Merge pull request #3 from dwertent/master

Update description display

.github/workflows/build.yaml

@@ -18,7 +18,7 @@ jobs:
         go-version: 1.16
 
     - name: Build
-      run: mkdir build  && go mod tidy && go build -o build/kubescape
+      run: mkdir build  && go mod tidy && go build -ldflags "-w -s" -o build/kubescape
     
     - name: Chmod
       run: chmod +x build/kubescape

README.md

@@ -1,8 +1,9 @@
 <img src="docs/kubescape.png" width="300" alt="logo" align="center">
 
-kubescape is a tool for testing Kubernetes clusters against industry accepted security standards and recomendations like:
-* NSA hardening for Kubernetes operators [see here](https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF)
-* MITRE threat matrix for Kubernetes [see here](https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/)
+Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in [Kubernetes Hardening Guidance by to NSA and CISA](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
+Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
+
+<img src="docs/using-mov.gif">
 
 # TL;DR
 ## Installation
@@ -22,6 +23,7 @@ To get a fast check of the security posture of your Kubernetes cluster, run this
 
 # Status
 [![build](https://github.com/armosec/kubescape/actions/workflows/build.yaml/badge.svg)](https://github.com/armosec/kubescape/actions/workflows/build.yaml)
+[![Github All Releases](https://img.shields.io/github/downloads/armosec/kubescape/total.svg)]()
 
 # How to build 
 `go mod tidy && go build -o kubescape` :zany_face:
@@ -29,11 +31,23 @@ To get a fast check of the security posture of your Kubernetes cluster, run this
 # Under the hood
 
 ## Tests
-Defining the tests here...
+Kubescape is running the following tests according to what is defined by [Kubernetes Hardening Guidance by to NSA and CISA](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
+* Non-root containers
+* Immutable container filesystem 
+* Privileged containers 
+* hostPID, hostIPC privileges
+* hostNetwork access
+* allowedHostPaths field
+* Protecting pod service account tokens
+* Resource policies
+* Control plane hardening 
+
 
 ## Technology
 Kubescape based on OPA engine: https://github.com/open-policy-agent/opa and ARMO's posture controls. 
 
-The tools retrieves Kubernetes objects from the API server and runs a set of [regos snippets](https://www.openpolicyagent.org/docs/latest/policy-language/) developed by (ARMO)[https://www.armosec.io/]. 
+The tools retrieves Kubernetes objects from the API server and runs a set of [regos snippets](https://www.openpolicyagent.org/docs/latest/policy-language/) developed by [ARMO](https://www.armosec.io/). 
 
 The results by default printed in a pretty "console friendly" manner, but they can be retrieved in JSON format for further processing.
+
+Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.

cautils/opapolicy/datastructures.go

@@ -42,11 +42,11 @@ type ControlReport struct {
 	Description string       `json:"description"`
 }
 type RuleReport struct {
-	Name           string         `json:"name"`
-	Remediation    string         `json:"remediation"`
-	RuleStatus     RuleStatus     `json:"ruleStatus"`
-	RuleResponses  []RuleResponse `json:"ruleResponses"`
-	NumOfResources int
+	Name               string                   `json:"name"`
+	Remediation        string                   `json:"remediation"`
+	RuleStatus         RuleStatus               `json:"ruleStatus"`
+	RuleResponses      []RuleResponse           `json:"ruleResponses"`
+	ListInputResources []map[string]interface{} `json:"-"`
 }
 type RuleStatus struct {
 	Status  string `json:"status"`

cautils/opapolicy/datastructuresmethods.go

@@ -70,7 +70,10 @@ func ParseRegoResult(regoResult *rego.ResultSet) ([]RuleResponse, error) {
 func (controlReport *ControlReport) GetNumberOfResources() int {
 	sum := 0
 	for i := range controlReport.RuleReports {
-		sum += controlReport.RuleReports[i].NumOfResources
+		if controlReport.RuleReports[i].ListInputResources == nil {
+			continue
+		}
+		sum += len(controlReport.RuleReports[i].ListInputResources)
 	}
 	return sum
 }

inputhandler/clihandler/flaghandler.go

@@ -45,7 +45,7 @@ func (flagHandler *FlagHandler) Help() {
 }
 
 func (flagHandler *FlagHandler) Version() {
-	fmt.Println("bla.bla.bla")
+	fmt.Println("")
 }
 
 func (flagHandler *FlagHandler) Scan() {
@@ -71,6 +71,8 @@ func (flagHandler *FlagHandler) ScanFramework() {
 	// 	fmt.Printf("framework %s not supported, supported frameworks: %v", frameworkName, SupportedFrameworks())
 	// 	return
 	// }
+	// excludeSystem := false
+	// flag.BoolVar(&excludeSystem, "exclude-system", false, "")
 	flagHandler.policyIdentifier = &opapolicy.PolicyIdentifier{
 		Kind: opapolicy.KindFramework,
 		Name: frameworkName,

install.sh

@@ -6,14 +6,14 @@ echo
  
 BASE_DIR=~/.kubescape
 KUBESCAPE_EXEC=kubescape
-RELEASE=v0.0.12
+RELEASE=v0.0.18
 DOWNLOAD_URL="https://github.com/armosec/kubescape/releases/download/$RELEASE/kubescape"
 
 mkdir -p $BASE_DIR 
 
 OUTPUT=$BASE_DIR/$KUBESCAPE_EXEC
 
-curl -sL $DOWNLOAD_URL -o $OUTPUT
+curl --progress-bar -L $DOWNLOAD_URL -o $OUTPUT
 echo -e "\033[32m[V] Downloaded Kubescape"
 
 sudo chmod +x $OUTPUT

opaprocessor/processorhandler.go

@@ -87,7 +87,7 @@ func (opap *OPAProcessor) ProcessRulesHandler(opaSessionObj *cautils.OPASessionO
 				} else {
 					ruleReport.RuleStatus.Status = "success"
 				}
-				ruleReport.NumOfResources = len(k8sObjects)
+				ruleReport.ListInputResources = k8sObjects
 				ruleReports = append(ruleReports, ruleReport)
 			}
 			controlReport.RuleReports = ruleReports

policyhandler/k8sresources.go

@@ -62,6 +62,9 @@ func (policyHandler *PolicyHandler) pullSingleResource(resource *schema.GroupVer
 	if labels != nil && len(labels) > 0 {
 		set := k8slabels.Set(labels)
 		listOptions.LabelSelector = set.AsSelector().String()
+		// if excludeSystem{
+		// 	listOptions.FieldSelector = "metadata.namespace!=kube-system,metadata.namespace!=cyberarmor-system"
+		// }
 	}
 
 	// set dynamic object

printer/printresults.go

@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"kube-escape/cautils"
 	"os"
-	"strings"
 
 	"kube-escape/cautils/k8sinterface"
 	"kube-escape/cautils/opapolicy"
@@ -62,7 +61,7 @@ func (printer *Printer) SummerySetup(postureReport *opapolicy.PostureReport) {
 				TotalResources:  cr.GetNumberOfResources(),
 				TotalFailed:     len(workloadsSummery),
 				WorkloadSummery: mapResources,
-				Description:     strings.ReplaceAll(cr.Description, ". ", fmt.Sprintf(".\n%s%s", INDENT, INDENT)),
+				Description:     cr.Description,
 			}
 		}
 	}
@@ -72,6 +71,7 @@ func (printer *Printer) PrintResults() {
 	for control, controlSummery := range printer.summery {
 		printer.printTitle(control, &controlSummery)
 		printer.printResult(control, &controlSummery)
+		// printer.printSummery(control, &controlSummery)
 	}
 }
 
@@ -85,7 +85,7 @@ func (printer *Printer) printTitle(controlName string, controlSummery *ControlSu
 		cautils.FailureDisplay(os.Stdout, "failed %v\n", emoji.SadButRelievedFace)
 	}
 
-	cautils.SimpleDisplay(os.Stdout, "%sDescription: %s\n", INDENT, controlSummery.Description)
+	cautils.SimpleDisplay(os.Stdout, "Description: %s\n", controlSummery.Description)
 
 }
 func (printer *Printer) printResult(controlName string, controlSummery *ControlSummery) {

printer/summery.go

@@ -14,7 +14,7 @@ type ControlSummery struct {
 	TotalResources  int
 	TotalFailed     int
 	Description     string
-	WorkloadSummery map[string][]WorkloadSummery
+	WorkloadSummery map[string][]WorkloadSummery // <namespace>:[<WorkloadSummery>]
 }
 
 type WorkloadSummery struct {