From 3304285b4e7c6b676fc93844ea44b5f86d7dfd0f Mon Sep 17 00:00:00 2001
From: Robert Brennan
Date: Fri, 20 Dec 2019 17:33:52 +0000
Subject: [PATCH] move rest of pod checks over to schema

---
 checks/hostIPC.yaml | 15 +++++++++++
 .../{host_network.yaml => hostNetwork.yaml} | 3 +--
 checks/hostPID.yaml | 15 +++++++++++
 pkg/validator/pod.go | 26 -------------------
 pkg/validator/schema.go | 10 ++++---
 5 files changed, 38 insertions(+), 31 deletions(-)
 create mode 100644 checks/hostIPC.yaml
 rename checks/{host_network.yaml => hostNetwork.yaml} (91%)
 create mode 100644 checks/hostPID.yaml

diff --git a/checks/hostIPC.yaml b/checks/hostIPC.yaml
new file mode 100644
index 00000000..1fa03550
--- /dev/null
+++ b/checks/hostIPC.yaml
@@ -0,0 +1,15 @@
+name: HostIPCSet
+id: hostIPCSet
+successMessage: Host IPC is not configured
+failureMessage: Host IPC should not be configured
+category: Security
+controllers:
+ exclude: []
+target: Pod
+schema:
+ '$schema': http://json-schema.org/draft-07/schema
+ type: object
+ properties:
+ hostIPC:
+ not:
+ const: true
diff --git a/checks/host_network.yaml b/checks/hostNetwork.yaml
similarity index 91%
rename from checks/host_network.yaml
rename to checks/hostNetwork.yaml
index 59447ece..462155e3 100644
--- a/checks/host_network.yaml
+++ b/checks/hostNetwork.yaml
@@ -12,5 +12,4 @@ schema:
 properties:
 hostNetwork:
 not:
- enum:
- - true
+ const: true
diff --git a/checks/hostPID.yaml b/checks/hostPID.yaml
new file mode 100644
index 00000000..9af45033
--- /dev/null
+++ b/checks/hostPID.yaml
@@ -0,0 +1,15 @@
+name: HostPIDSet
+id: hostPIDSet
+successMessage: Host PID is not configured
+failureMessage: Host PID should not be configured
+category: Security
+controllers:
+ exclude: []
+target: Pod
+schema:
+ '$schema': http://json-schema.org/draft-07/schema
+ type: object
+ properties:
+ hostPID:
+ not:
+ const: true
diff --git a/pkg/validator/pod.go b/pkg/validator/pod.go
index 222c6ed2..d3b455e8 100644
--- a/pkg/validator/pod.go
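Review bot: The new check declares neither a severity nor a per-check enablement, whereas the Go code this patch removes from pkg/validator/pod.go gated the same test on `conf.IsActionable(conf.Security, name, controllerName)` and took its severity from `conf.Security.HostIPCSet`; how applyPodSchemaChecks maps `id: hostIPCSet` back to the operator's configuration is not visible here, so it is worth confirming that existing severity and exclusion settings for hostIPCSet still take effect and that a check absent from the configuration does not silently go inactive. The same applies to checks/hostPID.yaml later in this patch. A one-line comment at the top of each file, along the lines of `# severity and enablement are resolved from the Polaris configuration by id` (worded to match what the loader actually does), would spare the next reader the same question.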
+++ b/pkg/validator/pod.go
@@ -16,7 +16,6 @@ package validator
 
 import (
 "github.com/fairwindsops/polaris/pkg/config"
- "github.com/fairwindsops/polaris/pkg/validator/messages"
 corev1 "k8s.io/api/core/v1"
 )
 
@@ -33,7 +32,6 @@ func ValidatePod(conf config.Configuration, pod *corev1.PodSpec, controllerName
 ResourceValidation: &ResourceValidation{},
 }
 
- pv.validateSecurity(&conf, controllerName)
 applyPodSchemaChecks(&conf, pod, controllerName, &pv)
 
 pRes := PodResult{
@@ -59,27 +57,3 @@ func (pv *PodValidation) validateContainers(containers []corev1.Container, pRes
 pRes.ContainerResults = append(pRes.ContainerResults, cRes)
 }
 }
-
-func (pv *PodValidation) validateSecurity(conf *config.Configuration, controllerName string) {
- category := messages.CategorySecurity
-
- name := "HostIPCSet"
- if conf.IsActionable(conf.Security, name, controllerName) {
- id := config.GetIDFromField(conf.Security, name)
- if pv.Pod.HostIPC {
- pv.addFailure(messages.HostIPCFailure, conf.Security.HostIPCSet, category, id)
- } else {
- pv.addSuccess(messages.HostIPCSuccess, category, id)
- }
- }
-
- name = "HostPIDSet"
- if conf.IsActionable(conf.Security, name, controllerName) {
- id := config.GetIDFromField(conf.Security, name)
- if pv.Pod.HostPID {
- pv.addFailure(messages.HostPIDFailure, conf.Security.HostPIDSet, category, id)
- } else {
- pv.addSuccess(messages.HostPIDSuccess, category, id)
- }
- }
-}
diff --git a/pkg/validator/schema.go b/pkg/validator/schema.go
index 0cceaf2a..d9e8ea81 100644
--- a/pkg/validator/schema.go
+++ b/pkg/validator/schema.go
@@ -44,13 +44,17 @@ var (
 TargetContainer: []SchemaCheck{},
 TargetPod: []SchemaCheck{},
 }
+ checkOrder = []string{
+ "hostIPC",
+ "hostPID",
+ "hostNetwork",
+ }
 )
 
 func init() {
 schemaBox = packr.New("Schemas", "../../checks")
- files := schemaBox.List()
- for _, file := range files {
- contents, err := schemaBox.Find(file)
+ for _, file := range checkOrder {
+ contents, err := schemaBox.Find(file + ".yaml")
 if err != nil {
 panic(err)
 }
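Review bot: Replacing `schemaBox.List()` with the hard-coded `checkOrder` slice means any YAML file dropped into checks/ that is not also added to this list is never loaded, so a check can be silently skipped without any error; the loop it replaces ran every file the box contained. A fixed order is a reasonable goal, but init should fail loudly on drift rather than quietly narrowing coverage: after the load loop, compare the box contents against checkOrder and panic on any file that is not listed, as sketched below (if the box may hold non-check files, filter on the ".yaml" suffix first). Note also that `"hostNetwork"` only resolves because this same patch renames checks/host_network.yaml, so the rename and this list must land together. The body of `init` continues past the hunk, so the comparison goes after the loop it closes.
```go
	for _, file := range checkOrder {
		contents, err := schemaBox.Find(file + ".yaml")
		// … unchanged: parse and register the check …
	}

	// Fail at startup if the box holds a check file that checkOrder never
	// loads, instead of silently skipping it.
	listed := make(map[string]bool, len(checkOrder))
	for _, file := range checkOrder {
		listed[file+".yaml"] = true
	}
	for _, name := range schemaBox.List() {
		if !listed[name] {
			panic("check file " + name + " is not listed in checkOrder")
		}
	}
```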