refactor: Use embed package to define CISKubeBenchReports and KubeHun…

…terReports CRDs (#532) Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
aquasecurity · Apr 26, 2021 · 29992e4 · 29992e4
1 parent 3d7ad49
commit 29992e4
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 235 deletions.
diff --git a/embedded.go b/embedded.go
@@ -12,6 +12,10 @@ var (
 	vulnerabilityReportsCRD []byte
 	//go:embed deploy/crd/configauditreports.crd.yaml
 	configAuditReportsCRD []byte
+	//go:embed deploy/crd/ciskubebenchreports.crd.yaml
+	kubeBenchReportsCRD []byte
+	//go:embed deploy/crd/kubehunterreports.crd.yaml
+	kubeHunterReportsCRD []byte
 )
 
 func GetVulnerabilityReportsCRD() (apiextensionsv1.CustomResourceDefinition, error) {
@@ -22,6 +26,14 @@ func GetConfigAuditReportsCRD() (apiextensionsv1.CustomResourceDefinition, error
 	return getCRDFromBytes(configAuditReportsCRD)
 }
 
+func GetCISKubeBenchReportsCRD() (apiextensionsv1.CustomResourceDefinition, error) {
+	return getCRDFromBytes(kubeBenchReportsCRD)
+}
+
+func GetKubeHunterReportsCRD() (apiextensionsv1.CustomResourceDefinition, error) {
+	return getCRDFromBytes(kubeHunterReportsCRD)
+}
+
 func getCRDFromBytes(bytes []byte) (apiextensionsv1.CustomResourceDefinition, error) {
 	var crd apiextensionsv1.CustomResourceDefinition
 	_, _, err := scheme.Codecs.UniversalDecoder().Decode(bytes, nil, &crd)

diff --git a/pkg/apis/aquasecurity/v1alpha1/cis_kube_bench_types.go b/pkg/apis/aquasecurity/v1alpha1/cis_kube_bench_types.go
@@ -1,11 +1,7 @@
 package v1alpha1
 
 import (
-	"github.com/aquasecurity/starboard/pkg/apis/aquasecurity"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/utils/pointer"
 )
 
 const (
@@ -15,79 +11,6 @@ const (
 	CISKubeBenchReportListKind  = "CISKubeBenchReportList"
 )
 
-var (
-	// TODO Once we migrate to Go 1.16 we can use the embed package to load the CRD from ./deploy/crd/ciskubebenchreports.crd.yaml
-	CISKubeBenchReportCRD = apiextensionsv1.CustomResourceDefinition{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: CISKubeBenchReportCRName,
-			Labels: labels.Set{
-				"app.kubernetes.io/managed-by": "starboard",
-			},
-		},
-		Spec: apiextensionsv1.CustomResourceDefinitionSpec{
-			Group: aquasecurity.GroupName,
-			Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
-				{
-					Name:    CISKubeBenchReportCRVersion,
-					Served:  true,
-					Storage: true,
-					AdditionalPrinterColumns: []apiextensionsv1.CustomResourceColumnDefinition{
-						{
-							JSONPath: ".report.scanner.name",
-							Type:     "string",
-							Name:     "Scanner",
-						},
-						{
-							JSONPath: ".metadata.creationTimestamp",
-							Type:     "date",
-							Name:     "Age",
-						},
-						{
-							JSONPath: ".report.summary.failCount",
-							Type:     "integer",
-							Name:     "Fail",
-							Priority: 1,
-						},
-						{
-							JSONPath: ".report.summary.warnCount",
-							Type:     "integer",
-							Name:     "Warn",
-							Priority: 1,
-						},
-						{
-							JSONPath: ".report.summary.infoCount",
-							Type:     "integer",
-							Name:     "Info",
-							Priority: 1,
-						},
-						{
-							JSONPath: ".report.summary.passCount",
-							Type:     "integer",
-							Name:     "Pass",
-							Priority: 1,
-						},
-					},
-					Schema: &apiextensionsv1.CustomResourceValidation{
-						OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{
-							XPreserveUnknownFields: pointer.BoolPtr(true),
-							Type:                   "object",
-						},
-					},
-				},
-			},
-			Scope: apiextensionsv1.ClusterScoped,
-			Names: apiextensionsv1.CustomResourceDefinitionNames{
-				Singular:   "ciskubebenchreport",
-				Plural:     "ciskubebenchreports",
-				Kind:       CISKubeBenchReportKind,
-				ListKind:   CISKubeBenchReportListKind,
-				Categories: []string{"all"},
-				ShortNames: []string{"kubebench"},
-			},
-		},
-	}
-)
-
 // +genclient
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

diff --git a/pkg/apis/aquasecurity/v1alpha1/kube_hunter_types.go b/pkg/apis/aquasecurity/v1alpha1/kube_hunter_types.go
@@ -1,13 +1,7 @@
 package v1alpha1
 
 import (
-	"strconv"
-
-	"github.com/aquasecurity/starboard/pkg/apis/aquasecurity"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/utils/pointer"
 )
 
 const (
@@ -17,156 +11,6 @@ const (
 	KubeHunterReportListKind  = "KubeHunterReportList"
 )
 
-var (
-	// TODO Once we migrate to Go 1.16 we can use the embed package to load the CRD from ./deploy/crd/kubehunterreports.crd.yaml
-	KubeHunterReportCRD = apiextensionsv1.CustomResourceDefinition{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: KubeHunterReportCRName,
-			Labels: labels.Set{
-				"app.kubernetes.io/managed-by": "starboard",
-			},
-		},
-		Spec: apiextensionsv1.CustomResourceDefinitionSpec{
-			Group: aquasecurity.GroupName,
-			Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
-				{
-					Name:    KubeHunterReportCRVersion,
-					Served:  true,
-					Storage: true,
-					AdditionalPrinterColumns: []apiextensionsv1.CustomResourceColumnDefinition{
-						{
-							JSONPath: ".report.scanner.name",
-							Type:     "string",
-							Name:     "Scanner",
-						},
-						{
-							JSONPath: ".metadata.creationTimestamp",
-							Type:     "date",
-							Name:     "Age",
-						},
-						{
-							JSONPath: ".report.summary.highCount",
-							Type:     "integer",
-							Name:     "High",
-							Priority: 1,
-						},
-						{
-							JSONPath: ".report.summary.mediumCount",
-							Type:     "integer",
-							Name:     "Medium",
-							Priority: 1,
-						},
-						{
-							JSONPath: ".report.summary.lowCount",
-							Type:     "integer",
-							Name:     "Low",
-							Priority: 1,
-						},
-					},
-					Schema: &apiextensionsv1.CustomResourceValidation{
-						OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{
-							Type: "object",
-							Required: []string{
-								"apiVersion",
-								"kind",
-								"metadata",
-								"report",
-							},
-							Properties: map[string]apiextensionsv1.JSONSchemaProps{
-								"apiVersion": {Type: "string"},
-								"kind":       {Type: "string"},
-								"metadata":   {Type: "object"},
-								"report": {
-									Type: "object",
-									Required: []string{
-										"scanner",
-										"vulnerabilities",
-									},
-									Properties: map[string]apiextensionsv1.JSONSchemaProps{
-										"scanner": {
-											Type: "object",
-											Required: []string{
-												"name",
-												"vendor",
-												"version",
-											},
-											Properties: map[string]apiextensionsv1.JSONSchemaProps{
-												"name":    {Type: "string"},
-												"vendor":  {Type: "string"},
-												"version": {Type: "string"},
-											},
-										},
-										"summary": {
-											Type: "object",
-											Required: []string{
-												"highCount",
-												"mediumCount",
-												"lowCount",
-												"unknownCount",
-											},
-											Properties: map[string]apiextensionsv1.JSONSchemaProps{
-												"highCount":    {Type: "integer", Minimum: pointer.Float64Ptr(0)},
-												"mediumCount":  {Type: "integer", Minimum: pointer.Float64Ptr(0)},
-												"lowCount":     {Type: "integer", Minimum: pointer.Float64Ptr(0)},
-												"unknownCount": {Type: "integer", Minimum: pointer.Float64Ptr(0)},
-											},
-										},
-										"updateTimestamp": {
-											Type:   "string",
-											Format: "date-time",
-										},
-										"vulnerabilities": {
-											Type: "array",
-											Items: &apiextensionsv1.JSONSchemaPropsOrArray{
-												Schema: &apiextensionsv1.JSONSchemaProps{
-													Type: "object",
-													Required: []string{
-														"category",
-														"severity",
-														"vulnerability",
-														"description",
-														"evidence",
-													},
-													Properties: map[string]apiextensionsv1.JSONSchemaProps{
-														"id":       {Type: "string"},
-														"category": {Type: "string"},
-														"severity": {
-															Type: "string",
-															Enum: []apiextensionsv1.JSON{
-																{Raw: []byte(strconv.Quote(string(KubeHunterSeverityHigh)))},
-																{Raw: []byte(strconv.Quote(string(KubeHunterSeverityMedium)))},
-																{Raw: []byte(strconv.Quote(string(KubeHunterSeverityLow)))},
-																{Raw: []byte(strconv.Quote(string(KubeHunterSeverityUnknown)))},
-															},
-														},
-														"vulnerability": {Type: "string"},
-														"description":   {Type: "string"},
-														"evidence":      {Type: "string"},
-														"avd_reference": {Type: "string"},
-													},
-												},
-											},
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-			Scope: apiextensionsv1.ClusterScoped,
-			Names: apiextensionsv1.CustomResourceDefinitionNames{
-				Singular:   "kubehunterreport",
-				Plural:     "kubehunterreports",
-				Kind:       KubeHunterReportKind,
-				ListKind:   KubeHunterReportListKind,
-				Categories: []string{"all"},
-				ShortNames: []string{"kubehunter"},
-			},
-		},
-	}
-)
-
 const (
 	KubeHunterSeverityHigh    Severity = "high"
 	KubeHunterSeverityMedium  Severity = "medium"

diff --git a/pkg/kube/cr_manager.go b/pkg/kube/cr_manager.go
@@ -147,12 +147,20 @@ func (m *CRManager) Init(ctx context.Context) error {
 		return err
 	}
 
-	err = m.createOrUpdateCRD(ctx, &v1alpha1.CISKubeBenchReportCRD)
+	kubeBenchReportsCRD, err := embedded.GetCISKubeBenchReportsCRD()
+	if err != nil {
+		return err
+	}
+	err = m.createOrUpdateCRD(ctx, &kubeBenchReportsCRD)
 	if err != nil {
 		return err
 	}
 
-	err = m.createOrUpdateCRD(ctx, &v1alpha1.KubeHunterReportCRD)
+	kubeHunterReportsCRD, err := embedded.GetKubeHunterReportsCRD()
+	if err != nil {
+		return err
+	}
+	err = m.createOrUpdateCRD(ctx, &kubeHunterReportsCRD)
 	if err != nil {
 		return err
 	}