* Fix: rolebindingRolePodExecAttach check
Fix the case of a RoleBinding that points to a ClusterRole.
In that case, we ignore the RoleBinding since it will be evaluated by the rolebindingClusterRolePodExecAttach check.
* add tests for role-binding that uses a cluster-role binding
---------
Co-authored-by: Vitor Vezani <vitor.vezani@fairwinds.com>
* update
* update go mod
* tidy
* revert go mod
* fix port
* move pod test case
* downgrade controller-runtime
* revert updates
* fix nil pointer
* add logs
* fix var
* remove test requirement
* fix decoder
* fix mutate
* fix test case
* fix logs
* fmt
* fix owned pods in mutate
* fix test
* add logs
* add mutations to tests
* convert to json for patch
* fix up tests
* remove nil check
* fix logs
* add logs
* add env vars to webhook tests
The io/ioutil package has been deprecated as of Go 1.16 [1]. This commit
replaces the existing io/ioutil functions with their new definitions in
io and os packages.
[1]: https://golang.org/doc/go1.16#ioutil
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
Co-authored-by: Andrew Suderman <andrew@sudermanjr.com>
* Enable these checks in the default configuration file, which may produce many new results:
* automountServiceAccountToken
* linuxHardening
* sensitiveConfigmapContent and sensitiveContainerEnvVar
* clusterrolebindingClusterAdmin, rolebindingClusterAdminClusterRole, and rolebindingClusterAdminRole
* clusterrolePodExecAttach, rolePodExecAttach, clusterrolebindingPodExecAttach, rolebindingClusterRolePodExecAttach, and rolebindingRolePodExecAttach
* Ignore the `missingNetworkPolicy` and `automountServiceAccountToken` checks by default
* `hasPrefix` and `hasSuffix` functions are now available in the go template
* Fix the `sensitiveContainerEnvVar` check to ignore sensitive environment
variable names when those variables use `valueFrom` to reference an
external resource.
* Add the `*ClusterAdmin` checks to `examples/config-full.yaml`.
* Exempt the prefix `system:` instead of individual entries for RBAC checks (#871)
* added fix command implementation
* use node api
* fix tests
* added hostport mutate rule
* update mutating server
* fix array reference and add back leading slash
* added test and refactor findNodes
* more tests
* added more test and fix issue with arrays
* rename findNode function and ensure we capture exceptions
* rename findNode function
* append array value at the end and for single item remove brackets
* append array value at the end and for single item remove brackets
* create array if it does not exists
* fix tests
* handle some exceptions
* fix tests
* fix string format
* guard for PodResult
* fix flag name
* fix privilegeEscalation check
* fix up mutations for local files
* fix pod parsing
* fix object values
* remove logspam
* fix import
* update some comments for health probes
* add an option to not apply any mutations\, and just adjust yaml formatting
* add preliminary support for helm
* logspam
* change up comment strategy
* fix object comments
* format
* fix tests
* add comments
* fix key updates
* fix mutation tests
* tidy
* refactor test
* add test
* add test
* add test for object comments
Co-authored-by: Robert Brennan <accounts@rbren.io>
Co-authored-by: Robert Brennan <contact@rbren.io>
* Pretty output: remove 2 leading line breaks and 1 trailing after container results
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
* validator: don't add empty results in ApplyAllSchemaChecksToAllResources
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
* Fix MockPod() fixture:
- Since now result is considered non-empty only if Kind and Name are set, needed to adjust MockPod() to make it contain Name.
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
Co-authored-by: Robert Brennan <accounts@rbren.io>
* Add `rolePodExecAttach` and `clusterrolePodExecAttach` checks
* Add schema tests
* Add clusterrolebindingPodExecAttach, rolebindingRolePodExecAttach, and rolebindingClusterRolePodExecAttach checks + schema-tests
* Add the new checks to the full example config
* Update checks' success/failure messages and add some helpful comments
* Update binding-related check messaging RE: roleRef pointing to a nonexistent resource, and add tests for this case
* Update rolebindingClusterRolePodExecAttach and rolebindingRolePodExecAttach to pass if a binding roleRef is a different kind, and schema tests to include a namespace
* Add additional schema tests, remove "ignore default ClusterRole|Role bindings" code from checks that actually have no default bindings
* added fix command
* update fix command to walk through the folder to find all files
* added ability to add comment
* fix comment prefix
* trim whitespaces to the line
* refactor update mutated file
* remove filepath as is not needed anymore
* remove filepath as is not needed anymore
* remove timestamp and status if creation is null
* added comments and fix tests
* remove hardcoded mutation in config
* revert comment deletion
* separate mutated to success files
* read multiple resources in a file and update both
* Remove mutation in config.yaml
* added more mutations and refactor test to test each mutation separately
* added more mutation definitions
* update spec for controller
* added mutations for cpu and memory request and limits
* update request memory mutation
* added liveness and probes
* rmeove hostport mutation
* added multiple mutations for request and limits memory
Co-authored-by: Robert Brennan <accounts@rbren.io>
* added mutation field in checks and config
* added test
* fix tests
* revert resolve export
* remove Patched resources as moving that to separate functionality apart from validation
* go mod tidy
* move mutation to the container level
* change prefix based on the resource kind
* collect all mutations from results and apply
* added test for cronjob and deployment apart from just pod
* test cronjob prefix
* return a copy of mutation
* fix tests and comments
* address feedback comments
* fix warning formating
* refactor getJSONSchemaPrefix function
* update runAsPrivileged to test at pod level
* update runAsPrivileged to test at pod level
* add pod level success/failure tests
* add insuecure capabilities pod level testing
* update checks to include good/bad security
* update checks for good/bad security
* remove good security from runAsPrivileged
* update notReadOnlyRootFilesystem check
* remove run as user
* add pod level testing to notreadonlyrootFileSystem and update schema_test.go file
Co-authored-by: Robert Brennan <accounts@rbren.io>
* refactor test structure
* update syntax to include template/spec layout
* update syntax to include template/spec layout
Co-authored-by: Robert Brennan <accounts@rbren.io>
* add failure.all.yaml for dangerouscapabilities test
* change to [ALL] failing test
* add failure.all.yaml for dangerouscapabilities test
* change to [ALL] failing test
* fix dangerous caps test
Co-authored-by: Robert Brennan <contact@rbren.io>
