-
Notifications
You must be signed in to change notification settings - Fork 212
/
builder.go
151 lines (137 loc) · 4.96 KB
/
builder.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
package configauditreport
import (
"context"
"fmt"
"strings"
"github.com/aquasecurity/trivy-operator/pkg/apis/aquasecurity/v1alpha1"
"github.com/aquasecurity/trivy-operator/pkg/kube"
"github.com/aquasecurity/trivy-operator/pkg/trivyoperator"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/validation"
"k8s.io/utils/pointer"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
)
type ReportBuilder struct {
scheme *runtime.Scheme
controller client.Object
resourceSpecHash string
pluginConfigHash string
data v1alpha1.ConfigAuditReportData
}
func NewReportBuilder(scheme *runtime.Scheme) *ReportBuilder {
return &ReportBuilder{
scheme: scheme,
}
}
func (b *ReportBuilder) Controller(controller client.Object) *ReportBuilder {
b.controller = controller
return b
}
func (b *ReportBuilder) ResourceSpecHash(hash string) *ReportBuilder {
b.resourceSpecHash = hash
return b
}
func (b *ReportBuilder) PluginConfigHash(hash string) *ReportBuilder {
b.pluginConfigHash = hash
return b
}
func (b *ReportBuilder) Data(data v1alpha1.ConfigAuditReportData) *ReportBuilder {
b.data = data
return b
}
func (b *ReportBuilder) reportName() string {
kind := b.controller.GetObjectKind().GroupVersionKind().Kind
name := b.controller.GetName()
reportName := fmt.Sprintf("%s-%s", strings.ToLower(kind), name)
if len(validation.IsValidLabelValue(reportName)) == 0 {
return reportName
}
return fmt.Sprintf("%s-%s", strings.ToLower(kind), kube.ComputeHash(name))
}
func (b *ReportBuilder) GetClusterReport() (v1alpha1.ClusterConfigAuditReport, error) {
labelsSet := make(labels.Set)
if b.resourceSpecHash != "" {
labelsSet[trivyoperator.LabelResourceSpecHash] = b.resourceSpecHash
}
if b.pluginConfigHash != "" {
labelsSet[trivyoperator.LabelPluginConfigHash] = b.pluginConfigHash
}
report := v1alpha1.ClusterConfigAuditReport{
ObjectMeta: metav1.ObjectMeta{
Name: b.reportName(),
Labels: labelsSet,
},
Report: b.data,
}
err := kube.ObjectToObjectMeta(b.controller, &report.ObjectMeta)
if err != nil {
return v1alpha1.ClusterConfigAuditReport{}, err
}
err = controllerutil.SetControllerReference(b.controller, &report, b.scheme)
if err != nil {
return v1alpha1.ClusterConfigAuditReport{}, fmt.Errorf("setting controller reference: %w", err)
}
// The OwnerReferencesPermissionsEnforcement admission controller protects the
// access to metadata.ownerReferences[x].blockOwnerDeletion of an object, so
// that only users with "update" permission to the finalizers subresource of the
// referenced owner can change it.
// We set metadata.ownerReferences[x].blockOwnerDeletion to false so that
// additional RBAC permissions are not required when the OwnerReferencesPermissionsEnforcement
// is enabled.
// See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
report.OwnerReferences[0].BlockOwnerDeletion = pointer.BoolPtr(false)
return report, nil
}
func (b *ReportBuilder) GetReport() (v1alpha1.ConfigAuditReport, error) {
labelsSet := make(labels.Set)
if b.resourceSpecHash != "" {
labelsSet[trivyoperator.LabelResourceSpecHash] = b.resourceSpecHash
}
if b.pluginConfigHash != "" {
labelsSet[trivyoperator.LabelPluginConfigHash] = b.pluginConfigHash
}
report := v1alpha1.ConfigAuditReport{
ObjectMeta: metav1.ObjectMeta{
Name: b.reportName(),
Namespace: b.controller.GetNamespace(),
Labels: labelsSet,
},
Report: b.data,
}
err := kube.ObjectToObjectMeta(b.controller, &report.ObjectMeta)
if err != nil {
return v1alpha1.ConfigAuditReport{}, err
}
err = controllerutil.SetControllerReference(b.controller, &report, b.scheme)
if err != nil {
return v1alpha1.ConfigAuditReport{}, fmt.Errorf("setting controller reference: %w", err)
}
// The OwnerReferencesPermissionsEnforcement admission controller protects the
// access to metadata.ownerReferences[x].blockOwnerDeletion of an object, so
// that only users with "update" permission to the finalizers subresource of the
// referenced owner can change it.
// We set metadata.ownerReferences[x].blockOwnerDeletion to false so that
// additional RBAC permissions are not required when the OwnerReferencesPermissionsEnforcement
// is enabled.
// See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
report.OwnerReferences[0].BlockOwnerDeletion = pointer.BoolPtr(false)
return report, nil
}
func (b *ReportBuilder) Write(ctx context.Context, writer Writer) error {
if kube.IsClusterScopedKind(b.controller.GetObjectKind().GroupVersionKind().Kind) {
report, err := b.GetClusterReport()
if err != nil {
return err
}
return writer.WriteClusterReport(ctx, report)
} else {
report, err := b.GetReport()
if err != nil {
return err
}
return writer.WriteReport(ctx, report)
}
}