load configMap before file

Revert python script build

README.md

@@ -15,6 +15,8 @@ Use Kubescape to test clusters or scan single YAML files and integrate it to you
 curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
 ```
 
+[Install on windows](#install-on-windows)
+
 ## Run:
 ```
 kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
@@ -24,6 +26,8 @@ If you wish to scan all namespaces in your cluster, remove the `--exclude-namesp
 
 <img src="docs/summary.png">
 
+### Click [👍](https://github.com/armosec/kubescape/stargazers) if you want us to continue to develop and improve Kubescape 😀 
+
 # Being part of the team
 
 We invite you to our team! We are excited about this project and want to return the love we get. 
@@ -31,12 +35,26 @@ We invite you to our team! We are excited about this project and want to return
 Want to contribute? Want to discuss something? Have an issue?
 
 * Open a issue, we are trying to respond within 48 hours
-* [Join us](https://discordapp.com/invite/CTcCaBbb) in a discussion on our discord server! 
+* [Join us](https://armosec.github.io/kubescape/) in a discussion on our discord server! 
 
-[<img src="docs/discord-banner.png" width="100" alt="logo" align="center">](https://discordapp.com/invite/CTcCaBbb)
+[<img src="docs/discord-banner.png" width="100" alt="logo" align="center">](https://armosec.github.io/kubescape/)
 
 # Options and examples
 
+## Install on Windows
+
+**Requires powershell v5.0+**
+
+``` powershell
+iwr -useb https://raw.githubusercontent.com/armosec/kubescape/master/install.ps1 | iex
+```
+
+Note: if you get an error you might need to change the execution policy (i.e. enable Powershell) with
+
+``` powershell
+Set-ExecutionPolicy RemoteSigned -scope CurrentUser
+```
+
 ## Flags
 
 | flag |  default | description | options |
@@ -97,7 +115,7 @@ for example:
 ```
 helm template bitnami/mysql --generate-name --dry-run | kubescape scan framework nsa -
 ```
-### Offline Support <img src="docs/new-feature.svg">
+### Offline Support
 
 It is possible to run Kubescape offline!
 
@@ -117,13 +135,30 @@ Kubescape is an open source project, we welcome your feedback and ideas for impr
 
 # How to build 
 
-## For development
+## Build using python script
+
+Kubescpae can be built using:
+
+``` sh
+python built.py
+```
+
+Note: In order to built using the above script, one must set the environment
+variables in this script:
+
++ RELEASE
++ ArmoBEServer
++ ArmoERServer
++ ArmoWebsite
+
+
+## Build using go
 
 Note: development (and the release process) is done with Go `1.16`
 
 1. Clone Project
 ```
-git clone git@github.com:armosec/kubescape.git kubescape && cd "$_"
+git clone https://github.com/armosec/kubescape.git kubescape && cd "$_"
 ```
 
 2. Build
@@ -142,7 +177,7 @@ go mod tidy && go build -o kubescape .
 
 1. Clone Project
 ```
-git clone git@github.com:armosec/kubescape.git kubescape && cd "$_"
+git clone https://github.com/armosec/kubescape.git kubescape && cd "$_"
 ```
 
 2. Build

build.py

@@ -0,0 +1,82 @@
+import os
+import sys
+import hashlib
+import platform
+import subprocess
+
+BASE_GETTER_CONST = "github.com/armosec/kubescape/cautils/getter"
+BE_SERVER_CONST   = BASE_GETTER_CONST + ".ArmoBEURL"
+ER_SERVER_CONST   = BASE_GETTER_CONST + ".ArmoERURL"
+WEBSITE_CONST     = BASE_GETTER_CONST + ".ArmoFEURL"
+
+def checkStatus(status, msg):
+    if status != 0:
+        sys.stderr.write(msg)
+        exit(status)
+
+
+def getBuildDir():
+    currentPlatform = platform.system()
+    buildDir = "build/"
+
+    if currentPlatform == "Windows": buildDir += "windows-latest"
+    elif currentPlatform == "Linux": buildDir += "ubuntu-latest"
+    elif currentPlatform == "Darwin": buildDir += "macos-latest"
+    else: raise OSError("Platform %s is not supported!" % (currentPlatform))
+
+    return buildDir
+
+def getPackageName():
+    packageName = "kubescape"
+    if platform.system() == "Windows": packageName += ".exe"
+
+    return packageName
+
+
+def main():
+    print("Building Kubescape")
+
+    # print environment variables
+    print(os.environ)
+
+    # Set some variables
+    packageName = getPackageName()
+    buildUrl = "github.com/armosec/kubescape/cmd.BuildNumber"
+    releaseVersion = os.getenv("RELEASE")
+    ArmoBEServer = os.getenv("ArmoBEServer")
+    ArmoERServer = os.getenv("ArmoERServer")
+    ArmoWebsite = os.getenv("ArmoWebsite")
+
+    # Create build directory
+    buildDir = getBuildDir()
+
+    if not os.path.isdir(buildDir):
+        os.makedirs(buildDir)
+
+    # Get dependencies
+    try:
+        status = subprocess.call(["go", "mod", "tidy"])
+        checkStatus(status, "Failed to get dependencies")
+
+    except OSError:
+        print("An error occured:  (Hint: check if go is installed)")
+        raise
+
+    # Build kubescape
+    ldflags = "-w -s -X %s=%s -X %s=%s -X %s=%s -X %s=%s" \
+        % (buildUrl, releaseVersion, BE_SERVER_CONST, ArmoBEServer,
+           ER_SERVER_CONST, ArmoERServer, WEBSITE_CONST, ArmoWebsite)
+    status = subprocess.call(["go", "build", "-o", "%s/%s" % (buildDir, packageName), "-ldflags" ,ldflags])
+    checkStatus(status, "Failed to build kubescape")
+
+
+    sha1 = hashlib.sha1()
+    with open(buildDir + "/" + packageName, "rb") as kube:
+        sha1.update(kube.read())
+        with open(buildDir + "/" + packageName + ".sha1", "w") as kube_sha:
+            kube_sha.write(sha1.hexdigest())
+
+    print("Build Done")
+
+if __name__ == "__main__":
+    main()

build/Dockerfile

@@ -10,4 +10,7 @@ RUN GOOS=linux CGO_ENABLED=0 go build -ldflags="-s -w " -installsuffix cgo  -o k
 FROM alpine
 COPY --from=builder /work/kubescape /usr/bin/kubescape
 
+# # Download the frameworks. Use the "--use-default" flag when running kubescape 
+# RUN kubescape download framework nsa && kubescape download framework mitre
+
 CMD ["kubescape"]

cautils/customerloader.go

@@ -189,20 +189,20 @@ func (c *ClusterConfig) SetKeyValueInConfigmap(key string, value string) error {
 
 func (c *ClusterConfig) SetCustomerGUID() error {
 
-	// get from file
-	if existsConfigJson() {
-		c.configObj, _ = loadConfigFromFile()
-	} else if c.existsConfigMap() {
+	// get from configMap
+	if c.existsConfigMap() {
 		c.configObj, _ = c.loadConfigFromConfigMap()
+	} else if existsConfigJson() { // get from file
+		c.configObj, _ = loadConfigFromFile()
 	} else {
 		c.createConfigMap()
 		createConfigJson()
 	}
 
 	customerGUID := c.GetCustomerGUID()
+
 	// get from armoBE
 	tenantResponse, err := c.armoAPI.GetCustomerGUID(customerGUID)
-
 	if err == nil && tenantResponse != nil {
 		if tenantResponse.AdminMail != "" { // this customer already belongs to some user
 			if existsConfigJson() {
@@ -222,7 +222,7 @@ func (c *ClusterConfig) SetCustomerGUID() error {
 			}
 		}
 	} else {
-		if err != nil && strings.Contains(err.Error(), "Invitation for tenant already exists") {
+		if err != nil && strings.Contains(err.Error(), "already exists") {
 			return nil
 		}
 		return err

cautils/k8sinterface/k8sconfig.go

@@ -104,13 +104,18 @@ func GetClusterName() string {
 }
 
 func GetDefaultNamespace() string {
+	defaultNamespace := "default"
 	clientCfg, err := clientcmd.NewDefaultClientConfigLoadingRules().Load()
 	if err != nil {
-		return "default"
+		return defaultNamespace
 	}
-	namespace := clientCfg.Contexts[clientCfg.CurrentContext].Namespace
-	if namespace == "" {
-		namespace = "default"
+	apiContext, ok := clientCfg.Contexts[clientCfg.CurrentContext]
+	if !ok || apiContext == nil {
+		return defaultNamespace
+	}
+	namespace := apiContext.Namespace
+	if apiContext.Namespace == "" {
+		namespace = defaultNamespace
 	}
 	return namespace
 }

cmd/framework.go

@@ -23,7 +23,7 @@ import (
 )
 
 var scanInfo cautils.ScanInfo
-var supportedFrameworks = []string{"nsa"}
+var supportedFrameworks = []string{"nsa", "mitre"}
 
 type CLIHandler struct {
 	policyHandler *policyhandler.PolicyHandler
@@ -39,7 +39,7 @@ var frameworkCmd = &cobra.Command{
 		if len(args) < 1 && !(cmd.Flags().Lookup("use-from").Changed) {
 			return fmt.Errorf("requires at least one argument")
 		} else if len(args) > 0 {
-			if !isValidFramework(args[0]) {
+			if !isValidFramework(strings.ToLower(args[0])) {
 				return fmt.Errorf(fmt.Sprintf("supported frameworks: %s", strings.Join(supportedFrameworks, ", ")))
 			}
 		}
@@ -50,7 +50,7 @@ var frameworkCmd = &cobra.Command{
 		scanInfo.PolicyIdentifier.Kind = opapolicy.KindFramework
 
 		if !(cmd.Flags().Lookup("use-from").Changed) {
-			scanInfo.PolicyIdentifier.Name = args[0]
+			scanInfo.PolicyIdentifier.Name = strings.ToLower(args[0])
 		}
 		if len(args) > 0 {
 			if len(args[1:]) == 0 || args[1] != "-" {

docs/index.html

@@ -0,0 +1,24 @@
+<html>
+
+<head>
+    <title>
+        Kubscape Website
+    </title>
+    <link rel="icon" type="image/x-icon" href="favicon.ico">
+</head>
+<style>
+    img {
+        display: block;
+        margin-left: auto;
+        margin-right: auto;
+    }
+</style>
+
+<body style="text-align: center;">
+    <img src="kubescape.png" alt="Kubescap logo" style="width:20%">
+    <iframe src="https://discordapp.com/widget?id=893048809884643379&theme=dark" width="350" height="500"
+        allowtransparency="true" frameborder="0"
+        sandbox="allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts"></iframe>
+</body>
+
+</html>

install.ps1

@@ -0,0 +1,26 @@
+Write-Host "Installing Kubescape..." -ForegroundColor Cyan
+
+$BASE_DIR=$env:USERPROFILE + "\.kubescape"
+$packageName = "/kubescape-windows-latest"
+
+# Get latest release url
+$config = Invoke-WebRequest "https://api.github.com/repos/armosec/kubescape/releases/latest" | ConvertFrom-Json
+$url = $config.html_url.Replace("/tag/","/download/")
+$fullUrl = $url + $packageName
+
+# Create a new directory if needed
+New-Item -Path $BASE_DIR -ItemType "directory" -ErrorAction SilentlyContinue
+
+# Download the binary
+Invoke-WebRequest -Uri $fullUrl -OutFile $BASE_DIR\kubescape.exe
+
+# Update user PATH if needed
+$currentPath = [Environment]::GetEnvironmentVariable("Path", "User")
+if (-not $currentPath.Contains($BASE_DIR)) {
+    $confirmation = Read-Host "Add kubescape to user path? (y/n)"
+    if ($confirmation -eq 'y') {
+        [Environment]::SetEnvironmentVariable("Path", [Environment]::GetEnvironmentVariable("Path", "User") + ";$BASE_DIR;", "User")
+    }
+}
+
+Write-Host "Finished Installation" -ForegroundColor Green 

opaprocessor/processorhandler.go

@@ -112,7 +112,9 @@ func (opap *OPAProcessor) processFramework(framework *opapolicy.Framework) (*opa
 		if err != nil {
 			errs = fmt.Errorf("%v\n%s", errs, err.Error())
 		}
-		controlReports = append(controlReports, *controlReport)
+		if controlReport != nil {
+			controlReports = append(controlReports, *controlReport)
+		}
 	}
 	frameworkReport.ControlReports = controlReports
 	return &frameworkReport, errs
@@ -139,6 +141,9 @@ func (opap *OPAProcessor) processControl(control *opapolicy.Control) (*opapolicy
 			ruleReports = append(ruleReports, *ruleReport)
 		}
 	}
+	if len(ruleReports) == 0 {
+		return nil, nil
+	}
 	controlReport.RuleReports = ruleReports
 	return &controlReport, errs
 }

policyhandler/handlepullpolicies.go

@@ -18,14 +18,13 @@ func (policyHandler *PolicyHandler) GetPoliciesFromBackend(notification *opapoli
 		switch rule.Kind {
 		case opapolicy.KindFramework:
 			receivedFramework, recExceptionPolicies, err := policyHandler.getFrameworkPolicies(rule.Name)
-			if err != nil {
-				return nil, nil, fmt.Errorf("kind: %v, name: %s, error: %s", rule.Kind, rule.Name, err.Error())
-			}
 			if receivedFramework != nil {
 				frameworks = append(frameworks, *receivedFramework)
 				if recExceptionPolicies != nil {
 					exceptionPolicies = append(exceptionPolicies, recExceptionPolicies...)
 				}
+			} else if err != nil {
+				return nil, nil, fmt.Errorf("kind: %v, name: %s, error: %s", rule.Kind, rule.Name, err.Error())
 			}
 
 		default:

policyhandler/k8sresources.go

@@ -65,11 +65,8 @@ func (policyHandler *PolicyHandler) pullSingleResource(resource *schema.GroupVer
 
 	// set labels
 	listOptions := metav1.ListOptions{}
-	if excludedNamespaces != "" && k8sinterface.IsNamespaceScope(resource.Group, resource.Resource) {
-		excludedNamespacesSlice := strings.Split(excludedNamespaces, ",")
-		for _, excludedNamespace := range excludedNamespacesSlice {
-			listOptions.FieldSelector += "metadata.namespace!=" + excludedNamespace + ","
-		}
+	if excludedNamespaces != "" {
+		setFieldSelector(&listOptions, resource, excludedNamespaces)
 	}
 	if len(labels) > 0 {
 		set := k8slabels.Set(labels)
@@ -93,3 +90,18 @@ func (policyHandler *PolicyHandler) pullSingleResource(resource *schema.GroupVer
 	return result.Items, nil
 
 }
+
+func setFieldSelector(listOptions *metav1.ListOptions, resource *schema.GroupVersionResource, excludedNamespaces string) {
+	fieldSelector := "metadata."
+	if resource.Resource == "namespaces" {
+		fieldSelector += "name"
+	} else if k8sinterface.IsNamespaceScope(resource.Group, resource.Resource) {
+		fieldSelector += "namespace"
+	} else {
+		return
+	}
+	excludedNamespacesSlice := strings.Split(excludedNamespaces, ",")
+	for _, excludedNamespace := range excludedNamespacesSlice {
+		listOptions.FieldSelector += fmt.Sprintf("%s!=%s,", fieldSelector, excludedNamespace)
+	}
+}

scapepkg/exceptions/exceptionprocessor.go

@@ -1,6 +1,8 @@
 package exceptions
 
 import (
+	"regexp"
+
 	"github.com/armosec/kubescape/cautils"
 	"github.com/armosec/kubescape/cautils/k8sinterface"
 
@@ -96,7 +98,7 @@ func hasException(designator *armotypes.PortalDesignator, workload k8sinterface.
 		return false // if designators are empty
 	}
 
-	if cluster != "" && cautils.ClusterName != "" && cluster != cautils.ClusterName { // TODO - where do we receive cluster name from?
+	if cluster != "" && cautils.ClusterName != "" && regexCompare(cluster, cautils.ClusterName) { // TODO - where do we receive cluster name from?
 		return false // cluster name does not match
 	}
 
@@ -120,17 +122,17 @@ func hasException(designator *armotypes.PortalDesignator, workload k8sinterface.
 
 func compareNamespace(workload k8sinterface.IWorkload, namespace string) bool {
 	if workload.GetKind() == "Namespace" {
-		return namespace == workload.GetName()
+		return regexCompare(namespace, workload.GetName())
 	}
-	return namespace == workload.GetNamespace()
+	return regexCompare(namespace, workload.GetNamespace())
 }
 
 func compareKind(workload k8sinterface.IWorkload, kind string) bool {
-	return kind == workload.GetKind()
+	return regexCompare(kind, workload.GetKind())
 }
 
 func compareName(workload k8sinterface.IWorkload, name string) bool {
-	return name == workload.GetName()
+	return regexCompare(workload.GetName(), name)
 }
 
 func compareLabels(workload k8sinterface.IWorkload, attributes map[string]string) bool {
@@ -139,3 +141,8 @@ func compareLabels(workload k8sinterface.IWorkload, attributes map[string]string
 
 	return designators.Matches(workloadLabels)
 }
+
+func regexCompare(reg, name string) bool {
+	r, _ := regexp.MatchString(reg, name)
+	return r
+}

website/index.html

@@ -0,0 +1,14 @@
+<html>
+    <head>
+        <title>
+            Kubscape Website
+        </title>
+        <h1>Kubscape Website</h1>
+    </head>
+    <body>
+<h2>
+    Join us!!!
+    <iframe src="https://discordapp.com/widget?id=893048809884643379&theme=dark" width="350" height="500" allowtransparency="true" frameborder="0" sandbox="allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts"></iframe>
+</h2>
+    </body>
+</html>