-
Notifications
You must be signed in to change notification settings - Fork 197
/
Copy pathreport.go
92 lines (82 loc) · 3.43 KB
/
report.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
package cmd
import (
"fmt"
"io"
"github.com/aquasecurity/starboard/pkg/ext"
"github.com/aquasecurity/starboard/pkg/kube"
"github.com/aquasecurity/starboard/pkg/report"
"github.com/aquasecurity/starboard/pkg/starboard"
"github.com/spf13/cobra"
"k8s.io/cli-runtime/pkg/genericclioptions"
"sigs.k8s.io/controller-runtime/pkg/client"
)
func NewReportCmd(info starboard.BuildInfo, cf *genericclioptions.ConfigFlags, out io.Writer) *cobra.Command {
return &cobra.Command{
Use: "report (NAME | TYPE/NAME)",
Short: "Generate an HTML security report for a specified Kubernetes object",
Long: fmt.Sprintf(`Generate an HTML security report for a specified Kubernetes object.
If the specified object is a Kubernetes workload, for example Pod or Deployment,
the report will contain vulnerabilities found in its container images as well as
results of its configuration audit.
If the specified object is a Kubernetes namespace, the report will contain the
summary of security risks, including vulnerabilities and results of configuration
audits for most critical workloads within that namespace.
HTML reports are generated from data already stored as VulnerabilityReport and
ConfigAuditReport resources. Therefore, before generating a report make sure
that you scanned Kubernetes workloads for vulnerabilities and configuration
pitfalls. You can run "%[1]s scan vulnerabilityreports -h" and
"%[1]s scan configauditreports -h" commands for more details on how to do that.
If the specified object is a Kubernetes node, the report will contain configuration
checks based on CIS Kubernetes Benchmark guides.
TYPE is a Kubernetes workload. Shortcuts and API groups will be resolved, e.g. 'po' or 'deployments.apps'.
NAME is the name of a particular Kubernetes workload.
`, info.Executable),
Example: fmt.Sprintf(` # Generate an HTML report for a deployment with the specified name and save it to a file.
%[1]s report deployment/nginx > nginx.deploy.html
# Generate an HTML report for a namespace with the specified name and save it to a file.
%[1]s report namespace/kube-system > kube-system.ns.html
# Generate an HTML report for a node with the specified name and save it to a file.
%[1]s report node/kind-control-plane > kind-control-plane.node.html
`, info.Executable),
RunE: func(cmd *cobra.Command, args []string) error {
kubeConfig, err := cf.ToRESTConfig()
if err != nil {
return err
}
kubeClient, err := client.New(kubeConfig, client.Options{Scheme: starboard.NewScheme()})
ns, _, err := cf.ToRawKubeConfigLoader().Namespace()
if err != nil {
return err
}
mapper, err := cf.ToRESTMapper()
if err != nil {
return err
}
workload, _, err := WorkloadFromArgs(mapper, ns, args)
if err != nil {
return err
}
clock := ext.NewSystemClock()
switch workload.Kind {
case kube.KindDeployment,
kube.KindReplicaSet,
kube.KindReplicationController,
kube.KindStatefulSet,
kube.KindDaemonSet,
kube.KindCronJob,
kube.KindJob,
kube.KindPod:
reporter := report.NewWorkloadReporter(clock, kubeClient)
return reporter.Generate(workload, out)
case kube.KindNamespace:
reporter := report.NewNamespaceReporter(clock, kubeClient)
return reporter.Generate(workload, out)
case kube.KindNode:
reporter := report.NewNodeReporter(clock, kubeClient)
return reporter.Generate(workload, out)
default:
return fmt.Errorf("HTML report is not supported for %q", workload.Kind)
}
},
}
}