Merge pull request #1941 from kubescape/semver

fix isRuleKubescapeVersionCompatible bug with version 4.0.0

.gitattributes

@@ -0,0 +1,2 @@
+# Keep CRLF newlines in appropriate test files to have reproducible tests
+core/pkg/fixhandler/testdata/inserts/*-crlf-newlines.yaml text eol=crlf

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,33 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: 'bug'
+assignees: ''
+
+---
+
+# Description
+<!-- A clear and concise description of what the bug is. -->
+
+# Environment
+OS: ` ` <!-- the OS + version you’re running Kubescape on, e.g Ubuntu 22.04 LTS  -->
+Version: ` ` <!-- the version that Kubescape reports when you run `kubescape version`  -->
+ 
+# Steps To Reproduce
+<!--
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+-->
+
+# Expected behavior
+<!-- A clear and concise description of what you expected to happen. -->
+
+# Actual Behavior
+<!-- A clear and concise description of what happened. If applicable, add screenshots to help explain your  problem. -->
+
+# Additional context
+<!-- Add any other context about the problem here. -->

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,24 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: 'feature'
+assignees: ''
+
+---
+
+## Overview
+<!-- A brief overview of the related current state -->
+
+## Problem
+<!-- A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] -->
+
+## Solution
+<!-- A clear and concise description of what you want to happen. -->
+
+## Alternatives
+<!-- A clear and concise description of any alternative solutions or features you've considered. -->
+
+## Additional context
+<!-- Add any other context or screenshots about the feature request here. -->
+ 

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,44 @@
+## Overview
+<!-- Please provide a brief overview of the changes made in this pull request. e.g. current behavior/future behavior -->
+
+<!-- 
+## Additional Information
+
+> Any additional information that may be useful for reviewers to know 
+-->
+
+<!--
+## How to Test
+
+> Please provide instructions on how to test the changes made in this pull request
+-->
+
+<!--
+## Examples/Screenshots
+
+> Here you add related screenshots 
+-->
+
+<!-- 
+## Related issues/PRs:
+
+Here you add related issues and PRs.
+If this resolved an issue, write "Resolved #<issue number>
+
+e.g. If this PR resolves issues 1 and 2, it should look as follows:
+* Resolved #1
+* Resolved #2
+-->
+
+<!--
+## Checklist before requesting a review
+
+put an [x] in the box to get it checked 
+
+- [ ] My code follows the style guidelines of this project
+- [ ] I have commented on my code, particularly in hard-to-understand areas
+- [ ] I have performed a self-review of my code
+- [ ] If it is a core feature, I have added thorough tests.
+- [ ] New and existing unit tests pass locally with my changes
+
+--> 

.github/actions/tag-action/action.yaml

@@ -0,0 +1,44 @@
+name: 'Tag validator and retag'
+description: 'This action will check if the tag is rc and create a new tag for release'
+inputs:
+  ORIGINAL_TAG:  # id of input
+    description: 'Original tag'
+    required: true
+    default: ${{ github.ref_name }}
+  SUB_STRING: 
+    description: 'Sub string for rc tag'
+    required: true
+    default: "-rc"
+outputs:
+  NEW_TAG:
+    description: "The new tag for release"
+    value: ${{ steps.retag.outputs.NEW_TAG }}
+runs:
+  using: "composite"
+  steps:
+    - run: |
+        if [[ -z "${{ inputs.ORIGINAL_TAG }}" ]]; then
+          echo "The value of ORIGINAL_TAG is ${{ inputs.ORIGINAL_TAG }}"
+          echo "Setting the value of ORIGINAL_TAG to ${{ github.ref_name }}"
+          echo ORIGINAL_TAG="${{ github.ref_name }}" >> $GITHUB_ENV
+        fi
+      shell: bash
+
+    - run: |
+        if [[ "${{ inputs.ORIGINAL_TAG }}" == *"${{ inputs.SUB_STRING }}"* ]]; then
+            echo "Release candidate tag found."
+        else
+            echo "Release candidate tag not found."
+            exit 1
+        fi
+      shell: bash
+
+
+    - id: retag
+      run: | 
+          NEW_TAG=
+          echo "Original tag: ${{ inputs.ORIGINAL_TAG }}"
+          NEW_TAG=$(echo ${{ inputs.ORIGINAL_TAG }} | awk -F '-rc' '{print $1}')
+          echo "New tag: $NEW_TAG"
+          echo "NEW_TAG=$NEW_TAG" >> $GITHUB_OUTPUT
+      shell: bash

.github/dependabot.yaml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"

.github/workflows/00-pr-scanner.yaml

@@ -0,0 +1,243 @@
+name: 00-pr_scanner
+permissions: read-all
+on:
+    workflow_dispatch: {}
+    pull_request:
+        types: [opened, reopened, synchronize, ready_for_review]
+        paths-ignore:
+            - "**.yaml"
+            - "**.yml"
+            - "**.md"
+            - "**.sh"
+            - "website/*"
+            - "examples/*"
+            - "docs/*"
+            - "build/*"
+            - ".github/*"
+
+concurrency:
+    group: ${{ github.workflow }}-${{ github.ref }}
+    cancel-in-progress: true
+
+jobs:
+    pr-scanner:
+        permissions:
+            actions: read
+            artifact-metadata: read
+            attestations: read
+            checks: read
+            contents: write
+            deployments: read
+            discussions: read
+            id-token: write
+            issues: read
+            models: read
+            packages: read
+            pages: read
+            pull-requests: write
+            repository-projects: read
+            security-events: read
+            statuses: read
+        uses: ./.github/workflows/a-pr-scanner.yaml
+        with:
+            RELEASE: ""
+            CLIENT: test
+            CGO_ENABLED: 0
+            GO111MODULE: ""
+        secrets: inherit
+
+    wf-preparation:
+        name: secret-validator
+        runs-on: ubuntu-latest
+        outputs:
+            is-secret-set: ${{ steps.check-secret-set.outputs.is-secret-set }}
+
+        steps:
+            - name: check if the necessary secrets are set in github secrets
+              id: check-secret-set
+              env:
+                  CUSTOMER: ${{ secrets.CUSTOMER }}
+                  USERNAME: ${{ secrets.USERNAME }}
+                  PASSWORD: ${{ secrets.PASSWORD }}
+                  CLIENT_ID: ${{ secrets.CLIENT_ID_PROD }}
+                  SECRET_KEY: ${{ secrets.SECRET_KEY_PROD }}
+                  REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+                  REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+              run: "echo \"is-secret-set=${{ env.CUSTOMER != '' && env.USERNAME != '' && env.PASSWORD != '' && env.CLIENT_ID != '' && env.SECRET_KEY != '' && env.REGISTRY_USERNAME != '' && env.REGISTRY_PASSWORD != '' }}\" >> $GITHUB_OUTPUT\n"
+
+
+    run-system-tests:
+        needs: [wf-preparation, pr-scanner]
+        if: ${{ (needs.wf-preparation.outputs.is-secret-set == 'true') && (always() && (contains(needs.*.result, 'success') || contains(needs.*.result, 'skipped')) && !(contains(needs.*.result, 'failure')) && !(contains(needs.*.result, 'cancelled'))) }}
+        runs-on: ubuntu-latest
+        permissions:
+            actions: read
+            contents: read
+            pull-requests: write
+        steps:
+            - name: Set dispatch info
+              id: dispatch-info
+              run: |
+                  # Correlation ID WITHOUT attempt - so re-runs can find the original run
+                  CORRELATION_ID="${GITHUB_REPOSITORY##*/}-${{ github.run_id }}"
+                  echo "correlation_id=${CORRELATION_ID}" >> "$GITHUB_OUTPUT"
+                  echo "Correlation ID: ${CORRELATION_ID}, Attempt: ${{ github.run_attempt }}"
+
+            - name: Generate GitHub App token
+              id: app-token
+              uses: actions/create-github-app-token@v1
+              with:
+                  app-id: ${{ secrets.E2E_DISPATCH_APP_ID }}
+                  private-key: ${{ secrets.E2E_DISPATCH_APP_PRIVATE_KEY }}
+                  owner: armosec
+                  repositories: shared-workflows
+
+            - name: Dispatch system tests to private repo
+              if: ${{ github.run_attempt == 1 }}
+              env:
+                  GH_TOKEN: ${{ steps.app-token.outputs.token }}
+                  CORRELATION_ID: ${{ steps.dispatch-info.outputs.correlation_id }}
+                  KS_BRANCH: ${{ github.head_ref || github.ref_name }}
+              run: |
+                  echo "Dispatching E2E tests with correlation_id: ${CORRELATION_ID}"
+                  echo "Using test group: KUBESCAPE_CLI_E2E"
+
+                  gh api "repos/armosec/shared-workflows/dispatches" \
+                    -f event_type="e2e-test-trigger" \
+                    -f "client_payload[correlation_id]=${CORRELATION_ID}" \
+                    -f "client_payload[github_repository]=${GITHUB_REPOSITORY}" \
+                    -f "client_payload[environment]=production" \
+                    -f "client_payload[tests_groups]=KUBESCAPE_CLI_E2E" \
+                    -f "client_payload[systests_branch]=master" \
+                    -f "client_payload[ks_branch]=${KS_BRANCH}"
+
+                  echo "Dispatch completed"
+
+            - name: Find E2E workflow run
+              id: find-run
+              env:
+                  GH_TOKEN: ${{ steps.app-token.outputs.token }}
+                  CORRELATION_ID: ${{ steps.dispatch-info.outputs.correlation_id }}
+              run: |
+                  for i in {1..15}; do
+                    run_id=$(gh api "repos/armosec/shared-workflows/actions/runs?event=repository_dispatch&per_page=30" \
+                      --jq '.workflow_runs | map(select(.name | contains("'"$CORRELATION_ID"'"))) | first | .id // empty')
+
+                    if [ -n "$run_id" ]; then
+                      echo "run_id=${run_id}" >> "$GITHUB_OUTPUT"
+                      gh api "repos/armosec/shared-workflows/actions/runs/${run_id}" --jq '"url=" + .html_url' >> "$GITHUB_OUTPUT"
+                      exit 0
+                    fi
+                    echo "Attempt $i: waiting for run..."
+                    sleep $((i < 5 ? 10 : 30))
+                  done
+                  echo "::error::Could not find workflow run"
+                  exit 1
+
+            - name: Re-run failed jobs in private repo
+              id: rerun
+              if: ${{ github.run_attempt > 1 }}
+              env:
+                  GH_TOKEN: ${{ steps.app-token.outputs.token }}
+                  RUN_ID: ${{ steps.find-run.outputs.run_id }}
+              run: |
+                  conclusion=$(gh api "repos/armosec/shared-workflows/actions/runs/${RUN_ID}" --jq '.conclusion')
+                  echo "Previous conclusion: $conclusion"
+
+                  if [ "$conclusion" = "success" ]; then
+                    echo "Previous run passed. Nothing to re-run."
+                    echo "skip=true" >> "$GITHUB_OUTPUT"
+                    exit 0
+                  fi
+
+                  # Full rerun if cancelled, partial if failed
+                  if [ "$conclusion" = "cancelled" ]; then
+                    echo "Run was cancelled - triggering full re-run"
+                    gh api --method POST "repos/armosec/shared-workflows/actions/runs/${RUN_ID}/rerun"
+                  else
+                    echo "Re-running failed jobs only"
+                    gh api --method POST "repos/armosec/shared-workflows/actions/runs/${RUN_ID}/rerun-failed-jobs"
+                  fi
+
+                  # Wait for status to flip from 'completed'
+                  for i in {1..30}; do
+                    [ "$(gh api "repos/armosec/shared-workflows/actions/runs/${RUN_ID}" --jq '.status')" != "completed" ] && break
+                    sleep 2
+                  done
+
+            - name: Wait for E2E tests to complete
+              if: ${{ steps.rerun.outputs.skip != 'true' }}
+              env:
+                  GH_TOKEN: ${{ steps.app-token.outputs.token }}
+                  RUN_ID: ${{ steps.find-run.outputs.run_id }}
+                  URL: ${{ steps.find-run.outputs.url }}
+              run: |
+                  echo "Monitoring: ${URL}"
+
+                  for i in {1..60}; do  # 60 iterations × 60s = 1 hour max
+                    read status conclusion < <(gh api "repos/armosec/shared-workflows/actions/runs/${RUN_ID}" \
+                      --jq '[.status, .conclusion // "null"] | @tsv')
+
+                    echo "Status: ${status} | Conclusion: ${conclusion}"
+
+                    if [ "$status" = "completed" ]; then
+                      if [ "$conclusion" = "success" ]; then
+                        echo "E2E tests passed!"
+                        exit 0
+                      fi
+
+                      echo "::error::E2E tests failed: ${conclusion}"
+                      echo ""
+
+                      # Get failed job IDs to a file first
+                      gh api "repos/armosec/shared-workflows/actions/runs/${RUN_ID}/jobs" \
+                        --jq '.jobs[] | select(.conclusion == "failure") | [.id, .name, (.steps[] | select(.conclusion == "failure") | .name)] | @tsv' > /tmp/failed_jobs.txt
+
+                      # Process each failed job
+                      while IFS=$'\t' read -r job_id job_name step_name; do
+                        # Extract test name: "run-helm-e2e / ST (relevancy_python)" → "relevancy_python"
+                        test_name=$(echo "$job_name" | sed 's/.*(\(.*\))/\1/')
+
+                        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+                        echo "${job_name}"
+                        echo "   Step: ${step_name}"
+                        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+
+                        # Fetch logs to temp file
+                        gh api "repos/armosec/shared-workflows/actions/jobs/${job_id}/logs" 2>/dev/null > /tmp/job_logs.txt
+
+                        # Show summary in console
+                        grep -E "(ERROR|FAILURE)" /tmp/job_logs.txt | tail -10
+                        echo ""
+
+                        # Save to separate file per test
+                        log_file="failed_${test_name}.txt"
+                        echo "════════════════════════════════════════" > "$log_file"
+                        echo "${job_name}" >> "$log_file"
+                        echo "   Step: ${step_name}" >> "$log_file"
+                        echo "════════════════════════════════════════" >> "$log_file"
+                        last_endgroup=$(grep -n "##\\[endgroup\\]" /tmp/job_logs.txt | tail -1 | cut -d: -f1)
+                        if [ -n "$last_endgroup" ]; then
+                          tail -n +$((last_endgroup + 1)) /tmp/job_logs.txt >> "$log_file"
+                        else
+                          tail -500 /tmp/job_logs.txt >> "$log_file"
+                        fi
+                      done < /tmp/failed_jobs.txt
+
+                      echo "View full logs: ${URL}"
+                      exit 1
+                    fi
+
+                    sleep 60
+                  done
+
+                  echo "::error::Timeout waiting for tests"
+                  exit 1
+
+            - name: Upload failed step logs
+              if: failure()
+              uses: actions/upload-artifact@v4
+              with:
+                  name: failed-e2e-logs-attempt-${{ github.run_attempt }}
+                  path: failed_*.txt
+                  retention-days: 7

.github/workflows/02-release.yaml

@@ -0,0 +1,125 @@
+name: 02-create_release
+permissions: read-all
+on:
+  push:
+    tags:
+      - "v[0-9]+.[0-9]+.[0-9]+"
+  workflow_dispatch:
+    inputs:
+      skip_publish:
+        description: "Skip publishing artifacts"
+        required: false
+        default: true
+        type: boolean
+jobs:
+  release:
+    permissions:
+      actions: read
+      checks: read
+      contents: write
+      deployments: read
+      discussions: read
+      id-token: write
+      issues: read
+      models: read
+      packages: write
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
+      security-events: read
+      attestations: read
+      artifact-metadata: read
+    runs-on: ubuntu-large
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: "1.25"
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.9"
+
+      - name: Install system dependencies for system-tests
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends \
+            libpq5 \
+            libpq-dev \
+            gcc \
+            python3-dev
+          sudo rm -rf /var/lib/apt/lists/*
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.5.0
+
+      - name: Create Cosign Key
+        run: echo "${{ secrets.COSIGN_PRIVATE_KEY_V1 }}" > cosign.key
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Quay.io
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
+          password: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
+
+      - uses: anchore/sbom-action/download-syft@v0
+        name: Setup Syft
+
+      - name: Create k8s Kind Cluster
+        uses: helm/kind-action@v1.10.0
+        with:
+          cluster_name: kubescape-e2e
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --clean ${{ inputs.skip_publish == true && '--skip=publish' || '' }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}
+          COSIGN_PWD: ${{ secrets.COSIGN_PRIVATE_KEY_V1_PASSWORD }}
+          RELEASE: ${{ github.ref_name }}
+          CLIENT: release
+          RUN_E2E: "true"
+          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
+          CUSTOMER: ${{ secrets.CUSTOMER }}
+          USERNAME: ${{ secrets.USERNAME }}
+          PASSWORD: ${{ secrets.PASSWORD }}
+          CLIENT_ID: ${{ secrets.CLIENT_ID_PROD }}
+          SECRET_KEY: ${{ secrets.SECRET_KEY_PROD }}
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Update new version in krew-index
+        if: github.event_name != 'workflow_dispatch' || inputs.skip_publish != true
+        uses: rajatjindal/krew-release-bot@v0.0.47
+        with:
+          krew_template_file: .krew.yaml
+
+      - name: List collected system-test results (debug)
+        if: always()
+        run: |
+          echo "Listing test-results/system-tests (if any):"
+          ls -laR test-results/system-tests || true
+
+      - name: System Tests Report
+        uses: mikepenz/action-junit-report@v5
+        if: always()
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          report_paths: "test-results/system-tests/**/results_xml_format/**.xml"
+          annotate_only: true
+          job_summary: true

.github/workflows/README.md

@@ -0,0 +1,52 @@
+# Kubescape workflows
+
+Tag terminology: `v<major>.<minor>.<patch>`
+
+## Developing process
+
+Kubescape's main branch is `main`, any PR will be opened against the main branch.
+
+### Opening a PR
+
+When a user opens a PR, this will trigger some basic tests (units, license, etc.)
+
+### Reviewing a PR
+
+The reviewer/maintainer of a PR will decide whether the PR introduces changes that require running the E2E system tests. If so, the reviewer will add the `trigger-integration-test` label.
+
+### Approving a PR
+
+Once a maintainer approves the PR, if the `trigger-integration-test` label was added to the PR, the GitHub actions will trigger the system test. The PR will be merged only after the system tests passed successfully. If the label was not added, the PR can be merged. 
+
+### Merging a PR
+
+The code is merged, no other actions are needed
+
+
+## Release process
+
+Every two weeks, we will create a new tag by bumping the minor version, this will create the release and publish the artifacts. 
+If we are introducing breaking changes, we will update the `major` version instead.
+
+When we wish to push a hot-fix/feature within the two weeks, we will bump the `patch`.
+
+### Creating a new tag
+Every two weeks or upon the decision of the maintainers, a maintainer can create a tag.
+
+The tag should look as follows: `v<A>.<B>.<C>-rc.D` (release candidate). 
+
+When creating a tag, GitHub will trigger the following actions:
+1. Basic tests - unit tests, license, etc.
+2. System tests (integration tests). If the tests fail, the actions will stop here.
+3. Create a new tag: `v<A>.<B>.<C>` (same tag just without the `rc` suffix)
+4. Create a release
+5. Publish artifacts
+6. Build and publish the docker image (this is meanwhile until we separate the microservice code from the LCI codebase)
+ 
+## Additional Information
+
+The "callers" have the alphabetic prefix and the "executes" have the numeric prefix
+
+## Screenshot
+
+<img width="1469" alt="image" src="https://user-images.githubusercontent.com/64066841/212532727-e82ec9e7-263d-408b-b4b0-a8c943f0109a.png">

.github/workflows/a-pr-scanner.yaml

@@ -0,0 +1,76 @@
+name: a-pr-scanner
+permissions: read-all
+on:
+  workflow_call:
+    inputs:
+      RELEASE:
+        description: 'release'
+        required: true
+        type: string
+      CLIENT:
+        description: 'Client name'
+        required: true
+        type: string
+      UNIT_TESTS_PATH:
+        required: false
+        type: string
+        default: "./..."
+      GO111MODULE:
+        required: true
+        type: string
+      CGO_ENABLED:
+        type: number
+        default: 1
+jobs:
+  unit-tests:
+    if: ${{ github.actor != 'kubescape' }}
+    name: Create cross-platform build
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    runs-on: ubuntu-large
+    steps:
+
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: recursive
+
+      - uses: actions/setup-go@v4
+        name: Installing go
+        with:
+          go-version: ${{ inputs.GO_VERSION }}
+
+      - name: Test core pkg
+        run: ${{ env.DOCKER_CMD }} go test -v ./...
+        if: startsWith(github.ref, 'refs/tags')
+
+      - name: Test httphandler pkg
+        run: ${{ env.DOCKER_CMD }} sh -c 'cd httphandler && go test -v ./...'
+        if: startsWith(github.ref, 'refs/tags')
+
+      - uses: anchore/sbom-action/download-syft@v0
+        name: Setup Syft
+
+      - uses: goreleaser/goreleaser-action@v6
+        name: Build
+        with:
+          distribution: goreleaser
+          version: latest
+          args: build --clean --snapshot --single-target
+        env:
+          RELEASE: ${{ inputs.RELEASE }}
+          CLIENT: ${{ inputs.CLIENT }}
+          CGO_ENABLED: ${{ inputs.CGO_ENABLED }}
+
+      - name: Smoke Testing
+        env:
+          RELEASE: ${{ inputs.RELEASE }}
+          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
+        run: ${{ env.DOCKER_CMD }} python3 smoke_testing/init.py ${PWD}/dist/cli_linux_amd64_v1/kubescape
+
+      - name: golangci-lint
+        continue-on-error: false
+        uses: golangci/golangci-lint-action@v9
+        with:
+          args: --timeout 10m
+          only-new-issues: true

.github/workflows/build.yaml

@@ -1,53 +0,0 @@
-name: build
-
-on:
-  push:
-    branches: [ master ]
-  pull_request:
-    branches: [ master ]
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v2
-
-    - name: Set up Go
-      uses: actions/setup-go@v2
-      with:
-        go-version: 1.16
-
-    - name: Build
-      run: mkdir build  && go mod tidy && go build -ldflags "-w -s" -o build/kubescape
-    
-    - name: Chmod
-      run: chmod +x build/kubescape
-
-    - name: List
-      run: ls -la
-      
-    - name: Create Release
-      id: create_release
-      uses: actions/create-release@v1
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      with:
-        tag_name: v0.0.${{ github.run_number }}
-        release_name: Release v0.0.${{ github.run_number }}
-        body: |
-          Changes in this Release
-          - First Change
-          - Second Change
-        draft: false
-        prerelease: false
- 
-    - name: Upload Release Asset
-      id: upload-release-asset 
-      uses: actions/upload-release-asset@v1
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      with:
-        upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps 
-        asset_path: build/kubescape
-        asset_name: kubescape
-        asset_content_type: application/octet-stream

.github/workflows/comments.yaml

@@ -0,0 +1,20 @@
+name: pr-agent
+permissions: read-all
+on:
+  issue_comment:
+
+jobs:
+  pr_agent:
+    permissions:
+      issues: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    name: Run pr agent on every pull request, respond to user comments
+    steps:
+      - name: PR Agent action step
+        continue-on-error: true
+        id: pragent
+        uses: Codium-ai/pr-agent@main
+        env:
+          OPENAI_KEY: ${{ secrets.OPENAI_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/scorecard.yml

@@ -0,0 +1,72 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '0 00 * * 1'
+  push:
+    branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@v4
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif

.gitignore

@@ -1,3 +1,18 @@
 *.vs*
-*go.sum*
-*kubescape*
+*kubescape*
+!*Dockerfile*
+*debug*
+*vendor*
+*.pyc*
+.idea
+.history
+ca.srl
+*.out
+ks
+cosign.key
+
+dist/
+
+# Test output files
+customFilename.pdf
+customFilename.xml

.gitmodules

@@ -1,4 +0,0 @@
-[submodule "vendor/github.com/armosec/capacketsgo"]
-	path = vendor/github.com/armosec/capacketsgo
-	url = git@github.com:armosec/capacketsgo.git
-	branch = master

.golangci.yml

@@ -0,0 +1,57 @@
+version: "2"
+linters:
+  enable:
+    - bodyclose
+    - gosec
+    - nolintlint
+  disable:
+    - dupl
+    - errcheck
+    - gochecknoglobals
+    - gochecknoinits
+    - gocognit
+    - gocritic
+    - lll
+    - nakedret
+    - revive
+    - unconvert
+    - unparam
+  settings:
+    dupl:
+      threshold: 200
+    gocognit:
+      min-complexity: 65
+    goconst:
+      min-len: 3
+      min-occurrences: 2
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      - linters:
+          - revive
+        text: var-naming
+      - linters:
+          - revive
+        text: type name will be used as (.+?) by other packages, and that stutters
+      - linters:
+          - staticcheck
+        text: ST1003
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$

.goreleaser.yaml

@@ -0,0 +1,148 @@
+# Make sure to check the documentation at https://goreleaser.com
+
+# The lines below are called `modelines`. See `:help modeline`
+# Feel free to remove those if you don't want/need to use them.
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
+
+version: 2
+
+before:
+  hooks:
+    # You may remove this if you don't use go modules.
+    - go mod tidy
+    - go test -v ./...
+    - go -C httphandler test -v ./...
+
+archives:
+  - id: cli
+    ids:
+      - cli
+
+    formats:
+      - binary
+      - tar.gz
+
+builds:
+  - id: cli
+    binary: kubescape
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+      - arm64
+    ldflags:
+      - -X main.version={{.Version}}
+      - -X main.commit={{.Commit}}
+      - -X main.date={{.Date}}
+      - -X github.com/kubescape/backend/pkg/versioncheck.Client={{.Env.CLIENT}}
+    hooks:
+      post:
+        - cmd: >
+            {{ if eq .Arch "amd64" }}
+            /bin/sh -lc 'sh build/goreleaser-post-e2e.sh'
+            {{ end }}
+  - id: downloader
+    dir: downloader
+    binary: downloader
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+  - id: http
+    dir: httphandler
+    binary: ksserver
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+
+nfpms:
+  - id: cli
+    package_name: kubescape
+    ids:
+      - cli
+    vendor: Kubescape
+    homepage: https://kubescape.io/
+    maintainer: matthiasb@kubescape.io
+    formats:
+      - apk
+      - deb
+      - rpm
+    bindir: /usr/bin
+
+docker_signs:
+  - stdin: "{{ .Env.COSIGN_PWD }}"
+
+dockers_v2:
+  - id: cli
+    images:
+      - "quay.io/kubescape/kubescape-cli"
+    tags:
+      - "{{ .Tag }}"
+    labels:
+      "org.opencontainers.image.description": "Kubescape CLI"
+      "org.opencontainers.image.created": "{{.Date}}"
+      "org.opencontainers.image.name": "{{.ProjectName}}"
+      "org.opencontainers.image.revision": "{{.FullCommit}}"
+      "org.opencontainers.image.version": "{{.Version}}"
+      "org.opencontainers.image.source": "{{.GitURL}}"
+    ids:
+      - cli
+    dockerfile: build/kubescape-cli.Dockerfile
+  - id: http
+    images:
+      - "quay.io/kubescape/kubescape"
+    tags:
+      - "{{ .Tag }}"
+    labels:
+      "org.opencontainers.image.description": "Kubescape microservice"
+      "org.opencontainers.image.created": "{{.Date}}"
+      "org.opencontainers.image.name": "{{.ProjectName}}"
+      "org.opencontainers.image.revision": "{{.FullCommit}}"
+      "org.opencontainers.image.version": "{{.Version}}"
+      "org.opencontainers.image.source": "{{.GitURL}}"
+    ids:
+      - downloader
+      - http
+    dockerfile: build/Dockerfile
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"
+
+checksum:
+  name_template: "checksums.sha256"
+
+sboms:
+  - artifacts: binary
+
+krews:
+  - name: kubescape
+    ids:
+      - cli
+    skip_upload: true
+    homepage: https://kubescape.io/
+    description: It includes risk analysis, security compliance, and misconfiguration scanning with an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities.
+    short_description: Scan resources and cluster configs against security frameworks.
+
+release:
+  draft: false
+  footer: >-
+
+    ---
+
+    Released by [GoReleaser](https://github.com/goreleaser/goreleaser).

.krew.yaml

@@ -0,0 +1,60 @@
+apiVersion: krew.googlecontainertools.github.com/v1alpha2
+kind: Plugin
+metadata:
+  name: kubescape
+spec:
+  version: {{ .TagName }}
+  platforms:
+  - selector:
+      matchLabels:
+        os: linux
+        arch: amd64
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_linux_amd64.tar.gz" .TagName) .TagName }}
+    bin: kubescape
+  - selector:
+      matchLabels:
+        os: linux
+        arch: arm64
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_linux_arm64.tar.gz" .TagName) .TagName }}
+    bin: kubescape
+  - selector:
+      matchLabels:
+        os: darwin
+        arch: amd64
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_darwin_amd64.tar.gz" .TagName) .TagName }}
+    bin: kubescape
+  - selector:
+      matchLabels:
+        os: darwin
+        arch: arm64
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_darwin_arm64.tar.gz" .TagName) .TagName }}
+    bin: kubescape
+  - selector:
+      matchLabels:
+        os: windows
+        arch: amd64
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_windows_amd64.tar.gz" .TagName) .TagName }}
+    bin: kubescape.exe
+  - selector:
+      matchLabels:
+        os: windows
+        arch: arm64
+    {{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_windows_arm64.tar.gz" .TagName) .TagName }}
+    bin: kubescape.exe
+  shortDescription: Scan resources and cluster configs against security frameworks.
+  description: |
+    Kubescape is the first tool for testing if Kubernetes is deployed securely
+    according to mitigations and best practices. It includes risk analysis,
+    security compliance, and misconfiguration scanning with an easy-to-use
+    CLI interface, flexible output formats, and automated scanning capabilities.
+
+    Features:
+    - Risk analysis: Identify vulnerabilities and security risks in your cluster
+    - Security compliance: Check your cluster against multiple security frameworks
+    - Misconfiguration scanning: Detect security misconfigurations in your workloads
+    - Flexible output: Results in JSON, SARIF, HTML, JUnit, and Prometheus formats
+    - CI/CD integration: Easily integrate into your CI/CD pipeline
+  homepage: https://kubescape.io/
+  caveats: |
+    Requires kubectl and basic knowledge of Kubernetes.
+    Run 'kubescape scan' to scan your Kubernetes cluster or manifests.

ADOPTERS.md

@@ -0,0 +1,5 @@
+# Adopters
+
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized ADOPTERS.md](https://github.com/kubescape/project-governance/blob/main/ADOPTERS.md)

CODE_OF_CONDUCT.md

@@ -0,0 +1,5 @@
+# Code of Conduct
+
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized CODE_OF_CONDUCT.md](https://github.com/kubescape/project-governance/blob/main/CODE_OF_CONDUCT.md)

COMMUNITY.md

@@ -0,0 +1,5 @@
+# Community
+
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized COMMUNITY.md](https://github.com/kubescape/project-governance/blob/main/COMMUNITY.md)

CONTRIBUTING.md

@@ -0,0 +1,5 @@
+# Contributing
+
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized CONTRIBUTING.md](https://github.com/kubescape/project-governance/blob/main/CONTRIBUTING.md)

GOVERNANCE.md

@@ -0,0 +1,5 @@
+# Governance
+
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized GOVERNANCE.md](https://github.com/kubescape/project-governance/blob/main/GOVERNANCE.md)

KREW_RELEASE.md

@@ -0,0 +1,273 @@
+# Krew Release Automation Guide
+
+This document explains how kubescape automates publishing to the Kubernetes plugin package manager, krew.
+
+## What is Krew?
+
+Krew is a plugin manager for `kubectl`. It allows users to discover and install `kubectl` plugins easily. You can learn more about krew at [https://krew.sigs.k8s.io/](https://krew.sigs.k8s.io/).
+
+## How kubescape publishes to krew
+
+We use the [krew-release-bot](https://github.com/rajatjindal/krew-release-bot) to automatically create pull requests to the [kubernetes-sigs/krew-index](https://github.com/kubernetes-sigs/krew-index) repository whenever a new release of kubescape is published.
+
+### Setup Overview
+
+The automation consists of three components:
+
+1. **`.krew.yaml`** - A template file that the bot uses to generate the krew plugin manifest
+2. **`.github/workflows/02-release.yaml`** - GitHub Actions workflow that runs the krew-release-bot after a successful release
+3. **`.goreleaser.yaml`** - GoReleaser configuration that defines the krew manifest (though upload is skipped)
+
+### Why Use krew-release-bot Instead of GoReleaser's Built-in Krew Support?
+
+You might have noticed that **GoReleaser has built-in krew support** in its `krews` section. However, almost all projects (including stern) use `skip_upload: true` and rely on **krew-release-bot** instead. Here's why:
+
+#### Problems with GoReleaser's Built-in Krew Publishing
+
+To use GoReleaser's direct krew publishing, you would need to:
+
+```yaml
+krews:
+  - name: kubescape
+    skip_upload: false  # Instead of true
+    repository:
+      owner: kubernetes-sigs
+      name: krew-index
+      token: "{{ .Env.KREW_INDEX_TOKEN }}"  # Required!
+      pull_request:
+        enabled: true  # Requires GoReleaser Pro for cross-repo PRs
+```
+
+This approach has several critical issues:
+
+1. **Permission Barrier**: Almost no one has write access to `kubernetes-sigs/krew-index`. You would need special permissions from the Krew maintainers, which is rarely granted.
+
+2. **Security Risk**: You'd need to store a GitHub personal access token with write access to the krew-index in your repository secrets. This token could be compromised and used to make unauthorized changes to the krew-index.
+
+3. **GoReleaser Pro Required**: To create pull requests to a different repository (cross-repository), you need GoReleaser Pro, which is a paid product.
+
+4. **Manual Work**: Even if you had access, you'd need to manually configure and maintain the repository settings, tokens, and potentially deal with rate limits and authentication issues.
+
+#### Why krew-release-bot is the Right Solution
+
+The **krew-release-bot** was created by the Kubernetes community (in collaboration with the Krew team) specifically to solve these problems:
+
+- **No Repository Access Required**: The bot acts as an intermediary with pre-configured access to krew-index. You don't need write permissions.
+
+- **No Tokens Needed**: It uses GitHub's `GITHUB_TOKEN` (automatically available in GitHub Actions) via webhooks and events. No personal access tokens required.
+
+- **Designed for Krew**: It's specifically built for the krew-index workflow and integrates with Krew's automation.
+
+- **Automatic Merging**: The Krew team has configured their CI to automatically test and merge PRs from krew-release-bot (usually within 5-10 minutes).
+
+- **Officially Recommended**: The Krew team explicitly recommends this approach in their documentation as the standard way to automate plugin updates.
+
+- **Free and Open Source**: No paid subscriptions required.
+
+#### The Real-World Evidence
+
+Looking at recent pull requests to `kubernetes-sigs/krew-index`, **almost all automated plugin updates are created by krew-release-bot**. You'll see patterns like:
+
+```
+Author: krew-release-bot
+Title: "release new version v0.6.11 of radar"
+```
+
+This demonstrates that the entire Kubernetes ecosystem has standardized on krew-release-bot, not GoReleaser's built-in publishing.
+
+#### Summary
+
+While GoReleaser's built-in krew support exists in the code, it's **practically unusable for the krew-index repository** due to permission and security constraints. The krew-release-bot is the de facto standard because:
+- It works without special permissions
+- It's more secure
+- It integrates with Krew's automation
+- It's free and recommended by the Krew team
+
+This is why we use `skip_upload: true` in GoReleaser and let krew-release-bot handle the actual publishing.
+
+### The Template File
+
+The `.krew.yaml` file in the repository root is a Go template that contains placeholders for dynamic values:
+
+```yaml
+apiVersion: krew.googlecontainertools.github.com/v1alpha2
+kind: Plugin
+metadata:
+  name: kubescape
+spec:
+  version: {{ .TagName }}
+  platforms:
+  - selector:
+      matchLabels:
+        os: linux
+        arch: amd64
+    {{ $version := trimPrefix "v" .TagName }}{{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_linux_amd64.tar.gz" $version) .TagName }}
+    bin: kubescape
+  - selector:
+      matchLabels:
+        os: linux
+        arch: arm64
+    {{ $version := trimPrefix "v" .TagName }}{{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_linux_arm64.tar.gz" $version) .TagName }}
+    bin: kubescape
+  - selector:
+      matchLabels:
+        os: darwin
+        arch: amd64
+    {{ $version := trimPrefix "v" .TagName }}{{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_darwin_amd64.tar.gz" $version) .TagName }}
+    bin: kubescape
+  - selector:
+      matchLabels:
+        os: darwin
+        arch: arm64
+    {{ $version := trimPrefix "v" .TagName }}{{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_darwin_arm64.tar.gz" $version) .TagName }}
+    bin: kubescape
+  - selector:
+      matchLabels:
+        os: windows
+        arch: amd64
+    {{ $version := trimPrefix "v" .TagName }}{{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_windows_amd64.tar.gz" $version) .TagName }}
+    bin: kubescape.exe
+  - selector:
+      matchLabels:
+        os: windows
+        arch: arm64
+    {{ $version := trimPrefix "v" .TagName }}{{ addURIAndSha "https://github.com/kubescape/kubescape/releases/download/" .TagName (printf "kubescape_%s_windows_arm64.tar.gz" $version) .TagName }}
+    bin: kubescape.exe
+  shortDescription: Scan resources and cluster configs against security frameworks.
+  description: |
+    Kubescape is the first tool for testing if Kubernetes is deployed securely
+    according to mitigations and best practices. It includes risk analysis,
+    security compliance, and misconfiguration scanning with an easy-to-use
+    CLI interface, flexible output formats, and automated scanning capabilities.
+
+    Features:
+    - Risk analysis: Identify vulnerabilities and security risks in your cluster
+    - Security compliance: Check your cluster against multiple security frameworks
+    - Misconfiguration scanning: Detect security misconfigurations in your workloads
+    - Flexible output: Results in JSON, SARIF, HTML, JUnit, and Prometheus formats
+    - CI/CD integration: Easily integrate into your CI/CD pipeline
+  homepage: https://kubescape.io/
+  caveats: |
+    Requires kubectl and basic knowledge of Kubernetes.
+    Run 'kubescape scan' to scan your Kubernetes cluster or manifests.
+```
+
+The `{{ .TagName }}` is replaced with the release tag (e.g., `v3.0.0`), `{{ trimPrefix "v" .TagName }}` removes the version prefix, and `{{ addURIAndSha ... }}` calculates the SHA256 checksum for the binary archive.
+
+### Release Workflow
+
+The release workflow (`.github/workflows/02-release.yaml`) can be triggered in two ways:
+
+1. **Automatic**: When a new tag matching the pattern `v[0-9]+.[0-9]+.[0-9]+` is pushed to the repository
+2. **Manual**: Via `workflow_dispatch` with an optional `skip_publish` input
+
+When the workflow is triggered:
+
+1. GoReleaser builds and publishes the release artifacts (unless `skip_publish=true` is set)
+2. The krew-release-bot step runs conditionally:
+   - It **runs** when triggered by a tag push OR by `workflow_dispatch` with `skip_publish=false`
+   - It **skips** when triggered by `workflow_dispatch` with `skip_publish=true` (default)
+3. When it runs, the bot:
+   - Reads the `.krew.yaml` template
+   - Fills in the template with release information
+   - Creates a pull request to the `kubernetes-sigs/krew-index` repository
+   - The PR is automatically tested and merged by krew's infrastructure
+
+### Workflow Permissions
+
+The release job has the following permissions:
+
+```yaml
+permissions:
+  actions: read
+  checks: read
+  contents: write
+  deployments: read
+  discussions: read
+  id-token: write
+  issues: read
+  models: read
+  packages: write
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  statuses: read
+  security-events: read
+  attestations: read
+  artifact-metadata: read
+```
+
+These permissions are necessary for GoReleaser to create releases and upload artifacts.
+
+### Testing the Template
+
+Before committing changes to `.krew.yaml`, you can test how the template will be rendered using Docker:
+
+```bash
+docker run -v $(pwd)/.krew.yaml:/tmp/.krew.yaml ghcr.io/rajatjindal/krew-release-bot:v0.0.47 \
+  krew-release-bot template --tag v3.0.0 --template-file /tmp/.krew.yaml
+```
+
+This will output the generated krew manifest file, allowing you to verify:
+- The version field is correct
+- All download URLs are properly formatted
+- The SHA256 checksum will be calculated correctly
+
+### Why skip_upload in GoReleaser?
+
+In `.goreleaser.yaml`, the `krews` section has `skip_upload: true`:
+
+```yaml
+krews:
+  - name: kubescape
+    ids:
+      - cli
+    skip_upload: true  # We use krew-release-bot instead
+    homepage: https://kubescape.io/
+    description: It includes risk analysis, security compliance, and misconfiguration scanning with an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities.
+    short_description: Scan resources and cluster configs against security frameworks.
+```
+
+This is intentional because:
+- GoReleaser generates the manifest but doesn't have built-in support for submitting PRs to krew-index
+- krew-release-bot is the recommended tool for krew automation by the Krew team
+- Using krew-release-bot provides automatic testing and merging of version bump PRs
+
+### Manual Release Testing
+
+You can test the release workflow manually without publishing to krew by using `workflow_dispatch`:
+
+1. Go to Actions tab in GitHub
+2. Select "02-create_release" workflow
+3. Click "Run workflow"
+4. The `skip_publish` input defaults to `true` (publishing will be skipped)
+5. Set `skip_publish` to `false` if you want to test the full release process including krew indexing
+
+### Making Changes to the Template
+
+If you need to update the krew manifest (e.g., change the description, add platforms, or update the binary location):
+
+1. Edit the `.krew.yaml` file
+2. Test your changes with the Docker command shown above
+3. Commit and push the changes
+4. The next release will use the updated template
+
+### Installing kubescape via krew
+
+Once the plugin is indexed in krew, users can install it with:
+
+```bash
+kubectl krew install kubernetes-sigs/kubescape
+```
+
+Or after index update:
+
+```bash
+kubectl krew install kubescape
+```
+
+### Further Reading
+
+- [Krew official documentation](https://krew.sigs.k8s.io/docs/developer-guide/)
+- [krew-release-bot repository](https://github.com/rajatjindal/krew-release-bot)
+- [Krew plugin submission guide](https://krew.sigs.k8s.io/docs/developer-guide/develop/plugins/)

LICENSE

@@ -1,3 +1,4 @@
+
                                  Apache License
                            Version 2.0, January 2004
                         http://www.apache.org/licenses/

MAINTAINERS.md

@@ -0,0 +1,5 @@
+# Maintainers
+
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized MAINTAINERS.md](https://github.com/kubescape/project-governance/blob/main/MAINTAINERS.md)

Makefile

@@ -0,0 +1,12 @@
+.PHONY: test all build
+
+# default task invoked while running make
+all: build
+
+export CGO_ENABLED=0
+
+build:
+	go build -v .
+
+test:
+	go test -v ./...

README.md

@@ -1,56 +1,500 @@
-<img src="docs/kubescape.png" width="300" alt="logo" align="center">
+[![Version](https://img.shields.io/github/v/release/kubescape/kubescape)](https://github.com/kubescape/kubescape/releases)
+[![build](https://github.com/kubescape/kubescape/actions/workflows/02-release.yaml/badge.svg)](https://github.com/kubescape/kubescape/actions/workflows/02-release.yaml)
+[![Go Report Card](https://goreportcard.com/badge/github.com/kubescape/kubescape)](https://goreportcard.com/report/github.com/kubescape/kubescape)
+[![Gitpod Ready-to-Code](https://img.shields.io/badge/Gitpod-Ready--to--Code-blue?logo=gitpod)](https://gitpod.io/#https://github.com/kubescape/kubescape)
+[![GitHub](https://img.shields.io/github/license/kubescape/kubescape)](https://github.com/kubescape/kubescape/blob/master/LICENSE)
+[![CNCF](https://shields.io/badge/CNCF-Incubating%20project-blue?logo=linux-foundation&style=flat)](https://landscape.cncf.io/?item=provisioning--security-compliance--kubescape)
+[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/kubescape)](https://artifacthub.io/packages/search?repo=kubescape)
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fkubescape%2Fkubescape.svg?type=shield&issueType=license)](https://app.fossa.com/projects/git%2Bgithub.com%2Fkubescape%2Fkubescape?ref=badge_shield&issueType=license)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/6944/badge)](https://www.bestpractices.dev/projects/6944)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/kubescape/kubescape/badge)](https://securityscorecards.dev/viewer/?uri=github.com/kubescape/kubescape)
+[![Docs](https://img.shields.io/badge/docs-latest-brightgreen?logo=gitbook)](https://kubescape.io/docs/)
+[![Stars](https://img.shields.io/github/stars/kubescape/kubescape?style=social)](https://github.com/kubescape/kubescape/stargazers)
+[![Twitter Follow](https://img.shields.io/twitter/follow/kubescape?style=social)](https://twitter.com/kubescape)
+[![Slack](https://img.shields.io/badge/slack-kubescape-blueviolet?logo=slack)](https://cloud-native.slack.com/archives/C04EY3ZF9GE)
 
-Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in [Kubernetes Hardening Guidance by to NSA and CISA](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
-Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
+# Kubescape
 
-<img src="docs/using-mov.gif">
+<picture>
+  <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/white/kubescape-stacked-white.svg" width="150">
+  <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/color/kubescape-stacked-color.svg" width="150">
+  <img alt="Kubescape logo" align="right" src="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/color/kubescape-stacked-color.svg" width="150">
+</picture>
 
-# TL;DR
-## Installation
-To install the tool locally, run this:
+_Comprehensive Kubernetes Security from Development to Runtime_
 
-`curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash`
+Kubescape is an open-source Kubernetes security platform that provides comprehensive security coverage, from left to right across the entire development and deployment lifecycle. It offers hardening, posture management, and runtime security capabilities to ensure robust protection for Kubernetes environments.
 
-<img src="docs/install.jpeg">
+Kubescape was created by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository) and is a [Cloud Native Computing Foundation (CNCF) incubating project](https://www.cncf.io/projects/).
 
-## Run
-To get a fast check of the security posture of your Kubernetes cluster, run this:
+_Please [star ⭐](https://github.com/kubescape/kubescape/stargazers) the repo if you want us to continue developing and improving Kubescape!_
 
-`kubescape scan framework nsa`
+---
 
-<img src="docs/run.jpeg">
+## 📑 Table of Contents
 
+- [Features](#-features)
+- [Demo](#-demo)
+- [Quick Start](#-quick-start)
+- [Installation](#-installation)
+- [CLI Commands](#%EF%B8%8F-cli-commands)
+- [Usage Examples](#-usage-examples)
+- [Architecture](#%EF%B8%8F-architecture)
+- [In-Cluster Operator](#%EF%B8%8F-in-cluster-operator)
+- [Integrations](#-integrations)
+- [Community](#-community)
+- [Changelog](#changelog)
+- [License](#license)
 
-# Status
-[![build](https://github.com/armosec/kubescape/actions/workflows/build.yaml/badge.svg)](https://github.com/armosec/kubescape/actions/workflows/build.yaml)
+---
 
-# How to build 
-`go mod tidy && go build -o kubescape` :zany_face:
+## ✨ Features
 
-# Under the hood
+| Feature | Description |
+|---------|-------------|
+| 🔍 **Misconfiguration Scanning** | Scan clusters, YAML files, and Helm charts against NSA-CISA, MITRE ATT&CK®, and CIS Benchmarks |
+| 🐳 **Image Vulnerability Scanning** | Detect CVEs in container images using [Grype](https://github.com/anchore/grype) |
+| 🩹 **Image Patching** | Automatically patch vulnerable images using [Copacetic](https://github.com/project-copacetic/copacetic) |
+| 🔧 **Auto-Remediation** | Automatically fix misconfigurations in Kubernetes manifests |
+| 🛡️ **Admission Control** | Enforce security policies with Validating Admission Policies (VAP) |
+| 📊 **Runtime Security** | eBPF-based runtime monitoring via [Inspektor Gadget](https://github.com/inspektor-gadget) |
+| 🤖 **AI Integration** | MCP server for AI assistant integration |
 
-## Tests
-Kubescape is running the following tests according to what is defined by [Kubernetes Hardening Guidance by to NSA and CISA](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
-* Non-root containers
-* Immutable container filesystem 
-* Building secure container images
-* Privileged containers 
-* hostPID, hostIPC privileges
-* hostNetwork access
-* allowedHostPaths field
-* Protecting pod service account tokens
-* Pods in kube-system and kube-public
-* Resource policies
-* Control plane hardening 
-* Encrypted secrets 
-* Anonymous Requests
+---
 
+## 🎬 Demo
 
-## Technology
-Kubescape based on OPA engine: https://github.com/open-policy-agent/opa and ARMO's posture controls. 
+<img src="docs/img/demo-v3.gif" alt="Kubescape CLI demo">
 
-The tools retrieves Kubernetes objects from the API server and runs a set of [regos snippets](https://www.openpolicyagent.org/docs/latest/policy-language/) developed by [ARMO](https://www.armosec.io/). 
+---
 
-The results by default printed in a pretty "console friendly" manner, but they can be retrieved in JSON format for further processing.
+## 🚀 Quick Start
 
-Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.
+### 1. Install Kubescape
+
+```sh
+curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
+```
+
+> 💡 See [Installation](#-installation) for more options (Homebrew, Krew, Windows, etc.)
+
+### 2. Run Your First Scan
+
+```sh
+# Scan your current cluster
+kubescape scan
+
+# Scan a specific YAML file or directory
+kubescape scan /path/to/manifests/
+
+# Scan a container image for vulnerabilities
+kubescape scan image nginx:latest
+```
+
+### 3. Explore the Results
+
+Kubescape provides a detailed security posture overview including:
+- Control plane security status
+- Access control risks
+- Workload misconfigurations
+- Network policy gaps
+- Compliance scores (MITRE, NSA)
+
+---
+
+## 📦 Installation
+
+### One-Line Install (Linux/macOS)
+
+```bash
+curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
+```
+
+### Package Managers
+
+| Platform | Command |
+|----------|---------|
+| **Homebrew** | `brew install kubescape` |
+| **Krew** | `kubectl krew install kubescape` |
+| **Arch Linux** | `yay -S kubescape` |
+| **Ubuntu** | `sudo add-apt-repository ppa:kubescape/kubescape && sudo apt install kubescape` |
+| **NixOS** | `nix-shell -p kubescape` |
+| **Chocolatey** | `choco install kubescape` |
+| **Scoop** | `scoop install kubescape` |
+
+### Windows (PowerShell)
+
+```powershell
+iwr -useb https://raw.githubusercontent.com/kubescape/kubescape/master/install.ps1 | iex
+```
+
+📖 **[Full Installation Guide →](docs/installation.md)**
+
+---
+
+## 🛠️ CLI Commands
+
+Kubescape provides a comprehensive CLI with the following commands:
+
+| Command | Description |
+|---------|-------------|
+| [`kubescape scan`](#scanning) | Scan cluster, files, or images for security issues |
+| [`kubescape scan image`](#image-scanning) | Scan container images for vulnerabilities |
+| [`kubescape fix`](#auto-fix) | Auto-fix misconfigurations in manifest files |
+| [`kubescape patch`](#image-patching) | Patch container images to fix vulnerabilities |
+| [`kubescape list`](#list-frameworks-and-controls) | List available frameworks and controls |
+| [`kubescape download`](#offline-support) | Download artifacts for offline/air-gapped use |
+| [`kubescape config`](#configuration) | Manage cached configurations |
+| [`kubescape operator`](#operator-commands) | Interact with in-cluster Kubescape operator |
+| [`kubescape vap`](#validating-admission-policies) | Manage Validating Admission Policies |
+| [`kubescape mcpserver`](#mcp-server) | Start MCP server for AI assistant integration |
+| `kubescape completion` | Generate shell completion scripts |
+| `kubescape version` | Display version information |
+
+---
+
+## 📖 Usage Examples
+
+### Scanning
+
+#### Scan a Running Cluster
+
+```bash
+# Default scan (all frameworks)
+kubescape scan
+
+# Scan with a specific framework
+kubescape scan framework nsa
+kubescape scan framework mitre
+kubescape scan framework cis-v1.23-t1.0.1
+
+# Scan a specific control
+kubescape scan control C-0005 -v
+```
+
+#### Scan Files and Repositories
+
+```bash
+# Scan local YAML files
+kubescape scan /path/to/manifests/
+
+# Scan a Helm chart
+kubescape scan /path/to/helm/chart/
+
+# Scan a Git repository
+kubescape scan https://github.com/kubescape/kubescape
+
+# Scan with Kustomize
+kubescape scan /path/to/kustomize/directory/
+```
+
+#### Scan Options
+
+```bash
+# Include/exclude namespaces
+kubescape scan --include-namespaces production,staging
+kubescape scan --exclude-namespaces kube-system,kube-public
+
+# Use alternative kubeconfig
+kubescape scan --kubeconfig /path/to/kubeconfig
+
+# Set compliance threshold (exit code 1 if below threshold)
+kubescape scan --compliance-threshold 80
+
+# Set severity threshold
+kubescape scan --severity-threshold high
+```
+
+#### Output Formats
+
+```bash
+# JSON output
+kubescape scan --format json --output results.json
+
+# JUnit XML (for CI/CD)
+kubescape scan --format junit --output results.xml
+
+# SARIF (for GitHub Code Scanning)
+kubescape scan --format sarif --output results.sarif
+
+# HTML report
+kubescape scan --format html --output report.html
+
+# PDF report
+kubescape scan --format pdf --output report.pdf
+```
+
+### Image Scanning
+
+```bash
+# Scan a public image
+kubescape scan image nginx:1.21
+
+# Scan with verbose output
+kubescape scan image nginx:1.21 -v
+
+# Scan a private registry image
+kubescape scan image myregistry/myimage:tag --username user --password pass
+```
+
+### Auto-Fix
+
+Automatically fix misconfigurations in your manifest files:
+
+```bash
+# First, scan and save results to JSON
+kubescape scan /path/to/manifests --format json --output results.json
+
+# Then apply fixes
+kubescape fix results.json
+
+# Dry run (preview changes without applying)
+kubescape fix results.json --dry-run
+
+# Apply fixes without confirmation prompts
+kubescape fix results.json --no-confirm
+```
+
+### Image Patching
+
+Patch container images to fix OS-level vulnerabilities:
+
+```bash
+# Start buildkitd (required)
+sudo buildkitd &
+
+# Patch an image
+sudo kubescape patch --image docker.io/library/nginx:1.22
+
+# Specify custom output tag
+sudo kubescape patch --image nginx:1.22 --tag nginx:1.22-patched
+
+# See detailed vulnerability report
+sudo kubescape patch --image nginx:1.22 -v
+```
+
+📖 **[Full Patch Command Documentation →](cmd/patch/README.md)**
+
+### List Frameworks and Controls
+
+```bash
+# List available frameworks
+kubescape list frameworks
+
+# List all controls
+kubescape list controls
+
+# Output as JSON
+kubescape list controls --format json
+```
+
+### Offline Support
+
+Download artifacts for air-gapped environments:
+
+```bash
+# Download all artifacts
+kubescape download artifacts --output /path/to/offline/dir
+
+# Download a specific framework
+kubescape download framework nsa --output /path/to/nsa.json
+
+# Scan using downloaded artifacts
+kubescape scan --use-artifacts-from /path/to/offline/dir
+```
+
+### Configuration
+
+```bash
+# View current configuration
+kubescape config view
+
+# Set account ID
+kubescape config set accountID <your-account-id>
+
+# Delete cached configuration
+kubescape config delete
+```
+
+### Operator Commands
+
+Interact with the in-cluster Kubescape operator:
+
+```bash
+# Trigger a configuration scan
+kubescape operator scan configurations
+
+# Trigger a vulnerability scan
+kubescape operator scan vulnerabilities
+```
+
+### Validating Admission Policies
+
+Manage Kubernetes Validating Admission Policies:
+
+```bash
+# Deploy the Kubescape CEL admission policy library
+kubescape vap deploy-library | kubectl apply -f -
+
+# Create a policy binding
+kubescape vap create-policy-binding \
+  --name my-policy-binding \
+  --policy c-0016 \
+  --namespace my-namespace | kubectl apply -f -
+```
+
+### MCP Server
+
+Start an MCP (Model Context Protocol) server for AI assistant integration:
+
+```bash
+kubescape mcpserver
+```
+
+The MCP server exposes Kubescape's vulnerability and configuration scan data to AI assistants, enabling natural language queries about your cluster's security posture.
+
+**Available MCP Tools:**
+- `list_vulnerability_manifests` - Discover vulnerability manifests
+- `list_vulnerabilities_in_manifest` - List CVEs in a manifest
+- `list_vulnerability_matches_for_cve` - Get details for a specific CVE
+- `list_configuration_security_scan_manifests` - List configuration scan results
+- `get_configuration_security_scan_manifest` - Get configuration scan details
+
+---
+
+## 🏗️ Architecture
+
+Kubescape can run in two modes:
+
+### CLI Mode
+
+The CLI is a standalone tool that scans clusters, files, and images on-demand.
+
+<div align="center">
+    <img src="docs/img/ks-cli-arch.png" width="600" alt="CLI Architecture">
+</div>
+
+**Key Components:**
+- **[Open Policy Agent (OPA)](https://github.com/open-policy-agent/opa)** - Policy evaluation engine
+- **[Regolibrary](https://github.com/kubescape/regolibrary)** - Library of security controls
+- **[Grype](https://github.com/anchore/grype)** - Image vulnerability scanning
+- **[Copacetic](https://github.com/project-copacetic/copacetic)** - Image patching
+
+### Operator Mode (In-Cluster)
+
+For continuous monitoring, deploy the Kubescape operator via Helm.
+
+<div align="center">
+    <img src="docs/img/ks-operator-arch.png" width="600" alt="Operator Architecture">
+</div>
+
+**Additional Capabilities:**
+- Continuous configuration scanning
+- Image vulnerability scanning
+- Runtime analysis with eBPF
+- Network policy generation
+
+📖 **[Full Architecture Documentation →](docs/architecture.md)**
+
+---
+
+## ☸️ In-Cluster Operator
+
+The Kubescape operator provides continuous security monitoring in your cluster:
+
+```bash
+# Add the Kubescape Helm repository
+helm repo add kubescape https://kubescape.github.io/helm-charts/
+
+# Install the operator
+helm upgrade --install kubescape kubescape/kubescape-operator \
+  --namespace kubescape \
+  --create-namespace
+```
+
+**Operator Features:**
+- 🔄 Continuous misconfiguration scanning
+- 🐳 Image vulnerability scanning for all workloads
+- 🔍 Runtime threat detection (eBPF-based)
+- 🌐 Network policy generation
+- 📈 Prometheus metrics integration
+
+📖 **[Operator Installation Guide →](https://kubescape.io/docs/operator/)**
+
+---
+
+## 🔌 Integrations
+
+### CI/CD
+
+| Platform | Integration |
+|----------|-------------|
+| **GitHub Actions** | [kubescape/github-action](https://github.com/marketplace/actions/kubescape) |
+| **GitLab CI** | [Documentation](https://kubescape.io/docs/integrations/gitlab/) |
+| **Jenkins** | [Documentation](https://kubescape.io/docs/integrations/jenkins/) |
+
+### IDE Extensions
+
+| IDE | Extension |
+|-----|-----------|
+| **VS Code** | [Kubescape Extension](https://marketplace.visualstudio.com/items?itemName=kubescape.kubescape) |
+| **Lens** | [Kubescape Lens Extension](https://github.com/armosec/lens-kubescape) |
+
+### Where You Can Use Kubescape
+
+<div align="center">
+    <img src="docs/img/ksfromcodetodeploy.png" alt="Kubescape integration points: IDE, CI, CD, Runtime">
+</div>
+
+---
+
+## 👥 Community
+
+Kubescape is a CNCF incubating project with an active community.
+
+### Get Involved
+
+- 💬 **[Slack - Users Channel](https://cloud-native.slack.com/archives/C04EY3ZF9GE)** - Ask questions, get help
+- 💬 **[Slack - Developers Channel](https://cloud-native.slack.com/archives/C04GY6H082K)** - Contribute to development
+- 🐛 **[GitHub Issues](https://github.com/kubescape/kubescape/issues)** - Report bugs and request features
+- 📋 **[Project Board](https://github.com/orgs/kubescape/projects/4)** - See what we're working on
+- 🗺️ **[Roadmap](https://github.com/kubescape/project-governance/blob/main/ROADMAP.md)** - Future plans
+
+### Contributing
+
+We welcome contributions! Please see our:
+- **[Contributing Guide](https://github.com/kubescape/project-governance/blob/main/CONTRIBUTING.md)**
+- **[Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md)**
+
+### Community Resources
+
+- **[Community Info](https://github.com/kubescape/project-governance/blob/main/COMMUNITY.md)**
+- **[Governance](https://github.com/kubescape/project-governance/blob/main/GOVERNANCE.md)**
+- **[Security Policy](https://github.com/kubescape/project-governance/blob/main/SECURITY.md)**
+- **[Maintainers](https://github.com/kubescape/project-governance/blob/main/MAINTAINERS.md)**
+
+### Contributors
+
+<a href="https://github.com/kubescape/kubescape/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=kubescape/kubescape"/>
+</a>
+
+---
+
+## Changelog
+
+Kubescape changes are tracked on the [releases page](https://github.com/kubescape/kubescape/releases).
+
+---
+
+## License
+
+Copyright 2021-2025, the Kubescape Authors. All rights reserved.
+
+Kubescape is released under the [Apache 2.0 license](LICENSE).
+
+Kubescape is a [Cloud Native Computing Foundation (CNCF) incubating project](https://www.cncf.io/projects/kubescape/) and was contributed by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository).
+
+<div align="center">
+    <img src="https://raw.githubusercontent.com/cncf/artwork/refs/heads/main/other/cncf-member/incubating/color/cncf-incubating-color.svg" width="300" alt="CNCF Incubating Project">
+</div>

SECURITY-INSIGHTS.yml

@@ -0,0 +1,56 @@
+header:
+  schema-version: 1.0.0
+  last-updated: '2023-10-12'
+  last-reviewed: '2023-10-12'
+  expiration-date: '2024-10-12T01:00:00.000Z'
+  project-url: https://github.com/kubescape/kubescape/
+  project-release: 1.0.0
+project-lifecycle:
+  status: active
+  bug-fixes-only: false
+  core-maintainers:
+  - github:amirmalka
+  - github:amitschendel
+  - github:bezbran
+  - github:craigbox
+  - github:dwertent
+  - github:matthyx
+  - github:rotemamsa
+  - github:slashben
+contribution-policy:
+  accepts-pull-requests: true
+  accepts-automated-pull-requests: false
+  code-of-conduct: https://github.com/kubescape/kubescape/blob/master/CODE_OF_CONDUCT.md
+dependencies:
+  third-party-packages: true
+  dependencies-lists:
+  - https://github.com/kubescape/kubescape/blob/master/go.mod
+  - https://github.com/kubescape/kubescape/blob/master/httphandler/go.mod
+  env-dependencies-policy:
+    policy-url: https://github.com/kubescape/kubescape/blob/master/docs/environment-dependencies-policy.md
+documentation:
+- https://github.com/kubescape/kubescape/tree/master/docs
+distribution-points:
+- https://github.com/kubescape/kubescape/
+security-artifacts:
+  threat-model:
+    threat-model-created: false
+security-testing:
+- tool-type: sca
+  tool-name: Dependabot
+  tool-version: latest
+  integration:
+    ad-hoc: false
+    ci: true
+    before-release: true
+  comment: |
+    Dependabot is enabled for this repo.
+security-contacts:
+- type: email
+  value: cncf-kubescape-maintainers@lists.cncf.io
+vulnerability-reporting:
+  accepts-vulnerability-reports: true
+  security-policy: https://github.com/kubescape/kubescape/security/policy
+  email-contact: cncf-kubescape-maintainers@lists.cncf.io
+  comment: |
+    The first and best way to report a vulnerability is by using private security issues in GitHub.

SECURITY.md

@@ -0,0 +1,5 @@
+# Security
+
+The Kubescape project manages this document in the central project repository.
+
+Go to the [centralized SECURITY.md](https://github.com/kubescape/project-governance/blob/main/SECURITY.md)

build/Dockerfile

@@ -0,0 +1,14 @@
+FROM gcr.io/distroless/static-debian13:nonroot
+
+USER nonroot
+WORKDIR /home/nonroot/
+
+ARG TARGETPLATFORM
+COPY $TARGETPLATFORM/downloader /usr/bin/downloader
+RUN ["downloader"]
+COPY $TARGETPLATFORM/ksserver /usr/bin/ksserver
+
+ARG image_version client
+ENV RELEASE=$image_version CLIENT=$client
+
+ENTRYPOINT ["ksserver"]

build/Dockerfile.dockerignore

@@ -0,0 +1,2 @@
+.git
+kubescape*

build/README.md

@@ -0,0 +1,241 @@
+# Building Kubescape
+
+This guide covers how to build Kubescape from source.
+
+## Table of Contents
+
+- [Prerequisites](#prerequisites)
+- [Building the CLI](#building-the-cli)
+- [Building Docker Images](#building-docker-images)
+- [Build Options](#build-options)
+- [Development Setup](#development-setup)
+- [Troubleshooting](#troubleshooting)
+
+---
+
+## Prerequisites
+
+### Required
+
+- **Go 1.23+** - [Installation Guide](https://golang.org/doc/install)
+- **Git** - For cloning the repository
+- **Make** - For running build commands
+
+### Optional (for Docker builds)
+
+- **Docker** - [Installation Guide](https://docs.docker.com/get-docker/)
+- **Docker Buildx** - For multi-platform builds (included with Docker Desktop)
+- **GoReleaser** - [Installation Guide](https://goreleaser.com/install/)
+
+### Verify Prerequisites
+
+```bash
+go version    # Should be 1.23 or higher
+git --version
+make --version
+docker --version      # Optional
+goreleaser --version  # Optional
+```
+
+---
+
+## Building the CLI
+
+### Clone the Repository
+
+```bash
+git clone https://github.com/kubescape/kubescape.git
+cd kubescape
+```
+
+### Build with Make
+
+```bash
+# Build for your current platform
+make build
+
+# The binary will be at ./kubescape
+./kubescape version
+```
+
+### Build Directly with Go
+
+```bash
+go build -o kubescape .
+```
+
+### Build with GoReleaser
+
+```bash
+# Build for your current platform
+RELEASE=v0.0.1 CLIENT=local goreleaser build --snapshot --clean --single-target
+```
+
+### Cross-Compilation
+
+Build for different platforms:
+
+```bash
+# Linux (amd64)
+GOOS=linux GOARCH=amd64 go build -o kubescape-linux-amd64 .
+
+# Linux (arm64)
+GOOS=linux GOARCH=arm64 go build -o kubescape-linux-arm64 .
+
+# macOS (amd64)
+GOOS=darwin GOARCH=amd64 go build -o kubescape-darwin-amd64 .
+
+# macOS (arm64 / Apple Silicon)
+GOOS=darwin GOARCH=arm64 go build -o kubescape-darwin-arm64 .
+
+# Windows (amd64)
+GOOS=windows GOARCH=amd64 go build -o kubescape-windows-amd64.exe .
+```
+
+---
+
+## Building Docker Images
+
+Kubescape uses [GoReleaser](https://goreleaser.com/) to build its Docker images. The Dockerfiles are specifically designed to work with GoReleaser's build pipeline, which handles cross-compilation and places binaries in the expected directory structure.
+
+### Build with GoReleaser
+
+The recommended way to build Docker images locally is using GoReleaser. Note that `RELEASE`, `CLIENT`, and `RUN_E2E` environment variables are required:
+
+```bash
+# Build all artifacts and Docker images locally without publishing
+# --skip=before,krew,nfpm,sbom skips unnecessary steps for faster local builds
+RELEASE=v0.0.1 CLIENT=local RUN_E2E=false goreleaser release --snapshot --clean --skip=before,nfpm,sbom
+```
+
+Please read the [GoReleaser documentation](https://goreleaser.com/customization/dockers_v2/#testing-locally) for more details on using it for local testing.
+
+---
+
+## Build Options
+
+### Make Targets
+
+| Target | Description |
+|--------|-------------|
+| `make build` | Build the Kubescape binary |
+| `make test` | Run unit tests |
+| `make all` | Build everything |
+| `make clean` | Remove build artifacts |
+
+### Build Tags
+
+You can use Go build tags to customize the build:
+
+```bash
+# Example with build tags
+go build -tags "netgo" -o kubescape .
+```
+
+### Version Information
+
+To embed version information in the build:
+
+```bash
+VERSION=$(git describe --tags --always)
+BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+COMMIT=$(git rev-parse HEAD)
+
+go build -ldflags "-X main.version=$VERSION -X main.buildDate=$BUILD_DATE -X main.commit=$COMMIT" -o kubescape .
+```
+
+---
+
+## Development Setup
+
+### Install Development Dependencies
+
+```bash
+# Install golangci-lint for linting
+go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+
+# Install other tools as needed
+go mod download
+```
+
+### Run Tests
+
+```bash
+# Run all tests
+make test
+
+# Run tests with coverage
+go test -cover ./...
+
+# Run specific package tests
+go test ./core/...
+```
+
+### Run Linter
+
+```bash
+golangci-lint run
+```
+
+### Code Formatting
+
+```bash
+go fmt ./...
+```
+
+---
+
+## Troubleshooting
+
+### Build Fails with "module not found"
+
+```bash
+# Update dependencies
+go mod tidy
+go mod download
+```
+
+### CGO-related Errors
+
+If you encounter CGO errors, try building with CGO disabled:
+
+```bash
+CGO_ENABLED=0 go build -o kubescape .
+```
+
+### Docker Build Fails
+
+Ensure Docker daemon is running and you have sufficient permissions.
+
+If you encounter an error like `failed to calculate checksum ... "/linux/amd64/kubescape": not found`, it usually means you are trying to run `docker build` manually. Because the Dockerfiles are optimized for GoReleaser, you should use the `goreleaser release --snapshot` command described in the [Building Docker Images](#building-docker-images) section instead.
+
+```bash
+# Check Docker status
+docker info
+```
+
+### Out of Memory During Build
+
+For systems with limited memory:
+
+```bash
+# Limit Go's memory usage
+GOGC=50 go build -o kubescape .
+```
+
+---
+
+## Dockerfiles
+
+| File | Description |
+|------|-------------|
+| `build/Dockerfile` | Full Kubescape image with HTTP handler |
+| `build/kubescape-cli.Dockerfile` | Minimal CLI-only image |
+
+---
+
+## Related Documentation
+
+- [Contributing Guide](https://github.com/kubescape/project-governance/blob/main/CONTRIBUTING.md)
+- [Architecture](../docs/architecture.md)
+- [Getting Started](../docs/getting-started.md)

build/goreleaser-post-e2e.sh

@@ -0,0 +1,151 @@
+#!/usr/bin/env sh
+#
+# goreleaser-post-e2e.sh
+#
+# A small, robust POSIX shell script intended to be called from the goreleaser
+# `builds[].hooks.post` entry. It is responsible for optionally running the
+# repository smoke tests against the artifact produced in `dist/`.
+#
+# Usage:
+#   RUN_E2E=true        -> enable running smoke tests
+#   E2E_FAIL_ON_ERROR=1 -> (default) treat test failures as fatal (exit non-zero)
+#   E2E_FAIL_ON_ERROR=0 -> treat test failures as non-fatal (log, but exit 0)
+#
+# The script is written to be defensive and to work under /bin/sh on CI runners.
+# Use POSIX-safe flags only.
+set -eu
+
+# Helper for logging
+_now() {
+  date --iso-8601=seconds 2>/dev/null || date
+}
+log() {
+  printf '%s [goreleaser-post-e2e] %s\n' "$(_now)" "$*"
+}
+
+# GitHub Actions log grouping helpers (no-op outside Actions)
+gha_group_start() {
+  if [ "${GITHUB_ACTIONS:-}" = "true" ]; then
+    # Titles must be on a single line
+    printf '::group::%s\n' "$*"
+  fi
+}
+gha_group_end() {
+  if [ "${GITHUB_ACTIONS:-}" = "true" ]; then
+    printf '::endgroup::\n'
+  fi
+}
+
+# Small helper to interpret various truthy forms (1/true/yes/y)
+is_true() {
+  case "${1:-}" in
+    1|true|TRUE|yes|YES|y|Y) return 0 ;;
+    *) return 1 ;;
+  esac
+}
+
+# Determine repo root relative to this script (script is expected to live in kubescape/build/)
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+
+: "${RUN_E2E:=false}"
+# Default to fatal E2E failures.
+: "${E2E_FAIL_ON_ERROR:=1}"
+
+log "Starting goreleaser post-build e2e script"
+log "RUN_E2E=${RUN_E2E}"
+log "E2E_FAIL_ON_ERROR=${E2E_FAIL_ON_ERROR}"
+
+# Only run on linux/amd64 to avoid running multiple times (once per build)
+# and to ensure we can run the binary on the current host (assuming host is amd64).
+if [ -n "${GOARCH:-}" ] && [ "${GOARCH}" != "amd64" ]; then
+  log "Skipping smoke tests for non-amd64 build (GOARCH=${GOARCH})."
+  exit 0
+fi
+
+if ! is_true "${RUN_E2E}"; then
+  log "RUN_E2E is not enabled. Skipping smoke tests. (RUN_E2E=${RUN_E2E})"
+  exit 0
+fi
+
+# Locate the amd64 artifact in dist/.
+# Goreleaser v2 puts binaries in dist/<id>_<os>_<arch>_<version>/<binary>
+# Example: dist/cli_linux_amd64_v1/kubescape
+ART_PATH=""
+if [ -d "$REPO_ROOT/dist" ]; then
+  # Find any file named 'kubescape' inside a directory containing 'linux_amd64' inside 'dist'
+  # We use 'find' for robustness against varying directory names
+  ART_PATH=$(find "$REPO_ROOT/dist" -type f -name "kubescape" -path "*linux_amd64*" | head -n 1)
+fi
+
+if [ -z "$ART_PATH" ] || [ ! -f "$ART_PATH" ]; then
+  log "No kubescape artifact found in dist/ matching *linux_amd64*/kubescape. Skipping smoke tests."
+  # If we are supposed to run E2E, not finding the artifact is probably an error.
+  if is_true "${E2E_FAIL_ON_ERROR}"; then
+     log "E2E_FAIL_ON_ERROR enabled -> failing because artifact was not found."
+     exit 1
+  fi
+  exit 0
+fi
+
+log "Using artifact: $ART_PATH"
+# Make binary executable if it is a binary
+chmod +x "$ART_PATH" >/dev/null 2>&1 || true
+
+# Locate python runner
+PYTHON=""
+if command -v python3 >/dev/null 2>&1; then
+  PYTHON=python3
+elif command -v python >/dev/null 2>&1; then
+  PYTHON=python
+fi
+
+if [ -z "$PYTHON" ]; then
+  log "python3 (or python) not found in PATH."
+  if is_true "${E2E_FAIL_ON_ERROR}"; then
+    log "E2E_FAIL_ON_ERROR enabled -> failing the release because python is missing."
+    exit 2
+  else
+    log "E2E_FAIL_ON_ERROR disabled -> continuing without running tests."
+    exit 0
+  fi
+fi
+
+# Check for smoke test runner
+SMOKE_RUNNER="$REPO_ROOT/smoke_testing/init.py"
+if [ ! -f "$SMOKE_RUNNER" ]; then
+  log "Smoke test runner not found at $SMOKE_RUNNER"
+  if is_true "${E2E_FAIL_ON_ERROR}"; then
+    log "E2E_FAIL_ON_ERROR enabled -> failing the release because smoke runner is missing."
+    exit 3
+  else
+    log "E2E_FAIL_ON_ERROR disabled -> continuing without running tests."
+    exit 0
+  fi
+fi
+
+gha_group_start "Smoke tests"
+log "Running smoke tests with $PYTHON $SMOKE_RUNNER \"$ART_PATH\""
+# Run the test runner, propagate exit code
+set +e
+RELEASE="${RELEASE:-}" "$PYTHON" "$SMOKE_RUNNER" "$ART_PATH"
+rc=$?
+set -e
+
+if [ $rc -eq 0 ]; then
+  log "Smoke tests passed (exit code 0)."
+fi
+
+log "Smoke tests exited with code: $rc"
+gha_group_end
+
+if [ $rc -ne 0 ]; then
+  if is_true "${E2E_FAIL_ON_ERROR}"; then
+    log "E2E_FAIL_ON_ERROR enabled -> failing the release (exit code $rc)."
+    exit $rc
+  else
+    log "E2E_FAIL_ON_ERROR disabled -> continuing despite test failures."
+  fi
+fi
+
+exit 0

build/kubescape-cli.Dockerfile

@@ -0,0 +1,13 @@
+FROM gcr.io/distroless/static-debian13:debug-nonroot
+
+USER nonroot
+WORKDIR /home/nonroot/
+
+ARG image_version client TARGETARCH
+ENV RELEASE=$image_version CLIENT=$client
+
+ARG TARGETPLATFORM
+COPY $TARGETPLATFORM/kubescape /usr/bin/kubescape
+RUN ["kubescape", "download", "artifacts"]
+
+ENTRYPOINT ["kubescape"]

build/kubescape-cli.Dockerfile.dockerignore

@@ -0,0 +1 @@
+.git

cautils/apis/backendconnector.go

@@ -1,101 +0,0 @@
-package apis
-
-import (
-	"bytes"
-	"fmt"
-	"io/ioutil"
-	"net/http"
-)
-
-// HTTPReqFunc allows you to insert query params and more to aggregation message while using update aggregator
-type HTTPReqFunc func(req *http.Request, qryData interface{})
-
-func BasicBEQuery(req *http.Request, qryData interface{}) {
-
-	q := req.URL.Query()
-
-	if notificationData, isok := qryData.(*LoginObject); isok {
-		q.Add("customerGUID", notificationData.GUID)
-	}
-
-	req.URL.RawQuery = q.Encode()
-}
-
-func EmptyQuery(req *http.Request, qryData interface{}) {
-	q := req.URL.Query()
-	req.URL.RawQuery = q.Encode()
-}
-
-func MapQuery(req *http.Request, qryData interface{}) {
-	q := req.URL.Query()
-	if qryMap, isok := qryData.(map[string]string); isok {
-		for k, v := range qryMap {
-			q.Add(k, v)
-		}
-
-	}
-	req.URL.RawQuery = q.Encode()
-}
-
-func BEHttpRequest(loginobj *LoginObject, beURL,
-	httpverb string,
-	endpoint string,
-	payload []byte,
-	f HTTPReqFunc,
-	qryData interface{}) ([]byte, error) {
-	client := &http.Client{}
-
-	beURL = fmt.Sprintf("%v/%v", beURL, endpoint)
-	req, err := http.NewRequest(httpverb, beURL, bytes.NewReader(payload))
-	if err != nil {
-		return nil, err
-	}
-
-	req.Header.Set("Authorization", loginobj.Authorization)
-	f(req, qryData)
-
-	for _, cookie := range loginobj.Cookies {
-		req.AddCookie(cookie)
-	}
-	resp, err := client.Do(req)
-	if err != nil {
-		return nil, err
-	}
-	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
-		fmt.Printf("req:\n%v\nresp:%v\n", req, resp)
-		return nil, fmt.Errorf("Error #%v Due to: %v", resp.StatusCode, resp.Status)
-	}
-	defer resp.Body.Close()
-	body, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return nil, err
-	}
-	return body, nil
-}
-
-type BELoginResponse struct {
-	Name              string `json:"name"`
-	PreferredUsername string `json:"preferred_username"`
-	Email             string `json:"email"`
-	CustomerGuid      string `json:"customerGuid"`
-	Expires           string `json:"expires"`
-	Authorization     string `json:"authorization"`
-	Cookies           []*http.Cookie
-}
-
-func (r *BELoginResponse) ToLoginObject() *LoginObject {
-	l := &LoginObject{}
-	l.Authorization = r.Authorization
-	l.Cookies = r.Cookies
-	l.Expires = r.Expires
-	l.GUID = r.CustomerGuid
-
-	return l
-}
-
-type BackendConnector struct {
-	BaseURL         string
-	BELoginResponse *BELoginResponse
-	Credentials     *CustomerLoginDetails
-	HTTPClient      *http.Client
-}

cautils/apis/backendconnectormethods.go

@@ -1,128 +0,0 @@
-package apis
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"io/ioutil"
-	"net/http"
-	"strings"
-)
-
-func MakeBackendConnector(client *http.Client, baseURL string, loginDetails *CustomerLoginDetails) (*BackendConnector, error) {
-	if err := ValidateBEConnectorMakerInput(client, baseURL, loginDetails); err != nil {
-		return nil, err
-	}
-	conn := &BackendConnector{BaseURL: baseURL, Credentials: loginDetails, HTTPClient: client}
-	err := conn.Login()
-
-	return conn, err
-}
-
-func ValidateBEConnectorMakerInput(client *http.Client, baseURL string, loginDetails *CustomerLoginDetails) error {
-	if client == nil {
-		fmt.Errorf("You must provide an initialized httpclient")
-	}
-	if len(baseURL) == 0 {
-		return fmt.Errorf("you must provide a valid backend url")
-	}
-
-	if loginDetails == nil || (len(loginDetails.Email) == 0 && len(loginDetails.Password) == 0) {
-		return fmt.Errorf("you must provide valid login details")
-	}
-	return nil
-
-}
-
-func (r *BackendConnector) Login() error {
-	if !r.IsExpired() {
-		return nil
-	}
-
-	loginInfoBytes, err := json.Marshal(r.Credentials)
-	if err != nil {
-		return fmt.Errorf("unable to marshal credentials properly")
-	}
-
-	beURL := fmt.Sprintf("%v/%v", r.BaseURL, "login")
-
-	req, err := http.NewRequest("POST", beURL, bytes.NewReader(loginInfoBytes))
-	if err != nil {
-		return err
-	}
-
-	req.Header.Set("Referer", strings.Replace(beURL, "dashbe", "cpanel", 1))
-	resp, err := r.HTTPClient.Do(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-	body, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return fmt.Errorf("unable to read login response")
-	}
-
-	loginS := &BELoginResponse{}
-	json.Unmarshal(body, &loginS)
-
-	loginS.Cookies = resp.Cookies()
-	r.BELoginResponse = loginS
-
-	return nil
-}
-
-func (r *BackendConnector) IsExpired() bool {
-	return r.BELoginResponse == nil || r.BELoginResponse.ToLoginObject().IsExpired()
-}
-
-func (r *BackendConnector) GetBaseURL() string {
-	return r.BaseURL
-}
-func (r *BackendConnector) GetLoginObj() *LoginObject {
-	return r.BELoginResponse.ToLoginObject()
-}
-func (r *BackendConnector) GetClient() *http.Client {
-	return r.HTTPClient
-}
-
-func (r *BackendConnector) HTTPSend(httpverb string,
-	endpoint string,
-	payload []byte,
-	f HTTPReqFunc,
-	qryData interface{}) ([]byte, error) {
-
-	beURL := fmt.Sprintf("%v/%v", r.GetBaseURL(), endpoint)
-	req, err := http.NewRequest(httpverb, beURL, bytes.NewReader(payload))
-	if err != nil {
-		return nil, err
-	}
-
-	if r.IsExpired() {
-		r.Login()
-	}
-
-	loginobj := r.GetLoginObj()
-	req.Header.Set("Authorization", loginobj.Authorization)
-	f(req, qryData)
-	q := req.URL.Query()
-	q.Set("customerGUID", loginobj.GUID)
-	req.URL.RawQuery = q.Encode()
-
-	for _, cookie := range loginobj.Cookies {
-		req.AddCookie(cookie)
-	}
-	resp, err := r.GetClient().Do(req)
-	if err != nil {
-		return nil, err
-	}
-	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
-		fmt.Printf("req:\n%v\nresp:%v\n", req, resp)
-		return nil, fmt.Errorf("Error #%v Due to: %v", resp.StatusCode, resp.Status)
-	}
-	defer resp.Body.Close()
-	body, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return nil, err
-	}
-	return body, nil
-}

cautils/apis/clusterapis.go

@@ -1,25 +0,0 @@
-package apis
-
-// WebsocketScanCommand api
-const (
-	WebsocketScanCommandVersion string = "v1"
-	WebsocketScanCommandPath    string = "scanImage"
-)
-
-// commands send via websocket
-const (
-	UPDATE            string = "update"
-	ATTACH            string = "Attach"
-	REMOVE            string = "remove"
-	DETACH            string = "Detach"
-	INCOMPATIBLE      string = "Incompatible"
-	REPLACE_HEADERS   string = "ReplaceHeaders"
-	IMAGE_UNREACHABLE string = "ImageUnreachable"
-	SIGN              string = "sign"
-	UNREGISTERED      string = "unregistered"
-	INJECT            string = "inject"
-	RESTART           string = "restart"
-	ENCRYPT           string = "encryptSecret"
-	DECRYPT           string = "decryptSecret"
-	SCAN              string = "scan"
-)

cautils/apis/datastructures.go

@@ -1,78 +0,0 @@
-package apis
-
-import (
-	"encoding/json"
-	"fmt"
-	"net/http"
-
-	"github.com/docker/docker/api/types"
-)
-
-// WebsocketScanCommand trigger scan thru the websocket
-type WebsocketScanCommand struct {
-	// CustomerGUID string `json:"customerGUID"`
-	ImageTag      string `json:"imageTag"`
-	Wlid          string `json:"wlid"`
-	IsScanned     bool   `json:"isScanned"`
-	ContainerName string `json:"containerName"`
-	JobID         string `json:"jobID,omitempty"`
-	LastAction    int    `json:"actionIDN"`
-	// ImageHash     string `json:"imageHash"`
-	Credentials *types.AuthConfig `json:"credentials,omitempty"`
-}
-
-//taken from BE
-// ElasticRespTotal holds the total struct in Elastic array response
-type ElasticRespTotal struct {
-	Value    int    `json:"value"`
-	Relation string `json:"relation"`
-}
-
-// V2ListResponse holds the response of some list request with some metadata
-type V2ListResponse struct {
-	Total    ElasticRespTotal `json:"total"`
-	Response interface{}      `json:"response"`
-	// Cursor for quick access to the next page. Not supported yet
-	Cursor string `json:"cursor"`
-}
-
-// Oauth2Customer returns inside the "ca_groups" field in claims section of
-// Oauth2 verification process
-type Oauth2Customer struct {
-	CustomerName string `json:"customerName"`
-	CustomerGUID string `json:"customerGUID"`
-}
-
-type LoginObject struct {
-	Authorization string `json:"authorization"`
-	GUID          string
-	Cookies       []*http.Cookie
-	Expires       string
-}
-
-type SafeMode struct {
-	Reporter        string `json:"reporter"`                // "Agent"
-	Action          string `json:"action,omitempty"`        // "action"
-	Wlid            string `json:"wlid"`                    // CAA_WLID
-	PodName         string `json:"podName"`                 // CAA_POD_NAME
-	InstanceID      string `json:"instanceID"`              // CAA_POD_NAME
-	ContainerName   string `json:"containerName,omitempty"` // CAA_CONTAINER_NAME
-	ProcessName     string `json:"processName,omitempty"`
-	ProcessID       int    `json:"processID,omitempty"`
-	ProcessCMD      string `json:"processCMD,omitempty"`
-	ComponentGUID   string `json:"componentGUID,omitempty"` // CAA_GUID
-	StatusCode      int    `json:"statusCode"`              // 0/1/2
-	ProcessExitCode int    `json:"processExitCode"`         // 0 +
-	Timestamp       int64  `json:"timestamp"`
-	Message         string `json:"message,omitempty"` // any string
-	JobID           string `json:"jobID,omitempty"`   // any string
-	Compatible      *bool  `json:"compatible,omitempty"`
-}
-
-func (safeMode *SafeMode) Json() string {
-	b, err := json.Marshal(*safeMode)
-	if err != nil {
-		return ""
-	}
-	return fmt.Sprintf("%s", b)
-}

cautils/apis/datastructures_test.go

@@ -1,26 +0,0 @@
-package apis
-
-// import (
-// 	"fmt"
-// 	"net/http"
-// 	"testing"
-// )
-
-// func TestAuditStructure(t *testing.T) {
-// 	c := http.Client{}
-// 	be, err := MakeBackendConnector(&c, "https://dashbe.eudev3.cyberarmorsoft.com", &CustomerLoginDetails{Email: "lalafi@cyberarmor.io", Password: "*", CustomerName: "CyberArmorTests"})
-// 	if err != nil {
-// 		t.Errorf("sad1")
-
-// 	}
-
-// 	b, err := be.HTTPSend("GET", "v1/microservicesOverview", nil, MapQuery, map[string]string{"wlid": "wlid://cluster-childrenofbodom/namespace-default/deployment-pos"})
-// 	if err != nil {
-// 		t.Errorf("sad2")
-
-// 	}
-// 	fmt.Printf("%v", string(b))
-
-// 	t.Errorf("sad")
-
-// }

cautils/apis/interfaces.go

@@ -1,27 +0,0 @@
-package apis
-
-import (
-	"net/http"
-)
-
-// type Dashboard interface {
-// 	OPAFRAMEWORKGet(string, bool) ([]opapolicy.Framework, error)
-// }
-
-// Connector - interface for any connector (BE/Portal and so on)
-type Connector interface {
-
-	//may used for a more generic httpsend interface based method
-	GetBaseURL() string
-	GetLoginObj() *LoginObject
-	GetClient() *http.Client
-
-	Login() error
-	IsExpired() bool
-
-	HTTPSend(httpverb string,
-		endpoint string,
-		payload []byte,
-		f HTTPReqFunc,
-		qryData interface{}) ([]byte, error)
-}

cautils/apis/login.go

@@ -1,256 +0,0 @@
-package apis
-
-import (
-	"bytes"
-	"net/http"
-	"time"
-
-	"io/ioutil"
-
-	oidc "github.com/coreos/go-oidc"
-	uuid "github.com/satori/go.uuid"
-
-	// "go.uber.org/zap"
-	"context"
-	"encoding/json"
-	"fmt"
-	"strings"
-
-	"golang.org/x/oauth2"
-)
-
-func GetOauth2TokenURL() string {
-	return "https://idens.eudev3.cyberarmorsoft.com/auth/realms/CyberArmorSites"
-}
-
-func GetLoginStruct() (LoginAux, error) {
-
-	return LoginAux{Referer: "https://cpanel.eudev3.cyberarmorsoft.com/login", Url: "https://cpanel.eudev3.cyberarmorsoft.com/login"}, nil
-}
-
-func LoginWithKeycloak(loginDetails CustomerLoginDetails) ([]uuid.UUID, *oidc.IDToken, error) {
-	// var custGUID uuid.UUID
-	// config.Oauth2TokenURL
-	if GetOauth2TokenURL() == "" {
-		return nil, nil, fmt.Errorf("missing oauth2 token URL")
-	}
-	urlaux, _ := GetLoginStruct()
-	conf, err := getOauth2Config(urlaux)
-	if err != nil {
-		return nil, nil, err
-	}
-	ctx := context.Background()
-	provider, err := oidc.NewProvider(ctx, GetOauth2TokenURL())
-	if err != nil {
-		return nil, nil, err
-	}
-
-	// "Oauth2ClientID": "golang-client"
-	oidcConfig := &oidc.Config{
-		ClientID:          "golang-client",
-		SkipClientIDCheck: true,
-	}
-
-	verifier := provider.Verifier(oidcConfig)
-	ouToken, err := conf.PasswordCredentialsToken(ctx, loginDetails.Email, loginDetails.Password)
-	if err != nil {
-		return nil, nil, err
-	}
-	// "Authorization",
-	authorization := fmt.Sprintf("%s %s", ouToken.Type(), ouToken.AccessToken)
-	// oidc.IDTokenVerifier
-	tkn, err := verifier.Verify(ctx, ouToken.AccessToken)
-	if err != nil {
-		return nil, tkn, err
-	}
-	tkn.Nonce = authorization
-	if loginDetails.CustomerName == "" {
-		customers, err := getCustomersNames(tkn)
-		if err != nil {
-			return nil, tkn, err
-		}
-		if len(customers) == 1 {
-			loginDetails.CustomerName = customers[0]
-		} else {
-			return nil, tkn, fmt.Errorf("login with one of the following customers: %v", customers)
-		}
-	}
-	custGUID, err := getCustomerGUID(tkn, &loginDetails)
-	if err != nil {
-		return nil, tkn, err
-	}
-	return []uuid.UUID{custGUID}, tkn, nil
-}
-
-func getOauth2Config(urlaux LoginAux) (*oauth2.Config, error) {
-	reURLSlices := strings.Split(urlaux.Referer, "/")
-	if len(reURLSlices) == 0 {
-		reURLSlices = strings.Split(urlaux.Url, "/")
-	}
-	// zapLogger.With(zap.Strings("referer", reURLSlices)).Info("Searching oauth2Config for")
-	if len(reURLSlices) < 3 {
-		reURLSlices = []string{reURLSlices[0], reURLSlices[0], reURLSlices[0]}
-	}
-	lg, _ := GetLoginStruct()
-	provider, _ := oidc.NewProvider(context.Background(), GetOauth2TokenURL())
-	//provider.Endpoint {"AuthURL":"https://idens.eudev3.cyberarmorsoft.com/auth/realms/CyberArmorSites/protocol/openid-connect/auth","TokenURL":"https://idens.eudev3.cyberarmorsoft.com/auth/realms/CyberArmorSites/protocol/openid-connect/token","AuthStyle":0}
-	conf := oauth2.Config{
-		ClientID:     "golang-client",
-		ClientSecret: "4e33bad2-3491-41a6-b486-93c492cfb4a2",
-		RedirectURL:  lg.Referer,
-		// Discovery returns the OAuth2 endpoints.
-		Endpoint: provider.Endpoint(),
-		// "openid" is a required scope for OpenID Connect flows.
-		Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
-	}
-	return &conf, nil
-	// return nil, fmt.Errorf("canno't find oauth2Config for referer '%+v'.\nPlease set referer or origin headers", reURLSlices)
-}
-
-func getCustomersNames(oauth2Details *oidc.IDToken) ([]string, error) {
-	var claimsJSON Oauth2Claims
-	if err := oauth2Details.Claims(&claimsJSON); err != nil {
-		return nil, err
-	}
-
-	customersList := make([]string, 0, len(claimsJSON.CAGroups))
-	for _, v := range claimsJSON.CAGroups {
-		var caCustomer Oauth2Customer
-		if err := json.Unmarshal([]byte(v), &caCustomer); err == nil {
-			customersList = append(customersList, caCustomer.CustomerName)
-		}
-	}
-	return customersList, nil
-}
-
-func getCustomerGUID(tkn *oidc.IDToken, loginDetails *CustomerLoginDetails) (uuid.UUID, error) {
-
-	customers, err := getCustomersList(tkn)
-	if err != nil {
-		return uuid.UUID{}, err
-	}
-
-	// if customer name not provided - use default customer
-	if loginDetails.CustomerName == "" && len(customers) > 0 {
-		return uuid.FromString(customers[0].CustomerGUID)
-	}
-
-	for _, i := range customers {
-		if i.CustomerName == loginDetails.CustomerName {
-			return uuid.FromString(i.CustomerGUID)
-		}
-	}
-	return uuid.UUID{}, fmt.Errorf("customer name not found in customer list")
-}
-
-func getCustomersList(oauth2Details *oidc.IDToken) ([]Oauth2Customer, error) {
-	var claimsJSON Oauth2Claims
-	if err := oauth2Details.Claims(&claimsJSON); err != nil {
-		return nil, err
-	}
-
-	customersList := make([]Oauth2Customer, 0, len(claimsJSON.CAGroups))
-	for _, v := range claimsJSON.CAGroups {
-		var caCustomer Oauth2Customer
-		if err := json.Unmarshal([]byte(v), &caCustomer); err == nil {
-			customersList = append(customersList, caCustomer)
-		}
-	}
-	return customersList, nil
-}
-
-// func MakeAuthCookies(custGUID uuid.UUID, ouToken *oidc.IDToken) (*http.Cookie, error) {
-// 	var ccc http.Cookie
-// 	var responseData AuthenticationCookie
-// 	expireDate := time.Now().UTC().Add(time.Duration(config.CookieExpirationHours) * time.Hour)
-// 	if ouToken != nil {
-// 		expireDate = ouToken.Expiry
-// 	}
-// 	ccc.Expires = expireDate
-// 	responseData.CustomerGUID = custGUID
-// 	responseData.Expires = ccc.Expires
-// 	responseData.Version = 0
-// 	authorizationStr := ""
-// 	if ouToken != nil {
-// 		authorizationStr = ouToken.Nonce
-// 		if err := ouToken.Claims(&responseData.Oauth2Claims); err != nil {
-// 			errStr := fmt.Sprintf("failed to get claims from JWT")
-// 			return nil, fmt.Errorf("%v", errStr)
-// 		}
-// 	}
-// 	jsonBytes, err := json.Marshal(responseData)
-// 	if err != nil {
-// 		errStr := fmt.Sprintf("failed to get claims from JWT")
-// 		return nil, fmt.Errorf("%v", errStr)
-// 	}
-// 	ccc.Name = "auth"
-// 	ccc.Value = hex.EncodeToString(jsonBytes) + "." + cacheaccess.CalcHmac256(jsonBytes)
-// 	// TODO: HttpOnly for security...
-// 	ccc.HttpOnly = false
-// 	ccc.Path = "/"
-// 	ccc.Secure = true
-// 	ccc.SameSite = http.SameSiteNoneMode
-// 	http.SetCookie(w, &ccc)
-// 	responseData.Authorization = authorizationStr
-// 	jsonBytes, err = json.Marshal(responseData)
-// 	if err != nil {
-// 		w.WriteHeader(http.StatusInternalServerError)
-// 		fmt.Fprintf(w, "error while marshaling response(2) %s", err)
-// 		return
-// 	}
-// 	w.Write(jsonBytes)
-// }
-
-func Login(loginDetails CustomerLoginDetails) (*LoginObject, error) {
-
-	return nil, nil
-}
-
-func GetBEInfo(cfgFile string) string {
-	return "https://dashbe.eudev3.cyberarmorsoft.com"
-}
-
-func BELogin(loginDetails *CustomerLoginDetails, login string, cfg string) (*BELoginResponse, error) {
-	client := &http.Client{}
-
-	basebeURL := GetBEInfo(cfg)
-	beURL := fmt.Sprintf("%v/%v", basebeURL, login)
-
-	loginInfoBytes, err := json.Marshal(loginDetails)
-	if err != nil {
-		return nil, err
-	}
-	req, err := http.NewRequest("POST", beURL, bytes.NewReader(loginInfoBytes))
-	if err != nil {
-		return nil, err
-	}
-
-	req.Header.Set("Referer", strings.Replace(beURL, "dashbe", "cpanel", 1))
-	resp, err := client.Do(req)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-	body, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return nil, err
-	}
-
-	loginS := &BELoginResponse{}
-	json.Unmarshal(body, &loginS)
-
-	loginS.Cookies = resp.Cookies()
-	return loginS, nil
-}
-
-func (r *LoginObject) IsExpired() bool {
-	if r == nil {
-		return true
-	}
-	t, err := time.Parse(time.RFC3339, r.Expires)
-	if err != nil {
-		return true
-	}
-
-	return t.UTC().Before(time.Now().UTC())
-}

cautils/apis/login_test.go

@@ -1,41 +0,0 @@
-package apis
-
-// func TestLogin2BE(t *testing.T) {
-
-// 	loginDetails := CustomerLoginDetails{Email: "lalafi@cyberarmor.io", Password: "***", CustomerName: "CyberArmorTests"}
-// 	res, err := BELogin(loginDetails, "login")
-// 	if err != nil {
-// 		t.Errorf("failed to get raw audit is different ")
-// 	}
-// 	k := res.ToLoginObject()
-
-// 	fmt.Printf("%v\n", k)
-
-// }
-
-// func TestGetMicroserviceOverview(t *testing.T) {
-// 	// client := &http.Client{}
-// 	loginDetails := CustomerLoginDetails{Email: "lalafi@cyberarmor.io", Password: "***", CustomerName: "CyberArmorTests"}
-// 	loginobj, err := BELogin(loginDetails, "login")
-// 	if err != nil {
-// 		t.Errorf("failed to get raw audit is different ")
-// 	}
-// 	k := loginobj.ToLoginObject()
-// 	beURL := GetBEInfo("")
-
-// 	res, err := BEHttpRequest(k, beURL,
-// 		"GET",
-// 		"v1/microservicesOverview",
-// 		nil,
-// 		BasicBEQuery,
-// 		k)
-
-// 	if err != nil {
-// 		t.Errorf("failed to get raw audit is different ")
-// 	}
-
-// 	s := string(res)
-
-// 	fmt.Printf("%v\n", s)
-
-// }

cautils/apis/logindatastructures.go

@@ -1,38 +0,0 @@
-package apis
-
-import (
-	"time"
-
-	"github.com/gofrs/uuid"
-)
-
-// AuthenticationCookie is what it is
-type AuthenticationCookie struct {
-	Oauth2Claims  `json:",inline"`
-	CustomerGUID  uuid.UUID `json:"customerGuid"`
-	Expires       time.Time `json:"expires"`
-	Version       int       `json:"version"`
-	Authorization string    `json:"authorization,omitempty"`
-}
-
-type LoginAux struct {
-	Referer string
-	Url     string
-}
-
-// CustomerLoginDetails is what it is
-type CustomerLoginDetails struct {
-	Email        string    `json:"email"`
-	Password     string    `json:"password"`
-	CustomerName string    `json:"customer,omitempty"`
-	CustomerGUID uuid.UUID `json:"customerGuid,omitempty"`
-}
-
-// Oauth2Claims returns in claims section of Oauth2 verification process
-type Oauth2Claims struct {
-	Sub               string   `json:"sub"`
-	Name              string   `json:"name"`
-	PreferredUserName string   `json:"preferred_username"`
-	CAGroups          []string `json:"ca_groups"`
-	Email             string   `json:"email"`
-}

cautils/apis/websocketdatastructures.go

@@ -1,132 +0,0 @@
-package apis
-
-import (
-	"encoding/json"
-	"fmt"
-)
-
-// Commands list of commands received from websocket
-type Commands struct {
-	Commands []Command `json:"commands"`
-}
-
-// Command structure of command received from websocket
-type Command struct {
-	CommandName string                 `json:"commandName"`
-	ResponseID  string                 `json:"responseID"`
-	Wlid        string                 `json:"wlid,omitempty"`
-	WildWlid    string                 `json:"wildWlid,omitempty"`
-	Sid         string                 `json:"sid,omitempty"`
-	WildSid     string                 `json:"wildSid,omitempty"`
-	JobTracking JobTracking            `json:"jobTracking"`
-	Args        map[string]interface{} `json:"args,omitempty"`
-}
-
-type JobTracking struct {
-	JobID            string `json:"jobID,omitempty"`
-	ParentID         string `json:"parentAction,omitempty"`
-	LastActionNumber int    `json:"numSeq,omitempty"`
-}
-
-func (c *Command) DeepCopy() *Command {
-	newCommand := &Command{}
-	newCommand.CommandName = c.CommandName
-	newCommand.ResponseID = c.ResponseID
-	newCommand.Wlid = c.Wlid
-	newCommand.WildWlid = c.WildWlid
-	if c.Args != nil {
-		newCommand.Args = make(map[string]interface{})
-		for i, j := range c.Args {
-			newCommand.Args[i] = j
-		}
-	}
-	return newCommand
-}
-
-func (c *Command) GetLabels() map[string]string {
-	if c.Args != nil {
-		if ilabels, ok := c.Args["labels"]; ok {
-			labels := map[string]string{}
-			if b, e := json.Marshal(ilabels); e == nil {
-				if e = json.Unmarshal(b, &labels); e == nil {
-					return labels
-				}
-			}
-		}
-	}
-	return map[string]string{}
-}
-
-func (c *Command) SetLabels(labels map[string]string) {
-	if c.Args == nil {
-		c.Args = make(map[string]interface{})
-	}
-	c.Args["labels"] = labels
-}
-
-func (c *Command) GetFieldSelector() map[string]string {
-	if c.Args != nil {
-		if ilabels, ok := c.Args["fieldSelector"]; ok {
-			labels := map[string]string{}
-			if b, e := json.Marshal(ilabels); e == nil {
-				if e = json.Unmarshal(b, &labels); e == nil {
-					return labels
-				}
-			}
-		}
-	}
-	return map[string]string{}
-}
-
-func (c *Command) SetFieldSelector(labels map[string]string) {
-	if c.Args == nil {
-		c.Args = make(map[string]interface{})
-	}
-	c.Args["fieldSelector"] = labels
-}
-
-func (c *Command) GetID() string {
-	if c.WildWlid != "" {
-		return c.WildWlid
-	}
-	if c.WildSid != "" {
-		return c.WildSid
-	}
-	if c.Wlid != "" {
-		return c.Wlid
-	}
-	if c.Sid != "" {
-		return c.Sid
-	}
-	return ""
-}
-
-func (c *Command) Json() string {
-	b, _ := json.Marshal(*c)
-	return fmt.Sprintf("%s", b)
-}
-
-func SIDFallback(c *Command) {
-	if c.GetID() == "" {
-		sid, err := getSIDFromArgs(c.Args)
-		if err != nil || sid == "" {
-			return
-		}
-		c.Sid = sid
-	}
-}
-
-func getSIDFromArgs(args map[string]interface{}) (string, error) {
-	sidInterface, ok := args["sid"]
-	if !ok {
-		return "", nil
-	}
-	sid, ok := sidInterface.(string)
-	if !ok || sid == "" {
-		return "", fmt.Errorf("sid found in args but empty")
-	}
-	// if _, err := secrethandling.SplitSecretID(sid); err != nil {
-	// 	return "", err
-	// }
-	return sid, nil
-}

cautils/armotypes/executionpolicytypes.go

@@ -1,16 +0,0 @@
-package armotypes
-
-type EnforcmentsRule struct {
-	MonitoredObject          []string `json:"monitoredObject"`
-	MonitoredObjectExistence []string `json:"objectExistence"`
-	MonitoredObjectEvent     []string `json:"event"`
-	Action                   []string `json:"action"`
-}
-
-type ExecutionPolicy struct {
-	PortalBase                `json:",inline"`
-	Designators               []PortalDesignator `json:"designators"`
-	PolicyType                string             `json:"policyType"`
-	CreationTime              string             `json:"creation_time"`
-	ExecutionEnforcmentsRules []EnforcmentsRule  `json:"enforcementRules"`
-}

cautils/armotypes/portaltypes.go

@@ -1,57 +0,0 @@
-package armotypes
-
-const (
-	CostumerGuidQuery   = "costumerGUID"
-	ClusterNameQuery    = "cluster"
-	DatacenterNameQuery = "datacenter"
-	NamespaceQuery      = "namespace"
-	ProjectQuery        = "project"
-	WlidQuery           = "wlid"
-	SidQuery            = "sid"
-)
-
-// PortalBase holds basic items data from portal BE
-type PortalBase struct {
-	GUID       string                 `json:"guid"`
-	Name       string                 `json:"name"`
-	Attributes map[string]interface{} `json:"attributes,omitempty"` // could be string
-}
-
-type DesignatorType string
-
-// Supported designators
-const (
-	DesignatorAttributes DesignatorType = "Attributes"
-	/*
-		WorkloadID format.
-		k8s format: wlid://cluster-<cluster>/namespace-<namespace>/<kind>-<name>
-		native format: wlid://datacenter-<datacenter>/project-<project>/native-<name>
-	*/
-	DesignatorWlid DesignatorType = "Wlid"
-	/*
-		Wild card - subset of wlid. e.g.
-		1. Include cluster:
-			wlid://cluster-<cluster>/
-		2. Include cluster and namespace (filter out all other namespaces):
-			wlid://cluster-<cluster>/namespace-<namespace>/
-	*/
-	DesignatorWildWlid      DesignatorType = "WildWlid"
-	DesignatorWlidContainer DesignatorType = "WlidContainer"
-	DesignatorWlidProcess   DesignatorType = "WlidProcess"
-	DesignatorSid           DesignatorType = "Sid" // secret id
-)
-
-// attributes
-const (
-	AttributeCluster   = "cluster"
-	AttributeNamespace = "namespace"
-)
-
-// PortalDesignator represented single designation options
-type PortalDesignator struct {
-	DesignatorType DesignatorType    `json:"designatorType"`
-	WLID           string            `json:"wlid"`
-	WildWLID       string            `json:"wildwlid"`
-	SID            string            `json:"sid"`
-	Attributes     map[string]string `json:"attributes"`
-}

cautils/armotypes/portaltypes_mock.go

@@ -1,18 +0,0 @@
-package armotypes
-
-func MockPortalBase(customerGUID, name string, attributes map[string]interface{}) *PortalBase {
-	if customerGUID == "" {
-		customerGUID = "36b6f9e1-3b63-4628-994d-cbe16f81e9c7"
-	}
-	if name == "" {
-		name = "portalbase-a"
-	}
-	if attributes == nil {
-		attributes = make(map[string]interface{})
-	}
-	return &PortalBase{
-		GUID:       customerGUID,
-		Name:       name,
-		Attributes: attributes,
-	}
-}

cautils/armotypes/portaltypesutils.go

@@ -1,39 +0,0 @@
-package armotypes
-
-import "github.com/golang/glog"
-
-var IgnoreLabels = []string{AttributeCluster, AttributeNamespace}
-
-// DigestPortalDesignator - get cluster namespace and labels from designator
-func DigestPortalDesignator(designator *PortalDesignator) (string, string, map[string]string) {
-	switch designator.DesignatorType {
-	case DesignatorAttributes:
-		return DigestAttributesDesignator(designator.Attributes)
-	// case DesignatorWlid: TODO
-	// case DesignatorWildWlid: TODO
-	default:
-		glog.Warningf("in 'digestPortalDesignator' designator type: '%v' not yet supported. please contact Armo team", designator.DesignatorType)
-	}
-	return "", "", nil
-}
-
-func DigestAttributesDesignator(attributes map[string]string) (string, string, map[string]string) {
-	cluster := ""
-	namespace := ""
-	labels := map[string]string{}
-	if attributes == nil || len(attributes) == 0 {
-		return cluster, namespace, labels
-	}
-	for k, v := range attributes {
-		labels[k] = v
-	}
-	if v, ok := attributes[AttributeNamespace]; ok {
-		namespace = v
-		delete(labels, AttributeNamespace)
-	}
-	if v, ok := attributes[AttributeCluster]; ok {
-		cluster = v
-		delete(labels, AttributeCluster)
-	}
-	return cluster, namespace, labels
-}

cautils/cautils/armometadata.go

@@ -1,197 +0,0 @@
-package cautils
-
-import (
-	"encoding/json"
-	"fmt"
-	"io/ioutil"
-	"os"
-	"strings"
-
-	"github.com/golang/glog"
-)
-
-// labels added to the workload
-const (
-	ArmoPrefix          string = "armo"
-	ArmoAttach          string = ArmoPrefix + ".attach"
-	ArmoInitialSecret   string = ArmoPrefix + ".initial"
-	ArmoSecretStatus    string = ArmoPrefix + ".secret"
-	ArmoCompatibleLabel string = ArmoPrefix + ".compatible"
-
-	ArmoSecretProtectStatus string = "protect"
-	ArmoSecretClearStatus   string = "clear"
-)
-
-// annotations added to the workload
-const (
-	ArmoUpdate               string = ArmoPrefix + ".last-update"
-	ArmoWlid                 string = ArmoPrefix + ".wlid"
-	ArmoSid                  string = ArmoPrefix + ".sid"
-	ArmoJobID                string = ArmoPrefix + ".job"
-	ArmoJobIDPath            string = ArmoJobID + "/id"
-	ArmoJobParentPath        string = ArmoJobID + "/parent"
-	ArmoJobActionPath        string = ArmoJobID + "/action"
-	ArmoCompatibleAnnotation string = ArmoAttach + "/compatible"
-	ArmoReplaceheaders       string = ArmoAttach + "/replaceheaders"
-)
-
-const ( // DEPRECATED
-
-	CAAttachLabel string = "cyberarmor"
-	Patched       string = "Patched"
-	Done          string = "Done"
-	Encrypted     string = "Protected"
-
-	CAInjectOld = "injectCyberArmor"
-
-	CAPrefix          string = "cyberarmor"
-	CAProtectedSecret string = CAPrefix + ".secret"
-	CAInitialSecret   string = CAPrefix + ".initial"
-	CAInject          string = CAPrefix + ".inject"
-	CAIgnore          string = CAPrefix + ".ignore"
-	CAReplaceHeaders  string = CAPrefix + ".removeSecurityHeaders"
-)
-
-const ( // DEPRECATED
-	CAUpdate string = CAPrefix + ".last-update"
-	CAStatus string = CAPrefix + ".status"
-	CAWlid   string = CAPrefix + ".wlid"
-)
-
-type ClusterConfig struct {
-	EventReceiverREST       string `json:"eventReceiverREST"`
-	EventReceiverWS         string `json:"eventReceiverWS"`
-	MaserNotificationServer string `json:"maserNotificationServer"`
-	Postman                 string `json:"postman"`
-	Dashboard               string `json:"dashboard"`
-	Portal                  string `json:"portal"`
-	CustomerGUID            string `json:"customerGUID"`
-	ClusterGUID             string `json:"clusterGUID"`
-	ClusterName             string `json:"clusterName"`
-	OciImageURL             string `json:"ociImageURL"`
-	NotificationWSURL       string `json:"notificationWSURL"`
-	NotificationRestURL     string `json:"notificationRestURL"`
-	VulnScanURL             string `json:"vulnScanURL"`
-	OracleURL               string `json:"oracleURL"`
-	ClairURL                string `json:"clairURL"`
-}
-
-// represents workload basic info
-type SpiffeBasicInfo struct {
-	//cluster/datacenter
-	Level0     string `json:"level0"`
-	Level0Type string `json:"level0Type"`
-
-	//namespace/project
-	Level1     string `json:"level0"`
-	Level1Type string `json:"level0Type"`
-
-	Kind string `json:"kind"`
-	Name string `json:"name"`
-}
-
-type ImageInfo struct {
-	Registry     string `json:"registry"`
-	VersionImage string `json:"versionImage"`
-}
-
-func IsAttached(labels map[string]string) *bool {
-	attach := false
-	if labels == nil {
-		return nil
-	}
-	if attached, ok := labels[ArmoAttach]; ok {
-		if strings.ToLower(attached) == "true" {
-			attach = true
-			return &attach
-		} else {
-			return &attach
-		}
-	}
-
-	// deprecated
-	if _, ok := labels[CAAttachLabel]; ok {
-		attach = true
-		return &attach
-	}
-
-	// deprecated
-	if inject, ok := labels[CAInject]; ok {
-		if strings.ToLower(inject) == "true" {
-			attach = true
-			return &attach
-		}
-	}
-
-	// deprecated
-	if ignore, ok := labels[CAIgnore]; ok {
-		if strings.ToLower(ignore) == "true" {
-			return &attach
-		}
-	}
-
-	return nil
-}
-
-func IsSecretProtected(labels map[string]string) *bool {
-	protect := false
-	if labels == nil {
-		return nil
-	}
-	if protected, ok := labels[ArmoSecretStatus]; ok {
-		if strings.ToLower(protected) == ArmoSecretProtectStatus {
-			protect = true
-			return &protect
-		} else {
-			return &protect
-		}
-	}
-	return nil
-}
-
-func LoadConfig(configPath string, loadToEnv bool) (*ClusterConfig, error) {
-	if configPath == "" {
-		configPath = "/etc/config/clusterData.json"
-	}
-
-	dat, err := ioutil.ReadFile(configPath)
-	if err != nil || len(dat) == 0 {
-		return nil, fmt.Errorf("Config empty or not found. path: %s", configPath)
-	}
-	componentConfig := &ClusterConfig{}
-	if err := json.Unmarshal(dat, componentConfig); err != nil {
-		return componentConfig, fmt.Errorf("Failed to read component config, path: %s, reason: %s", configPath, err.Error())
-	}
-	if loadToEnv {
-		componentConfig.LoadConfigToEnv()
-	}
-	return componentConfig, nil
-}
-
-func (clusterConfig *ClusterConfig) LoadConfigToEnv() {
-
-	SetEnv("CA_CLUSTER_NAME", clusterConfig.ClusterName)
-	SetEnv("CA_CLUSTER_GUID", clusterConfig.ClusterGUID)
-	SetEnv("CA_ORACLE_SERVER", clusterConfig.OracleURL)
-	SetEnv("CA_CUSTOMER_GUID", clusterConfig.CustomerGUID)
-	SetEnv("CA_DASHBOARD_BACKEND", clusterConfig.Dashboard)
-	SetEnv("CA_NOTIFICATION_SERVER_REST", clusterConfig.NotificationWSURL)
-	SetEnv("CA_NOTIFICATION_SERVER_WS", clusterConfig.NotificationWSURL)
-	SetEnv("CA_NOTIFICATION_SERVER_REST", clusterConfig.NotificationRestURL)
-	SetEnv("CA_OCIMAGE_URL", clusterConfig.OciImageURL)
-	SetEnv("CA_K8S_REPORT_URL", clusterConfig.EventReceiverWS)
-	SetEnv("CA_EVENT_RECEIVER_HTTP", clusterConfig.EventReceiverREST)
-	SetEnv("CA_VULNSCAN", clusterConfig.VulnScanURL)
-	SetEnv("CA_POSTMAN", clusterConfig.Postman)
-	SetEnv("MASTER_NOTIFICATION_SERVER_HOST", clusterConfig.MaserNotificationServer)
-	SetEnv("CLAIR_URL", clusterConfig.ClairURL)
-
-}
-
-func SetEnv(key, value string) {
-	if e := os.Getenv(key); e == "" {
-		if err := os.Setenv(key, value); err != nil {
-			glog.Warning("%s: %s", key, err.Error())
-		}
-	}
-}

cautils/cautils/cautils_test.go

@@ -1,29 +0,0 @@
-package cautils
-
-import (
-	"testing"
-)
-
-// tests wlid parse
-
-func TestSpiffeWLIDToInfoSuccess(t *testing.T) {
-
-	WLID := "wlid://cluster-HipsterShopCluster2/namespace-prod/deployment-cartservice"
-	ms, er := SpiffeToSpiffeInfo(WLID)
-
-	if er != nil || ms.Level0 != "HipsterShopCluster2" || ms.Level0Type != "cluster" || ms.Level1 != "prod" || ms.Level1Type != "namespace" ||
-		ms.Kind != "deployment" || ms.Name != "cartservice" {
-		t.Errorf("TestSpiffeWLIDToInfoSuccess failed to parse %v", WLID)
-	}
-}
-
-func TestSpiffeSIDInfoSuccess(t *testing.T) {
-
-	SID := "sid://cluster-HipsterShopCluster2/namespace-dev/secret-caregcred"
-	ms, er := SpiffeToSpiffeInfo(SID)
-
-	if er != nil || ms.Level0 != "HipsterShopCluster2" || ms.Level0Type != "cluster" || ms.Level1 != "dev" || ms.Level1Type != "namespace" ||
-		ms.Kind != "secret" || ms.Name != "caregcred" {
-		t.Errorf("TestSpiffeSIDInfoSuccess failed to parse %v", SID)
-	}
-}

cautils/cautils/genericutils.go

@@ -1,118 +0,0 @@
-package cautils
-
-import (
-	"crypto/sha256"
-	"fmt"
-	"strings"
-)
-
-// wlid/ sid utils
-const (
-	SpiffePrefix = "://"
-)
-
-// wlid/ sid utils
-const (
-	PackagePath = "vendor/github.com/armosec/capacketsgo"
-)
-
-//AsSHA256 takes anything turns it into string :) https://blog.8bitzen.com/posts/22-08-2019-how-to-hash-a-struct-in-go
-func AsSHA256(v interface{}) string {
-	h := sha256.New()
-	h.Write([]byte(fmt.Sprintf("%v", v)))
-
-	return fmt.Sprintf("%x", h.Sum(nil))
-}
-
-func SpiffeToSpiffeInfo(spiffe string) (*SpiffeBasicInfo, error) {
-	basicInfo := &SpiffeBasicInfo{}
-
-	pos := strings.Index(spiffe, SpiffePrefix)
-	if pos < 0 {
-		return nil, fmt.Errorf("invalid spiffe %s", spiffe)
-	}
-
-	pos += len(SpiffePrefix)
-	spiffeNoPrefix := spiffe[pos:]
-	splits := strings.Split(spiffeNoPrefix, "/")
-	if len(splits) < 3 {
-		return nil, fmt.Errorf("invalid spiffe %s", spiffe)
-	}
-
-	p0 := strings.Index(splits[0], "-")
-	p1 := strings.Index(splits[1], "-")
-	p2 := strings.Index(splits[2], "-")
-	if p0 == -1 || p1 == -1 || p2 == -1 {
-		return nil, fmt.Errorf("invalid spiffe %s", spiffe)
-	}
-	basicInfo.Level0Type = splits[0][:p0]
-	basicInfo.Level0 = splits[0][p0+1:]
-	basicInfo.Level1Type = splits[1][:p1]
-	basicInfo.Level1 = splits[1][p1+1:]
-	basicInfo.Kind = splits[2][:p2]
-	basicInfo.Name = splits[2][p2+1:]
-
-	return basicInfo, nil
-}
-
-func ImageTagToImageInfo(imageTag string) (*ImageInfo, error) {
-	ImageInfo := &ImageInfo{}
-	spDelimiter := "/"
-	pos := strings.Index(imageTag, spDelimiter)
-	if pos < 0 {
-		ImageInfo.Registry = ""
-		ImageInfo.VersionImage = imageTag
-		return ImageInfo, nil
-	}
-
-	splits := strings.Split(imageTag, spDelimiter)
-	if len(splits) == 0 {
-
-		return nil, fmt.Errorf("Invalid image info %s", imageTag)
-	}
-
-	ImageInfo.Registry = splits[0]
-	if len(splits) > 1 {
-		ImageInfo.VersionImage = splits[len(splits)-1]
-	} else {
-		ImageInfo.VersionImage = ""
-	}
-
-	return ImageInfo, nil
-}
-
-func BoolPointer(b bool) *bool { return &b }
-
-func BoolToString(b bool) string {
-	if b {
-		return "true"
-	}
-	return "false"
-}
-
-func BoolPointerToString(b *bool) string {
-	if b == nil {
-		return ""
-	}
-	if *b {
-		return "true"
-	}
-	return "false"
-}
-
-func StringToBool(s string) bool {
-	if strings.ToLower(s) == "true" || strings.ToLower(s) == "1" {
-		return true
-	}
-	return false
-}
-
-func StringToBoolPointer(s string) *bool {
-	if strings.ToLower(s) == "true" || strings.ToLower(s) == "1" {
-		return BoolPointer(true)
-	}
-	if strings.ToLower(s) == "false" || strings.ToLower(s) == "0" {
-		return BoolPointer(false)
-	}
-	return nil
-}

cautils/cautils/k8sutils.go

@@ -1,52 +0,0 @@
-package cautils
-
-import (
-	"fmt"
-	"hash/fnv"
-	"strings"
-
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-var NamespacesListToIgnore = make([]string, 0)
-var KubeNamespaces = []string{metav1.NamespaceSystem, metav1.NamespacePublic}
-
-// NamespacesListToIgnore namespaces to ignore if a pod
-func InitNamespacesListToIgnore(caNamespace string) {
-	if len(NamespacesListToIgnore) > 0 {
-		return
-	}
-	NamespacesListToIgnore = append(NamespacesListToIgnore, KubeNamespaces...)
-	NamespacesListToIgnore = append(NamespacesListToIgnore, caNamespace)
-}
-
-func IfIgnoreNamespace(ns string) bool {
-	for i := range NamespacesListToIgnore {
-		if NamespacesListToIgnore[i] == ns {
-			return true
-		}
-	}
-	return false
-}
-
-func IfKubeNamespace(ns string) bool {
-	for i := range KubeNamespaces {
-		if NamespacesListToIgnore[i] == ns {
-			return true
-		}
-	}
-	return false
-}
-
-func hash(s string) string {
-	h := fnv.New32a()
-	h.Write([]byte(s))
-	return fmt.Sprintf("%d", h.Sum32())
-}
-func GenarateConfigMapName(wlid string) string {
-	name := strings.ToLower(fmt.Sprintf("ca-%s-%s-%s", GetNamespaceFromWlid(wlid), GetKindFromWlid(wlid), GetNameFromWlid(wlid)))
-	if len(name) >= 63 {
-		name = hash(name)
-	}
-	return name
-}

cautils/cautils/wlid.go

@@ -1,238 +0,0 @@
-package cautils
-
-import (
-	"fmt"
-	"strings"
-)
-
-// API fields
-var (
-	WlidPrefix           = "wlid://"
-	SidPrefix            = "sid://"
-	ClusterWlidPrefix    = "cluster-"
-	NamespaceWlidPrefix  = "namespace-"
-	DataCenterWlidPrefix = "datacenter-"
-	ProjectWlidPrefix    = "project-"
-	SecretSIDPrefix      = "secret-"
-	SubSecretSIDPrefix   = "subsecret-"
-	K8SKindsList         = []string{"ComponentStatus", "ConfigMap", "ControllerRevision", "CronJob",
-		"CustomResourceDefinition", "DaemonSet", "Deployment", "Endpoints", "Event", "HorizontalPodAutoscaler",
-		"Ingress", "Job", "Lease", "LimitRange", "LocalSubjectAccessReview", "MutatingWebhookConfiguration",
-		"Namespace", "NetworkPolicy", "Node", "PersistentVolume", "PersistentVolumeClaim", "Pod",
-		"PodDisruptionBudget", "PodSecurityPolicy", "PodTemplate", "PriorityClass", "ReplicaSet",
-		"ReplicationController", "ResourceQuota", "Role", "RoleBinding", "Secret", "SelfSubjectAccessReview",
-		"SelfSubjectRulesReview", "Service", "ServiceAccount", "StatefulSet", "StorageClass",
-		"SubjectAccessReview", "TokenReview", "ValidatingWebhookConfiguration", "VolumeAttachment"}
-	NativeKindsList = []string{"Dockerized", "Native"}
-	KindReverseMap  = map[string]string{}
-	dataImagesList  = []string{}
-)
-
-func IsWlid(id string) bool {
-	return strings.HasPrefix(id, WlidPrefix)
-}
-
-func IsSid(id string) bool {
-	return strings.HasPrefix(id, SidPrefix)
-}
-
-// GetK8SKindFronList get the calculated wlid
-func GetK8SKindFronList(kind string) string { // TODO GetK8SKindFromList
-	for i := range K8SKindsList {
-		if strings.ToLower(kind) == strings.ToLower(K8SKindsList[i]) {
-			return K8SKindsList[i]
-		}
-	}
-	return kind
-}
-
-// IsK8SKindInList Check if the kind is a known kind
-func IsK8SKindInList(kind string) bool {
-	for i := range K8SKindsList {
-		if strings.ToLower(kind) == strings.ToLower(K8SKindsList[i]) {
-			return true
-		}
-	}
-	return false
-}
-
-// generateWLID
-func generateWLID(pLevel0, level0, pLevel1, level1, k, name string) string {
-	kind := strings.ToLower(k)
-	kind = strings.Replace(kind, "-", "", -1)
-
-	wlid := WlidPrefix
-	wlid += fmt.Sprintf("%s%s", pLevel0, level0)
-	if level1 == "" {
-		return wlid
-	}
-	wlid += fmt.Sprintf("/%s%s", pLevel1, level1)
-
-	if kind == "" {
-		return wlid
-	}
-	wlid += fmt.Sprintf("/%s", kind)
-
-	if name == "" {
-		return wlid
-	}
-	wlid += fmt.Sprintf("-%s", name)
-
-	return wlid
-}
-
-// GetWLID get the calculated wlid
-func GetWLID(level0, level1, k, name string) string {
-	return generateWLID(ClusterWlidPrefix, level0, NamespaceWlidPrefix, level1, k, name)
-}
-
-// GetK8sWLID get the k8s calculated wlid
-func GetK8sWLID(level0, level1, k, name string) string {
-	return generateWLID(ClusterWlidPrefix, level0, NamespaceWlidPrefix, level1, k, name)
-}
-
-// GetNativeWLID get the native calculated wlid
-func GetNativeWLID(level0, level1, k, name string) string {
-	return generateWLID(DataCenterWlidPrefix, level0, ProjectWlidPrefix, level1, k, name)
-}
-
-// WildWlidContainsWlid does WildWlid contains Wlid
-func WildWlidContainsWlid(wildWlid, wlid string) bool { // TODO- test
-	if wildWlid == wlid {
-		return true
-	}
-	wildWlidR, _ := RestoreMicroserviceIDsFromSpiffe(wildWlid)
-	wlidR, _ := RestoreMicroserviceIDsFromSpiffe(wlid)
-	if len(wildWlidR) > len(wildWlidR) {
-		// invalid wlid
-		return false
-	}
-
-	for i := range wildWlidR {
-		if wildWlidR[i] != wlidR[i] {
-			return false
-		}
-	}
-	return true
-}
-
-func restoreInnerIdentifiersFromID(spiffeSlices []string) []string {
-	if len(spiffeSlices) >= 1 && strings.HasPrefix(spiffeSlices[0], ClusterWlidPrefix) {
-		spiffeSlices[0] = spiffeSlices[0][len(ClusterWlidPrefix):]
-	}
-	if len(spiffeSlices) >= 2 && strings.HasPrefix(spiffeSlices[1], NamespaceWlidPrefix) {
-		spiffeSlices[1] = spiffeSlices[1][len(NamespaceWlidPrefix):]
-	}
-	if len(spiffeSlices) >= 3 && strings.Contains(spiffeSlices[2], "-") {
-		dashIdx := strings.Index(spiffeSlices[2], "-")
-		spiffeSlices = append(spiffeSlices, spiffeSlices[2][dashIdx+1:])
-		spiffeSlices[2] = spiffeSlices[2][:dashIdx]
-		if val, ok := KindReverseMap[spiffeSlices[2]]; ok {
-			spiffeSlices[2] = val
-		}
-	}
-	return spiffeSlices
-}
-
-// RestoreMicroserviceIDsFromSpiffe -
-func RestoreMicroserviceIDsFromSpiffe(spiffe string) ([]string, error) {
-	if spiffe == "" {
-		return nil, fmt.Errorf("in RestoreMicroserviceIDsFromSpiffe, expecting valid wlid recieved empty string")
-	}
-
-	if StringHasWhitespace(spiffe) {
-		return nil, fmt.Errorf("wlid %s invalid. whitespace found", spiffe)
-	}
-
-	if strings.HasPrefix(spiffe, WlidPrefix) {
-		spiffe = spiffe[len(WlidPrefix):]
-	} else if strings.HasPrefix(spiffe, SidPrefix) {
-		spiffe = spiffe[len(SidPrefix):]
-	}
-	spiffeSlices := strings.Split(spiffe, "/")
-	// The documented WLID format (https://cyberarmorio.sharepoint.com/sites/development2/Shared%20Documents/kubernetes_design1.docx?web=1)
-	if len(spiffeSlices) <= 3 {
-		spiffeSlices = restoreInnerIdentifiersFromID(spiffeSlices)
-	}
-	if len(spiffeSlices) != 4 { // first used WLID, deprecated since 24.10.2019
-		return spiffeSlices, fmt.Errorf("invalid WLID format. format received: %v", spiffeSlices)
-	}
-
-	for i := range spiffeSlices {
-		if spiffeSlices[i] == "" {
-			return spiffeSlices, fmt.Errorf("one or more entities are empty, spiffeSlices: %v", spiffeSlices)
-		}
-	}
-
-	return spiffeSlices, nil
-}
-
-// RestoreMicroserviceIDsFromSpiffe -
-func RestoreMicroserviceIDs(spiffe string) []string {
-	if spiffe == "" {
-		return []string{}
-	}
-
-	if StringHasWhitespace(spiffe) {
-		return []string{}
-	}
-
-	if strings.HasPrefix(spiffe, WlidPrefix) {
-		spiffe = spiffe[len(WlidPrefix):]
-	} else if strings.HasPrefix(spiffe, SidPrefix) {
-		spiffe = spiffe[len(SidPrefix):]
-	}
-	spiffeSlices := strings.Split(spiffe, "/")
-
-	return restoreInnerIdentifiersFromID(spiffeSlices)
-}
-
-// GetClusterFromWlid parse wlid and get cluster
-func GetClusterFromWlid(wlid string) string {
-	r := RestoreMicroserviceIDs(wlid)
-	if len(r) >= 1 {
-		return r[0]
-	}
-	return ""
-}
-
-// GetNamespaceFromWlid parse wlid and get Namespace
-func GetNamespaceFromWlid(wlid string) string {
-	r := RestoreMicroserviceIDs(wlid)
-	if len(r) >= 2 {
-		return r[1]
-	}
-	return ""
-}
-
-// GetKindFromWlid parse wlid and get kind
-func GetKindFromWlid(wlid string) string {
-	r := RestoreMicroserviceIDs(wlid)
-	if len(r) >= 3 {
-		return GetK8SKindFronList(r[2])
-	}
-	return ""
-}
-
-// GetNameFromWlid parse wlid and get name
-func GetNameFromWlid(wlid string) string {
-	r := RestoreMicroserviceIDs(wlid)
-	if len(r) >= 4 {
-		return GetK8SKindFronList(r[3])
-	}
-	return ""
-}
-
-// IsWlidValid test if wlid is a valid wlid
-func IsWlidValid(wlid string) error {
-	_, err := RestoreMicroserviceIDsFromSpiffe(wlid)
-	return err
-}
-
-// StringHasWhitespace check if a string has whitespace
-func StringHasWhitespace(str string) bool {
-	if whitespace := strings.Index(str, " "); whitespace != -1 {
-		return true
-	}
-	return false
-}

cautils/datastructures.go

@@ -1,49 +0,0 @@
-package cautils
-
-import (
-	"kube-escape/cautils/opapolicy"
-)
-
-// K8SResources map[<api group>/<api version>/<resource>]<resource object>
-type K8SResources map[string]interface{}
-
-type OPASessionObj struct {
-	Frameworks    []opapolicy.Framework
-	K8SResources  *K8SResources
-	PostureReport *opapolicy.PostureReport
-}
-
-func NewOPASessionObj(frameworks []opapolicy.Framework, k8sResources *K8SResources) *OPASessionObj {
-	return &OPASessionObj{
-		Frameworks:   frameworks,
-		K8SResources: k8sResources,
-		PostureReport: &opapolicy.PostureReport{
-			ClusterName:  ClusterName,
-			CustomerGUID: CustomerGUID,
-		},
-	}
-}
-
-func NewOPASessionObjMock() *OPASessionObj {
-	return &OPASessionObj{
-		Frameworks:   nil,
-		K8SResources: nil,
-		PostureReport: &opapolicy.PostureReport{
-			ClusterName:  "",
-			CustomerGUID: "",
-			ReportID:     "",
-			JobID:        "",
-		},
-	}
-}
-
-type ComponentConfig struct {
-	Exceptions Exception `json:"exceptions"`
-}
-
-type Exception struct {
-	Ignore        *bool                 `json:"ignore"`        // ignore test results
-	MultipleScore *opapolicy.AlertScore `json:"multipleScore"` // MultipleScore number - float32
-	Namespaces    []string              `json:"namespaces"`
-	Regex         string                `json:"regex"` // not supported
-}

cautils/display.go

@@ -1,45 +0,0 @@
-package cautils
-
-import (
-	"fmt"
-	"os"
-	"time"
-
-	"github.com/briandowns/spinner"
-	"github.com/fatih/color"
-	"github.com/mattn/go-isatty"
-)
-
-var FailureDisplay = color.New(color.Bold, color.FgHiRed).FprintfFunc()
-var FailureTextDisplay = color.New(color.Faint, color.FgHiRed).FprintfFunc()
-var InfoDisplay = color.New(color.Bold, color.FgHiYellow).FprintfFunc()
-var InfoTextDisplay = color.New(color.Faint, color.FgHiYellow).FprintfFunc()
-var SimpleDisplay = color.New(color.Bold, color.FgHiWhite).FprintfFunc()
-var SuccessDisplay = color.New(color.Bold, color.FgHiGreen).FprintfFunc()
-
-var Spinner *spinner.Spinner
-
-func SuccessTextDisplay(str string) {
-	SuccessDisplay(os.Stdout, "[success] ")
-	SimpleDisplay(os.Stdout, fmt.Sprintf("%s\n", str))
-
-}
-
-func ProgressTextDisplay(str string) {
-	InfoDisplay(os.Stdout, "[progress] ")
-	SimpleDisplay(os.Stdout, fmt.Sprintf("%s\n", str))
-
-}
-func StartSpinner() {
-	if isatty.IsTerminal(os.Stdout.Fd()) {
-		Spinner = spinner.New(spinner.CharSets[7], 100*time.Millisecond) // Build our new spinner
-		Spinner.Start()
-	}
-}
-
-func StopSpinner() {
-	if Spinner == nil {
-		return
-	}
-	Spinner.Stop()
-}

cautils/environments.go

@@ -1,24 +0,0 @@
-package cautils
-
-import (
-	"os"
-)
-
-// CA environment vars
-var (
-	CustomerGUID          = ""
-	ClusterName           = ""
-	EventReceiverURL      = ""
-	NotificationServerURL = ""
-	DashboardBackendURL   = ""
-	RestAPIPort           = "4001"
-)
-
-func SetupDefaultEnvs() {
-	if os.Getenv("CA_DASHBOARD_BACKEND") == "" {
-		os.Setenv("CA_DASHBOARD_BACKEND", "https://dashbe.eudev3.cyberarmorsoft.com") // use prod
-	}
-	if os.Getenv("CA_CUSTOMER_GUID") == "" {
-		os.Setenv("CA_CUSTOMER_GUID", "11111111-1111-1111-1111-111111111111")
-	}
-}

cautils/k8sinterface/cloudvendorregistrycreds.go

@@ -1,265 +0,0 @@
-package k8sinterface
-
-import (
-	"bytes"
-	"encoding/base64"
-	"encoding/json"
-	"fmt"
-	"io/ioutil"
-	"net/http"
-	"net/url"
-	"strings"
-	"time"
-
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/ecr"
-	"github.com/docker/docker/api/types"
-)
-
-// For GCR there are some permissions one need to assign in order to allow ARMO to pull images:
-// https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
-// gcloud iam service-accounts create armo-controller-sa
-// gcloud projects add-iam-policy-binding <PROJECT_NAME> --role roles/storage.objectViewer --member "serviceAccount:armo-controller-sa@<PROJECT_NAME>.iam.gserviceaccount.com"
-// gcloud iam service-accounts add-iam-policy-binding   --role roles/iam.workloadIdentityUser   --member "serviceAccount:<PROJECT_NAME>.svc.id.goog[cyberarmor-system/ca-controller-service-account]"   armo-controller-sa@<PROJECT_NAME>.iam.gserviceaccount.com
-// kubectl annotate serviceaccount --overwrite   --namespace cyberarmor-system   ca-controller-service-account iam.gke.io/gcp-service-account=armo-controller-sa@<PROJECT_NAME>.iam.gserviceaccount.com
-
-const (
-	gcrDefaultServiceAccountName = "default"
-	// armoServiceAccountName = "ca-controller-service-account"
-)
-
-var (
-	httpClient = http.Client{Timeout: 5 * time.Second}
-)
-
-// CheckIsECRImage check if this image is suspected as ECR hosted image
-func CheckIsECRImage(imageTag string) bool {
-	return strings.Contains(imageTag, "dkr.ecr")
-}
-
-// GetLoginDetailsForECR return user name + password using the default iam-role OR ~/.aws/config of the machine
-func GetLoginDetailsForECR(imageTag string) (string, string, error) {
-	// imageTag := "015253967648.dkr.ecr.eu-central-1.amazonaws.com/armo:1"
-	imageTagSlices := strings.Split(imageTag, ".")
-	repo := imageTagSlices[0]
-	region := imageTagSlices[3]
-	mySession := session.Must(session.NewSession())
-	ecrClient := ecr.New(mySession, aws.NewConfig().WithRegion(region))
-	input := &ecr.GetAuthorizationTokenInput{
-		RegistryIds: []*string{&repo},
-	}
-	res, err := ecrClient.GetAuthorizationToken(input)
-	if err != nil {
-		return "", "", fmt.Errorf("in PullFromECR, failed to GetAuthorizationToken: %v", err)
-	}
-	res64 := (*res.AuthorizationData[0].AuthorizationToken)
-	resB, err := base64.StdEncoding.DecodeString(res64)
-	if err != nil {
-		return "", "", fmt.Errorf("in PullFromECR, failed to DecodeString: %v", err)
-	}
-	delimiterIdx := bytes.IndexByte(resB, ':')
-	// userName := resB[:delimiterIdx]
-	// resB = resB[delimiterIdx+1:]
-	// resB, err = base64.StdEncoding.DecodeString(string(resB))
-	// if err != nil {
-	// 	t.Errorf("failed to DecodeString #2: %v\n\n", err)
-	// }
-	return string(resB[:delimiterIdx]), string(resB[delimiterIdx+1:]), nil
-}
-
-func CheckIsACRImage(imageTag string) bool {
-	// atest1.azurecr.io/go-inf:1
-	return strings.Contains(imageTag, ".azurecr.io/")
-}
-
-type azureADDResponseJson struct {
-	AccessToken  string `json:"access_token"`
-	RefreshToken string `json:"refresh_token"`
-	ExpiresIn    string `json:"expires_in"`
-	ExpiresOn    string `json:"expires_on"`
-	NotBefore    string `json:"not_before"`
-	Resource     string `json:"resource"`
-	TokenType    string `json:"token_type"`
-}
-
-func getAzureAADAccessToken() (string, error) {
-	msi_endpoint, err := url.Parse("http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01")
-	if err != nil {
-		return "", fmt.Errorf("creating URL : %v", err)
-	}
-	msi_parameters := url.Values{}
-	msi_parameters.Add("resource", "https://management.azure.com/")
-	msi_parameters.Add("api-version", "2018-02-01")
-	msi_endpoint.RawQuery = msi_parameters.Encode()
-	req, err := http.NewRequest("GET", msi_endpoint.String(), nil)
-	if err != nil {
-		return "", fmt.Errorf("creating HTTP request : %v", err)
-	}
-	req.Header.Add("Metadata", "true")
-
-	// Call managed services for Azure resources token endpoint
-	resp, err := httpClient.Do(req)
-	if err != nil {
-		return "", fmt.Errorf("calling token endpoint : %v", err)
-	}
-
-	// Pull out response body
-	responseBytes, err := ioutil.ReadAll(resp.Body)
-	defer resp.Body.Close()
-	if err != nil {
-		return "", fmt.Errorf("reading response body : %v", err)
-	}
-	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
-		return "", fmt.Errorf("azure ActiveDirectory AT resp: %v, %v", resp.Status, string(responseBytes))
-	}
-
-	// Unmarshall response body into struct
-	var r azureADDResponseJson
-	err = json.Unmarshal(responseBytes, &r)
-	if err != nil {
-		return "", fmt.Errorf("unmarshalling the response: %v", err)
-	}
-	return r.AccessToken, nil
-}
-
-// GetLoginDetailsForAzurCR return user name + password to use
-func GetLoginDetailsForAzurCR(imageTag string) (string, string, error) {
-	// imageTag := "atest1.azurecr.io/go-inf:1"
-	imageTagSlices := strings.Split(imageTag, "/")
-	azureIdensAT, err := getAzureAADAccessToken()
-	if err != nil {
-		return "", "", err
-	}
-	atMap := make(map[string]interface{})
-	azureIdensATSlices := strings.Split(azureIdensAT, ".")
-	if len(azureIdensATSlices) < 2 {
-		return "", "", fmt.Errorf("len(azureIdensATSlices) < 2")
-	}
-	resB, err := base64.RawStdEncoding.DecodeString(azureIdensATSlices[1])
-	if err != nil {
-		return "", "", fmt.Errorf("in GetLoginDetailsForAzurCR, failed to DecodeString: %v, %s", err, azureIdensATSlices[1])
-	}
-	if err := json.Unmarshal(resB, &atMap); err != nil {
-		return "", "", fmt.Errorf("failed to unmarshal azureIdensAT: %v, %s", err, string(resB))
-	}
-	// excahnging AAD for ACR refresh token
-	refreshToken, err := excahngeAzureAADAccessTokenForACRRefreshToken(imageTagSlices[0], fmt.Sprintf("%v", atMap["tid"]), azureIdensAT)
-	if err != nil {
-		return "", "", fmt.Errorf("failed to excahngeAzureAADAccessTokenForACRRefreshToken: %v, registry: %s, tenantID: %s, azureAADAT: %s", err, imageTagSlices[0], fmt.Sprintf("%v", atMap["tid"]), azureIdensAT)
-	}
-
-	return "00000000-0000-0000-0000-000000000000", refreshToken, nil
-}
-
-func excahngeAzureAADAccessTokenForACRRefreshToken(registry, tenantID, azureAADAT string) (string, error) {
-	msi_parameters := url.Values{}
-	msi_parameters.Add("service", registry)
-	msi_parameters.Add("grant_type", "access_token")
-	msi_parameters.Add("tenant", tenantID)
-	msi_parameters.Add("access_token", azureAADAT)
-	postBodyStr := msi_parameters.Encode()
-	req, err := http.NewRequest("POST", fmt.Sprintf("https://%v/oauth2/exchange", registry), strings.NewReader(postBodyStr))
-	if err != nil {
-		return "", fmt.Errorf("creating HTTP request : %v", err)
-	}
-	req.Header.Add("Metadata", "true")
-	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
-
-	// Call managed services for Azure resources token endpoint
-	resp, err := httpClient.Do(req)
-	if err != nil {
-		return "", fmt.Errorf("calling token endpoint : %v", err)
-	}
-
-	// Pull out response body
-	responseBytes, err := ioutil.ReadAll(resp.Body)
-	defer resp.Body.Close()
-	if err != nil {
-		return "", fmt.Errorf("reading response body : %v", err)
-	}
-	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
-		return "", fmt.Errorf("azure exchange AT resp: %v, %v", resp.Status, string(responseBytes))
-	}
-	resultMap := make(map[string]string)
-	err = json.Unmarshal(responseBytes, &resultMap)
-	if err != nil {
-		return "", fmt.Errorf("unmarshalling the response: %v", err)
-	}
-	return resultMap["refresh_token"], nil
-}
-
-func CheckIsGCRImage(imageTag string) bool {
-	// gcr.io/elated-pottery-310110/golang-inf:2
-	return strings.Contains(imageTag, "gcr.io/")
-}
-
-// GetLoginDetailsForGCR return user name + password to use
-func GetLoginDetailsForGCR(imageTag string) (string, string, error) {
-	msi_endpoint, err := url.Parse(fmt.Sprintf("http://169.254.169.254/computeMetadata/v1/instance/service-accounts/%s/token", gcrDefaultServiceAccountName))
-	if err != nil {
-		return "", "", fmt.Errorf("creating URL : %v", err)
-	}
-	req, err := http.NewRequest("GET", msi_endpoint.String(), nil)
-	if err != nil {
-		return "", "", fmt.Errorf("creating HTTP request : %v", err)
-	}
-	req.Header.Add("Metadata-Flavor", "Google")
-
-	// Call managed services for Azure resources token endpoint
-	resp, err := httpClient.Do(req)
-	if err != nil {
-		return "", "", fmt.Errorf("calling token endpoint : %v", err)
-	}
-	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
-		return "", "", fmt.Errorf("HTTP Status : %v, make sure the '%s' service account is configured for ARMO pod", resp.Status, gcrDefaultServiceAccountName)
-	}
-	defer resp.Body.Close()
-	respMap := make(map[string]interface{})
-	if err := json.NewDecoder(resp.Body).Decode(&respMap); err != nil {
-		return "", "", fmt.Errorf("json Decode : %v", err)
-	}
-	return "oauth2accesstoken", fmt.Sprintf("%v", respMap["access_token"]), nil
-}
-
-func GetCloudVendorRegistryCredentials(imageTag string) (map[string]types.AuthConfig, error) {
-	secrets := map[string]types.AuthConfig{}
-	var errRes error
-	if CheckIsACRImage(imageTag) {
-		userName, password, err := GetLoginDetailsForAzurCR(imageTag)
-		if err != nil {
-			errRes = fmt.Errorf("failed to GetLoginDetailsForACR(%s): %v", imageTag, err)
-		} else {
-			secrets[imageTag] = types.AuthConfig{
-				Username: userName,
-				Password: password,
-			}
-		}
-	}
-
-	if CheckIsECRImage(imageTag) {
-		userName, password, err := GetLoginDetailsForECR(imageTag)
-		if err != nil {
-			errRes = fmt.Errorf("failed to GetLoginDetailsForECR(%s): %v", imageTag, err)
-		} else {
-			secrets[imageTag] = types.AuthConfig{
-				Username: userName,
-				Password: password,
-			}
-		}
-	}
-
-	if CheckIsGCRImage(imageTag) {
-		userName, password, err := GetLoginDetailsForGCR(imageTag)
-		if err != nil {
-			errRes = fmt.Errorf("failed to GetLoginDetailsForGCR(%s): %v", imageTag, err)
-		} else {
-			secrets[imageTag] = types.AuthConfig{
-				Username: userName,
-				Password: password,
-			}
-		}
-	}
-
-	return secrets, errRes
-}

cautils/k8sinterface/k8sconfig.go

@@ -1,73 +0,0 @@
-package k8sinterface
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"path/filepath"
-
-	"k8s.io/client-go/dynamic"
-	"k8s.io/client-go/kubernetes"
-	restclient "k8s.io/client-go/rest"
-	"k8s.io/client-go/tools/clientcmd"
-
-	// DO NOT REMOVE - load cloud providers auth
-	_ "k8s.io/client-go/plugin/pkg/client/auth"
-)
-
-// K8SConfig pointer to k8s config
-var K8SConfig *restclient.Config
-
-// KubernetesApi -
-type KubernetesApi struct {
-	KubernetesClient kubernetes.Interface
-	DynamicClient    dynamic.Interface
-	Context          context.Context
-}
-
-// NewKubernetesApi -
-func NewKubernetesApi() *KubernetesApi {
-	kubernetesClient, err := kubernetes.NewForConfig(GetK8sConfig())
-	if err != nil {
-		panic(fmt.Sprintf("kubernetes.NewForConfig - Failed to load config file, reason: %s", err.Error()))
-	}
-	dynamicClient, err := dynamic.NewForConfig(GetK8sConfig())
-	if err != nil {
-		panic(fmt.Sprintf("dynamic.NewForConfig - Failed to load config file, reason: %s", err.Error()))
-	}
-
-	return &KubernetesApi{
-		KubernetesClient: kubernetesClient,
-		DynamicClient:    dynamicClient,
-		Context:          context.Background(),
-	}
-}
-
-var ConfigPath = filepath.Join(os.Getenv("HOME"), ".kube", "config")
-var RunningIncluster bool
-
-// LoadK8sConfig load config from local file or from cluster
-func LoadK8sConfig() error {
-	kubeconfig, err := clientcmd.BuildConfigFromFlags("", ConfigPath)
-	if err != nil {
-		kubeconfig, err = restclient.InClusterConfig()
-		if err != nil {
-			return fmt.Errorf("Failed to load kubernetes config from file: '%s', err: %v", ConfigPath, err)
-		}
-		RunningIncluster = true
-	} else {
-		RunningIncluster = false
-	}
-	K8SConfig = kubeconfig
-	return nil
-}
-
-// GetK8sConfig get config. load if not loaded yer
-func GetK8sConfig() *restclient.Config {
-	if K8SConfig == nil {
-		if err := LoadK8sConfig(); err != nil {
-			return nil
-		}
-	}
-	return K8SConfig
-}

cautils/k8sinterface/k8sconfig_test.go

@@ -1,26 +0,0 @@
-package k8sinterface
-
-import (
-	"testing"
-
-	"kube-escape/cautils/cautils"
-)
-
-func TestGetGroupVersionResource(t *testing.T) {
-	wlid := "wlid://cluster-david-v1/namespace-default/deployment-nginx-deployment"
-	r, err := GetGroupVersionResource(cautils.GetKindFromWlid(wlid))
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	if r.Group != "apps" {
-		t.Errorf("wrong group")
-	}
-	if r.Version != "v1" {
-		t.Errorf("wrong Version")
-	}
-	if r.Resource != "deployments" {
-		t.Errorf("wrong Resource")
-	}
-
-}

cautils/k8sinterface/k8sdynamic.go

@@ -1,145 +0,0 @@
-package k8sinterface
-
-import (
-	"fmt"
-	"strings"
-
-	"kube-escape/cautils/cautils"
-
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-	"k8s.io/client-go/dynamic"
-	//
-	// Uncomment to load all auth plugins
-	// _ "k8s.io/client-go/plugin/pkg/client/auth
-	//
-	// Or uncomment to load specific auth plugins
-	// _ "k8s.io/client-go/plugin/pkg/client/auth/azure"
-	// _ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
-	// _ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
-	// _ "k8s.io/client-go/plugin/pkg/client/auth/openstack"
-)
-
-func (k8sAPI *KubernetesApi) GetWorkloadByWlid(wlid string) (*Workload, error) {
-	return k8sAPI.GetWorkload(cautils.GetNamespaceFromWlid(wlid), cautils.GetKindFromWlid(wlid), cautils.GetNameFromWlid(wlid))
-}
-
-func (k8sAPI *KubernetesApi) GetWorkload(namespace, kind, name string) (*Workload, error) {
-	groupVersionResource, err := GetGroupVersionResource(kind)
-	if err != nil {
-		return nil, err
-	}
-
-	w, err := k8sAPI.ResourceInterface(&groupVersionResource, namespace).Get(k8sAPI.Context, name, metav1.GetOptions{})
-	if err != nil {
-		return nil, fmt.Errorf("failed to GET resource, kind: '%s', namespace: '%s', name: '%s', reason: %s", kind, namespace, name, err.Error())
-	}
-	return NewWorkloadObj(w.Object), nil
-}
-
-func (k8sAPI *KubernetesApi) ListWorkloads(groupVersionResource *schema.GroupVersionResource, namespace string, podLabels, fieldSelector map[string]string) ([]Workload, error) {
-	listOptions := metav1.ListOptions{}
-	if podLabels != nil && len(podLabels) > 0 {
-		set := labels.Set(podLabels)
-		listOptions.LabelSelector = SelectorToString(set)
-	}
-	if fieldSelector != nil && len(fieldSelector) > 0 {
-		set := labels.Set(fieldSelector)
-		listOptions.FieldSelector = SelectorToString(set)
-	}
-	uList, err := k8sAPI.ResourceInterface(groupVersionResource, namespace).List(k8sAPI.Context, listOptions)
-	if err != nil {
-		return nil, fmt.Errorf("failed to LIST resources, reason: %s", err.Error())
-	}
-	workloads := make([]Workload, len(uList.Items))
-	for i := range uList.Items {
-		workloads[i] = *NewWorkloadObj(uList.Items[i].Object)
-	}
-	return workloads, nil
-}
-
-func (k8sAPI *KubernetesApi) DeleteWorkloadByWlid(wlid string) error {
-	groupVersionResource, err := GetGroupVersionResource(cautils.GetKindFromWlid(wlid))
-	if err != nil {
-		return err
-	}
-	err = k8sAPI.ResourceInterface(&groupVersionResource, cautils.GetNamespaceFromWlid(wlid)).Delete(k8sAPI.Context, cautils.GetNameFromWlid(wlid), metav1.DeleteOptions{})
-	if err != nil {
-		return fmt.Errorf("failed to DELETE resource, workloadID: '%s', reason: %s", wlid, err.Error())
-	}
-	return nil
-}
-
-func (k8sAPI *KubernetesApi) CreateWorkload(workload *Workload) (*Workload, error) {
-	groupVersionResource, err := GetGroupVersionResource(workload.GetKind())
-	if err != nil {
-		return nil, err
-	}
-	obj, err := workload.ToUnstructured()
-	if err != nil {
-		return nil, err
-	}
-	w, err := k8sAPI.ResourceInterface(&groupVersionResource, workload.GetNamespace()).Create(k8sAPI.Context, obj, metav1.CreateOptions{})
-	if err != nil {
-		return nil, fmt.Errorf("failed to CREATE resource, workload: '%s', reason: %s", workload.Json(), err.Error())
-	}
-	return NewWorkloadObj(w.Object), nil
-}
-
-func (k8sAPI *KubernetesApi) UpdateWorkload(workload *Workload) (*Workload, error) {
-	groupVersionResource, err := GetGroupVersionResource(workload.GetKind())
-	if err != nil {
-		return nil, err
-	}
-
-	obj, err := workload.ToUnstructured()
-	if err != nil {
-		return nil, err
-	}
-
-	w, err := k8sAPI.ResourceInterface(&groupVersionResource, workload.GetNamespace()).Update(k8sAPI.Context, obj, metav1.UpdateOptions{})
-	if err != nil {
-		return nil, fmt.Errorf("failed to UPDATE resource, workload: '%s', reason: %s", workload.Json(), err.Error())
-	}
-	return NewWorkloadObj(w.Object), nil
-}
-
-func (k8sAPI *KubernetesApi) GetNamespace(ns string) (*Workload, error) {
-	groupVersionResource, err := GetGroupVersionResource("namespace")
-	if err != nil {
-		return nil, err
-	}
-	w, err := k8sAPI.DynamicClient.Resource(groupVersionResource).Get(k8sAPI.Context, ns, metav1.GetOptions{})
-	if err != nil {
-		return nil, fmt.Errorf("failed to get namespace: '%s', reason: %s", ns, err.Error())
-	}
-	return NewWorkloadObj(w.Object), nil
-}
-
-func (k8sAPI *KubernetesApi) ResourceInterface(resource *schema.GroupVersionResource, namespace string) dynamic.ResourceInterface {
-	if IsNamespaceScope(resource.Group, resource.Resource) {
-		return k8sAPI.DynamicClient.Resource(*resource).Namespace(namespace)
-	}
-	return k8sAPI.DynamicClient.Resource(*resource)
-}
-
-func (k8sAPI *KubernetesApi) CalculateWorkloadParentRecursive(workload *Workload) (string, string, error) {
-	ownerReferences, err := workload.GetOwnerReferences() // OwnerReferences in workload
-	if err != nil {
-		return workload.GetKind(), workload.GetName(), err
-	}
-	if len(ownerReferences) == 0 {
-		return workload.GetKind(), workload.GetName(), nil // parent found
-	}
-	ownerReference := ownerReferences[0]
-
-	parentWorkload, err := k8sAPI.GetWorkload(workload.GetNamespace(), ownerReference.Kind, ownerReference.Name)
-	if err != nil {
-		if strings.Contains(err.Error(), "not found in resourceMap") { // if parent is RCD
-			return workload.GetKind(), workload.GetName(), nil // parent found
-		}
-		return workload.GetKind(), workload.GetName(), err
-	}
-	return k8sAPI.CalculateWorkloadParentRecursive(parentWorkload)
-}

cautils/k8sinterface/k8sdynamic_test.go

@@ -1,43 +0,0 @@
-package k8sinterface
-
-import (
-	"context"
-
-	"k8s.io/apimachinery/pkg/runtime"
-	dynamicfake "k8s.io/client-go/dynamic/fake"
-	kubernetesfake "k8s.io/client-go/kubernetes/fake"
-	//
-	// metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	// Uncomment to load all auth plugins
-	// _ "k8s.io/client-go/plugin/pkg/client/auth
-	//
-	// Or uncomment to load specific auth plugins
-	// _ "k8s.io/client-go/plugin/pkg/client/auth/azure"
-	// _ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
-	// _ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
-	// _ "k8s.io/client-go/plugin/pkg/client/auth/openstack"
-)
-
-// NewKubernetesApi -
-func NewKubernetesApiMock() *KubernetesApi {
-
-	return &KubernetesApi{
-		KubernetesClient: kubernetesfake.NewSimpleClientset(),
-		DynamicClient:    dynamicfake.NewSimpleDynamicClient(&runtime.Scheme{}),
-		Context:          context.Background(),
-	}
-}
-
-// func TestListDynamic(t *testing.T) {
-// 	k8s := NewKubernetesApi()
-// 	resource := schema.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
-// 	clientResource, err := k8s.DynamicClient.Resource(resource).Namespace("default").List(k8s.Context, metav1.ListOptions{})
-// 	if err != nil {
-// 		t.Errorf("err: %v", err)
-// 	} else {
-// 		bla, _ := json.Marshal(clientResource)
-// 		// t.Errorf("BearerToken: %v", *K8SConfig)
-// 		// ioutil.WriteFile("bla.json", bla, 777)
-// 		t.Errorf("clientResource: %s", string(bla))
-// 	}
-// }

cautils/k8sinterface/k8sdynamicutils.go

@@ -1,66 +0,0 @@
-package k8sinterface
-
-import (
-	"sort"
-	"strings"
-
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/labels"
-)
-
-//
-// Uncomment to load all auth plugins
-// _ "k8s.io/client-go/plugin/pkg/client/auth
-//
-// Or uncomment to load specific auth plugins
-// _ "k8s.io/client-go/plugin/pkg/client/auth/azure"
-// _ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
-// _ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
-// _ "k8s.io/client-go/plugin/pkg/client/auth/openstack"
-
-func ConvertUnstructuredSliceToMap(unstructuredSlice []unstructured.Unstructured) []map[string]interface{} {
-	converted := make([]map[string]interface{}, len(unstructuredSlice))
-	for i := range unstructuredSlice {
-		converted[i] = unstructuredSlice[i].Object
-	}
-	return converted
-}
-
-func FilterOutOwneredResources(result []unstructured.Unstructured) []unstructured.Unstructured {
-	response := []unstructured.Unstructured{}
-	recognizedOwners := []string{"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Job", "CronJob"}
-	for i := range result {
-		ownerReferences := result[i].GetOwnerReferences()
-		if len(ownerReferences) == 0 {
-			response = append(response, result[i])
-		} else if !IsStringInSlice(recognizedOwners, ownerReferences[0].Kind) {
-			response = append(response, result[i])
-		}
-	}
-	return response
-}
-
-func IsStringInSlice(slice []string, val string) bool {
-	for _, item := range slice {
-		if item == val {
-			return true
-		}
-	}
-	return false
-}
-
-// String returns all labels listed as a human readable string.
-// Conveniently, exactly the format that ParseSelector takes.
-func SelectorToString(ls labels.Set) string {
-	selector := make([]string, 0, len(ls))
-	for key, value := range ls {
-		if value != "" {
-			selector = append(selector, key+"="+value)
-		} else {
-			selector = append(selector, key)
-		}
-	}
-	// Sort for determinism.
-	sort.StringSlice(selector).Sort()
-	return strings.Join(selector, ",")
-}

cautils/k8sinterface/k8sdynamicutils_test.go

@@ -1,10 +0,0 @@
-package k8sinterface
-
-import "testing"
-
-func TestConvertUnstructuredSliceToMap(t *testing.T) {
-	converted := ConvertUnstructuredSliceToMap(V1KubeSystemNamespaceMock().Items)
-	if len(converted) == 0 { // != 7
-		t.Errorf("len(converted) == 0")
-	}
-}

cautils/k8sinterface/k8sstatic.go

@@ -1,71 +0,0 @@
-package k8sinterface
-
-import (
-	"context"
-
-	"kube-escape/cautils/cautils"
-
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/labels"
-)
-
-func IsAttached(labels map[string]string) *bool {
-	return IsLabel(labels, cautils.ArmoAttach)
-}
-
-func IsAgentCompatibleLabel(labels map[string]string) *bool {
-	return IsLabel(labels, cautils.ArmoCompatibleLabel)
-}
-func IsAgentCompatibleAnnotation(annotations map[string]string) *bool {
-	return IsLabel(annotations, cautils.ArmoCompatibleAnnotation)
-}
-func SetAgentCompatibleLabel(labels map[string]string, val bool) {
-	SetLabel(labels, cautils.ArmoCompatibleLabel, val)
-}
-func SetAgentCompatibleAnnotation(annotations map[string]string, val bool) {
-	SetLabel(annotations, cautils.ArmoCompatibleAnnotation, val)
-}
-func IsLabel(labels map[string]string, key string) *bool {
-	if labels == nil || len(labels) == 0 {
-		return nil
-	}
-	var k bool
-	if l, ok := labels[key]; ok {
-		if l == "true" {
-			k = true
-		} else if l == "false" {
-			k = false
-		}
-		return &k
-	}
-	return nil
-}
-func SetLabel(labels map[string]string, key string, val bool) {
-	if labels == nil {
-		return
-	}
-	v := ""
-	if val {
-		v = "true"
-	} else {
-		v = "false"
-	}
-	labels[key] = v
-}
-func (k8sAPI *KubernetesApi) ListAttachedPods(namespace string) ([]corev1.Pod, error) {
-	return k8sAPI.ListPods(namespace, map[string]string{cautils.ArmoAttach: cautils.BoolToString(true)})
-}
-
-func (k8sAPI *KubernetesApi) ListPods(namespace string, podLabels map[string]string) ([]corev1.Pod, error) {
-	listOptions := metav1.ListOptions{}
-	if podLabels != nil && len(podLabels) > 0 {
-		set := labels.Set(podLabels)
-		listOptions.LabelSelector = set.AsSelector().String()
-	}
-	pods, err := k8sAPI.KubernetesClient.CoreV1().Pods(namespace).List(context.Background(), listOptions)
-	if err != nil {
-		return []corev1.Pod{}, err
-	}
-	return pods.Items, nil
-}

cautils/k8sinterface/resourcegroupmapping.go

@@ -1,134 +0,0 @@
-package k8sinterface
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/golang/glog"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-const ValueNotFound = -1
-
-// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#-strong-api-groups-strong-
-var ResourceGroupMapping = map[string]string{
-	"services":                        "/v1",
-	"pods":                            "/v1",
-	"replicationcontrollers":          "/v1",
-	"podtemplates":                    "/v1",
-	"namespaces":                      "/v1",
-	"nodes":                           "/v1",
-	"configmaps":                      "/v1",
-	"secrets":                         "/v1",
-	"serviceaccounts":                 "/v1",
-	"persistentvolumeclaims":          "/v1",
-	"limitranges":                     "/v1",
-	"resourcequotas":                  "/v1",
-	"daemonsets":                      "apps/v1",
-	"deployments":                     "apps/v1",
-	"replicasets":                     "apps/v1",
-	"statefulsets":                    "apps/v1",
-	"controllerrevisions":             "apps/v1",
-	"jobs":                            "batch/v1",
-	"cronjobs":                        "batch/v1beta1",
-	"horizontalpodautoscalers":        "autoscaling/v1",
-	"ingresses":                       "extensions/v1beta1",
-	"networkpolicies":                 "networking.k8s.io/v1",
-	"clusterroles":                    "rbac.authorization.k8s.io/v1",
-	"clusterrolebindings":             "rbac.authorization.k8s.io/v1",
-	"roles":                           "rbac.authorization.k8s.io/v1",
-	"rolebindings":                    "rbac.authorization.k8s.io/v1",
-	"mutatingwebhookconfigurations":   "admissionregistration.k8s.io/v1",
-	"validatingwebhookconfigurations": "admissionregistration.k8s.io/v1",
-}
-
-var GroupsClusterScope = []string{}
-var ResourceClusterScope = []string{"nodes", "namespaces", "clusterroles", "clusterrolebindings"}
-
-func GetGroupVersionResource(resource string) (schema.GroupVersionResource, error) {
-	resource = strings.ToLower(resource)
-	if resource != "" && !strings.HasSuffix(resource, "s") {
-		resource = fmt.Sprintf("%ss", resource) // add 's' at the end of a resource
-	}
-	if r, ok := ResourceGroupMapping[resource]; ok {
-		gv := strings.Split(r, "/")
-		return schema.GroupVersionResource{Group: gv[0], Version: gv[1], Resource: resource}, nil
-	}
-	return schema.GroupVersionResource{}, fmt.Errorf("resource '%s' not found in resourceMap", resource)
-}
-
-func IsNamespaceScope(apiGroup, resource string) bool {
-	return StringInSlice(GroupsClusterScope, apiGroup) == ValueNotFound &&
-		StringInSlice(ResourceClusterScope, resource) == ValueNotFound
-}
-
-func StringInSlice(strSlice []string, str string) int {
-	for i := range strSlice {
-		if strSlice[i] == str {
-			return i
-		}
-	}
-	return ValueNotFound
-}
-
-func JoinResourceTriplets(group, version, resource string) string {
-	return fmt.Sprintf("%s/%s/%s", group, version, resource)
-}
-func GetResourceTriplets(group, version, resource string) []string {
-	resourceTriplets := []string{}
-	if resource == "" {
-		// load full map
-		for k, v := range ResourceGroupMapping {
-			g := strings.Split(v, "/")
-			resourceTriplets = append(resourceTriplets, JoinResourceTriplets(g[0], g[1], k))
-		}
-	} else if version == "" {
-		// load by resource
-		if v, ok := ResourceGroupMapping[resource]; ok {
-			g := strings.Split(v, "/")
-			if group == "" {
-				group = g[0]
-			}
-			resourceTriplets = append(resourceTriplets, JoinResourceTriplets(group, g[1], resource))
-		} else {
-			glog.Errorf("Resource '%s' unknown", resource)
-		}
-	} else if group == "" {
-		// load by resource and version
-		if v, ok := ResourceGroupMapping[resource]; ok {
-			g := strings.Split(v, "/")
-			resourceTriplets = append(resourceTriplets, JoinResourceTriplets(g[0], version, resource))
-		} else {
-			glog.Errorf("Resource '%s' unknown", resource)
-		}
-	} else {
-		resourceTriplets = append(resourceTriplets, JoinResourceTriplets(group, version, resource))
-	}
-	return resourceTriplets
-}
-func ResourceGroupToString(group, version, resource string) []string {
-	if group == "*" {
-		group = ""
-	}
-	if version == "*" {
-		version = ""
-	}
-	if resource == "*" {
-		resource = ""
-	}
-	resource = strings.ToLower(resource)
-	if resource != "" && !strings.HasSuffix(resource, "s") {
-		resource = fmt.Sprintf("%ss", resource) // add 's' at the end of a resource
-	}
-	return GetResourceTriplets(group, version, resource)
-}
-
-func StringToResourceGroup(str string) (string, string, string) {
-	splitted := strings.Split(str, "/")
-	for i := range splitted {
-		if splitted[i] == "*" {
-			splitted[i] = ""
-		}
-	}
-	return splitted[0], splitted[1], splitted[2]
-}

cautils/k8sinterface/resourcegroupmapping_test.go

@@ -1,22 +0,0 @@
-package k8sinterface
-
-import "testing"
-
-func TestResourceGroupToString(t *testing.T) {
-	allResources := ResourceGroupToString("*", "*", "*")
-	if len(allResources) != len(ResourceGroupMapping) {
-		t.Errorf("Expected len: %d, received: %d", len(ResourceGroupMapping), len(allResources))
-	}
-	pod := ResourceGroupToString("*", "*", "Pod")
-	if len(pod) == 0 || pod[0] != "/v1/pods" {
-		t.Errorf("pod: %v", pod)
-	}
-	deployments := ResourceGroupToString("*", "*", "Deployment")
-	if len(deployments) == 0 || deployments[0] != "apps/v1/deployments" {
-		t.Errorf("deployments: %v", deployments)
-	}
-	cronjobs := ResourceGroupToString("*", "*", "cronjobs")
-	if len(cronjobs) == 0 || cronjobs[0] != "batch/v1beta1/cronjobs" {
-		t.Errorf("cronjobs: %v", cronjobs)
-	}
-}

cautils/k8sinterface/workload.go

@@ -1,149 +0,0 @@
-package k8sinterface
-
-import (
-	"encoding/json"
-	"fmt"
-
-	"kube-escape/cautils/apis"
-
-	corev1 "k8s.io/api/core/v1"
-
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-)
-
-type IWorkload interface {
-	IBasicWorkload
-
-	// GET
-	GetWlid() string
-	GetJobID() *apis.JobTracking
-
-	// SET
-	SetWlid(string)
-	SetInject()
-	SetIgnore()
-	SetUpdateTime()
-	SetJobID(apis.JobTracking)
-	SetCompatible()
-	SetIncompatible()
-
-	// EXIST
-	IsIgnore() bool
-	IsInject() bool
-	IsAttached() bool
-	IsCompatible() bool
-	IsIncompatible() bool
-
-	// REMOVE
-	RemoveWlid()
-	RemoveInject()
-	RemoveIgnore()
-	RemoveUpdateTime()
-	RemoveJobID()
-	RemoveCompatible()
-	RemoveArmoMetadata()
-	RemoveArmoLabels()
-	RemoveArmoAnnotations()
-}
-type IBasicWorkload interface {
-
-	// Set
-	SetKind(string)
-	SetWorkload(map[string]interface{})
-	SetLabel(key, value string)
-	SetAnnotation(key, value string)
-	SetNamespace(string)
-	SetName(string)
-
-	// Get
-	GetNamespace() string
-	GetName() string
-	GetGenerateName() string
-	GetApiVersion() string
-	GetKind() string
-	GetInnerAnnotation() (string, bool)
-	GetPodAnnotation() (string, bool)
-	GetAnnotation(string) (string, bool)
-	GetLabel(string) (string, bool)
-	GetAnnotations() map[string]string
-	GetInnerAnnotations() map[string]string
-	GetPodAnnotations() map[string]string
-	GetLabels() map[string]string
-	GetInnerLabels() map[string]string
-	GetPodLabels() map[string]string
-	GetJobLabels() map[string]string
-	GetVolumes() []corev1.Volume
-	GetContainers() []corev1.Container
-	GetInitContainers() []corev1.Container
-	GetOwnerReferences() ([]metav1.OwnerReference, error)
-	GetImagePullSecret() ([]corev1.LocalObjectReference, error)
-	GetServiceAccountName() string
-	GetSelector() (*metav1.LabelSelector, error)
-	GetResourceVersion() string
-	GetUID() string
-
-	GetWorkload() map[string]interface{}
-
-	// REMOVE
-	RemoveLabel(string)
-	RemoveAnnotation(string)
-	RemovePodStatus()
-	RemoveResourceVersion()
-}
-
-type Workload struct {
-	workload map[string]interface{}
-}
-
-func NewWorkload(bWorkload []byte) (*Workload, error) {
-	workload := make(map[string]interface{})
-	if bWorkload != nil {
-		if err := json.Unmarshal(bWorkload, &workload); err != nil {
-			return nil, err
-		}
-	}
-	return &Workload{
-		workload: workload,
-	}, nil
-}
-
-func NewWorkloadObj(workload map[string]interface{}) *Workload {
-	return &Workload{
-		workload: workload,
-	}
-}
-
-func (w *Workload) Json() string {
-	if w.workload == nil {
-		return ""
-	}
-	bWorkload, err := json.Marshal(w.workload)
-	if err != nil {
-		return err.Error()
-	}
-	return fmt.Sprintf("%s", bWorkload)
-}
-
-func (workload *Workload) DeepCopy(w map[string]interface{}) {
-	workload.workload = make(map[string]interface{})
-	byt, _ := json.Marshal(w)
-	json.Unmarshal(byt, &workload.workload)
-}
-
-func (w *Workload) ToUnstructured() (*unstructured.Unstructured, error) {
-	obj := &unstructured.Unstructured{}
-	if w.workload == nil {
-		return obj, nil
-	}
-	bWorkload, err := json.Marshal(w.workload)
-	if err != nil {
-		return obj, err
-	}
-	if err := json.Unmarshal(bWorkload, obj); err != nil {
-		return obj, err
-
-	}
-
-	return obj, nil
-}

cautils/k8sinterface/workloadmethods.go

@@ -1,657 +0,0 @@
-package k8sinterface
-
-import (
-	"encoding/json"
-	"fmt"
-	"strconv"
-	"strings"
-	"time"
-
-	"kube-escape/cautils/apis"
-	"kube-escape/cautils/cautils"
-
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// ======================================= DELETE ========================================
-
-func (w *Workload) RemoveInject() {
-	w.RemovePodLabel(cautils.CAInject)      // DEPRECATED
-	w.RemovePodLabel(cautils.CAAttachLabel) // DEPRECATED
-	w.RemovePodLabel(cautils.ArmoAttach)
-
-	w.RemoveLabel(cautils.CAInject)      // DEPRECATED
-	w.RemoveLabel(cautils.CAAttachLabel) // DEPRECATED
-	w.RemoveLabel(cautils.ArmoAttach)
-}
-
-func (w *Workload) RemoveIgnore() {
-	w.RemovePodLabel(cautils.CAIgnore) // DEPRECATED
-	w.RemovePodLabel(cautils.ArmoAttach)
-
-	w.RemoveLabel(cautils.CAIgnore) // DEPRECATED
-	w.RemoveLabel(cautils.ArmoAttach)
-}
-
-func (w *Workload) RemoveWlid() {
-	w.RemovePodAnnotation(cautils.CAWlid) // DEPRECATED
-	w.RemovePodAnnotation(cautils.ArmoWlid)
-
-	w.RemoveAnnotation(cautils.CAWlid) // DEPRECATED
-	w.RemoveAnnotation(cautils.ArmoWlid)
-}
-
-func (w *Workload) RemoveCompatible() {
-	w.RemovePodAnnotation(cautils.ArmoCompatibleAnnotation)
-}
-func (w *Workload) RemoveJobID() {
-	w.RemovePodAnnotation(cautils.ArmoJobIDPath)
-	w.RemovePodAnnotation(cautils.ArmoJobParentPath)
-	w.RemovePodAnnotation(cautils.ArmoJobActionPath)
-
-	w.RemoveAnnotation(cautils.ArmoJobIDPath)
-	w.RemoveAnnotation(cautils.ArmoJobParentPath)
-	w.RemoveAnnotation(cautils.ArmoJobActionPath)
-}
-func (w *Workload) RemoveArmoMetadata() {
-	w.RemoveArmoLabels()
-	w.RemoveArmoAnnotations()
-}
-
-func (w *Workload) RemoveArmoAnnotations() {
-	l := w.GetAnnotations()
-	if l != nil {
-		for k := range l {
-			if strings.HasPrefix(k, cautils.ArmoPrefix) {
-				w.RemoveAnnotation(k)
-			}
-			if strings.HasPrefix(k, cautils.CAPrefix) { // DEPRECATED
-				w.RemoveAnnotation(k)
-			}
-		}
-	}
-	lp := w.GetPodAnnotations()
-	if lp != nil {
-		for k := range lp {
-			if strings.HasPrefix(k, cautils.ArmoPrefix) {
-				w.RemovePodAnnotation(k)
-			}
-			if strings.HasPrefix(k, cautils.CAPrefix) { // DEPRECATED
-				w.RemovePodAnnotation(k)
-			}
-		}
-	}
-}
-func (w *Workload) RemoveArmoLabels() {
-	l := w.GetLabels()
-	if l != nil {
-		for k := range l {
-			if strings.HasPrefix(k, cautils.ArmoPrefix) {
-				w.RemoveLabel(k)
-			}
-			if strings.HasPrefix(k, cautils.CAPrefix) { // DEPRECATED
-				w.RemoveLabel(k)
-			}
-		}
-	}
-	lp := w.GetPodLabels()
-	if lp != nil {
-		for k := range lp {
-			if strings.HasPrefix(k, cautils.ArmoPrefix) {
-				w.RemovePodLabel(k)
-			}
-			if strings.HasPrefix(k, cautils.CAPrefix) { // DEPRECATED
-				w.RemovePodLabel(k)
-			}
-		}
-	}
-}
-func (w *Workload) RemoveUpdateTime() {
-
-	// remove from pod
-	w.RemovePodAnnotation(cautils.CAUpdate) // DEPRECATED
-	w.RemovePodAnnotation(cautils.ArmoUpdate)
-
-	// remove from workload
-	w.RemoveAnnotation(cautils.CAUpdate) // DEPRECATED
-	w.RemoveAnnotation(cautils.ArmoUpdate)
-}
-
-func (w *Workload) RemovePodStatus() {
-	delete(w.workload, "status")
-}
-
-func (w *Workload) RemoveResourceVersion() {
-	if _, ok := w.workload["metadata"]; !ok {
-		return
-	}
-	meta, _ := w.workload["metadata"].(map[string]interface{})
-	delete(meta, "resourceVersion")
-}
-
-func (w *Workload) RemoveLabel(key string) {
-	w.RemoveMetadata([]string{"metadata"}, "labels", key)
-}
-
-func (w *Workload) RemoveAnnotation(key string) {
-	w.RemoveMetadata([]string{"metadata"}, "annotations", key)
-}
-
-func (w *Workload) RemovePodAnnotation(key string) {
-	w.RemoveMetadata(PodMetadata(w.GetKind()), "annotations", key)
-}
-
-func (w *Workload) RemovePodLabel(key string) {
-	w.RemoveMetadata(PodMetadata(w.GetKind()), "labels", key)
-}
-
-func (w *Workload) RemoveMetadata(scope []string, metadata, key string) {
-
-	workload := w.workload
-	for i := range scope {
-		if _, ok := workload[scope[i]]; !ok {
-			return
-		}
-		workload, _ = workload[scope[i]].(map[string]interface{})
-	}
-
-	if _, ok := workload[metadata]; !ok {
-		return
-	}
-
-	labels, _ := workload[metadata].(map[string]interface{})
-	delete(labels, key)
-
-}
-
-// ========================================= SET =========================================
-
-func (w *Workload) SetWorkload(workload map[string]interface{}) {
-	w.workload = workload
-}
-
-func (w *Workload) SetKind(kind string) {
-	w.workload["kind"] = kind
-}
-
-func (w *Workload) SetInject() {
-	w.SetPodLabel(cautils.ArmoAttach, cautils.BoolToString(true))
-}
-
-func (w *Workload) SetJobID(jobTracking apis.JobTracking) {
-	w.SetPodAnnotation(cautils.ArmoJobIDPath, jobTracking.JobID)
-	w.SetPodAnnotation(cautils.ArmoJobParentPath, jobTracking.ParentID)
-	w.SetPodAnnotation(cautils.ArmoJobActionPath, fmt.Sprintf("%d", jobTracking.LastActionNumber))
-}
-
-func (w *Workload) SetIgnore() {
-	w.SetPodLabel(cautils.ArmoAttach, cautils.BoolToString(false))
-}
-
-func (w *Workload) SetCompatible() {
-	w.SetPodAnnotation(cautils.ArmoCompatibleAnnotation, cautils.BoolToString(true))
-}
-
-func (w *Workload) SetIncompatible() {
-	w.SetPodAnnotation(cautils.ArmoCompatibleAnnotation, cautils.BoolToString(false))
-}
-
-func (w *Workload) SetReplaceheaders() {
-	w.SetPodAnnotation(cautils.ArmoReplaceheaders, cautils.BoolToString(true))
-}
-
-func (w *Workload) SetWlid(wlid string) {
-	w.SetPodAnnotation(cautils.ArmoWlid, wlid)
-}
-
-func (w *Workload) SetUpdateTime() {
-	w.SetPodAnnotation(cautils.ArmoUpdate, string(time.Now().UTC().Format("02-01-2006 15:04:05")))
-}
-
-func (w *Workload) SetNamespace(namespace string) {
-	w.SetMetadata([]string{"metadata"}, "namespace", namespace)
-}
-
-func (w *Workload) SetName(name string) {
-	w.SetMetadata([]string{"metadata"}, "name", name)
-}
-
-func (w *Workload) SetLabel(key, value string) {
-	w.SetMetadata([]string{"metadata", "labels"}, key, value)
-}
-
-func (w *Workload) SetPodLabel(key, value string) {
-	w.SetMetadata(append(PodMetadata(w.GetKind()), "labels"), key, value)
-}
-func (w *Workload) SetAnnotation(key, value string) {
-	w.SetMetadata([]string{"metadata", "annotations"}, key, value)
-}
-func (w *Workload) SetPodAnnotation(key, value string) {
-	w.SetMetadata(append(PodMetadata(w.GetKind()), "annotations"), key, value)
-}
-
-func (w *Workload) SetMetadata(scope []string, key string, val interface{}) {
-	workload := w.workload
-	for i := range scope {
-		if _, ok := workload[scope[i]]; !ok {
-			workload[scope[i]] = make(map[string]interface{})
-		}
-		workload, _ = workload[scope[i]].(map[string]interface{})
-	}
-
-	workload[key] = val
-}
-
-// ========================================= GET =========================================
-func (w *Workload) GetWorkload() map[string]interface{} {
-	return w.workload
-}
-func (w *Workload) GetNamespace() string {
-	if v, ok := InspectWorkload(w.workload, "metadata", "namespace"); ok {
-		return v.(string)
-	}
-	return ""
-}
-
-func (w *Workload) GetName() string {
-	if v, ok := InspectWorkload(w.workload, "metadata", "name"); ok {
-		return v.(string)
-	}
-	return ""
-}
-
-func (w *Workload) GetApiVersion() string {
-	if v, ok := InspectWorkload(w.workload, "apiVersion"); ok {
-		return v.(string)
-	}
-	return ""
-}
-
-func (w *Workload) GetGenerateName() string {
-	if v, ok := InspectWorkload(w.workload, "metadata", "generateName"); ok {
-		return v.(string)
-	}
-	return ""
-}
-
-func (w *Workload) GetKind() string {
-	if v, ok := InspectWorkload(w.workload, "kind"); ok {
-		return v.(string)
-	}
-	return ""
-}
-func (w *Workload) GetSelector() (*metav1.LabelSelector, error) {
-	selector := &metav1.LabelSelector{}
-	if v, ok := InspectWorkload(w.workload, "spec", "selector", "matchLabels"); ok && v != nil {
-		b, err := json.Marshal(v)
-		if err != nil {
-			return selector, err
-		}
-		if err := json.Unmarshal(b, selector); err != nil {
-			return selector, err
-		}
-		return selector, nil
-	}
-	return selector, nil
-}
-
-func (w *Workload) GetAnnotation(annotation string) (string, bool) {
-	if v, ok := InspectWorkload(w.workload, "metadata", "annotations", annotation); ok {
-		return v.(string), ok
-	}
-	return "", false
-}
-func (w *Workload) GetLabel(label string) (string, bool) {
-	if v, ok := InspectWorkload(w.workload, "metadata", "labels", label); ok {
-		return v.(string), ok
-	}
-	return "", false
-}
-
-func (w *Workload) GetPodLabel(label string) (string, bool) {
-	if v, ok := InspectWorkload(w.workload, append(PodMetadata(w.GetKind()), "labels", label)...); ok && v != nil {
-		return v.(string), ok
-	}
-	return "", false
-}
-
-func (w *Workload) GetLabels() map[string]string {
-	if v, ok := InspectWorkload(w.workload, "metadata", "labels"); ok && v != nil {
-		labels := make(map[string]string)
-		for k, i := range v.(map[string]interface{}) {
-			labels[k] = i.(string)
-		}
-		return labels
-	}
-	return nil
-}
-
-// GetInnerLabels - DEPRECATED
-func (w *Workload) GetInnerLabels() map[string]string {
-	return w.GetPodLabels()
-}
-
-func (w *Workload) GetPodLabels() map[string]string {
-	if v, ok := InspectWorkload(w.workload, append(PodMetadata(w.GetKind()), "labels")...); ok && v != nil {
-		labels := make(map[string]string)
-		for k, i := range v.(map[string]interface{}) {
-			labels[k] = i.(string)
-		}
-		return labels
-	}
-	return nil
-}
-
-// GetInnerAnnotations - DEPRECATED
-func (w *Workload) GetInnerAnnotations() map[string]string {
-	return w.GetPodAnnotations()
-}
-
-// GetPodAnnotations
-func (w *Workload) GetPodAnnotations() map[string]string {
-	if v, ok := InspectWorkload(w.workload, append(PodMetadata(w.GetKind()), "annotations")...); ok && v != nil {
-		annotations := make(map[string]string)
-		for k, i := range v.(map[string]interface{}) {
-			annotations[k] = fmt.Sprintf("%v", i)
-		}
-		return annotations
-	}
-	return nil
-}
-
-// GetInnerAnnotation DEPRECATED
-func (w *Workload) GetInnerAnnotation(annotation string) (string, bool) {
-	return w.GetPodAnnotation(annotation)
-}
-
-func (w *Workload) GetPodAnnotation(annotation string) (string, bool) {
-	if v, ok := InspectWorkload(w.workload, append(PodMetadata(w.GetKind()), "annotations", annotation)...); ok && v != nil {
-		return v.(string), ok
-	}
-	return "", false
-}
-
-func (w *Workload) GetAnnotations() map[string]string {
-	if v, ok := InspectWorkload(w.workload, "metadata", "annotations"); ok && v != nil {
-		annotations := make(map[string]string)
-		for k, i := range v.(map[string]interface{}) {
-			annotations[k] = fmt.Sprintf("%v", i)
-		}
-		return annotations
-	}
-	return nil
-}
-
-// GetVolumes -
-func (w *Workload) GetVolumes() ([]corev1.Volume, error) {
-	volumes := []corev1.Volume{}
-
-	interVolumes, _ := InspectWorkload(w.workload, append(PodSpec(w.GetKind()), "volumes")...)
-	if interVolumes == nil {
-		return volumes, nil
-	}
-	volumesBytes, err := json.Marshal(interVolumes)
-	if err != nil {
-		return volumes, err
-	}
-	err = json.Unmarshal(volumesBytes, &volumes)
-
-	return volumes, err
-}
-
-func (w *Workload) GetServiceAccountName() string {
-
-	if v, ok := InspectWorkload(w.workload, append(PodSpec(w.GetKind()), "serviceAccountName")...); ok && v != nil {
-		return v.(string)
-	}
-	return ""
-}
-
-func (w *Workload) GetPodSpec() (*corev1.PodSpec, error) {
-	podSpec := &corev1.PodSpec{}
-	podSepcRaw, _ := InspectWorkload(w.workload, PodSpec(w.GetKind())...)
-	if podSepcRaw == nil {
-		return podSpec, fmt.Errorf("no PodSpec for workload: %v", w)
-	}
-	b, err := json.Marshal(podSepcRaw)
-	if err != nil {
-		return podSpec, err
-	}
-	err = json.Unmarshal(b, podSpec)
-
-	return podSpec, err
-}
-
-func (w *Workload) GetImagePullSecret() ([]corev1.LocalObjectReference, error) {
-	imgPullSecrets := []corev1.LocalObjectReference{}
-
-	iImgPullSecrets, _ := InspectWorkload(w.workload, append(PodSpec(w.GetKind()), "imagePullSecrets")...)
-	b, err := json.Marshal(iImgPullSecrets)
-	if err != nil {
-		return imgPullSecrets, err
-	}
-	err = json.Unmarshal(b, &imgPullSecrets)
-
-	return imgPullSecrets, err
-}
-
-// GetContainers -
-func (w *Workload) GetContainers() ([]corev1.Container, error) {
-	containers := []corev1.Container{}
-
-	interContainers, _ := InspectWorkload(w.workload, append(PodSpec(w.GetKind()), "containers")...)
-	if interContainers == nil {
-		return containers, nil
-	}
-	containersBytes, err := json.Marshal(interContainers)
-	if err != nil {
-		return containers, err
-	}
-	err = json.Unmarshal(containersBytes, &containers)
-
-	return containers, err
-}
-
-// GetContainers -
-func (w *Workload) GetInitContainers() ([]corev1.Container, error) {
-	containers := []corev1.Container{}
-
-	interContainers, _ := InspectWorkload(w.workload, append(PodSpec(w.GetKind()), "initContainers")...)
-	if interContainers == nil {
-		return containers, nil
-	}
-	containersBytes, err := json.Marshal(interContainers)
-	if err != nil {
-		return containers, err
-	}
-	err = json.Unmarshal(containersBytes, &containers)
-
-	return containers, err
-}
-
-// GetOwnerReferences -
-func (w *Workload) GetOwnerReferences() ([]metav1.OwnerReference, error) {
-	ownerReferences := []metav1.OwnerReference{}
-	interOwnerReferences, ok := InspectWorkload(w.workload, "metadata", "ownerReferences")
-	if !ok {
-		return ownerReferences, nil
-	}
-
-	ownerReferencesBytes, err := json.Marshal(interOwnerReferences)
-	if err != nil {
-		return ownerReferences, err
-	}
-	err = json.Unmarshal(ownerReferencesBytes, &ownerReferences)
-	if err != nil {
-		return ownerReferences, err
-
-	}
-	return ownerReferences, nil
-}
-func (w *Workload) GetResourceVersion() string {
-	if v, ok := InspectWorkload(w.workload, "metadata", "resourceVersion"); ok {
-		return v.(string)
-	}
-	return ""
-}
-func (w *Workload) GetUID() string {
-	if v, ok := InspectWorkload(w.workload, "metadata", "uid"); ok {
-		return v.(string)
-	}
-	return ""
-}
-func (w *Workload) GetWlid() string {
-	if wlid, ok := w.GetAnnotation(cautils.ArmoWlid); ok {
-		return wlid
-	}
-	return ""
-}
-
-func (w *Workload) GetJobID() *apis.JobTracking {
-	jobTracking := apis.JobTracking{}
-	if job, ok := w.GetPodAnnotation(cautils.ArmoJobIDPath); ok {
-		jobTracking.JobID = job
-	}
-	if parent, ok := w.GetPodAnnotation(cautils.ArmoJobParentPath); ok {
-		jobTracking.ParentID = parent
-	}
-	if action, ok := w.GetPodAnnotation(cautils.ArmoJobActionPath); ok {
-		if i, err := strconv.Atoi(action); err == nil {
-			jobTracking.LastActionNumber = i
-		}
-	}
-	if jobTracking.LastActionNumber == 0 { // start the counter at 1
-		jobTracking.LastActionNumber = 1
-	}
-	return &jobTracking
-}
-
-// func (w *Workload) GetJobID() string {
-// 	if status, ok := w.GetAnnotation(cautils.ArmoJobID); ok {
-// 		return status
-// 	}
-// 	return ""
-// }
-
-// ========================================= IS =========================================
-
-func (w *Workload) IsInject() bool {
-	return w.IsAttached()
-}
-
-func (w *Workload) IsIgnore() bool {
-	if attach := cautils.IsAttached(w.GetPodLabels()); attach != nil {
-		return !(*attach)
-	}
-	if attach := cautils.IsAttached(w.GetLabels()); attach != nil {
-		return !(*attach)
-	}
-	return false
-}
-
-func (w *Workload) IsCompatible() bool {
-	if c, ok := w.GetPodAnnotation(cautils.ArmoCompatibleAnnotation); ok {
-		return cautils.StringToBool(c)
-
-	}
-	if c, ok := w.GetAnnotation(cautils.ArmoCompatibleAnnotation); ok {
-		return cautils.StringToBool(c)
-
-	}
-	return false
-}
-
-func (w *Workload) IsIncompatible() bool {
-	if c, ok := w.GetPodAnnotation(cautils.ArmoCompatibleAnnotation); ok {
-		return !cautils.StringToBool(c)
-	}
-	if c, ok := w.GetAnnotation(cautils.ArmoCompatibleAnnotation); ok {
-		return !cautils.StringToBool(c)
-	}
-	return false
-}
-func (w *Workload) IsAttached() bool {
-	if attach := cautils.IsAttached(w.GetPodLabels()); attach != nil {
-		return *attach
-	}
-	if attach := cautils.IsAttached(w.GetLabels()); attach != nil {
-		return *attach
-	}
-	return false
-}
-
-func (w *Workload) IsReplaceheaders() bool {
-	if c, ok := w.GetPodAnnotation(cautils.ArmoReplaceheaders); ok {
-		return cautils.StringToBool(c)
-	}
-	return false
-}
-
-// ======================================= UTILS =========================================
-
-// InspectWorkload -
-func InspectWorkload(workload interface{}, scopes ...string) (val interface{}, k bool) {
-
-	val, k = nil, false
-	if len(scopes) == 0 {
-		if workload != nil {
-			return workload, true
-		}
-		return nil, false
-	}
-	if data, ok := workload.(map[string]interface{}); ok {
-		val, k = InspectWorkload(data[scopes[0]], scopes[1:]...)
-	}
-	return val, k
-
-}
-
-// // InspectWorkload -
-// func InjectWorkload(workload interface{}, scopes []string, val string) {
-
-// 	if len(scopes) == 0 {
-
-// 	}
-// 	if data, ok := workload.(map[string]interface{}); ok {
-// 		InjectWorkload(data[scopes[0]], scopes[1:], val)
-// 	} else {
-
-// 	}
-
-// }
-
-// InjectWorkload -
-// func InjectWorkload(workload interface{}, scopes []string, val string) {
-
-// 	if len(scopes) == 0 {
-// 		workload = ""
-// 	}
-// 	if data, ok := workload.(map[string]interface{}); ok {
-// 		d := InjectWorkload(data[scopes[0]], scopes[1:], val)
-// 		data[scopes[0]] = d
-// 		return data
-// 	} else {
-
-// 	}
-
-// }
-// func (w *Workload) SetNamespace(ns string) {
-
-// 	if v, k := w.workload["metadata"]; k {
-// 		if vv, kk := v.(map[string]interface{}); kk {
-// 			vv["namespace"] = ""
-// 			// if v3, k3 := w.workload["namespace"]; k3 {
-// 			// 	if v4, k4 := v.(map[string]interface{}); kk {
-
-// 			// 	}
-// 			// }
-// 			v = vv
-// 		}
-// 		w.workload = v
-// 	}
-// 	// if data, ok := w.workload.(map[string]interface{}); ok {
-// 	// 	val, k = InspectWorkload(data[scopes[0]], scopes[1:]...)
-// 	// }
-
-// }

cautils/k8sinterface/workloadmethods_test.go

@@ -1,155 +0,0 @@
-package k8sinterface
-
-import (
-	"testing"
-)
-
-// ========================================= IS =========================================
-
-func TestLabels(t *testing.T) {
-	w := `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"deployment.kubernetes.io/revision":"1"},"creationTimestamp":"2021-05-03T13:10:32Z","generation":1,"labels":{"app":"demoservice-server","cyberarmor.inject":"true"},"managedFields":[{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:app":{},"f:cyberarmor.inject":{}}},"f:spec":{"f:progressDeadlineSeconds":{},"f:replicas":{},"f:revisionHistoryLimit":{},"f:selector":{},"f:strategy":{"f:rollingUpdate":{".":{},"f:maxSurge":{},"f:maxUnavailable":{}},"f:type":{}},"f:template":{"f:metadata":{"f:labels":{".":{},"f:app":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"demoservice\"}":{".":{},"f:env":{".":{},"k:{\"name\":\"ARMO_TEST_NAME\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"CAA_ENABLE_CRASH_REPORTER\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"DEMO_FOLDERS\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SERVER_PORT\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SLEEP_DURATION\"}":{".":{},"f:name":{},"f:value":{}}},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:ports":{".":{},"k:{\"containerPort\":8089,\"protocol\":\"TCP\"}":{".":{},"f:containerPort":{},"f:protocol":{}}},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{}}}}},"manager":"OpenAPI-Generator","operation":"Update","time":"2021-05-03T13:10:32Z"},{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:deployment.kubernetes.io/revision":{}}},"f:status":{"f:availableReplicas":{},"f:conditions":{".":{},"k:{\"type\":\"Available\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Progressing\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}}},"f:observedGeneration":{},"f:readyReplicas":{},"f:replicas":{},"f:updatedReplicas":{}}},"manager":"kube-controller-manager","operation":"Update","time":"2021-05-03T13:52:58Z"}],"name":"demoservice-server","namespace":"default","resourceVersion":"1016043","uid":"e9e8a3e9-6cb4-4301-ace1-2c0cef3bd61e"},"spec":{"progressDeadlineSeconds":600,"replicas":1,"revisionHistoryLimit":10,"selector":{"matchLabels":{"app":"demoservice-server"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"demoservice-server"}},"spec":{"containers":[{"env":[{"name":"SERVER_PORT","value":"8089"},{"name":"SLEEP_DURATION","value":"1"},{"name":"DEMO_FOLDERS","value":"/app"},{"name":"ARMO_TEST_NAME","value":"auto_attach_deployment"},{"name":"CAA_ENABLE_CRASH_REPORTER","value":"1"}],"image":"quay.io/armosec/demoservice:v25","imagePullPolicy":"IfNotPresent","name":"demoservice","ports":[{"containerPort":8089,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30}}},"status":{"availableReplicas":1,"conditions":[{"lastTransitionTime":"2021-05-03T13:10:32Z","lastUpdateTime":"2021-05-03T13:10:37Z","message":"ReplicaSet \"demoservice-server-7d478b6998\" has successfully progressed.","reason":"NewReplicaSetAvailable","status":"True","type":"Progressing"},{"lastTransitionTime":"2021-05-03T13:52:58Z","lastUpdateTime":"2021-05-03T13:52:58Z","message":"Deployment has minimum availability.","reason":"MinimumReplicasAvailable","status":"True","type":"Available"}],"observedGeneration":1,"readyReplicas":1,"replicas":1,"updatedReplicas":1}}`
-	workload, err := NewWorkload([]byte(w))
-	if err != nil {
-		t.Errorf(err.Error())
-	}
-	if workload.GetKind() != "Deployment" {
-		t.Errorf("wrong kind")
-	}
-	if workload.GetNamespace() != "default" {
-		t.Errorf("wrong namespace")
-	}
-	if workload.GetName() != "demoservice-server" {
-		t.Errorf("wrong name")
-	}
-	if !workload.IsInject() {
-		t.Errorf("expect to find inject label")
-	}
-	if workload.IsIgnore() {
-		t.Errorf("expect to find ignore label")
-	}
-}
-
-func TestSetNamespace(t *testing.T) {
-	w := `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"demoservice-server"},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"demoservice-server"}},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"demoservice-server"}},"spec":{"containers":[{"env":[{"name":"SERVER_PORT","value":"8089"},{"name":"SLEEP_DURATION","value":"1"},{"name":"DEMO_FOLDERS","value":"/app"},{"name":"ARMO_TEST_NAME","value":"auto_attach_deployment"},{"name":"CAA_ENABLE_CRASH_REPORTER","value":"1"}],"image":"quay.io/armosec/demoservice:v25","imagePullPolicy":"IfNotPresent","name":"demoservice","ports":[{"containerPort":8089,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30}}}}`
-	workload, err := NewWorkload([]byte(w))
-	if err != nil {
-		t.Errorf(err.Error())
-	}
-	workload.SetNamespace("default")
-	if workload.GetNamespace() != "default" {
-		t.Errorf("wrong namespace")
-	}
-}
-func TestSetLabels(t *testing.T) {
-	w := `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"deployment.kubernetes.io/revision":"1"},"creationTimestamp":"2021-05-03T13:10:32Z","generation":1,"managedFields":[{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:app":{},"f:cyberarmor.inject":{}}},"f:spec":{"f:progressDeadlineSeconds":{},"f:replicas":{},"f:revisionHistoryLimit":{},"f:selector":{},"f:strategy":{"f:rollingUpdate":{".":{},"f:maxSurge":{},"f:maxUnavailable":{}},"f:type":{}},"f:template":{"f:metadata":{"f:labels":{".":{},"f:app":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"demoservice\"}":{".":{},"f:env":{".":{},"k:{\"name\":\"ARMO_TEST_NAME\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"CAA_ENABLE_CRASH_REPORTER\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"DEMO_FOLDERS\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SERVER_PORT\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SLEEP_DURATION\"}":{".":{},"f:name":{},"f:value":{}}},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:ports":{".":{},"k:{\"containerPort\":8089,\"protocol\":\"TCP\"}":{".":{},"f:containerPort":{},"f:protocol":{}}},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{}}}}},"manager":"OpenAPI-Generator","operation":"Update","time":"2021-05-03T13:10:32Z"},{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:deployment.kubernetes.io/revision":{}}},"f:status":{"f:availableReplicas":{},"f:conditions":{".":{},"k:{\"type\":\"Available\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Progressing\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}}},"f:observedGeneration":{},"f:readyReplicas":{},"f:replicas":{},"f:updatedReplicas":{}}},"manager":"kube-controller-manager","operation":"Update","time":"2021-05-03T13:52:58Z"}],"name":"demoservice-server","namespace":"default","resourceVersion":"1016043","uid":"e9e8a3e9-6cb4-4301-ace1-2c0cef3bd61e"},"spec":{"progressDeadlineSeconds":600,"replicas":1,"revisionHistoryLimit":10,"selector":{"matchLabels":{"app":"demoservice-server"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"demoservice-server"}},"spec":{"containers":[{"env":[{"name":"SERVER_PORT","value":"8089"},{"name":"SLEEP_DURATION","value":"1"},{"name":"DEMO_FOLDERS","value":"/app"},{"name":"ARMO_TEST_NAME","value":"auto_attach_deployment"},{"name":"CAA_ENABLE_CRASH_REPORTER","value":"1"}],"image":"quay.io/armosec/demoservice:v25","imagePullPolicy":"IfNotPresent","name":"demoservice","ports":[{"containerPort":8089,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30}}},"status":{"availableReplicas":1,"conditions":[{"lastTransitionTime":"2021-05-03T13:10:32Z","lastUpdateTime":"2021-05-03T13:10:37Z","message":"ReplicaSet \"demoservice-server-7d478b6998\" has successfully progressed.","reason":"NewReplicaSetAvailable","status":"True","type":"Progressing"},{"lastTransitionTime":"2021-05-03T13:52:58Z","lastUpdateTime":"2021-05-03T13:52:58Z","message":"Deployment has minimum availability.","reason":"MinimumReplicasAvailable","status":"True","type":"Available"}],"observedGeneration":1,"readyReplicas":1,"replicas":1,"updatedReplicas":1}}`
-	workload, err := NewWorkload([]byte(w))
-	if err != nil {
-		t.Errorf(err.Error())
-	}
-	workload.SetLabel("bla", "daa")
-	v, ok := workload.GetLabel("bla")
-	if !ok || v != "daa" {
-		t.Errorf("expect to find label")
-	}
-	workload.RemoveLabel("bla")
-	v2, ok2 := workload.GetLabel("bla")
-	if ok2 || v2 == "daa" {
-		t.Errorf("label not deleted")
-	}
-}
-
-func TestSetAnnotations(t *testing.T) {
-	w := `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"deployment.kubernetes.io/revision":"1"},"creationTimestamp":"2021-05-03T13:10:32Z","generation":1,"managedFields":[{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:app":{},"f:cyberarmor.inject":{}}},"f:spec":{"f:progressDeadlineSeconds":{},"f:replicas":{},"f:revisionHistoryLimit":{},"f:selector":{},"f:strategy":{"f:rollingUpdate":{".":{},"f:maxSurge":{},"f:maxUnavailable":{}},"f:type":{}},"f:template":{"f:metadata":{"f:labels":{".":{},"f:app":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"demoservice\"}":{".":{},"f:env":{".":{},"k:{\"name\":\"ARMO_TEST_NAME\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"CAA_ENABLE_CRASH_REPORTER\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"DEMO_FOLDERS\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SERVER_PORT\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SLEEP_DURATION\"}":{".":{},"f:name":{},"f:value":{}}},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:ports":{".":{},"k:{\"containerPort\":8089,\"protocol\":\"TCP\"}":{".":{},"f:containerPort":{},"f:protocol":{}}},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{}}}}},"manager":"OpenAPI-Generator","operation":"Update","time":"2021-05-03T13:10:32Z"},{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:deployment.kubernetes.io/revision":{}}},"f:status":{"f:availableReplicas":{},"f:conditions":{".":{},"k:{\"type\":\"Available\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Progressing\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}}},"f:observedGeneration":{},"f:readyReplicas":{},"f:replicas":{},"f:updatedReplicas":{}}},"manager":"kube-controller-manager","operation":"Update","time":"2021-05-03T13:52:58Z"}],"name":"demoservice-server","namespace":"default","resourceVersion":"1016043","uid":"e9e8a3e9-6cb4-4301-ace1-2c0cef3bd61e"},"spec":{"progressDeadlineSeconds":600,"replicas":1,"revisionHistoryLimit":10,"selector":{"matchLabels":{"app":"demoservice-server"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"demoservice-server"}},"spec":{"containers":[{"env":[{"name":"SERVER_PORT","value":"8089"},{"name":"SLEEP_DURATION","value":"1"},{"name":"DEMO_FOLDERS","value":"/app"},{"name":"ARMO_TEST_NAME","value":"auto_attach_deployment"},{"name":"CAA_ENABLE_CRASH_REPORTER","value":"1"}],"image":"quay.io/armosec/demoservice:v25","imagePullPolicy":"IfNotPresent","name":"demoservice","ports":[{"containerPort":8089,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30}}},"status":{"availableReplicas":1,"conditions":[{"lastTransitionTime":"2021-05-03T13:10:32Z","lastUpdateTime":"2021-05-03T13:10:37Z","message":"ReplicaSet \"demoservice-server-7d478b6998\" has successfully progressed.","reason":"NewReplicaSetAvailable","status":"True","type":"Progressing"},{"lastTransitionTime":"2021-05-03T13:52:58Z","lastUpdateTime":"2021-05-03T13:52:58Z","message":"Deployment has minimum availability.","reason":"MinimumReplicasAvailable","status":"True","type":"Available"}],"observedGeneration":1,"readyReplicas":1,"replicas":1,"updatedReplicas":1}}`
-	workload, err := NewWorkload([]byte(w))
-	if err != nil {
-		t.Errorf(err.Error())
-	}
-	workload.SetAnnotation("bla", "daa")
-	v, ok := workload.GetAnnotation("bla")
-	if !ok || v != "daa" {
-		t.Errorf("expect to find annotation")
-	}
-	workload.RemoveAnnotation("bla")
-	v2, ok2 := workload.GetAnnotation("bla")
-	if ok2 || v2 == "daa" {
-		t.Errorf("annotation not deleted")
-	}
-}
-func TestSetPodLabels(t *testing.T) {
-	w := `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"deployment.kubernetes.io/revision":"1"},"creationTimestamp":"2021-05-03T13:10:32Z","generation":1,"managedFields":[{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:app":{},"f:cyberarmor.inject":{}}},"f:spec":{"f:progressDeadlineSeconds":{},"f:replicas":{},"f:revisionHistoryLimit":{},"f:selector":{},"f:strategy":{"f:rollingUpdate":{".":{},"f:maxSurge":{},"f:maxUnavailable":{}},"f:type":{}},"f:template":{"f:metadata":{"f:labels":{".":{},"f:app":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"demoservice\"}":{".":{},"f:env":{".":{},"k:{\"name\":\"ARMO_TEST_NAME\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"CAA_ENABLE_CRASH_REPORTER\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"DEMO_FOLDERS\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SERVER_PORT\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SLEEP_DURATION\"}":{".":{},"f:name":{},"f:value":{}}},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:ports":{".":{},"k:{\"containerPort\":8089,\"protocol\":\"TCP\"}":{".":{},"f:containerPort":{},"f:protocol":{}}},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{}}}}},"manager":"OpenAPI-Generator","operation":"Update","time":"2021-05-03T13:10:32Z"},{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:deployment.kubernetes.io/revision":{}}},"f:status":{"f:availableReplicas":{},"f:conditions":{".":{},"k:{\"type\":\"Available\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Progressing\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}}},"f:observedGeneration":{},"f:readyReplicas":{},"f:replicas":{},"f:updatedReplicas":{}}},"manager":"kube-controller-manager","operation":"Update","time":"2021-05-03T13:52:58Z"}],"name":"demoservice-server","namespace":"default","resourceVersion":"1016043","uid":"e9e8a3e9-6cb4-4301-ace1-2c0cef3bd61e"},"spec":{"progressDeadlineSeconds":600,"replicas":1,"revisionHistoryLimit":10,"selector":{"matchLabels":{"app":"demoservice-server"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"demoservice-server"}},"spec":{"containers":[{"env":[{"name":"SERVER_PORT","value":"8089"},{"name":"SLEEP_DURATION","value":"1"},{"name":"DEMO_FOLDERS","value":"/app"},{"name":"ARMO_TEST_NAME","value":"auto_attach_deployment"},{"name":"CAA_ENABLE_CRASH_REPORTER","value":"1"}],"image":"quay.io/armosec/demoservice:v25","imagePullPolicy":"IfNotPresent","name":"demoservice","ports":[{"containerPort":8089,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30}}},"status":{"availableReplicas":1,"conditions":[{"lastTransitionTime":"2021-05-03T13:10:32Z","lastUpdateTime":"2021-05-03T13:10:37Z","message":"ReplicaSet \"demoservice-server-7d478b6998\" has successfully progressed.","reason":"NewReplicaSetAvailable","status":"True","type":"Progressing"},{"lastTransitionTime":"2021-05-03T13:52:58Z","lastUpdateTime":"2021-05-03T13:52:58Z","message":"Deployment has minimum availability.","reason":"MinimumReplicasAvailable","status":"True","type":"Available"}],"observedGeneration":1,"readyReplicas":1,"replicas":1,"updatedReplicas":1}}`
-	workload, err := NewWorkload([]byte(w))
-	if err != nil {
-		t.Errorf(err.Error())
-	}
-	workload.SetPodLabel("bla", "daa")
-	v, ok := workload.GetPodLabel("bla")
-	if !ok || v != "daa" {
-		t.Errorf("expect to find label")
-	}
-	workload.RemovePodLabel("bla")
-	v2, ok2 := workload.GetPodLabel("bla")
-	if ok2 || v2 == "daa" {
-		t.Errorf("label not deleted")
-	}
-}
-func TestRemoveArmo(t *testing.T) {
-	w := `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"deployment.kubernetes.io/revision":"1"},"creationTimestamp":"2021-05-03T13:10:32Z","generation":1,"managedFields":[{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:app":{},"f:cyberarmor.inject":{}}},"f:spec":{"f:progressDeadlineSeconds":{},"f:replicas":{},"f:revisionHistoryLimit":{},"f:selector":{},"f:strategy":{"f:rollingUpdate":{".":{},"f:maxSurge":{},"f:maxUnavailable":{}},"f:type":{}},"f:template":{"f:metadata":{"f:labels":{".":{},"f:app":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"demoservice\"}":{".":{},"f:env":{".":{},"k:{\"name\":\"ARMO_TEST_NAME\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"CAA_ENABLE_CRASH_REPORTER\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"DEMO_FOLDERS\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SERVER_PORT\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SLEEP_DURATION\"}":{".":{},"f:name":{},"f:value":{}}},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:ports":{".":{},"k:{\"containerPort\":8089,\"protocol\":\"TCP\"}":{".":{},"f:containerPort":{},"f:protocol":{}}},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{}}}}},"manager":"OpenAPI-Generator","operation":"Update","time":"2021-05-03T13:10:32Z"},{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:deployment.kubernetes.io/revision":{}}},"f:status":{"f:availableReplicas":{},"f:conditions":{".":{},"k:{\"type\":\"Available\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Progressing\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}}},"f:observedGeneration":{},"f:readyReplicas":{},"f:replicas":{},"f:updatedReplicas":{}}},"manager":"kube-controller-manager","operation":"Update","time":"2021-05-03T13:52:58Z"}],"name":"demoservice-server","namespace":"default","resourceVersion":"1016043","uid":"e9e8a3e9-6cb4-4301-ace1-2c0cef3bd61e"},"spec":{"progressDeadlineSeconds":600,"replicas":1,"revisionHistoryLimit":10,"selector":{"matchLabels":{"app":"demoservice-server"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"demoservice-server", "armo.attach": "true"}},"spec":{"containers":[{"env":[{"name":"SERVER_PORT","value":"8089"},{"name":"SLEEP_DURATION","value":"1"},{"name":"DEMO_FOLDERS","value":"/app"},{"name":"ARMO_TEST_NAME","value":"auto_attach_deployment"},{"name":"CAA_ENABLE_CRASH_REPORTER","value":"1"}],"image":"quay.io/armosec/demoservice:v25","imagePullPolicy":"IfNotPresent","name":"demoservice","ports":[{"containerPort":8089,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30}}},"status":{"availableReplicas":1,"conditions":[{"lastTransitionTime":"2021-05-03T13:10:32Z","lastUpdateTime":"2021-05-03T13:10:37Z","message":"ReplicaSet \"demoservice-server-7d478b6998\" has successfully progressed.","reason":"NewReplicaSetAvailable","status":"True","type":"Progressing"},{"lastTransitionTime":"2021-05-03T13:52:58Z","lastUpdateTime":"2021-05-03T13:52:58Z","message":"Deployment has minimum availability.","reason":"MinimumReplicasAvailable","status":"True","type":"Available"}],"observedGeneration":1,"readyReplicas":1,"replicas":1,"updatedReplicas":1}}`
-	workload, err := NewWorkload([]byte(w))
-	if err != nil {
-		t.Errorf(err.Error())
-	}
-	if !workload.IsAttached() {
-		t.Errorf("expect to be attached")
-	}
-	workload.RemoveArmoMetadata()
-	if workload.IsAttached() {
-		t.Errorf("expect to be clear")
-	}
-
-}
-
-func TestSetWlid(t *testing.T) {
-	w := `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"deployment.kubernetes.io/revision":"1"},"creationTimestamp":"2021-05-03T13:10:32Z","generation":1,"managedFields":[{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:app":{},"f:cyberarmor.inject":{}}},"f:spec":{"f:progressDeadlineSeconds":{},"f:replicas":{},"f:revisionHistoryLimit":{},"f:selector":{},"f:strategy":{"f:rollingUpdate":{".":{},"f:maxSurge":{},"f:maxUnavailable":{}},"f:type":{}},"f:template":{"f:metadata":{"f:labels":{".":{},"f:app":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"demoservice\"}":{".":{},"f:env":{".":{},"k:{\"name\":\"ARMO_TEST_NAME\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"CAA_ENABLE_CRASH_REPORTER\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"DEMO_FOLDERS\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SERVER_PORT\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SLEEP_DURATION\"}":{".":{},"f:name":{},"f:value":{}}},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:ports":{".":{},"k:{\"containerPort\":8089,\"protocol\":\"TCP\"}":{".":{},"f:containerPort":{},"f:protocol":{}}},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{}}}}},"manager":"OpenAPI-Generator","operation":"Update","time":"2021-05-03T13:10:32Z"},{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:deployment.kubernetes.io/revision":{}}},"f:status":{"f:availableReplicas":{},"f:conditions":{".":{},"k:{\"type\":\"Available\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Progressing\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}}},"f:observedGeneration":{},"f:readyReplicas":{},"f:replicas":{},"f:updatedReplicas":{}}},"manager":"kube-controller-manager","operation":"Update","time":"2021-05-03T13:52:58Z"}],"name":"demoservice-server","namespace":"default","resourceVersion":"1016043","uid":"e9e8a3e9-6cb4-4301-ace1-2c0cef3bd61e"},"spec":{"progressDeadlineSeconds":600,"replicas":1,"revisionHistoryLimit":10,"selector":{"matchLabels":{"app":"demoservice-server"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"demoservice-server"}},"spec":{"containers":[{"env":[{"name":"SERVER_PORT","value":"8089"},{"name":"SLEEP_DURATION","value":"1"},{"name":"DEMO_FOLDERS","value":"/app"},{"name":"ARMO_TEST_NAME","value":"auto_attach_deployment"},{"name":"CAA_ENABLE_CRASH_REPORTER","value":"1"}],"image":"quay.io/armosec/demoservice:v25","imagePullPolicy":"IfNotPresent","name":"demoservice","ports":[{"containerPort":8089,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30}}},"status":{"availableReplicas":1,"conditions":[{"lastTransitionTime":"2021-05-03T13:10:32Z","lastUpdateTime":"2021-05-03T13:10:37Z","message":"ReplicaSet \"demoservice-server-7d478b6998\" has successfully progressed.","reason":"NewReplicaSetAvailable","status":"True","type":"Progressing"},{"lastTransitionTime":"2021-05-03T13:52:58Z","lastUpdateTime":"2021-05-03T13:52:58Z","message":"Deployment has minimum availability.","reason":"MinimumReplicasAvailable","status":"True","type":"Available"}],"observedGeneration":1,"readyReplicas":1,"replicas":1,"updatedReplicas":1}}`
-	workload, err := NewWorkload([]byte(w))
-	if err != nil {
-		t.Errorf(err.Error())
-	}
-	workload.SetWlid("wlid://bla")
-	// t.Errorf(workload.Json())
-
-}
-
-func TestGetResourceVersion(t *testing.T) {
-	w := `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"deployment.kubernetes.io/revision":"1"},"creationTimestamp":"2021-05-03T13:10:32Z","generation":1,"managedFields":[{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:app":{},"f:cyberarmor.inject":{}}},"f:spec":{"f:progressDeadlineSeconds":{},"f:replicas":{},"f:revisionHistoryLimit":{},"f:selector":{},"f:strategy":{"f:rollingUpdate":{".":{},"f:maxSurge":{},"f:maxUnavailable":{}},"f:type":{}},"f:template":{"f:metadata":{"f:labels":{".":{},"f:app":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"demoservice\"}":{".":{},"f:env":{".":{},"k:{\"name\":\"ARMO_TEST_NAME\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"CAA_ENABLE_CRASH_REPORTER\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"DEMO_FOLDERS\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SERVER_PORT\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SLEEP_DURATION\"}":{".":{},"f:name":{},"f:value":{}}},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:ports":{".":{},"k:{\"containerPort\":8089,\"protocol\":\"TCP\"}":{".":{},"f:containerPort":{},"f:protocol":{}}},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{}}}}},"manager":"OpenAPI-Generator","operation":"Update","time":"2021-05-03T13:10:32Z"},{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:deployment.kubernetes.io/revision":{}}},"f:status":{"f:availableReplicas":{},"f:conditions":{".":{},"k:{\"type\":\"Available\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Progressing\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}}},"f:observedGeneration":{},"f:readyReplicas":{},"f:replicas":{},"f:updatedReplicas":{}}},"manager":"kube-controller-manager","operation":"Update","time":"2021-05-03T13:52:58Z"}],"name":"demoservice-server","namespace":"default","resourceVersion":"1016043","uid":"e9e8a3e9-6cb4-4301-ace1-2c0cef3bd61e"},"spec":{"progressDeadlineSeconds":600,"replicas":1,"revisionHistoryLimit":10,"selector":{"matchLabels":{"app":"demoservice-server"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"demoservice-server"}},"spec":{"containers":[{"env":[{"name":"SERVER_PORT","value":"8089"},{"name":"SLEEP_DURATION","value":"1"},{"name":"DEMO_FOLDERS","value":"/app"},{"name":"ARMO_TEST_NAME","value":"auto_attach_deployment"},{"name":"CAA_ENABLE_CRASH_REPORTER","value":"1"}],"image":"quay.io/armosec/demoservice:v25","imagePullPolicy":"IfNotPresent","name":"demoservice","ports":[{"containerPort":8089,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30}}},"status":{"availableReplicas":1,"conditions":[{"lastTransitionTime":"2021-05-03T13:10:32Z","lastUpdateTime":"2021-05-03T13:10:37Z","message":"ReplicaSet \"demoservice-server-7d478b6998\" has successfully progressed.","reason":"NewReplicaSetAvailable","status":"True","type":"Progressing"},{"lastTransitionTime":"2021-05-03T13:52:58Z","lastUpdateTime":"2021-05-03T13:52:58Z","message":"Deployment has minimum availability.","reason":"MinimumReplicasAvailable","status":"True","type":"Available"}],"observedGeneration":1,"readyReplicas":1,"replicas":1,"updatedReplicas":1}}`
-	workload, err := NewWorkload([]byte(w))
-	if err != nil {
-		t.Errorf(err.Error())
-	}
-	if workload.GetResourceVersion() != "1016043" {
-		t.Errorf("wrong resourceVersion")
-	}
-
-}
-func TestGetUID(t *testing.T) {
-	w := `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"deployment.kubernetes.io/revision":"1"},"creationTimestamp":"2021-05-03T13:10:32Z","generation":1,"managedFields":[{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:app":{},"f:cyberarmor.inject":{}}},"f:spec":{"f:progressDeadlineSeconds":{},"f:replicas":{},"f:revisionHistoryLimit":{},"f:selector":{},"f:strategy":{"f:rollingUpdate":{".":{},"f:maxSurge":{},"f:maxUnavailable":{}},"f:type":{}},"f:template":{"f:metadata":{"f:labels":{".":{},"f:app":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"demoservice\"}":{".":{},"f:env":{".":{},"k:{\"name\":\"ARMO_TEST_NAME\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"CAA_ENABLE_CRASH_REPORTER\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"DEMO_FOLDERS\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SERVER_PORT\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SLEEP_DURATION\"}":{".":{},"f:name":{},"f:value":{}}},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:ports":{".":{},"k:{\"containerPort\":8089,\"protocol\":\"TCP\"}":{".":{},"f:containerPort":{},"f:protocol":{}}},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{}}}}},"manager":"OpenAPI-Generator","operation":"Update","time":"2021-05-03T13:10:32Z"},{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:deployment.kubernetes.io/revision":{}}},"f:status":{"f:availableReplicas":{},"f:conditions":{".":{},"k:{\"type\":\"Available\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Progressing\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}}},"f:observedGeneration":{},"f:readyReplicas":{},"f:replicas":{},"f:updatedReplicas":{}}},"manager":"kube-controller-manager","operation":"Update","time":"2021-05-03T13:52:58Z"}],"name":"demoservice-server","namespace":"default","resourceVersion":"1016043","uid":"e9e8a3e9-6cb4-4301-ace1-2c0cef3bd61e"},"spec":{"progressDeadlineSeconds":600,"replicas":1,"revisionHistoryLimit":10,"selector":{"matchLabels":{"app":"demoservice-server"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"demoservice-server"}},"spec":{"containers":[{"env":[{"name":"SERVER_PORT","value":"8089"},{"name":"SLEEP_DURATION","value":"1"},{"name":"DEMO_FOLDERS","value":"/app"},{"name":"ARMO_TEST_NAME","value":"auto_attach_deployment"},{"name":"CAA_ENABLE_CRASH_REPORTER","value":"1"}],"image":"quay.io/armosec/demoservice:v25","imagePullPolicy":"IfNotPresent","name":"demoservice","ports":[{"containerPort":8089,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30}}},"status":{"availableReplicas":1,"conditions":[{"lastTransitionTime":"2021-05-03T13:10:32Z","lastUpdateTime":"2021-05-03T13:10:37Z","message":"ReplicaSet \"demoservice-server-7d478b6998\" has successfully progressed.","reason":"NewReplicaSetAvailable","status":"True","type":"Progressing"},{"lastTransitionTime":"2021-05-03T13:52:58Z","lastUpdateTime":"2021-05-03T13:52:58Z","message":"Deployment has minimum availability.","reason":"MinimumReplicasAvailable","status":"True","type":"Available"}],"observedGeneration":1,"readyReplicas":1,"replicas":1,"updatedReplicas":1}}`
-	workload, err := NewWorkload([]byte(w))
-	if err != nil {
-		t.Errorf(err.Error())
-	}
-	if workload.GetUID() != "e9e8a3e9-6cb4-4301-ace1-2c0cef3bd61e" {
-		t.Errorf("wrong UID")
-	}
-
-}
-
-func TestIsAttached(t *testing.T) {
-	w := `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"deployment.kubernetes.io/revision":"3"},"creationTimestamp":"2021-06-21T04:52:05Z","generation":3,"name":"emailservice","namespace":"default"},"spec":{"progressDeadlineSeconds":600,"replicas":1,"revisionHistoryLimit":10,"selector":{"matchLabels":{"app":"emailservice"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"},"template":{"metadata":{"annotations":{"armo.last-update":"21-06-2021 06:40:42","armo.wlid":"wlid://cluster-david-demo/namespace-default/deployment-emailservice"},"creationTimestamp":null,"labels":{"app":"emailservice","armo.attach":"true"}},"spec":{"containers":[{"env":[{"name":"PORT","value":"8080"},{"name":"DISABLE_PROFILER","value":"1"}],"image":"gcr.io/google-samples/microservices-demo/emailservice:v0.2.3","imagePullPolicy":"IfNotPresent","livenessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:8080"]},"failureThreshold":3,"periodSeconds":5,"successThreshold":1,"timeoutSeconds":1},"name":"server","ports":[{"containerPort":8080,"protocol":"TCP"}],"readinessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:8080"]},"failureThreshold":3,"periodSeconds":5,"successThreshold":1,"timeoutSeconds":1},"resources":{"limits":{"cpu":"200m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"serviceAccount":"default","serviceAccountName":"default","terminationGracePeriodSeconds":5}}}}`
-	workload, err := NewWorkload([]byte(w))
-	if err != nil {
-		t.Errorf(err.Error())
-	}
-	if !workload.IsAttached() {
-		t.Errorf("expected attached")
-	}
-
-}

cautils/k8sinterface/workloadmethodsutils.go

@@ -1,23 +0,0 @@
-package k8sinterface
-
-func PodSpec(kind string) []string {
-	switch kind {
-	case "Pod", "Namespace":
-		return []string{"spec"}
-	case "CronJob":
-		return []string{"spec", "jobTemplate", "spec", "template", "spec"}
-	default:
-		return []string{"spec", "template", "spec"}
-	}
-}
-
-func PodMetadata(kind string) []string {
-	switch kind {
-	case "Pod", "Namespace", "Secret":
-		return []string{"metadata"}
-	case "CronJob":
-		return []string{"spec", "jobTemplate", "spec", "template", "metadata"}
-	default:
-		return []string{"spec", "template", "metadata"}
-	}
-}

cautils/opapolicy/apis.go

@@ -1,7 +0,0 @@
-package opapolicy
-
-const (
-	PostureRestAPIPathV1   = "/v1/posture"
-	PostureRedisPrefix     = "_postureReportv1"
-	K8sPostureNotification = "/k8srestapi/v1/newPostureReport"
-)

cautils/opapolicy/datastructures.go

@@ -1,150 +0,0 @@
-package opapolicy
-
-import (
-	"time"
-
-	armotypes "kube-escape/cautils/armotypes"
-)
-
-type AlertScore float32
-type RuleLanguages string
-
-const (
-	RegoLanguage  RuleLanguages = "Rego"
-	RegoLanguage2 RuleLanguages = "rego"
-)
-
-// RegoResponse the expected response of single run of rego policy
-type RuleResponse struct {
-	AlertMessage string     `json:"alertMessage"`
-	PackageName  string     `json:"packagename"`
-	AlertScore   AlertScore `json:"alertScore"`
-	// AlertObject   AlertObject `json:"alertObject"`
-	AlertObject   AlertObject `json:"alertObject"` // TODO - replace interface to AlertObject
-	Context       []string    `json:"context"`     // TODO - Remove
-	Rulename      string      `json:"rulename"`    // TODO - Remove
-	ExceptionName string      `json:"exceptionName"`
-}
-
-type AlertObject struct {
-	K8SApiObjects   []map[string]interface{} `json:"k8sApiObjects,omitempty"`
-	ExternalObjects []map[string]interface{} `json:"externalObjects,omitempty"`
-}
-
-type FrameworkReport struct {
-	Name           string          `json:"name"`
-	ControlReports []ControlReport `json:"controlReports"`
-}
-type ControlReport struct {
-	Name        string       `json:"name"`
-	RuleReports []RuleReport `json:"ruleReports"`
-	Remediation string       `json:"remediation"`
-	Description string       `json:"description"`
-}
-type RuleReport struct {
-	Name           string         `json:"name"`
-	Remediation    string         `json:"remediation"`
-	RuleStatus     RuleStatus     `json:"ruleStatus"`
-	RuleResponses  []RuleResponse `json:"ruleResponses"`
-	NumOfResources int
-}
-type RuleStatus struct {
-	Status  string `json:"status"`
-	Message string `json:"message"`
-}
-
-// PostureReport
-type PostureReport struct {
-	CustomerGUID         string            `json:"customerGUID"`
-	ClusterName          string            `json:"clusterName"`
-	ReportID             string            `json:"reportID"`
-	JobID                string            `json:"jobID"`
-	ReportGenerationTime time.Time         `json:"generationTime"`
-	FrameworkReports     []FrameworkReport `json:"frameworks"`
-}
-
-// RuleMatchObjects defines which objects this rule applied on
-type RuleMatchObjects struct {
-	APIGroups   []string `json:"apiGroups"`   // apps
-	APIVersions []string `json:"apiVersions"` // v1/ v1beta1 / *
-	Resources   []string `json:"resources"`   // dep.., pods,
-}
-
-// RuleMatchObjects defines which objects this rule applied on
-type RuleDependency struct {
-	PackageName string `json:"packageName"` // package name
-}
-
-// PolicyRule represents single rule, the fundamental executable block of policy
-type PolicyRule struct {
-	armotypes.PortalBase `json:",inline"`
-	CreationTime         string             `json:"creationTime"`
-	Rule                 string             `json:"rule"` // multiline string!
-	RuleLanguage         RuleLanguages      `json:"ruleLanguage"`
-	Match                []RuleMatchObjects `json:"match"`
-	RuleDependencies     []RuleDependency   `json:"ruleDependencies"`
-	Description          string             `json:"description"`
-	Remediation          string             `json:"remediation"`
-	RuleQuery            string             `json:"ruleQuery"` // default "armo_builtins" - DEPRECATED
-}
-
-// Control represents a collection of rules which are combined together to single purpose
-type Control struct {
-	armotypes.PortalBase `json:",inline"`
-	CreationTime         string       `json:"creationTime"`
-	Description          string       `json:"description"`
-	Remediation          string       `json:"remediation"`
-	Rules                []PolicyRule `json:"rules"`
-	// for new list of  rules in POST/UPADTE requests
-	RulesIDs *[]string `json:"rulesIDs,omitempty"`
-}
-
-type UpdatedControl struct {
-	Control `json:",inline"`
-	Rules   []interface{} `json:"rules"`
-}
-
-// Framework represents a collection of controls which are combined together to expose comprehensive behavior
-type Framework struct {
-	armotypes.PortalBase `json:",inline"`
-	CreationTime         string    `json:"creationTime"`
-	Description          string    `json:"description"`
-	Controls             []Control `json:"controls"`
-	// for new list of  controls in POST/UPADTE requests
-	ControlsIDs *[]string `json:"controlsIDs,omitempty"`
-}
-
-type UpdatedFramework struct {
-	Framework `json:",inline"`
-	Controls  []interface{} `json:"controls"`
-}
-
-type NotificationPolicyType string
-type NotificationPolicyKind string
-
-// Supported NotificationTypes
-const (
-	TypeValidateRules   NotificationPolicyType = "validateRules"
-	TypeExecPostureScan NotificationPolicyType = "execPostureScan"
-	TypeUpdateRules     NotificationPolicyType = "updateRules"
-)
-
-// Supported NotificationKinds
-const (
-	KindFramework NotificationPolicyKind = "Framework"
-	KindControl   NotificationPolicyKind = "Control"
-	KindRule      NotificationPolicyKind = "Rule"
-)
-
-type PolicyNotification struct {
-	NotificationType NotificationPolicyType     `json:"notificationType"`
-	Rules            []PolicyIdentifier         `json:"rules"`
-	ReportID         string                     `json:"reportID"`
-	JobID            string                     `json:"jobID"`
-	Designators      armotypes.PortalDesignator `json:"designators"`
-}
-
-type PolicyIdentifier struct {
-	Kind NotificationPolicyKind `json:"kind"`
-	Name string                 `json:"name"`
-}

cautils/opapolicy/datastructures_mock.go

@@ -1,300 +0,0 @@
-package opapolicy
-
-import (
-	"time"
-
-	armotypes "kube-escape/cautils/armotypes"
-)
-
-// Mock A
-var (
-	AMockCustomerGUID  = "5d817063-096f-4d91-b39b-8665240080af"
-	AMockJobID         = "36b6f9e1-3b63-4628-994d-cbe16f81e9c7"
-	AMockReportID      = "2c31e4da-c6fe-440d-9b8a-785b80c8576a"
-	AMockClusterName   = "clusterA"
-	AMockFrameworkName = "testFrameworkA"
-	AMockControlName   = "testControlA"
-	AMockRuleName      = "testRuleA"
-	AMockPortalBase    = *armotypes.MockPortalBase(AMockCustomerGUID, "", nil)
-)
-
-func MockRuleResponseA() *RuleResponse {
-	return &RuleResponse{
-		AlertMessage: "test alert message A",
-		AlertScore:   0,
-		Rulename:     AMockRuleName,
-		PackageName:  "test.package.name.A",
-		Context:      []string{},
-	}
-}
-
-func MockFrameworkReportA() *FrameworkReport {
-	return &FrameworkReport{
-		Name: AMockFrameworkName,
-		ControlReports: []ControlReport{
-			{
-				Name: AMockControlName,
-				RuleReports: []RuleReport{
-					{
-						Name:        AMockRuleName,
-						Remediation: "remove privilegedContainer: True flag from your pod spec",
-						RuleResponses: []RuleResponse{
-							*MockRuleResponseA(),
-						},
-					},
-				},
-			},
-		},
-	}
-}
-
-func MockPostureReportA() *PostureReport {
-	return &PostureReport{
-		CustomerGUID:         AMockCustomerGUID,
-		ClusterName:          AMockClusterName,
-		ReportID:             AMockReportID,
-		JobID:                AMockJobID,
-		ReportGenerationTime: time.Now().UTC(),
-		FrameworkReports:     []FrameworkReport{*MockFrameworkReportA()},
-	}
-}
-
-func MockFrameworkA() *Framework {
-	return &Framework{
-		PortalBase:   *armotypes.MockPortalBase("aaaaaaaa-096f-4d91-b39b-8665240080af", AMockFrameworkName, nil),
-		CreationTime: "",
-		Description:  "mock framework descryption",
-		Controls: []Control{
-			{
-				PortalBase: *armotypes.MockPortalBase("aaaaaaaa-aaaa-4d91-b39b-8665240080af", AMockControlName, nil),
-				Rules: []PolicyRule{
-					*MockRuleA(),
-				},
-			},
-		},
-	}
-}
-
-func MockRuleUntrustedRegistries() *PolicyRule {
-	return &PolicyRule{
-		PortalBase: *armotypes.MockPortalBase("aaaaaaaa-aaaa-aaaa-b39b-8665240080af", AMockControlName, nil),
-		Rule: `
-package armo_builtins
-# Check for images from blacklisted repos
-
-untrusted_registries(z) = x {
-	x := ["015253967648.dkr.ecr.eu-central-1.amazonaws.com/"]	
-}
-
-public_registries(z) = y{
-	y := ["quay.io/kiali/","quay.io/datawire/","quay.io/keycloak/","quay.io/bitnami/"]
-}
-
-untrustedImageRepo[msga] {
-	pod := input[_]
-	k := pod.kind
-	k == "Pod"
-	container := pod.spec.containers[_]
-	image := container.image
-    repo_prefix := untrusted_registries(image)[_]
-	startswith(image, repo_prefix)
-	selfLink := pod.metadata.selfLink
-	containerName := container.name
-
-	msga := {
-		"alertMessage": sprintf("image '%v' in container '%s' in [%s] comes from untrusted registry", [image, containerName, selfLink]),
-		"alert": true,
-		"prevent": false,
-		"alertScore": 2,
-		"alertObject": [{"pod":pod}]
-	}
-}
-
-untrustedImageRepo[msga] {
-    pod := input[_]
-	k := pod.kind
-	k == "Pod"
-	container := pod.spec.containers[_]
-	image := container.image
-    repo_prefix := public_registries(image)[_]
-	startswith(pod, repo_prefix)
-	selfLink := input.metadata.selfLink
-	containerName := container.name
-
-	msga := {
-		"alertMessage": sprintf("image '%v' in container '%s' in [%s] comes from public registry", [image, containerName, selfLink]),
-		"alert": true,
-		"prevent": false,
-		"alertScore": 1,
-		"alertObject": [{"pod":pod}]
-	}
-}
-		`,
-		RuleLanguage: RegoLanguage,
-		Match: []RuleMatchObjects{
-			{
-				APIVersions: []string{"v1"},
-				APIGroups:   []string{"*"},
-				Resources:   []string{"pods"},
-			},
-		},
-		RuleDependencies: []RuleDependency{
-			{
-				PackageName: "kubernetes.api.client",
-			},
-		},
-	}
-}
-
-func MockRuleA() *PolicyRule {
-	return &PolicyRule{
-		PortalBase:   *armotypes.MockPortalBase("aaaaaaaa-aaaa-aaaa-b39b-8665240080af", AMockControlName, nil),
-		Rule:         MockRegoPrivilegedPods(), //
-		RuleLanguage: RegoLanguage,
-		Match: []RuleMatchObjects{
-			{
-				APIVersions: []string{"v1"},
-				APIGroups:   []string{"*"},
-				Resources:   []string{"pods"},
-			},
-		},
-		RuleDependencies: []RuleDependency{
-			{
-				PackageName: "kubernetes.api.client",
-			},
-		},
-	}
-}
-
-func MockRuleB() *PolicyRule {
-	return &PolicyRule{
-		PortalBase:   *armotypes.MockPortalBase("bbbbbbbb-aaaa-aaaa-b39b-8665240080af", AMockControlName, nil),
-		Rule:         MockExternalFacingService(), //
-		RuleLanguage: RegoLanguage,
-		Match: []RuleMatchObjects{
-			{
-				APIVersions: []string{"v1"},
-				APIGroups:   []string{""},
-				Resources:   []string{"pods"},
-			},
-		},
-		RuleDependencies: []RuleDependency{
-			{
-				PackageName: "kubernetes.api.client",
-			},
-		},
-	}
-}
-
-func MockPolicyNotificationA() *PolicyNotification {
-	return &PolicyNotification{
-		NotificationType: TypeExecPostureScan,
-		ReportID:         AMockReportID,
-		JobID:            AMockJobID,
-		Designators:      armotypes.PortalDesignator{},
-		Rules: []PolicyIdentifier{
-			{
-				Kind: KindFramework,
-				Name: AMockFrameworkName,
-			}},
-	}
-}
-
-func MockTemp() string {
-	return `
-	package armo_builtins
-	import data.kubernetes.api.client as client
-	deny[msga] {
-		#object := input[_]
-		object := client.query_all("pods")
-		obj := object.body.items[_]
-		msga := {
-			"packagename": "armo_builtins",
-			"alertMessage": "found object",
-			"alertScore": 3,
-			"alertObject": {"object": obj},
-		}
-	}
-	`
-}
-
-func MockRegoPrivilegedPods() string {
-	return `package armo_builtins
-
-	import data.kubernetes.api.client as client
-
-	# Deny mutating action unless user is in group owning the resource
-	
-	#privileged pods
-	deny[msga] {
-	   
-		pod := input[_]
-		containers := pod.spec.containers[_]
-		containers.securityContext.privileged == true
-		msga := {
-			"packagename": "armo_builtins",
-			"alertMessage": sprintf("the following pods are defined as privileged: %v", [pod]),
-			"alertScore": 3,
-			"alertObject": pod,
-		}
-	}
-	
-	#handles majority of workload resources
-	deny[msga] {
-		wl := input[_]
-		spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
-		spec_template_spec_patterns[wl.kind]
-		containers := wl.spec.template.spec.containers[_]
-		containers.securityContext.privileged == true
-		msga := {
-			"packagename": "armo_builtins",
-			"alertMessage": sprintf("the following workloads are defined as privileged: %v", [wl]),
-			"alertScore": 3,
-			"alertObject": wl,
-		}
-	}
-	
-	#handles cronjob
-	deny[msga] {
-		wl := input[_]
-		wl.kind == "CronJob"
-		containers := wl.spec.jobTemplate.spec.template.spec.containers[_]
-		containers.securityContext.privileged == true
-		msga := {
-			"packagename": "armo_builtins",
-			"alertMessage": sprintf("the following cronjobs are defined as privileged: %v", [wl]),
-			"alertScore": 3,
-			"alertObject": wl,
-		}
-	}
-	`
-}
-
-func MockExternalFacingService() string {
-	return "\n\tpackage armo_builtins\n\n\timport data.kubernetes.api.client as client\n\timport data.cautils as cautils\n\ndeny[msga] {\n\n\twl := input[_]\n\tcluster_resource := client.query_all(\n\t\t\"services\"\n\t)\n\n\tlabels := wl.metadata.labels\n\tfiltered_labels := json.remove(labels, [\"pod-template-hash\"])\n    \n#service := cluster_resource.body.items[i]\nservices := [svc | cluster_resource.body.items[i].metadata.namespace == wl.metadata.namespace; svc := cluster_resource.body.items[i]]\nservice := services[_]\nnp_or_lb := {\"NodePort\", \"LoadBalancer\"}\nnp_or_lb[service.spec.type]\ncautils.is_subobject(service.spec.selector,filtered_labels)\n\n    msga := {\n\t\t\"alertMessage\": sprintf(\"%v pod %v  expose external facing service: %v\",[wl.metadata.namespace, wl.metadata.name, service.metadata.name]),\n\t\t\"alertScore\": 2,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\"srvc\":service}\n\t}\n}\n\t"
-}
-func GetRuntimePods() string {
-	return `
-    package armo_builtins
-
-    import data.kubernetes.api.client as client
-    
-
-deny[msga] {
-
-    
-    cluster_resource := client.query_all(
-      "pods"
-  )
-
-	pod := cluster_resource.body.items[i]
-    msga := {
-        "alertMessage": "got something",
-        "alertScore": 2,
-        "packagename": "armo_builtins",
-        "alertObject": {"pod": pod}
-    }
-}
-    
-    `
-}

cautils/opapolicy/datastructures_test.go

@@ -1,42 +0,0 @@
-package opapolicy
-
-import (
-	"encoding/json"
-	"testing"
-)
-
-func TestMockPolicyNotificationA(t *testing.T) {
-	policy := MockPolicyNotificationA()
-	bp, err := json.Marshal(policy)
-	if err != nil {
-		t.Error(err)
-	} else {
-		t.Logf("%s\n", string(bp))
-		// t.Errorf("%s\n", string(bp))
-	}
-
-}
-
-func TestMockFrameworkA(t *testing.T) {
-	policy := MockFrameworkA()
-	bp, err := json.Marshal(policy)
-	if err != nil {
-		t.Error(err)
-	} else {
-		t.Logf("%s\n", string(bp))
-		// t.Errorf("%s\n", string(bp))
-	}
-
-}
-
-func TestMockPostureReportA(t *testing.T) {
-	policy := MockPostureReportA()
-	bp, err := json.Marshal(policy)
-	if err != nil {
-		t.Error(err)
-	} else {
-		// t.Errorf("%s\n", string(bp))
-		t.Logf("%s\n", string(bp))
-	}
-
-}

cautils/opapolicy/datastructuresmethods.go

@@ -1,89 +0,0 @@
-package opapolicy
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-
-	"github.com/golang/glog"
-	"github.com/open-policy-agent/opa/rego"
-)
-
-func (pn *PolicyNotification) ToJSONBytesBuffer() (*bytes.Buffer, error) {
-	res, err := json.Marshal(pn)
-	if err != nil {
-		return nil, err
-	}
-	return bytes.NewBuffer(res), err
-}
-
-func (ruleReport *RuleReport) GetRuleStatus() (string, []RuleResponse, []RuleResponse) {
-	if len(ruleReport.RuleResponses) == 0 {
-		return "success", nil, nil
-	}
-	exceptions := make([]RuleResponse, 0)
-	failed := make([]RuleResponse, 0)
-
-	for _, rule := range ruleReport.RuleResponses {
-		if rule.ExceptionName != "" {
-			failed = append(failed, rule)
-		} else {
-			exceptions = append(exceptions, rule)
-		}
-	}
-
-	status := "failed"
-	if len(failed) == 0 && len(exceptions) > 0 {
-		status = "warning"
-	}
-	return status, failed, exceptions
-}
-func ParseRegoResult(regoResult *rego.ResultSet) ([]RuleResponse, error) {
-	var errs error
-	ruleResponses := []RuleResponse{}
-	for _, result := range *regoResult {
-		for desicionIdx := range result.Expressions {
-			if resMap, ok := result.Expressions[desicionIdx].Value.(map[string]interface{}); ok {
-				for objName := range resMap {
-					jsonBytes, err := json.Marshal(resMap[objName])
-					if err != nil {
-						err = fmt.Errorf("in parseRegoResult, json.Marshal failed. name: %s, obj: %v, reason: %s", objName, resMap[objName], err)
-						glog.Error(err)
-						errs = fmt.Errorf("%s\n%s", errs, err)
-						continue
-					}
-					desObj := make([]RuleResponse, 0)
-					if err := json.Unmarshal(jsonBytes, &desObj); err != nil {
-						err = fmt.Errorf("in parseRegoResult, json.Unmarshal failed. name: %s, obj: %v, reason: %s", objName, resMap[objName], err)
-						glog.Error(err)
-						errs = fmt.Errorf("%s\n%s", errs, err)
-						continue
-					}
-					ruleResponses = append(ruleResponses, desObj...)
-				}
-			}
-		}
-	}
-	return ruleResponses, errs
-}
-
-func (controlReport *ControlReport) GetNumberOfResources() int {
-	sum := 0
-	for i := range controlReport.RuleReports {
-		sum += controlReport.RuleReports[i].NumOfResources
-	}
-	return sum
-}
-
-func (controlReport *ControlReport) Passed() bool {
-	for i := range controlReport.RuleReports {
-		if len(controlReport.RuleReports[i].RuleResponses) > 0 {
-			return false
-		}
-	}
-	return true
-}
-
-func (controlReport *ControlReport) Failed() bool {
-	return !controlReport.Passed()
-}

cautils/opapolicy/gojayunmarshaller.go

@@ -1,47 +0,0 @@
-package opapolicy
-
-import (
-	"github.com/francoispqt/gojay"
-	"time"
-)
-
-/*
-  responsible on fast unmarshaling of various COMMON containerscan structures and substructures
-
-*/
-// UnmarshalJSONObject - File inside a pkg
-func (r *PostureReport) UnmarshalJSONObject(dec *gojay.Decoder, key string) (err error) {
-
-	switch key {
-	case "customerGUID":
-		err = dec.String(&(r.CustomerGUID))
-
-	case "clusterName":
-		err = dec.String(&(r.ClusterName))
-
-	case "reportID":
-		err = dec.String(&(r.ReportID))
-	case "jobID":
-		err = dec.String(&(r.JobID))
-	case "generationTime":
-		err = dec.Time(&(r.ReportGenerationTime), time.RFC3339)
-		r.ReportGenerationTime = r.ReportGenerationTime.Local()
-	}
-	return err
-
-}
-
-// func (files *PkgFiles) UnmarshalJSONArray(dec *gojay.Decoder) error {
-// 	lae := PackageFile{}
-// 	if err := dec.Object(&lae); err != nil {
-// 		return err
-// 	}
-
-// 	*files = append(*files, lae)
-// 	return nil
-// }
-
-func (file *PostureReport) NKeys() int {
-	return 0
-}
-//------------------------

cautils/opapolicy/resources/dependencies.go

@@ -1,204 +0,0 @@
-package resources
-
-var RegoCAUtils = `
-package cautils
-
-list_contains(lista,element) {
-  some i
-  lista[i] == element
-}
-
-# getPodName(metadata) = name {
-# 	name := metadata.generateName
-#}
-getPodName(metadata) = name {
-	name := metadata.name
-}
-
-#returns subobject ,sub1 is partial to parent,  e.g parent = {a:a,b:b,c:c,d:d}
-# sub1 = {b:b,c:c} - result is {b:b,c:c}, if sub1={b:b,e:f} returns {b:b}
-object_intersection(parent,sub1) = r{
-  
-  r := {k:p  | p := sub1[k]
-              parent[k]== p
-              }
-}
-
-#returns if parent contains sub(both are objects not sets!!)
-is_subobject(sub,parent) {
-object_intersection(sub,parent)  == sub
-}
-`
-
-var RegoDesignators = `
-package designators
-
-import data.cautils
-#functions that related to designators
-
-#allowed_namespace
-#@input@: receive as part of the input object "included_namespaces" list
-#@input@: item's namespace as "namespace"
-#returns true if namespace exists in that list
-included_namespaces(namespace){
-    cautils.list_contains(["default"],namespace)
-}
-
-#forbidden_namespaces
-#@input@: receive as part of the input object "forbidden_namespaces" list
-#@input@: item's namespace as "namespace"
-#returns true if namespace exists in that list
-excluded_namespaces(namespace){
-    not cautils.list_contains(["excluded"],namespace)
-}
-
-forbidden_wlids(wlid){
-    input.forbidden_wlids[_] == wlid
-}
-
-filter_k8s_object(obj) = filtered {
-    #put 
-    filtered := obj
-    	#filtered := [ x | cautils.list_contains(["default"],obj[i].metadata.namespace) ; x := obj[i] ]
-        # filtered := [ x | not cautils.list_contains([],filter1Set[i].metadata.namespace); x := filter1Set[i]]
-        
-}
-`
-var RegoKubernetesApiClient = `
-package kubernetes.api.client
-
-# service account token
-token :=  data.k8sconfig.token
-
-# Cluster host
-host := data.k8sconfig.host
-
-# default certificate path 
-# crt_file := "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
-crt_file := data.k8sconfig.crtfile
-
-client_crt_file := data.k8sconfig.clientcrtfile
-client_key_file := data.k8sconfig.clientkeyfile
- 
-
-# This information could be retrieved from the kubernetes API
-# too, but would essentially require a request per API group,
-# so for now use a lookup table for the most common resources.
-resource_group_mapping := {
-	"services": "api/v1",
-	"pods": "api/v1",
-	"configmaps": "api/v1",
-	"secrets": "api/v1",
-	"persistentvolumeclaims": "api/v1",
-	"daemonsets": "apis/apps/v1",
-	"deployments": "apis/apps/v1",
-	"statefulsets": "apis/apps/v1",
-	"horizontalpodautoscalers": "api/autoscaling/v1",
-	"jobs": "apis/batch/v1",
-	"cronjobs": "apis/batch/v1beta1",
-	"ingresses": "api/extensions/v1beta1",
-	"replicasets": "apis/apps/v1",
-	"networkpolicies": "apis/networking.k8s.io/v1",
-	"clusterroles": "apis/rbac.authorization.k8s.io/v1",
-	"clusterrolebindings": "apis/rbac.authorization.k8s.io/v1",
-	"roles": "apis/rbac.authorization.k8s.io/v1",
-	"rolebindings": "apis/rbac.authorization.k8s.io/v1",
-	"serviceaccounts": "api/v1"
-}
-
-# Query for given resource/name in provided namespace
-# Example: query_ns("deployments", "my-app", "default")
-query_name_ns(resource, name, namespace) = http.send({
-		"url": sprintf("%v/%v/namespaces/%v/%v/%v", [
-		host,
-		resource_group_mapping[resource],
-		namespace,
-		resource,
-		name,
-	]),
-	"method": "get",	
-	"headers": {"authorization": token},
-	"tls_client_cert_file": client_crt_file,
-	"tls_client_key_file": client_key_file,
-	"tls_ca_cert_file": crt_file,
-	"raise_error": true,
-})
-
-# Query for given resource type using label selectors
-# https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
-# Example: query_label_selector_ns("deployments", {"app": "opa-kubernetes-api-client"}, "default")
-query_label_selector_ns(resource, selector, namespace) = http.send({
-	"url": sprintf("%v/%v/namespaces/%v/%v?labelSelector=%v", [
-		host,
-		resource_group_mapping[resource],
-		namespace,
-		resource,
-		label_map_to_query_string(selector),
-	]),
-	"method": "get",
-	"headers": {"authorization": token},
-	"tls_client_cert_file": client_crt_file,
-	"tls_client_key_file": client_key_file,
-	"tls_ca_cert_file": crt_file,
-	"raise_error": true,
-})
-
-# x := field_transform_to_qry_param("spec.selector",input)
-# input = {"app": "acmefit", "service": "catalog-db"}
-# result:  "spec.selector.app%3Dacmefit,spec.selector.service%3Dcatalog-db"
-
-
-query_field_selector_ns(resource, field, selector, namespace) = http.send({
-	"url": sprintf("%v/%v/namespaces/%v/%v?fieldSelector=%v", [
-		host,
-		resource_group_mapping[resource],
-		namespace,
-		resource,
-		field_transform_to_qry_param(field,selector),
-	]),
-	"method": "get",
-	"headers": {"authorization": token},
-	"tls_client_cert_file": client_crt_file,
-	"tls_client_key_file": client_key_file,
-	"tls_ca_cert_file": crt_file,
-	"raise_error": true,
-	
-})
-
-# # Query for all resources of type resource in all namespaces
-# # Example: query_all("deployments")
-# query_all(resource) = http.send({
-# 	"url": sprintf("https://%v:%v/%v/%v", [
-# 		ip,
-# 		port,
-# 		resource_group_mapping[resource],
-# 		resource,
-# 	]),
-# 	"method": "get",
-# 	"headers": {"authorization": sprintf("Bearer %v", [token])},
-# 	"tls_client_cert_file": crt_file,
-# 	"raise_error": true,
-# })
-
-# Query for all resources of type resource in all namespaces
-# Example: query_all("deployments")
-query_all(resource) = http.send({
-	"url": sprintf("%v/%v/%v", [
-		host,
-		resource_group_mapping[resource],
-		resource,
-	]),
-	"method": "get",
-	"headers": {"authorization": token},
-	"tls_client_cert_file": client_crt_file,
-	"tls_client_key_file": client_key_file,
-	"tls_ca_cert_file": crt_file,
-	"raise_error": true,
-}) 
-
-field_transform_to_qry_param(field,map) = finala {
-	mid := {concat(".",[field,key]): val | val := map[key]}
-    finala := label_map_to_query_string(mid)
-}
-label_map_to_query_string(map) = concat(",", [str | val := map[key]; str := concat("%3D", [key, val])])
-`

cautils/opapolicy/resources/rego/modules/cronJob.reg

@@ -1,20 +0,0 @@
-package armo_builtins
-
-# import data.kubernetes.api.client as client
-import data.cautils as cautils
-
-
-# alert cronjobs
-
-#handles cronjob
-deny[msga] {
-
-	wl := input[_]
-	wl.kind == "CronJob"
-    msga := {
-		"alertMessage": sprintf("the following cronjobs are defined: %v", [wl]),
-		"alertScore": 2,
-		"packagename": "armo_builtins",
-		"alertObject": wl
-	}
-}

cautils/opapolicy/resources/rego/modules/externalfacing.reg

@@ -1,44 +0,0 @@
-package armo_builtins
-
-import data.kubernetes.api.client as client
-
-
-# input: pod
-# apiversion: v1
-# does: 
-#	returns the external facing services of that pod
-#
-#
-deny[msga] {
-	pod := input[_]
-	podns :=  pod.metadata.namespace
-	podname := getName(pod.metadata)
-	# pod := client.query_name_ns("pods","frontend-86c5ffb485-kfp9d", "default")
-	labels := pod.body.metadata.labels
-	filtered_labels := json.remove(labels, ["pod-template-hash"])
-    
-	 cluster_resource := client.query_all(
-	 	"services"
-	 )
-
-
-	services := [svc | cluster_resource.body.items[i].metadata.namespace == podns; svc := cluster_resource.body.items[i]]
-	service := 	services[_]
-	np_or_lb := {"NodePort", "LoadBalancer"}
-	np_or_lb[service.spec.type]
-	service.spec.selector == filtered_labels
-    
-	msga := {
-		"packagename": "armo_builtins",
-		"alertMessage": sprintf("pod %v/%v exposed services: %v\n", [podns,podname,service]),
-		"alertScore": 7,
-		"alertObject": {"service":service,"labels":filtered_labels, "podname":podname,"namespace":podns}
-	}
-}
-
-getName(metadata) = name {
-	name := metadata.generateName
-}
-getName(metadata) = name {
-	name := metadata.name
-}

cautils/opapolicy/resources/rego/modules/hostpath.reg

@@ -1,57 +0,0 @@
-package armo_builtins
-#import data.kubernetes.api.client as client
-import data.cautils as cautils
-
-# input: pod
-# apiversion: v1
-# does: 
-#	returns hostPath volumes
-#
-#
-deny[msga] {
-    pod := input[_]
-    pod.kind == "Pod"
-    volumes := pod.spec.volumes
-    volume := volumes[_]
-    # crsrcs.body.spec.containers[_].volumeMounts[_].name = volume.name
-    volume.hostPath
-    podname := cautils.getPodName(pod.metadata)
-    obj := {"volume":volume,"podname": podname}
-
-	msga := {
-		"packagename": "armo_builtins",
-		"alertMessage": sprintf("pod: %v has {%v,%v} ashostPath volume \n\n\n", [podname, volume]),
-		"alertScore": 7,
-		"alertObject": [obj]
-	}
-}
-
-isRWMount(mount) {
- not mount.readOnly
-}
-isRWMount(mount) {
-  mount.readOnly == false
-}
-
-
-#handles majority of workload resources
-deny[msga] {
-
-	wl := input[_]
-	spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
-	spec_template_spec_patterns[wl.kind]
-    volumes := wl.spec.template.spec.volumes
-    volume := volumes[_]
-    volume.hostPath
-    wlname := cautils.getPodName(wl.metadata)
-    obj := {"volume":volume,"podname": wlname}
-
-	msga := {
-		"packagename": "armo_builtins",
-		"alertMessage": sprintf("%v: %v has {%v,%v} as hostPath volume\n\n\n", [wl.kind,wlname, volume]),
-		"alertScore": 7,
-		"alertObject": [obj]
-	}
-}
-
-

cautils/opapolicy/resources/rego/modules/privileged.reg

@@ -1,56 +0,0 @@
-package armo_builtins
-
-#import data.kubernetes.api.client as client
-
-
-# Deny mutating action unless user is in group owning the resource
-
-
-#privileged pods
-deny[msga] {
-
-   
-	pod := input[_]
-	containers := pod.spec.containers[_]
-	containers.securityContext.privileged == true
-    msga := {
-		"packagename": "armo_builtins",
-		"alertMessage": sprintf("the following pods are defined as privileged: %v", [pod]),
-		"alertScore": 3,
-		"alertObject": pod,
-	}
-}
-
-
-#handles majority of workload resources
-deny[msga] {
-
-	wl := input[_]
-	spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
-	spec_template_spec_patterns[wl.kind]
-	containers := wl.spec.template.spec.containers[_]
-	containers.securityContext.privileged == true
-    msga := {
-		"packagename": "armo_builtins",
-		"alertMessage": sprintf("the following workloads are defined as privileged: %v", [wl]),
-		"alertScore": 3,
-		"alertObject": wl,
-	}
-}
-
-
-
-#handles cronjob
-deny[msga] {
-
-	wl := input[_]
-	wl.kind == "CronJob"
-	containers := wl.spec.jobTemplate.spec.template.spec.containers[_]
-	containers.securityContext.privileged == true
-    msga := {
-		"packagename": "armo_builtins",
-		"alertMessage": sprintf("the following cronjobs are defined as privileged: %v", [wl]),
-		"alertScore": 3,
-		"alertObject": wl,
-	}
-}

cautils/opapolicy/resources/rego/modules/rbacsecrets.reg

@@ -1,98 +0,0 @@
-package armo_builtins
-import data.kubernetes.api.client as client
-import data.cautils as cautils
-
-
-# input: None
-# apiversion: v1
-# does: 
-#	returns roles+ related subjects in rolebinding
-
-
-deny[msga] {
-	# rsrc := client.query_all("roles")
-	# role := rsrc.body.items[_]
-	role := input[_]
-	role.kind == "Role"
-	rule := role.rules[_]
-	cautils.list_contains(rule.resources,"secrets")
-	canViewSecrets(rule)
-	rbsrc := client.query_all("rolebindings")
-	rolebinding := rbsrc.body.items[_]
-	rolebinding.roleRef.kind == "Role"
-	rolebinding.roleRef.name == role.metadata.name
-	
-    
-	msga := {
-		"alertMessage": sprintf("the following users: %v , got read secret access roles", [rolebinding.subjects]),
-		"alertScore": 9,
-		"packagename": "armo_builtins",
-		"alertObject": {"role":role,"users":rolebinding.subjects}
-	}
-}
-
-
-
-# input: None
-# apiversion: v1
-# does: 
-#	returns clusterroles+ related subjects in rolebinding
-
-
-deny[msga] {
-	# rsrc := client.query_all("clusterroles")
-	# role := rsrc.body.items[_]
-	role := input[_]
-	role.kind == "ClusterRole"
-	rule := role.rules[_]
-	cautils.list_contains(rule.resources,"secrets")
-	canViewSecrets(rule)
-	rbsrc := client.query_all("rolebindings")
-	rolebinding := rbsrc.body.items[_]
-	rolebinding.roleRef.kind == "ClusterRole"
-	rolebinding.roleRef.name == role.metadata.name
-	
-    
-	msga := {
-		"alertMessage": sprintf("the following users: %v , got read secret access roles", [rolebinding.subjects]),
-		"alertScore": 9,
-		"packagename": "armo_builtins",
-		"alertObject": {"clusterrole":role,"users":rolebinding.subjects}
-	}
-}
-
-
-# input: None
-# apiversion: v1
-# does: 
-#	returns clusterroles+ related subjects in clusterrolebinding
-#
-#
-deny[msga] {
-	# rsrc := client.query_all("clusterroles")
-	# role := rsrc.body.items[_]
-	role := input[_]
-	role.kind == "ClusterRole"
-	rule := role.rules[_]
-	cautils.list_contains(rule.resources,"secrets")
-	canViewSecrets(rule)
-	rbsrc := client.query_all("clusterrolebindings")
-	rolebinding := rbsrc.body.items[_]
-	rolebinding.roleRef.kind == "ClusterRole"
-	rolebinding.roleRef.name == role.metadata.name
-	
-    
-	msga := {
-		"alertMessage": sprintf("the following users: %v , got read secret access roles", [rolebinding.subjects]),
-		"alertScore": 9,
-		"packagename": "armo_builtins",
-		"alertObject": {"clusterrole":role,"users":rolebinding.subjects}
-	}
-}
-
-canViewSecrets(rule) {
-	cautils.list_contains(rule.verbs,"get")
-}
-canViewSecrets(rule) {
-	cautils.list_contains(rule.verbs,"watch")
-}

cautils/opapolicy/resources/rego/modules/rwhostpath.reg

@@ -1,64 +0,0 @@
-package armo_builtins
-#import data.kubernetes.api.client as client
-import data.cautils as cautils
-
-# input: pod
-# apiversion: v1
-# does: 
-#	returns rw hostpath volumes of that pod
-#
-#
-deny[msga] {
-    pod := input[_]
-    pod.kind == "Pod"
-    volumes := pod.spec.volumes
-    volume := volumes[_]
-    # crsrcs.body.spec.containers[_].volumeMounts[_].name = volume.name
-    mount := pod.spec.containers[_].volumeMounts[_]
-    mount.name == volume.name
-    volume.hostPath
-    isRWMount(mount)
-    podname := cautils.getPodName(pod.metadata)
-    obj := {"volume":volume,"mount":mount,"podname": podname}
-
-	msga := {
-		"packagename": "armo_builtins",
-		"alertMessage": sprintf("pod: %v has {%v,%v} as rw hostPath volume and volumemount pair\n\n\n", [podname, volume,mount]),
-		"alertScore": 7,
-		"alertObject": [obj],
-	
-	}
-}
-
-isRWMount(mount) {
- not mount.readOnly
-}
-isRWMount(mount) {
-  mount.readOnly == false
-}
-
-
-#handles majority of workload resources
-deny[msga] {
-
-	wl := input[_]
-	spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
-	spec_template_spec_patterns[wl.kind]
-    volumes := wl.spec.template.spec.volumes
-    volume := volumes[_]
-    mount := wl.spec.template.spec.containers[_].volumeMounts[_]
-    mount.name == volume.name
-    volume.hostPath
-    isRWMount(mount)
-    wlname := cautils.getPodName(wl.metadata)
-    obj := {"volume":volume,"mount":mount,"podname": wlname}
-
-	msga := {
-		"packagename": "armo_builtins",
-		"alertMessage": sprintf("%v: %v has {%v,%v} as rw hostPath volume and volumemount pair\n\n\n", [wl.kind,wlname, volume,mount]),
-		"alertScore": 7,
-		"alertObject": [obj],
-	}
-}
-
-

cautils/opapolicy/resources/rego/modules/sshableworkload.reg

@@ -1,57 +0,0 @@
-package armo_builtins
-import data.kubernetes.api.client as client
-import data.cautils as cautils
-
-# input: pod
-# apiversion: v1
-# does: 
-#	returns the external facing services of that pod
-#
-#
-deny[msga] {
-	pod := input[_]
-	podns := pod.metadata.namespace
-	podname := cautils.getPodName(pod.metadata)
-	# pod := client.query_name_ns("pods", "catalog-mongo-6f468d99b4-pn242", "default")
-	labels := pod.body.metadata.labels
-	filtered_labels := json.remove(labels, ["pod-template-hash"])
-    
-	 cluster_resource := client.query_all(
-	 	"services"
-	 )
-
-	services := [svc | cluster_resource.body.items[i].metadata.namespace == podns; svc := cluster_resource.body.items[i]]
-	service := 	services[_]
-	service.spec.selector == filtered_labels
-    
-	hasSSHPorts(service)
-
-	msga := {
-		"alertMessage": sprintf("pod %v/%v exposed by SSH services: %v\n", [podns,podname,service]),
-		"packagename": "armo_builtins",
-		"alertScore": 7,
-		"alertObject": [{"pod":pod,"service":{service}}]
-	}
-}
-
-hasSSHPorts(service) {
-	port := service.spec.ports[_]
-	port.port == 22
-}
-
-
-hasSSHPorts(service) {
-	port := service.spec.ports[_]
-	port.port == 2222
-}
-
-hasSSHPorts(service) {
-	port := service.spec.ports[_]
-	port.targetPort == 22
-}
-
-
-hasSSHPorts(service) {
-	port := service.spec.ports[_]
-	port.targetPort == 2222
-}

cautils/opapolicy/resources/rego/regorulesjsons/access2secrets.json

@@ -1,33 +0,0 @@
-{
-    "guid": "3b0467c9-488d-c244-99d0-90fbf600aaff",
-    "name": "[Builtin] rule-deny-access-to-secrets",
-    "creationTime": "2019-09-04T12:04:58.461455",
-    "description": "determines which users can get/list/watch secrets",
-    "attributes": {
-        "m$K8sThreatMatrix": "Credential Access::List k8s Secrets"
-    },
-    "ruleDependencies": [
-        {
-            "packageName":"cautils"
-        },
-        {
-            "packageName":"kubernetes.api.client"
-        }
-    ],
-    "remediation": "",
-    "match": [
-        {
-            "resources": [
-                "Role","ClusterRole"
-            ],
-            "apiVersions": [
-                "v1"
-            ],
-            "apiGroups": [
-                "rbac.authorization.k8s.io"
-            ]
-        }
-    ],
-    "ruleLanguage": "Rego",
-    "rule": "\npackage armo_builtins\nimport data.kubernetes.api.client as client\nimport data.cautils as cautils\n\n\n# input: None\n# apiversion: v1\n# does: \n#\treturns roles+ related subjects in rolebinding\n\n\ndeny[msga] {\n\t# rsrc := client.query_all(\"roles\")\n\t# role := rsrc.body.items[_]\n\trole := input[_]\n\trole.kind == \"Role\"\n\trule := role.rules[_]\n\tcautils.list_contains(rule.resources,\"secrets\")\n\tcanViewSecrets(rule)\n\trbsrc := client.query_all(\"rolebindings\")\n\trolebinding := rbsrc.body.items[_]\n\trolebinding.roleRef.kind == \"Role\"\n\trolebinding.roleRef.name == role.metadata.name\n\t\n    \n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"the following users: %v , got read secret access roles\", [rolebinding.subjects]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 9,\n\t\t\"alertObject\": {\"role\":role,\"users\":rolebinding.subjects}\n\t\n\t}\n}\n\n\n\n# input: None\n# apiversion: v1\n# does: \n#\treturns clusterroles+ related subjects in rolebinding\n\n\ndeny[msga] {\n\t# rsrc := client.query_all(\"clusterroles\")\n\t# role := rsrc.body.items[_]\n\trole := input[_]\n\trole.kind == \"ClusterRole\"\n\trule := role.rules[_]\n\tcautils.list_contains(rule.resources,\"secrets\")\n\tcanViewSecrets(rule)\n\trbsrc := client.query_all(\"rolebindings\")\n\trolebinding := rbsrc.body.items[_]\n\trolebinding.roleRef.kind == \"ClusterRole\"\n\trolebinding.roleRef.name == role.metadata.name\n\t\n    \n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"the following users: %v , got read secret access roles\", [rolebinding.subjects]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 9,\n\t\t\"alertObject\": {\"clusterrole\":role,\"users\":rolebinding.subjects}\n\t\n\t}\n}\n\n\n# input: None\n# apiversion: v1\n# does: \n#\treturns clusterroles+ related subjects in clusterrolebinding\n#\n#\ndeny[msga] {\n\t# rsrc := client.query_all(\"clusterroles\")\n\t# role := rsrc.body.items[_]\n\trole := input[_]\n\trole.kind == \"ClusterRole\"\n\trule := role.rules[_]\n\tcautils.list_contains(rule.resources,\"secrets\")\n\tcanViewSecrets(rule)\n\trbsrc := client.query_all(\"clusterrolebindings\")\n\trolebinding := rbsrc.body.items[_]\n\trolebinding.roleRef.kind == \"ClusterRole\"\n\trolebinding.roleRef.name == role.metadata.name\n\t\n    \n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"the following users: %v , got read secret access roles\", [rolebinding.subjects]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 9,\n\t\t\"alertObject\": {\"clusterrole\":role,\"users\":rolebinding.subjects}\n\t\n\t}\n}\n\ncanViewSecrets(rule) {\n\tcautils.list_contains(rule.verbs,\"get\")\n}\ncanViewSecrets(rule) {\n\tcautils.list_contains(rule.verbs,\"watch\")\n}\n"
-}

cautils/opapolicy/resources/rego/regorulesjsons/cansshtopod.json

@@ -1,34 +0,0 @@
-{
-    "guid": "3b0467c9-488d-c244-99d0-90fbf600aaff",
-    "name": "[Builtin] rule-can-ssh-to-pod",
-    "creationTime": "2019-09-04T12:04:58.461455",
-    "description": "denies pods with SSH ports opened(22/222)",
-    "attributes": {
-        "microsoftK8sThreatMatrix": "val1"
-    },
-    "ruleDependencies": [
-        {
-            "packageName":"cautils"
-        },
-        {
-            "packageName":"kubernetes.api.client"
-        }
-    ],
-    "remediation": "create a network policy that protects SSH ports",
-    "match": [
-        {
-            "resources": [
-                "Pods"
-            ],
-            "apiVersions": [
-                "v1"
-            ],
-            "apiGroups": [
-                "*"
-            ]
-        }
-    ],
-    "ruleLanguage": "Rego",
-    "rule": "\npackage armo_builtins\nimport data.kubernetes.api.client as client\nimport data.cautils as cautils\n\n# input: pod\n# apiversion: v1\n# does: \n#\treturns the external facing services of that pod\n#\n#\ndeny[msga] {\n\tpod := input[_]\n\tpodns := pod.metadata.namespace\n\tpodname := cautils.getPodName(pod.metadata)\n\t# pod := client.query_name_ns(\"pods\", \"catalog-mongo-6f468d99b4-pn242\", \"default\")\n\tlabels := pod.body.metadata.labels\n\tfiltered_labels := json.remove(labels, [\"pod-template-hash\"])\n    \n\t cluster_resource := client.query_all(\n\t \t\"services\"\n\t )\n\n\tservices := [svc | cluster_resource.body.items[i].metadata.namespace == podns; svc := cluster_resource.body.items[i]]\n\tservice := \tservices[_]\n\tservice.spec.selector == filtered_labels\n    \n\thasSSHPorts(service)\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"pod %v/%v exposed by SSH services: %v\n\", [podns,podname,service]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 7,\n\t\t\"alertObject\": [{\"pod\":pod,\"service\":{service}}]\n\t\n\t}\n}\n\nhasSSHPorts(service) {\n\tport := service.spec.ports[_]\n\tport.port == 22\n}\n\n\nhasSSHPorts(service) {\n\tport := service.spec.ports[_]\n\tport.port == 2222\n}\n\nhasSSHPorts(service) {\n\tport := service.spec.ports[_]\n\tport.targetPort == 22\n}\n\n\nhasSSHPorts(service) {\n\tport := service.spec.ports[_]\n\tport.targetPort == 2222\n}\n"
-
-}

cautils/opapolicy/resources/rego/regorulesjsons/compromisedregistries.json

@@ -1,33 +0,0 @@
-{
-    "guid": "",
-    "name": "[Builtin] rule-identify-blacklisted-image-registries",
-    "creationTime": "",
-    "description": "Identifying if pod container images are from unallowed registries",
-    "attributes": {
-        "m$K8sThreatMatrix": "Initial Access::Compromised images in registry"
-    },
-    "ruleDependencies": [
-        {
-            "packageName": "cautils"
-        },
-        {
-            "packageName": "kubernetes.api.client"
-        }
-    ],
-    "remediation": "Use images from safe registry",
-    "match": [
-        {
-            "resources": [
-                "Pods"
-            ],
-            "apiVersions": [
-                "v1"
-            ],
-            "apiGroups": [
-                "*"
-            ]
-        }
-    ],
-    "ruleLanguage": "Rego",
-    "rule": "\npackage armo_builtins\n# Check for images from blacklisted repos\n\nuntrusted_registries(z) = x {\n\tx := [\"015253967648.dkr.ecr.eu-central-1.amazonaws.com/\"]\t\n}\n\npublic_registries(z) = y{\n\ty := [\"quay.io/kiali/\",\"quay.io/datawire/\",\"quay.io/keycloak/\",\"quay.io/bitnami/\"]\n}\n\nuntrustedImageRepo[msga] {\n\tpod := input[_]\n\tk := pod.kind\n\tk == \"Pod\"\n\tcontainer := pod.spec.containers[_]\n\timage := container.image\n    repo_prefix := untrusted_registries(image)[_]\n\tstartswith(image, repo_prefix)\n\tselfLink := pod.metadata.selfLink\n\tcontainerName := container.name\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"image '%v' in container '%s' in [%s] comes from untrusted registry\", [image, containerName, selfLink]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 2,\n\t\t\"alertObject\": [{\"pod\":pod}]\n\t}\n}\n\nuntrustedImageRepo[msga] {\n    pod := input[_]\n\tk := pod.kind\n\tk == \"Pod\"\n\tcontainer := pod.spec.containers[_]\n\timage := container.image\n    repo_prefix := public_registries(image)[_]\n\tstartswith(pod, repo_prefix)\n\tselfLink := input.metadata.selfLink\n\tcontainerName := container.name\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"image '%v' in container '%s' in [%s] comes from public registry\", [image, containerName, selfLink]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 1,\n\t\t\"alertObject\": [{\"pod\":pod}]\n\t}\n}"
-}

cautils/opapolicy/resources/rego/regorulesjsons/externalfacingservicesbypod.json

@@ -1,31 +0,0 @@
-{
-    "guid": "3b0467c9-488d-c244-99d0-90fbf600aaff",
-    "name": "[Builtin] rule-pod-external-facing",
-    "creationTime": "2019-09-04T12:04:58.461455",
-    "description": "denies pods with external facing services, grabs related services",
-    "attributes": {
-        "microsoftK8sThreatMatrix": "val1"
-    },
-    "ruleDependencies": [
-        {
-            "packageName":"kubernetes.api.client"
-        }
-    ],
-    "remediation": "create a network policy that controls which protect your cluster from unwanted connections and the outside world",
-    "match": [
-        {
-            "resources": [
-                "Pods"
-            ],
-            "apiVersions": [
-                "v1"
-            ],
-            "apiGroups": [
-                "*"
-            ]
-        }
-    ],
-    "ruleLanguage": "Rego",
-    "rule": "\npackage armo_builtins\n\nimport data.kubernetes.api.client as client\n\n\n# input: pod\n# apiversion: v1\n# does: \n#\treturns the external facing services of that pod\n#\n#\ndeny[msga] {\n\tpod := input[_]\n\tpodns :=  pod.metadata.namespace\n\tpodname := getName(pod.metadata)\n\t# pod := client.query_name_ns(\"pods\",\"frontend-86c5ffb485-kfp9d\", \"default\")\n\tlabels := pod.body.metadata.labels\n\tfiltered_labels := json.remove(labels, [\"pod-template-hash\"])\n    \n\t cluster_resource := client.query_all(\n\t \t\"services\"\n\t )\n\n\n\tservices := [svc | cluster_resource.body.items[i].metadata.namespace == podns; svc := cluster_resource.body.items[i]]\n\tservice := \tservices[_]\n\tnp_or_lb := {\"NodePort\", \"LoadBalancer\"}\n\tnp_or_lb[service.spec.type]\n\tservice.spec.selector == filtered_labels\n    \n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"pod %v/%v exposed services: %v\n\", [podns,podname,service]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 7,\n\t\t\"alertObject\": {\"service\":service,\"labels\":filtered_labels, \"podname\":podname,\"namespace\":podns}\n\t\n\t}\n}\n\ngetName(metadata) = name {\n\tname := metadata.generateName\n}\ngetName(metadata) = name {\n\tname := metadata.name\n}\n"
-
-}

cautils/opapolicy/resources/rego/regorulesjsons/hostpath.json

@@ -1,31 +0,0 @@
-{
-    "guid": "3b0467c9-488d-c244-99d0-90fbf600aaff",
-    "name": "[Builtin] alert-any-hostpath",
-    "creationTime": "2019-09-04T12:04:58.461455",
-    "description": "determines if any workload contains a hostPath volume",
-    "attributes": {
-        "m$K8sThreatMatrix": "Privilege Escalation::hostPath mount"
-    },
-    "ruleDependencies": [
-        {
-            "packageName":"cautils"
-        }
-    ],
-    "remediation": "consider if hostPath is really necessary - reading sensitive data like hostPath credentials might endanger cluster, if so consider encrypting the data",
-
-    "match": [
-        {
-            "resources": [
-                "Deployment","ReplicaSet","DaemonSet","StatefulSet","Job","Pod"
-            ],
-            "apiVersions": [
-                "v1"
-            ],
-            "apiGroups": [
-                "*"
-            ]
-        }
-    ],
-    "ruleLanguage": "Rego",
-    "rule": "\npackage armo_builtins\nimport data.kubernetes.api.client as client\nimport data.cautils as cautils\n\n# input: pod\n# apiversion: v1\n# does: \n#\treturns hostPath volumes\n#\n#\ndeny[msga] {\n    pod := input[_]\n    pod.kind == \"Pod\"\n    volumes := pod.spec.volumes\n    volume := volumes[_]\n    # crsrcs.body.spec.containers[_].volumeMounts[_].name = volume.name\n    volume.hostPath\n    podname := cautils.getPodName(pod.metadata)\n    obj := {\"volume\":volume,\"podname\": podname}\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"pod: %v has {%v,%v} ashostPath volume \n\n\n\", [podname, volume]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 7,\n\t\t\"alertObject\": [obj],\n\t\n\t}\n}\n\nisRWMount(mount) {\n not mount.readOnly\n}\nisRWMount(mount) {\n  mount.readOnly == false\n}\n\n\n#handles majority of workload resources\ndeny[msga] {\n\n\twl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n    volumes := wl.spec.template.spec.volumes\n    volume := volumes[_]\n    volume.hostPath\n    wlname := cautils.getPodName(wl.metadata)\n    obj := {\"volume\":volume,\"podname\": wlname}\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"%v: %v has {%v,%v} as hostPath volume\n\n\n\", [wl.kind,wlname, volume]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 7,\n\t\t\"alertObject\": [obj],\n\t\n\t}\n}\n\n\n"
-    }

cautils/opapolicy/resources/rego/regorulesjsons/instancemetadataapi.json

@@ -1,27 +0,0 @@
-{
-    "guid": "82f19070-2826-4fe4-a079-f5f7e7a1b04d",
-    "name": "[Builtin] instance-metadata-api-access",
-    "attributes": {
-        "m$K8sThreatMatrix": "Credential Access::Instance Metadata API"
-    },
-    "creationTime": "2021-04-25T10:48:48.861806",
-    "rule": "package armo_builtins\n# Check for images from blacklisted repos\n\nmetadata_azure(z) = http.send({\n\t\"url\": \"http://169.254.169.254/metadata/instance?api-version=2020-09-01\",\n\t\"method\": \"get\",\n\t\"headers\": {\"Metadata\": \"true\"},\n\t\"raise_error\": true,\t\n})\n\nmetadata_gcp(z) = http.send({\n\t\"url\": \"http://169.254.169.254/computeMetadata/v1/?alt=json&recursive=true\",\n\t\"method\": \"get\",\n\t\"headers\": {\"Metadata-Flavor\": \"Google\"},\n\t\"raise_error\": true,\t\n})\n\nmetadata_aws(z) = metadata_object { \n\thostname := http.send({\n\t\"url\": \"http://169.254.169.254/latest/meta-data/local-hostname\",\n\t\"method\": \"get\",\n\t\"raise_error\": true,\t\n    })\n\tmetadata_object := {\n\t\t\"raw_body\": hostname.raw_body,\n\t\t\"hostname\" : hostname.raw_body,\n\t\t\"status_code\" : hostname.status_code\n\t}\n}\n\nazure_metadata[msga] {\t\n\tmetadata_object := metadata_azure(\"aaa\")\n\tmetadata_object.status_code == 200\n\tnode_name := metadata_object.body.compute.name\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"Node '%s' has access to Instance Metadata Services of Azure.\", [node_name]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 1,\n\t\t\"alertObject\": [{\"nodeMetadata\":metadata_object.body}]\n\t}\n}\n\ngcp_metadata[msga] {\t\n\tmetadata_object := metadata_gcp(\"aaa\")\n\tmetadata_object.status_code == 200\n\tnode_name := metadata_object.body.instance.hostname\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"Node '%s' has access to Instance Metadata Services of GCP.\", [node_name]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 1,\n\t\t\"alertObject\": [{\"nodeMetadata\": metadata_object.raw_body}]\n\t}\n}\n\naws_metadata[msga] {\t\n\tmetadata_object := metadata_aws(\"aaa\")\n\tmetadata_object.status_code == 200\n\tnode_name := metadata_object.hostname\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"Node '%s' has access to Instance Metadata Services of AWS.\", [node_name]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 1,\n\t\t\"alertObject\": [{\"nodeMetadata\": metadata_object.raw_body}]\n\t}\n}",
-    "ruleLanguage": "Rego",
-    "match": [
-        {
-            "apiGroups": [
-                "*"
-            ],
-            "apiVersions": [
-                "*"
-            ],
-            "resources": [
-                "nodes"
-            ]
-        }
-    ],
-    "ruleDependencies": [],
-    "description": "Checks if there is access from the nodes to cloud prividers instance metadata services",
-    "remediation": "From https://attack.mitre.org/techniques/T1552/005/ :Option A: Disable or Remove Feature or Program, Option B: Filter Network Traffic",
-    "ruleQuery": ""
-}

cautils/opapolicy/resources/rego/regorulesjsons/iscronjob.json

@@ -1,30 +0,0 @@
-{
-    "guid": "[Builtin] 3b0467c9-488d-c244-99d0-90fbf600aaff",
-    "name": "rule-deny-cronjobs",
-    "creationTime": "2019-09-04T12:04:58.461455",
-    "description": "determines if it's cronjob",
-    "attributes": {
-        "m$K8sThreatMatrix": "Persistence::Cronjob"
-    },
-    "ruleDependencies": [
-        {
-            "packageName":"cautils"
-        }
-    ],
-    "remediation": "",
-    "match": [
-        {
-            "resources": [
-                "CronJob"
-            ],
-            "apiVersions": [
-                "v1beta1"
-            ],
-            "apiGroups": [
-                "batch"
-            ]
-        }
-    ],
-    "ruleLanguage": "Rego",
-    "rule": "\npackage armo_builtins\n\n# import data.kubernetes.api.client as client\nimport data.cautils as cautils\n\n\n# alert cronjobs\n\n#handles cronjob\ndeny[msga] {\n\n\twl := input[_]\n\twl.kind == \"CronJob\"\n    msga := {\n\t\t\"alertMessage\": sprintf(\"the following cronjobs are defined: %v\", [wl]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 2,\n\t\t\"alertObject\": wl\n\t\n\t}\n}\n"
-}

cautils/opapolicy/resources/rego/regorulesjsons/privilegedworkload.json

@@ -1,29 +0,0 @@
-{
-    "guid": "",
-    "name": "[Builtin] rule-privilege-escalation",
-    "creationTime": "2019-09-04T12:04:58.461455",
-    "description": "determines if pods/deployments defined as privileged true",
-    "attributes": {
-        "mitre": "Privilege Escalation",
-        "mitreCode": "TA0004",
-        "m$K8sThreatMatrix": "Privilege Escalation::privileged container"
-    },
-    "ruleDependencies": [
-    ],
-    "remediation": "avoid defining pods as privilleged",
-    "match": [
-        {
-            "resources": [
-                "Deployment","ReplicaSet","DaemonSet","StatefulSet","Job","Pod","CronJob"
-            ],
-            "apiVersions": [
-                "v1"
-            ],
-            "apiGroups": [
-                "*"
-            ]
-        }
-    ],
-    "ruleLanguage": "Rego",
-    "rule": "\npackage armo_builtins\n\nimport data.kubernetes.api.client as client\nimport data.designators as scope\nimport data.cautils as cautils\n\n\n# Deny mutating action unless user is in group owning the resource\n\n\n#privileged pods\ndeny[msga] {\n\n   \n\tpod := input[_]\n\tcontainers := pod.spec.containers[_]\n\tcontainers.securityContext.privileged == true\n    msga := {\n\t\t\"alertMessage\": sprintf(\"the following pods are defined as privileged: %v\", [pod]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 3,\n\t\t\"alertObject\": pod,\n\t\n\t}\n}\n\n\n#handles majority of workload resources\ndeny[msga] {\n\n\twl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n\tcontainers := wl.spec.template.spec.containers[_]\n\tcontainers.securityContext.privileged == true\n    msga := {\n\t\t\"alertMessage\": sprintf(\"the following workloads are defined as privileged: %v\", [wl]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 3,\n\t\t\"alertObject\": wl,\n\t\n\t}\n}\n\n\n\n#handles cronjob\ndeny[msga] {\n\n\twl := input[_]\n\twl.kind == \"CronJob\"\n\tcontainers := wl.spec.jobTemplate.spec.template.spec.containers[_]\n\tcontainers.securityContext.privileged == true\n    msga := {\n\t\t\"alertMessage\": sprintf(\"the following cronjobs are defined as privileged: %v\", [wl]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 3,\n\t\t\"alertObject\": wl,\n\t\n\t}\n}\n\n"
-}

cautils/opapolicy/resources/rego/regorulesjsons/rwhostpath.json

@@ -1,31 +0,0 @@
-{
-    "guid": "3b0467c9-488d-c244-99d0-90fbf600aaff",
-    "name": "[Builtin] alert-rw-hostpath",
-    "creationTime": "2019-09-04T12:04:58.461455",
-    "description": "determines if any workload contains a hostPath volume with rw permissions",
-    "attributes": {
-        "m$K8sThreatMatrix": "Persistance::Writable hostPath mount"
-    },
-    "ruleDependencies": [
-        {
-            "packageName":"cautils"
-        }
-    ],
-    "remediation": "consider if hostPath is really necessary- sensitive data like hostPath credentials might endanger cluster, if so consider encrypting the data",
-
-    "match": [
-        {
-            "resources": [
-                "Deployment","ReplicaSet","DaemonSet","StatefulSet","Job","Pod"
-            ],
-            "apiVersions": [
-                "v1"
-            ],
-            "apiGroups": [
-                "*"
-            ]
-        }
-    ],
-    "ruleLanguage": "Rego",
-    "rule": "\"\\npackage armo_builtins\\nimport data.kubernetes.api.client as client\\nimport data.cautils as cautils\\n\\n# input: pod\\n# apiversion: v1\\n# does: \\n#\\treturns hostPath volumes\\n#\\n#\\ndeny[msga] {\\n    pod := input[_]\\n    pod.kind == \\\"Pod\\\"\\n    volumes := pod.spec.volumes\\n    volume := volumes[_]\\n    # crsrcs.body.spec.containers[_].volumeMounts[_].name = volume.name\\n    volume.hostPath\\n    podname := cautils.getPodName(pod.metadata)\\n    obj := {\\\"volume\\\":volume,\\\"podname\\\": podname}\\n\\n\\tmsga := {\\n\\t\\t\\\"alertMessage\\\": sprintf(\\\"pod: %v has {%v,%v} ashostPath volume \\n\\n\\n\\\", [podname, volume]),\\n\\t\\t\\\"alert\\\": true,\\n\\t\\t\\\"prevent\\\": false,\\n\\t\\t\\\"alertScore\\\": 7,\\n\\t\\t\\\"alertObject\\\": [obj],\\n\\t\\n\\t}\\n}\\n\\nisRWMount(mount) {\\n not mount.readOnly\\n}\\nisRWMount(mount) {\\n  mount.readOnly == false\\n}\\n\\n\\n#handles majority of workload resources\\ndeny[msga] {\\n\\n\\twl := input[_]\\n\\tspec_template_spec_patterns := {\\\"Deployment\\\",\\\"ReplicaSet\\\",\\\"DaemonSet\\\",\\\"StatefulSet\\\",\\\"Job\\\"}\\n\\tspec_template_spec_patterns[wl.kind]\\n    volumes := wl.spec.template.spec.volumes\\n    volume := volumes[_]\\n    volume.hostPath\\n    wlname := cautils.getPodName(wl.metadata)\\n    obj := {\\\"volume\\\":volume,\\\"podname\\\": wlname}\\n\\n\\tmsga := {\\n\\t\\t\\\"alertMessage\\\": sprintf(\\\"%v: %v has {%v,%v} as hostPath volume\\n\\n\\n\\\", [wl.kind,wlname, volume]),\\n\\t\\t\\\"alert\\\": true,\\n\\t\\t\\\"prevent\\\": false,\\n\\t\\t\\\"alertScore\\\": 7,\\n\\t\\t\\\"alertObject\\\": [obj],\\n\\t\\n\\t}\\n}\\n\\n\\n\""
-}

cautils/opapolicy/resources/resourcesutils.go

@@ -1,126 +0,0 @@
-package resources
-
-import (
-	"encoding/json"
-	"fmt"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"kube-escape/cautils/k8sinterface"
-
-	"github.com/golang/glog"
-	"github.com/open-policy-agent/opa/storage"
-	"github.com/open-policy-agent/opa/storage/inmem"
-	"github.com/open-policy-agent/opa/util"
-	"k8s.io/client-go/rest"
-)
-
-var (
-	RegoDependenciesPath = "/resources/rego/dependencies"
-)
-
-type RegoDependenciesData struct {
-	K8sConfig RegoK8sConfig `json:"k8sconfig"`
-}
-
-type RegoK8sConfig struct {
-	Token         string `json:"token"`
-	IP            string `json:"ip"`
-	Host          string `json:"host"`
-	Port          string `json:"port"`
-	CrtFile       string `json:"crtfile"`
-	ClientCrtFile string `json:"clientcrtfile"`
-	ClientKeyFile string `json:"clientkeyfile"`
-	// ClientKeyFile string `json:"crtfile"`
-}
-
-func NewRegoDependenciesDataMock() *RegoDependenciesData {
-	return NewRegoDependenciesData(k8sinterface.GetK8sConfig())
-}
-
-func NewRegoDependenciesData(k8sConfig *rest.Config) *RegoDependenciesData {
-
-	regoDependenciesData := RegoDependenciesData{
-		K8sConfig: *NewRegoK8sConfig(k8sConfig),
-	}
-	return &regoDependenciesData
-}
-func NewRegoK8sConfig(k8sConfig *rest.Config) *RegoK8sConfig {
-
-	host := k8sConfig.Host
-	if host == "" {
-		ip := os.Getenv("KUBERNETES_SERVICE_HOST")
-		port := os.Getenv("KUBERNETES_SERVICE_PORT")
-		host = fmt.Sprintf("https://%s:%s", ip, port)
-	}
-
-	token := ""
-	if k8sConfig.BearerToken != "" {
-		token = fmt.Sprintf("Bearer %s", k8sConfig.BearerToken)
-	}
-
-	// crtFile := os.Getenv("KUBERNETES_CRT_PATH")
-	// if crtFile == "" {
-	// 	crtFile = k8sConfig.CAFile
-	// 	// crtFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
-	// }
-
-	// glog.Infof("===========================================================================")
-	// glog.Infof(fmt.Sprintf("%v", k8sConfig.String()))
-	// glog.Infof("===========================================================================")
-
-	regoK8sConfig := RegoK8sConfig{
-		Token:         token,
-		Host:          k8sConfig.Host,
-		CrtFile:       k8sConfig.CAFile,
-		ClientCrtFile: k8sConfig.CertFile,
-		ClientKeyFile: k8sConfig.KeyFile,
-	}
-	return &regoK8sConfig
-}
-func (data *RegoDependenciesData) TOStorage() (storage.Store, error) {
-	var jsonObj map[string]interface{}
-	bytesData, err := json.Marshal(*data)
-	if err != nil {
-		return nil, err
-	}
-	// glog.Infof("RegoDependenciesData: %s", bytesData)
-	if err := util.UnmarshalJSON(bytesData, &jsonObj); err != nil {
-		return nil, err
-	}
-	return inmem.NewFromObject(jsonObj), nil
-}
-
-// LoadRegoDependenciesFromDir loads the policies list from *.rego file in given directory
-func LoadRegoFiles(dir string) map[string]string {
-
-	modules := make(map[string]string)
-
-	// Compile the module. The keys are used as identifiers in error messages.
-	filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
-		if err == nil && strings.HasSuffix(path, ".rego") && !info.IsDir() {
-			content, err := ioutil.ReadFile(path)
-			if err != nil {
-				glog.Errorf("LoadRegoFiles, Failed to load: %s: %v", path, err)
-			} else {
-				modules[strings.Trim(filepath.Base(path), ".rego")] = string(content)
-			}
-		}
-		return nil
-	})
-
-	return modules
-}
-
-// LoadRegoModules loads the policies from variables
-func LoadRegoModules() map[string]string {
-
-	modules := make(map[string]string)
-	modules["cautils"] = RegoCAUtils
-	modules["designators"] = RegoDesignators
-	modules["kubernetes.api.client"] = RegoKubernetesApiClient
-
-	return modules
-}

cautils/opapolicy/resources/resourcesutils_test.go

@@ -1,17 +0,0 @@
-package resources
-
-import (
-	"os"
-	"path/filepath"
-	"testing"
-)
-
-func TestLoadRegoDependenciesFromDir(t *testing.T) {
-	dir, _ := os.Getwd()
-	t.Errorf("%s", filepath.Join(dir, "rego/dependencies"))
-	return
-	// modules := LoadRegoDependenciesFromDir("")
-	// if len(modules) == 0 {
-	// 	t.Errorf("modules len == 0")
-	// }
-}

cautils/reporterutils.go

@@ -1,5 +0,0 @@
-package cautils
-
-const (
-	ComponentIdentifier = "Posture"
-)

cautils/strutils.go

@@ -1,44 +0,0 @@
-package cautils
-
-import (
-	"fmt"
-	"strings"
-)
-
-const ValueNotFound = -1
-
-func ConvertLabelsToString(labels map[string]string) string {
-	labelsStr := ""
-	delimiter := ""
-	for k, v := range labels {
-		labelsStr += fmt.Sprintf("%s%s=%s", delimiter, k, v)
-		delimiter = ";"
-	}
-	return labelsStr
-}
-
-// ConvertStringToLabels convert a string "a=b;c=d" to map: {"a":"b", "c":"d"}
-func ConvertStringToLabels(labelsStr string) map[string]string {
-	labels := make(map[string]string)
-	labelsSlice := strings.Split(labelsStr, ";")
-	if len(labelsSlice)%2 != 0 {
-		return labels
-	}
-	for i := range labelsSlice {
-		kvSlice := strings.Split(labelsSlice[i], "=")
-		if len(kvSlice) != 2 {
-			continue
-		}
-		labels[kvSlice[0]] = kvSlice[1]
-	}
-	return labels
-}
-
-func StringInSlice(strSlice []string, str string) int {
-	for i := range strSlice {
-		if strSlice[i] == str {
-			return i
-		}
-	}
-	return ValueNotFound
-}