Prior to this change, `pretty-printer` was a special type of Printer
that wrote output to `Stdout`, unless explicitly asked to write to a
given file. Kubescape used `pretty-printer` as an output format by
default. This behavior created the following inconsistencies:
- When invoked as `kubescape scan`, Kubescape would use `pretty-printer`
by default, and it would output the scan resluts in the
`pretty-printer` format to `Stdout`.
- When invoked as `kubescape scan --format=pretty-printer`, the behavior
would be as above.
- When invoked as `kubescape scan --format=FORMAT`, where `FORMAT` is any
format except for `pretty-printer`, Kubescape would write the results
to a sensible default file for the selected format. This is in
contrast to how `--format=pretty-printer` would still output to
`os.Stdout`, and not an output file.
- When invoked as `kubescape scan --format=ANY_FORMAT --output=FILENAME`, where
`ANY_FORMAT` is any format, including `pretty-printer`, Kubescape
would write the results to the provided `FILENAME` in the given
`ANY_FORMAT`, and not write any results to `Stdout`.
The aforementioned situation complicates life for users running
Kubescape in CI, where Kubescape would skip writing the results to
`Stdout` and only write to the provided output file.
Moreover, with the addition of support for multiple output formats and,
hence, files, this introduces the following ambiguity:
- When invoked as `kubescape scan --format=json,pdf,pretty-printer
--output=FILENAME`, should Kubescape treat `pretty-printer` as a
format for the output file, or just an instruction to also print the
results to `Stdout`?
To fix these inconsistencies and ambiguities, this commit introduces the
following changes:
- Kubescape will always print results to `Stdout` using the
PrettyPrinter format.
- The `--format` CLI flag will control the format(s) in which the results
will be written to one or many *output* files. This breaks the
previous behavior that running `kubescape scan
--format=pretty-printer` would not produce an output file, and only
write to `Stdout`. After this change, the same invocation will still
write to `Stdout`, but also produce a `report.txt` file in the
PrettyPrinter format.
Before this change, we used to override a scan info `ScanningTarget` to
submit a result that is compatible with the backend for Kubescape.
However, previously we forgot to change back to the original value.
When printing scan results, if the correct order of events (Print →
Score → Submit) was not enforced, this broke the SARIF printer so that
it did not output results due to incorrect `basePath` for the results.
This change reverts to the original `ScanningTarget` value after
submitting the results and fixes the SARIF printer.
The value of allowPrivilegeEscalation followed implicit default of Kubernetes:
> AllowPrivilegeEscalation is true always when the container is:
> 1) run as Privileged
> 2) has CAP_SYS_ADMIN
For users still using PodSecurityPolicy (or a follow-up product like OPA Gatekeeper or
Kyverno), there might be mutating admission controllers which defaults this field to
`false` if unset. A value of `false` would then conflict with `privileged: true`.
Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>
