ "f:volumeMounts": {
+ ".": {},
+ "k:{\"mountPath\":\"/var/lib/docker/containers\"}": {
+ ".": {},
+ "f:mountPath": {},
+ "f:name": {},
+ "f:readOnly": {}
+ },
+ "k:{\"mountPath\":\"/var/log\"}": {
+ ".": {},
+ "f:mountPath": {},
+ "f:name": {}
+ }
+ }
+ }
+ },
+ "f:dnsPolicy": {},
+ "f:restartPolicy": {},
+ "f:schedulerName": {},
+ "f:securityContext": {},
+ "f:terminationGracePeriodSeconds": {},
+ "f:tolerations": {},
+ "f:volumes": {
+ ".": {},
+ "k:{\"name\":\"varlibdockercontainers\"}": {
+ ".": {},
+ "f:hostPath": {
+ ".": {},
+ "f:path": {},
+ "f:type": {}
+ },
+ "f:name": {}
+ },
+ "k:{\"name\":\"varlog\"}": {
+ ".": {},
+ "f:hostPath": {
+ ".": {},
+ "f:path": {},
+ "f:type": {}
+ },
+ "f:name": {}
+ }
+ }
+ }
+ },
+ "f:updateStrategy": {
+ "f:rollingUpdate": {
+ ".": {},
+ "f:maxUnavailable": {}
+ },
+ "f:type": {}
+ }
+ }
+ },
+ "manager": "kubectl-client-side-apply",
+ "operation": "Update",
+ "time": "2021-08-17T12:03:57Z"
+ }, {
+ "apiVersion": "apps/v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:status": {
+ "f:currentNumberScheduled": {},
+ "f:desiredNumberScheduled": {},
+ "f:numberAvailable": {},
+ "f:numberReady": {},
+ "f:observedGeneration": {},
+ "f:updatedNumberScheduled": {}
+ }
+ },
+ "manager": "kube-controller-manager",
+ "operation": "Update",
+ "time": "2021-08-17T12:06:18Z"
+ }],
+ "name": "fluentd-elasticsearch",
+ "namespace": "kube-system",
+ "resourceVersion": "379003",
+ "uid": "724bf99c-a713-4b02-a5ea-2763fa098868"
+ },
+ "spec": {
+ "revisionHistoryLimit": 10,
+ "selector": {
+ "matchLabels": {
+ "name": "fluentd-elasticsearch"
+ }
+ },
+ "template": {
+ "metadata": {
+ "creationTimestamp": null,
+ "labels": {
+ "name": "fluentd-elasticsearch"
+ }
+ },
+ "spec": {
+ "containers": [{
+ "image": "quay.io/fluentd_elasticsearch/fluentd:v2.5.2",
+ "imagePullPolicy": "IfNotPresent",
+ "name": "fluentd-elasticsearch",
+ "resources": {
+ "limits": {
+ "memory": "200Mi"
+ },
+ "requests": {
+ "cpu": "100m",
+ "memory": "200Mi"
+ }
+ },
+ "terminationMessagePath": "/dev/termination-log",
+ "terminationMessagePolicy": "File",
+ "volumeMounts": [{
+ "mountPath": "/var/log",
+ "name": "varlog"
+ }, {
+ "mountPath": "/var/lib/docker/containers",
+ "name": "varlibdockercontainers",
+ "readOnly": true
+ }]
+ }],
+ "dnsPolicy": "ClusterFirst",
+ "restartPolicy": "Always",
+ "schedulerName": "default-scheduler",
+ "securityContext": {},
+ "terminationGracePeriodSeconds": 30,
+ "tolerations": [{
+ "effect": "NoSchedule",
+ "key": "node-role.kubernetes.io/master",
+ "operator": "Exists"
+ }],
+ "volumes": [{
+ "hostPath": {
+ "path": "/var/log",
+ "type": ""
+ },
+ "name": "varlog"
+ }, {
+ "hostPath": {
+ "path": "/var/lib/docker/containers",
+ "type": ""
+ },
+ "name": "varlibdockercontainers"
+ }]
+ }
+ },
+ "updateStrategy": {
+ "rollingUpdate": {
+ "maxUnavailable": 1
+ },
+ "type": "RollingUpdate"
+ }
+ },
+ "status": {
+ "currentNumberScheduled": 1,
+ "desiredNumberScheduled": 13,
+ "numberAvailable": 1,
+ "numberMisscheduled": 0,
+ "numberReady": 1,
+ "observedGeneration": 1,
+ "updatedNumberScheduled": 1
+ }
+},
+
+{
+ "apiVersion": "rbac.authorization.k8s.io/v1",
+ "kind": "ClusterRoleBinding",
+ "metadata": {
+ "annotations": {
+ "rbac.authorization.kubernetes.io/autoupdate": "true"
+ },
+ "creationTimestamp": "2021-07-12T07:33:18Z",
+ "labels": {
+ "kubernetes.io/bootstrapping": "rbac-defaults"
+ },
+ "managedFields": [{
+ "apiVersion": "rbac.authorization.k8s.io/v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:metadata": {
+ "f:annotations": {
+ ".": {},
+ "f:rbac.authorization.kubernetes.io/autoupdate": {}
+ },
+ "f:labels": {
+ ".": {},
+ "f:kubernetes.io/bootstrapping": {}
+ }
+ },
+ "f:roleRef": {
+ "f:apiGroup": {},
+ "f:kind": {},
+ "f:name": {}
+ },
+ "f:subjects": {}
+ },
+ "manager": "kube-apiserver",
+ "operation": "Update",
+ "time": "2021-07-12T07:33:18Z"
+ }],
+ "name": "cluster-admin",
+ "resourceVersion": "143",
+ "uid": "79a51ce4-5eed-430d-a690-00d0a4a4c6e5"
+ },
+ "roleRef": {
+ "apiGroup": "rbac.authorization.k8s.io",
+ "kind": "ClusterRole",
+ "name": "cluster-admin"
+ },
+ "subjects": [{
+ "apiGroup": "rbac.authorization.k8s.io",
+ "kind": "Group",
+ "name": "system:masters"
+ }]
+},
+
+
+{
+ "apiVersion": "apps/v1",
+ "data": {
+ "spec": {
+ "template": {
+ "$patch": "replace",
+ "metadata": {
+ "creationTimestamp": null,
+ "labels": {
+ "name": "fluentd-elasticsearch"
+ }
+ },
+ "spec": {
+ "containers": [{
+ "image": "quay.io/fluentd_elasticsearch/fluentd:v2.5.2",
+ "imagePullPolicy": "IfNotPresent",
+ "name": "fluentd-elasticsearch",
+ "resources": {
+ "limits": {
+ "memory": "200Mi"
+ },
+ "requests": {
+ "cpu": "100m",
+ "memory": "200Mi"
+ }
+ },
+ "terminationMessagePath": "/dev/termination-log",
+ "terminationMessagePolicy": "File",
+ "volumeMounts": [{
+ "mountPath": "/var/log",
+ "name": "varlog"
+ }, {
+ "mountPath": "/var/lib/docker/containers",
+ "name": "varlibdockercontainers",
+ "readOnly": true
+ }]
+ }],
+ "dnsPolicy": "ClusterFirst",
+ "restartPolicy": "Always",
+ "schedulerName": "default-scheduler",
+ "securityContext": {},
+ "terminationGracePeriodSeconds": 30,
+ "tolerations": [{
+ "effect": "NoSchedule",
+ "key": "node-role.kubernetes.io/master",
+ "operator": "Exists"
+ }],
+ "volumes": [{
+ "hostPath": {
+ "path": "/var/log",
+ "type": ""
+ },
+ "name": "varlog"
+ }, {
+ "hostPath": {
+ "path": "/var/lib/docker/containers",
+ "type": ""
+ },
+ "name": "varlibdockercontainers"
+ }]
+ }
+ }
+ }
+ },
+ "kind": "ControllerRevision",
+ "metadata": {
+ "annotations": {
+ "deprecated.daemonset.template.generation": "1",
+ "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"apps/v1\",\"kind\":\"DaemonSet\",\"metadata\":{\"annotations\":{},\"labels\":{\"k8s-app\":\"fluentd-logging\"},\"name\":\"fluentd-elasticsearch\",\"namespace\":\"kube-system\"},\"spec\":{\"selector\":{\"matchLabels\":{\"name\":\"fluentd-elasticsearch\"}},\"template\":{\"metadata\":{\"labels\":{\"name\":\"fluentd-elasticsearch\"}},\"spec\":{\"containers\":[{\"image\":\"quay.io/fluentd_elasticsearch/fluentd:v2.5.2\",\"name\":\"fluentd-elasticsearch\",\"resources\":{\"limits\":{\"memory\":\"200Mi\"},\"requests\":{\"cpu\":\"100m\",\"memory\":\"200Mi\"}},\"volumeMounts\":[{\"mountPath\":\"/var/log\",\"name\":\"varlog\"},{\"mountPath\":\"/var/lib/docker/containers\",\"name\":\"varlibdockercontainers\",\"readOnly\":true}]}],\"terminationGracePeriodSeconds\":30,\"tolerations\":[{\"effect\":\"NoSchedule\",\"key\":\"node-role.kubernetes.io/master\",\"operator\":\"Exists\"}],\"volumes\":[{\"hostPath\":{\"path\":\"/var/log\"},\"name\":\"varlog\"},{\"hostPath\":{\"path\":\"/var/lib/docker/containers\"},\"name\":\"varlibdockercontainers\"}]}}}}\n"
+ },
+ "creationTimestamp": "2021-08-17T12:03:57Z",
+ "labels": {
+ "controller-revision-hash": "5f876c985",
+ "name": "fluentd-elasticsearch"
+ },
+ "managedFields": [{
+ "apiVersion": "apps/v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:data": {},
+ "f:metadata": {
+ "f:annotations": {
+ ".": {},
+ "f:deprecated.daemonset.template.generation": {},
+ "f:kubectl.kubernetes.io/last-applied-configuration": {}
+ },
+ "f:labels": {
+ ".": {},
+ "f:controller-revision-hash": {},
+ "f:name": {}
+ },
+ "f:ownerReferences": {
+ ".": {},
+ "k:{\"uid\":\"724bf99c-a713-4b02-a5ea-2763fa098868\"}": {
+ ".": {},
+ "f:apiVersion": {},
+ "f:blockOwnerDeletion": {},
+ "f:controller": {},
+ "f:kind": {},
+ "f:name": {},
+ "f:uid": {}
+ }
+ }
+ },
+ "f:revision": {}
+ },
+ "manager": "kube-controller-manager",
+ "operation": "Update",
+ "time": "2021-08-17T12:03:57Z"
+ }],
+ "name": "fluentd-elasticsearch-5f876c985",
+ "namespace": "kube-system",
+ "ownerReferences": [{
+ "apiVersion": "apps/v1",
+ "blockOwnerDeletion": true,
+ "controller": true,
+ "kind": "DaemonSet",
+ "name": "fluentd-elasticsearch",
+ "uid": "724bf99c-a713-4b02-a5ea-2763fa098868"
+ }],
+ "resourceVersion": "378795",
+ "uid": "c7007792-ab43-4947-9ec9-ac4f2cfed502"
+ },
+ "revision": 1
+},
+
+
+{
+ "apiVersion": "v1",
+ "kind": "ServiceAccount",
+ "metadata": {
+ "creationTimestamp": "2021-07-12T07:33:35Z",
+ "name": "default",
+ "namespace": "default",
+ "resourceVersion": "401",
+ "uid": "e1fb9ec5-11df-4617-a89b-a93987fafe16"
+ },
+ "secrets": [{
+ "name": "default-token-wkgcl"
+ }]
+},
+
+ {
+ "apiVersion": "v1",
+ "data": {
+ "seed.js": "db.catalog.insertMany([\n {\"name\":\"Yoga Mat\",\"shortdescription\":\"Magic Yoga Mat!\",\"description\":\"Our Yoga Mat is magic. You will twist into a human pretzel with the greatest of ease. Never done Yoga before? This mat will turn you into an instant professional with barely any work. It’s the American way!. Namaste!\",\"imageurl1\":\"/static/images/yogamat_square.jpg\",\"imageurl2\":\"/static/images/yogamat_thumb2.jpg\",\"imageurl3\":\"/static/images/yogamat_thumb3.jpg\",\"price\":62.5,\"tags\":[\"mat\"]}\n ,{\"name\":\"Water Bottle\",\"shortdescription\":\"The last Water Bottle you'll ever buy!\",\"description\":\"Our Water Bottle only has to be filled once! That's right. ONCE. Unlimited water, for the rest of your life. Doesn't that $34.99 seem a lot more reasonable now? Stop buying all those other water bottles that you have to keep refilling like a sucker. Get the ACME bottle today!\",\"imageurl1\":\"/static/images/bottle_square.jpg\",\"imageurl2\":\"/static/images/bottle_thumb2.jpg\",\"imageurl3\":\"/static/images/bottle_thumb3.jpg\",\"price\":34.9900016784668,\"tags\":[\"bottle\"]}\n ,{\"name\":\"Fit Bike\",\"shortdescription\":\"Get Light on our Fit Bike!\", \"description\":\"Ride like the wind on your very own ACME Fit Bike. Have you ever wanted to travel as fast as a MotoGP racer on a bicycle with tiny tires?! Me too! Get the Fit Bike, and you'll vroom your way into fitness in 30 seconds flat!\",\"imageurl1\":\"/static/images/bicycle_square.jpg\",\"imageurl2\":\"/static/images/bicycle_thumb2.jpg\",\"imageurl3\":\"/static/images/bicycle_thumb3.jpg\", \"price\":499.99,\"tags\":[\"bicycle\"]}\n ,{\"name\":\"Basket Ball\",\"shortdescription\":\"World's Roundest Basketball!\",\"description\":\"That's right. You heard me correctly. The worlds ROUNDEST basketball. Are you tired of your current basketball simply not being round enough. Then it's time to step up to the ACME Basketball. 
Get your round on!\",\"imageurl1\":\"/static/images/basketball_square.jpg\",\"imageurl2\":\"/static/images/basketball_thumb2.jpg\",\"imageurl3\":\"/static/images/basketball_thumb3.jpg\",\"price\":110.75,\"tags\":[\"basketball\"]}\n ,{\"name\":\"Smart Watch\",\"shortdescription\":\"The watch that makes you smarter!\",\"description\":\"Do you have trouble remembering things? Can you not remember what day it is? Do you need a robot with a cute women's voice to tell you when to stand up and walk around? Then boy do we have the watch for you! Get the ACME Smart Watch, and never have to remember anything ever again!\",\"imageurl1\":\"/static/images/smartwatch_square.jpg\",\"imageurl2\":\"/static/images/smartwatch_thumb2.jpg\",\"imageurl3\":\"/static/images/smartwatch_thumb3.jpg\",\"price\":399.5899963378906,\"tags\":[\"watch\"]}\n ,{\"name\":\"Red Pants\",\"shortdescription\":\"Because who doesn't need red pants??\", \"description\":\"Have you found yourself walking around tech conferences in the same old jeans and vendor t-shirt? Do you need to up your pants game? ACME Red Pants are 100% GUARANTEED to take you to a whole new level. Women will want to meet you. Men will want to be you. You are... Fancy Pants. What are you waiting for??\",\"imageurl1\":\"/static/images/redpants_square.jpg\",\"imageurl2\":\"/static/images/redpants_thumb2.jpg\",\"imageurl3\":\"/static/images/redpants_thumb3.jpg\", \"price\":99.0,\"tags\":[\"clothing\"]}\n ,{\"name\":\"Running shoes\",\"shortdescription\":\"Mama says they was magic shoes!\", \"description\":\"And she was right! Are you slow? Out of shape? But still ready to take on Usain Bolt in the 100? Then strap up your ACME Running Shoes and Run Forest, Run! 
These shoes will make you run the 100 in 2.5 flat!\",\"imageurl1\":\"/static/images/shoes_square.jpg\",\"imageurl2\":\"/static/images/shoes_thumb2.jpg\",\"imageurl3\":\"/static/images/shoes_thumb3.jpg\", \"price\":120.00,\"tags\":[\"running\"]}\n ,{\"name\":\"Weights\",\"shortdescription\":\"Get ripped without breaking a sweat!\",\"description\":\"Are you ready to get Pumped Up with Hanz and Franz? Or get swole like Arnold? It's time to hit the Add to Cart button on the ACME Weights. Just 45 seconds a day, 3 days a week, and you'll be showing those Muscle Beach clowns how it's done in no time!\",\"imageurl1\":\"/static/images/weights_square.jpg\",\"imageurl2\":\"/static/images/weights_thumb2.jpg\",\"imageurl3\":\"/static/images/weights_thumb3.jpg\", \"price\":49.99,\"tags\":[\"weight\"]} ]);\n"
+ },
+ "kind": "ConfigMap",
+ "metadata": {
+ "annotations": {
+ "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"data\":{\"seed.js\":\"db.catalog.insertMany([\\n {\\\"name\\\":\\\"Yoga Mat\\\",\\\"shortdescription\\\":\\\"Magic Yoga Mat!\\\",\\\"description\\\":\\\"Our Yoga Mat is magic. You will twist into a human pretzel with the greatest of ease. Never done Yoga before? This mat will turn you into an instant professional with barely any work. It’s the American way!. Namaste!\\\",\\\"imageurl1\\\":\\\"/static/images/yogamat_square.jpg\\\",\\\"imageurl2\\\":\\\"/static/images/yogamat_thumb2.jpg\\\",\\\"imageurl3\\\":\\\"/static/images/yogamat_thumb3.jpg\\\",\\\"price\\\":62.5,\\\"tags\\\":[\\\"mat\\\"]}\\n ,{\\\"name\\\":\\\"Water Bottle\\\",\\\"shortdescription\\\":\\\"The last Water Bottle you'll ever buy!\\\",\\\"description\\\":\\\"Our Water Bottle only has to be filled once! That's right. ONCE. Unlimited water, for the rest of your life. Doesn't that $34.99 seem a lot more reasonable now? Stop buying all those other water bottles that you have to keep refilling like a sucker. Get the ACME bottle today!\\\",\\\"imageurl1\\\":\\\"/static/images/bottle_square.jpg\\\",\\\"imageurl2\\\":\\\"/static/images/bottle_thumb2.jpg\\\",\\\"imageurl3\\\":\\\"/static/images/bottle_thumb3.jpg\\\",\\\"price\\\":34.9900016784668,\\\"tags\\\":[\\\"bottle\\\"]}\\n ,{\\\"name\\\":\\\"Fit Bike\\\",\\\"shortdescription\\\":\\\"Get Light on our Fit Bike!\\\", \\\"description\\\":\\\"Ride like the wind on your very own ACME Fit Bike. Have you ever wanted to travel as fast as a MotoGP racer on a bicycle with tiny tires?! Me too! 
Get the Fit Bike, and you'll vroom your way into fitness in 30 seconds flat!\\\",\\\"imageurl1\\\":\\\"/static/images/bicycle_square.jpg\\\",\\\"imageurl2\\\":\\\"/static/images/bicycle_thumb2.jpg\\\",\\\"imageurl3\\\":\\\"/static/images/bicycle_thumb3.jpg\\\", \\\"price\\\":499.99,\\\"tags\\\":[\\\"bicycle\\\"]}\\n ,{\\\"name\\\":\\\"Basket Ball\\\",\\\"shortdescription\\\":\\\"World's Roundest Basketball!\\\",\\\"description\\\":\\\"That's right. You heard me correctly. The worlds ROUNDEST basketball. Are you tired of your current basketball simply not being round enough. Then it's time to step up to the ACME Basketball. Get your round on!\\\",\\\"imageurl1\\\":\\\"/static/images/basketball_square.jpg\\\",\\\"imageurl2\\\":\\\"/static/images/basketball_thumb2.jpg\\\",\\\"imageurl3\\\":\\\"/static/images/basketball_thumb3.jpg\\\",\\\"price\\\":110.75,\\\"tags\\\":[\\\"basketball\\\"]}\\n ,{\\\"name\\\":\\\"Smart Watch\\\",\\\"shortdescription\\\":\\\"The watch that makes you smarter!\\\",\\\"description\\\":\\\"Do you have trouble remembering things? Can you not remember what day it is? Do you need a robot with a cute women's voice to tell you when to stand up and walk around? Then boy do we have the watch for you! Get the ACME Smart Watch, and never have to remember anything ever again!\\\",\\\"imageurl1\\\":\\\"/static/images/smartwatch_square.jpg\\\",\\\"imageurl2\\\":\\\"/static/images/smartwatch_thumb2.jpg\\\",\\\"imageurl3\\\":\\\"/static/images/smartwatch_thumb3.jpg\\\",\\\"price\\\":399.5899963378906,\\\"tags\\\":[\\\"watch\\\"]}\\n ,{\\\"name\\\":\\\"Red Pants\\\",\\\"shortdescription\\\":\\\"Because who doesn't need red pants??\\\", \\\"description\\\":\\\"Have you found yourself walking around tech conferences in the same old jeans and vendor t-shirt? Do you need to up your pants game? ACME Red Pants are 100% GUARANTEED to take you to a whole new level. Women will want to meet you. Men will want to be you. You are... Fancy Pants. 
What are you waiting for??\\\",\\\"imageurl1\\\":\\\"/static/images/redpants_square.jpg\\\",\\\"imageurl2\\\":\\\"/static/images/redpants_thumb2.jpg\\\",\\\"imageurl3\\\":\\\"/static/images/redpants_thumb3.jpg\\\", \\\"price\\\":99.0,\\\"tags\\\":[\\\"clothing\\\"]}\\n ,{\\\"name\\\":\\\"Running shoes\\\",\\\"shortdescription\\\":\\\"Mama says they was magic shoes!\\\", \\\"description\\\":\\\"And she was right! Are you slow? Out of shape? But still ready to take on Usain Bolt in the 100? Then strap up your ACME Running Shoes and Run Forest, Run! These shoes will make you run the 100 in 2.5 flat!\\\",\\\"imageurl1\\\":\\\"/static/images/shoes_square.jpg\\\",\\\"imageurl2\\\":\\\"/static/images/shoes_thumb2.jpg\\\",\\\"imageurl3\\\":\\\"/static/images/shoes_thumb3.jpg\\\", \\\"price\\\":120.00,\\\"tags\\\":[\\\"running\\\"]}\\n ,{\\\"name\\\":\\\"Weights\\\",\\\"shortdescription\\\":\\\"Get ripped without breaking a sweat!\\\",\\\"description\\\":\\\"Are you ready to get Pumped Up with Hanz and Franz? Or get swole like Arnold? It's time to hit the Add to Cart button on the ACME Weights. Just 45 seconds a day, 3 days a week, and you'll be showing those Muscle Beach clowns how it's done in no time!\\\",\\\"imageurl1\\\":\\\"/static/images/weights_square.jpg\\\",\\\"imageurl2\\\":\\\"/static/images/weights_thumb2.jpg\\\",\\\"imageurl3\\\":\\\"/static/images/weights_thumb3.jpg\\\", \\\"price\\\":49.99,\\\"tags\\\":[\\\"weight\\\"]} ]);\\n\"},\"kind\":\"ConfigMap\",\"metadata\":{\"annotations\":{},\"name\":\"catalog-initdb-config\",\"namespace\":\"default\"}}\n"
+ },
+ "creationTimestamp": "2021-08-17T12:02:19Z",
+ "managedFields": [{
+ "apiVersion": "v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:data": {
+ ".": {},
+ "f:seed.js": {}
+ },
+ "f:metadata": {
+ "f:annotations": {
+ ".": {},
+ "f:kubectl.kubernetes.io/last-applied-configuration": {}
+ }
+ }
+ },
+ "manager": "kubectl-client-side-apply",
+ "operation": "Update",
+ "time": "2021-08-17T12:02:19Z"
+ }],
+ "name": "catalog-initdb-config",
+ "namespace": "default",
+ "resourceVersion": "378528",
+ "uid": "f6985871-9627-4430-bcdb-389fb8b5c645"
+ }
+},
+
+{
+ "apiVersion": "v1",
+ "kind": "Namespace",
+ "metadata": {
+ "annotations": {
+ "armo.job/action": "3",
+ "armo.job/id": "6ac344c1-ebd9-4563-9e23-cc6a377e7de1",
+ "armo.job/parent": ""
+ },
+ "creationTimestamp": "2021-07-12T07:33:18Z",
+ "labels": {
+ "armo.attach": "true"
+ },
+ "managedFields": [{
+ "apiVersion": "v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:status": {
+ "f:phase": {}
+ }
+ },
+ "manager": "kube-apiserver",
+ "operation": "Update",
+ "time": "2021-07-12T07:33:18Z"
+ }, {
+ "apiVersion": "v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:metadata": {
+ "f:annotations": {
+ ".": {},
+ "f:armo.job/action": {},
+ "f:armo.job/id": {},
+ "f:armo.job/parent": {}
+ },
+ "f:labels": {
+ ".": {},
+ "f:armo.attach": {}
+ }
+ }
+ },
+ "manager": "k8s-ca-websocket",
+ "operation": "Update",
+ "time": "2021-08-05T09:04:49Z"
+ }],
+ "name": "default",
+ "resourceVersion": "231059",
+ "uid": "35dd8eec-6e97-40d8-805e-aaf6c5cff54b"
+ },
+ "spec": {
+ "finalizers": ["kubernetes"]
+ },
+ "status": {
+ "phase": "Active"
+ }
+},
+
+
+
+{
+ "apiVersion": "v1",
+ "kind": "Node",
+ "metadata": {
+ "annotations": {
+ "kubeadm.alpha.kubernetes.io/cri-socket": "/var/run/dockershim.sock",
+ "node.alpha.kubernetes.io/ttl": "0",
+ "volumes.kubernetes.io/controller-managed-attach-detach": "true"
+ },
+ "creationTimestamp": "2021-07-12T07:33:16Z",
+ "labels": {
+ "beta.kubernetes.io/arch": "amd64",
+ "beta.kubernetes.io/os": "linux",
+ "kubernetes.io/arch": "amd64",
+ "kubernetes.io/hostname": "lior-virtualbox",
+ "kubernetes.io/os": "linux",
+ "minikube.k8s.io/commit": "c61663e942ec43b20e8e70839dcca52e44cd85ae",
+ "minikube.k8s.io/name": "minikube",
+ "minikube.k8s.io/updated_at": "2021_07_12T10_33_20_0700",
+ "minikube.k8s.io/version": "v1.20.0",
+ "node-role.kubernetes.io/control-plane": "",
+ "node-role.kubernetes.io/master": ""
+ },
+ "managedFields": [{
+ "apiVersion": "v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:metadata": {
+ "f:annotations": {
+ ".": {},
+ "f:volumes.kubernetes.io/controller-managed-attach-detach": {}
+ },
+ "f:labels": {
+ ".": {},
+ "f:beta.kubernetes.io/arch": {},
+ "f:beta.kubernetes.io/os": {},
+ "f:kubernetes.io/arch": {},
+ "f:kubernetes.io/hostname": {},
+ "f:kubernetes.io/os": {}
+ }
+ },
+ "f:status": {
+ "f:addresses": {
+ ".": {},
+ "k:{\"type\":\"Hostname\"}": {
+ ".": {},
+ "f:address": {},
+ "f:type": {}
+ },
+ "k:{\"type\":\"InternalIP\"}": {
+ ".": {},
+ "f:address": {},
+ "f:type": {}
+ }
+ },
+ "f:allocatable": {
+ ".": {},
+ "f:cpu": {},
+ "f:ephemeral-storage": {},
+ "f:hugepages-2Mi": {},
+ "f:memory": {},
+ "f:pods": {}
+ },
+ "f:capacity": {
+ ".": {},
+ "f:cpu": {},
+ "f:ephemeral-storage": {},
+ "f:hugepages-2Mi": {},
+ "f:memory": {},
+ "f:pods": {}
+ },
+ "f:conditions": {
+ ".": {},
+ "k:{\"type\":\"DiskPressure\"}": {
+ ".": {},
+ "f:lastHeartbeatTime": {},
+ "f:lastTransitionTime": {},
+ "f:message": {},
+ "f:reason": {},
+ "f:status": {},
+ "f:type": {}
+ },
+ "k:{\"type\":\"MemoryPressure\"}": {
+ ".": {},
+ "f:lastHeartbeatTime": {},
+ "f:lastTransitionTime": {},
+ "f:message": {},
+ "f:reason": {},
+ "f:status": {},
+ "f:type": {}
+ },
+ "k:{\"type\":\"PIDPressure\"}": {
+ ".": {},
+ "f:lastHeartbeatTime": {},
+ "f:lastTransitionTime": {},
+ "f:message": {},
+ "f:reason": {},
+ "f:status": {},
+ "f:type": {}
+ },
+ "k:{\"type\":\"Ready\"}": {
+ ".": {},
+ "f:lastHeartbeatTime": {},
+ "f:lastTransitionTime": {},
+ "f:message": {},
+ "f:reason": {},
+ "f:status": {},
+ "f:type": {}
+ }
+ },
+ "f:daemonEndpoints": {
+ "f:kubeletEndpoint": {
+ "f:Port": {}
+ }
+ },
+ "f:images": {},
+ "f:nodeInfo": {
+ "f:architecture": {},
+ "f:bootID": {},
+ "f:containerRuntimeVersion": {},
+ "f:kernelVersion": {},
+ "f:kubeProxyVersion": {},
+ "f:kubeletVersion": {},
+ "f:machineID": {},
+ "f:operatingSystem": {},
+ "f:osImage": {},
+ "f:systemUUID": {}
+ }
+ }
+ },
+ "manager": "kubelet",
+ "operation": "Update",
+ "time": "2021-07-12T07:33:16Z"
+ }, {
+ "apiVersion": "v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:metadata": {
+ "f:annotations": {
+ "f:kubeadm.alpha.kubernetes.io/cri-socket": {}
+ },
+ "f:labels": {
+ "f:node-role.kubernetes.io/control-plane": {},
+ "f:node-role.kubernetes.io/master": {}
+ }
+ }
+ },
+ "manager": "kubeadm",
+ "operation": "Update",
+ "time": "2021-07-12T07:33:19Z"
+ }, {
+ "apiVersion": "v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:metadata": {
+ "f:labels": {
+ "f:minikube.k8s.io/commit": {},
+ "f:minikube.k8s.io/name": {},
+ "f:minikube.k8s.io/updated_at": {},
+ "f:minikube.k8s.io/version": {}
+ }
+ }
+ },
+ "manager": "kubectl-label",
+ "operation": "Update",
+ "time": "2021-07-12T07:33:20Z"
+ }, {
+ "apiVersion": "v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:metadata": {
+ "f:annotations": {
+ "f:node.alpha.kubernetes.io/ttl": {}
+ }
+ },
+ "f:spec": {
+ "f:podCIDR": {},
+ "f:podCIDRs": {
+ ".": {},
+ "v:\"10.244.0.0/24\"": {}
+ }
+ }
+ },
+ "manager": "kube-controller-manager",
+ "operation": "Update",
+ "time": "2021-07-12T07:33:35Z"
+ }],
+ "name": "lior-virtualbox",
+ "resourceVersion": "389826",
+ "uid": "fdadbd66-9d15-4f6d-ac8a-4e4d0a506300"
+ },
+ "spec": {
+ "podCIDR": "10.244.0.0/24",
+ "podCIDRs": ["10.244.0.0/24"]
+ },
+ "status": {
+ "addresses": [{
+ "address": "10.0.3.15",
+ "type": "InternalIP"
+ }, {
+ "address": "lior-virtualbox",
+ "type": "Hostname"
+ }],
+ "allocatable": {
+ "cpu": "4",
+ "ephemeral-storage": "250365848Ki",
+ "hugepages-2Mi": "0",
+ "memory": "11271416Ki",
+ "pods": "110"
+ },
+ "capacity": {
+ "cpu": "4",
+ "ephemeral-storage": "250365848Ki",
+ "hugepages-2Mi": "0",
+ "memory": "11271416Ki",
+ "pods": "110"
+ },
+ "conditions": [{
+ "lastHeartbeatTime": "2021-08-18T07:29:47Z",
+ "lastTransitionTime": "2021-07-12T07:33:10Z",
+ "message": "kubelet has sufficient memory available",
+ "reason": "KubeletHasSufficientMemory",
+ "status": "False",
+ "type": "MemoryPressure"
+ }, {
+ "lastHeartbeatTime": "2021-08-18T07:29:47Z",
+ "lastTransitionTime": "2021-07-12T07:33:10Z",
+ "message": "kubelet has no disk pressure",
+ "reason": "KubeletHasNoDiskPressure",
+ "status": "False",
+ "type": "DiskPressure"
+ }, {
+ "lastHeartbeatTime": "2021-08-18T07:29:47Z",
+ "lastTransitionTime": "2021-07-12T07:33:10Z",
+ "message": "kubelet has sufficient PID available",
+ "reason": "KubeletHasSufficientPID",
+ "status": "False",
+ "type": "PIDPressure"
+ }, {
+ "lastHeartbeatTime": "2021-08-18T07:29:47Z",
+ "lastTransitionTime": "2021-07-12T07:33:17Z",
+ "message": "kubelet is posting ready status. AppArmor enabled",
+ "reason": "KubeletReady",
+ "status": "True",
+ "type": "Ready"
+ }],
+ "daemonEndpoints": {
+ "kubeletEndpoint": {
+ "Port": 10250
+ }
+ },
+ "images": [{
+ "names": ["gcr.io/k8s-minikube/kicbase@sha256:7cc3a3cb6e51c628d8ede157ad9e1f797e8d22a1b3cedc12d3f1999cb52f962e", "gcr.io/k8s-minikube/kicbase:v0.0.22"],
+ "sizeBytes": 1090052513
+ }, {
+ "names": ["gcr.io/vmwarecloudadvocacy/acmeshop-order@sha256:0349106521d476e8a833088c33f6db5ac4c898f00d1b6b6f15d9902ff5fdd0f4", "gcr.io/vmwarecloudadvocacy/acmeshop-order:latest"],
+ "sizeBytes": 942198284
+ }, {
+ "names": ["python@sha256:83d2246349a8b864288bf9c0b193ce640b08889c14961b1925b47a9e5c9911b4", "python:3.8"],
+ "sizeBytes": 883561568
+ }, {
+ "names": ["dreg.armo.cloud:443/caabuildenv@sha256:abaf4bc96090bfd3df2bf686308ffbf0584bc2d029b4c04fc6ea75fae5ffe035", "dreg.armo.cloud:443/caabuildenv:centos7"],
+ "sizeBytes": 805426117
+ }, {
+ "names": ["docker.elastic.co/elasticsearch/elasticsearch@sha256:2be3302537236874fdeca184c78a49aed17d5aca0f8fc3f6192a80e93e817cb4", "docker.elastic.co/elasticsearch/elasticsearch:7.9.2"],
+ "sizeBytes": 762872650
+ }, {
+ "names": ["mongo@sha256:8fcada817a57b2a2efc82055b06c3d359141f70b1137aff37957fdfddc2b8225", "mongo:latest"],
+ "sizeBytes": 681764941
+ }, {
+ "names": ["mongo@sha256:2bf2258cb12f8d4086965fe794605571c715fa4815dbcc299ea9768783bf4fa1"],
+ "sizeBytes": 671460535
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 605333409
+ }, {
+ "names": ["quay.io/armosec/k8s-ca-webhook-ubi:test"],
+ "sizeBytes": 605331345
+ }, {
+ "names": ["gcr.io/vmwarecloudadvocacy/acmeshop-front-end@sha256:7e98287b06bcda9b19ce5be45a012bc19505724b89c4afe17e130c8b7b0223bc", "gcr.io/vmwarecloudadvocacy/acmeshop-front-end:latest"],
+ "sizeBytes": 596932216
+ }, {
+ "names": ["gcr.io/vmwarecloudadvocacy/acmeshop-payment@sha256:2d4b798b3e0651cadb00c2568fec841f4008bfd5ac976a0c0e8553e4923ef70c", "gcr.io/vmwarecloudadvocacy/acmeshop-payment:latest"],
+ "sizeBytes": 569236203
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 560854915
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 560853723
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 560853723
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 560853723
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 560849915
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 560849803
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 560848196
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 560848196
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 560846916
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 560771900
+ }, {
+ "names": ["dreg.armo.cloud:443/caabuildenv@sha256:810aa5161c9433cdc4f105a6ce4e73f42a662d2d0ecc55cd04136ff4ead275a3", "dreg.armo.cloud:443/caabuildenv:ubuntu"],
+ "sizeBytes": 560670657
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 555294211
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 555292671
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 555292335
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 555292335
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 555292279
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 555292279
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 555292279
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 555291291
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 555291227
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 555289643
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 555289643
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 555289616
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 555289595
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 555289587
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 555288539
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 555288299
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 555286319
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 555282883
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 555281987
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 555141856
+ }, {
+ "names": ["\u003cnone\u003e@\u003cnone\u003e", "\u003cnone\u003e:\u003cnone\u003e"],
+ "sizeBytes": 555141856
+ }, {
+ "names": ["quay.io/armosec/k8s-ca-webhook-ubi@sha256:246634f573f7fef3ec3e2e247d28d9d8617d902e6431e4ea0499a21943b87779", "quay.io/armosec/k8s-ca-webhook-ubi:latest"],
+ "sizeBytes": 547880417
+ }, {
+ "names": ["quay.io/armosec/k8s-ca-webhook-ubi@sha256:7b7aacc5d6b4e417804fe42f30fd88c79439c2ea6d36ac8a4cb16dd50563ad8c"],
+ "sizeBytes": 547880407
+ }, {
+ "names": ["quay.io/armosec/k8s-ca-websocket-ubi@sha256:24a7afbe96748d7e24dc03e51194f021002330dafc792383e3f241983f8b79e5"],
+ "sizeBytes": 539635608
+ }, {
+ "names": ["quay.io/armosec/k8s-ca-websocket-ubi@sha256:6343764cc8b801d0621daaabb5160c9f29afe2f05e363bf86e9a40058f11da6c", "quay.io/armosec/k8s-ca-websocket-ubi:latest"],
+ "sizeBytes": 539522617
+ }, {
+ "names": ["quay.io/armosec/k8s-ca-websocket-ubi@sha256:678a7f35e56cefd82bf96f76521ca143ab82a074a9a078e8958deccf82a527b2"],
+ "sizeBytes": 539495840
+ }, {
+ "names": ["quay.io/armosec/k8s-ca-websocket-ubi@sha256:d8d43973607bbf625224d68bde8ae0ea3c00ff603d4c9629cdd1a8cecd114079"],
+ "sizeBytes": 539495838
+ }, {
+ "names": ["quay.io/armosec/k8s-ca-posture-ubi@sha256:a335df36a2da7470c91166db77543158ecad56315a4ba290a82c12aa5a9c74cd"],
+ "sizeBytes": 526477093
+ }],
+ "nodeInfo": {
+ "architecture": "amd64",
+ "bootID": "ca4eb213-f335-496f-b46f-ed0408085ea1",
+ "containerRuntimeVersion": "docker://20.10.7",
+ "kernelVersion": "5.11.0-25-generic",
+ "kubeProxyVersion": "v1.20.2",
+ "kubeletVersion": "v1.20.2",
+ "machineID": "bfb29814d3374f499d93f70f82d1cd92",
+ "operatingSystem": "linux",
+ "osImage": "Ubuntu 20.04.2 LTS",
+ "systemUUID": "461af32d-b8d3-4749-a200-c2a3d9349d4b"
+ }
+ }
+},
+
+
+{
+ "apiVersion": "v1",
+ "kind": "Service",
+ "metadata": {
+ "annotations": {
+ "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Service\",\"metadata\":{\"annotations\":{},\"name\":\"adservice\",\"namespace\":\"default\"},\"spec\":{\"ports\":[{\"name\":\"grpc\",\"port\":9555,\"targetPort\":9555}],\"selector\":{\"app\":\"adservice\"},\"type\":\"ClusterIP\"}}\n"
+ },
+ "creationTimestamp": "2021-07-12T08:04:17Z",
+ "managedFields": [{
+ "apiVersion": "v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:metadata": {
+ "f:annotations": {
+ ".": {},
+ "f:kubectl.kubernetes.io/last-applied-configuration": {}
+ }
+ },
+ "f:spec": {
+ "f:ports": {
+ ".": {},
+ "k:{\"port\":9555,\"protocol\":\"TCP\"}": {
+ ".": {},
+ "f:name": {},
+ "f:port": {},
+ "f:protocol": {},
+ "f:targetPort": {}
+ }
+ },
+ "f:selector": {
+ ".": {},
+ "f:app": {}
+ },
+ "f:sessionAffinity": {},
+ "f:type": {}
+ }
+ },
+ "manager": "kubectl-client-side-apply",
+ "operation": "Update",
+ "time": "2021-07-12T08:04:17Z"
+ }],
+ "name": "adservice",
+ "namespace": "default",
+ "resourceVersion": "2468",
+ "uid": "8e9343f8-b2b0-4987-a94d-2dff4b1d439a"
+ },
+ "spec": {
+ "clusterIP": "10.109.0.118",
+ "clusterIPs": ["10.109.0.118"],
+ "ports": [{
+ "name": "grpc",
+ "port": 9555,
+ "protocol": "TCP",
+ "targetPort": 9555
+ }],
+ "selector": {
+ "app": "adservice"
+ },
+ "sessionAffinity": "None",
+ "type": "ClusterIP"
+ },
+ "status": {
+ "loadBalancer": {}
+ }
+},
+
+
+
+{
+ "aggregationRule": {
+ "clusterRoleSelectors": [{
+ "matchLabels": {
+ "rbac.authorization.k8s.io/aggregate-to-admin": "true"
+ }
+ }]
+ },
+ "apiVersion": "rbac.authorization.k8s.io/v1",
+ "kind": "ClusterRole",
+ "metadata": {
+ "annotations": {
+ "rbac.authorization.kubernetes.io/autoupdate": "true"
+ },
+ "creationTimestamp": "2021-07-12T07:33:17Z",
+ "labels": {
+ "kubernetes.io/bootstrapping": "rbac-defaults"
+ },
+ "managedFields": [{
+ "apiVersion": "rbac.authorization.k8s.io/v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:aggregationRule": {
+ ".": {},
+ "f:clusterRoleSelectors": {}
+ },
+ "f:metadata": {
+ "f:annotations": {
+ ".": {},
+ "f:rbac.authorization.kubernetes.io/autoupdate": {}
+ },
+ "f:labels": {
+ ".": {},
+ "f:kubernetes.io/bootstrapping": {}
+ }
+ }
+ },
+ "manager": "kube-apiserver",
+ "operation": "Update",
+ "time": "2021-07-12T07:33:17Z"
+ }, {
+ "apiVersion": "rbac.authorization.k8s.io/v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:rules": {}
+ },
+ "manager": "kube-controller-manager",
+ "operation": "Update",
+ "time": "2021-07-12T07:33:35Z"
+ }],
+ "name": "admin",
+ "resourceVersion": "378",
+ "uid": "89a10dc9-c4dd-4a58-9a8e-39ec99453e95"
+ },
+ "rules": [{
+ "apiGroups": [""],
+ "resources": ["pods/attach", "pods/exec", "pods/portforward", "pods/proxy", "secrets", "services/proxy"],
+ "verbs": ["get", "list", "watch"]
+ }, {
+ "apiGroups": [""],
+ "resources": ["serviceaccounts"],
+ "verbs": ["impersonate"]
+ }, {
+ "apiGroups": [""],
+ "resources": ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"],
+ "verbs": ["create", "delete", "deletecollection", "patch", "update"]
+ }, {
+ "apiGroups": [""],
+ "resources": ["configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers", "replicationcontrollers/scale", "secrets", "serviceaccounts", "services", "services/proxy"],
+ "verbs": ["create", "delete", "deletecollection", "patch", "update"]
+ }, {
+ "apiGroups": ["apps"],
+ "resources": ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets", "statefulsets/scale"],
+ "verbs": ["create", "delete", "deletecollection", "patch", "update"]
+ }, {
+ "apiGroups": ["autoscaling"],
+ "resources": ["horizontalpodautoscalers"],
+ "verbs": ["create", "delete", "deletecollection", "patch", "update"]
+ }, {
+ "apiGroups": ["batch"],
+ "resources": ["cronjobs", "jobs"],
+ "verbs": ["create", "delete", "deletecollection", "patch", "update"]
+ }, {
+ "apiGroups": ["extensions"],
+ "resources": ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "ingresses", "networkpolicies", "replicasets", "replicasets/scale", "replicationcontrollers/scale"],
+ "verbs": ["create", "delete", "deletecollection", "patch", "update"]
+ }, {
+ "apiGroups": ["policy"],
+ "resources": ["poddisruptionbudgets"],
+ "verbs": ["create", "delete", "deletecollection", "patch", "update"]
+ }, {
+ "apiGroups": ["networking.k8s.io"],
+ "resources": ["ingresses", "networkpolicies"],
+ "verbs": ["create", "delete", "deletecollection", "patch", "update"]
+ }, {
+ "apiGroups": [""],
+ "resources": ["configmaps", "endpoints", "persistentvolumeclaims", "persistentvolumeclaims/status", "pods", "replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts", "services", "services/status"],
+ "verbs": ["get", "list", "watch"]
+ }, {
+ "apiGroups": [""],
+ "resources": ["bindings", "events", "limitranges", "namespaces/status", "pods/log", "pods/status", "replicationcontrollers/status", "resourcequotas", "resourcequotas/status"],
+ "verbs": ["get", "list", "watch"]
+ }, {
+ "apiGroups": [""],
+ "resources": ["namespaces"],
+ "verbs": ["get", "list", "watch"]
+ }, {
+ "apiGroups": ["apps"],
+ "resources": ["controllerrevisions", "daemonsets", "daemonsets/status", "deployments", "deployments/scale", "deployments/status", "replicasets", "replicasets/scale", "replicasets/status", "statefulsets", "statefulsets/scale", "statefulsets/status"],
+ "verbs": ["get", "list", "watch"]
+ }, {
+ "apiGroups": ["autoscaling"],
+ "resources": ["horizontalpodautoscalers", "horizontalpodautoscalers/status"],
+ "verbs": ["get", "list", "watch"]
+ }, {
+ "apiGroups": ["batch"],
+ "resources": ["cronjobs", "cronjobs/status", "jobs", "jobs/status"],
+ "verbs": ["get", "list", "watch"]
+ }, {
+ "apiGroups": ["extensions"],
+ "resources": ["daemonsets", "daemonsets/status", "deployments", "deployments/scale", "deployments/status", "ingresses", "ingresses/status", "networkpolicies", "replicasets", "replicasets/scale", "replicasets/status", "replicationcontrollers/scale"],
+ "verbs": ["get", "list", "watch"]
+ }, {
+ "apiGroups": ["policy"],
+ "resources": ["poddisruptionbudgets", "poddisruptionbudgets/status"],
+ "verbs": ["get", "list", "watch"]
+ }, {
+ "apiGroups": ["networking.k8s.io"],
+ "resources": ["ingresses", "ingresses/status", "networkpolicies"],
+ "verbs": ["get", "list", "watch"]
+ }, {
+ "apiGroups": ["authorization.k8s.io"],
+ "resources": ["localsubjectaccessreviews"],
+ "verbs": ["create"]
+ }, {
+ "apiGroups": ["rbac.authorization.k8s.io"],
+ "resources": ["rolebindings", "roles"],
+ "verbs": ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
+ }]
+},
+
+{
+ "apiVersion": "apps/v1",
+ "kind": "ReplicaSet",
+ "metadata": {
+ "annotations": {
+ "deployment.kubernetes.io/desired-replicas": "1",
+ "deployment.kubernetes.io/max-replicas": "2",
+ "deployment.kubernetes.io/revision": "1"
+ },
+ "creationTimestamp": "2021-08-17T12:02:20Z",
+ "generation": 1,
+ "labels": {
+ "app": "acmefit",
+ "pod-template-hash": "69d757ddbd",
+ "service": "cart-redis"
+ },
+ "managedFields": [{
+ "apiVersion": "apps/v1",
+ "fieldsType": "FieldsV1",
+ "fieldsV1": {
+ "f:metadata": {
+ "f:annotations": {
+ ".": {},
+ "f:deployment.kubernetes.io/desired-replicas": {},
+ "f:deployment.kubernetes.io/max-replicas": {},
+ "f:deployment.kubernetes.io/revision": {}
+ },
+ "f:labels": {
+ ".": {},
+ "f:app": {},
+ "f:pod-template-hash": {},
+ "f:service": {}
+ },
+ "f:ownerReferences": {
+ ".": {},
+ "k:{\"uid\":\"9cf59ad9-26c7-4646-be57-f1e3eda6e86e\"}": {
+ ".": {},
+ "f:apiVersion": {},
+ "f:blockOwnerDeletion": {},
+ "f:controller": {},
+ "f:kind": {},
+ "f:name": {},
+ "f:uid": {}
+ }
+ }
+ },
+ "f:spec": {
+ "f:replicas": {},
+ "f:selector": {},
+ "f:template": {
+ "f:metadata": {
+ "f:labels": {
+ ".": {},
+ "f:app": {},
+ "f:pod-template-hash": {},
+ "f:service": {}
+ }
+ },
+ "f:spec": {
+ "f:containers": {
+ "k:{\"name\":\"cart-redis\"}": {
+ ".": {},
+ "f:env": {
+ ".": {},
+ "k:{\"name\":\"REDIS_HOST\"}": {
+ ".": {},
+ "f:name": {},
+ "f:value": {}
+ },
+ "k:{\"name\":\"REDIS_PASSWORD\"}": {
+ ".": {},
+ "f:name": {},
+ "f:valueFrom": {
+ ".": {},
+ "f:secretKeyRef": {
+ ".": {},
+ "f:key": {},
+ "f:name": {}
+ }
+ }
+ }
+ },
+ "f:image": {},
+ "f:imagePullPolicy": {},
+ "f:name": {},
+ "f:ports": {
+ ".": {},
+ "k:{\"containerPort\":6379,\"protocol\":\"TCP\"}": {
+ ".": {},
+ "f:containerPort": {},
+ "f:name": {},
+ "f:protocol": {}
+ }
+ },
+ "f:resources": {
+ ".": {},
+ "f:requests": {
+ ".": {},
+ "f:cpu": {},
+ "f:memory": {}
+ }
+ },
+ "f:terminationMessagePath": {},
+ "f:terminationMessagePolicy": {},
+ "f:volumeMounts": {
+ ".": {},
+ "k:{\"mountPath\":\"/var/lib/redis\"}": {
+ ".": {},
+ "f:mountPath": {},
+ "f:name": {}
+ }
+ }
+ }
+ },
+ "f:dnsPolicy": {},
+ "f:restartPolicy": {},
+ "f:schedulerName": {},
+ "f:securityContext": {},
+ "f:terminationGracePeriodSeconds": {},
+ "f:volumes": {
+ ".": {},
+ "k:{\"name\":\"cart-redis-data\"}": {
+ ".": {},
+ "f:emptyDir": {},
+ "f:name": {}
+ }
+ }
+ }
+ }
+ },
+ "f:status": {
+ "f:availableReplicas": {},
+ "f:fullyLabeledReplicas": {},
+ "f:observedGeneration": {},
+ "f:readyReplicas": {},
+ "f:replicas": {}
+ }
+ },
+ "manager": "kube-controller-manager",
+ "operation": "Update",
+ "time": "2021-08-18T06:29:21Z"
+ }],
+ "name": "cart-redis-69d757ddbd",
+ "namespace": "default",
+ "ownerReferences": [{
+ "apiVersion": "apps/v1",
+ "blockOwnerDeletion": true,
+ "controller": true,
+ "kind": "Deployment",
+ "name": "cart-redis",
+ "uid": "9cf59ad9-26c7-4646-be57-f1e3eda6e86e"
+ }],
+ "resourceVersion": "387297",
+ "uid": "7f2f0c6e-5301-40b5-b8d2-7828fd3c8a32"
+ },
+ "spec": {
+ "replicas": 1,
+ "selector": {
+ "matchLabels": {
+ "app": "acmefit",
+ "pod-template-hash": "69d757ddbd",
+ "service": "cart-redis"
+ }
+ },
+ "template": {
+ "metadata": {
+ "creationTimestamp": null,
+ "labels": {
+ "app": "acmefit",
+ "pod-template-hash": "69d757ddbd",
+ "service": "cart-redis"
+ }
+ },
+ "spec": {
+ "containers": [{
+ "env": [{
+ "name": "REDIS_HOST",
+ "value": "cart-redis"
+ }, {
+ "name": "REDIS_PASSWORD",
+ "valueFrom": {
+ "secretKeyRef": {
+ "key": "password",
+ "name": "cart-redis-pass"
+ }
+ }
+ }],
+ "image": "bitnami/redis",
+ "imagePullPolicy": "Always",
+ "name": "cart-redis",
+ "ports": [{
+ "containerPort": 6379,
+ "name": "redis",
+ "protocol": "TCP"
+ }],
+ "resources": {
+ "requests": {
+ "cpu": "100m",
+ "memory": "100Mi"
+ }
+ },
+ "terminationMessagePath": "/dev/termination-log",
+ "terminationMessagePolicy": "File",
+ "volumeMounts": [{
+ "mountPath": "/var/lib/redis",
+ "name": "cart-redis-data"
+ }]
+ }],
+ "dnsPolicy": "ClusterFirst",
+ "restartPolicy": "Always",
+ "schedulerName": "default-scheduler",
+ "securityContext": {},
+ "terminationGracePeriodSeconds": 30,
+ "volumes": [{
+ "emptyDir": {},
+ "name": "cart-redis-data"
+ }]
+ }
+ }
+ },
+ "status": {
+ "availableReplicas": 1,
+ "fullyLabeledReplicas": 1,
+ "observedGeneration": 1,
+ "readyReplicas": 1,
+ "replicas": 1
+ }
+}]
\ No newline at end of file
diff --git a/scapepkg/score/resourcesdict.json b/scapepkg/score/resourcesdict.json
new file mode 100644
index 00000000..02a48c0f
--- /dev/null
+++ b/scapepkg/score/resourcesdict.json
@@ -0,0 +1,22 @@
+{
+ "pod": 1.0,
+ "service": 1.0,
+ "daemonset": 1.0,
+ "deployment": 1.0,
+ "replicaset": 1.1,
+ "statefulset": 1.0,
+ "job": 1.0,
+ "secret": 1.0,
+ "cronjob": 1.0,
+ "clusterrolebinding": 1.0,
+ "clusterrole": 1.0,
+ "rolebinding": 1.0,
+ "role": 1.0,
+ "networkpolicy": 1.0,
+ "controllerrevision": 1.0,
+ "namespace": 1.0,
+ "serviceaccount": 1.0,
+ "configmap": 1.0,
+ "node": 1.0
+
+}
diff --git a/scapepkg/score/score.go b/scapepkg/score/score.go
new file mode 100644
index 00000000..6bdf687a
--- /dev/null
+++ b/scapepkg/score/score.go
@@ -0,0 +1,201 @@
+package score
+
+import (
+ "encoding/json"
+ "fmt"
+ "io/ioutil"
+ "strings"
+
+ appsv1 "k8s.io/api/apps/v1"
+
+ // corev1 "k8s.io/api/core/v1"
+ k8sinterface "github.com/armosec/kubescape/cautils/k8sinterface"
+ "github.com/armosec/kubescape/cautils/opapolicy"
+)
+
+type ControlScoreWeights struct {
+ BaseScore float32 `json:"baseScore"`
+ RuntimeImprovementMultiplier float32 `json:"improvementRatio"`
+}
+
+type ScoreUtil struct {
+ ResourceTypeScores map[string]float32
+ FrameworksScore map[string]map[string]ControlScoreWeights
+ K8SApoObj *k8sinterface.KubernetesApi
+ configPath string
+}
+
+var postureScore *ScoreUtil
+
+func (su *ScoreUtil) Calculate(frameworksReports []opapolicy.FrameworkReport) error {
+ for i := range frameworksReports {
+ su.CalculateFrameworkScore(&frameworksReports[i])
+ }
+
+ return nil
+}
+
+func (su *ScoreUtil) CalculateFrameworkScore(framework *opapolicy.FrameworkReport) error {
+ for i := range framework.ControlReports {
+ framework.WCSScore += su.ControlScore(&framework.ControlReports[i], framework.Name)
+ framework.Score += framework.ControlReports[i].Score
+ framework.ARMOImprovement += framework.ControlReports[i].ARMOImprovement
+ }
+ if framework.WCSScore > 0 {
+ framework.Score = (framework.Score * 100) / framework.WCSScore
+ framework.ARMOImprovement = (framework.ARMOImprovement * 100) / framework.WCSScore
+ }
+
+ return fmt.Errorf("unable to calculate score for framework %s due to bad wcs score", framework.Name)
+
+}
+
+/*
+daemonset: daemonsetscore*#nodes
+workloads: if replicas:
+ replicascore*workloadkindscore*#replicas
+ else:
+ regular
+
+*/
+func (su *ScoreUtil) resourceRules(resources []map[string]interface{}) float32 {
+ var weight float32 = 0
+
+ for _, v := range resources {
+ var score float32 = 0
+ wl := k8sinterface.NewWorkloadObj(v)
+ kind := ""
+ if wl != nil {
+ kind = strings.ToLower(wl.GetKind())
+ replicas := wl.GetReplicas()
+ score = su.ResourceTypeScores[kind]
+ if replicas > 1 {
+ score *= su.ResourceTypeScores["replicaset"] * float32(replicas)
+ }
+
+ } else {
+ epsilon := float32(0.00001)
+ keys := make([]string, 0, len(v))
+ for k := range v {
+ keys = append(keys, k)
+ }
+ kind = keys[0]
+ score = su.ResourceTypeScores[kind]
+ if score == 0.0 || (score > -1*epsilon && score < epsilon) {
+ score = 1
+ }
+ }
+
+ if kind == "daemonset" {
+ b, err := json.Marshal(v)
+ if err == nil {
+ dmnset := appsv1.DaemonSet{}
+ json.Unmarshal(b, &dmnset)
+ score *= float32(dmnset.Status.DesiredNumberScheduled)
+ }
+ }
+ weight += score
+ }
+
+ return weight
+}
+
+func (su *ScoreUtil) externalResourceConverter(rscs map[string]interface{}) []map[string]interface{} {
+ resources := make([]map[string]interface{}, 0)
+ for atype, v := range rscs {
+ resources = append(resources, map[string]interface{}{atype: v})
+ }
+ return resources
+}
+
+/*
+ControlScore:
+@input:
+ctrlReport - opapolicy.ControlReport object, must contain down the line the Input resources and the output resources
+frameworkName - calculate this control according to a given framework weights
+
+ctrl.score = baseScore * SUM_resource (resourceWeight*min(#replicas*replicaweight,1)(nodes if daemonset)
+
+returns control score ***for the input resources***
+
+*/
+func (su *ScoreUtil) ControlScore(ctrlReport *opapolicy.ControlReport, frameworkName string) float32 {
+
+ aggregatedInputs := make([]map[string]interface{}, 0)
+ aggregatedResponses := make([]map[string]interface{}, 0)
+ for _, ruleReport := range ctrlReport.RuleReports {
+ status, _, _ := ruleReport.GetRuleStatus()
+ if status != "warning" {
+ for _, ruleResponse := range ruleReport.RuleResponses {
+ aggregatedResponses = append(aggregatedResponses, ruleResponse.AlertObject.K8SApiObjects...)
+ aggregatedResponses = append(aggregatedResponses, su.externalResourceConverter(ruleResponse.AlertObject.ExternalObjects)...)
+ }
+ }
+
+ aggregatedInputs = append(aggregatedInputs, ruleReport.ListInputResources...)
+
+ }
+ improvementRatio := float32(1)
+ if ctrls, isOk := su.FrameworksScore[frameworkName]; isOk {
+ if scoreobj, isOk2 := ctrls[ctrlReport.Name]; isOk2 {
+ ctrlReport.BaseScore = scoreobj.BaseScore
+ improvementRatio -= scoreobj.RuntimeImprovementMultiplier
+ }
+ } else {
+ ctrlReport.BaseScore = 1.0
+ }
+
+ ctrlReport.Score = ctrlReport.BaseScore * su.resourceRules(aggregatedResponses)
+ ctrlReport.ARMOImprovement = ctrlReport.Score * improvementRatio
+
+ return ctrlReport.BaseScore * su.resourceRules(aggregatedInputs)
+
+}
+
+func getPostureFrameworksScores(weightPath string) map[string]map[string]ControlScoreWeights {
+ if len(weightPath) != 0 {
+ weightPath = weightPath + "/"
+ }
+ frameworksScoreMap := make(map[string]map[string]ControlScoreWeights)
+ dat, err := ioutil.ReadFile(weightPath + "frameworkdict.json")
+ if err != nil {
+ return nil
+ }
+ if err := json.Unmarshal(dat, &frameworksScoreMap); err != nil {
+ return nil
+ }
+
+ return frameworksScoreMap
+
+}
+
+func getPostureResourceScores(weightPath string) map[string]float32 {
+ if len(weightPath) != 0 {
+ weightPath = weightPath + "/"
+ }
+ resourceScoreMap := make(map[string]float32)
+ dat, err := ioutil.ReadFile(weightPath + "resourcesdict.json")
+ if err != nil {
+ return nil
+ }
+ if err := json.Unmarshal(dat, &resourceScoreMap); err != nil {
+ return nil
+ }
+
+ return resourceScoreMap
+
+}
+
+func NewScore(k8sapiobj *k8sinterface.KubernetesApi, configPath string) *ScoreUtil {
+ if postureScore == nil {
+
+ postureScore = &ScoreUtil{
+ ResourceTypeScores: getPostureResourceScores(configPath),
+ FrameworksScore: getPostureFrameworksScores(configPath),
+ configPath: configPath,
+ }
+
+ }
+
+ return postureScore
+}
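Review bot: `CalculateFrameworkScore` returns the "bad wcs score" error on every call, including after the `if framework.WCSScore > 0` branch has computed the percentages; add `return nil` as the last statement of that branch so the error covers only the zero-weight case. `Calculate` discards that return value, so once the success path is fixed it should propagate it with `if err := su.CalculateFrameworkScore(&frameworksReports[i]); err != nil { return err }`. In `resourceRules`, `kind = keys[0]` panics with an index out of range when a non-workload entry is an empty map, and for a map with several keys the chosen kind depends on map iteration order; a guard such as `if len(v) == 0 { continue }` at the top of the `else` branch avoids the panic. `getPostureResourceScores` and `getPostureFrameworksScores` return nil on any read or parse error and `NewScore` caches that in `postureScore`, so a missing or malformed weights file leaves every workload weight at 0 with no signal to the caller. For a posture scanner that silent fallback is worth surfacing as a logged or returned error.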
diff --git a/scapepkg/score/score_mocks.go b/scapepkg/score/score_mocks.go
new file mode 100644
index 00000000..fdf2ea32
--- /dev/null
+++ b/scapepkg/score/score_mocks.go
@@ -0,0 +1,77 @@
+package score
+
+import (
+ "encoding/json"
+ "io/ioutil"
+ "strings"
+
+ k8sinterface "github.com/armosec/kubescape/cautils/k8sinterface"
+ "github.com/armosec/kubescape/cautils/opapolicy"
+)
+
+func loadResourcesMock() []map[string]interface{} {
+ resources := make([]map[string]interface{}, 0)
+
+ dat, err := ioutil.ReadFile("resourcemocks.json")
+
+ if err != nil {
+ return resources
+ }
+ if err := json.Unmarshal(dat, &resources); err != nil {
+ return resources
+ }
+
+ return resources
+}
+
+func getResouceByType(desiredType string) map[string]interface{} {
+ rsrcs := loadResourcesMock()
+ if rsrcs == nil {
+ return nil
+ }
+ for _, v := range rsrcs {
+ wl := k8sinterface.NewWorkloadObj(v)
+ if wl != nil {
+ if strings.ToLower(wl.GetKind()) == desiredType {
+ return v
+ }
+ continue
+
+ } else {
+ for k := range v {
+ if k == desiredType {
+ return v
+ }
+ }
+ }
+ }
+ return nil
+}
+
+func loadFrameworkMock() *opapolicy.FrameworkReport {
+ report := &opapolicy.FrameworkReport{}
+
+ dat, err := ioutil.ReadFile("frameworkmock.json")
+
+ if err != nil {
+ return report
+ }
+ if err := json.Unmarshal(dat, &report); err != nil {
+ return report
+ }
+
+ return report
+}
+func getMITREFrameworkResultMock() []opapolicy.FrameworkReport {
+ l := make([]opapolicy.FrameworkReport, 0)
+ report := loadFrameworkMock()
+ resources := loadResourcesMock()
+ if report != nil && resources != nil {
+
+ report.ControlReports[0].RuleReports[0].ListInputResources = resources
+ l = append(l, *report)
+
+ }
+
+ return l
+}
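Review bot: `getMITREFrameworkResultMock` indexes `report.ControlReports[0].RuleReports[0]` behind a `report != nil && resources != nil` check that can never fail, because `loadFrameworkMock` and `loadResourcesMock` return an empty non-nil value on a read or parse error, so a missing `frameworkmock.json` turns into an index-out-of-range panic. Guard on the data instead, for example `if len(report.ControlReports) > 0 && len(report.ControlReports[0].RuleReports) > 0 && len(resources) > 0 {`; the `rsrcs == nil` test in `getResouceByType` is dead for the same reason. The file name has no `_test.go` suffix, so these fixture loaders, which read relative paths from the working directory, are compiled into the non-test package; renaming it to `score_mocks_test.go` keeps them out of release builds. `getResouceByType` is also misspelled (`getResourceByType`).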
diff --git a/scapepkg/score/score_test.go b/scapepkg/score/score_test.go
new file mode 100644
index 00000000..6a5ed6c7
--- /dev/null
+++ b/scapepkg/score/score_test.go
@@ -0,0 +1,65 @@
+package score
+
+import (
+ "testing"
+)
+
+func TestFrameworkMock(t *testing.T) {
+ r := getMITREFrameworkResultMock()
+ su := NewScore(nil, "")
+ var epsilon float32 = 0.001
+ su.Calculate(r)
+ var sumweights float32 = 0.0
+ for _, v := range su.ResourceTypeScores {
+ sumweights += v
+ }
+
+ for _, framework := range r {
+ if framework.Score < 1 {
+ t.Errorf("framework %s invalid calculation1: %v", framework.Name, framework)
+ }
+
+ if framework.Score > framework.WCSScore+epsilon {
+ t.Errorf("framework %s invalid calculation2: %v", framework.Name, framework)
+ }
+ if framework.ARMOImprovement > framework.Score+epsilon {
+ t.Errorf("framework %s invalid calculation3: %v", framework.Name, framework)
+ }
+ if framework.ControlReports[0].Score*sumweights <= 0+epsilon {
+ t.Errorf("framework %s invalid calculation4: %v", framework.Name, framework)
+ }
+ }
+ //
+}
+
+func TestDaemonsetRule(t *testing.T) {
+ desiredType := "daemonset"
+ r := getResouceByType(desiredType)
+ if r == nil {
+ t.Errorf("no %v was found in the mock, should be 1", desiredType)
+ }
+ su := NewScore(nil, "")
+
+ resources := []map[string]interface{}{r}
+ weights := su.resourceRules(resources)
+ expecting := 13 * su.ResourceTypeScores[desiredType]
+ if weights != expecting {
+ t.Errorf("no %v unexpected weights were calculated expecting: %v got %v", desiredType, expecting, weights)
+ }
+}
+
+func TestMultipleReplicasRule(t *testing.T) {
+ desiredType := "deployment"
+ r := getResouceByType(desiredType)
+ if r == nil {
+ t.Errorf("no %v was found in the mock, should be 1", desiredType)
+ }
+ su := NewScore(nil, "")
+
+ resources := []map[string]interface{}{r}
+ weights := su.resourceRules(resources)
+ expecting := 3 * su.ResourceTypeScores[desiredType] * su.ResourceTypeScores["replicaset"]
+ if weights != expecting {
+ t.Errorf("no %v unexpected weights were calculated expecting: %v got %v", desiredType, expecting, weights)
+ }
+}
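Review bot: `TestDaemonsetRule` and `TestMultipleReplicasRule` report a missing fixture with `t.Errorf` and then keep going, passing the nil map on to `su.resourceRules`; use `t.Fatalf("no %v was found in the mock, should be 1", desiredType)` so the test stops at the real cause. `TestFrameworkMock` asserts only inside `for _, framework := range r`, so it passes vacuously when the mock loader returns an empty slice; add a `len(r) == 0` check that fails the test, and check the error returned by `su.Calculate(r)`. The two rule tests compare `float32` values with `!=` while `TestFrameworkMock` uses an epsilon, which is fragile once a weight such as the 1.1 replicaset factor is involved; compare against an epsilon there too. The literals `13` and `3` depend on the contents of `resourcemocks.json` and deserve a comment saying which fields they come from.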
diff --git a/scapepkg/score/scoremethods.go b/scapepkg/score/scoremethods.go
new file mode 100644
index 00000000..323f8eed
--- /dev/null
+++ b/scapepkg/score/scoremethods.go
@@ -0,0 +1 @@
+package score