mirror of
https://github.com/kubescape/kubescape.git
synced 2026-04-15 06:58:11 +00:00
0c019819ff
* add cmd Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * support single workload scan Signed-off-by: Amir Malka <amirm@armosec.io> * fix conflict Signed-off-by: Amir Malka <amirm@armosec.io> * added unit tests Signed-off-by: Amir Malka <amirm@armosec.io> * added unit tests Signed-off-by: Amir Malka <amirm@armosec.io> * more refactoring Signed-off-by: Amir Malka <amirm@armosec.io> * add scanned workload reference to opasessionobj Signed-off-by: Amir Malka <amirm@armosec.io> * fix GetWorkloadParentKind Signed-off-by: Amir Malka <amirm@armosec.io> * remove namespace argument from pullSingleResource, using field selector instead Signed-off-by: Amir Malka <amirm@armosec.io> * removed designators (unused) field from PolicyIdentifier, and designators argument from GetResources function Signed-off-by: Amir Malka <amirm@armosec.io> * fix tests Signed-off-by: Amir Malka <amirm@armosec.io> * use ScanObject instead of workload identifier Signed-off-by: Amir Malka <amirm@armosec.io> * refactor logic after CR Signed-off-by: Amir Malka <amirm@armosec.io> --------- Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> Signed-off-by: Amir Malka <amirm@armosec.io> Co-authored-by: Daniel Grunberger <danielgrunberger@armosec.io>
86 lines
2.6 KiB
Go
86 lines
2.6 KiB
Go
package cautils
|
|
|
|
import (
|
|
"golang.org/x/mod/semver"
|
|
|
|
"github.com/armosec/utils-go/boolutils"
|
|
"github.com/kubescape/opa-utils/reporthandling"
|
|
"github.com/kubescape/opa-utils/reporthandling/apis"
|
|
)
|
|
|
|
func NewPolicies() *Policies {
|
|
return &Policies{
|
|
Frameworks: make([]string, 0),
|
|
Controls: make(map[string]reporthandling.Control),
|
|
}
|
|
}
|
|
|
|
func (policies *Policies) Set(frameworks []reporthandling.Framework, version string, excludedRules map[string]bool) {
|
|
for i := range frameworks {
|
|
if frameworks[i].Name != "" && len(frameworks[i].Controls) > 0 {
|
|
policies.Frameworks = append(policies.Frameworks, frameworks[i].Name)
|
|
}
|
|
for j := range frameworks[i].Controls {
|
|
compatibleRules := []reporthandling.PolicyRule{}
|
|
for r := range frameworks[i].Controls[j].Rules {
|
|
if excludedRules != nil {
|
|
ruleName := frameworks[i].Controls[j].Rules[r].Name
|
|
if _, exclude := excludedRules[ruleName]; exclude {
|
|
continue
|
|
}
|
|
}
|
|
|
|
if !ruleWithKSOpaDependency(frameworks[i].Controls[j].Rules[r].Attributes) && isRuleKubescapeVersionCompatible(frameworks[i].Controls[j].Rules[r].Attributes, version) {
|
|
compatibleRules = append(compatibleRules, frameworks[i].Controls[j].Rules[r])
|
|
}
|
|
}
|
|
if len(compatibleRules) > 0 {
|
|
frameworks[i].Controls[j].Rules = compatibleRules
|
|
policies.Controls[frameworks[i].Controls[j].ControlID] = frameworks[i].Controls[j]
|
|
} else { // if the control type is manual review, add it to the list of controls
|
|
actionRequiredStr := frameworks[i].Controls[j].GetActionRequiredAttribute()
|
|
if actionRequiredStr == "" {
|
|
continue
|
|
}
|
|
if actionRequiredStr == string(apis.SubStatusManualReview) {
|
|
policies.Controls[frameworks[i].Controls[j].ControlID] = frameworks[i].Controls[j]
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
}
|
|
|
|
func ruleWithKSOpaDependency(attributes map[string]interface{}) bool {
|
|
if attributes == nil {
|
|
return false
|
|
}
|
|
if s, ok := attributes["armoOpa"]; ok { // TODO - make global
|
|
return boolutils.StringToBool(s.(string))
|
|
}
|
|
return false
|
|
}
|
|
|
|
// Checks that kubescape version is in range of use for this rule
|
|
// In local build (BuildNumber = ""):
|
|
// returns true only if rule doesn't have the "until" attribute
|
|
func isRuleKubescapeVersionCompatible(attributes map[string]interface{}, version string) bool {
|
|
if from, ok := attributes["useFromKubescapeVersion"]; ok && from != nil {
|
|
if version != "" {
|
|
if semver.Compare(version, from.(string)) == -1 {
|
|
return false
|
|
}
|
|
}
|
|
}
|
|
if until, ok := attributes["useUntilKubescapeVersion"]; ok && until != nil {
|
|
if version == "" {
|
|
return false
|
|
}
|
|
if semver.Compare(version, until.(string)) >= 0 {
|
|
return false
|
|
}
|
|
}
|
|
return true
|
|
}
|