after merge with dev branch

This commit is contained in:
dwertent
2021-12-09 14:10:44 +02:00
6 changed files with 107 additions and 12 deletions


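--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -65,6 +65,7 @@ func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.Rbac
 if err != nil {
 return nil, err
 }
+crmap["apiVersion"] = "rbac.authorization.k8s.io/v1"
 crIMeta := workloadinterface.NewWorkloadObj(crmap)
 crIMeta.SetKind("ClusterRole")
 allresources[crIMeta.GetID()] = crIMeta
@@ -74,6 +75,7 @@ func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.Rbac
 if err != nil {
 return nil, err
 }
+crmap["apiVersion"] = "rbac.authorization.k8s.io/v1"
 crIMeta := workloadinterface.NewWorkloadObj(crmap)
 crIMeta.SetKind("Role")
 allresources[crIMeta.GetID()] = crIMeta
@@ -83,6 +85,7 @@ func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.Rbac
 if err != nil {
 return nil, err
 }
+crmap["apiVersion"] = "rbac.authorization.k8s.io/v1"
 crIMeta := workloadinterface.NewWorkloadObj(crmap)
 crIMeta.SetKind("ClusterRoleBinding")
 allresources[crIMeta.GetID()] = crIMeta
@@ -92,6 +95,7 @@ func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.Rbac
 if err != nil {
 return nil, err
 }
+crmap["apiVersion"] = "rbac.authorization.k8s.io/v1"
 crIMeta := workloadinterface.NewWorkloadObj(crmap)
 crIMeta.SetKind("RoleBinding")
 allresources[crIMeta.GetID()] = crIMeta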
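Review bot: The literal `"rbac.authorization.k8s.io/v1"` is now written four times, once per hunk (ClusterRole, Role, ClusterRoleBinding, RoleBinding), so the next API-version bump has to be applied in four places; a single `const rbacAPIVersion = "rbac.authorization.k8s.io/v1"` at package scope with `crmap["apiVersion"] = rbacAPIVersion` in each hunk keeps the four objects in step. A one-line why-comment would also help, e.g. `// the converted map carries no TypeMeta, so apiVersion must be set before GetID() is computed` — that reason is inferred, since the conversion that fills crmap is outside the hunk. Note the assignment is unconditional and would silently overwrite an apiVersion the map already carried. `rbacObjectsToResources` starts before the first hunk and continues after the last.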


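--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -16,7 +16,7 @@ import (
 // controlCmd represents the control command
 var controlCmd = &cobra.Command{
 Use: "control <control names list>/<control ids list>.\nExamples:\n$ kubescape scan control C-0058,C-0057 [flags]\n$ kubescape scan contol C-0058 [flags]\n$ kubescape scan control 'privileged container,allowed hostpath' [flags]",
-Short: fmt.Sprintf("The control you wish to use for scan. It must be present in at least one of the folloiwng frameworks: %s", getter.NativeFrameworks),
+Short: fmt.Sprintf("The control you wish to use for scan. It must be present in at least one of the following frameworks: %s", getter.NativeFrameworks),
 Args: func(cmd *cobra.Command, args []string) error {
 if len(args) > 0 {
 controls := strings.Split(args[0], ",")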
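Review bot: The typo in `Short` is fixed, but the `Use` string one line above still reads `$ kubescape scan contol C-0058 [flags]`; this is the text users see in `--help` and copy into their shells, so the same commit should correct it to `$ kubescape scan control C-0058 [flags]`. The `controlCmd` declaration continues past the end of the hunk.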


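--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -39,7 +39,7 @@ func NewHostSensorHandler(k8sObj *k8sinterface.KubernetesApi) (*HostSensorHandle
 gracePeriod: int64(15),
 }
 // Don't deploy on cluster with no nodes. Some cloud providers prevents termination of K8s objects for cluster with no nodes!!!
-if nodeList, err := k8sObj.KubernetesClient.NodeV1().RuntimeClasses().List(k8sObj.Context, metav1.ListOptions{}); err != nil || len(nodeList.Items) == 0 {
+if nodeList, err := k8sObj.KubernetesClient.CoreV1().Nodes().List(k8sObj.Context, metav1.ListOptions{}); err != nil || len(nodeList.Items) == 0 {
 if err == nil {
 err = fmt.Errorf("no nodes to scan")
 }
@@ -137,7 +137,7 @@ func (hsh *HostSensorHandler) checkPodForEachNode() error {
 if time.Now().After(deadline) {
 return fmt.Errorf("host-sensor pods number (%d) differ than nodes number (%d) after deadline exceded", podsNum, len(nodesList.Items))
 }
-time.Sleep(500 * time.Millisecond)
+time.Sleep(100 * time.Millisecond)
 }
 return nil
 }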
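Review bot: `CoreV1().Nodes().List` with an empty `metav1.ListOptions{}` fetches every Node object only to test `len(nodeList.Items) == 0`; `metav1.ListOptions{Limit: 1}` answers the same question with a single item and far less API-server and memory cost on large clusters, since nothing else in the list is used. The second hunk cuts the poll interval in `checkPodForEachNode` from 500 ms to 100 ms; each iteration presumably re-lists pods (the list call is outside the hunk), so this multiplies the request rate against the API server by five for the whole deadline window — a small backoff, or a watch, would be kinder than a tighter fixed sleep. The error text on the line above the sleep also has a typo, `after deadline exceeded`. Both `NewHostSensorHandler` and `checkPodForEachNode` extend outside their hunks.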


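--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -83,6 +83,66 @@ func (hsh *HostSensorHandler) sendAllPodsHTTPGETRequest(path string) ([]HostSens
 return res, nil
 }
+// return list of
+func (hsh *HostSensorHandler) GetOpenPortsList() ([]HostSensorDataEnvelope, error) {
+// loop over pods and port-forward it to each of them
+res, err := hsh.sendAllPodsHTTPGETRequest("/openedPorts")
+for resIdx := range res {
+res[resIdx].GroupVersionResource.Resource = "OpenPortsList"
+res[resIdx].GroupVersionResource.Group = "hostdata.armo.cloud"
+res[resIdx].GroupVersionResource.Version = "v1beta0"
+}
+return res, err
+}
+// return list of
+func (hsh *HostSensorHandler) GetLinuxSecurityHardeningStatus() ([]HostSensorDataEnvelope, error) {
+// loop over pods and port-forward it to each of them
+res, err := hsh.sendAllPodsHTTPGETRequest("/linuxSecurityHardening")
+for resIdx := range res {
+res[resIdx].GroupVersionResource.Resource = "LinuxSecurityHardeningStatus"
+res[resIdx].GroupVersionResource.Group = "hostdata.armo.cloud"
+res[resIdx].GroupVersionResource.Version = "v1beta0"
+}
+return res, err
+}
+// return list of
+func (hsh *HostSensorHandler) GetKubeletCommandLine() ([]HostSensorDataEnvelope, error) {
+// loop over pods and port-forward it to each of them
+res, err := hsh.sendAllPodsHTTPGETRequest("/kubeletCommandLine")
+for resIdx := range res {
+res[resIdx].GroupVersionResource.Resource = "KubeletCommandLine"
+res[resIdx].GroupVersionResource.Group = "hostdata.armo.cloud"
+res[resIdx].GroupVersionResource.Version = "v1beta0"
+}
+return res, err
+}
+// return list of
+func (hsh *HostSensorHandler) GetKernelVersion() ([]HostSensorDataEnvelope, error) {
+// loop over pods and port-forward it to each of them
+res, err := hsh.sendAllPodsHTTPGETRequest("/kernelVersion")
+for resIdx := range res {
+res[resIdx].GroupVersionResource.Resource = "KernelVersion"
+res[resIdx].GroupVersionResource.Group = "hostdata.armo.cloud"
+res[resIdx].GroupVersionResource.Version = "v1beta0"
+}
+return res, err
+}
+// return list of
+func (hsh *HostSensorHandler) GetOsReleaseFile() ([]HostSensorDataEnvelope, error) {
+// loop over pods and port-forward it to each of them
+res, err := hsh.sendAllPodsHTTPGETRequest("/osRelease")
+for resIdx := range res {
+res[resIdx].GroupVersionResource.Resource = "OsReleaseFile"
+res[resIdx].GroupVersionResource.Group = "hostdata.armo.cloud"
+res[resIdx].GroupVersionResource.Version = "v1beta0"
+}
+return res, err
+}
 // return list of
 func (hsh *HostSensorHandler) GetKubeletConfigurations() ([]HostSensorDataEnvelope, error) {
 // loop over pods and port-forward it to each of them
@@ -119,6 +179,37 @@ func (hsh *HostSensorHandler) CollectResources() ([]HostSensorDataEnvelope, erro
 return kcData, err
 }
 res = append(res, kcData...)
+//
+kcData, err = hsh.GetKubeletCommandLine()
+if err != nil {
+return kcData, err
+}
+res = append(res, kcData...)
+//
+kcData, err = hsh.GetOsReleaseFile()
+if err != nil {
+return kcData, err
+}
+res = append(res, kcData...)
+//
+kcData, err = hsh.GetKernelVersion()
+if err != nil {
+return kcData, err
+}
+res = append(res, kcData...)
+//
+kcData, err = hsh.GetLinuxSecurityHardeningStatus()
+if err != nil {
+return kcData, err
+}
+res = append(res, kcData...)
+//
+kcData, err = hsh.GetOpenPortsList()
+if err != nil {
+return kcData, err
+}
+res = append(res, kcData...)
+// finish
 cautils.SuccessTextDisplay("Read host information from host sensor")
 return res, nil
 }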
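Review bot: The five new getters (`GetOpenPortsList` through `GetOsReleaseFile`) share one body that differs only in the URL path and the `Resource` name, and each repeats the `"hostdata.armo.cloud"` / `"v1beta0"` literals; a private helper taking the path and resource name removes roughly forty lines and keeps the GVR in one place. The `// return list of` comment on each is an unfinished sentence — state what the slice holds, e.g. `// GetKernelVersion returns one envelope per host-sensor pod holding that node's kernel version.` In `CollectResources` every new step returns `kcData, err` on failure, handing the caller a partial slice next to the error; returning `nil, fmt.Errorf("collecting kubelet command line: %w", err)` (one message per step) makes the failure unambiguous and tells the operator which host-sensor endpoint broke. `CollectResources` starts before the second hunk.
```go
const (
	hostDataGroup   = "hostdata.armo.cloud"
	hostDataVersion = "v1beta0"
)

// getHostData queries every host-sensor pod at path and stamps each returned
// envelope with the given resource name and the host-data group/version.
func (hsh *HostSensorHandler) getHostData(path, resource string) ([]HostSensorDataEnvelope, error) {
	res, err := hsh.sendAllPodsHTTPGETRequest(path)
	for i := range res {
		res[i].GroupVersionResource.Resource = resource
		res[i].GroupVersionResource.Group = hostDataGroup
		res[i].GroupVersionResource.Version = hostDataVersion
	}
	return res, err
}

// GetOpenPortsList returns one envelope per host-sensor pod holding that node's open ports.
func (hsh *HostSensorHandler) GetOpenPortsList() ([]HostSensorDataEnvelope, error) {
	return hsh.getHostData("/openedPorts", "OpenPortsList")
}

// … unchanged pattern: GetLinuxSecurityHardeningStatus, GetKubeletCommandLine, GetKernelVersion, GetOsReleaseFile each become a one-line call to getHostData …
```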


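--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -5,9 +5,9 @@ def get_exec_from_args(args: list):
 return args[1]
-def run_command(command):
+def run_command(command, stdin=subprocess.PIPE, stderr=subprocess.STDOUT):
 try:
-return f"{subprocess.check_output(command, stdin=subprocess.PIPE, stderr=subprocess.STDOUT)}"
+return f"{subprocess.check_output(command, stdin=stdin, stderr=stderr)}"
 except Exception as e:
 return f"{e}"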
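Review bot: The new-side return still wraps the `bytes` from `check_output` in an f-string, so callers receive the repr `b'...'` with escaped newlines rather than the program's text; `return subprocess.check_output(command, stdin=stdin, stderr=stderr, text=True)` gives a plain string. The broad `except Exception` then returns `f"{e}"`, which turns a non-zero exit (`CalledProcessError`) or a missing binary into an ordinary return value, so a crashing kubescape run is indistinguishable from a successful scan unless every caller greps the output; letting the exception propagate, or returning the exit code alongside the output, would make the smoke tests actually fail on failure. `get_exec_from_args` begins before the hunk.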


@@ -9,31 +9,31 @@ single_file = os.path.join("..", "examples", "online-boutique", "frontend.yaml")
def scan_all(kubescape_exec: str): def scan_all(kubescape_exec: str):
return smoke_utils.run_command(command=[kubescape_exec, "scan", all_files]) return smoke_utils.run_command(command=[kubescape_exec, "scan", all_files, "--enable-host-scan=false"])
def scan_control_name(kubescape_exec: str): def scan_control_name(kubescape_exec: str):
return smoke_utils.run_command(command=[kubescape_exec, "scan", "control", 'Allowed hostPath', all_files]) return smoke_utils.run_command(command=[kubescape_exec, "scan", "control", 'Allowed hostPath', all_files, "--enable-host-scan=false"])
def scan_control_id(kubescape_exec: str): def scan_control_id(kubescape_exec: str):
return smoke_utils.run_command(command=[kubescape_exec, "scan", "control", 'C-0006', all_files]) return smoke_utils.run_command(command=[kubescape_exec, "scan", "control", 'C-0006', all_files, "--enable-host-scan=false"])
def scan_controls(kubescape_exec: str): def scan_controls(kubescape_exec: str):
return smoke_utils.run_command(command=[kubescape_exec, "scan", "control", 'Allowed hostPath,Allow privilege escalation', all_files]) return smoke_utils.run_command(command=[kubescape_exec, "scan", "control", 'Allowed hostPath,Allow privilege escalation', all_files, "--enable-host-scan=false"])
def scan_framework(kubescape_exec: str): def scan_framework(kubescape_exec: str):
return smoke_utils.run_command(command=[kubescape_exec, "scan", "framework", "nsa", all_files]) return smoke_utils.run_command(command=[kubescape_exec, "scan", "framework", "nsa", all_files, "--enable-host-scan=false"])
def scan_frameworks(kubescape_exec: str): def scan_frameworks(kubescape_exec: str):
return smoke_utils.run_command(command=[kubescape_exec, "scan", "framework", "nsa,mitre,armobest", all_files]) return smoke_utils.run_command(command=[kubescape_exec, "scan", "framework", "nsa,mitre,armobest", all_files, "--enable-host-scan=false"])
def scan_from_stdin(kubescape_exec: str): def scan_from_stdin(kubescape_exec: str):
return smoke_utils.run_command(command=["cat", single_file, "|", kubescape_exec, "scan", "framework", "nsa", "-"]) return smoke_utils.run_command(command=["cat", single_file, "|", kubescape_exec, "scan", "framework", "nsa", "-", "--enable-host-scan=false"])
def run(kubescape_exec: str): def run(kubescape_exec: str):