Merge pull request #4 from Daniel-GrunbergerCA/master

add exclude-namespaces flag
add cli flag
2026-04-15 06:58:11 +00:00 · 2021-08-18 11:56:43 +03:00 · 2021-08-18 11:48:10 +03:00 · 2021-08-17 17:39:50 +03:00 · 2021-08-17 16:27:53 +03:00 · 2021-08-17 16:24:23 +03:00
16 changed files with 125 additions and 53 deletions
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -18,7 +18,7 @@ jobs:
        go-version: 1.16

    - name: Build
-      run: mkdir build  && go mod tidy && go build -o build/kubescape
+      run: mkdir build  && go mod tidy && go build -ldflags "-w -s" -o build/kubescape
    
    - name: Chmod
      run: chmod +x build/kubescape
--- a/README.md
+++ b/README.md
@@ -1,16 +1,54 @@
 <img src="docs/kubescape.png" width="300" alt="logo" align="center">

-kubescape is a tool for testing Kubernetes clusters against industry accepted security standards and recomendations like:
-* NSA hardening for Kubernetes operators [see here](https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF)
-* MITRE threat matrix for Kubernetes [see here](https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/)
+Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in [Kubernetes Hardening Guidance by to NSA and CISA](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
+Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
+
+<img src="docs/using-mov.gif">

 # TL;DR
-To get a fast check of the security posture of your Kubernetes cluster run this:
+## Installation
+To install the tool locally, run this:

 `curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash`

 <img src="docs/install.jpeg">

+## Run
+To get a fast check of the security posture of your Kubernetes cluster, run this:
+
+`kubescape scan framework nsa`
+
+<img src="docs/run.jpeg">
+

 # Status
 [![build](https://github.com/armosec/kubescape/actions/workflows/build.yaml/badge.svg)](https://github.com/armosec/kubescape/actions/workflows/build.yaml)
+[![Github All Releases](https://img.shields.io/github/downloads/armosec/kubescape/total.svg)]()
+
+# How to build 
+`go mod tidy && go build -o kubescape` :zany_face:
+
+# Under the hood
+
+## Tests
+Kubescape is running the following tests according to what is defined by [Kubernetes Hardening Guidance by to NSA and CISA](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
+* Non-root containers
+* Immutable container filesystem 
+* Privileged containers 
+* hostPID, hostIPC privileges
+* hostNetwork access
+* allowedHostPaths field
+* Protecting pod service account tokens
+* Resource policies
+* Control plane hardening 
+* Exposed dashboard
+
+
+## Technology
+Kubescape based on OPA engine: https://github.com/open-policy-agent/opa and ARMO's posture controls. 
+
+The tools retrieves Kubernetes objects from the API server and runs a set of [regos snippets](https://www.openpolicyagent.org/docs/latest/policy-language/) developed by [ARMO](https://www.armosec.io/). 
+
+The results by default printed in a pretty "console friendly" manner, but they can be retrieved in JSON format for further processing.
+
+Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.
--- a/cautils/opapolicy/datastructures.go
+++ b/cautils/opapolicy/datastructures.go
@@ -42,11 +42,11 @@ type ControlReport struct {
 	Description string       `json:"description"`
 }
 type RuleReport struct {
-	Name           string         `json:"name"`
-	Remediation    string         `json:"remediation"`
-	RuleStatus     RuleStatus     `json:"ruleStatus"`
-	RuleResponses  []RuleResponse `json:"ruleResponses"`
-	NumOfResources int
+	Name               string                   `json:"name"`
+	Remediation        string                   `json:"remediation"`
+	RuleStatus         RuleStatus               `json:"ruleStatus"`
+	RuleResponses      []RuleResponse           `json:"ruleResponses"`
+	ListInputResources []map[string]interface{} `json:"-"`
 }
 type RuleStatus struct {
 	Status  string `json:"status"`
--- a/cautils/opapolicy/datastructuresmethods.go
+++ b/cautils/opapolicy/datastructuresmethods.go
@@ -70,7 +70,10 @@ func ParseRegoResult(regoResult *rego.ResultSet) ([]RuleResponse, error) {
 func (controlReport *ControlReport) GetNumberOfResources() int {
 	sum := 0
 	for i := range controlReport.RuleReports {
-		sum += controlReport.RuleReports[i].NumOfResources
+		if controlReport.RuleReports[i].ListInputResources == nil {
+			continue
+		}
+		sum += len(controlReport.RuleReports[i].ListInputResources)
 	}
 	return sum
 }
--- a/docs/kubescape.png
+++ b/docs/kubescape.png
--- a/docs/run.jpeg
+++ b/docs/run.jpeg
--- a/docs/using-mov.gif
+++ b/docs/using-mov.gif
--- a/inputhandler/clihandler/flaghandler.go
+++ b/inputhandler/clihandler/flaghandler.go
@@ -45,7 +45,7 @@ func (flagHandler *FlagHandler) Help() {
 }

 func (flagHandler *FlagHandler) Version() {
-	fmt.Println("bla.bla.bla")
+	fmt.Println("")
 }

 func (flagHandler *FlagHandler) Scan() {
@@ -67,7 +67,10 @@ func (flagHandler *FlagHandler) Scan() {
 }
 func (flagHandler *FlagHandler) ScanFramework() {
 	frameworkName := strings.ToUpper(flag.Arg(2))
-
+	// if cautils.StringInSlice(SupportedFrameworks(), frameworkName) == cautils.ValueNotFound {
+	// 	fmt.Printf("framework %s not supported, supported frameworks: %v", frameworkName, SupportedFrameworks())
+	// 	return
+	// }
 	flagHandler.policyIdentifier = &opapolicy.PolicyIdentifier{
 		Kind: opapolicy.KindFramework,
 		Name: frameworkName,
@@ -80,11 +83,15 @@ func (flagHandler *FlagHandler) ScanControl() {
 	}
 }
 func (flagHandler *FlagHandler) ScanHelp() {
-	fmt.Println("Entre scope: framework or control")
+	fmt.Println("")
 }
 func (flagHandler *FlagHandler) ScanFrameworkHelp() {
-	fmt.Println("Run a framework. Run 'cacli opa framework list' for the list of available frameworks")
+	fmt.Println("Run framework nsa or mitre")
 }
 func (flagHandler *FlagHandler) ScanControlHelp() {
 	fmt.Println("not supported")
 }
+
+func SupportedFrameworks() []string {
+	return []string{"nsa", "mitre"} // TODO - get from BE
+}
--- a/inputhandler/dummy_test.go
+++ b/inputhandler/dummy_test.go
@@ -1 +0,0 @@
-package inputhandler
--- a/install.sh
+++ b/install.sh
@@ -6,14 +6,14 @@ echo
 
 BASE_DIR=~/.kubescape
 KUBESCAPE_EXEC=kubescape
-RELEASE=v0.0.5
+RELEASE=v0.0.18
 DOWNLOAD_URL="https://github.com/armosec/kubescape/releases/download/$RELEASE/kubescape"

 mkdir -p $BASE_DIR 

 OUTPUT=$BASE_DIR/$KUBESCAPE_EXEC

-curl -sL $DOWNLOAD_URL -o $OUTPUT
+curl --progress-bar -L $DOWNLOAD_URL -o $OUTPUT
 echo -e "\033[32m[V] Downloaded Kubescape"

 sudo chmod +x $OUTPUT
--- a/opaprocessor/processorhandler.go
+++ b/opaprocessor/processorhandler.go
@@ -67,13 +67,15 @@ func (opap *OPAProcessor) ProcessRulesHandler(opaSessionObj *cautils.OPASessionO
 		controlReports := []opapolicy.ControlReport{}
 		for _, control := range framework.Controls {
 			// cautils.SimpleDisplay(os.Stdout, fmt.Sprintf("\033[2K\r%s", control.Name))
-			// fmt.Printf("\033[2K\r%s", control.Name)
 			controlReport := opapolicy.ControlReport{}
 			controlReport.Name = control.Name
 			controlReport.Description = control.Description
 			controlReport.Remediation = control.Remediation
 			ruleReports := []opapolicy.RuleReport{}
 			for _, rule := range control.Rules {
+				if ruleWithArmoOpaDependency(rule.Attributes) {
+					continue
+				}
 				k8sObjects := getKubernetesObjects(opaSessionObj.K8SResources, rule.Match)
 				ruleReport, err := opap.runOPAOnSingleRule(&rule, k8sObjects)
 				if err != nil {
@@ -85,10 +87,8 @@ func (opap *OPAProcessor) ProcessRulesHandler(opaSessionObj *cautils.OPASessionO
 				} else {
 					ruleReport.RuleStatus.Status = "success"
 				}
-				ruleReport.NumOfResources = len(k8sObjects)
-				// if len(ruleReport.RuleResponses) > 0 {
+				ruleReport.ListInputResources = k8sObjects
 				ruleReports = append(ruleReports, ruleReport)
-				// }
 			}
 			controlReport.RuleReports = ruleReports
 			controlReports = append(controlReports, controlReport)
--- a/opaprocessor/processorhandlerutils.go
+++ b/opaprocessor/processorhandlerutils.go
@@ -3,6 +3,7 @@ package opaprocessor
 import (
 	"kube-escape/cautils"

+	pkgcautils "kube-escape/cautils/cautils"
 	"kube-escape/cautils/k8sinterface"
 	"kube-escape/cautils/opapolicy"
 	resources "kube-escape/cautils/opapolicy/resources"
@@ -48,3 +49,13 @@ func getRuleDependencies() (map[string]string, error) {
 	}
 	return modules, nil
 }
+
+func ruleWithArmoOpaDependency(annotations map[string]interface{}) bool {
+	if annotations == nil {
+		return false
+	}
+	if s, ok := annotations["armoOpa"]; ok { // TODO - make global
+		return pkgcautils.StringToBool(s.(string))
+	}
+	return false
+}
--- a/policyhandler/handlenotification.go
+++ b/policyhandler/handlenotification.go
@@ -1,6 +1,7 @@
 package policyhandler

 import (
+	"flag"
 	"fmt"
 	"kube-escape/cautils"

@@ -52,7 +53,11 @@ func (policyHandler *PolicyHandler) HandleNotificationRequest(notification *opap
 	// get k8s resources
 	cautils.ProgressTextDisplay("Accessing Kubernetes objects")
 	glog.Infof(fmt.Sprintf("Getting kubernetes objects. reportID: %s", notification.ReportID))
-	k8sResources, err := policyHandler.getK8sResources(frameworks, &notification.Designators)
+	excludedNamespaces := ""
+	if flag.Arg(3) == "--exclude-namespaces" {
+		excludedNamespaces = flag.Arg(4)
+	}
+	k8sResources, err := policyHandler.getK8sResources(frameworks, &notification.Designators, excludedNamespaces)
 	if err != nil || len(*k8sResources) == 0 {
 		glog.Error(err)
 	} else {
--- a/policyhandler/k8sresources.go
+++ b/policyhandler/k8sresources.go
@@ -3,6 +3,7 @@ package policyhandler
 import (
 	"fmt"
 	"kube-escape/cautils"
+	"strings"

 	"kube-escape/cautils/k8sinterface"

@@ -18,7 +19,7 @@ import (

 const SelectAllResources = "*"

-func (policyHandler *PolicyHandler) getK8sResources(frameworks []opapolicy.Framework, designator *armotypes.PortalDesignator) (*cautils.K8SResources, error) {
+func (policyHandler *PolicyHandler) getK8sResources(frameworks []opapolicy.Framework, designator *armotypes.PortalDesignator, excludedNamespaces string) (*cautils.K8SResources, error) {
 	// build resources map
 	k8sResourcesMap := setResourceMap(frameworks)

@@ -26,20 +27,20 @@ func (policyHandler *PolicyHandler) getK8sResources(frameworks []opapolicy.Frame
 	_, namespace, labels := armotypes.DigestPortalDesignator(designator)

 	// pull k8s recourses
-	if err := policyHandler.pullResources(k8sResourcesMap, namespace, labels); err != nil {
+	if err := policyHandler.pullResources(k8sResourcesMap, namespace, labels, excludedNamespaces); err != nil {
 		return k8sResourcesMap, err
 	}

 	return k8sResourcesMap, nil
 }

-func (policyHandler *PolicyHandler) pullResources(k8sResources *cautils.K8SResources, namespace string, labels map[string]string) error {
+func (policyHandler *PolicyHandler) pullResources(k8sResources *cautils.K8SResources, namespace string, labels map[string]string, excludedNamespaces string) error {

 	var errs error
 	for groupResource := range *k8sResources {
 		apiGroup, apiVersion, resource := k8sinterface.StringToResourceGroup(groupResource)
 		gvr := schema.GroupVersionResource{Group: apiGroup, Version: apiVersion, Resource: resource}
-		result, err := policyHandler.pullSingleResource(&gvr, namespace, labels)
+		result, err := policyHandler.pullSingleResource(&gvr, namespace, labels, excludedNamespaces)
 		if err != nil {
 			// handle error
 			if errs == nil {
@@ -55,10 +56,16 @@ func (policyHandler *PolicyHandler) pullResources(k8sResources *cautils.K8SResou
 	return errs
 }

-func (policyHandler *PolicyHandler) pullSingleResource(resource *schema.GroupVersionResource, namespace string, labels map[string]string) ([]unstructured.Unstructured, error) {
+func (policyHandler *PolicyHandler) pullSingleResource(resource *schema.GroupVersionResource, namespace string, labels map[string]string, excludedNamespaces string) ([]unstructured.Unstructured, error) {

 	// set labels
 	listOptions := metav1.ListOptions{}
+	if excludedNamespaces != "" {
+		excludedNamespacesSlice := strings.Split(excludedNamespaces, ",")
+		for _, excludedNamespace := range excludedNamespacesSlice {
+			listOptions.FieldSelector += "metadata.namespace!=" + excludedNamespace + ","
+		}
+	}
 	if labels != nil && len(labels) > 0 {
 		set := k8slabels.Set(labels)
 		listOptions.LabelSelector = set.AsSelector().String()
--- a/printer/printresults.go
+++ b/printer/printresults.go
@@ -51,14 +51,17 @@ func (printer *Printer) ActionPrint() {
 func (printer *Printer) SummerySetup(postureReport *opapolicy.PostureReport) {
 	for _, fr := range postureReport.FrameworkReports {
 		for _, cr := range fr.ControlReports {
+			if len(cr.RuleReports) == 0 {
+				continue
+			}
 			workloadsSummery := listResultSummery(cr.RuleReports)
 			mapResources := groupByNamespace(workloadsSummery)

 			printer.summery[cr.Name] = ControlSummery{
 				TotalResources:  cr.GetNumberOfResources(),
 				TotalFailed:     len(workloadsSummery),
-				Description:     cr.Description,
 				WorkloadSummery: mapResources,
+				Description:     cr.Description,
 			}
 		}
 	}
@@ -68,18 +71,32 @@ func (printer *Printer) PrintResults() {
 	for control, controlSummery := range printer.summery {
 		printer.printTitle(control, &controlSummery)
 		printer.printResult(control, &controlSummery)
+
+		if controlSummery.TotalResources > 0 {
+			printer.printSummery(control, &controlSummery)
+		}
+
 	}
 }

+func (print *Printer) printSummery(controlName string, controlSummery *ControlSummery) {
+	cautils.SimpleDisplay(os.Stdout, "Summary - ")
+	cautils.SuccessDisplay(os.Stdout, "Passed:%v   ", controlSummery.TotalResources-controlSummery.TotalFailed)
+	cautils.FailureDisplay(os.Stdout, "Failed:%v   ", controlSummery.TotalFailed)
+	cautils.InfoDisplay(os.Stdout, "Total:%v\n", controlSummery.TotalResources)
+}
+
 func (printer *Printer) printTitle(controlName string, controlSummery *ControlSummery) {
 	cautils.InfoDisplay(os.Stdout, "[control: %s] ", controlName)
-	if controlSummery.TotalFailed == 0 {
+	if controlSummery.TotalResources == 0 {
+		cautils.InfoDisplay(os.Stdout, "resources not found %v\n", emoji.ConfusedFace)
+	} else if controlSummery.TotalFailed == 0 {
 		cautils.SuccessDisplay(os.Stdout, "passed %v\n", emoji.ThumbsUp)
 	} else {
 		cautils.FailureDisplay(os.Stdout, "failed %v\n", emoji.SadButRelievedFace)
 	}

-	cautils.SimpleDisplay(os.Stdout, "%sDescription: %s\n", INDENT, controlSummery.Description)
+	cautils.SimpleDisplay(os.Stdout, "Description: %s\n", controlSummery.Description)

 }
 func (printer *Printer) printResult(controlName string, controlSummery *ControlSummery) {
@@ -113,6 +130,9 @@ func generateHeader() []string {

 func percentage(big, small int) int {
 	if big == 0 {
+		if small == 0 {
+			return 100
+		}
 		return 0
 	}
 	return int(float64(float64(big-small)/float64(big)) * 100)
--- a/printer/summery.go
+++ b/printer/summery.go
@@ -1,6 +1,8 @@
 package printer

-import "fmt"
+import (
+	"fmt"
+)

 type Summery map[string]ControlSummery

@@ -12,7 +14,7 @@ type ControlSummery struct {
 	TotalResources  int
 	TotalFailed     int
 	Description     string
-	WorkloadSummery map[string][]WorkloadSummery
+	WorkloadSummery map[string][]WorkloadSummery // <namespace>:[<WorkloadSummery>]
 }

 type WorkloadSummery struct {
@@ -22,26 +24,6 @@ type WorkloadSummery struct {
 	Group     string
 }

-func (summery *Summery) SetWorkloadSummery(c string, ws map[string][]WorkloadSummery) {
-	s := (*summery)[c]
-	s.WorkloadSummery = ws
-}
-
-func (summery *Summery) SetTotalResources(c string, t int) {
-	s := (*summery)[c]
-	s.TotalResources = t
-}
-
-func (summery *Summery) SetTotalFailed(c string, t int) {
-	s := (*summery)[c]
-	s.TotalFailed = t
-}
-
-func (summery *Summery) SetDescription(c string, d string) {
-	s := (*summery)[c]
-	s.Description = d
-}
-
 func (controlSummery *ControlSummery) ToSlice() []string {
 	s := []string{}
 	s = append(s, fmt.Sprintf("%d", controlSummery.TotalFailed))
Author	SHA1	Message	Date
David Wertenteil	6be692c66f	Merge pull request #4 from Daniel-GrunbergerCA/master add exclude-namespaces flag	2021-08-18 11:56:43 +03:00
danielgrunbergerarmo	3c062238ad	add cli flag	2021-08-18 11:48:10 +03:00
Daniel Grunberger	954224e9f6	Update README.md	2021-08-17 17:39:50 +03:00
David Wertenteil	a5f99e0a8d	Merge pull request #3 from dwertent/master Update description display	2021-08-17 16:27:53 +03:00
dwertent	d484aeb62c	update description	2021-08-17 16:24:23 +03:00
Daniel Grunberger	8c3eeab7ed	Update README.md	2021-08-17 13:37:24 +03:00
Benyamin Hirschberg	cea8266734	Update README.md	2021-08-15 22:35:29 +03:00
Benyamin Hirschberg	eefaf7b23c	adding progress bar	2021-08-15 21:53:26 +03:00
Benyamin Hirschberg	bc61755f67	Update install.sh	2021-08-15 21:46:37 +03:00
Benyamin Hirschberg	c462d1ec2f	Update build.yaml	2021-08-15 21:43:11 +03:00
Benyamin Hirschberg	203d43347e	optimize release	2021-08-15 21:40:39 +03:00
Benyamin Hirschberg	d102789a35	Update README.md	2021-08-15 21:34:01 +03:00
Benyamin Hirschberg	28b431c623	Update README.md	2021-08-15 21:33:15 +03:00
Benyamin Hirschberg	2fb1fef6d5	Merge pull request #2 from BenHirschbergCa/dev updating image + gif v	2021-08-15 21:21:45 +03:00
Ben Hirschberg	091a811fa1	updating image + gif v	2021-08-15 21:19:56 +03:00
dwertent	5d378bd7d0	remove mitre	2021-08-12 18:07:47 +03:00
dwertent	2e3343ce34	Merge branch 'master' of ssh://github.com/armosec/kubescape	2021-08-12 18:01:48 +03:00
dwertent	1d6ef6d3b5	update description and validate input	2021-08-12 18:01:43 +03:00
Benyamin Hirschberg	a68b90032e	Merge pull request #1 from BenHirschbergCa/dev Take updates on the readme	2021-08-12 17:35:09 +03:00
Ben Hirschberg	393ab6805f	more explanation	2021-08-12 17:33:54 +03:00
Ben Hirschberg	244661b60c	run instruction	2021-08-12 17:22:00 +03:00