refactor: Use embed package to define ConfigAuditReports CRD

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
aquasecurity · Apr 23, 2021 · adb6504 · adb6504
1 parent ca59eb2
commit adb6504
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 89 deletions.
diff --git a/embedded.go b/embedded.go
@@ -10,11 +10,21 @@ import (
 var (
 	//go:embed deploy/crd/vulnerabilityreports.crd.yaml
 	vulnerabilityReportsCRD []byte
+	//go:embed deploy/crd/configauditreports.crd.yaml
+	configAuditReportsCRD []byte
 )
 
 func GetVulnerabilityReportsCRD() (apiextensionsv1.CustomResourceDefinition, error) {
+	return getCRDFromBytes(vulnerabilityReportsCRD)
+}
+
+func GetConfigAuditReportsCRD() (apiextensionsv1.CustomResourceDefinition, error) {
+	return getCRDFromBytes(configAuditReportsCRD)
+}
+
+func getCRDFromBytes(bytes []byte) (apiextensionsv1.CustomResourceDefinition, error) {
 	var crd apiextensionsv1.CustomResourceDefinition
-	_, _, err := scheme.Codecs.UniversalDecoder().Decode(vulnerabilityReportsCRD, nil, &crd)
+	_, _, err := scheme.Codecs.UniversalDecoder().Decode(bytes, nil, &crd)
 	if err != nil {
 		return apiextensionsv1.CustomResourceDefinition{}, err
 	}

diff --git a/pkg/apis/aquasecurity/v1alpha1/config_audit_types.go b/pkg/apis/aquasecurity/v1alpha1/config_audit_types.go
@@ -1,11 +1,7 @@
 package v1alpha1
 
 import (
-	"github.com/aquasecurity/starboard/pkg/apis/aquasecurity"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/utils/pointer"
 )
 
 const (
@@ -15,76 +11,9 @@ const (
 	ConfigAuditReportListKind  = "ConfigAuditReportList"
 )
 
-var (
-	// TODO Once we migrate to Go 1.16 we can use the embed package to load the CRD from ./deploy/crd/configauditreports.crd.yaml
-	ConfigAuditReportCRD = apiextensionsv1.CustomResourceDefinition{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: ConfigAuditReportCRName,
-			Labels: labels.Set{
-				"app.kubernetes.io/managed-by": "starboard",
-			},
-		},
-		Spec: apiextensionsv1.CustomResourceDefinitionSpec{
-			Group: aquasecurity.GroupName,
-			Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
-				{
-					Name:    ConfigAuditReportCRVersion,
-					Served:  true,
-					Storage: true,
-					AdditionalPrinterColumns: []apiextensionsv1.CustomResourceColumnDefinition{
-						{
-							JSONPath: ".report.scanner.name",
-							Type:     "string",
-							Name:     "Scanner",
-						},
-						{
-							JSONPath: ".metadata.creationTimestamp",
-							Type:     "date",
-							Name:     "Age",
-						},
-						{
-							JSONPath: ".report.summary.dangerCount",
-							Type:     "integer",
-							Name:     "Danger",
-							Priority: 1,
-						},
-						{
-							JSONPath: ".report.summary.warningCount",
-							Type:     "integer",
-							Name:     "Warning",
-							Priority: 1,
-						},
-						{
-							JSONPath: ".report.summary.passCount",
-							Type:     "integer",
-							Name:     "Pass",
-							Priority: 1,
-						},
-					},
-					Schema: &apiextensionsv1.CustomResourceValidation{
-						OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{
-							XPreserveUnknownFields: pointer.BoolPtr(true),
-							Type:                   "object",
-						},
-					},
-				},
-			},
-			Scope: apiextensionsv1.NamespaceScoped,
-			Names: apiextensionsv1.CustomResourceDefinitionNames{
-				Singular:   "configauditreport",
-				Plural:     "configauditreports",
-				Kind:       ConfigAuditReportKind,
-				ListKind:   ConfigAuditReportListKind,
-				Categories: []string{"all"},
-				ShortNames: []string{"configaudit"},
-			},
-		},
-	}
-)
-
 const (
-	ConfigAuditDangerSeverity  = "danger"
-	ConfigAuditWarningSeverity = "warning"
+	ConfigAuditSeverityDanger  = "danger"
+	ConfigAuditSeverityWarning = "warning"
 )
 
 type ConfigAuditSummary struct {

diff --git a/pkg/kube/cr_manager.go b/pkg/kube/cr_manager.go
@@ -157,7 +157,11 @@ func (m *CRManager) Init(ctx context.Context) error {
 		return err
 	}
 
-	err = m.createOrUpdateCRD(ctx, &v1alpha1.ConfigAuditReportCRD)
+	configAuditReportsCRD, err := embedded.GetConfigAuditReportsCRD()
+	if err != nil {
+		return err
+	}
+	err = m.createOrUpdateCRD(ctx, &configAuditReportsCRD)
 	if err != nil {
 		return err
 	}

diff --git a/pkg/plugin/conftest/plugin.go b/pkg/plugin/conftest/plugin.go
@@ -24,8 +24,6 @@ const (
 	policyPrefix          = "conftest.policy."
 	workloadKey           = "starboard.workload.yaml"
 	defaultCheckCategory  = "Security"
-	severityWarning       = "WARNING"
-	severityDanger        = "DANGER"
 )
 
 type Config interface {
@@ -212,7 +210,7 @@ func (p *plugin) ParseConfigAuditReportData(logsReader io.ReadCloser) (v1alpha1.
 		for _, warning := range cr.Warnings {
 			checks = append(checks, v1alpha1.Check{
 				ID:       p.getPolicyTitleFromResult(warning),
-				Severity: severityWarning,
+				Severity: v1alpha1.ConfigAuditSeverityWarning,
 				Message:  warning.Message,
 				Category: defaultCheckCategory,
 				Success:  false,
@@ -223,7 +221,7 @@ func (p *plugin) ParseConfigAuditReportData(logsReader io.ReadCloser) (v1alpha1.
 		for _, failure := range cr.Failures {
 			checks = append(checks, v1alpha1.Check{
 				ID:       p.getPolicyTitleFromResult(failure),
-				Severity: severityDanger,
+				Severity: v1alpha1.ConfigAuditSeverityDanger,
 				Message:  failure.Message,
 				Category: defaultCheckCategory,
 			})

diff --git a/pkg/plugin/conftest/plugin_test.go b/pkg/plugin/conftest/plugin_test.go
@@ -304,35 +304,35 @@ func TestPlugin_ParseConfigAuditReportData(t *testing.T) {
 				ID:       "Default capabilities: some containers do not drop all",
 				Message:  "container kubedns of deployment kube-dns in default namespace should add 'ALL' to securityContext.capabilities.drop",
 				Success:  false,
-				Severity: "DANGER",
+				Severity: "danger",
 				Category: "Security",
 			}),
 			"container dnsmasq of deployment kube-dns in default namespace should add 'ALL' to securityContext.capabilities.drop": Equal(v1alpha1.Check{
 				ID:       "Default capabilities: some containers do not drop all",
 				Message:  "container dnsmasq of deployment kube-dns in default namespace should add 'ALL' to securityContext.capabilities.drop",
 				Success:  false,
-				Severity: "DANGER",
+				Severity: "danger",
 				Category: "Security",
 			}),
 			"container sidecar of deployment kube-dns in default namespace should add 'ALL' to securityContext.capabilities.drop": Equal(v1alpha1.Check{
 				ID:       "Default capabilities: some containers do not drop all",
 				Message:  "container sidecar of deployment kube-dns in default namespace should add 'ALL' to securityContext.capabilities.drop",
 				Success:  false,
-				Severity: "DANGER",
+				Severity: "danger",
 				Category: "Security",
 			}),
 			"container prometheus-to-sd of deployment kube-dns in default namespace should add 'ALL' to securityContext.capabilities.drop": Equal(v1alpha1.Check{
 				ID:       "Default capabilities: some containers do not drop all",
 				Message:  "container prometheus-to-sd of deployment kube-dns in default namespace should add 'ALL' to securityContext.capabilities.drop",
 				Success:  false,
-				Severity: "DANGER",
+				Severity: "danger",
 				Category: "Security",
 			}),
 			"container dnsmasq of deployment kube-dns in default namespace should set securityContext.readOnlyRootFilesystem to true": Equal(v1alpha1.Check{
 				ID:       "Root file system is not read-only",
 				Message:  "container dnsmasq of deployment kube-dns in default namespace should set securityContext.readOnlyRootFilesystem to true",
 				Success:  false,
-				Severity: "DANGER",
+				Severity: "danger",
 				Category: "Security",
 			}),
 			"container prometheus-to-sd of deployment kube-dns in default namespace should set resources.requests.cpu": Equal(v1alpha1.Check{
@@ -342,7 +342,7 @@ func TestPlugin_ParseConfigAuditReportData(t *testing.T) {
 				ID:       "00000000-0000-0000-0000-000000000001",
 				Message:  "container prometheus-to-sd of deployment kube-dns in default namespace should set resources.requests.cpu",
 				Success:  false,
-				Severity: "DANGER",
+				Severity: "danger",
 				Category: "Security",
 			}),
 		}),

diff --git a/pkg/plugin/polaris/plugin.go b/pkg/plugin/polaris/plugin.go
@@ -207,9 +207,9 @@ func (p *plugin) configAuditSummaryFrom(podChecks []v1alpha1.Check, containerChe
 			continue
 		}
 		switch c.Severity {
-		case v1alpha1.ConfigAuditDangerSeverity:
+		case v1alpha1.ConfigAuditSeverityDanger:
 			summary.DangerCount++
-		case v1alpha1.ConfigAuditWarningSeverity:
+		case v1alpha1.ConfigAuditSeverityWarning:
 			summary.WarningCount++
 		}
 	}
@@ -220,9 +220,9 @@ func (p *plugin) configAuditSummaryFrom(podChecks []v1alpha1.Check, containerChe
 				continue
 			}
 			switch c.Severity {
-			case v1alpha1.ConfigAuditDangerSeverity:
+			case v1alpha1.ConfigAuditSeverityDanger:
 				summary.DangerCount++
-			case v1alpha1.ConfigAuditWarningSeverity:
+			case v1alpha1.ConfigAuditSeverityWarning:
 				summary.WarningCount++
 			}
 		}