From 1ceac2a0a04dd0c20f3dc646a2c33a9255552f66 Mon Sep 17 00:00:00 2001
From: Bezalel Brandwine
Date: Tue, 7 Dec 2021 12:48:45 +0200
Subject: [PATCH 1/4] take node list from core v1

---
 hostsensorutils/hostsensordeploy.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hostsensorutils/hostsensordeploy.go b/hostsensorutils/hostsensordeploy.go
index 6911da56..83a6d020 100644
--- a/hostsensorutils/hostsensordeploy.go
+++ b/hostsensorutils/hostsensordeploy.go
@@ -39,7 +39,7 @@ func NewHostSensorHandler(k8sObj *k8sinterface.KubernetesApi) (*HostSensorHandle
 		gracePeriod: int64(15),
 	}
 	// Don't deploy on cluster with no nodes. Some cloud providers prevents termination of K8s objects for cluster with no nodes!!!
-	if nodeList, err := k8sObj.KubernetesClient.NodeV1().RuntimeClasses().List(k8sObj.Context, metav1.ListOptions{}); err != nil || len(nodeList.Items) == 0 {
+	if nodeList, err := k8sObj.KubernetesClient.CoreV1().Nodes().List(k8sObj.Context, metav1.ListOptions{}); err != nil || len(nodeList.Items) == 0 {
 		if err == nil {
 			err = fmt.Errorf("no nodes to scan")
 		}
@@ -137,7 +137,7 @@ func (hsh *HostSensorHandler) checkPodForEachNode() error {
 		if time.Now().After(deadline) {
 			return fmt.Errorf("host-sensor pods number (%d) differ than nodes number (%d) after deadline exceded", podsNum, len(nodesList.Items))
 		}
-		time.Sleep(500 * time.Millisecond)
+		time.Sleep(100 * time.Millisecond)
 	}
 	return nil
 }

From a095634755b27fc509ad90894c56310a1081f26b Mon Sep 17 00:00:00 2001
From: Alex Jones
Date: Tue, 7 Dec 2021 13:03:44 +0000
Subject: [PATCH 2/4] spelling mistake on clihandler/cmd/control.go:19

---
 clihandler/cmd/control.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clihandler/cmd/control.go b/clihandler/cmd/control.go
index a0772767..bc0cb876 100644
--- a/clihandler/cmd/control.go
+++ b/clihandler/cmd/control.go
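Review bot: The new `CoreV1().Nodes().List(...)` call in the @@ -39 hunk retrieves every Node object although the condition only tests whether the list is empty, so on a large cluster this is a full unpaged list for a yes/no answer. `metav1.ListOptions{Limit: 1}` is enough to detect an empty cluster and keeps the pre-deploy check cheap. When List itself fails the error is passed on bare, so the caller cannot tell which API call broke; wrapping it as `err = fmt.Errorf("listing nodes: %w", err)` in an else branch of the inner `if err == nil` would give that context. NewHostSensorHandler continues outside the hunk, so where that error is returned is not visible here.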
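Review bot: Cutting the poll interval in the @@ -137 hunk from 500 ms to 100 ms makes checkPodForEachNode query the API server five times as often while it waits for the host-sensor pods; the part of the loop that counts pods is above the hunk, so I am inferring that each iteration issues a pod List. Unless the faster reaction time is required, a modest interval or a short backoff is kinder to the control plane, and a one-line comment stating why 100 ms was chosen would stop the next reader from bumping it back. The error message on the context line also misspells "exceeded" (`after deadline exceeded`).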
@@ -16,7 +16,7 @@ import (
 // controlCmd represents the control command
 var controlCmd = &cobra.Command{
 	Use: "control /.\nExamples:\n$ kubescape scan control C-0058,C-0057 [flags]\n$ kubescape scan contol C-0058 [flags]\n$ kubescape scan control 'privileged container,allowed hostpath' [flags]",
-	Short: fmt.Sprintf("The control you wish to use for scan. It must be present in at least one of the folloiwng frameworks: %s", getter.NativeFrameworks),
+	Short: fmt.Sprintf("The control you wish to use for scan. It must be present in at least one of the following frameworks: %s", getter.NativeFrameworks),
 	Args: func(cmd *cobra.Command, args []string) error {
 		if len(args) > 0 {
 			controls := strings.Split(args[0], ",")

From 51322e72709d880f1e3d029ebe9ffe7365fac418 Mon Sep 17 00:00:00 2001
From: yiscah
Date: Tue, 7 Dec 2021 19:50:14 +0200
Subject: [PATCH 3/4] add apiVersion to rbac objs

---
 clihandler/cmd/rbac.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/clihandler/cmd/rbac.go b/clihandler/cmd/rbac.go
index fdfc5aeb..56a988f7 100644
--- a/clihandler/cmd/rbac.go
+++ b/clihandler/cmd/rbac.go
@@ -72,6 +72,7 @@ func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.Rbac
 		if err != nil {
 			return nil, err
 		}
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1"
 		crIMeta := workloadinterface.NewWorkloadObj(crmap)
 		crIMeta.SetKind("ClusterRole")
 		allresources[crIMeta.GetID()] = crIMeta
@@ -81,6 +82,7 @@ func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.Rbac
 		if err != nil {
 			return nil, err
 		}
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1"
 		crIMeta := workloadinterface.NewWorkloadObj(crmap)
 		crIMeta.SetKind("Role")
 		allresources[crIMeta.GetID()] = crIMeta
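Review bot: The commit fixes `folloiwng` in Short, but the `Use` string two lines above still carries the same kind of typo in its second example, `$ kubescape scan contol C-0058 [flags]`; both strings are user-facing help text, so it is worth correcting in the same change: `$ kubescape scan control C-0058 [flags]`. The cobra.Command literal continues past the hunk.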
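Review bot: The literal `"rbac.authorization.k8s.io/v1"` is added verbatim in this @@ -72 hunk and again in @@ -81, @@ -90 and @@ -99; a single package-level `const rbacAPIVersion = "rbac.authorization.k8s.io/v1"` with `crmap["apiVersion"] = rbacAPIVersion` at each site keeps the four in step if the group version ever moves. The assignment also unconditionally overwrites any apiVersion key crmap already has — where crmap is built is above the hunk, so if that conversion can populate the key, a guard such as `if _, ok := crmap["apiVersion"]; !ok {` would preserve the source value. rbacObjectsToResources starts outside the hunk.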
@@ -90,6 +92,7 @@ func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.Rbac
 		if err != nil {
 			return nil, err
 		}
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1"
 		crIMeta := workloadinterface.NewWorkloadObj(crmap)
 		crIMeta.SetKind("ClusterRoleBinding")
 		allresources[crIMeta.GetID()] = crIMeta
@@ -99,6 +102,7 @@ func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.Rbac
 		if err != nil {
 			return nil, err
 		}
+		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1"
 		crIMeta := workloadinterface.NewWorkloadObj(crmap)
 		crIMeta.SetKind("RoleBinding")
 		allresources[crIMeta.GetID()] = crIMeta

From 420e49196336b1dc17b8902047f16463f3077149 Mon Sep 17 00:00:00 2001
From: Bezalel Brandwine
Date: Wed, 8 Dec 2021 08:58:07 +0200
Subject: [PATCH 4/4] add some more host sensor data

---
 hostsensorutils/hostsensorgetfrompod.go | 91 +++++++++++++++++++++++++
 1 file changed, 91 insertions(+)

diff --git a/hostsensorutils/hostsensorgetfrompod.go b/hostsensorutils/hostsensorgetfrompod.go
index 509eb747..865bf276 100644
--- a/hostsensorutils/hostsensorgetfrompod.go
+++ b/hostsensorutils/hostsensorgetfrompod.go
@@ -83,6 +83,66 @@ func (hsh *HostSensorHandler) sendAllPodsHTTPGETRequest(path string) ([]HostSens
 	return res, nil
 }
 
+// return list of
+func (hsh *HostSensorHandler) GetOpenPortsList() ([]HostSensorDataEnvelope, error) {
+	// loop over pods and port-forward it to each of them
+	res, err := hsh.sendAllPodsHTTPGETRequest("/openedPorts")
+	for resIdx := range res {
+		res[resIdx].GroupVersionResource.Resource = "OpenPortsList"
+		res[resIdx].GroupVersionResource.Group = "hostdata.armo.cloud"
+		res[resIdx].GroupVersionResource.Version = "v1beta0"
+	}
+	return res, err
+}
+
+// return list of
+func (hsh *HostSensorHandler) GetLinuxSecurityHardeningStatus() ([]HostSensorDataEnvelope, error) {
+	// loop over pods and port-forward it to each of them
+	res, err := hsh.sendAllPodsHTTPGETRequest("/linuxSecurityHardening")
+	for resIdx := range res {
+		res[resIdx].GroupVersionResource.Resource = "LinuxSecurityHardeningStatus"
+		res[resIdx].GroupVersionResource.Group = "hostdata.armo.cloud"
+		res[resIdx].GroupVersionResource.Version = "v1beta0"
+	}
+	return res, err
+}
+
+// return list of
+func (hsh *HostSensorHandler) GetKubeletCommandLine() ([]HostSensorDataEnvelope, error) {
+	// loop over pods and port-forward it to each of them
+	res, err := hsh.sendAllPodsHTTPGETRequest("/kubeletCommandLine")
+	for resIdx := range res {
+		res[resIdx].GroupVersionResource.Resource = "KubeletCommandLine"
+		res[resIdx].GroupVersionResource.Group = "hostdata.armo.cloud"
+		res[resIdx].GroupVersionResource.Version = "v1beta0"
+	}
+	return res, err
+}
+
+// return list of
+func (hsh *HostSensorHandler) GetKernelVersion() ([]HostSensorDataEnvelope, error) {
+	// loop over pods and port-forward it to each of them
+	res, err := hsh.sendAllPodsHTTPGETRequest("/kernelVersion")
+	for resIdx := range res {
+		res[resIdx].GroupVersionResource.Resource = "KernelVersion"
+		res[resIdx].GroupVersionResource.Group = "hostdata.armo.cloud"
+		res[resIdx].GroupVersionResource.Version = "v1beta0"
+	}
+	return res, err
+}
+
+// return list of
+func (hsh *HostSensorHandler) GetOsReleaseFile() ([]HostSensorDataEnvelope, error) {
+	// loop over pods and port-forward it to each of them
+	res, err := hsh.sendAllPodsHTTPGETRequest("/osRelease")
+	for resIdx := range res {
+		res[resIdx].GroupVersionResource.Resource = "OsReleaseFile"
+		res[resIdx].GroupVersionResource.Group = "hostdata.armo.cloud"
+		res[resIdx].GroupVersionResource.Version = "v1beta0"
+	}
+	return res, err
+}
+
 // return list of
 func (hsh *HostSensorHandler) GetKubeletConfigurations() ([]HostSensorDataEnvelope, error) {
 	// loop over pods and port-forward it to each of them
@@ -119,6 +179,37 @@ func (hsh *HostSensorHandler) CollectResources() ([]HostSensorDataEnvelope, erro
 		return kcData, err
 	}
 	res = append(res, kcData...)
+	//
+	kcData, err = hsh.GetKubeletCommandLine()
+	if err != nil {
+		return kcData, err
+	}
+	res = append(res, kcData...)
+	//
+	kcData, err = hsh.GetOsReleaseFile()
+	if err != nil {
+		return kcData, err
+	}
+	res = append(res, kcData...)
+	//
+	kcData, err = hsh.GetKernelVersion()
+	if err != nil {
+		return kcData, err
+	}
+	res = append(res, kcData...)
+	//
+	kcData, err = hsh.GetLinuxSecurityHardeningStatus()
+	if err != nil {
+		return kcData, err
+	}
+	res = append(res, kcData...)
+	//
+	kcData, err = hsh.GetOpenPortsList()
+	if err != nil {
+		return kcData, err
+	}
+	res = append(res, kcData...)
+	// finish
 	cautils.SuccessTextDisplay("Read host information from host sensor")
 	return res, nil
 }
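Review bot: The @@ -119 hunk pastes the same six-line fetch-check-append block five times, separated by empty `//` comment lines that carry no information; a short loop over the collector methods keeps the order explicit in one place and removes the empty comments. Each block also returns the partial `kcData` slice next to the error, where `nil, err` is the conventional shape for a `(T, error)` result; I kept that behaviour in the rewrite below with a comment, so switch to `nil` only if no caller reads the slice on error. CollectResources begins above the hunk, so the declaration of `kcData` and `err` is inferred from the `kcData, err =` assignments visible here.
```go
	res = append(res, kcData...)
	// Remaining host-sensor endpoints, gathered in a fixed order so the output
	// is stable across runs; the first failure aborts the collection.
	for _, collect := range []func() ([]HostSensorDataEnvelope, error){
		hsh.GetKubeletCommandLine,
		hsh.GetOsReleaseFile,
		hsh.GetKernelVersion,
		hsh.GetLinuxSecurityHardeningStatus,
		hsh.GetOpenPortsList,
	} {
		kcData, err = collect()
		if err != nil {
			// Matches the earlier blocks: partial data is returned with the error.
			return kcData, err
		}
		res = append(res, kcData...)
	}
	// … unchanged: cautils.SuccessTextDisplay call and final return …
```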