mirror of
https://github.com/kubescape/kubescape.git
synced 2026-04-15 06:58:11 +00:00
5379b9b0a6
* phase-1 Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * factory Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * wip: feat(cli): add an image scanning command Add a CLI command that launches an image scan. Does not scan images yet. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * wip: feat: add image scanning service Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore: include dependencies Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * wip: adjust image scanning service Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * wip: feat: use scanning service in CLI Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * use iface Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * touches Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * continue Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * add cmd Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * support single workload scan Signed-off-by: Amir Malka <amirm@armosec.io> * fix conflict Signed-off-by: Amir Malka <amirm@armosec.io> * identifiers * go mod * feat(imagescan): add an image scanning command This commit adds a CLI command and an associated package that scan images for vulnerabilities. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> feat(imagescan): fail on exceeding the severity threshold Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore(imagescan): include dependencies This commit adds the dependencies necessary for image scanning. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore(imagescan): add dependencies to httphandler Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * added unit tests Signed-off-by: Amir Malka <amirm@armosec.io> * merge * more * integrate img scan * added unit tests Signed-off-by: Amir Malka <amirm@armosec.io> * more refactoring Signed-off-by: Amir Malka <amirm@armosec.io> * add scanned workload reference to opasessionobj Signed-off-by: Amir Malka <amirm@armosec.io> * fix GetWorkloadParentKind Signed-off-by: Amir Malka <amirm@armosec.io> * remove namespace argument from pullSingleResource, using field selector instead Signed-off-by: Amir Malka <amirm@armosec.io> * removed designators (unused) field from PolicyIdentifier, and designators argument from GetResources function Signed-off-by: Amir Malka <amirm@armosec.io> * changes * changes * fixes * changes * feat(imagescan): add an image scanning command This commit adds a CLI command and an associated package that scan images for vulnerabilities. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> feat(imagescan): fail on exceeding the severity threshold Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore(imagescan): include dependencies This commit adds the dependencies necessary for image scanning. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore(imagescan): add dependencies to httphandler Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore(imagescan): create vuln db with dedicated function Remove commented out code, too. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * docs(imagescan): provide package-level docs Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * finish merge * image scan tests * continue * fixes * refactor * rm duplicate * start fixes * update gh actions Signed-off-by: David Wertenteil <dwertent@armosec.io> * pr fixes * fix test * improvements --------- Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> Signed-off-by: Amir Malka <amirm@armosec.io> Signed-off-by: David Wertenteil <dwertent@armosec.io> Co-authored-by: Daniel Grunberger <danielgrunberger@armosec.io> Co-authored-by: Vlad Klokun <vklokun@protonmail.ch> Co-authored-by: Amir Malka <amirm@armosec.io> Co-authored-by: David Wertenteil <dwertent@armosec.io>
260 lines
6.4 KiB
Go
260 lines
6.4 KiB
Go
package resourcehandler
|
|
|
|
import (
|
|
"context"
|
|
_ "embed"
|
|
"encoding/json"
|
|
"testing"
|
|
|
|
"github.com/kubescape/k8s-interface/k8sinterface"
|
|
"github.com/kubescape/kubescape/v2/core/cautils"
|
|
|
|
"github.com/kubescape/opa-utils/reporthandling/apis"
|
|
helpersv1 "github.com/kubescape/opa-utils/reporthandling/helpers/v1"
|
|
reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2"
|
|
reportv2 "github.com/kubescape/opa-utils/reporthandling/v2"
|
|
"github.com/stretchr/testify/assert"
|
|
"k8s.io/apimachinery/pkg/runtime"
|
|
"k8s.io/apimachinery/pkg/version"
|
|
"k8s.io/client-go/dynamic/fake"
|
|
fakeclientset "k8s.io/client-go/kubernetes/fake"
|
|
clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
|
|
)
|
|
|
|
var (
|
|
//go:embed testdata/kubeconfig_mock.json
|
|
kubeConfigMock string
|
|
)
|
|
|
|
func getKubeConfigMock() *clientcmdapi.Config {
|
|
kubeConfig := clientcmdapi.Config{}
|
|
if err := json.Unmarshal([]byte(kubeConfigMock), &kubeConfig); err != nil {
|
|
panic(err)
|
|
}
|
|
return &kubeConfig
|
|
}
|
|
func Test_getCloudMetadata(t *testing.T) {
|
|
type args struct {
|
|
opaSessionObj *cautils.OPASessionObj
|
|
kubeConfig *clientcmdapi.Config
|
|
context string
|
|
}
|
|
kubeConfig := getKubeConfigMock()
|
|
tests := []struct {
|
|
want apis.ICloudParser
|
|
args args
|
|
name string
|
|
}{
|
|
{
|
|
name: "Test_getCloudMetadata - GitVersion: GKE",
|
|
args: args{
|
|
opaSessionObj: &cautils.OPASessionObj{
|
|
Report: &reporthandlingv2.PostureReport{
|
|
ClusterAPIServerInfo: &version.Info{
|
|
GitVersion: "v1.25.4-gke.1600",
|
|
},
|
|
},
|
|
},
|
|
context: "",
|
|
kubeConfig: kubeConfig,
|
|
},
|
|
want: helpersv1.NewGKEMetadata(""),
|
|
},
|
|
{
|
|
name: "Test_getCloudMetadata_context_GKE",
|
|
args: args{
|
|
opaSessionObj: &cautils.OPASessionObj{
|
|
Report: &reporthandlingv2.PostureReport{
|
|
ClusterAPIServerInfo: nil,
|
|
},
|
|
},
|
|
kubeConfig: kubeConfig,
|
|
context: "gke_xxx-xx-0000_us-central1-c_xxxx-1",
|
|
},
|
|
want: helpersv1.NewGKEMetadata(""),
|
|
},
|
|
{
|
|
name: "Test_getCloudMetadata_context_EKS",
|
|
args: args{
|
|
opaSessionObj: &cautils.OPASessionObj{
|
|
Report: &reporthandlingv2.PostureReport{
|
|
ClusterAPIServerInfo: nil,
|
|
},
|
|
},
|
|
kubeConfig: kubeConfig,
|
|
context: "arn:aws:eks:eu-west-1:xxx:cluster/xxxx",
|
|
},
|
|
want: helpersv1.NewEKSMetadata(""),
|
|
},
|
|
{
|
|
name: "Test_getCloudMetadata_context_AKS",
|
|
args: args{
|
|
opaSessionObj: &cautils.OPASessionObj{
|
|
Report: &reporthandlingv2.PostureReport{
|
|
ClusterAPIServerInfo: nil,
|
|
},
|
|
},
|
|
kubeConfig: kubeConfig,
|
|
context: "xxxx-2",
|
|
},
|
|
want: helpersv1.NewAKSMetadata(""),
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
k8sinterface.SetClusterContextName(tt.args.context)
|
|
got := getCloudMetadata(tt.args.opaSessionObj, tt.args.kubeConfig)
|
|
if got == nil {
|
|
t.Errorf("getCloudMetadata() = %v, want %v", got, tt.want.Provider())
|
|
return
|
|
}
|
|
if got.Provider() != tt.want.Provider() {
|
|
t.Errorf("getCloudMetadata() = %v, want %v", got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func Test_isGKE(t *testing.T) {
|
|
type args struct {
|
|
config *clientcmdapi.Config
|
|
context string
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
want bool
|
|
}{
|
|
{
|
|
name: "Test_isGKE",
|
|
args: args{
|
|
config: getKubeConfigMock(),
|
|
context: "gke_xxx-xx-0000_us-central1-c_xxxx-1",
|
|
},
|
|
want: true,
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
// set context
|
|
k8sinterface.SetClusterContextName(tt.args.context)
|
|
if got := isGKE(tt.args.config); got != tt.want {
|
|
t.Errorf("isGKE() = %v, want %v", got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func Test_isEKS(t *testing.T) {
|
|
type args struct {
|
|
config *clientcmdapi.Config
|
|
context string
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
want bool
|
|
}{
|
|
{
|
|
name: "Test_isEKS",
|
|
args: args{
|
|
config: getKubeConfigMock(),
|
|
context: "arn:aws:eks:eu-west-1:xxx:cluster/xxxx",
|
|
},
|
|
want: true,
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
// set context
|
|
k8sinterface.SetClusterContextName(tt.args.context)
|
|
if got := isEKS(tt.args.config); got != tt.want {
|
|
t.Errorf("isEKS() = %v, want %v", got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func Test_isAKS(t *testing.T) {
|
|
type args struct {
|
|
config *clientcmdapi.Config
|
|
context string
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
want bool
|
|
}{
|
|
{
|
|
name: "Test_isAKS",
|
|
args: args{
|
|
config: getKubeConfigMock(),
|
|
context: "xxxx-2",
|
|
},
|
|
want: true,
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
// set context
|
|
k8sinterface.SetClusterContextName(tt.args.context)
|
|
if got := isAKS(tt.args.config); got != tt.want {
|
|
t.Errorf("isAKS() = %v, want %v", got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
/* unused for now.
|
|
type iResourceHandlerMock struct{}
|
|
|
|
func (*iResourceHandlerMock) GetResources(*cautils.OPASessionObj, *identifiers.PortalDesignator) (*cautils.K8SResources, map[string]workloadinterface.IMetadata, *cautils.KSResources, error) {
|
|
return nil, nil, nil, nil
|
|
}
|
|
func (*iResourceHandlerMock) GetClusterAPIServerInfo() *version.Info {
|
|
return nil
|
|
}
|
|
*/
|
|
|
|
// https://github.com/kubescape/kubescape/pull/1004
|
|
// Cluster named .*eks.* config without a cloudconfig panics whereas we just want to scan a file
|
|
func getResourceHandlerMock() *K8sResourceHandler {
|
|
client := fakeclientset.NewSimpleClientset()
|
|
fakeDiscovery := client.Discovery()
|
|
|
|
k8s := &k8sinterface.KubernetesApi{
|
|
KubernetesClient: client,
|
|
DynamicClient: fake.NewSimpleDynamicClient(runtime.NewScheme()),
|
|
DiscoveryClient: fakeDiscovery,
|
|
Context: context.Background(),
|
|
}
|
|
|
|
return NewK8sResourceHandler(k8s, &EmptySelector{}, nil, nil, nil, nil)
|
|
}
|
|
func Test_CollectResources(t *testing.T) {
|
|
resourceHandler := getResourceHandlerMock()
|
|
objSession := &cautils.OPASessionObj{
|
|
Metadata: &reporthandlingv2.Metadata{
|
|
ScanMetadata: reporthandlingv2.ScanMetadata{
|
|
ScanningTarget: reportv2.Cluster,
|
|
},
|
|
},
|
|
Report: &reporthandlingv2.PostureReport{
|
|
ClusterAPIServerInfo: nil,
|
|
},
|
|
}
|
|
|
|
assert.NotPanics(t, func() {
|
|
CollectResources(context.TODO(), resourceHandler, []cautils.PolicyIdentifier{}, objSession, cautils.NewProgressHandler(""), cautils.ScanInfo{})
|
|
}, "Cluster named .*eks.* without a cloud config panics on cluster scan !")
|
|
|
|
assert.NotPanics(t, func() {
|
|
objSession.Metadata.ScanMetadata.ScanningTarget = reportv2.File
|
|
CollectResources(context.TODO(), resourceHandler, []cautils.PolicyIdentifier{}, objSession, cautils.NewProgressHandler(""), cautils.ScanInfo{})
|
|
}, "Cluster named .*eks.* without a cloud config panics on non-cluster scan !")
|
|
|
|
}
|