after merge with dev branch

2026-02-14 09:59:54 +00:00 · 2021-12-09 14:10:44 +02:00
parent 3ca61b218e a5f7f8bbe4
commit a1555bb9cd
6 changed files with 107 additions and 12 deletions
--- a/cautils/rbac.go
+++ b/cautils/rbac.go
@@ -65,6 +65,7 @@ func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.Rbac
 		if err != nil {
 			return nil, err
 		}
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1"
 		crIMeta := workloadinterface.NewWorkloadObj(crmap)
 		crIMeta.SetKind("ClusterRole")
 		allresources[crIMeta.GetID()] = crIMeta
@@ -74,6 +75,7 @@ func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.Rbac
 		if err != nil {
 			return nil, err
 		}
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1"
 		crIMeta := workloadinterface.NewWorkloadObj(crmap)
 		crIMeta.SetKind("Role")
 		allresources[crIMeta.GetID()] = crIMeta
@@ -83,6 +85,7 @@ func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.Rbac
 		if err != nil {
 			return nil, err
 		}
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1"
 		crIMeta := workloadinterface.NewWorkloadObj(crmap)
 		crIMeta.SetKind("ClusterRoleBinding")
 		allresources[crIMeta.GetID()] = crIMeta
@@ -92,6 +95,7 @@ func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.Rbac
 		if err != nil {
 			return nil, err
 		}
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1"
 		crIMeta := workloadinterface.NewWorkloadObj(crmap)
 		crIMeta.SetKind("RoleBinding")
 		allresources[crIMeta.GetID()] = crIMeta
--- a/clihandler/cmd/control.go
+++ b/clihandler/cmd/control.go
@@ -16,7 +16,7 @@ import (
 // controlCmd represents the control command
 var controlCmd = &cobra.Command{
 	Use:   "control <control names list>/<control ids list>.\nExamples:\n$ kubescape scan control C-0058,C-0057 [flags]\n$ kubescape scan contol C-0058 [flags]\n$ kubescape scan control 'privileged container,allowed hostpath' [flags]",
-	Short: fmt.Sprintf("The control you wish to use for scan. It must be present in at least one of the folloiwng frameworks: %s", getter.NativeFrameworks),
+	Short: fmt.Sprintf("The control you wish to use for scan. It must be present in at least one of the following frameworks: %s", getter.NativeFrameworks),
 	Args: func(cmd *cobra.Command, args []string) error {
 		if len(args) > 0 {
 			controls := strings.Split(args[0], ",")
--- a/hostsensorutils/hostsensordeploy.go
+++ b/hostsensorutils/hostsensordeploy.go
@@ -39,7 +39,7 @@ func NewHostSensorHandler(k8sObj *k8sinterface.KubernetesApi) (*HostSensorHandle
 		gracePeriod:        int64(15),
 	}
 	// Don't deploy on cluster with no nodes. Some cloud providers prevents termination of K8s objects for cluster with no nodes!!!
-	if nodeList, err := k8sObj.KubernetesClient.NodeV1().RuntimeClasses().List(k8sObj.Context, metav1.ListOptions{}); err != nil || len(nodeList.Items) == 0 {
+	if nodeList, err := k8sObj.KubernetesClient.CoreV1().Nodes().List(k8sObj.Context, metav1.ListOptions{}); err != nil || len(nodeList.Items) == 0 {
 		if err == nil {
 			err = fmt.Errorf("no nodes to scan")
 		}
@@ -137,7 +137,7 @@ func (hsh *HostSensorHandler) checkPodForEachNode() error {
 		if time.Now().After(deadline) {
 			return fmt.Errorf("host-sensor pods number (%d) differ than nodes number (%d) after deadline exceded", podsNum, len(nodesList.Items))
 		}
-		time.Sleep(500 * time.Millisecond)
+		time.Sleep(100 * time.Millisecond)
 	}
 	return nil
 }
--- a/hostsensorutils/hostsensorgetfrompod.go
+++ b/hostsensorutils/hostsensorgetfrompod.go
@@ -83,6 +83,66 @@ func (hsh *HostSensorHandler) sendAllPodsHTTPGETRequest(path string) ([]HostSens
 	return res, nil
 }

+// return list of
+func (hsh *HostSensorHandler) GetOpenPortsList() ([]HostSensorDataEnvelope, error) {
+	// loop over pods and port-forward it to each of them
+	res, err := hsh.sendAllPodsHTTPGETRequest("/openedPorts")
+	for resIdx := range res {
+		res[resIdx].GroupVersionResource.Resource = "OpenPortsList"
+		res[resIdx].GroupVersionResource.Group = "hostdata.armo.cloud"
+		res[resIdx].GroupVersionResource.Version = "v1beta0"
+	}
+	return res, err
+}
+
+// return list of
+func (hsh *HostSensorHandler) GetLinuxSecurityHardeningStatus() ([]HostSensorDataEnvelope, error) {
+	// loop over pods and port-forward it to each of them
+	res, err := hsh.sendAllPodsHTTPGETRequest("/linuxSecurityHardening")
+	for resIdx := range res {
+		res[resIdx].GroupVersionResource.Resource = "LinuxSecurityHardeningStatus"
+		res[resIdx].GroupVersionResource.Group = "hostdata.armo.cloud"
+		res[resIdx].GroupVersionResource.Version = "v1beta0"
+	}
+	return res, err
+}
+
+// return list of
+func (hsh *HostSensorHandler) GetKubeletCommandLine() ([]HostSensorDataEnvelope, error) {
+	// loop over pods and port-forward it to each of them
+	res, err := hsh.sendAllPodsHTTPGETRequest("/kubeletCommandLine")
+	for resIdx := range res {
+		res[resIdx].GroupVersionResource.Resource = "KubeletCommandLine"
+		res[resIdx].GroupVersionResource.Group = "hostdata.armo.cloud"
+		res[resIdx].GroupVersionResource.Version = "v1beta0"
+	}
+	return res, err
+}
+
+// return list of
+func (hsh *HostSensorHandler) GetKernelVersion() ([]HostSensorDataEnvelope, error) {
+	// loop over pods and port-forward it to each of them
+	res, err := hsh.sendAllPodsHTTPGETRequest("/kernelVersion")
+	for resIdx := range res {
+		res[resIdx].GroupVersionResource.Resource = "KernelVersion"
+		res[resIdx].GroupVersionResource.Group = "hostdata.armo.cloud"
+		res[resIdx].GroupVersionResource.Version = "v1beta0"
+	}
+	return res, err
+}
+
+// return list of
+func (hsh *HostSensorHandler) GetOsReleaseFile() ([]HostSensorDataEnvelope, error) {
+	// loop over pods and port-forward it to each of them
+	res, err := hsh.sendAllPodsHTTPGETRequest("/osRelease")
+	for resIdx := range res {
+		res[resIdx].GroupVersionResource.Resource = "OsReleaseFile"
+		res[resIdx].GroupVersionResource.Group = "hostdata.armo.cloud"
+		res[resIdx].GroupVersionResource.Version = "v1beta0"
+	}
+	return res, err
+}
+
 // return list of
 func (hsh *HostSensorHandler) GetKubeletConfigurations() ([]HostSensorDataEnvelope, error) {
 	// loop over pods and port-forward it to each of them
@@ -119,6 +179,37 @@ func (hsh *HostSensorHandler) CollectResources() ([]HostSensorDataEnvelope, erro
 		return kcData, err
 	}
 	res = append(res, kcData...)
+	//
+	kcData, err = hsh.GetKubeletCommandLine()
+	if err != nil {
+		return kcData, err
+	}
+	res = append(res, kcData...)
+	//
+	kcData, err = hsh.GetOsReleaseFile()
+	if err != nil {
+		return kcData, err
+	}
+	res = append(res, kcData...)
+	//
+	kcData, err = hsh.GetKernelVersion()
+	if err != nil {
+		return kcData, err
+	}
+	res = append(res, kcData...)
+	//
+	kcData, err = hsh.GetLinuxSecurityHardeningStatus()
+	if err != nil {
+		return kcData, err
+	}
+	res = append(res, kcData...)
+	//
+	kcData, err = hsh.GetOpenPortsList()
+	if err != nil {
+		return kcData, err
+	}
+	res = append(res, kcData...)
+	// finish
 	cautils.SuccessTextDisplay("Read host information from host sensor")
 	return res, nil
 }
--- a/smoke_testing/smoke_utils.py
+++ b/smoke_testing/smoke_utils.py
@@ -5,9 +5,9 @@ def get_exec_from_args(args: list):
    return args[1]


-def run_command(command):
+def run_command(command, stdin=subprocess.PIPE, stderr=subprocess.STDOUT):
    try:
-        return f"{subprocess.check_output(command, stdin=subprocess.PIPE, stderr=subprocess.STDOUT)}"
+        return f"{subprocess.check_output(command, stdin=stdin, stderr=stderr)}"
    except Exception as e:
        return f"{e}"

--- a/smoke_testing/test_scan.py
+++ b/smoke_testing/test_scan.py
@@ -9,31 +9,31 @@ single_file = os.path.join("..", "examples", "online-boutique", "frontend.yaml")


 def scan_all(kubescape_exec: str):
-    return smoke_utils.run_command(command=[kubescape_exec, "scan", all_files])
+    return smoke_utils.run_command(command=[kubescape_exec, "scan", all_files, "--enable-host-scan=false"])


 def scan_control_name(kubescape_exec: str):
-    return smoke_utils.run_command(command=[kubescape_exec, "scan", "control", 'Allowed hostPath', all_files])
+    return smoke_utils.run_command(command=[kubescape_exec, "scan", "control", 'Allowed hostPath', all_files, "--enable-host-scan=false"])


 def scan_control_id(kubescape_exec: str):
-    return smoke_utils.run_command(command=[kubescape_exec, "scan", "control", 'C-0006', all_files])
+    return smoke_utils.run_command(command=[kubescape_exec, "scan", "control", 'C-0006', all_files, "--enable-host-scan=false"])


 def scan_controls(kubescape_exec: str):
-    return smoke_utils.run_command(command=[kubescape_exec, "scan", "control", 'Allowed hostPath,Allow privilege escalation', all_files])
+    return smoke_utils.run_command(command=[kubescape_exec, "scan", "control", 'Allowed hostPath,Allow privilege escalation', all_files, "--enable-host-scan=false"])


 def scan_framework(kubescape_exec: str):
-    return smoke_utils.run_command(command=[kubescape_exec, "scan", "framework", "nsa", all_files])
+    return smoke_utils.run_command(command=[kubescape_exec, "scan", "framework", "nsa", all_files, "--enable-host-scan=false"])


 def scan_frameworks(kubescape_exec: str):
-    return smoke_utils.run_command(command=[kubescape_exec, "scan", "framework", "nsa,mitre,armobest", all_files])
+    return smoke_utils.run_command(command=[kubescape_exec, "scan", "framework", "nsa,mitre,armobest", all_files, "--enable-host-scan=false"])


 def scan_from_stdin(kubescape_exec: str):
-    return smoke_utils.run_command(command=["cat", single_file, "|", kubescape_exec, "scan", "framework", "nsa", "-"])
+    return smoke_utils.run_command(command=["cat", single_file, "|", kubescape_exec, "scan", "framework", "nsa", "-", "--enable-host-scan=false"])


 def run(kubescape_exec: str):