From 7165ecb7a04fb303438bd0f5e8d95f3495846afd Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Fri, 31 Aug 2018 12:53:46 +0200 Subject: [PATCH 01/66] inital commit of anchore-policy-validator --- .helmignore | 22 +++++ Chart.yaml | 4 + clenup.sh | 14 ++++ requirements.yaml | 5 ++ templates/NOTES.txt | 1 + templates/_helpers.tpl | 16 ++++ templates/default-policy/configmap.yaml | 107 ++++++++++++++++++++++++ templates/default-policy/job.yaml | 45 ++++++++++ templates/deployment.yaml | 61 ++++++++++++++ templates/init-ca/init-ca-hook.yaml | 33 ++++++++ templates/init-ca/init-ca-script.yaml | 106 +++++++++++++++++++++++ templates/init-ca/rbac.yaml | 68 +++++++++++++++ templates/rbac.yaml | 81 ++++++++++++++++++ templates/service.yaml | 19 +++++ templates/validatingwebhook.yaml | 25 ++++++ values.yaml | 23 +++++ 16 files changed, 630 insertions(+) create mode 100644 .helmignore create mode 100644 Chart.yaml create mode 100755 clenup.sh create mode 100644 requirements.yaml create mode 100644 templates/NOTES.txt create mode 100644 templates/_helpers.tpl create mode 100644 templates/default-policy/configmap.yaml create mode 100644 templates/default-policy/job.yaml create mode 100644 templates/deployment.yaml create mode 100644 templates/init-ca/init-ca-hook.yaml create mode 100644 templates/init-ca/init-ca-script.yaml create mode 100644 templates/init-ca/rbac.yaml create mode 100644 templates/rbac.yaml create mode 100644 templates/service.yaml create mode 100644 templates/validatingwebhook.yaml create mode 100644 values.yaml diff --git a/.helmignore b/.helmignore new file mode 100644 index 0000000..1c17e63 --- /dev/null +++ b/.helmignore 
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+cleanup.sh
diff --git a/Chart.yaml b/Chart.yaml
new file mode 100644
index 0000000..38fbcf6
--- /dev/null
+++ b/Chart.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+description: A Helm chart for Kubernetes
+name: anchore-policy-validator
+version: 0.1.0
diff --git a/clenup.sh b/clenup.sh
new file mode 100755
index 0000000..f5d28d0
--- /dev/null
+++ b/clenup.sh
@@ -0,0 +1,14 @@
+#!/bin/zsh
+
+RELEASE_NAME=$1
+
+helm delete --purge ${RELEASE_NAME}
+kubectl delete role ${RELEASE_NAME}-anchore-policy-validator-init-ca
+kubectl delete rolebinding extension-${RELEASE_NAME}-anchore-policy-validator-init-ca-admin
+kubectl delete configmap ${RELEASE_NAME}-init-ca ${RELEASE_NAME}-default-policy
+kubectl delete jobs ${RELEASE_NAME}-init-ca ${RELEASE_NAME}-default-policy
+kubectl delete clusterrolebinding extension-${RELEASE_NAME}-anchore-policy-validator-init-ca-cluster
+kubectl delete clusterroles ${RELEASE_NAME}-anchore-policy-validator-init-ca-cluster
+kubectl delete validatingwebhookconfiguration ${RELEASE_NAME}-anchore-policy-validator.admission.anchore.io
+kubectl delete serviceaccount ${RELEASE_NAME}-anchore-policy-validator-init-ca
+kubectl delete apiservice v1beta1.admission.example.com
diff --git a/requirements.yaml b/requirements.yaml
new file mode 100644
index 0000000..b9ad081
--- /dev/null
+++ b/requirements.yaml
@@ -0,0 +1,5 @@
+dependencies:
+- name: anchore-engine
+ version: 0.2.x
+ repository: alias:banzaicloud-anchore
+ condition: anchore-engine.enabled
\ No newline at end of file
diff --git a/templates/NOTES.txt b/templates/NOTES.txt
new file mode 100644
index 0000000..a922c2a
--- /dev/null
+++ b/templates/NOTES.txt @@ -0,0 +1 @@ +validatingwebhookConfigureation created :{{ template "anchore-policy-validator.fullname" . }}.admission.anchore.io diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl new file mode 100644 index 0000000..a2e0765 --- /dev/null +++ b/templates/_helpers.tpl @@ -0,0 +1,16 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "anchore-policy-validator.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "anchore-policy-validator.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/templates/default-policy/configmap.yaml b/templates/default-policy/configmap.yaml new file mode 100644 index 0000000..a81e871 --- /dev/null +++ b/templates/default-policy/configmap.yaml 
@@ -0,0 +1,107 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{.Release.Name}}-default-policy + labels: + app: {{ template "anchore-policy-validator.fullname" . }} +data: + default-policy.json: |- + { + "id": "0a869a39-1b20-4ce7-bc00-3a7d88271f08", + "version": "1_0", + "name": "AnchoreUserDefault", + "policies": [ + { + "comment": "", + "id": "b4b551ce-376e-455d-9c2b-51ff6d0ab07c", + "name": "default", + "rules": [ + { + "action": "WARN", + "gate": "DOCKERFILECHECK", + "id": "ce7b8000-829b-4c27-8122-69cd59018400", + "params": [ + { + "name": "DENIEDPORTS", + "value": "22" + } + ], + "trigger": "EXPOSE" + }, + { + "action": "WARN", + "gate": "DOCKERFILECHECK", + "id": "312d9e41-1c05-4e2f-ad89-b7d34b0855bb", + "params": [], + "trigger": "NOHEALTHCHECK" + }, + { + "action": "WARN", + "gate": "ANCHORESEC", + "id": "6b5c14e7-a6f7-48cc-99d2-959273a2c6fa", + "params": [ + { + "name": "MAXAGE", + "value": "2" + } + ], + "trigger": "FEEDOUTOFDATE" + }, + { + "action": "WARN", + "gate": "ANCHORESEC", + "id": "3e79ea94-18c4-4d26-9e29-3b9172a62c2e", + "params": [], + "trigger": "UNSUPPORTEDDISTRO" + }, + { + "action": "WARN", + "gate": "ANCHORESEC", + "id": "6063fdde-b1c5-46af-973a-915739451ac4", + "params": [], + "trigger": "VULNMEDIUM" + }, + { + "action": "WARN", + "gate": "ANCHORESEC", + "id": "b30e8abc-444f-45b1-8a37-55be1b8c8bb5", + "params": [], + "trigger": "VULNHIGH" + }, + { + "action": "STOP", + "gate": "ANCHORESEC", + "id": "295adc9f-28b9-4aab-a5d6-833cf7727db7", + "params": [], + "trigger": "VULNCRITICAL" + } + ], + "version": "1_0" + } + ], + "whitelists": [ + { + "comment": "Default Global Whitelist", + "id": "912937b6-05fb-472f-bfbe-834c3562f32d", + "items": [], + "name": "Global Whitelist", + "version": "1_0" + } + ], + "mappings": [ + { + "id": "c4f9bf74-dc38-4ddf-b5cf-00e9c0074611", + "image": { + "type": "tag", + "value": "*" + }, + "name": "default", + "policy_id": "b4b551ce-376e-455d-9c2b-51ff6d0ab07c", + "registry": "*", + "repository": "*", + 
"whitelist_ids": [
+ "912937b6-05fb-472f-bfbe-834c3562f32d"
+ ]
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/templates/default-policy/job.yaml b/templates/default-policy/job.yaml
new file mode 100644
index 0000000..5b6f6b0
--- /dev/null
+++ b/templates/default-policy/job.yaml
@@ -0,0 +1,45 @@
+{{- $anchoreEngineValues := index .Values "anchore-engine" }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: "{{ .Release.Name }}-default-policy"
+ labels:
+ app: {{ template "anchore-policy-validator.fullname" . }}
+ annotations:
+ "helm.sh/hook": post-install
+ "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+ template:
+ metadata:
+ labels:
+ app: {{ template "anchore-policy-validator.fullname" . }}-default-policy
+ spec:
+ restartPolicy: OnFailure
+ volumes:
+ - name: default-policy
+ configMap:
+ name: {{.Release.Name}}-default-policy
+ containers:
+ - name: default-policy
+ image: "anchore/engine-cli"
+ volumeMounts:
+ - name: default-policy
+ mountPath: /policy
+ env:
+ - name: ANCHORE_CLI_USER
+ value: admin
+ - name: ANCHORE_CLI_PASS
+ value: {{ $anchoreEngineValues.globalConfig.users.admin.password }}
+ - name: ANCHORE_CLI_URL
+ {{ if $anchoreEngineValues.enabled }}
+ value: "http://{{ .Release.Name }}-anchore-engine.{{ .Release.Namespace }}.svc.cluster.local:8228"
+ {{ else }}
+ value: {{ $anchoreEngineValues.external }}
+ {{ end }}
+ command:
+ - "sh"
+ - "-c"
+ - |
+ set -ex
+ anchore-cli policy add /policy/default-policy.json
+ anchore-cli policy activate 0a869a39-1b20-4ce7-bc00-3a7d88271f08
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
new file mode 100644
index 0000000..63e9f93
--- /dev/null
+++ b/templates/deployment.yaml
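Review bot: The default policy returns STOP only for `VULNCRITICAL`; `VULNHIGH`, `VULNMEDIUM`, `FEEDOUTOFDATE`, `UNSUPPORTEDDISTRO` and both Dockerfile checks are `WARN`, so an image with known high-severity CVEs, or one evaluated against a stale vulnerability feed, is still admitted by the webhook. If that is the intended default it should be visible to operators, e.g. a YAML comment above `default-policy.json:` such as `# Default gate: only CRITICAL CVEs block admission; HIGH/MEDIUM and stale feeds only warn. Override this ConfigMap for stricter gating.` The policy bundle id `0a869a39-…` is also repeated verbatim in the post-install Job that activates it, so the two must be kept in sync by hand; deriving both from one template value would remove that trap. This hunk begins before the start of this view.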
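Review bot: The Anchore admin password is rendered into the Job pod spec as a literal `value:` taken from `$anchoreEngineValues.globalConfig.users.admin.password`, so it is readable by anyone who can `get jobs -o yaml` in the namespace and is kept in the Helm release record; reference a Secret instead, `valueFrom: {secretKeyRef: {name: <engine-admin-secret>, key: password}}`, and render any literal with `| quote` so a password containing `:` or `#` cannot break the manifest. `image: "anchore/engine-cli"` has no tag, so each run pulls whatever `latest` is at that moment into a container that holds the admin credentials; pin a tag or digest. Since the hook is deleted only on success, a failed run leaves a Job object carrying the password behind.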
@@ -0,0 +1,61 @@
+{{- $anchoreEngineValues := index .Values "anchore-engine" }}
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: {{ template "anchore-policy-validator.fullname" . }}
+ labels:
+ app: {{ template "anchore-policy-validator.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ template:
+ metadata:
+ labels:
+ app: {{ template "anchore-policy-validator.name" . }}
+ release: {{ .Release.Name }}
+ spec:
+ serviceAccountName: {{ template "anchore-policy-validator.fullname" . }}
+ volumes:
+ - name: serving-cert
+ secret:
+ defaultMode: 420
+ secretName: {{ template "anchore-policy-validator.name" . }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - "/anchore-image-admission-server"
+ - "--audit-log-path=-"
+ - "--tls-cert-file=/var/serving-cert/tls.crt"
+ - "--tls-private-key-file=/var/serving-cert/tls.key"
+ - "--v={{ .Values.logVerbosity }}"
+ env:
+ - name: ANCHORE_ENGINE_USERNAME
+ value: admin
+ - name: ANCHORE_ENGINE_PASSWORD
+ value: {{ $anchoreEngineValues.globalConfig.users.admin.password }}
+ - name: ANCHORE_ENGINE_URL
+ {{ if $anchoreEngineValues.enabled }}
+ value: "http://{{ .Release.Name }}-anchore-engine.{{ .Release.Namespace }}.svc.cluster.local:8228"
+ {{ else }}
+ value: {{ $anchoreEngineValues.external }}
+ {{ end }}
+ ports:
+ - containerPort: {{ .Values.service.internalPort }}
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: {{ .Values.service.internalPort }}
+ scheme: HTTPS
+ volumeMounts:
+ - mountPath: /var/serving-cert
+ name: serving-cert
+ resources:
+{{ toYaml .Values.resources | indent 12 }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+ {{- end }}
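Review bot: `ANCHORE_ENGINE_PASSWORD` is set as a literal `value:` rendered from values.yaml, so the engine admin credential is stored in the Deployment object, in every ReplicaSet derived from it, and in the Helm release; move it to a Secret and use `valueFrom: {secretKeyRef: ...}`, and render templated literals with `{{ ... | quote }}`. The pod has no `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`, dropped capabilities) even though it is the admission server every pod creation will depend on. The serving-cert volume references `secretName: {{ template "anchore-policy-validator.name" . }}` while every other resource uses `.fullname`; if the init-ca job (not visible here) writes the secret under the fullname, the volume never mounts, readiness never passes, and a `failurePolicy: Fail` webhook then blocks pod creation — worth confirming the two agree.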
diff --git a/templates/init-ca/init-ca-hook.yaml b/templates/init-ca/init-ca-hook.yaml
new file mode 100644
index 0000000..ba025ab
--- /dev/null
+++ b/templates/init-ca/init-ca-hook.yaml
@@ -0,0 +1,33 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: "{{ .Release.Name }}-init-ca"
+ labels:
+ app: {{ template "anchore-policy-validator.fullname" . }}
+ component: admission-server
+ annotations:
+ "helm.sh/hook": pre-install
+ "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+ template:
+ metadata:
+ labels:
+ app: {{ template "anchore-policy-validator.fullname" . }}
+ component: admission-server
+ spec:
+ serviceAccountName: {{ template "anchore-policy-validator.fullname" . }}-init-ca
+ restartPolicy: OnFailure
+ volumes:
+ - name: init-ca-script
+ configMap:
+ name: {{.Release.Name}}-init-ca
+ containers:
+ - name: create-ca
+ image: "cfssl/cfssl:latest"
+ command:
+ - bash
+ - -xe
+ - /scripts/init-ca.sh
+ volumeMounts:
+ - name: init-ca-script
+ mountPath: /scripts
diff --git a/templates/init-ca/init-ca-script.yaml b/templates/init-ca/init-ca-script.yaml
new file mode 100644
index 0000000..95c2ef6
--- /dev/null
+++ b/templates/init-ca/init-ca-script.yaml
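Review bot: The job that generates the webhook CA and serving key runs `cfssl/cfssl:latest`, a floating tag, and the script it executes (next hunk) fetches `kubectl` at run time from the `stable.txt` release URL with no checksum or signature check, so whatever is served at that moment runs with this job's service-account token and has the freshly minted CA key on disk. Pin the image to a tag or digest, and either use an image that already contains `kubectl` or verify the download against the published `.sha256` before `chmod +x`. `bash -xe` also traces every command to the job log; that is acceptable only as long as no key material is ever passed as a command argument in the script.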
@@ -0,0 +1,106 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{.Release.Name}}-init-ca + labels: + app: {{ template "anchore-policy-validator.fullname" . }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "-5" +data: + init-ca.sh: |- + #!/bin/bash -xe + # Adapted from https://github.com/openshift/kubernetes-namespace-reservation/blob/master/hack/install-kube.sh + apt-get update && apt-get install -y jq + + curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl + chmod +x ./kubectl + mv ./kubectl /usr/bin + + # creates a client CA, args are sudo, dest-dir, ca-id, purpose + # purpose is dropped in after "key encipherment", you usually want + # '"client auth"' + # '"server auth"' + # '"client auth","server auth"' + function kube::util::create_signing_certkey { + local sudo=$1 + local dest_dir=$2 + local id=$3 + local purpose=$4 + # Create client ca + ${sudo} /bin/bash -e < "${dest_dir}/${id}-ca-config.json" + EOF + } + + # signs a serving certificate: args are sudo, dest-dir, ca, filename (roughly), subject, hosts... 
+ function kube::util::create_serving_certkey { + local sudo=$1 + local dest_dir=$2 + local ca=$3 + local id=$4 + local cn=${5:-$4} + local hosts="" + local SEP="" + shift 5 + while [ -n "${1:-}" ]; do + hosts+="${SEP}\"$1\"" + SEP="," + shift 1 + done + ${sudo} /bin/bash -e </dev/null || { echo "Please install jq (https://stedolan.github.io/jq/)."; exit 1; } + which cfssljson &>/dev/null || { echo "Please install cfssljson (https://github.com/cloudflare/cfssl))."; exit 1; } + + # create necessary TLS certificates: + # - a local CA key and cert + # - a webhook server key and cert signed by the local CA + rm -rf ./_output/ + CERT_DIR=_output/tmp/certs + mkdir -p "${CERT_DIR}" + kube::util::create_signing_certkey "" "${CERT_DIR}" serving '"server auth"' + + # create webhook server key and cert + kube::util::create_serving_certkey "" "${CERT_DIR}" "serving-ca" {{ template "anchore-policy-validator.fullname" . }}.{{ .Release.Namespace }}.svc "{{ template "anchore-policy-validator.fullname" . }}.{{ .Release.Namespace }}.svc" "{{ template "anchore-policy-validator.fullname" . }}.{{ .Release.Namespace }}.svc" + + cat > secret.yaml < api-service.yaml < Date: Mon, 3 Sep 2018 15:01:16 +0200 Subject: [PATCH 02/66] fix external anchore values --- templates/default-policy/job.yaml | 16 ++++++++++++---- templates/deployment.yaml | 16 ++++++++++++---- values.yaml | 8 ++++++-- 3 files changed, 30 insertions(+), 10 deletions(-) diff --git a/templates/default-policy/job.yaml b/templates/default-policy/job.yaml index 5b6f6b0..5cfc66a 100644 --- a/templates/default-policy/job.yaml +++ b/templates/default-policy/job.yaml 
@@ -27,15 +27,23 @@ spec: mountPath: /policy env: - name: ANCHORE_CLI_USER + {{- if .Values.externalAnchore.enabled }} + value: {{ .Values.externalAnchore.anchoreUser }} + {{- else }} value: admin + {{- end }} - name: ANCHORE_CLI_PASS + {{- if .Values.externalAnchore.enabled }} + value: {{ .Values.externalAnchore.anchorePass }} + {{- else }} value: {{ $anchoreEngineValues.globalConfig.users.admin.password }} + {{- end }} - name: ANCHORE_CLI_URL - {{ if $anchoreEngineValues.enabled }} + {{- if .Values.externalAnchore.enabled }} + value: {{ .Values.externalAnchore.anchoreHost }} + {{- else }} value: "http://{{ .Release.Name }}-anchore-engine.{{ .Release.Namespace }}.svc.cluster.local:8228" - {{ else }} - value: {{ $anchoreEngineValues.external }} - {{ end }} + {{- end }} command: - "sh" - "-c" diff --git a/templates/deployment.yaml b/templates/deployment.yaml index 63e9f93..cf0da09 100644 --- a/templates/deployment.yaml +++ b/templates/deployment.yaml @@ -34,15 +34,23 @@ spec: - "--v={{ .Values.logVerbosity }}" env: - name: ANCHORE_ENGINE_USERNAME + {{- if .Values.externalAnchore.enabled }} + value: {{ .Values.externalAnchore.anchoreUser }} + {{- else }} value: admin + {{- end }} - name: ANCHORE_ENGINE_PASSWORD + {{- if .Values.externalAnchore.enabled }} + value: {{ .Values.externalAnchore.anchorePass }} + {{- else }} value: {{ $anchoreEngineValues.globalConfig.users.admin.password }} + {{- end }} - name: ANCHORE_ENGINE_URL - {{ if $anchoreEngineValues.enabled }} + {{- if .Values.externalAnchore.enabled }} + value: {{ .Values.externalAnchore.anchoreHost }} + {{- else }} value: "http://{{ .Release.Name }}-anchore-engine.{{ .Release.Namespace }}.svc.cluster.local:8228" - {{ else }} - value: {{ $anchoreEngineValues.external }} - {{ end }} + {{- end }} ports: - containerPort: {{ .Values.service.internalPort }} readinessProbe: diff --git a/values.yaml b/values.yaml index ea859a6..9dc86fc 100644 --- a/values.yaml +++ b/values.yaml 
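Review bot: `value: {{ .Values.externalAnchore.anchorePass }}` (likewise `anchoreUser` and `anchoreHost`) is rendered unquoted, so a password such as `true`, `0123`, or one containing `: `, `#` or a leading `*` changes type or breaks the Job manifest; render it with `{{ .Values.externalAnchore.anchorePass | quote }}`. The credential is still a literal in the pod spec rather than a `secretKeyRef`, so it is readable by anyone with `get jobs` in the namespace and is kept in the Helm release record. The enclosing `env:` list and Job spec begin before this hunk.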
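Review bot: The external Anchore credentials become unquoted literal `value:` entries in a long-lived Deployment, so `ANCHORE_ENGINE_PASSWORD` persists in the Deployment, in every ReplicaSet it spawns and in the Helm release; prefer a Secret with `valueFrom: {secretKeyRef: ...}` and at minimum `{{ ... | quote }}` on all three values. The `{{- else }}` branches still dereference `$anchoreEngineValues.globalConfig.users.admin.password`, which should fail at render time with a nil-pointer error if the `anchore-engine` key is omitted from values while `externalAnchore.enabled` is false; guarding with `{{ if $anchoreEngineValues }}` or `default` would turn that into a clear message. The container spec continues beyond this hunk.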
@@ -18,6 +18,10 @@ anchore-engine:
 users:
 admin:
 password: foobar
- external: ""
+externalAnchore:
+ enabled: true
+ anchoreHost: "http://anchore-anchore-engine:8228"
+ anchoreUser: "poke232"
+ anchorePass: "password"
 resources: {}
-k8sCAbubdle: ""
\ No newline at end of file
+k8sCAbundle: ""
From b718c819dd65d64dde4b798811f6ca69885b841d Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Mon, 3 Sep 2018 19:37:07 +0200 Subject: [PATCH 03/66] create validationwebhook with job --- clenup.sh | 6 ++- templates/init-ca/init-ca-hook.yaml | 2 +- templates/validatingwebhook.yaml | 25 ----------- templates/validatingwebhook/rbac.yaml | 24 ++++++++++ .../validatingwebhook-job.yaml | 33 ++++++++++++++ .../validetingwebhook-script.yaml | 44 +++++++++++++++++++ values.yaml | 1 - 7 files changed, 106 insertions(+), 29 deletions(-) delete mode 100644 templates/validatingwebhook.yaml create mode 100644 templates/validatingwebhook/rbac.yaml create mode 100644 templates/validatingwebhook/validatingwebhook-job.yaml create mode 100644 templates/validatingwebhook/validetingwebhook-script.yaml
diff --git a/clenup.sh b/clenup.sh
index f5d28d0..f6d2c9d 100755
--- a/clenup.sh
+++ b/clenup.sh
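Review bot: This makes `externalAnchore.enabled: true` with a hard-coded `anchoreUser: "poke232"` / `anchorePass: "password"` the chart's shipped defaults, so a plain `helm install` authenticates against what looks like a developer's own engine with committed credentials, and those values stay in git history even after a later patch in this series blanks them. Credential defaults should be empty and enforced at render time, e.g. `anchorePass: ""` here and `{{ required "externalAnchore.anchorePass is required" .Values.externalAnchore.anchorePass | quote }}` in the templates, so a missing value fails the install instead of silently using a placeholder. The `anchore-engine.globalConfig.users.admin.password: foobar` context line shows the same weak-default pattern for the bundled engine.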
@@ -5,10 +5,12 @@ RELEASE_NAME=$1 helm delete --purge ${RELEASE_NAME} kubectl delete role ${RELEASE_NAME}-anchore-policy-validator-init-ca kubectl delete rolebinding extension-${RELEASE_NAME}-anchore-policy-validator-init-ca-admin -kubectl delete configmap ${RELEASE_NAME}-init-ca ${RELEASE_NAME}-default-policy -kubectl delete jobs ${RELEASE_NAME}-init-ca ${RELEASE_NAME}-default-policy +kubectl delete configmap ${RELEASE_NAME}-init-ca ${RELEASE_NAME}-default-policy ${RELEASE_NAME}-validatingwebhook +kubectl delete jobs ${RELEASE_NAME}-init-ca ${RELEASE_NAME}-default-policy ${RELEASE_NAME}-create-validatingwebhook kubectl delete clusterrolebinding extension-${RELEASE_NAME}-anchore-policy-validator-init-ca-cluster kubectl delete clusterroles ${RELEASE_NAME}-anchore-policy-validator-init-ca-cluster kubectl delete validatingwebhookconfiguration ${RELEASE_NAME}-anchore-policy-validator.admission.anchore.io kubectl delete serviceaccount ${RELEASE_NAME}-anchore-policy-validator-init-ca kubectl delete apiservice v1beta1.admission.example.com +kubectl delete clusterrolebinding ${RELEASE_NAME}-anchore-policy-validator-validator-binding +kubectl delete serviceaccount ${RELEASE_NAME}-anchore-policy-validator-validator diff --git a/templates/init-ca/init-ca-hook.yaml b/templates/init-ca/init-ca-hook.yaml index ba025ab..466a473 100644 --- a/templates/init-ca/init-ca-hook.yaml +++ b/templates/init-ca/init-ca-hook.yaml @@ -20,7 +20,7 @@ spec: volumes: - name: init-ca-script configMap: - name: {{.Release.Name}}-init-ca + name: {{ .Release.Name }}-init-ca containers: - name: create-ca image: "cfssl/cfssl:latest" diff --git a/templates/validatingwebhook.yaml b/templates/validatingwebhook.yaml deleted file mode 100644 index ff47df7..0000000 --- a/templates/validatingwebhook.yaml +++ /dev/null 
@@ -1,25 +0,0 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: {{ template "anchore-policy-validator.fullname" . }}.admission.anchore.io
- annotations:
- "helm.sh/hook": post-install
- "helm.sh/hook-weight": "1"
-webhooks:
-- name: {{ template "anchore-policy-validator.fullname" . }}.admission.anchore.io
- clientConfig:
- service:
- namespace: default
- name: kubernetes
- path: /apis/admission.anchore.io/v1beta1/imagechecks
- caBundle: {{ .Values.k8sCAbundle }}
- rules:
- - operations:
- - CREATE
- apiGroups:
- - ""
- apiVersions:
- - "*"
- resources:
- - pods
- failurePolicy: Fail
diff --git a/templates/validatingwebhook/rbac.yaml b/templates/validatingwebhook/rbac.yaml
new file mode 100644
index 0000000..117b68d
--- /dev/null
+++ b/templates/validatingwebhook/rbac.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-install
+ "helm.sh/hook-weight": "-6"
+ name: {{ template "anchore-policy-validator.fullname" . }}-validator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ "helm.sh/hook": pre-install
+ "helm.sh/hook-weight": "-6"
+ name: {{ template "anchore-policy-validator.fullname" . }}-validator-binding
+roleRef:
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ namespace: {{ .Release.Namespace }}
+ name: {{ template "anchore-policy-validator.fullname" . }}-validator
\ No newline at end of file
diff --git a/templates/validatingwebhook/validatingwebhook-job.yaml b/templates/validatingwebhook/validatingwebhook-job.yaml
new file mode 100644
index 0000000..a645a52
--- /dev/null
+++ b/templates/validatingwebhook/validatingwebhook-job.yaml
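Review bot: The `-validator` service account is bound to `cluster-admin` through a ClusterRoleBinding, yet the only thing the post-install job does with it is create a ValidatingWebhookConfiguration; a dedicated ClusterRole scoped to `validatingwebhookconfigurations` in `admissionregistration.k8s.io` is all it needs. Because both objects are `pre-install` hooks with no delete policy, Helm does not track them: the binding and the SA token outlive the job and survive `helm delete` (README-dev later lists them for manual cleanup), so anyone who can read Secrets or exec into pods in the release namespace holds a persistent cluster-admin credential. A post-install hook runs after the release's regular resources are created, so these could be ordinary chart resources (no hook annotations) that `helm delete` removes, with the role narrowed as below.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "anchore-policy-validator.fullname" . }}-validator
rules:
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["validatingwebhookconfigurations"]
  verbs: ["get", "create", "update", "delete"]
---
# … unchanged: ClusterRoleBinding metadata and subjects …
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: {{ template "anchore-policy-validator.fullname" . }}-validator
```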
@@ -0,0 +1,33 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: "{{ .Release.Name }}-create-validatingwebhook"
+ labels:
+ app: {{ template "anchore-policy-validator.fullname" . }}
+ component: validating-webhook
+ annotations:
+ "helm.sh/hook": post-install
+ "helm.sh/hook-weight": "1"
+spec:
+ template:
+ metadata:
+ labels:
+ app: {{ template "anchore-policy-validator.fullname" . }}
+ component: validating-webhook
+ spec:
+ serviceAccountName: {{ template "anchore-policy-validator.fullname" . }}-validator
+ restartPolicy: OnFailure
+ volumes:
+ - name: create-validatingwebhook
+ configMap:
+ name: {{ .Release.Name }}-validatingwebhook
+ containers:
+ - name: create-validatingwebhook
+ image: "ubuntu"
+ command:
+ - bash
+ - -xe
+ - /scripts/create-validatingwebhook.sh
+ volumeMounts:
+ - name: create-validatingwebhook
+ mountPath: /scripts
diff --git a/templates/validatingwebhook/validetingwebhook-script.yaml b/templates/validatingwebhook/validetingwebhook-script.yaml
new file mode 100644
index 0000000..04ea828
--- /dev/null
+++ b/templates/validatingwebhook/validetingwebhook-script.yaml
@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-validatingwebhook
+ labels:
+ app: {{ template "anchore-policy-validator.fullname" . }}
+ annotations:
+ "helm.sh/hook": pre-install
+ "helm.sh/hook-weight": "-5"
+data:
+ create-validatingwebhook.sh: |-
+ #!/bin/bash -xe
+ apt-get update && apt-get install -y jq curl
+
+ curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
+ chmod +x ./kubectl
+ mv ./kubectl /usr/bin
+
+ cat > validatingwebhook.yaml < Date: Mon, 3 Sep 2018 23:13:43 +0200 Subject: [PATCH 04/66] fix repo in requirements --- requirements.yaml | 2 +- values.yaml | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/requirements.yaml b/requirements.yaml
index b9ad081..28eb2d6 100644
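Review bot: The job that runs with the cluster-admin-bound `-validator` service account uses the untagged `ubuntu` image and, per the script ConfigMap that follows, does an `apt-get install` plus an unverified `curl` download of `kubectl` from the `stable.txt` URL before executing it — an unpinned base image and an unauthenticated network fetch are the last things that should run under a cluster-admin token. Pin the image by digest, prefer an image that already ships `kubectl` at a fixed version, and if the download must stay, check it against the published `.sha256` before `chmod +x`. The script hunk is truncated in this view, so the webhook definition it applies (where the `caBundle` comes from, `failurePolicy`) could not be reviewed.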
--- a/requirements.yaml +++ b/requirements.yaml @@ -1,5 +1,5 @@ dependencies: - name: anchore-engine version: 0.2.x - repository: alias:banzaicloud-anchore + repository: alias:banzaicloud-stable condition: anchore-engine.enabled \ No newline at end of file diff --git a/values.yaml b/values.yaml index e391aa2..957faf4 100644 --- a/values.yaml +++ b/values.yaml @@ -13,14 +13,14 @@ service: externalPort: 443 internalPort: 443 anchore-engine: - enabled: false + enabled: true globalConfig: users: admin: password: foobar externalAnchore: - enabled: true - anchoreHost: "http://anchore-anchore-engine:8228" - anchoreUser: "poke232" - anchorePass: "password" + enabled: false + anchoreHost: "" + anchoreUser: "" + anchorePass: "" resources: {} From 883733bac80b22d85ee030c1c165e02f74d26086 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Tue, 4 Sep 2018 12:48:24 +0200 Subject: [PATCH 05/66] add missing job delete --- templates/validatingwebhook/validatingwebhook-job.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/validatingwebhook/validatingwebhook-job.yaml b/templates/validatingwebhook/validatingwebhook-job.yaml index a645a52..13f6300 100644 --- a/templates/validatingwebhook/validatingwebhook-job.yaml +++ b/templates/validatingwebhook/validatingwebhook-job.yaml @@ -8,6 +8,7 @@ metadata: annotations: "helm.sh/hook": post-install "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded spec: template: metadata: From b9325f4d36f05cbc952c97437658adeddf0d5feb Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Wed, 5 Sep 2018 10:06:45 +0200 Subject: [PATCH 06/66] add readme to anchore-policy validator --- README.md | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ values.yaml | 2 +- 2 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..590e987 --- /dev/null +++ b/README.md 
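Review bot: The committed external credentials are blanked here, but `anchore-engine.globalConfig.users.admin.password: foobar` remains the default admin password of the bundled engine, and with `anchore-engine.enabled: true` now the default it is exactly what the validator Deployment and the policy Job authenticate with on a stock install. A weak default that gates every pod admission should be replaced by an empty value the templates reject with `required`, or by a generated Secret; something like `password: ""` here and `{{ required "anchore-engine admin password must be set" ... }}` where it is consumed. With `externalAnchore.enabled: false` and empty host/user/pass, a mis-set `externalAnchore.enabled: true` would also produce a Deployment pointing at an empty URL rather than a render-time error.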
@@ -0,0 +1,50 @@ +# anchore-policy-validator + +This chart deploy an admission-server that is used as a ValidatingWebhook in a k8s cluster. If it's working, kubernetes will send requst to admission server when a Pod creations is initiated. The server check image, which is defined in PodSpec, against configured Anchore-engine API. If API response that image not valid according to defined policy, k8s will reject Pod creation request. + +## Installing the Chart + +```bash +$ helm repo add banzaicloud-stable http://kubernetes-charts.banzaicloud.com/branch/master +$ helm repo update +``` + +Deploying Anchore-engine as a dependency managed in the chart: + +```bash +$ helm install --name stable/anchore-policy-validator +``` + + +Using external Anchore-engine service: + +```bash +$ helm install --name --set externalAnchore.enabled=True --set externalAnchore.anchoreHost= --set externalAnchore.anchoreUser= -set externalAnchore.anchorePass= stable/anchore-policy-validator +``` + +## Configuration + +The following tables lists configurable parameters of the anchore-policy-validator chart and their default values. 
+ +| Parameter | Description | Default | +| ----------------------------------- | ------------------------------------------- | -----------------------------------------| +|replicaCount |number of replicas |1 | +|logVerbosity |log verbosity level |8 | +|apiService.group |group of registered api service |admission.anchore.io | +|apiService.version |version of registered api service |v1beta1 | +|image.repository |admission-server image repo |viglesiasce/anchore-image-admission-server| +|image.tag |admission-server image tag |latest | +|image.pullPolicy |admission-server image pull policy |IfNotPresent | +|service.name |validation sevice name |anchoreimagecheck | +|service.type |validation service type |ClusterIP | +|service.externalPort |validation service external port |443 | +|service.internalPort |validation service external port |443 | +|anchore-engine.enabled |enable anchore-engine deploy |true | +|externalAnchore.enabled |enable external anchore-engine usage |false | +|externalAnchore.anchoreHost |external anchore-engine host |"" | +|externalAnchore.anchoreUser |external anchore-engine username |"" | +|externalAnchore.anchorePass |external anchore-engine password |"" | + + +This chart based on: +[Vic Iglesias' kubernetes-anchore-image-validator](https://github.com/viglesiasce/kubernetes-anchore-image-validator) diff --git a/values.yaml b/values.yaml index 957faf4..8d1384a 100644 --- a/values.yaml +++ b/values.yaml @@ -6,7 +6,7 @@ apiService: image: repository: viglesiasce/anchore-image-admission-server tag: latest - pullPolicy: Always + pullPolicy: IfNotPresent service: name: anchoreimagecheck type: ClusterIP From 30b76dd6aa957312bebd1af10699ff5ab3dc9920 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Wed, 5 Sep 2018 10:09:18 +0200 Subject: [PATCH 07/66] fix typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 590e987..9791560 100644 --- a/README.md +++ b/README.md 
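Review bot: Switching `pullPolicy` to `IfNotPresent` while `image.tag` stays `latest` means a node that already has any cached `viglesiasce/anchore-image-admission-server:latest` keeps running it indefinitely and never picks up a rebuilt image, and different nodes can end up serving different versions of the admission server. Either pin `tag` to an immutable version (ideally a digest, `repository@sha256:...`) or keep `Always` while the tag floats. The README table in the same commit documents `latest` + `IfNotPresent` as the defaults, so the combination is now the documented configuration rather than an accident.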
@@ -1,6 +1,6 @@ # anchore-policy-validator -This chart deploy an admission-server that is used as a ValidatingWebhook in a k8s cluster. If it's working, kubernetes will send requst to admission server when a Pod creations is initiated. The server check image, which is defined in PodSpec, against configured Anchore-engine API. If API response that image not valid according to defined policy, k8s will reject Pod creation request. +This chart deploy an admission-server that is used as a ValidatingWebhook in a k8s cluster. If it's working, kubernetes will send requst to admission server when a Pod creation is initiated. The server check image, which is defined in PodSpec, against configured Anchore-engine API. If API response that image not valid according to defined policy, k8s will reject Pod creation request. ## Installing the Chart From 9553efe642ef3045db02a5745e7b5ca088444275 Mon Sep 17 00:00:00 2001 
From: Peter Balogh Date: Wed, 5 Sep 2018 14:36:05 +0200 Subject: [PATCH 08/66] remove anchore-engine dependency and fix templates based on Chart style guide --- .helmignore | 1 - Chart.yaml | 9 +++ clenup.sh => README-dev.md | 9 ++- README.md | 16 +--- requirements.yaml | 5 -- templates/_helpers.tpl | 4 + ...map.yaml => default-policy-configmap.yaml} | 4 + .../job.yaml => default-policy-job.yaml} | 16 +--- ...-ca-script.yaml => init-ca-configmap.yaml} | 4 + .../init-ca-hook.yaml => init-ca-job.yaml} | 3 + .../{init-ca/rbac.yaml => init-ca-rbac.yaml} | 2 +- templates/rbac.yaml | 81 ------------------- ...yaml => validating-webhook-configmap.yaml} | 4 + ...k-job.yaml => validating-webhook-job.yaml} | 3 + ...rbac.yaml => validating-webhook-rbac.yaml} | 0 ...loyment.yaml => validator-deployment.yaml} | 16 +--- templates/validator-rbac.yaml | 72 +++++++++++++++++ .../{service.yaml => validator-service.yaml} | 3 +- values.yaml | 7 -- 19 files changed, 122 insertions(+), 137 deletions(-) rename clenup.sh => README-dev.md (84%) delete mode 100644 requirements.yaml rename templates/{default-policy/configmap.yaml => default-policy-configmap.yaml} (94%) rename templates/{default-policy/job.yaml => default-policy-job.yaml} (71%) rename templates/{init-ca/init-ca-script.yaml => init-ca-configmap.yaml} (96%) rename templates/{init-ca/init-ca-hook.yaml => init-ca-job.yaml} (86%) rename templates/{init-ca/rbac.yaml => init-ca-rbac.yaml} (97%) delete mode 100644 templates/rbac.yaml rename templates/{validatingwebhook/validetingwebhook-script.yaml => validating-webhook-configmap.yaml} (89%) rename templates/{validatingwebhook/validatingwebhook-job.yaml => validating-webhook-job.yaml} (87%) rename templates/{validatingwebhook/rbac.yaml => validating-webhook-rbac.yaml} (100%) rename templates/{deployment.yaml => validator-deployment.yaml} (75%) create mode 100644 templates/validator-rbac.yaml rename templates/{service.yaml => validator-service.yaml} (85%) 
diff --git a/.helmignore b/.helmignore index 1c17e63..f0c1319 100644 --- a/.helmignore +++ b/.helmignore @@ -19,4 +19,3 @@ .project .idea/ *.tmproj -cleanup.sh diff --git a/Chart.yaml b/Chart.yaml index 38fbcf6..c5fac9f 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -2,3 +2,12 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: anchore-policy-validator version: 0.1.0 +keywords: + - analysis + - "anchore-policy-validator" + - image + - security +maintainers: +- name: Banzai Cloud + email: info@banzaicloud.com +engine: gotpl diff --git a/clenup.sh b/README-dev.md similarity index 84% rename from clenup.sh rename to README-dev.md index f6d2c9d..417fa3b 100755 --- a/clenup.sh +++ b/README-dev.md @@ -1,7 +1,9 @@ -#!/bin/zsh - -RELEASE_NAME=$1 +# Dev helper +Due to some resource create with specific deployment method (eg.: create via k8s job), resources has to be deleted by manually. + +```bash +export RELEASE_NAME= helm delete --purge ${RELEASE_NAME} kubectl delete role ${RELEASE_NAME}-anchore-policy-validator-init-ca kubectl delete rolebinding extension-${RELEASE_NAME}-anchore-policy-validator-init-ca-admin @@ -14,3 +16,4 @@ kubectl delete serviceaccount ${RELEASE_NAME}-anchore-policy-validator-init-ca kubectl delete apiservice v1beta1.admission.example.com kubectl delete clusterrolebinding ${RELEASE_NAME}-anchore-policy-validator-validator-binding kubectl delete serviceaccount ${RELEASE_NAME}-anchore-policy-validator-validator +``` diff --git a/README.md b/README.md index 9791560..ee80e62 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,4 @@ -# anchore-policy-validator +# Anchore policy validator This chart deploy an admission-server that is used as a ValidatingWebhook in a k8s cluster. If it's working, kubernetes will send requst to admission server when a Pod creation is initiated. The server check image, which is defined in PodSpec, against configured Anchore-engine API. If API response that image not valid according to defined policy, k8s will reject Pod creation request. @@ -9,17 +9,10 @@ $ helm repo add banzaicloud-stable http://kubernetes-charts.banzaicloud.com/bran $ helm repo update ``` -Deploying Anchore-engine as a dependency managed in the chart: +Deploying anchore-policy-validator using external Anchore-engine service: ```bash -$ helm install --name stable/anchore-policy-validator -``` - - -Using external Anchore-engine service: - -```bash -$ helm install --name --set externalAnchore.enabled=True --set externalAnchore.anchoreHost= --set externalAnchore.anchoreUser= -set externalAnchore.anchorePass= stable/anchore-policy-validator +$ helm install --name --set externalAnchore.anchoreHost= --set externalAnchore.anchoreUser= -set externalAnchore.anchorePass= stable/anchore-policy-validator ``` ## Configuration 
@@ -39,12 +32,11 @@ The following tables lists configurable parameters of the anchore-policy-validat |service.type |validation service type |ClusterIP | |service.externalPort |validation service external port |443 | |service.internalPort |validation service external port |443 | -|anchore-engine.enabled |enable anchore-engine deploy |true | -|externalAnchore.enabled |enable external anchore-engine usage |false | |externalAnchore.anchoreHost |external anchore-engine host |"" | |externalAnchore.anchoreUser |external anchore-engine username |"" | |externalAnchore.anchorePass |external anchore-engine password |"" | +[Due to some resource create with jobs, these resources has to be deleted by manually.](README-dev.md) This chart based on: [Vic Iglesias' kubernetes-anchore-image-validator](https://github.com/viglesiasce/kubernetes-anchore-image-validator) diff --git a/requirements.yaml b/requirements.yaml deleted file mode 100644 index 28eb2d6..0000000 --- a/requirements.yaml +++ /dev/null @@ -1,5 +0,0 @@ -dependencies: -- name: anchore-engine - version: 0.2.x - repository: alias:banzaicloud-stable - condition: anchore-engine.enabled \ No newline at end of file diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index a2e0765..8002210 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -2,6 +2,10 @@ {{/* Expand the name of the chart. */}} +{{- define "anchore-policy-validator.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{- define "anchore-policy-validator.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} diff --git a/templates/default-policy/configmap.yaml b/templates/default-policy-configmap.yaml similarity index 94% rename from templates/default-policy/configmap.yaml rename to templates/default-policy-configmap.yaml index a81e871..9ad0c71 100644 --- a/templates/default-policy/configmap.yaml 
+++ b/templates/default-policy-configmap.yaml @@ -4,6 +4,10 @@ metadata: name: {{.Release.Name}}-default-policy labels: app: {{ template "anchore-policy-validator.fullname" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: default-policy data: default-policy.json: |- { diff --git a/templates/default-policy/job.yaml b/templates/default-policy-job.yaml similarity index 71% rename from templates/default-policy/job.yaml rename to templates/default-policy-job.yaml index 5cfc66a..80623df 100644 --- a/templates/default-policy/job.yaml +++ b/templates/default-policy-job.yaml @@ -5,6 +5,10 @@ metadata: name: "{{ .Release.Name }}-default-policy" labels: app: {{ template "anchore-policy-validator.fullname" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: default-policy annotations: "helm.sh/hook": post-install "helm.sh/hook-delete-policy": hook-succeeded @@ -27,23 +31,11 @@ spec: mountPath: /policy env: - name: ANCHORE_CLI_USER - {{- if .Values.externalAnchore.enabled }} value: {{ .Values.externalAnchore.anchoreUser }} - {{- else }} - value: admin - {{- end }} - name: ANCHORE_CLI_PASS - {{- if .Values.externalAnchore.enabled }} value: {{ .Values.externalAnchore.anchorePass }} - {{- else }} - value: {{ $anchoreEngineValues.globalConfig.users.admin.password }} - {{- end }} - name: ANCHORE_CLI_URL - {{- if .Values.externalAnchore.enabled }} value: {{ .Values.externalAnchore.anchoreHost }} - {{- else }} - value: "http://{{ .Release.Name }}-anchore-engine.{{ .Release.Namespace }}.svc.cluster.local:8228" - {{- end }} command: - "sh" - "-c" diff --git a/templates/init-ca/init-ca-script.yaml b/templates/init-ca-configmap.yaml similarity index 96% rename from templates/init-ca/init-ca-script.yaml rename to templates/init-ca-configmap.yaml index 95c2ef6..c08efa5 100644 
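Review bot: `ANCHORE_CLI_PASS` is now rendered as a literal `value: {{ .Values.externalAnchore.anchorePass }}` in the Job's env, so the Anchore credential lands in the rendered manifest, the release's stored values and anything allowed to `get` the Job; a Secret plus `valueFrom.secretKeyRef` keeps it out of the pod spec. The same pattern appears in the `ANCHORE_ENGINE_PASSWORD` env of templates/validator-deployment.yaml in this commit. The three values are also unquoted, so a password or URL containing `:` or `#` breaks the YAML; render them as `value: {{ .Values.externalAnchore.anchorePass | quote }}`. The Job's container block starts before this hunk.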
--- a/templates/init-ca/init-ca-script.yaml +++ b/templates/init-ca-configmap.yaml @@ -4,6 +4,10 @@ metadata: name: {{.Release.Name}}-init-ca labels: app: {{ template "anchore-policy-validator.fullname" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: admission-server annotations: "helm.sh/hook": pre-install "helm.sh/hook-weight": "-5" diff --git a/templates/init-ca/init-ca-hook.yaml b/templates/init-ca-job.yaml similarity index 86% rename from templates/init-ca/init-ca-hook.yaml rename to templates/init-ca-job.yaml index 466a473..3c46292 100644 --- a/templates/init-ca/init-ca-hook.yaml +++ b/templates/init-ca-job.yaml @@ -4,6 +4,9 @@ metadata: name: "{{ .Release.Name }}-init-ca" labels: app: {{ template "anchore-policy-validator.fullname" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} component: admission-server annotations: "helm.sh/hook": pre-install diff --git a/templates/init-ca/rbac.yaml b/templates/init-ca-rbac.yaml similarity index 97% rename from templates/init-ca/rbac.yaml rename to templates/init-ca-rbac.yaml index 8ab0a6e..ea50f35 100644 --- a/templates/init-ca/rbac.yaml +++ b/templates/init-ca-rbac.yaml @@ -16,7 +16,7 @@ metadata: "helm.sh/hook": pre-install "helm.sh/hook-weight": "-6" rules: -- apiGroups: [""] # "" indicates the core API group +- apiGroups: [""] resources: ["secrets", "deployments"] verbs: ["get", "patch", "create"] --- diff --git a/templates/rbac.yaml b/templates/rbac.yaml deleted file mode 100644 index 9935b09..0000000 --- a/templates/rbac.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ -apiVersion: v1 -kind: List -metadata: -items: - -- apiVersion: v1 - kind: ServiceAccount - metadata: - name: {{ template "anchore-policy-validator.fullname" . }} - -# to delegate authentication and authorization -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - name: auth-delegator-{{ template "anchore-policy-validator.fullname" . }}-default - roleRef: - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io - name: system:auth-delegator - subjects: - - kind: ServiceAccount - namespace: {{ .Release.Namespace }} - name: {{ template "anchore-policy-validator.fullname" . }} - -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - name: auth-delegator-{{ template "anchore-policy-validator.fullname" . }}-admin - roleRef: - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io - name: cluster-admin - subjects: - - kind: ServiceAccount - namespace: {{ .Release.Namespace }} - name: {{ template "anchore-policy-validator.fullname" . }} - -# to let the admission server read the namespace reservations -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - name: {{ template "anchore-policy-validator.fullname" . }} - rules: - - apiGroups: - - admission.vicnastea.io - resources: - - {{ template "anchore-policy-validator.fullname" . }} - verbs: - - get - - list - - watch - - create - -# to let the admission server read the namespace reservations -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - name: {{ template "anchore-policy-validator.fullname" . }}-default - roleRef: - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io - name: namespace-reservation-{{ template "anchore-policy-validator.fullname" . }} - subjects: - - kind: ServiceAccount - namespace: {{ .Release.Namespace }} - name: {{ template "anchore-policy-validator.fullname" . 
}} - -# to read the config for terminating authentication -- apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - namespace: kube-system - name: extension-{{ template "anchore-policy-validator.fullname" . }}-authentication-reader-default - roleRef: - kind: Role - apiGroup: rbac.authorization.k8s.io - name: extension-api{{ template "anchore-policy-validator.fullname" . }}-authentication-reader - subjects: - - kind: ServiceAccount - name: {{ template "anchore-policy-validator.fullname" . }} diff --git a/templates/validatingwebhook/validetingwebhook-script.yaml b/templates/validating-webhook-configmap.yaml similarity index 89% rename from templates/validatingwebhook/validetingwebhook-script.yaml rename to templates/validating-webhook-configmap.yaml index 04ea828..4f68ea9 100644 --- a/templates/validatingwebhook/validetingwebhook-script.yaml +++ b/templates/validating-webhook-configmap.yaml @@ -4,6 +4,10 @@ metadata: name: {{ .Release.Name }}-validatingwebhook labels: app: {{ template "anchore-policy-validator.fullname" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: validating-webhook annotations: "helm.sh/hook": pre-install "helm.sh/hook-weight": "-5" diff --git a/templates/validatingwebhook/validatingwebhook-job.yaml b/templates/validating-webhook-job.yaml similarity index 87% rename from templates/validatingwebhook/validatingwebhook-job.yaml rename to templates/validating-webhook-job.yaml index 13f6300..fab9501 100644 --- a/templates/validatingwebhook/validatingwebhook-job.yaml +++ b/templates/validating-webhook-job.yaml 
@@ -4,6 +4,9 @@ metadata: name: "{{ .Release.Name }}-create-validatingwebhook" labels: app: {{ template "anchore-policy-validator.fullname" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} component: validating-webhook annotations: "helm.sh/hook": post-install diff --git a/templates/validatingwebhook/rbac.yaml b/templates/validating-webhook-rbac.yaml similarity index 100% rename from templates/validatingwebhook/rbac.yaml rename to templates/validating-webhook-rbac.yaml diff --git a/templates/deployment.yaml b/templates/validator-deployment.yaml similarity index 75% rename from templates/deployment.yaml rename to templates/validator-deployment.yaml index cf0da09..98ae9bf 100644 --- a/templates/deployment.yaml +++ b/templates/validator-deployment.yaml @@ -1,13 +1,13 @@ -{{- $anchoreEngineValues := index .Values "anchore-engine" }} apiVersion: extensions/v1beta1 kind: Deployment metadata: name: {{ template "anchore-policy-validator.fullname" . }} labels: - app: {{ template "anchore-policy-validator.name" . }} + app: {{ template "anchore-policy-validator.fullname" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} + component: admission-server spec: replicas: {{ .Values.replicaCount }} template: 
@@ -34,23 +34,11 @@ spec: - "--v={{ .Values.logVerbosity }}" env: - name: ANCHORE_ENGINE_USERNAME - {{- if .Values.externalAnchore.enabled }} value: {{ .Values.externalAnchore.anchoreUser }} - {{- else }} - value: admin - {{- end }} - name: ANCHORE_ENGINE_PASSWORD - {{- if .Values.externalAnchore.enabled }} value: {{ .Values.externalAnchore.anchorePass }} - {{- else }} - value: {{ $anchoreEngineValues.globalConfig.users.admin.password }} - {{- end }} - name: ANCHORE_ENGINE_URL - {{- if .Values.externalAnchore.enabled }} value: {{ .Values.externalAnchore.anchoreHost }} - {{- else }} - value: "http://{{ .Release.Name }}-anchore-engine.{{ .Release.Namespace }}.svc.cluster.local:8228" - {{- end }} ports: - containerPort: {{ .Values.service.internalPort }} readinessProbe: diff --git a/templates/validator-rbac.yaml b/templates/validator-rbac.yaml new file mode 100644 index 0000000..990fff4 --- /dev/null +++ b/templates/validator-rbac.yaml 
@@ -0,0 +1,72 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "anchore-policy-validator.fullname" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: auth-delegator-{{ template "anchore-policy-validator.fullname" . }}-default +roleRef: + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io + name: system:auth-delegator +subjects: +- kind: ServiceAccount + namespace: {{ .Release.Namespace }} + name: {{ template "anchore-policy-validator.fullname" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: auth-delegator-{{ template "anchore-policy-validator.fullname" . }}-admin +roleRef: + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io + name: cluster-admin +subjects: +- kind: ServiceAccount + namespace: {{ .Release.Namespace }} + name: {{ template "anchore-policy-validator.fullname" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + name: {{ template "anchore-policy-validator.fullname" . }} +rules: +- apiGroups: + - admission.vicnastea.io + resources: + - {{ template "anchore-policy-validator.fullname" . }} + verbs: + - get + - list + - watch + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "anchore-policy-validator.fullname" . }}-default +roleRef: + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io + name: namespace-reservation-{{ template "anchore-policy-validator.fullname" . }} +subjects: +- kind: ServiceAccount + namespace: {{ .Release.Namespace }} + name: {{ template "anchore-policy-validator.fullname" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + namespace: kube-system + name: extension-{{ template "anchore-policy-validator.fullname" . 
}}-authentication-reader-default +roleRef: + kind: Role + apiGroup: rbac.authorization.k8s.io + name: extension-api{{ template "anchore-policy-validator.fullname" . }}-authentication-reader +subjects: +- kind: ServiceAccount + name: {{ template "anchore-policy-validator.fullname" . }} diff --git a/templates/service.yaml b/templates/validator-service.yaml similarity index 85% rename from templates/service.yaml rename to templates/validator-service.yaml index 32af620..397c88d 100644 --- a/templates/service.yaml +++ b/templates/validator-service.yaml @@ -3,10 +3,11 @@ kind: Service metadata: name: {{ template "anchore-policy-validator.fullname" . }} labels: - app: {{ template "anchore-policy-validator.name" . }} + app: {{ template "anchore-policy-validator.fullname" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} + component: admission-server spec: type: {{ .Values.service.type }} ports: diff --git a/values.yaml b/values.yaml index 8d1384a..69e64c8 100644 --- a/values.yaml +++ b/values.yaml @@ -12,14 +12,7 @@ service: type: ClusterIP externalPort: 443 internalPort: 443 -anchore-engine: - enabled: true - globalConfig: - users: - admin: - password: foobar externalAnchore: - enabled: false anchoreHost: "" anchoreUser: "" anchorePass: "" From 3c7e5dd3e0d91494ab0ca32b679da63dca5facab Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Tue, 11 Sep 2018 10:54:22 +0200 Subject: [PATCH 09/66] fix README --- README-dev.md | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README-dev.md b/README-dev.md index 417fa3b..f4d888b 100755 --- a/README-dev.md +++ b/README-dev.md 
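Review bot: The second ClusterRoleBinding grants the validator ServiceAccount `cluster-admin`, far more than an admission webhook needs to inspect pod specs and write its own CRs; a ClusterRole limited to the verbs the server actually uses would keep a compromised webhook pod from owning the cluster. Two of the remaining bindings reference roles this chart never creates — ClusterRole `namespace-reservation-{{ fullname }}` (the ClusterRole defined above is named `{{ fullname }}`) and Role `extension-api{{ fullname }}-authentication-reader` in kube-system — and the final RoleBinding's subject has no `namespace`, so it resolves to kube-system rather than the release namespace. Either drop the dangling bindings or point the first at `name: {{ template "anchore-policy-validator.fullname" . }}` and add `namespace: {{ .Release.Namespace }}` to the last subject. The `admission.vicnastea.io` apiGroup in the ClusterRole also looks inherited from the upstream project rather than matching the `admission.anchore.io` group in values.yaml.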
@@ -1,6 +1,6 @@ # Dev helper -Due to some resource create with specific deployment method (eg.: create via k8s job), resources has to be deleted by manually. +Due to some resources create with specific deployment method (eg.: create via k8s job), resources has to be deleted manually. ```bash export RELEASE_NAME= diff --git a/README.md b/README.md index ee80e62..f8ce83b 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Anchore policy validator -This chart deploy an admission-server that is used as a ValidatingWebhook in a k8s cluster. If it's working, kubernetes will send requst to admission server when a Pod creation is initiated. The server check image, which is defined in PodSpec, against configured Anchore-engine API. If API response that image not valid according to defined policy, k8s will reject Pod creation request. +This chart deploys an admission-server that is used as a ValidatingWebhook in a k8s cluster. If it's working, kubernetes will send requests to the admission server when a Pod creation is initiated. The server checks the image, which is defined in PodSpec, against configured Anchore-engine API. If the API responds with an error, that the image is not valid according to defined policy, k8s will reject the Pod creation request. ## Installing the Chart From bde2670a00ab494abaf56c078c7c0aec3ad2a015 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Mon, 17 Sep 2018 10:24:56 +0200 Subject: [PATCH 10/66] use banzaicloud/admission-image-validator image --- templates/validator-deployment.yaml | 2 +- values.yaml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/validator-deployment.yaml b/templates/validator-deployment.yaml index 98ae9bf..b7fbabd 100644 --- a/templates/validator-deployment.yaml +++ b/templates/validator-deployment.yaml 
@@ -27,7 +27,7 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} command: - - "/anchore-image-admission-server" + - "/anchore-image-validator" - "--audit-log-path=-" - "--tls-cert-file=/var/serving-cert/tls.crt" - "--tls-private-key-file=/var/serving-cert/tls.key" diff --git a/values.yaml b/values.yaml index 69e64c8..2b6fc33 100644 --- a/values.yaml +++ b/values.yaml @@ -4,9 +4,9 @@ apiService: group: admission.anchore.io version: v1beta1 image: - repository: viglesiasce/anchore-image-admission-server - tag: latest - pullPolicy: IfNotPresent + repository: banzaicloud/anchore-image-validator + tag: 0.0.2 + pullPolicy: Always service: name: anchoreimagecheck type: ClusterIP From 061b4dd149ffe3d575d574eee8e403760bfc8c6e Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Mon, 17 Sep 2018 13:18:36 +0200 Subject: [PATCH 11/66] add crd, validationwebhook exlude noscan --- templates/validating-webhook-configmap.yaml | 5 ++++ templates/whitelist-crd.yaml | 29 +++++++++++++++++++++ 2 files changed, 34 insertions(+) create mode 100644 templates/whitelist-crd.yaml diff --git a/templates/validating-webhook-configmap.yaml b/templates/validating-webhook-configmap.yaml index 4f68ea9..cb018aa 100644 --- a/templates/validating-webhook-configmap.yaml +++ b/templates/validating-webhook-configmap.yaml @@ -43,6 +43,11 @@ data: resources: - pods failurePolicy: Fail + namespaceSelector: + matchExpressions: + - key: scan + operator: NotIn + values: [noscan] EOF sed "s/CA_BUNDLE/$(base64 /var/run/secrets/kubernetes.io/serviceaccount/ca.crt | tr -d '\n')/g" validatingwebhook.yaml | kubectl -n {{ .Release.Namespace }} apply -f - diff --git a/templates/whitelist-crd.yaml b/templates/whitelist-crd.yaml new file mode 100644 index 0000000..ac3da0d --- /dev/null +++ b/templates/whitelist-crd.yaml 
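Review bot: The new `namespaceSelector` makes validation opt-out: any namespace carrying the label `scan=noscan` skips image checks entirely, so the right to label namespaces becomes equivalent to bypassing the policy and should be restricted and audited. Consider exposing the label key and value as chart values and documenting the exemption in README.md next to the other configuration, so operators know it exists. The generated ValidatingWebhookConfiguration starts before this hunk.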
@@ -0,0 +1,29 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: whitelists.security.banzaicloud.com +spec: + group: security.banzaicloud.com + version: v1alpha1 + names: + kind: WhiteList + plural: whitelists + singular: whitelist + shortnames: + - wl + scope: Cluster + validation: + openAPIV3Schema: + properties: + spec: + required: + - releaseName + - reason + - creator + properties: + relaseName: + type: string + reason: + type: string + creator: + type: string \ No newline at end of file From 13987f17b7fa7997b4e9a0bc68e029bcc174d108 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Mon, 17 Sep 2018 15:39:55 +0200 Subject: [PATCH 12/66] fix readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f8ce83b..4d08203 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ $ helm repo update Deploying anchore-policy-validator using external Anchore-engine service: ```bash -$ helm install --name --set externalAnchore.anchoreHost= --set externalAnchore.anchoreUser= -set externalAnchore.anchorePass= stable/anchore-policy-validator +$ helm install --name --set externalAnchore.anchoreHost= --set externalAnchore.anchoreUser= -set externalAnchore.anchorePass= banzaicloud-stable/anchore-policy-validator ``` ## Configuration From 472712bf2855db9aea8ce8ec7ca935d61468d78d Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Tue, 25 Sep 2018 14:07:19 +0200 Subject: [PATCH 13/66] Anchore default policies (#375) * create policy bundles and activate AllowAll by default --- Chart.yaml | 2 +- README.md | 14 ++ templates/audit-crd.yaml | 41 ++++ templates/default-policy-configmap.yaml | 260 +++++++++++++++++++++--- templates/default-policy-job.yaml | 8 +- values.yaml | 2 +- 6 files changed, 290 insertions(+), 37 deletions(-) create mode 100644 templates/audit-crd.yaml diff --git a/Chart.yaml b/Chart.yaml index c5fac9f..ea9f5be 100644 --- a/Chart.yaml +++ b/Chart.yaml 
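Review bot: The schema's `required` list names `releaseName` but the property is declared as `relaseName`, so objects sending `releaseName` pass without the declared type check while the declared property can never satisfy the requirement; rename the property to `releaseName`. `shortnames` is not a CRD field — the key is `shortNames` — so the `wl` alias is presumably ignored by the API server. Since this CRD is the validator's bypass list, its schema is worth getting right before anything relies on it.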
@@ -1,7 +1,7 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: anchore-policy-validator -version: 0.1.0 +version: 0.1.1 keywords: - analysis - "anchore-policy-validator" diff --git a/README.md b/README.md index 4d08203..3da094c 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,20 @@ Deploying anchore-policy-validator using external Anchore-engine service: $ helm install --name --set externalAnchore.anchoreHost= --set externalAnchore.anchoreUser= -set externalAnchore.anchorePass= banzaicloud-stable/anchore-policy-validator ``` + +During deploying this chart, it's creating predefined policy bundles and activates `AllowAll` by default. + +## Policy bundles + +| PolicyName | Description | +|---------------|-------------------------------------------------------------| +|AllowAll |Allow all images to deploy | +|RejectCritical |Reject deploying images that contain `critical` vulnerabiliy | +|RejectHigh |Reject deploying images that contain `high` vulnerabiliy | +|BlockRoot |Block deploying images that using `root` as effective user | +|DenyAll |Deny all imagest to deploy | + + ## Configuration The following tables lists configurable parameters of the anchore-policy-validator chart and their default values. diff --git a/templates/audit-crd.yaml b/templates/audit-crd.yaml new file mode 100644 index 0000000..adc17d6 --- /dev/null +++ b/templates/audit-crd.yaml 
@@ -0,0 +1,41 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: audits.security.banzaicloud.com +spec: + group: security.banzaicloud.com + version: v1alpha1 + names: + kind: Audit + plural: audits + singular: audit + scope: Cluster + validation: + openAPIV3Schema: + properties: + spec: + required: + - releaseName + - resource + - image + - result + - action + properties: + releaseName: + type: string + resource: + type: string + image: + type: array + items: + type: string + result: + type: array + items: + type: string + action: + type: string + status: + properties: + state: + type: string diff --git a/templates/default-policy-configmap.yaml b/templates/default-policy-configmap.yaml index 9ad0c71..167cd73 100644 --- a/templates/default-policy-configmap.yaml +++ b/templates/default-policy-configmap.yaml @@ -9,21 +9,35 @@ metadata: heritage: {{ .Release.Service }} component: default-policy data: - default-policy.json: |- + allow-all.json: |- { - "id": "0a869a39-1b20-4ce7-bc00-3a7d88271f08", + "id": "97b33e2c-3b57-4a3f-a12b-a8c0daa472a0", "version": "1_0", - "name": "AnchoreUserDefault", + "name": "AllowAll", "policies": [ { "comment": "", - "id": "b4b551ce-376e-455d-9c2b-51ff6d0ab07c", - "name": "default", + "id": "b83f90b3-24b7-4c51-858e-035f85156f00", + "name": "allow-all", "rules": [ + { + "action": "WARN", + "gate": "ANCHORESEC", + "id": "eaef9298-9be9-4cc3-92d8-1b69968e175a", + "params": [], + "trigger": "VULNHIGH" + }, + { + "action": "WARN", + "gate": "ANCHORESEC", + "id": "f2d9e08e-b09c-4f8d-972c-de84223783f9", + "params": [], + "trigger": "VULNCRITICAL" + }, { "action": "WARN", "gate": "DOCKERFILECHECK", - "id": "ce7b8000-829b-4c27-8122-69cd59018400", + "id": "f47bf985-fbd5-4afa-bdcc-658ecc9e424e", "params": [ { "name": "DENIEDPORTS", 
@@ -31,81 +45,261 @@ data: } ], "trigger": "EXPOSE" - }, + } + ], + "version": "1_0" + } + ], + "whitelists": [], + "mappings": [ + { + "id": "df21279e-57f3-4ca2-a57a-ae23cb071d6b", + "image": { + "type": "tag", + "value": "*" + }, + "name": "allow-all", + "policy_id": "b83f90b3-24b7-4c51-858e-035f85156f00", + "registry": "*", + "repository": "*", + "whitelist_ids": [] + } + ] + } + deny-all.json: |- + { + "id": "a81d4e45-6021-4b42-a217-a6554015d431", + "version": "1_0", + "name": "DenyAll", + "policies": [ + { + "comment": "", + "id": "9943a629-c3d9-47ce-8235-7142e54bb682", + "name": "deny-all", + "rules": [ + { + "action": "STOP", + "gate": "FILECHECK", + "id": "cbb8b7e5-f8b8-4bb9-905e-1be7f45ac39d", + "params": [ + { + "name": "FILECHECK_NAMEREGEXP", + "value": ".*" + } + ], + "trigger": "FILENAMEMATCH" + } + ], + "version": "1_0" + } + ], + "whitelists": [], + "mappings": [ + { + "id": "2c0ac021-94f4-4366-a818-78fe1fb493d9", + "image": { + "type": "tag", + "value": "*" + }, + "name": "deny-all", + "policy_id": "9943a629-c3d9-47ce-8235-7142e54bb682", + "registry": "*", + "repository": "*", + "whitelist_ids": [] + } + ] + } + reject-high.json: |- + { + "id": "0cd4785e-71fa-4273-8ea5-3b15f515cca4", + "version": "1_0", + "name": "RejectHigh", + "policies": [ + { + "comment": "", + "id": "d8acc789-181a-4b14-b569-4e5b292c8653", + "name": "reject-high", + "rules": [ { "action": "WARN", - "gate": "DOCKERFILECHECK", - "id": "312d9e41-1c05-4e2f-ad89-b7d34b0855bb", + "gate": "ANCHORESEC", + "id": "1516498a-4e4e-4085-9e24-fdd878834235", "params": [], - "trigger": "NOHEALTHCHECK" + "trigger": "UNSUPPORTEDDISTRO" }, { "action": "WARN", "gate": "ANCHORESEC", - "id": "6b5c14e7-a6f7-48cc-99d2-959273a2c6fa", - "params": [ - { - "name": "MAXAGE", - "value": "2" - } - ], - "trigger": "FEEDOUTOFDATE" + "id": "3750deb2-d7aa-4e72-8a09-88207e5c364f", + "params": [], + "trigger": "VULNMEDIUM" }, + { + "action": "STOP", + "gate": "ANCHORESEC", + "id": 
"dbea7de9-a398-4306-8326-b3377a483ebd", + "params": [], + "trigger": "VULNCRITICAL" + }, + { + "action": "STOP", + "gate": "ANCHORESEC", + "id": "92c4fd9b-df7d-40ad-91b0-717271122e72", + "params": [], + "trigger": "VULNHIGH" + } + ], + "version": "1_0" + } + ], + "whitelists": [], + "mappings": [ + { + "id": "7bf9ee85-f5fe-4f39-9777-0d687dfd2dcc", + "image": { + "type": "tag", + "value": "*" + }, + "name": "reject-high", + "policy_id": "d8acc789-181a-4b14-b569-4e5b292c8653", + "registry": "*", + "repository": "*", + "whitelist_ids": [] + } + ] + } + reject-critical.json: |- + { + "id": "bdb91dcc-62ca-49a2-a497-ee8a3bb7ec9f", + "version": "1_0", + "name": "RejectCritical", + "policies": [ + { + "comment": "", + "id": "2335c373-6182-4e1b-9e1f-dae4b47eb9f8", + "name": "reject-critical", + "rules": [ { "action": "WARN", "gate": "ANCHORESEC", - "id": "3e79ea94-18c4-4d26-9e29-3b9172a62c2e", + "id": "f8d4743b-4d19-4e37-a606-bdc886e04e26", "params": [], "trigger": "UNSUPPORTEDDISTRO" }, { "action": "WARN", "gate": "ANCHORESEC", - "id": "6063fdde-b1c5-46af-973a-915739451ac4", + "id": "d995f2d4-576c-4ea3-83cb-e171371d2740", "params": [], "trigger": "VULNMEDIUM" }, { "action": "WARN", "gate": "ANCHORESEC", - "id": "b30e8abc-444f-45b1-8a37-55be1b8c8bb5", + "id": "d4d216ba-a56d-42a5-a3fc-80fd2a354f5b", "params": [], "trigger": "VULNHIGH" }, + { + "action": "WARN", + "gate": "DOCKERFILECHECK", + "id": "f3e4c04e-ccbe-4933-9768-ab9d722c9675", + "params": [], + "trigger": "NOHEALTHCHECK" + }, { "action": "STOP", "gate": "ANCHORESEC", - "id": "295adc9f-28b9-4aab-a5d6-833cf7727db7", + "id": "bc24976e-eb4f-4162-a0aa-7e820ec61c94", "params": [], "trigger": "VULNCRITICAL" + }, + { + "action": "STOP", + "gate": "DOCKERFILECHECK", + "id": "a703788b-c9ad-4ad5-859a-36a1c7f4f8aa", + "params": [ + { + "name": "DENIEDPORTS", + "value": "22" + } + ], + "trigger": "EXPOSE" } ], "version": "1_0" } ], - "whitelists": [ + "whitelists": [], + "mappings": [ + { + "id": 
"cb60bd5e-3ac4-4bf0-8d37-16c83d3f7f07", + "image": { + "type": "tag", + "value": "*" + }, + "name": "reject-critical", + "policy_id": "2335c373-6182-4e1b-9e1f-dae4b47eb9f8", + "registry": "*", + "repository": "*", + "whitelist_ids": [] + } + ] + } + block-root.json: |- + { + "id": "377c130d-0af7-45d4-adf9-cd72878993e2", + "version": "1_0", + "name": "BlockRoot", + "policies": [ { - "comment": "Default Global Whitelist", - "id": "912937b6-05fb-472f-bfbe-834c3562f32d", - "items": [], - "name": "Global Whitelist", + "comment": "", + "id": "374c81e5-1f63-41c8-ad86-c76a51db4d80", + "name": "block-root", + "rules": [ + { + "action": "STOP", + "gate": "DOCKERFILECHECK", + "id": "3b1c20f5-6a38-423d-9e35-7facdc6aca1c", + "params": [ + { + "name": "DENIED", + "value": "root" + } + ], + "trigger": "EFFECTIVEUSER" + }, + { + "action": "WARN", + "gate": "ANCHORESEC", + "id": "eab521ac-ca56-4840-b463-11c427ffa7ab", + "params": [], + "trigger": "VULNHIGH" + }, + { + "action": "WARN", + "gate": "ANCHORESEC", + "id": "66218daa-2ee7-48e9-b73e-506378a59b2e", + "params": [], + "trigger": "VULNCRITICAL" + } + ], "version": "1_0" } ], + "whitelists": [], "mappings": [ { - "id": "c4f9bf74-dc38-4ddf-b5cf-00e9c0074611", + "id": "c42e0769-5bb9-4e99-94d6-5c009e228439", "image": { "type": "tag", "value": "*" }, - "name": "default", - "policy_id": "b4b551ce-376e-455d-9c2b-51ff6d0ab07c", + "name": "block-root", + "policy_id": "374c81e5-1f63-41c8-ad86-c76a51db4d80", "registry": "*", "repository": "*", - "whitelist_ids": [ - "912937b6-05fb-472f-bfbe-834c3562f32d" - ] + "whitelist_ids": [] } ] } \ No newline at end of file diff --git a/templates/default-policy-job.yaml b/templates/default-policy-job.yaml index 80623df..68ffbd8 100644 --- a/templates/default-policy-job.yaml +++ b/templates/default-policy-job.yaml 
@@ -41,5 +41,9 @@ spec: - "-c" - | set -ex - anchore-cli policy add /policy/default-policy.json - anchore-cli policy activate 0a869a39-1b20-4ce7-bc00-3a7d88271f08 + anchore-cli policy add /policy/allow-all.json + anchore-cli policy add /policy/deny-all.json + anchore-cli policy add /policy/reject-high.json + anchore-cli policy add /policy/reject-critical.json + anchore-cli policy add /policy/block-root.json + anchore-cli policy activate 97b33e2c-3b57-4a3f-a12b-a8c0daa472a0 diff --git a/values.yaml b/values.yaml index 2b6fc33..2f98382 100644 --- a/values.yaml +++ b/values.yaml @@ -6,7 +6,7 @@ apiService: image: repository: banzaicloud/anchore-image-validator tag: 0.0.2 - pullPolicy: Always + pullPolicy: IfNotPresent service: name: anchoreimagecheck type: ClusterIP From 45910c20ee876e882b09484cc7f1f0a34e30147b Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Thu, 4 Oct 2018 21:53:30 +0200 Subject: [PATCH 14/66] fix kind in whitelist-crd (#384) --- Chart.yaml | 2 +- templates/whitelist-crd.yaml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index ea9f5be..7494672 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: anchore-policy-validator -version: 0.1.1 +version: 0.1.2 keywords: - analysis - "anchore-policy-validator" diff --git a/templates/whitelist-crd.yaml b/templates/whitelist-crd.yaml index ac3da0d..2ffe17c 100644 --- a/templates/whitelist-crd.yaml +++ b/templates/whitelist-crd.yaml @@ -1,14 +1,14 @@ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - name: whitelists.security.banzaicloud.com + name: whitelistitems.security.banzaicloud.com spec: group: security.banzaicloud.com version: v1alpha1 names: - kind: WhiteList - plural: whitelists - singular: whitelist + kind: WhiteListItem + plural: whitelistitems + singular: whitelistitem shortnames: - wl scope: Cluster 
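Review bot: The bundle activated by `anchore-cli policy activate 97b33e2c-3b57-4a3f-a12b-a8c0daa472a0` is identified only by a UUID that has to agree with the `id` of one of the bundles in the policy ConfigMap, and nothing in the job says which of the five newly added bundles that is. A comment before the activate line, e.g. `# activate the <bundle-name> bundle; the id must match its "id" in the default-policy ConfigMap`, would make that coupling visible. With `set -ex` in effect, a second run of the script (the Job restarts on failure) presumably stops at the first `policy add` of a bundle that already exists unless anchore-cli treats it as an upsert — worth confirming. The script's enclosing `command` block starts outside the hunk.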
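Review bot: `shortnames:` under `names` is not the field the CRD API defines; the field is `shortNames`, so the `wl` alias is dropped silently and `kubectl get wl` will not resolve. The fix is the one-line rename `shortNames:`. This is a context line the commit leaves untouched, but it sits directly beside the renamed `kind`/`plural`/`singular` lines, and reading back the applied CRD with `kubectl get crd whitelistitems.security.banzaicloud.com -o yaml` would show the alias missing.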
From c92fcb443bde1d31936671dfa9151dc8aa0e0ec2 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Mon, 15 Oct 2018 12:46:04 +0200 Subject: [PATCH 15/66] remove releaseName from WhiteListItem Spec and add custom columns --- Chart.yaml | 2 +- templates/audit-crd.yaml | 17 +++++++++++++++++ templates/whitelist-crd.yaml | 14 ++++++++++---- 3 files changed, 28 insertions(+), 5 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index 7494672..32d3cd8 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: anchore-policy-validator -version: 0.1.2 +version: 0.1.3 keywords: - analysis - "anchore-policy-validator" diff --git a/templates/audit-crd.yaml b/templates/audit-crd.yaml index adc17d6..877e783 100644 --- a/templates/audit-crd.yaml +++ b/templates/audit-crd.yaml @@ -39,3 +39,20 @@ spec: properties: state: type: string + additionalPrinterColumns: + - name: ReleaseName + type: string + JSONPath: .spec.releaseName + priority: 1 + - name: Image + type: string + JSONPath: .spec.image + priority: 2 + - name: result + type: string + JSONPath: .spec.result + priority: 3 + - name: action + type: string + JSONPath: .spec.action + priority: 4 \ No newline at end of file diff --git a/templates/whitelist-crd.yaml b/templates/whitelist-crd.yaml index 2ffe17c..18658f9 100644 --- a/templates/whitelist-crd.yaml +++ b/templates/whitelist-crd.yaml @@ -17,13 +17,19 @@ spec: properties: spec: required: - - releaseName - reason - creator properties: - relaseName: - type: string reason: type: string creator: - type: string \ No newline at end of file + type: string + additionalPrinterColumns: + - name: Reason + type: string + JSONPath: .spec.readson + priority: 1 + - name: Creator + type: string + JSONPath: .spec.creator + priority: 2 \ No newline at end of file From f1c187056c949dd3482f4a600a4213df0c0bd423 Mon Sep 17 00:00:00 2001 
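Review bot: The `Reason` printer column points at `JSONPath: .spec.readson`, which does not match the `reason` property defined a few lines above, so the column always prints empty; it should read `JSONPath: .spec.reason`. The same hunk drops `releaseName` from `required` and removes the misspelled `relaseName` property, which is consistent with the commit message. The audit-crd hunk in this commit is fine, though its `result`/`action` column names are lowercase while `ReleaseName`/`Image` are capitalized — one convention would be tidier.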
From: Peter Balogh Date: Mon, 15 Oct 2018 13:23:56 +0200 Subject: [PATCH 16/66] increase nchore-image-validator version --- values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/values.yaml b/values.yaml index 2f98382..b6bd1d9 100644 --- a/values.yaml +++ b/values.yaml @@ -5,7 +5,7 @@ apiService: version: v1beta1 image: repository: banzaicloud/anchore-image-validator - tag: 0.0.2 + tag: 0.0.3 pullPolicy: IfNotPresent service: name: anchoreimagecheck From 4b23e13f15364a0b9fba94185c68c4b26eda0647 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Tue, 16 Oct 2018 15:21:40 +0200 Subject: [PATCH 17/66] change anchore-image-validator version and executable path (#399) --- Chart.yaml | 2 +- templates/validator-deployment.yaml | 2 +- values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index 32d3cd8..e3af378 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: anchore-policy-validator -version: 0.1.3 +version: 0.1.4 keywords: - analysis - "anchore-policy-validator" diff --git a/templates/validator-deployment.yaml b/templates/validator-deployment.yaml index b7fbabd..aecf710 100644 --- a/templates/validator-deployment.yaml +++ b/templates/validator-deployment.yaml @@ -27,7 +27,7 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} command: - - "/anchore-image-validator" + - "/usr/local/bin/anchore-image-validator" - "--audit-log-path=-" - "--tls-cert-file=/var/serving-cert/tls.crt" - "--tls-private-key-file=/var/serving-cert/tls.key" diff --git a/values.yaml b/values.yaml index b6bd1d9..413cfb7 100644 --- a/values.yaml +++ b/values.yaml @@ -5,7 +5,7 @@ apiService: version: v1beta1 image: repository: banzaicloud/anchore-image-validator - tag: 0.0.3 + tag: 0.0.4 pullPolicy: IfNotPresent service: name: anchoreimagecheck 
From 0ab65fd09b03e2eeeef8c41d3e3e3b3daf202096 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Wed, 24 Oct 2018 19:28:47 +0200 Subject: [PATCH 18/66] new version of anchore-image-validator (#423) --- Chart.yaml | 3 ++- values.yaml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index e3af378..c355a87 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,8 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: anchore-policy-validator -version: 0.1.4 +version: 0.1.5 +appVersion: 0.0.5 keywords: - analysis - "anchore-policy-validator" diff --git a/values.yaml b/values.yaml index 413cfb7..c854604 100644 --- a/values.yaml +++ b/values.yaml @@ -5,7 +5,7 @@ apiService: version: v1beta1 image: repository: banzaicloud/anchore-image-validator - tag: 0.0.4 + tag: 0.0.5 pullPolicy: IfNotPresent service: name: anchoreimagecheck From 859f40ffd891da8da2ae3a9f8018a3375ff17e46 Mon Sep 17 00:00:00 2001 From: Ferenc HERNADI Date: Fri, 26 Oct 2018 11:16:08 +0200 Subject: [PATCH 19/66] Selector, Affinity, Tolerations added (#424) --- Chart.yaml | 2 +- templates/validator-deployment.yaml | 8 ++++++++ values.yaml | 12 ++++++++++++ 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/Chart.yaml b/Chart.yaml index c355a87..325cda2 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: anchore-policy-validator -version: 0.1.5 +version: 0.1.6 appVersion: 0.0.5 keywords: - analysis diff --git a/templates/validator-deployment.yaml b/templates/validator-deployment.yaml index aecf710..fb629d8 100644 --- a/templates/validator-deployment.yaml +++ b/templates/validator-deployment.yaml 
@@ -55,3 +55,11 @@ spec: nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} {{- end }} + {{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} + {{- end }} diff --git a/values.yaml b/values.yaml index c854604..3a130b6 100644 --- a/values.yaml +++ b/values.yaml @@ -17,3 +17,15 @@ externalAnchore: anchoreUser: "" anchorePass: "" resources: {} + +## Node selector +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector +nodeSelector: {} + +## Affinity +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +affinity: {} + +## Tolerations +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +tolerations: [] From 7d1440b3231c935ec84f8d49b67b8f8fd13a851c Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Thu, 8 Nov 2018 13:46:40 +0100 Subject: [PATCH 20/66] Add pre and post delete helm hook (#452) * add pre and post delete helm hook * add release namespace in delet hooks * in case of clusterroles remove unnecessary namespace in delete hook --- Chart.yaml | 2 +- templates/post-delete-job.yaml | 81 ++++++++++++++++++++++++++++++++++ templates/pre-delete-job.yaml | 50 +++++++++++++++++++++ 3 files changed, 132 insertions(+), 1 deletion(-) create mode 100644 templates/post-delete-job.yaml create mode 100644 templates/pre-delete-job.yaml diff --git a/Chart.yaml b/Chart.yaml index 325cda2..381c50a 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: anchore-policy-validator -version: 0.1.6 +version: 0.1.7 appVersion: 0.0.5 keywords: - analysis diff --git a/templates/post-delete-job.yaml b/templates/post-delete-job.yaml new file mode 100644 index 0000000..453e61a --- /dev/null +++ b/templates/post-delete-job.yaml 
@@ -0,0 +1,81 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: "{{ .Release.Name }}-post-delete" + labels: + app: {{ template "anchore-policy-validator.fullname" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: validating-webhook + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + labels: + app: {{ template "anchore-policy-validator.fullname" . }} + component: validating-webhook + spec: + serviceAccountName: {{ template "anchore-policy-validator.fullname" . }}-validator + restartPolicy: OnFailure + containers: + - name: delete-clusterrolebinding-init-ca + image: "lachlanevenson/k8s-kubectl" + command: + - kubectl + - delete + - clusterrolebinding.rbac.authorization.k8s.io + - extension-{{ template "anchore-policy-validator.fullname" . }}-init-ca-cluster + - name: delete-clusterrole + image: "lachlanevenson/k8s-kubectl" + command: + - kubectl + - delete + - clusterrole.rbac.authorization.k8s.io + - {{ template "anchore-policy-validator.fullname" . }}-init-ca-cluster + - name: delete-clusterrolebinding-validator + image: "lachlanevenson/k8s-kubectl" + command: + - kubectl + - delete + - clusterrolebinding.rbac.authorization.k8s.io + - {{ template "anchore-policy-validator.fullname" . }}-validator-binding + - name: delete-rolebinding-init-ca + image: "lachlanevenson/k8s-kubectl" + command: + - kubectl + - delete + - rolebindings.rbac.authorization.k8s.io + - extension-{{ template "anchore-policy-validator.fullname" . }}-init-ca-admin + - -n + - {{ .Release.Namespace }} + - name: delete-role-init-ca + image: "lachlanevenson/k8s-kubectl" + command: + - kubectl + - delete + - role + - {{ template "anchore-policy-validator.fullname" . 
}}-init-ca + - -n + - {{ .Release.Namespace }} + - name: delete-serviceaccount-init-ca + image: "lachlanevenson/k8s-kubectl" + command: + - kubectl + - delete + - serviceaccount + - {{ template "anchore-policy-validator.fullname" . }}-init-ca + - -n + - {{ .Release.Namespace }} + - name: delete-serviceaccount-validator + image: "lachlanevenson/k8s-kubectl" + command: + - kubectl + - delete + - serviceaccount + - {{ template "anchore-policy-validator.fullname" . }}-validator + - -n + - {{ .Release.Namespace }} + diff --git a/templates/pre-delete-job.yaml b/templates/pre-delete-job.yaml new file mode 100644 index 0000000..551d103 --- /dev/null +++ b/templates/pre-delete-job.yaml 
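Review bot: The seven `kubectl delete` containers of this Job run concurrently, not in order, and `delete-serviceaccount-validator` removes the very service account (`...-validator`) the pod itself runs as, so a sibling container still in flight at that moment may lose its credentials and fail; a restart under `restartPolicy: OnFailure` then re-runs deletes of objects that are already gone and fails again. Running the steps as `initContainers` (which are sequential) with the service-account deletion last, and passing `--ignore-not-found` to each delete, would make the hook deterministic and idempotent. `image: "lachlanevenson/k8s-kubectl"` carries no tag or digest, so a hook holding cluster-scoped delete rights pulls whatever `latest` resolves to on the default registry at uninstall time; pin it to a digest here and in the pre-delete job added below, which has the same issue.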
@@ -0,0 +1,50 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: "{{ .Release.Name }}-delete-validatingwebhook" + labels: + app: {{ template "anchore-policy-validator.fullname" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: validating-webhook + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + labels: + app: {{ template "anchore-policy-validator.fullname" . }} + component: validating-webhook + spec: + serviceAccountName: {{ template "anchore-policy-validator.fullname" . }}-validator + restartPolicy: OnFailure + containers: + - name: delete-validatingwebhook + image: "lachlanevenson/k8s-kubectl" + command: + - kubectl + - delete + - validatingwebhookconfigurations.admissionregistration.k8s.io + - {{ template "anchore-policy-validator.fullname" . }}.admission.anchore.io + - name: delete-init-ca-configmap + image: "lachlanevenson/k8s-kubectl" + command: + - kubectl + - delete + - configmap + - {{ .Release.Name }}-init-ca + - -n + - {{ .Release.Namespace }} + - name: delete-validatingwebhook-configmap + image: "lachlanevenson/k8s-kubectl" + command: + - kubectl + - delete + - configmap + - {{ .Release.Name }}-validatingwebhook + - -n + - {{ .Release.Namespace }} + From bae821217be78cc95860848dc4258fa70735b018 Mon Sep 17 00:00:00 2001 
From: Peter Balogh Date: Sat, 10 Nov 2018 18:17:34 +0100 Subject: [PATCH 21/66] refactor policyvalidator chart (#464) --- Chart.yaml | 2 +- README-dev.md | 19 ---- README.md | 5 - templates/NOTES.txt | 1 - templates/_helpers.tpl | 20 +++- templates/apiservice-webhook.yaml | 63 +++++++++++ templates/default-policy-job.yaml | 3 - templates/init-ca-configmap.yaml | 110 -------------------- templates/init-ca-job.yaml | 36 ------- templates/init-ca-rbac.yaml | 68 ------------ templates/post-delete-job.yaml | 81 -------------- templates/pre-delete-job.yaml | 50 --------- templates/validating-webhook-configmap.yaml | 53 ---------- templates/validating-webhook-job.yaml | 37 ------- templates/validating-webhook-rbac.yaml | 24 ----- templates/validator-deployment.yaml | 9 +- templates/validator-rbac.yaml | 2 +- 17 files changed, 88 insertions(+), 495 deletions(-) delete mode 100755 README-dev.md create mode 100644 templates/apiservice-webhook.yaml delete mode 100644 templates/init-ca-configmap.yaml delete mode 100644 templates/init-ca-job.yaml delete mode 100644 templates/init-ca-rbac.yaml delete mode 100644 templates/post-delete-job.yaml delete mode 100644 templates/pre-delete-job.yaml delete mode 100644 templates/validating-webhook-configmap.yaml delete mode 100644 templates/validating-webhook-job.yaml delete mode 100644 templates/validating-webhook-rbac.yaml diff --git a/Chart.yaml b/Chart.yaml index 381c50a..36a10e3 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: anchore-policy-validator -version: 0.1.7 +version: 0.2.0 appVersion: 0.0.5 keywords: - analysis diff --git a/README-dev.md b/README-dev.md deleted file mode 100755 index f4d888b..0000000 --- a/README-dev.md +++ /dev/null 
@@ -1,19 +0,0 @@ -# Dev helper - -Due to some resources create with specific deployment method (eg.: create via k8s job), resources has to be deleted manually. - -```bash -export RELEASE_NAME= -helm delete --purge ${RELEASE_NAME} -kubectl delete role ${RELEASE_NAME}-anchore-policy-validator-init-ca -kubectl delete rolebinding extension-${RELEASE_NAME}-anchore-policy-validator-init-ca-admin -kubectl delete configmap ${RELEASE_NAME}-init-ca ${RELEASE_NAME}-default-policy ${RELEASE_NAME}-validatingwebhook -kubectl delete jobs ${RELEASE_NAME}-init-ca ${RELEASE_NAME}-default-policy ${RELEASE_NAME}-create-validatingwebhook -kubectl delete clusterrolebinding extension-${RELEASE_NAME}-anchore-policy-validator-init-ca-cluster -kubectl delete clusterroles ${RELEASE_NAME}-anchore-policy-validator-init-ca-cluster -kubectl delete validatingwebhookconfiguration ${RELEASE_NAME}-anchore-policy-validator.admission.anchore.io -kubectl delete serviceaccount ${RELEASE_NAME}-anchore-policy-validator-init-ca -kubectl delete apiservice v1beta1.admission.example.com -kubectl delete clusterrolebinding ${RELEASE_NAME}-anchore-policy-validator-validator-binding -kubectl delete serviceaccount ${RELEASE_NAME}-anchore-policy-validator-validator -``` diff --git a/README.md b/README.md index 3da094c..2ac6c5b 100644 --- a/README.md +++ b/README.md @@ -49,8 +49,3 @@ The following tables lists configurable parameters of the anchore-policy-validat |externalAnchore.anchoreHost |external anchore-engine host |"" | |externalAnchore.anchoreUser |external anchore-engine username |"" | |externalAnchore.anchorePass |external anchore-engine password |"" | - -[Due to some resource create with jobs, these resources has to be deleted by manually.](README-dev.md) - -This chart based on: -[Vic Iglesias' kubernetes-anchore-image-validator](https://github.com/viglesiasce/kubernetes-anchore-image-validator) diff --git a/templates/NOTES.txt b/templates/NOTES.txt index a922c2a..e69de29 100644 --- a/templates/NOTES.txt 
+++ b/templates/NOTES.txt @@ -1 +0,0 @@ -validatingwebhookConfigureation created :{{ template "anchore-policy-validator.fullname" . }}.admission.anchore.io diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 8002210..c120d6d 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -2,10 +2,6 @@ {{/* Expand the name of the chart. */}} -{{- define "anchore-policy-validator.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - {{- define "anchore-policy-validator.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} @@ -13,8 +9,24 @@ Expand the name of the chart. {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. */}} {{- define "anchore-policy-validator.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "anchore-policy-validator.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/templates/apiservice-webhook.yaml b/templates/apiservice-webhook.yaml new file mode 100644 index 0000000..5d18102 --- /dev/null +++ b/templates/apiservice-webhook.yaml 
@@ -0,0 +1,63 @@ +{{ $ca := genCA "svc-cat-ca" 3650 }} +{{ $cn := printf "%s-%s.%s.svc" .Release.Name .Chart.Name .Release.Namespace }} +{{ $server := genSignedCert $cn nil nil 365 $ca }} + +apiVersion: v1 +kind: List +metadata: +items: + +- apiVersion: v1 + kind: Secret + metadata: + name: {{ template "anchore-policy-validator.name" . }} + type: kubernetes.io/tls + data: + servingCert: {{ b64enc $server.Cert }} + servingKey: {{ b64enc $server.Key }} + caCert: {{ b64enc $ca.Cert }} + +- apiVersion: apiregistration.k8s.io/v1beta1 + kind: APIService + metadata: + name: {{ .Values.apiService.version }}.{{ .Values.apiService.group }} + spec: + caBundle: {{ b64enc $ca.Cert }} + group: {{ .Values.apiService.group }} + groupPriorityMinimum: 1000 + versionPriority: 15 + service: + name: {{ template "anchore-policy-validator.fullname" . }} + namespace: {{ .Release.Namespace }} + version: {{ .Values.apiService.version }} + +- apiVersion: admissionregistration.k8s.io/v1beta1 + kind: ValidatingWebhookConfiguration + metadata: + name: {{ template "anchore-policy-validator.fullname" . }}.admission.anchore.io + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "5" + webhooks: + - name: {{ template "anchore-policy-validator.fullname" . }}.admission.anchore.io + clientConfig: + service: + namespace: default + name: kubernetes + path: /apis/{{ .Values.apiService.group }}/v1beta1/imagechecks + caBundle: {{ b64enc $ca.Cert }} + rules: + - operations: + - CREATE + apiGroups: + - "" + apiVersions: + - "*" + resources: + - pods + failurePolicy: Fail + namespaceSelector: + matchExpressions: + - key: scan + operator: NotIn + values: [noscan] \ No newline at end of file diff --git a/templates/default-policy-job.yaml b/templates/default-policy-job.yaml index 68ffbd8..6cb3680 100644 --- a/templates/default-policy-job.yaml +++ b/templates/default-policy-job.yaml 
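Review bot: The serving certificate's CN is built by `printf "%s-%s.%s.svc" .Release.Name .Chart.Name .Release.Namespace`, but the APIService below routes to `service.name: {{ template "anchore-policy-validator.fullname" . }}`, and with the fullname helper rewritten in this same commit that name collapses to `.Release.Name` whenever the release name contains the chart name (and to `fullnameOverride` when set), so the hostname the aggregator verifies will not match the certificate. `genSignedCert $cn nil nil 365 $ca` also issues the certificate with no SAN, and TLS clients built on recent Go verify hostnames against SANs only, ignoring CN. Deriving the CN from the same helper and adding it as a DNS SAN fixes both: `{{ $cn := printf "%s.%s.svc" (include "anchore-policy-validator.fullname" .) .Release.Namespace }}` and `{{ $server := genSignedCert $cn nil (list $cn) 365 $ca }}`. Because `genCA`/`genSignedCert` run at render time, every `helm upgrade` mints a fresh CA and key pair and rotates the Secret and both `caBundle` values while the running validator pod keeps serving the old certificate until restarted, so upgrades presumably open a window of TLS failures unless the Deployment carries a checksum annotation over the Secret. The ValidatingWebhookConfiguration's `caBundle` is this chart's CA while its `clientConfig` targets the `kubernetes` service in `default`, whose serving certificate is signed by the cluster CA rather than this one — confirm that path actually verifies.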
@@ -9,9 +9,6 @@ metadata: release: {{ .Release.Name }} heritage: {{ .Release.Service }} component: default-policy - annotations: - "helm.sh/hook": post-install - "helm.sh/hook-delete-policy": hook-succeeded spec: template: metadata: diff --git a/templates/init-ca-configmap.yaml b/templates/init-ca-configmap.yaml deleted file mode 100644 index c08efa5..0000000 --- a/templates/init-ca-configmap.yaml +++ /dev/null 
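Review bot: Removing the `helm.sh/hook: post-install` and `hook-delete-policy` annotations turns the default-policy Job into an ordinary release resource, and a Job's pod template is immutable once created, so a later `helm upgrade` that changes this template (the script or its scheduling fields) will presumably be rejected with a field-is-immutable error instead of re-running the job. If keeping it a plain resource is intended, a short comment in the template stating why the hook was dropped and how the job is expected to be re-run would help the next maintainer; otherwise keeping the hook with `"helm.sh/hook-delete-policy": before-hook-creation` re-creates it on each install and upgrade. The Job's `spec` continues outside the hunk.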
@@ -1,110 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{.Release.Name}}-init-ca - labels: - app: {{ template "anchore-policy-validator.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - component: admission-server - annotations: - "helm.sh/hook": pre-install - "helm.sh/hook-weight": "-5" -data: - init-ca.sh: |- - #!/bin/bash -xe - # Adapted from https://github.com/openshift/kubernetes-namespace-reservation/blob/master/hack/install-kube.sh - apt-get update && apt-get install -y jq - - curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl - chmod +x ./kubectl - mv ./kubectl /usr/bin - - # creates a client CA, args are sudo, dest-dir, ca-id, purpose - # purpose is dropped in after "key encipherment", you usually want - # '"client auth"' - # '"server auth"' - # '"client auth","server auth"' - function kube::util::create_signing_certkey { - local sudo=$1 - local dest_dir=$2 - local id=$3 - local purpose=$4 - # Create client ca - ${sudo} /bin/bash -e < "${dest_dir}/${id}-ca-config.json" - EOF - } - - # signs a serving certificate: args are sudo, dest-dir, ca, filename (roughly), subject, hosts... 
- function kube::util::create_serving_certkey { - local sudo=$1 - local dest_dir=$2 - local ca=$3 - local id=$4 - local cn=${5:-$4} - local hosts="" - local SEP="" - shift 5 - while [ -n "${1:-}" ]; do - hosts+="${SEP}\"$1\"" - SEP="," - shift 1 - done - ${sudo} /bin/bash -e </dev/null || { echo "Please install jq (https://stedolan.github.io/jq/)."; exit 1; } - which cfssljson &>/dev/null || { echo "Please install cfssljson (https://github.com/cloudflare/cfssl))."; exit 1; } - - # create necessary TLS certificates: - # - a local CA key and cert - # - a webhook server key and cert signed by the local CA - rm -rf ./_output/ - CERT_DIR=_output/tmp/certs - mkdir -p "${CERT_DIR}" - kube::util::create_signing_certkey "" "${CERT_DIR}" serving '"server auth"' - - # create webhook server key and cert - kube::util::create_serving_certkey "" "${CERT_DIR}" "serving-ca" {{ template "anchore-policy-validator.fullname" . }}.{{ .Release.Namespace }}.svc "{{ template "anchore-policy-validator.fullname" . }}.{{ .Release.Namespace }}.svc" "{{ template "anchore-policy-validator.fullname" . }}.{{ .Release.Namespace }}.svc" - - cat > secret.yaml < api-service.yaml < validatingwebhook.yaml < Date: Mon, 12 Nov 2018 10:32:26 +0100 Subject: [PATCH 22/66] add additional information to image --- templates/audit-crd.yaml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/templates/audit-crd.yaml b/templates/audit-crd.yaml index 877e783..6146426 100644 --- a/templates/audit-crd.yaml +++ b/templates/audit-crd.yaml @@ -28,7 +28,16 @@ spec: image: type: array items: - type: string + type: object + properties: + imageName: + type: string + imageTag: + type: string + imageDigest: + type: string + lastUpdated: + type: string result: type: array items: @@ -46,7 +55,7 @@ spec: priority: 1 - name: Image type: string - JSONPath: .spec.image + JSONPath: .spec.image[*].imageName priority: 2 - name: result type: string 
From 041f63cbeed821103efe29f3da1418a8a8efc4c9 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Mon, 12 Nov 2018 12:38:10 +0100 Subject: [PATCH 23/66] use image-validator version 0.1.0 --- Chart.yaml | 4 ++-- values.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index 36a10e3..edb72b9 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: anchore-policy-validator -version: 0.2.0 -appVersion: 0.0.5 +version: 0.2.1 +appVersion: 0.1.0 keywords: - analysis - "anchore-policy-validator" diff --git a/values.yaml b/values.yaml index 3a130b6..808a619 100644 --- a/values.yaml +++ b/values.yaml @@ -5,7 +5,7 @@ apiService: version: v1beta1 image: repository: banzaicloud/anchore-image-validator - tag: 0.0.5 + tag: 0.1.0 pullPolicy: IfNotPresent service: name: anchoreimagecheck From 1617b90cf683def2e0e4a53b27353c44fe07884e Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Fri, 30 Nov 2018 15:01:38 +0100 Subject: [PATCH 24/66] bump image-validator version, add taints and tolerations (#529) --- Chart.yaml | 4 ++-- templates/default-policy-job.yaml | 12 ++++++++++++ templates/whitelist-crd.yaml | 2 +- values.yaml | 2 +- 4 files changed, 16 insertions(+), 4 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index edb72b9..3ca01ca 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: anchore-policy-validator -version: 0.2.1 -appVersion: 0.1.0 +version: 0.2.2 +appVersion: 0.1.1 keywords: - analysis - "anchore-policy-validator" diff --git a/templates/default-policy-job.yaml b/templates/default-policy-job.yaml index 6cb3680..4f3c6f5 100644 --- a/templates/default-policy-job.yaml +++ b/templates/default-policy-job.yaml 
@@ -44,3 +44,15 @@ spec: anchore-cli policy add /policy/reject-critical.json anchore-cli policy add /policy/block-root.json anchore-cli policy activate 97b33e2c-3b57-4a3f-a12b-a8c0daa472a0 + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} + {{- end }} \ No newline at end of file diff --git a/templates/whitelist-crd.yaml b/templates/whitelist-crd.yaml index 18658f9..60fc188 100644 --- a/templates/whitelist-crd.yaml +++ b/templates/whitelist-crd.yaml @@ -27,7 +27,7 @@ spec: additionalPrinterColumns: - name: Reason type: string - JSONPath: .spec.readson + JSONPath: .spec.reason priority: 1 - name: Creator type: string diff --git a/values.yaml b/values.yaml index 808a619..9f4d7fd 100644 --- a/values.yaml +++ b/values.yaml @@ -5,7 +5,7 @@ apiService: version: v1beta1 image: repository: banzaicloud/anchore-image-validator - tag: 0.1.0 + tag: 0.1.1 pullPolicy: IfNotPresent service: name: anchoreimagecheck From 149a7583abcd19f4cccd34cf20d4a9d122da8c37 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Tue, 4 Dec 2018 14:57:23 +0100 Subject: [PATCH 25/66] delete default anchore policy bundle (#554) --- Chart.yaml | 2 +- templates/default-policy-job.yaml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Chart.yaml b/Chart.yaml index 3ca01ca..f43261b 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: anchore-policy-validator -version: 0.2.2 +version: 0.2.3 appVersion: 0.1.1 keywords: - analysis diff --git a/templates/default-policy-job.yaml b/templates/default-policy-job.yaml index 4f3c6f5..2bdda5c 100644 --- a/templates/default-policy-job.yaml +++ b/templates/default-policy-job.yaml 
@@ -44,6 +44,7 @@ spec: anchore-cli policy add /policy/reject-critical.json anchore-cli policy add /policy/block-root.json anchore-cli policy activate 97b33e2c-3b57-4a3f-a12b-a8c0daa472a0 + anchore-cli policy del 2c53a13c-1765-11e8-82ef-23527761d060 {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} From e4ca0d723b0bb7e79acb06c53b9ba1c111e01a36 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Tue, 4 Dec 2018 19:18:42 +0100 Subject: [PATCH 26/66] add whitelist regexp --- Chart.yaml | 4 ++-- templates/whitelist-crd.yaml | 2 ++ values.yaml | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index f43261b..55fc190 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: anchore-policy-validator -version: 0.2.3 -appVersion: 0.1.1 +version: 0.2.4 +appVersion: 0.1.2 keywords: - analysis - "anchore-policy-validator" diff --git a/templates/whitelist-crd.yaml b/templates/whitelist-crd.yaml index 60fc188..a167db3 100644 --- a/templates/whitelist-crd.yaml +++ b/templates/whitelist-crd.yaml @@ -24,6 +24,8 @@ spec: type: string creator: type: string + regexp: + type: string additionalPrinterColumns: - name: Reason type: string diff --git a/values.yaml b/values.yaml index 9f4d7fd..b95793e 100644 --- a/values.yaml +++ b/values.yaml @@ -5,7 +5,7 @@ apiService: version: v1beta1 image: repository: banzaicloud/anchore-image-validator - tag: 0.1.1 + tag: 0.1.2 pullPolicy: IfNotPresent service: name: anchoreimagecheck From b6128603c136b5dc043d09007bc7e69b4144ba25 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Thu, 6 Dec 2018 10:17:39 +0100 Subject: [PATCH 27/66] bump anchore-image-validator version (#561) --- Chart.yaml | 4 ++-- values.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index 55fc190..ccdb1c0 100644 --- a/Chart.yaml +++ b/Chart.yaml 
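Review bot: `anchore-cli policy del 2c53a13c-1765-11e8-82ef-23527761d060` hard-codes the id of the engine's built-in default bundle and runs under `set -e`, so any re-run of this container (the Job restarts on failure) after that bundle is already gone exits non-zero on this line and the Job never completes. Make the deletion explicitly best-effort, `anchore-cli policy del 2c53a13c-1765-11e8-82ef-23527761d060 || true`, and say in a comment what the id is: `# remove the bundle anchore-engine ships by default so only the chart's bundles remain`. The surrounding script starts outside the hunk.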
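Review bot: The new `regexp` property is constrained only by `type: string`, and since this CRD is cluster-scoped and a WhiteListItem presumably exempts matching images from validation, a permissive expression (the matching semantics are inferred from the name — the schema does not document them) would exempt everything for anyone allowed to create the resource. Add a `description` to the property stating what the expression is matched against and whether it is anchored, and consider a `maxLength` so the validator is not handed arbitrarily large patterns. Create rights on `whitelistitems.security.banzaicloud.com` amount to admission-bypass rights and deserve a mention in the chart README.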
@@ -1,8 +1,8 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: anchore-policy-validator -version: 0.2.4 -appVersion: 0.1.2 +version: 0.2.5 +appVersion: 0.2.0 keywords: - analysis - "anchore-policy-validator" diff --git a/values.yaml b/values.yaml index b95793e..6fbc1c2 100644 --- a/values.yaml +++ b/values.yaml @@ -5,7 +5,7 @@ apiService: version: v1beta1 image: repository: banzaicloud/anchore-image-validator - tag: 0.1.2 + tag: 0.2.0 pullPolicy: IfNotPresent service: name: anchoreimagecheck From 4d71314c8a24be5be86157ee41f3e9e19bc1c8c8 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Tue, 11 Dec 2018 15:22:54 +0100 Subject: [PATCH 28/66] ValidatingWebhookConfiguration is created by image-validator (#568) --- Chart.yaml | 4 ++-- templates/apiservice-webhook.yaml | 31 ----------------------------- templates/validator-deployment.yaml | 8 ++++++++ values.yaml | 2 +- 4 files changed, 11 insertions(+), 34 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index ccdb1c0..8011f32 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: anchore-policy-validator -version: 0.2.5 -appVersion: 0.2.0 +version: 0.3.0 +appVersion: 0.3.0 keywords: - analysis - "anchore-policy-validator" diff --git a/templates/apiservice-webhook.yaml b/templates/apiservice-webhook.yaml index 5d18102..823f832 100644 --- a/templates/apiservice-webhook.yaml +++ b/templates/apiservice-webhook.yaml 
@@ -30,34 +30,3 @@ items: name: {{ template "anchore-policy-validator.fullname" . }} namespace: {{ .Release.Namespace }} version: {{ .Values.apiService.version }} - -- apiVersion: admissionregistration.k8s.io/v1beta1 - kind: ValidatingWebhookConfiguration - metadata: - name: {{ template "anchore-policy-validator.fullname" . }}.admission.anchore.io - annotations: - "helm.sh/hook": post-install - "helm.sh/hook-weight": "5" - webhooks: - - name: {{ template "anchore-policy-validator.fullname" . }}.admission.anchore.io - clientConfig: - service: - namespace: default - name: kubernetes - path: /apis/{{ .Values.apiService.group }}/v1beta1/imagechecks - caBundle: {{ b64enc $ca.Cert }} - rules: - - operations: - - CREATE - apiGroups: - - "" - apiVersions: - - "*" - resources: - - pods - failurePolicy: Fail - namespaceSelector: - matchExpressions: - - key: scan - operator: NotIn - values: [noscan] \ No newline at end of file diff --git a/templates/validator-deployment.yaml b/templates/validator-deployment.yaml index 916ec8f..af191c8 100644 --- a/templates/validator-deployment.yaml +++ b/templates/validator-deployment.yaml @@ -33,6 +33,14 @@ spec: - "--tls-private-key-file=/var/serving-cert/servingKey" - "--v={{ .Values.logVerbosity }}" env: + - name: KUBERNETES_NAMESPACE + value: {{ .Release.Namespace }} + - name: ANCHORE_APISERVICE_GROUP + value: {{ .Values.apiService.group }} + - name: ANCHORE_APISERVICE_VERSION + value: {{ .Values.apiService.version }} + - name: ANCHORE_RELEASE_NAME + value: {{ template "anchore-policy-validator.name" . }} - name: ANCHORE_ENGINE_USERNAME value: {{ .Values.externalAnchore.anchoreUser }} - name: ANCHORE_ENGINE_PASSWORD diff --git a/values.yaml b/values.yaml index 6fbc1c2..10db8ac 100644 --- a/values.yaml +++ b/values.yaml @@ -5,7 +5,7 @@ apiService: version: v1beta1 image: repository: banzaicloud/anchore-image-validator - tag: 0.2.0 + tag: 0.3.0 pullPolicy: IfNotPresent service: name: anchoreimagecheck 
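Review bot: With the ValidatingWebhookConfiguration now registered by the binary using the new env vars, the chart no longer pins or exposes the `failurePolicy: Fail` and the `scan=noscan` namespace exclusion the removed block carried, and the ServiceAccount needs `create` on `validatingwebhookconfigurations`, which judging by the cluster-admin binding removed later in this series was at this point satisfied only by cluster-admin. I would comment the new block, e.g. `# consumed by the validator to register its ValidatingWebhookConfiguration at start-up; failurePolicy/namespaceSelector are chosen by the binary`, and add an explicit RBAC rule for that resource rather than relying on cluster-admin. The `ANCHORE_ENGINE_PASSWORD` context line still injects the password as a plain value from values.yaml; a `valueFrom.secretKeyRef` would keep it out of the rendered manifest and `kubectl describe` output. The container's env list continues outside the hunk.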
From 806d20dcdbef8e9e0ec0a0dcd051ff71106673de Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Tue, 18 Dec 2018 14:54:59 +0100 Subject: [PATCH 29/66] use fullname in case of secret name and job (#579) --- Chart.yaml | 2 +- templates/apiservice-webhook.yaml | 2 +- templates/default-policy-job.yaml | 2 +- templates/validator-deployment.yaml | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index 8011f32..ade9f49 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: anchore-policy-validator -version: 0.3.0 +version: 0.3.1 appVersion: 0.3.0 keywords: - analysis diff --git a/templates/apiservice-webhook.yaml b/templates/apiservice-webhook.yaml index 823f832..9825601 100644 --- a/templates/apiservice-webhook.yaml +++ b/templates/apiservice-webhook.yaml @@ -10,7 +10,7 @@ items: - apiVersion: v1 kind: Secret metadata: - name: {{ template "anchore-policy-validator.name" . }} + name: {{ template "anchore-policy-validator.fullname" . }} type: kubernetes.io/tls data: servingCert: {{ b64enc $server.Cert }} diff --git a/templates/default-policy-job.yaml b/templates/default-policy-job.yaml index 2bdda5c..173a252 100644 --- a/templates/default-policy-job.yaml +++ b/templates/default-policy-job.yaml @@ -2,7 +2,7 @@ apiVersion: batch/v1 kind: Job metadata: - name: "{{ .Release.Name }}-default-policy" + name: "{{ template "anchore-policy-validator.fullname" . }}-default-policy" labels: app: {{ template "anchore-policy-validator.fullname" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} diff --git a/templates/validator-deployment.yaml b/templates/validator-deployment.yaml index af191c8..0a24e3c 100644 --- a/templates/validator-deployment.yaml +++ b/templates/validator-deployment.yaml 
@@ -21,7 +21,7 @@ spec: - name: serving-cert secret: defaultMode: 420 - secretName: {{ template "anchore-policy-validator.name" . }} + secretName: {{ template "anchore-policy-validator.fullname" . }} containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" @@ -40,7 +40,7 @@ spec: - name: ANCHORE_APISERVICE_VERSION value: {{ .Values.apiService.version }} - name: ANCHORE_RELEASE_NAME - value: {{ template "anchore-policy-validator.name" . }} + value: {{ template "anchore-policy-validator.fullname" . }} - name: ANCHORE_ENGINE_USERNAME value: {{ .Values.externalAnchore.anchoreUser }} - name: ANCHORE_ENGINE_PASSWORD From c9619d66f5be37c0c5e62fd3e4958d8eeb49fe56 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C5=90ry=2C=20M=C3=A1t=C3=A9?= Date: Wed, 19 Dec 2018 16:13:34 +0100 Subject: [PATCH 30/66] add maintainers to all charts' metadata (#580) * add maintainers to all charts * Update Chart.yaml --- Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index ade9f49..6084832 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 -description: A Helm chart for Kubernetes +description: A Helm chart for anchore-policy-validator admission controller name: anchore-policy-validator -version: 0.3.1 +version: 0.3.2 appVersion: 0.3.0 keywords: - analysis From 878c39fa82b2a3da3df5d0775064b2b0a794450c Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Mon, 7 Jan 2019 11:53:25 +0100 Subject: [PATCH 31/66] fix anchore-policy-validator README --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 2ac6c5b..0c15866 100644 --- a/README.md +++ b/README.md 
@@ -39,8 +39,8 @@ The following tables lists configurable parameters of the anchore-policy-validat |logVerbosity |log verbosity level |8 | |apiService.group |group of registered api service |admission.anchore.io | |apiService.version |version of registered api service |v1beta1 | -|image.repository |admission-server image repo |viglesiasce/anchore-image-admission-server| -|image.tag |admission-server image tag |latest | +|image.repository |admission-server image repo |banzaicloud/anchore-image-validator | +|image.tag |admission-server image tag |0.3.0 | |image.pullPolicy |admission-server image pull policy |IfNotPresent | |service.name |validation sevice name |anchoreimagecheck | |service.type |validation service type |ClusterIP | From a1d267e1e0bbaba29c56dc247b1be31528ce018e Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Sat, 12 Jan 2019 19:39:17 +0100 Subject: [PATCH 32/66] add unauthenticated discovery binding --- Chart.yaml | 2 +- templates/validator-rbac.yaml | 13 +++++++++++++ values.yaml | 2 +- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index 6084832..f2bd948 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 description: A Helm chart for anchore-policy-validator admission controller name: anchore-policy-validator -version: 0.3.2 +version: 0.3.3 appVersion: 0.3.0 keywords: - analysis diff --git a/templates/validator-rbac.yaml b/templates/validator-rbac.yaml index 62897a4..a8cb313 100644 --- a/templates/validator-rbac.yaml +++ b/templates/validator-rbac.yaml 
@@ -70,3 +70,16 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "anchore-policy-validator.fullname" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: anchore-unauth-discovery +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:discovery +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:unauthenticated \ No newline at end of file diff --git a/values.yaml b/values.yaml index 10db8ac..5106c1e 100644 --- a/values.yaml +++ b/values.yaml @@ -1,5 +1,5 @@ replicaCount: 1 -logVerbosity: 8 +logVerbosity: 1 apiService: group: admission.anchore.io version: v1beta1 From aff4d9e96fb071a661095fce775ee174f53cd85a Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Mon, 25 Feb 2019 13:28:28 +0100 Subject: [PATCH 33/66] images without setcap --- Chart.yaml | 4 ++-- values.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index f2bd948..e2f3aba 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 description: A Helm chart for anchore-policy-validator admission controller name: anchore-policy-validator -version: 0.3.3 -appVersion: 0.3.0 +version: 0.3.4 +appVersion: 0.3.1 keywords: - analysis - "anchore-policy-validator" diff --git a/values.yaml b/values.yaml index 5106c1e..654590a 100644 --- a/values.yaml +++ b/values.yaml @@ -5,7 +5,7 @@ apiService: version: v1beta1 image: repository: banzaicloud/anchore-image-validator - tag: 0.3.0 + tag: 0.3.1 pullPolicy: IfNotPresent service: name: anchoreimagecheck From d0954fd2768cd9345cb11422078eac91362f5c23 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Thu, 7 Mar 2019 10:34:29 +0100 Subject: [PATCH 34/66] use unprivileged internalPort (#696) --- Chart.yaml | 4 ++-- templates/validator-deployment.yaml | 4 ++++ values.yaml | 4 ++-- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index e2f3aba..757c308 100644 
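Review bot: The new ClusterRoleBinding grants `system:discovery` to the `system:unauthenticated` group cluster-wide, re-opening anonymous API discovery that upstream Kubernetes stopped granting by default in 1.14 — anyone who can reach the API server can then enumerate every installed API group and resource, including this chart's CRDs. It is also unconditional and fixed-name (`anchore-unauth-discovery`), so it cannot be switched off through values and collides when the chart is installed twice. If the aggregated API server really needs it (the commit does not say why), gate it with `{{- if .Values.unauthenticatedDiscovery }}` … `{{- end }}`, default the value to `false`, and document the reason in the README.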
--- a/Chart.yaml +++ b/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 description: A Helm chart for anchore-policy-validator admission controller name: anchore-policy-validator -version: 0.3.4 -appVersion: 0.3.1 +version: 0.3.5 +appVersion: 0.3.2 keywords: - analysis - "anchore-policy-validator" diff --git a/templates/validator-deployment.yaml b/templates/validator-deployment.yaml index 0a24e3c..6023ee9 100644 --- a/templates/validator-deployment.yaml +++ b/templates/validator-deployment.yaml @@ -32,6 +32,7 @@ spec: - "--tls-cert-file=/var/serving-cert/servingCert" - "--tls-private-key-file=/var/serving-cert/servingKey" - "--v={{ .Values.logVerbosity }}" + - "--secure-port={{ .Values.service.internalPort }}" env: - name: KUBERNETES_NAMESPACE value: {{ .Release.Namespace }} @@ -47,6 +48,9 @@ spec: value: {{ .Values.externalAnchore.anchorePass }} - name: ANCHORE_ENGINE_URL value: {{ .Values.externalAnchore.anchoreHost }} + securityContext: + runAsUser: 65534 + allowPrivilegeEscalation: false ports: - containerPort: {{ .Values.service.internalPort }} livenessProbe: diff --git a/values.yaml b/values.yaml index 654590a..706469f 100644 --- a/values.yaml +++ b/values.yaml @@ -5,13 +5,13 @@ apiService: version: v1beta1 image: repository: banzaicloud/anchore-image-validator - tag: 0.3.1 + tag: 0.3.2 pullPolicy: IfNotPresent service: name: anchoreimagecheck type: ClusterIP externalPort: 443 - internalPort: 443 + internalPort: 8443 externalAnchore: anchoreHost: "" anchoreUser: "" From 505becac13a88c522101fdcbe6b299d245837624 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Fri, 12 Apr 2019 09:12:13 +0200 Subject: [PATCH 35/66] add psp --- templates/validator-deployment.yaml | 4 ++- templates/validator-psp.yaml | 53 +++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 templates/validator-psp.yaml diff --git a/templates/validator-deployment.yaml b/templates/validator-deployment.yaml index 6023ee9..800acd2 100644 
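Review bot: The new container `securityContext` sets `runAsUser: 65534` and `allowPrivilegeEscalation: false` but neither `runAsNonRoot: true` nor a capability drop, so the hardening rests on the numeric UID alone and an image that later ships a root `USER` would still be admitted unchecked. I would add `runAsNonRoot: true` and `capabilities: { drop: ["ALL"] }` next to the two new keys; since this same commit moves the secure port to 8443, the process no longer needs `NET_BIND_SERVICE`. The container definition continues outside the hunk.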
--- a/templates/validator-deployment.yaml +++ b/templates/validator-deployment.yaml @@ -49,8 +49,10 @@ spec: - name: ANCHORE_ENGINE_URL value: {{ .Values.externalAnchore.anchoreHost }} securityContext: - runAsUser: 65534 + readOnlyRootFilesystem: true allowPrivilegeEscalation: false + runAsUser: 65534 + fsGroup: 65534 ports: - containerPort: {{ .Values.service.internalPort }} livenessProbe: diff --git a/templates/validator-psp.yaml b/templates/validator-psp.yaml new file mode 100644 index 0000000..91bd4a9 --- /dev/null +++ b/templates/validator-psp.yaml @@ -0,0 +1,53 @@ +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + creationTimestamp: null + name: psp.imagevalidator +spec: + readOnlyRootFilesystem: true + privileged: false + allowPrivilegeEscalation: false + runAsUser: + rule: MustRunAsNonRoot + fsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + supplementalGroups: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + seLinux: + rule: RunAsAny + volumes: + - secret +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: psp:{{ template "anchore-policy-validator.fullname" . }} +roleRef: + kind: Role + apiGroup: rbac.authorization.k8s.io + name: psp:{{ template "anchore-policy-validator.fullname" . }} +subjects: +- kind: ServiceAccount + namespace: {{ .Release.Namespace }} + name: {{ template "anchore-policy-validator.fullname" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: psp:{{ template "anchore-policy-validator.fullname" . }} +rules: +- apiGroups: + - policy + resourceNames: + - psp.imagevalidator + resources: + - podsecuritypolicies + verbs: + - use +--- \ No newline at end of file From 956cf1496434df536bcee0112dab88677659a7b6 Mon Sep 17 00:00:00 2001 
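Review bot: `fsGroup` is a pod-level field (`spec.securityContext`), not a container-level one, and this hunk places it in the container's `securityContext` next to `readOnlyRootFilesystem`; the API server prunes unknown fields unless strict validation is requested, so the setting never takes effect and the `fsGroup: MustRunAs` range in the PSP added by the same commit is met only by whatever the admission controller defaults. Move it to the pod spec — `securityContext:` / `  fsGroup: 65534` at the indentation of `volumes:` — and keep `runAsUser`, `readOnlyRootFilesystem` and `allowPrivilegeEscalation` where they are. The pod spec starts above the hunk, so the exact insertion point is outside this view.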
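Review bot: The new PodSecurityPolicy forbids root and privilege escalation but does not drop Linux capabilities, so a pod admitted under it keeps the runtime's default set (CHOWN, SETUID, NET_RAW and friends under Docker); add `requiredDropCapabilities: ["ALL"]` to `spec`, which the validator can satisfy now that it listens on an unprivileged port. `hostNetwork`, `hostPID` and `hostIPC` default to false and `volumes` is limited to `secret`, which is appropriate for this workload. As a small cleanup, `creationTimestamp: null` in `metadata` is a leftover from `kubectl ... -o yaml` export and should be removed.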
From: Peter Balogh Date: Tue, 16 Apr 2019 10:10:17 +0200 Subject: [PATCH 36/66] use emptydir for /tmp --- Chart.yaml | 4 ++-- templates/validator-deployment.yaml | 9 ++++----- templates/validator-psp.yaml | 4 +++- values.yaml | 4 +++- 4 files changed, 12 insertions(+), 9 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index 757c308..72bcd58 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 description: A Helm chart for anchore-policy-validator admission controller name: anchore-policy-validator -version: 0.3.5 -appVersion: 0.3.2 +version: 0.4.0 +appVersion: 0.3.3 keywords: - analysis - "anchore-policy-validator" diff --git a/templates/validator-deployment.yaml b/templates/validator-deployment.yaml index 800acd2..6977275 100644 --- a/templates/validator-deployment.yaml +++ b/templates/validator-deployment.yaml @@ -22,6 +22,8 @@ spec: secret: defaultMode: 420 secretName: {{ template "anchore-policy-validator.fullname" . }} + - name: tmp + emptyDir: {} containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" @@ -60,14 +62,11 @@ spec: path: /healthz port: {{ .Values.service.internalPort }} scheme: HTTPS - readinessProbe: - httpGet: - path: /healthz - port: {{ .Values.service.internalPort }} - scheme: HTTPS volumeMounts: - mountPath: /var/serving-cert name: serving-cert + - mountPath: /tmp + name: tmp resources: {{ toYaml .Values.resources | indent 12 }} {{- if .Values.nodeSelector }} diff --git a/templates/validator-psp.yaml b/templates/validator-psp.yaml index 91bd4a9..8128520 100644 --- a/templates/validator-psp.yaml +++ b/templates/validator-psp.yaml @@ -1,3 +1,4 @@ +{{- if and .Values.pspEnabled }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: @@ -23,6 +24,7 @@ spec: rule: RunAsAny volumes: - secret + - emptyDir --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
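Review bot: The hunk drops the HTTPS `readinessProbe` while keeping the `livenessProbe`, so a new replica becomes a Service endpoint as soon as its container starts rather than when `/healthz` answers; if the webhook the validator registers still uses `failurePolicy: Fail` as the chart's former configuration did, pod creation in unexcluded namespaces is refused for the window during each rollout in which the API server reaches a pod that is not yet listening. Restore the three removed lines (`readinessProbe:` / `httpGet:` with the same `path`, `port` and `scheme: HTTPS`); if they were removed because the probe itself failed, the cause belongs in the commit message. The `emptyDir` for `/tmp` is the right complement to `readOnlyRootFilesystem: true`.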
@@ -50,4 +52,4 @@ rules: - podsecuritypolicies verbs: - use ---- \ No newline at end of file +{{- end }} \ No newline at end of file diff --git a/values.yaml b/values.yaml index 706469f..28307d6 100644 --- a/values.yaml +++ b/values.yaml @@ -5,7 +5,7 @@ apiService: version: v1beta1 image: repository: banzaicloud/anchore-image-validator - tag: 0.3.2 + tag: 0.3.3 pullPolicy: IfNotPresent service: name: anchoreimagecheck @@ -29,3 +29,5 @@ affinity: {} ## Tolerations ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ tolerations: [] + +pspEnabled: false From 25f66cdfbc6a8205aafea28bb247c904caacf98c Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Tue, 16 Apr 2019 10:13:46 +0200 Subject: [PATCH 37/66] update readme --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 0c15866..fffa6ba 100644 --- a/README.md +++ b/README.md @@ -49,3 +49,4 @@ The following tables lists configurable parameters of the anchore-policy-validat |externalAnchore.anchoreHost |external anchore-engine host |"" | |externalAnchore.anchoreUser |external anchore-engine username |"" | |externalAnchore.anchorePass |external anchore-engine password |"" | +|pspEnabled |add PSP resources if enabled |false | \ No newline at end of file From 6d35b86e710c1d7fc46fa4ca5c0388386b14b7e0 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Tue, 16 Apr 2019 14:57:45 +0200 Subject: [PATCH 38/66] minor fixes --- templates/validator-psp.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/validator-psp.yaml b/templates/validator-psp.yaml index 8128520..8678c1b 100644 --- a/templates/validator-psp.yaml +++ b/templates/validator-psp.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.pspEnabled }} +{{- if .Values.pspEnabled }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: @@ -52,4 +52,4 @@ rules: - podsecuritypolicies verbs: - use -{{- end }} \ No newline at end of file +{{- end }} 
From 3ca83649fa0aa28720fa813e43243dea2ecebbbb Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Tue, 16 Apr 2019 22:00:05 +0200 Subject: [PATCH 39/66] refactor psp --- templates/default-policy-job.yaml | 5 ++++- templates/validator-deployment.yaml | 2 ++ templates/validator-psp.yaml | 31 ++------------------------ templates/validator-rbac.yaml | 34 ++++++++++++++++++++++++++++- values.yaml | 5 ++++- 5 files changed, 45 insertions(+), 32 deletions(-) diff --git a/templates/default-policy-job.yaml b/templates/default-policy-job.yaml index 173a252..e471bf1 100644 --- a/templates/default-policy-job.yaml +++ b/templates/default-policy-job.yaml @@ -15,6 +15,9 @@ spec: labels: app: {{ template "anchore-policy-validator.fullname" . }}-default-policy spec: + {{- if .Values.rbac.enabled }} + serviceAccountName: {{ template "anchore-policy-validator.fullname" . }} + {{- end }} restartPolicy: OnFailure volumes: - name: default-policy @@ -56,4 +59,4 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | indent 8 }} - {{- end }} \ No newline at end of file + {{- end }} diff --git a/templates/validator-deployment.yaml b/templates/validator-deployment.yaml index 6977275..664ce33 100644 --- a/templates/validator-deployment.yaml +++ b/templates/validator-deployment.yaml @@ -16,7 +16,9 @@ spec: app: {{ template "anchore-policy-validator.name" . }} release: {{ .Release.Name }} spec: + {{- if .Values.rbac.enabled }} serviceAccountName: {{ template "anchore-policy-validator.fullname" . }} + {{- end }} volumes: - name: serving-cert secret: diff --git a/templates/validator-psp.yaml b/templates/validator-psp.yaml index 8678c1b..5596d62 100644 --- a/templates/validator-psp.yaml +++ b/templates/validator-psp.yaml @@ -1,4 +1,4 @@ -{{- if .Values.pspEnabled }} +{{ if and .Values.rbac.enabled .Values.rbac.psp.enabled }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: 
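Review bot: The default-policy Job now runs under the validator's ServiceAccount, yet as far as the visible commands show its container only invokes `anchore-cli` against anchore-engine and never talks to the Kubernetes API, so it inherits every RBAC right granted to the validator (cluster-wide bindings in this chart) and mounts the token for no purpose. Add `automountServiceAccountToken: false` directly after the new `serviceAccountName` block — the account can stay for the PSP `use` grant when `rbac.psp.enabled` is set — or bind a dedicated ServiceAccount to the PSP Role only. The Job's pod spec continues beyond the hunk.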
@@ -25,31 +25,4 @@ spec: volumes: - secret - emptyDir ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: psp:{{ template "anchore-policy-validator.fullname" . }} -roleRef: - kind: Role - apiGroup: rbac.authorization.k8s.io - name: psp:{{ template "anchore-policy-validator.fullname" . }} -subjects: -- kind: ServiceAccount - namespace: {{ .Release.Namespace }} - name: {{ template "anchore-policy-validator.fullname" . }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: psp:{{ template "anchore-policy-validator.fullname" . }} -rules: -- apiGroups: - - policy - resourceNames: - - psp.imagevalidator - resources: - - podsecuritypolicies - verbs: - - use -{{- end }} +{{ end }} diff --git a/templates/validator-rbac.yaml b/templates/validator-rbac.yaml index a8cb313..db2eb22 100644 --- a/templates/validator-rbac.yaml +++ b/templates/validator-rbac.yaml @@ -1,3 +1,4 @@ +{{ if .Values.rbac.enabled }} apiVersion: v1 kind: ServiceAccount metadata: @@ -82,4 +83,35 @@ roleRef: subjects: - apiGroup: rbac.authorization.k8s.io kind: Group - name: system:unauthenticated \ No newline at end of file + name: system:unauthenticated + +{{ if .Values.rbac.psp.enabled }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: psp:{{ template "anchore-policy-validator.fullname" . }} +roleRef: + kind: Role + apiGroup: rbac.authorization.k8s.io + name: psp:{{ template "anchore-policy-validator.fullname" . }} +subjects: +- kind: ServiceAccount + namespace: {{ .Release.Namespace }} + name: {{ template "anchore-policy-validator.fullname" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: psp:{{ template "anchore-policy-validator.fullname" . }} +rules: +- apiGroups: + - policy + resourceNames: + - psp.imagevalidator + resources: + - podsecuritypolicies + verbs: + - use +{{ end }} +{{ end }} diff --git a/values.yaml b/values.yaml index 28307d6..cdad925 100644 --- a/values.yaml 
+++ b/values.yaml @@ -30,4 +30,7 @@ affinity: {} ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ tolerations: [] -pspEnabled: false +rbac: + enabled: true + psp: + enabled: false From bd19a7d78fc2c30135f6f10f588b64530958d2d0 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Thu, 18 Apr 2019 19:42:42 +0200 Subject: [PATCH 40/66] remove namespacereservation realted binding --- templates/validator-rbac.yaml | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/templates/validator-rbac.yaml b/templates/validator-rbac.yaml index db2eb22..16bd474 100644 --- a/templates/validator-rbac.yaml +++ b/templates/validator-rbac.yaml @@ -47,19 +47,6 @@ rules: - create --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "anchore-policy-validator.fullname" . }}-default -roleRef: - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io - name: namespace-reservation-{{ template "anchore-policy-validator.fullname" . }} -subjects: -- kind: ServiceAccount - namespace: {{ .Release.Namespace }} - name: {{ template "anchore-policy-validator.fullname" . }} ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: namespace: kube-system From 7ec09148bfaa3e4042a93e796d6990273c98a42a Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Mon, 22 Apr 2019 14:15:51 +0200 Subject: [PATCH 41/66] add seccomp --- templates/validator-psp.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/validator-psp.yaml b/templates/validator-psp.yaml index 5596d62..75ec360 100644 --- a/templates/validator-psp.yaml +++ b/templates/validator-psp.yaml @@ -4,6 +4,9 @@ kind: PodSecurityPolicy metadata: creationTimestamp: null name: psp.imagevalidator + annotations: + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' spec: readOnlyRootFilesystem: true privileged: false 
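Review bot: The seccomp annotations pin the profile name `docker/default`, which Kubernetes deprecated in 1.11 in favour of `runtime/default`; a pod on such a cluster that carries the newer name is rejected by this `allowedProfileNames` list. Use `seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default,docker/default'` and make `runtime/default` the default profile. These annotations only take effect through PodSecurityPolicy, which is gated on `rbac.psp.enabled` in this chart, so with PSP disabled the validator still runs without a seccomp profile unless the Deployment's pod template sets one itself.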
From 1d6b6f847cc023c896b419ce377836050814e98a Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Tue, 23 Apr 2019 09:47:36 +0200 Subject: [PATCH 42/66] remove cluster-admin clusterrolebinding --- templates/validator-rbac.yaml | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/templates/validator-rbac.yaml b/templates/validator-rbac.yaml index 16bd474..e54a879 100644 --- a/templates/validator-rbac.yaml +++ b/templates/validator-rbac.yaml @@ -18,23 +18,11 @@ subjects: name: {{ template "anchore-policy-validator.fullname" . }} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: auth-delegator-{{ template "anchore-policy-validator.fullname" . }}-admin -roleRef: - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io - name: cluster-admin -subjects: -- kind: ServiceAccount - namespace: {{ .Release.Namespace }} - name: {{ template "anchore-policy-validator.fullname" . }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: annotations: - name: {{ template "anchore-policy-validator.fullname" . }} + name: {{ template "anchore-policy-validator.fullname" . }}-apiext + namespace: kube-system rules: - apiGroups: - {{ .Values.apiService.group }} @@ -45,6 +33,16 @@ rules: - list - watch - create +- apiGroups: + - "" + resources: + - endpoints + - namespaces + - secrets + - configmaps + - serviceaccounts + verbs: + - get --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -54,10 +52,11 @@ metadata: roleRef: kind: Role apiGroup: rbac.authorization.k8s.io - name: extension-api{{ template "anchore-policy-validator.fullname" . }}-authentication-reader + name: {{ template "anchore-policy-validator.fullname" . }}-apiext subjects: - kind: ServiceAccount name: {{ template "anchore-policy-validator.fullname" . }} + namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
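Review bot: The new `-apiext` Role in `kube-system` grants `get` on `secrets`, `serviceaccounts` and `configmaps` across that namespace, far wider than the delegated-authentication need that normally motivates an aggregated API server reading a single ConfigMap — which the `...-authentication-reader` Role this binding previously referenced was presumably modelled on. `get` on arbitrary named Secrets in `kube-system` lets a compromised validator read bootstrap and controller tokens by name. Scope the rule with `resourceNames: ["extension-apiserver-authentication"]` for `configmaps` and drop `secrets` and `serviceaccounts` unless a concrete reader in the validator needs them; replacing cluster-admin is otherwise a clear improvement.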
From a90aed93e3fb7724c1887be20a27357a060e2f36 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Tue, 23 Apr 2019 09:50:00 +0200 Subject: [PATCH 43/66] update readme --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index fffa6ba..3a14681 100644 --- a/README.md +++ b/README.md @@ -49,4 +49,5 @@ The following tables lists configurable parameters of the anchore-policy-validat |externalAnchore.anchoreHost |external anchore-engine host |"" | |externalAnchore.anchoreUser |external anchore-engine username |"" | |externalAnchore.anchorePass |external anchore-engine password |"" | -|pspEnabled |add PSP resources if enabled |false | \ No newline at end of file +|rbac.enabled |enable RBAC |true | +|rbac.psp.enabled |add PSP resources if enabled |false | From 5d808f5c2e81f32c45a2c2beb8f1f7394ca6ba75 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Wed, 10 Jul 2019 12:22:22 +0200 Subject: [PATCH 44/66] do not delete default policy --- Chart.yaml | 2 +- templates/default-policy-job.yaml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index 72bcd58..e09fdfc 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 description: A Helm chart for anchore-policy-validator admission controller name: anchore-policy-validator -version: 0.4.0 +version: 0.4.1 appVersion: 0.3.3 keywords: - analysis diff --git a/templates/default-policy-job.yaml b/templates/default-policy-job.yaml index e471bf1..8719736 100644 --- a/templates/default-policy-job.yaml +++ b/templates/default-policy-job.yaml @@ -47,7 +47,6 @@ spec: anchore-cli policy add /policy/reject-critical.json anchore-cli policy add /policy/block-root.json anchore-cli policy activate 97b33e2c-3b57-4a3f-a12b-a8c0daa472a0 - anchore-cli policy del 2c53a13c-1765-11e8-82ef-23527761d060 {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} 
From a161f0de5bae84f3df4dde63e136898c58aa14f4 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Thu, 1 Aug 2019 22:18:28 +0200 Subject: [PATCH 45/66] fix anchore-policy-validator rbac --- Chart.yaml | 2 +- templates/validator-rbac.yaml | 46 +++++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+), 1 deletion(-) diff --git a/Chart.yaml b/Chart.yaml index e09fdfc..029cce6 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 description: A Helm chart for anchore-policy-validator admission controller name: anchore-policy-validator -version: 0.4.1 +version: 0.4.2 appVersion: 0.3.3 keywords: - analysis diff --git a/templates/validator-rbac.yaml b/templates/validator-rbac.yaml index e54a879..3d064eb 100644 --- a/templates/validator-rbac.yaml +++ b/templates/validator-rbac.yaml @@ -6,6 +6,52 @@ metadata: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding +metadata: + name: {{ template "anchore-policy-validator.fullname" . }}-binding +roleRef: + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io + name: {{ template "anchore-policy-validator.fullname" . }}-role +subjects: +- kind: ServiceAccount + name: {{ template "anchore-policy-validator.fullname" . }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "anchore-policy-validator.fullname" . }}-role +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - create +- apiGroups: + - "" + resources: + - pods + - namespaces + - secrets + - configmaps + verbs: + - get +- apiGroups: + - security.banzaicloud.com + resources: + - audits + - whitelistitems + verbs: + - get + - list + - update + - patch + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: auth-delegator-{{ template "anchore-policy-validator.fullname" . }}-default roleRef: 
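Review bot: The new ClusterRole gives the validator `get` on `secrets` in every namespace — a cluster-wide read of any secret by name — which is considerably more than pod admission appears to require and is not explained in the commit message. If the intent is to read the `imagePullSecrets` of the pod being admitted (plausible, but not visible here), say so above the rule, e.g. `# secrets: resolve imagePullSecrets of admitted pods for registry access`, and reconsider whether `configmaps` is needed at all. `validatingwebhookconfigurations` gets only `get`/`create`, so a configuration left by a previous release cannot be reconciled on upgrade; either add `update`/`patch` or document that the object must be deleted between releases.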
From 3b1023032f3b8c4bb48f2a27c8f347136cbdc972 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Thu, 22 Aug 2019 10:53:52 +0200 Subject: [PATCH 46/66] bump anchore-image validator version --- Chart.yaml | 4 ++-- values.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index 029cce6..80fc795 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 description: A Helm chart for anchore-policy-validator admission controller name: anchore-policy-validator -version: 0.4.2 -appVersion: 0.3.3 +version: 0.4.3 +appVersion: 0.3.4 keywords: - analysis - "anchore-policy-validator" diff --git a/values.yaml b/values.yaml index cdad925..531abdf 100644 --- a/values.yaml +++ b/values.yaml @@ -5,7 +5,7 @@ apiService: version: v1beta1 image: repository: banzaicloud/anchore-image-validator - tag: 0.3.3 + tag: 0.3.4 pullPolicy: IfNotPresent service: name: anchoreimagecheck From 3b69329aeb63a721ed2b97165a79d42fa51210a3 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Mon, 23 Sep 2019 14:06:03 +0200 Subject: [PATCH 47/66] add capability to define include rule in namespaceSelector --- Chart.yaml | 4 ++-- README.md | 3 ++- templates/validator-deployment.yaml | 2 ++ values.yaml | 4 +++- 4 files changed, 9 insertions(+), 4 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index 80fc795..4ecc88d 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 description: A Helm chart for anchore-policy-validator admission controller name: anchore-policy-validator -version: 0.4.3 -appVersion: 0.3.4 +version: 0.4.4 +appVersion: 0.3.6 keywords: - analysis - "anchore-policy-validator" diff --git a/README.md b/README.md index 3a14681..38c7778 100644 --- a/README.md +++ b/README.md 
@@ -40,7 +40,7 @@ The following tables lists configurable parameters of the anchore-policy-validat
 |apiService.group |group of registered api service |admission.anchore.io |
 |apiService.version |version of registered api service |v1beta1 |
 |image.repository |admission-server image repo |banzaicloud/anchore-image-validator |
-|image.tag |admission-server image tag |0.3.0 |
+|image.tag |admission-server image tag |0.3.6 |
 |image.pullPolicy |admission-server image pull policy |IfNotPresent |
 |service.name |validation sevice name |anchoreimagecheck |
 |service.type |validation service type |ClusterIP |
@@ -51,3 +51,4 @@ The following tables lists configurable parameters of the anchore-policy-validat
 |externalAnchore.anchorePass |external anchore-engine password |"" |
 |rbac.enabled |enable RBAC |true |
 |rbac.psp.enabled |add PSP resources if enabled |false |
+|webhookSelector |webHookConfig namespaceSelector behaviour |"" (exclude) |
diff --git a/templates/validator-deployment.yaml b/templates/validator-deployment.yaml
index 664ce33..6f59091 100644
--- a/templates/validator-deployment.yaml
+++ b/templates/validator-deployment.yaml
@@ -52,6 +52,8 @@ spec:
 value: {{ .Values.externalAnchore.anchorePass }}
 - name: ANCHORE_ENGINE_URL
 value: {{ .Values.externalAnchore.anchoreHost }}
+ - name: WEBHOOK_SELECTOR
+ value: {{ default "exclude" .Values.webhookSelector }}
 securityContext:
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
diff --git a/values.yaml b/values.yaml
index 531abdf..19cb5dd 100644
--- a/values.yaml
+++ b/values.yaml
@@ -5,7 +5,7 @@ apiService:
 version: v1beta1
 image:
 repository: banzaicloud/anchore-image-validator
- tag: 0.3.4
+ tag: 0.3.6
 pullPolicy: IfNotPresent
 service:
 name: anchoreimagecheck
@@ -18,6 +18,8 @@ externalAnchore:
 anchorePass: ""
 resources: {}
+webhookSelector: ""
+
 ## Node selector
 ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
 nodeSelector: {}
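Review bot: The new env value `{{ default "exclude" .Values.webhookSelector }}` is rendered unquoted, so a user-supplied value that YAML reads as something other than a string (a bare `true` or a number) yields an `env` entry the API server rejects at install time; `value: {{ default "exclude" .Values.webhookSelector | quote }}` keeps it a string. The chart also accepts any string here and the README row documents only the default, so if the controller understands just `include` and `exclude` (not verifiable from this hunk) a template-time guard such as `{{- if not (has (default "exclude" .Values.webhookSelector) (list "include" "exclude")) }}{{ fail "webhookSelector must be include or exclude" }}{{- end }}` would surface a typo as a failed install rather than as a webhook silently applied to the wrong namespaces. The container spec this env list belongs to begins before the hunk.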
From c7e6335635706cf80ba341b81fbe090d694c5428 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Mon, 23 Sep 2019 14:53:12 +0200
Subject: [PATCH 48/66] use NAMESPACE_SELECTOR instead of WEBHOOK_SELECTOR
---
 README.md | 2 +-
 templates/validator-deployment.yaml | 4 ++--
 values.yaml | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 38c7778..805b8c5 100644
--- a/README.md
+++ b/README.md
@@ -51,4 +51,4 @@ The following tables lists configurable parameters of the anchore-policy-validat
 |externalAnchore.anchorePass |external anchore-engine password |"" |
 |rbac.enabled |enable RBAC |true |
 |rbac.psp.enabled |add PSP resources if enabled |false |
-|webhookSelector |webHookConfig namespaceSelector behaviour |"" (exclude) |
+|namespaceSelector |webHookConfig namespaceSelector behaviour |"" (exclude) |
diff --git a/templates/validator-deployment.yaml b/templates/validator-deployment.yaml
index 6f59091..15def1c 100644
--- a/templates/validator-deployment.yaml
+++ b/templates/validator-deployment.yaml
@@ -52,8 +52,8 @@ spec:
 value: {{ .Values.externalAnchore.anchorePass }}
 - name: ANCHORE_ENGINE_URL
 value: {{ .Values.externalAnchore.anchoreHost }}
- - name: WEBHOOK_SELECTOR
- value: {{ default "exclude" .Values.webhookSelector }}
+ - name: NAMESPACE_SELECTOR
+ value: {{ default "exclude" .Values.namespaceSelector }}
 securityContext:
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
diff --git a/values.yaml b/values.yaml
index 19cb5dd..4308485 100644
--- a/values.yaml
+++ b/values.yaml
@@ -18,7 +18,7 @@ externalAnchore:
 anchorePass: ""
 resources: {}
-webhookSelector: ""
+namespaceSelector: ""
 ## Node selector
 ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
From 72c304b21b2977feb1342ecd7e055d7361304f78 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Sun, 20 Oct 2019 21:00:17 +0200
Subject: [PATCH 49/66] update remove generic-admission-server
Signed-off-by: Peter Balogh
---
 go.mod | 25 +++--
 go.sum | 308 +++++++++++++++++++++++++++++++++++++++++----------------
 2 files changed, 237 insertions(+), 96 deletions(-)
diff --git a/go.mod b/go.mod
index 3a15eca..40b0f0f 100644
--- a/go.mod
+++ b/go.mod
@@ -1,22 +1,21 @@
 module github.com/banzaicloud/anchore-image-validator
-go 1.12
+go 1.13
 require (
- emperror.dev/errors v0.4.2
+ emperror.dev/emperror v0.21.3
+ emperror.dev/errors v0.4.3
 github.com/imdario/mergo v0.3.7 // indirect
- github.com/inconshreveable/mousetrap v1.0.0 // indirect
 github.com/onsi/ginkgo v1.8.0 // indirect
 github.com/onsi/gomega v1.5.0 // indirect
- github.com/openshift/generic-admission-server v1.14.0
- github.com/sirupsen/logrus v1.4.1
- github.com/spf13/cobra v0.0.3 // indirect
+ github.com/sirupsen/logrus v1.4.2
+ github.com/spf13/pflag v1.0.5
+ github.com/spf13/viper v1.4.0
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5 // indirect
- golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a // indirect
- golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 // indirect
- k8s.io/api v0.0.0-20190409092523-d687e77c8ae9
- k8s.io/apimachinery v0.0.0-20190409092423-760d1845f48b
- k8s.io/apiserver v0.0.0-20190409093229-67d6e044d2ef // indirect
- k8s.io/client-go v0.0.0-20190409092706-ca8df85b1798
- k8s.io/utils v0.0.0-20190308190857-21c4ce38f2a7 // indirect
+ k8s.io/api v0.0.0-20190918195907-bd6ac527cfd2
+ k8s.io/apimachinery v0.0.0-20190817020851-f2f3a405f61d
+ k8s.io/client-go v0.0.0-20190918200256-06eb1244587a
+ logur.dev/adapter/logrus v0.2.0
+ logur.dev/logur v0.15.0
+ sigs.k8s.io/controller-runtime v0.3.0
 )
diff --git a/go.sum b/go.sum
index 987014f..15ad14a 100644
--- a/go.sum
+++ b/go.sum
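Review bot: The `// indirect` pins on `github.com/onsi/ginkgo`, `github.com/onsi/gomega`, `github.com/imdario/mergo` and `golang.org/x/crypto` are carried over unchanged although the direct dependency that may have pulled some of them in, `github.com/openshift/generic-admission-server`, is removed in the same hunk; running `go mod tidy` after this change and committing its output would drop any that nothing requires any more, so stale transitive pins do not keep older module versions in the build. The `k8s.io/*` entries are pseudo-versions rather than tagged releases and nothing records which Kubernetes revisions `sigs.k8s.io/controller-runtime v0.3.0` expects them to match; a comment above them such as `// k8s.io/* revisions must track the ones controller-runtime <VERSION> was built against` would spare the next upgrader a guess. The go.sum hunk that follows is generated and is not reviewed line by line here.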
@@ -1,110 +1,173 @@ -cloud.google.com/go v0.0.0-20160913182117-3b1ae45394a2/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -emperror.dev/errors v0.4.2 h1:snD5ODyv4c9DOBBZh645dy/TziVHZivuFtRRMZP8zK8= -emperror.dev/errors v0.4.2/go.mod h1:cA5SMsyzo+KXq997DKGK+lTV1DGx5TXLQUNtYe9p2p0= +emperror.dev/emperror v0.21.3 h1:/S3xa/ljmXKTsrxN8ttCE/eq7fmY/4H4xyqbiunObss= +emperror.dev/emperror v0.21.3/go.mod h1:aeDoz3ERR3yJblyjfKojXoFFsXSd6K8Wfd4Zb1eEbZg= +emperror.dev/errors v0.4.1/go.mod h1:cA5SMsyzo+KXq997DKGK+lTV1DGx5TXLQUNtYe9p2p0= +emperror.dev/errors v0.4.3 h1:yfhVxX1vzHgCDXh0KL+gVKfKhXlJCabmc79jS6QQuus= +emperror.dev/errors v0.4.3/go.mod h1:cA5SMsyzo+KXq997DKGK+lTV1DGx5TXLQUNtYe9p2p0= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= -github.com/Azure/go-autorest v11.1.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= -github.com/BurntSushi/toml v0.3.0 h1:e1/Ivsx3Z0FVTV0NSOv/aVgbUWyQuzj7DDnFblkRvsY= +github.com/Azure/go-autorest v11.1.2+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= github.com/BurntSushi/toml v0.3.0/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46 h1:lsxEuwrXEAokXB9qhlbKWPpo3KMLZQ5WB5WLQRW1uq0= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= 
github.com/PuerkitoBio/purell v1.1.0 h1:rmGxhojJlM0tuKtfdvliR84CFHljx9ag64t2xmVkjK4= github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= -github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973 h1:xJ4a3vCFaGF/jqvzLMYoU8P317H5OQ+Via4RmuPwCS0= +github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= +github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= -github.com/coreos/bbolt v1.3.1-coreos.6 h1:uTXKg9gY70s9jMAKdfljFQcuh4e/BXOM+V+d00KFj3A= +github.com/beorn7/perks v1.0.0 h1:HWo1m869IqiPhD389kmkxeTalrjNbbJTC8LXupb+sl0= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= +github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= +github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/coreos/bbolt v1.3.1-coreos.6/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= -github.com/coreos/etcd v3.3.10+incompatible h1:jFneRYjIvLMLhDLCzuTuU4rSJUjRplcJQ7pD7MnhC04= +github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.10+incompatible/go.mod 
h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/etcd v3.3.13+incompatible h1:8F3hqu9fGYLBifCmRCJsicFqDx/D68Rt3q1JMazcgBQ= +github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-oidc v0.0.0-20180117170138-065b426bd416/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= -github.com/coreos/go-semver v0.0.0-20180108230905-e214231b295a h1:WqY2Kv7eI1jeoU3pC05YYK/kK4tdXyLzzaBzCR51r9M= github.com/coreos/go-semver v0.0.0-20180108230905-e214231b295a/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= -github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7 h1:u9SHYsPQNyt5tgDm3YN7+9dYrpK96E5wFilTFWIDZOM= +github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea h1:n2Ltr3SrfQlf/9nOna1DoGKxLx3qTSI8Ttl6Xrqp6mw= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e h1:Wf6HqHfScWJN9/ZjdUKyjop4mf3Qdd+1TvvltAvM3m8= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/dgrijalva/jwt-go v0.0.0-20160705203006-01aeca54ebda h1:NyywMz59neOoVRFDz+ccfKWxn784fiHMDnZSy6T+JXY= github.com/dgrijalva/jwt-go v0.0.0-20160705203006-01aeca54ebda/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= -github.com/docker/docker 
v0.0.0-20180612054059-a9fbbdc8dd87/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= +github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= +github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633 h1:H2pdYOb3KQ1/YsqVWoWNLQO+fusocsw354rqGTZtAgw= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/evanphx/json-patch v0.0.0-20190203023257-5858425f7550 h1:mV9jbLoSW/8m4VK16ZkHTozJa8sesK5u5kTMFysTYac= github.com/evanphx/json-patch v0.0.0-20190203023257-5858425f7550/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v4.5.0+incompatible h1:ouOWdg56aJriqS0huScTkVXPC5IcNrDCXZ6OoTAWu7M= +github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= -github.com/ghodss/yaml v0.0.0-20180820084758-c7ce16629ff4 h1:bRzFpEzvausOAt4va+I/22BZ1vXDtERngp0BNYDKej0= github.com/ghodss/yaml v0.0.0-20180820084758-c7ce16629ff4/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/ghodss/yaml v1.0.0/go.mod 
h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= +github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= +github.com/go-logr/logr v0.1.0 h1:M1Tv3VzNlEHg6uyACnRdtrploV2P7wZqH8BoQMtz0cg= +github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-logr/zapr v0.1.0 h1:h+WVe9j6HAA01niTJPA/kKH0i7e0rLZBCwauQFcRE54= +github.com/go-logr/zapr v0.1.0/go.mod h1:tabnROwaDl0UNxkVeFRbY8bwB37GwRv0P8lg6aAiEnk= +github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI= +github.com/go-openapi/analysis v0.17.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik= +github.com/go-openapi/analysis v0.17.2/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik= +github.com/go-openapi/errors v0.17.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0= +github.com/go-openapi/errors v0.17.2/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0= github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M= github.com/go-openapi/jsonpointer v0.19.0 h1:FTUMcX77w5rQkClIzDtTxvn6Bsa894CcrzNj2MMfeg8= github.com/go-openapi/jsonpointer v0.19.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M= github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= github.com/go-openapi/jsonreference v0.19.0 h1:BqWKpV1dFd+AuiKlgtddwVIFQsuMpxfBDBHGfM2yNpk= github.com/go-openapi/jsonreference v0.19.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= +github.com/go-openapi/loads v0.17.0/go.mod 
h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= +github.com/go-openapi/loads v0.17.2/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= +github.com/go-openapi/runtime v0.0.0-20180920151709-4f900dc2ade9/go.mod h1:6v9a6LTXWQCdL8k1AO3cvqx5OtZY/Y9wKTgaoP6YRfA= +github.com/go-openapi/runtime v0.17.2/go.mod h1:QO936ZXeisByFmZEO1IS1Dqhtf4QV1sYYFtIq6Ld86Q= +github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI= github.com/go-openapi/spec v0.17.2 h1:eb2NbuCnoe8cWAxhtK6CfMWUYmiFEZJ9Hx3Z2WRwJ5M= github.com/go-openapi/spec v0.17.2/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI= +github.com/go-openapi/strfmt v0.17.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU= github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= github.com/go-openapi/swag v0.17.2 h1:K/ycE/XTUDFltNHSO32cGRUhrVGJD64o8WgAIZNyc3k= github.com/go-openapi/swag v0.17.2/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= +github.com/go-openapi/validate v0.17.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4= +github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/gogo/protobuf v1.1.1 h1:72R+M5VuhED/KujmZVcIquuo8mBgX4oVda//DQb3PXo= +github.com/gogo/protobuf v0.0.0-20171007142547-342cbe0a0415/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58= +github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903 
h1:LbsanbbD6LieFkXbj9YNNBupiGHJgFeLpO0j0Fza1h8= github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM= +github.com/golang/groupcache v0.0.0-20180513044358-24b0969c4cb7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef h1:veQD95Isof8w9/WXiA+pa3tz3fJXkt5B7QaRBrM62gk= +github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/google/btree v0.0.0-20160524151835-7d79101e329e h1:JHB7F/4TJCrYBW8+GZO8VkWDj1jxcWuCl6uxKODiyi4= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/google/btree v0.0.0-20160524151835-7d79101e329e/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf h1:+RRA9JqSOZFfKrOeqr2z77+8R2RKyh8PG66dcu1V0ck= github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= github.com/google/uuid v1.0.0 h1:b4Gk+7WdP/d3HZH8EJsZpvV7EtDOgaZLtnaNGIu1adA= github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 
-github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d h1:7XGaL1e6bYS1yIonGp9761ExpPPV1ui0SAC59Yube9k= github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.3.1 h1:WeAefnSUHlBb0iJKwxFDZdbfGwkd7xRNuV+IpXMJhYk= +github.com/googleapis/gnostic v0.3.1/go.mod h1:on+2t9HRStVgn95RSsFWFz+6Q0Snyqv1awfrALZdbtU= github.com/gophercloud/gophercloud v0.0.0-20190126172459-c818fa66e4c8/go.mod h1:3WdhXV3rUYy9p6AUW8d94kr+HS62Y4VL9mBnFxsD8q4= -github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c h1:Lh2aW+HnU2Nbe1gqD9SOJLJxW1jBMmQOktN2acDyJk8= github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= -github.com/gotestyourself/gotestyourself v2.2.0+incompatible/go.mod h1:zZKM6oeNM8k+FRljX1mnzVYeS8wiGgQyvST1/GafPbY= +github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gregjones/httpcache v0.0.0-20170728041850-787624de3eb7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= -github.com/grpc-ecosystem/go-grpc-middleware v0.0.0-20190222133341-cfaf5686ec79 h1:lR9ssWAqp9qL0bALxqEEkuudiP1eweOdv9jsRK3e7lE= github.com/grpc-ecosystem/go-grpc-middleware v0.0.0-20190222133341-cfaf5686ec79/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= -github.com/grpc-ecosystem/go-grpc-prometheus v0.0.0-20170330212424-2500245aa611 h1:f5vL2EW5pL274ztMNnizZAEa457nKyKPEaN/sm/kdBk= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-prometheus v0.0.0-20170330212424-2500245aa611/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= -github.com/grpc-ecosystem/grpc-gateway v1.3.0 h1:HJtP6RRwj2EpPCD/mhAWzSvLL/dFTdPm1UrWwanoFos= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod 
h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/grpc-gateway v1.3.0/go.mod h1:RSKVYQBd5MCa4OVpNdGskqpgL2+G+NZTnrVHpWWfpdw= +github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/hashicorp/golang-lru v0.5.0 h1:CL2msUPvZTLb5O648aiLNJw3hnBxN2+1Jq8rCOH9wdo= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28= +github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/imdario/mergo v0.3.7 h1:Y+UAYTZ7gDEuOfhxKWy+dvb5dRQ6rJjFSdX2HZY1/gI= github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= -github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= -github.com/jonboulle/clockwork v0.0.0-20141017032234-72f9bd7c4e0c h1:XpRROA6ssPlTwJI8/pH+61uieOkcJhmAFz25cu0B94Y= github.com/jonboulle/clockwork v0.0.0-20141017032234-72f9bd7c4e0c/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= -github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be h1:AHimNtVIpiBjPUhEF5KNCkrUyqTSA5zWUl8sQ2bfGBE= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.6 
h1:MrUvLMLTMxbqFJ9kzlvat/rYZqZnW3u4wkLzWTaFwKs= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/magiconair/properties v1.8.0 h1:LLgXmsheXeRoUOBOjtwPQCWIYqM/LU1ayDtDePerRcY= +github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329 h1:2gxZ0XQIU/5z3Z3bUBu+FXuk2pFbkN6tcwi/pjyaDic= github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/modern-go/concurrent 
v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= 
@@ -113,145 +176,224 @@ github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d h1:7PxY7LVfSZm7P github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= -github.com/natefinch/lumberjack v2.0.0+incompatible h1:4QJd3OLAMgj7ph+yZTuX13Ld4UpgHp07nNdFX7mqFfM= github.com/natefinch/lumberjack v2.0.0+incompatible/go.mod h1:Wi9p2TTF5DG5oU+6YfsmYQpsTIOm0B1VNzQg9Mw6nPk= +github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= +github.com/onsi/ginkgo v1.6.0 h1:Ix8l273rp3QzYgXSR+c8d1fTG7UPgYkOSELPhiY/YGw= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.8.0 h1:VkHVNpR4iVnU8XQR6DBm8BqYjN7CRzw+xKUbVVbbW9w= github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/gomega v0.0.0-20190113212917-5533ce8a0da3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.4.2 h1:3mYCb7aPxS/RU7TI1y4rkEn1oKmPRjNJLNEXgw7MH2I= +github.com/onsi/gomega v1.4.2/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.5.0 h1:izbySO9zDPmjJ8rDjLvkA2zJHIo+HkYXHnf7eN7SSyo= github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= -github.com/openshift/generic-admission-server v1.14.0 h1:GAQy5JNVcbmUuIpPvLd39+2rPecxEm7WQ2sP7ACrse4= -github.com/openshift/generic-admission-server v1.14.0/go.mod h1:GD9KN/W4KxqRQGVMbqQHpHzb2XcQVvLCaBaSciqXvfM= github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g= github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= -github.com/peterbourgon/diskv v2.0.1+incompatible 
h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= +github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181zc= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= -github.com/philhofer/fwd v1.0.0 h1:UbZqGr5Y38ApvM/V/jEljVxwocdweyH+vmYvRPBnbqQ= -github.com/philhofer/fwd v1.0.0/go.mod h1:gk3iGcWd9+svBvR0sR+KPcfE+RNWozjowpeBVG3ZVNU= -github.com/pkg/errors v0.8.0 h1:WdK/asTD0HN+q6hsWO3/vpuAkAr+tw6aNJNDFFf0+qw= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= -github.com/pquerna/ffjson v0.0.0-20180717144149-af8b230fcd20 h1:7sBb9iOkeq+O7AXlVoH/8zpIcRXX523zMkKKspHjjx8= -github.com/pquerna/ffjson v0.0.0-20180717144149-af8b230fcd20/go.mod h1:YARuvh7BUWHNhzDq2OM5tzR2RiCcN2D7sapiKyCel/M= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= -github.com/prometheus/client_golang v0.9.2 h1:awm861/B8OKDd2I/6o1dy3ra4BamzKhYOiGItCeZ740= github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM= -github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910 h1:idejC8f05m9MGOsuEi1ATq9shN03HrxNkD/luQvxCv8= +github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= +github.com/prometheus/client_golang v1.0.0 h1:vrDKnkGzuGvhNAL56c7DBz29ZL+KxnoR0x7enabFceM= +github.com/prometheus/client_golang v1.0.0/go.mod 
h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90 h1:S/YWwWx/RA8rT8tKFRuGUZhuA90OyIBpPCXkcbwU8DE= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= -github.com/prometheus/common v0.2.0 h1:kUZDBDTdBVBYBj5Tmh2NZLlF60mfjA27rM34b+cVwNU= -github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/common v0.4.1 h1:K0MGApIoQvMw27RTdJkPbr3JZ7DNbtxQNyi5STVM6Kw= +github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= -github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a h1:9a8MnZMP0X2nLJdBg+pBmGgkJlSaKC2KaQmTCk1XDtE= github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/procfs v0.0.2 h1:6LJUbpNm42llc4HRCuvApCSWB/WfhuNo9K98Q9sNGfs= +github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= +github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M= +github.com/rogpeppe/fastuuid 
v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= -github.com/sirupsen/logrus v1.4.1 h1:GL2rEmy6nsikmW0r8opw9JIRScdMF5hA8cOYLH7In1k= -github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= -github.com/soheilhy/cmux v0.1.3 h1:09wy7WZk4AqO03yH85Ex1X+Uo3vDsil3Fa9AgF8Emss= +github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= +github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/soheilhy/cmux v0.1.3/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= -github.com/spf13/cobra v0.0.3 h1:ZlrZ4XsMRm04Fr5pSFxBgfND2EBVa1nLpiy1stUsX/8= -github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= -github.com/spf13/pflag v1.0.1 h1:aCvUg6QPl3ibpQUxyLkrEkCHtPqYJL4x9AuhqVqFis4= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/afero v1.2.2 h1:5jhuqJyZCZf2JRofRvN/nIFgIWNzPa3/Vz8mYylgbWc= +github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= +github.com/spf13/cast v1.3.0 h1:oget//CVOEoFewqQxwr0Ej5yjygnqGkvggSE/gB35Q8= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v0.0.0-20180319062004-c439c4fa0937 h1:+ryWjMVzFAkEz5zT+Ms49aROZwxlJce3x3zLTFpkz3Y= +github.com/spf13/cobra v0.0.0-20180319062004-c439c4fa0937/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= +github.com/spf13/jwalterweatherman v1.0.0 h1:XHEdyB+EcvlqZamSM4ZOMGlc93t6AcsBEu9Gc1vn7yk= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= github.com/spf13/pflag 
v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.4.0 h1:yXHLWeravcrgGyFSyCgdYpXQ9dR9c/WED3pg1RhxqEU= +github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/tinylib/msgp v1.1.0 h1:9fQd+ICuRIu/ue4vxJZu6/LzxN0HwMds2nq/0cFvxHU= -github.com/tinylib/msgp v1.1.0/go.mod h1:+d+yLhGm8mzTaHzB+wgMYrodPfmZrzkirds8fDWklFE= -github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8 h1:ndzgwNDnKIqyCvHTXaCqh9KlOWKvBry6nuXMJmonVsE= +github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= -github.com/ugorji/go v0.0.0-20171019201919-bdcc60b419d1 h1:UvhxfNjNqlZ/x3cDyqxMhoiUpemd3zXkVQApN6bM/lg= -github.com/ugorji/go v0.0.0-20171019201919-bdcc60b419d1/go.mod h1:hnLbHMwcvSihnDhEfx2/BzKp2xb0Y+ErdfYcrs9tkJQ= -github.com/xiang90/probing v0.0.0-20160813154853-07dd2e8dfe18 h1:MPPkRncZLN9Kh4MEFmbnK4h3BD7AUmskWv2+EeZJCCs= +github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/ugorji/go v1.1.4/go.mod 
h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= github.com/xiang90/probing v0.0.0-20160813154853-07dd2e8dfe18/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.uber.org/atomic v0.0.0-20181018215023-8dc6146f7569/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.4.0 h1:cxzIVoETapQEqDhQu3QfnvXAV4AlzcvUCxkVUFw3+EU= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/multierr v0.0.0-20180122172545-ddea229ff1df/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.1.0 h1:HoEmRHQPVSqub6w2z2d2EOVs2fjyFRGyofhKuyDq0QI= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= -go.uber.org/zap v0.0.0-20180814183419-67bc79d13d15 h1:Z2sc4+v0JHV6Mn4kX1f2a5nruNjmV+Th32sugE8zwz8= go.uber.org/zap v0.0.0-20180814183419-67bc79d13d15/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +go.uber.org/zap v1.10.0 h1:ORx85nbTijNz8ljznvCMR1ZBIPKFn3jQrag10X2AsuM= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181025213731-e84da0312774/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto 
v0.0.0-20190404164418-38d8ce5564a5 h1:bselrhR0Or1vomJZC8ZIjWtbDmn9OYFLX5Ik9alpJpE= golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE= +golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181005035420-146acd28ed58/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190206173232-65e2d4e15006 h1:bfLnR+k0tq5Lqt6dflRLcZiz6UaXCMt3vhYJ1l4FQ80= -golang.org/x/net v0.0.0-20190206173232-65e2d4e15006/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/oauth2 v0.0.0-20170412232759-a6bd8cefa181/go.mod 
h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190812203447-cdfb69ac37fc h1:gkKoSkUmnU6bpS/VhkuO27bzQeSA51uaEfbOW5dNb68= +golang.org/x/net v0.0.0-20190812203447-cdfb69ac37fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a h1:tImsplftrFpALCYumobsd0K86vlAs/eXGFms2txfJfA= golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190312061237-fead79001313 h1:pczuHS43Cp2ktBEEmLwScxgjWsBSzdaQiKzUyf3DTTc= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys 
v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e h1:nFYrTHrdrAOpShe27kaFHjsqYSEQ0KWqdWLu3xuZJts= golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc= +golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db h1:6/JqlYfC1CCaLnGceQTI+sDGhC9UBSPAsBqI0Gun6kU= golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/time v0.0.0-20161028155119-f51c12702a4d/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gomodules.xyz/jsonpatch/v2 v2.0.1/go.mod h1:IhYNNY4jnS53ZnfE4PAmpKtDpTCj1JFXc+3mwe7XcUU= +gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0= +gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= +gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e/go.mod h1:kS+toOQn6AQKjmKJ7gzohV1XkqsFehRA2FbsbkopSuQ= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/genproto v0.0.0-20170731182057-09f6ed296fc6 h1:72GtwBPfq6av9X0Ru2HtAopsPW+d+vh1K1zaxanTdE8= google.golang.org/genproto v0.0.0-20170731182057-09f6ed296fc6/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= -google.golang.org/grpc v1.13.0 h1:bHIbVsCwmvbArgCJmLdgOdHFXlKqTOVjbibbS19cXHc= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8 h1:Nw54tB0rB7hY/N0NQvRW8DG4Yk3Q6T9cu9RcFQDu1tc= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/grpc v1.13.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.21.0 h1:G+97AoqBnmZIT91cLG/EkCoK9NSelj64P8bOHHNmGn0= +google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= -gopkg.in/check.v1 
v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= -gopkg.in/inf.v0 v0.9.0 h1:3zYtXIO92bvsdS3ggAdA8Gb4Azj0YU+TVY1uGYNFA8o= gopkg.in/inf.v0 v0.9.0/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/natefinch/lumberjack.v2 v2.0.0-20150622162204-20b71e5b60d7 h1:986b60BAz5vO2Vaf48yQaq+wb2bU4JsXxKu1+itW6x8= gopkg.in/natefinch/lumberjack.v2 v2.0.0-20150622162204-20b71e5b60d7/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/square/go-jose.v2 v2.0.0-20180411045311-89060dee6a84/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= -gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0 h1:POO/ycCATvegFmVuPpQzZFJ+pGZeX22Ufu6fibxDVjU= gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg= -gopkg.in/yaml.v2 v2.2.1 h1:mUhvW9EsL+naU5Q3cakzfE91YhliOondGd6ZrsDBHQE= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2 
h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= -k8s.io/api v0.0.0-20190409092523-d687e77c8ae9 h1:c9UEl5z8gk1DGh/g3snETZ+a52YeR9VdbX/3BQ4PHas= -k8s.io/api v0.0.0-20190409092523-d687e77c8ae9/go.mod h1:FQEUn50aaytlU65qqBn/w+5ugllHwrBzKm7DzbnXdzE= -k8s.io/apimachinery v0.0.0-20190409092423-760d1845f48b h1:fVkKJL9FIpA8LSJyHVM00MP45q1WJ7+af77vcxmQP4g= -k8s.io/apimachinery v0.0.0-20190409092423-760d1845f48b/go.mod h1:FW86P8YXVLsbuplGMZeb20J3jYHscrDqw4jELaFJvRU= -k8s.io/apiserver v0.0.0-20190409093229-67d6e044d2ef h1:0JW8e1tJABjPR1XduEVUES0bCE1h2hrkGg+Y287l3rY= -k8s.io/apiserver v0.0.0-20190409093229-67d6e044d2ef/go.mod h1:+QPgMR9yE9YFLwPkY1TFifsma26Mqa1lBcA/8yXubGU= -k8s.io/client-go v0.0.0-20190409092706-ca8df85b1798 h1:kVshWJGIQLSzwnl/wes9pFfbmI79Hrz58RTSc5he2/4= -k8s.io/client-go v0.0.0-20190409092706-ca8df85b1798/go.mod h1:4IOfimLkjvlSoc9wyI1VEwkNUG20XFNp7qO6XkH2gdI= -k8s.io/component-base v0.0.0-20190409093041-e34633071963 h1:b0EoSROSsjY+8KrBR0bhSJ/fj6VAbhQu0zeQa+eMTd4= -k8s.io/component-base v0.0.0-20190409093041-e34633071963/go.mod h1:2AUf0gALRFIf31Zup6Torh8msIgiDioNziBnI8wpuk4= -k8s.io/klog v0.0.0-20190306015804-8e90cee79f82 h1:SHucoAy7lRb+w5oC/hbXyZg+zX+Wftn6hD4tGzHCVqA= -k8s.io/klog v0.0.0-20190306015804-8e90cee79f82/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +k8s.io/api v0.0.0-20190918195907-bd6ac527cfd2 h1:bkwe5LsuANqyOwsBng5Qc4S91D2Tv0JHctAztt3YTQs= +k8s.io/api v0.0.0-20190918195907-bd6ac527cfd2/go.mod h1:AOxZTnaXR/xiarlQL0JUfwQPxjmKDvVYoRp58cA7lUo= +k8s.io/apiextensions-apiserver v0.0.0-20190918201827-3de75813f604 h1:Kl/sh+wWzYK2hWFZtwvuFECup1SbE2kXfMnhGZsoO5M= +k8s.io/apiextensions-apiserver v0.0.0-20190918201827-3de75813f604/go.mod 
h1:7H8sjDlWQu89yWB3FhZfsLyRCRLuoXoCoY5qtwW1q6I= +k8s.io/apimachinery v0.0.0-20190817020851-f2f3a405f61d h1:7Kns6qqhMAQWvGkxYOLSLRZ5hJO0/5pcE5lPGP2fxUw= +k8s.io/apimachinery v0.0.0-20190817020851-f2f3a405f61d/go.mod h1:3jediapYqJ2w1BFw7lAZPCx7scubsTfosqHkhXCWJKw= +k8s.io/apiserver v0.0.0-20190918200908-1e17798da8c1 h1:vXeVIqZsVgwfUENTAeybgfNVW7zZD7GPZJGtwReK+hI= +k8s.io/apiserver v0.0.0-20190918200908-1e17798da8c1/go.mod h1:4FuDU+iKPjdsdQSN3GsEKZLB/feQsj1y9dhhBDVV2Ns= +k8s.io/client-go v0.0.0-20190918200256-06eb1244587a h1:huOvPq1vO7dkuw9rZPYsLGpFmyGvy6L8q6mDItgkdQ4= +k8s.io/client-go v0.0.0-20190918200256-06eb1244587a/go.mod h1:3YAcTbI2ArBRmhHns5vlHRX8YQqvkVYpz+U/N5i1mVU= +k8s.io/code-generator v0.0.0-20190612205613-18da4a14b22b/go.mod h1:G8bQwmHm2eafm5bgtX67XDZQ8CWKSGu9DekI+yN4Y5I= +k8s.io/component-base v0.0.0-20190918200425-ed2f0867c778 h1:YicOHTLJZz/TIpJcqhVYJI2LyuM7VMkYiiG6FZfJmzY= +k8s.io/component-base v0.0.0-20190918200425-ed2f0867c778/go.mod h1:DFWQCXgXVLiWtzFaS17KxHdlUeUymP7FLxZSkmL9/jU= +k8s.io/gengo v0.0.0-20190116091435-f8a0810f38af/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v0.3.1/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v0.3.3 h1:niceAagH1tzskmaie/icWd7ci1wbG7Bf2c6YGcQv+3c= +k8s.io/klog v0.3.3/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a30 h1:TRb4wNWoBVrH9plmkp2q86FIDppkbrEXdXlxU3a3BMI= k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a30/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc= k8s.io/utils v0.0.0-20190221042446-c2654d5206da/go.mod h1:8k8uAuAQ0rXslZKaEWd0c3oVhZz7sSzSiPnVZayjIX0= -k8s.io/utils v0.0.0-20190308190857-21c4ce38f2a7 h1:8r+l4bNWjRlsFYlQJnKJ2p7s1YQPj4XyXiJVqDHRx7c= -k8s.io/utils v0.0.0-20190308190857-21c4ce38f2a7/go.mod h1:8k8uAuAQ0rXslZKaEWd0c3oVhZz7sSzSiPnVZayjIX0= +k8s.io/utils v0.0.0-20190506122338-8fab8cb257d5 
h1:VBM/0P5TWxwk+Nw6Z+lAw3DKgO76g90ETOiA6rfLV1Y= +k8s.io/utils v0.0.0-20190506122338-8fab8cb257d5/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= +logur.dev/adapter/logrus v0.2.0 h1:X6ZA2KYCc4X3jyKSFoWVgFoqi8XcQi7JXH1HsuDr45M= +logur.dev/adapter/logrus v0.2.0/go.mod h1:d278iWcx1mP2HxN6v8iXn/WvvgJ4SWHcjT5cG5etSSI= +logur.dev/logur v0.15.0 h1:LGFzpPGsV9kVuE2V+HUyIbtYb2F1Vyp54gSp7ixLQHI= +logur.dev/logur v0.15.0/go.mod h1:DyA5B+b6WjjCcnpE1+HGtTLh2lXooxRq+JmAwXMRK08= +modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw= +modernc.org/golex v1.0.0/go.mod h1:b/QX9oBD/LhixY6NDh+IdGv17hgB+51fET1i2kPSmvk= +modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03k= +modernc.org/strutil v1.0.0/go.mod h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs= +modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I= +sigs.k8s.io/controller-runtime v0.3.0 h1:ZtdgqJXVHsIytjdmDuk0QjagnzyLq9FjojXRqIp+dU4= +sigs.k8s.io/controller-runtime v0.3.0/go.mod h1:Cw6PkEg0Sa7dAYovGT4R0tRkGhHXpYijwNxYhAnAZZk= sigs.k8s.io/structured-merge-diff v0.0.0-20190302045857-e85c7b244fd2 h1:9r5DY45ef9LtcA6BnkhW8MPV7OKAfbf2AUwUhq3LeRk= sigs.k8s.io/structured-merge-diff v0.0.0-20190302045857-e85c7b244fd2/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI= +sigs.k8s.io/testing_frameworks v0.1.1 h1:cP2l8fkA3O9vekpy5Ks8mmA0NW/F7yBdXf8brkWhVrs= +sigs.k8s.io/testing_frameworks v0.1.1/go.mod h1:VVBKrHmJ6Ekkfz284YKhQePcdycOzNH9qL6ht1zEr/U= sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs= sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= From d68fb48b61ed27e667f02085f1158dd4a4f8bf02 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Mon, 21 Oct 2019 08:36:45 +0200 Subject: [PATCH 50/66] udate dockerfiles Signed-off-by: Peter Balogh --- Dockerfile | 6 ++---- Dockerfile.debug | 4 ++-- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index a9a7a4d..9507efd 100644 
--- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.12-alpine AS builder +FROM golang:1.13-alpine AS builder RUN apk add --update --no-cache ca-certificates git @@ -10,11 +10,9 @@ RUN go mod download COPY . /build RUN go install ./cmd -FROM alpine:3.9 +FROM alpine:3.10 COPY --from=builder /go/bin/cmd /usr/local/bin/anchore-image-validator COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ -USER 65534:65534 - ENTRYPOINT ["/usr/local/bin/anchore-image-validator"] diff --git a/Dockerfile.debug b/Dockerfile.debug index fed0127..a278847 100644 --- a/Dockerfile.debug +++ b/Dockerfile.debug @@ -1,10 +1,10 @@ -FROM golang:1.12-alpine AS builder +FROM golang:1.13-alpine AS builder RUN apk add --update --no-cache ca-certificates git RUN go get github.com/derekparker/delve/cmd/dlv -FROM alpine:3.9 +FROM alpine:3.10 RUN apk add --update --no-cache libc6-compat From 3f2bd2c2af4a80c77e32fa89d449d62bebc6e3be Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Mon, 21 Oct 2019 10:21:31 +0200 Subject: [PATCH 51/66] drop generic-admission-server and move out validation Signed-off-by: Peter Balogh --- cmd/main.go | 242 ++++++++++++++++++++-------------------------------- 1 file changed, 92 insertions(+), 150 deletions(-) diff --git a/cmd/main.go b/cmd/main.go index 753cce3..8166737 100644 --- a/cmd/main.go +++ b/cmd/main.go 
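Review bot: Removing `USER 65534:65534` from the final stage of Dockerfile means the validator container now starts as root, which the previous image explicitly avoided; nothing else in the hunk (the `FROM alpine:3.10` bump and the two `COPY --from=builder` lines) replaces it. If the line was dropped to work around file ownership (for example reading the mounted TLS key pair), the usual fix is to keep `USER 65534:65534` before `ENTRYPOINT` and fix permissions at build or mount time, and to pin `runAsNonRoot: true` in the chart's pod securityContext so the cluster enforces it regardless of the image. The Dockerfile.debug hunk is a plain base-image bump and needs nothing.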
@@ -1,49 +1,44 @@ -// Copyright © 2018 Banzai Cloud -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. +/* +Copyright 2019 Banzai Cloud. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. 
+*/ package main import ( - "encoding/json" + "crypto/tls" "fmt" + "net" + "net/http" "os" - "strings" - "sync" - "github.com/banzaicloud/anchore-image-validator/pkg/anchore" + "emperror.dev/emperror" + "emperror.dev/errors" + "github.com/banzaicloud/anchore-image-validator/internal/app" + "github.com/banzaicloud/anchore-image-validator/internal/log" "github.com/banzaicloud/anchore-image-validator/pkg/apis/security/v1alpha1" - clientV1alpha1 "github.com/banzaicloud/anchore-image-validator/pkg/clientset/v1alpha1" - "github.com/openshift/generic-admission-server/pkg/cmd" - "github.com/sirupsen/logrus" - admissionv1beta1 "k8s.io/api/admission/v1beta1" - v1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime/schema" - "k8s.io/client-go/dynamic" + clientv1alpha1 "github.com/banzaicloud/anchore-image-validator/pkg/clientset/v1alpha1" + "github.com/spf13/pflag" + "github.com/spf13/viper" "k8s.io/client-go/kubernetes/scheme" - "k8s.io/client-go/rest" + crclient "sigs.k8s.io/controller-runtime/pkg/client" + crconfig "sigs.k8s.io/controller-runtime/pkg/client/config" ) -var securityClientSet *clientV1alpha1.SecurityV1Alpha1Client - -type admissionHook struct { - reservationClient dynamic.ResourceInterface - lock sync.RWMutex - initialized bool -} +var securityClientSet *clientv1alpha1.SecurityV1Alpha1Client -const apiServiceResource = "imagechecks" +const apiServiceResource = "imagecheck" var ( apiServiceGroup = os.Getenv("ANCHORE_APISERVICE_GROUP") 
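Review bot: The value of `apiServiceResource` changes from `imagechecks` to `imagecheck`, and that constant is also the last segment of the admission path built in cmd/self.go (`path.Join("/apis", apiServiceGroup, apiServiceVersion, apiServiceResource)`), so the route served by the new `internal/app` handler and any APIService object in the chart must agree with the singular form. With the webhook registered as `FailurePolicy: Fail`, a mismatch would reject every pod create in the selected namespaces rather than fail open. A one-line comment on the constant would make the coupling visible: `// apiServiceResource is the last path segment the API server calls; it must match the route served by internal/app`.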
@@ -53,24 +48,79 @@ var ( namespaceSelector = getEnv("NAMESPACE_SELECTOR", "exclude") ) +// nolint: gochecknoinits +func init() { + pflag.Bool("version", false, "Show version information") + pflag.Bool("dump-config", false, "Dump configuration to the console (and exit)") +} + func main() { - var config *rest.Config - var err error - config, err = rest.InClusterConfig() + configure(viper.GetViper(), pflag.CommandLine) + + pflag.Parse() + + if viper.GetBool("version") { + fmt.Printf("%s version %s (%s) built on %s\n", "anchore-image-validator", version, commitHash, buildDate) + + os.Exit(0) + } + + err := viper.ReadInConfig() + _, configFileNotFound := err.(viper.ConfigFileNotFoundError) + if !configFileNotFound { + emperror.Panic(errors.Wrap(err, "failed to read configuration")) + } + + var config Config + err = viper.Unmarshal(&config) if err != nil { - logrus.Error(err) + emperror.Panic(errors.Wrap(err, "failed to unmarshal configuration")) } + if viper.GetBool("dump-config") { + fmt.Printf("%+v\n", config) + + os.Exit(0) + } + + // Create logger (first thing after configuration loading) + logger := log.NewLogger(config.Log) + + // Provide some basic context to all log lines + logger = log.WithFields(logger, map[string]interface{}{"service": "imagecheck"}) + + k8sCfg := crconfig.GetConfigOrDie() + + logger.Info("kubernetes config", map[string]interface{}{ + "k8sHost": k8sCfg.Host}) + v1alpha1.AddToScheme(scheme.Scheme) - securityClientSet, err = clientV1alpha1.SecurityConfig(config) + securityClientSet, err = clientv1alpha1.SecurityConfig(k8sCfg) if err != nil { - logrus.Error(err) + logger.Error("error") } - installValidatingWebhookConfig(config) + client, err := crclient.New(k8sCfg, crclient.Options{}) + if err != nil { + logger.Error("get clisntset failed", map[string]interface{}{ + "k8sHost": k8sCfg.Host}) + } + + installValidatingWebhookConfig(client) + + pair, err := tls.LoadX509KeyPair(config.App.CertFile, config.App.KeyFile) + if err != nil { + 
logger.Error("failed to load key pair") + } - cmd.RunAdmissionServer(&admissionHook{}) + ln, _ := net.Listen("tcp", fmt.Sprintf(":%v", config.App.Port)) + httpServer := &http.Server{ + Handler: app.NewApp(logger, client), + TLSConfig: &tls.Config{Certificates: []tls.Certificate{pair}}, + } + logger.Info("starting the webhook.") + httpServer.ServeTLS(ln, "", "") } func getEnv(key, fallback string) string { 
@@ -80,111 +130,3 @@ func getEnv(key, fallback string) string { } return value } - -func (a *admissionHook) ValidatingResource() (plural schema.GroupVersionResource, singular string) { - return schema.GroupVersionResource{ - Group: apiServiceGroup, - Version: apiServiceVersion, - Resource: apiServiceResource, - }, - "imagecheck" -} - -func (a *admissionHook) Validate(admissionSpec *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse { - status := &admissionv1beta1.AdmissionResponse{ - Allowed: true, - UID: admissionSpec.UID, - Result: &metav1.Status{Status: "Success", Message: ""}} - - if admissionSpec.Kind.Kind == "Pod" { - whitelists, err := securityClientSet.Whitelists().List(metav1.ListOptions{}) - if err != nil { - logrus.Error(err) - } else { - logrus.WithFields(logrus.Fields{ - "whitelists": whitelists.Items, - }).Debug("Whitelists found") - } - pod := v1.Pod{} - json.Unmarshal(admissionSpec.Object.Raw, &pod) - logrus.WithFields(logrus.Fields{ - "PodName": pod.Name, - "NameSpace": pod.Namespace, - "Labels": pod.Labels, - "Anotations": pod.Annotations, - }).Debug("Pod details") - - var result []string - var message string - var auditImages []v1alpha1.AuditImage - r, f := getReleaseName(pod.Labels, pod.Name) - for _, container := range pod.Spec.Containers { - image := container.Image - logrus.WithFields(logrus.Fields{ - "image": image, - }).Info("Checking image") - auditImage, ok := anchore.CheckImage(image) - if !ok { - status.Result.Status = "Failure" - status.Allowed = false - if checkWhiteList(whitelists.Items, r, f) { - status.Result.Status = "Success" - status.Allowed = true - logrus.WithFields(logrus.Fields{ - "PodName": pod.Name, - }).Info("Whitelisted release") - } - message = fmt.Sprintf("Image failed policy check: %s", image) - status.Result.Message = message - logrus.WithFields(logrus.Fields{ - "image": image, - }).Warning("Image failed policy check") - } else { - message = fmt.Sprintf("Image passed policy check: %s", image) - 
logrus.WithFields(logrus.Fields{ - "image": image, - }).Warning("Image passed policy check") - } - result = append(result, message) - auditImages = append(auditImages, auditImage) - } - - fr := "false" - if f { - fr = "true" - } - action := "reject" - if status.Allowed { - action = "allowed" - } - owners := pod.GetOwnerReferences() - var auditName string - if len(owners) > 0 { - auditName = strings.ToLower(owners[0].Kind) + "-" + strings.ToLower(owners[0].Name) - } else { - auditName = pod.Name - } - - ainfo := auditInfo{ - name: auditName, - labels: map[string]string{"fakerelease": fr}, - releaseName: r, - resource: "Pod", - images: auditImages, - result: result, - action: action, - state: "", - owners: owners, - } - - createOrUpdateAudit(ainfo) - logrus.WithFields(logrus.Fields{ - "Status": status, - }).Debug("Security scan status") - } - return status -} - -func (a *admissionHook) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error { - return nil -} From 2c20470184ebe8e9bf33c60cf601a9984a9de70a Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Mon, 21 Oct 2019 10:22:50 +0200 Subject: [PATCH 52/66] use controller-runtime Signed-off-by: Peter Balogh --- cmd/self.go | 94 ++++++++++++++++++++++++++--------------------------- 1 file changed, 47 insertions(+), 47 deletions(-) diff --git a/cmd/self.go b/cmd/self.go index e83d962..4f20cf0 100644 --- a/cmd/self.go +++ b/cmd/self.go 
@@ -1,55 +1,55 @@ -// Copyright © 2018 Banzai Cloud -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. +/* +Copyright 2019 Banzai Cloud. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. 
+*/ package main import ( + "context" "encoding/base64" "fmt" "os" "path" "emperror.dev/errors" - "github.com/sirupsen/logrus" - admissionV1beta1 "k8s.io/api/admissionregistration/v1beta1" + admissionv1beta1 "k8s.io/api/admissionregistration/v1beta1" + corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - admissionClient "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1" - clientV1 "k8s.io/client-go/kubernetes/typed/core/v1" - "k8s.io/client-go/rest" + "sigs.k8s.io/controller-runtime/pkg/client" ) -func createValidatingWebhook(c *clientV1.CoreV1Client) *admissionV1beta1.ValidatingWebhookConfiguration { +func createValidatingWebhook(c client.Client) (*admissionv1beta1.ValidatingWebhookConfiguration, error) { path := path.Join("/apis", apiServiceGroup, apiServiceVersion, apiServiceResource) webHookName := fmt.Sprintf("%s.%s", anchoreReleaseName, apiServiceGroup) ownerref, caBundle, err := getSelf(c) if err != nil { - logrus.Error(err) - return nil + return nil, errors.WrapIf(err, "unable to get self object") } - rule := admissionV1beta1.Rule{ + rule := admissionv1beta1.Rule{ APIGroups: []string{""}, APIVersions: []string{"*"}, Resources: []string{"pods"}, } - rulesWithOperations := admissionV1beta1.RuleWithOperations{ - Operations: []admissionV1beta1.OperationType{admissionV1beta1.Create}, + rulesWithOperations := admissionv1beta1.RuleWithOperations{ + Operations: []admissionv1beta1.OperationType{admissionv1beta1.Create}, Rule: rule, } - failurePolicy := admissionV1beta1.Fail + failurePolicy := admissionv1beta1.Fail selectorOperator := metav1.LabelSelectorOpNotIn selectorValues := []string{"noscan"} 
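Review bot: `createValidatingWebhook` now returns an error instead of logging and returning nil, which is the right change, but neither it nor the new `client.Client` parameter is documented, and the function's body continues past the end of this hunk. A short doc comment grounded in what the function does here would help the next reader: `// createValidatingWebhook builds the ValidatingWebhookConfiguration for pod CREATE requests; it uses the owner references and CA bundle returned by getSelf(c) and returns an error when that lookup fails.` The rename from `admissionV1beta1` to `admissionv1beta1` is the conventional alias casing and needs nothing further.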
@@ -69,22 +69,22 @@ func createValidatingWebhook(c *clientV1.CoreV1Client) *admissionV1beta1.Validat MatchExpressions: []metav1.LabelSelectorRequirement{expression}, } - validatingWebhook := admissionV1beta1.Webhook{ + validatingWebhook := admissionv1beta1.ValidatingWebhook{ Name: webHookName, - ClientConfig: admissionV1beta1.WebhookClientConfig{ - Service: &admissionV1beta1.ServiceReference{ + ClientConfig: admissionv1beta1.WebhookClientConfig{ + Service: &admissionv1beta1.ServiceReference{ Namespace: "default", Name: "kubernetes", Path: &path, }, CABundle: caBundle, }, - Rules: []admissionV1beta1.RuleWithOperations{rulesWithOperations}, + Rules: []admissionv1beta1.RuleWithOperations{rulesWithOperations}, FailurePolicy: &failurePolicy, NamespaceSelector: nameSpaceSelector, } - validatingWebhookConfig := &admissionV1beta1.ValidatingWebhookConfiguration{ + validatingWebhookConfig := &admissionv1beta1.ValidatingWebhookConfiguration{ TypeMeta: metav1.TypeMeta{ Kind: "ValidatingWebhookConfiguration", APIVersion: "admissionregistration.k8s.io/v1beta1", 
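Review bot: The `ValidatingWebhook` declares neither `SideEffects` nor `TimeoutSeconds`, and the `admissionregistration.k8s.io/v1beta1` API it targets is deprecated; moving to v1 will require `SideEffects` and `AdmissionReviewVersions` anyway, so setting them now is cheap. If, as the handler.go hunk later in this series suggests (`createOrUpdateAudit` writes Audit objects), the validator has side effects on the admission path, the honest value is `NoneOnDryRun` together with a `Request.DryRun` check in the handler; otherwise a `--dry-run=server` pod create still leaves an Audit object behind. An explicit `TimeoutSeconds` also documents how long the apiserver waits before `FailurePolicy: Fail` turns a slow scan into a rejected pod. The enclosing function starts and ends outside this hunk.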
@@ -92,41 +92,37 @@ func createValidatingWebhook(c *clientV1.CoreV1Client) *admissionV1beta1.Validat ObjectMeta: metav1.ObjectMeta{ Name: webHookName, }, - Webhooks: []admissionV1beta1.Webhook{validatingWebhook}, + Webhooks: []admissionv1beta1.ValidatingWebhook{validatingWebhook}, } validatingWebhookConfig.SetOwnerReferences(ownerref) - return validatingWebhookConfig + return validatingWebhookConfig, nil } -func installValidatingWebhookConfig(c *rest.Config) error { - coreClientSet, err := clientV1.NewForConfig(c) +func installValidatingWebhookConfig(c client.Client) error { + validatingWebhookConfig, err := createValidatingWebhook(c) if err != nil { - logrus.Error(err) - } - validatingWebhookConfig := createValidatingWebhook(coreClientSet) - if validatingWebhookConfig == nil { return errors.WrapIf(err, "cannot create ValidatingkWebhooConfiguration") } - admissionClientSet, err := admissionClient.NewForConfig(c) - if err != nil { - return errors.WrapIf(err, "cannot create admission registration client") - } - validatingInt := admissionClientSet.ValidatingWebhookConfigurations() - _, err = validatingInt.Create(validatingWebhookConfig) + + err = c.Create(context.Background(), validatingWebhookConfig) if err != nil { return errors.WrapIf(err, "cannot install ValidatingWebhookConfiguration") } return nil } -func getSelf(c *clientV1.CoreV1Client) ([]metav1.OwnerReference, []byte, error) { +func getSelf(c client.Client) ([]metav1.OwnerReference, []byte, error) { podName, _ := os.Hostname() if kubernetesNameSpace == "" { return nil, nil, errors.New("not defined KUBERNETES_NAMESPACE env") } - podDetail, err := c.Pods(kubernetesNameSpace).Get(podName, metav1.GetOptions{}) + podDetail := &corev1.Pod{} + err := c.Get(context.Background(), client.ObjectKey{ + Namespace: kubernetesNameSpace, + Name: podName, + }, podDetail) if err != nil { return nil, nil, errors.WrapIf(err, "unable to get self details") } 
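Review bot: `c.Create` of the ValidatingWebhookConfiguration treats every error as fatal, so a restart of the validator pod (new hostname, new owner UID) fails with "cannot install ValidatingWebhookConfiguration" whenever the previous configuration still exists; distinguish `apierrors.IsAlreadyExists(err)` and fall back to an update (or delete-and-recreate, since the owner reference must move to the new pod). The owner reference itself warrants a caveat comment: the configuration is cluster-scoped while the pod it points to is namespaced, and the garbage collector's documented rule is that cluster-scoped dependents may only name cluster-scoped owners, so cleanup on pod deletion should not be relied upon. The error text `"cannot create ValidatingkWebhooConfiguration"` has a typo worth fixing while here. In getSelf, `podName, _ := os.Hostname()` drops the error; an empty name would make the `c.Get` fail with a misleading message, so return it instead. getSelf continues past the end of this hunk.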
@@ -142,7 +138,11 @@ func getSelf(c *clientV1.CoreV1Client) ([]metav1.OwnerReference, []byte, error) UID: podDetail.ObjectMeta.UID, } - secretDetail, err := c.Secrets(kubernetesNameSpace).Get(anchoreReleaseName, metav1.GetOptions{}) + secretDetail := &corev1.Secret{} + err = c.Get(context.Background(), client.ObjectKey{ + Namespace: kubernetesNameSpace, + Name: anchoreReleaseName, + }, secretDetail) if err != nil { return nil, nil, errors.WrapIf(err, "unable to get secretDetail") } From b4fe49670057557e0ba20d0c2682e85a8427f8e9 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Mon, 21 Oct 2019 10:23:20 +0200 Subject: [PATCH 53/66] update license header Signed-off-by: Peter Balogh --- cmd/build.go | 28 ++++++++++++++------------ pkg/anchore/client.go | 28 ++++++++++++++------------ pkg/anchore/types.go | 28 ++++++++++++++------------ pkg/apis/security/v1alpha1/deepcopy.go | 28 ++++++++++++++------------ pkg/apis/security/v1alpha1/register.go | 28 ++++++++++++++------------ pkg/apis/security/v1alpha1/types.go | 28 ++++++++++++++------------ pkg/clientset/v1alpha1/api.go | 28 ++++++++++++++------------ pkg/clientset/v1alpha1/audit.go | 28 ++++++++++++++------------ pkg/clientset/v1alpha1/whitelist.go | 28 ++++++++++++++------------ 9 files changed, 135 insertions(+), 117 deletions(-) diff --git a/cmd/build.go b/cmd/build.go index ca26fa0..6834f4f 100644 --- a/cmd/build.go +++ b/cmd/build.go 
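Review bot: The CA bundle is obtained by reading a `corev1.Secret` named `anchoreReleaseName`, which means the validator's ServiceAccount needs `get` on secrets in its namespace even though a CA certificate is public material. If that Secret also carries the serving key (the `tls.crt`/`tls.key` defaults added in cmd/config.go later in this series suggest it may), publishing the CA into a ConfigMap and reading that instead keeps the validator from being able to read its own private key and shrinks the RBAC grant. At minimum, add a comment above the `c.Get` naming which key of the Secret is consumed and that only the certificate is needed. getSelf starts before and continues after this hunk.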
@@ -1,16 +1,18 @@ -// Copyright © 2018 Banzai Cloud -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. +/* +Copyright 2019 Banzai Cloud. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ package main diff --git a/pkg/anchore/client.go b/pkg/anchore/client.go index 4f26eda..bbfb6ed 100644 --- a/pkg/anchore/client.go +++ b/pkg/anchore/client.go 
@@ -1,16 +1,18 @@ -// Copyright © 2018 Banzai Cloud -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. +/* +Copyright 2019 Banzai Cloud. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ package anchore diff --git a/pkg/anchore/types.go b/pkg/anchore/types.go index 89871d0..9fcd20e 100644 --- a/pkg/anchore/types.go +++ b/pkg/anchore/types.go 
@@ -1,16 +1,18 @@ -// Copyright © 2018 Banzai Cloud -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. +/* +Copyright 2019 Banzai Cloud. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ package anchore diff --git a/pkg/apis/security/v1alpha1/deepcopy.go b/pkg/apis/security/v1alpha1/deepcopy.go index 983a8dc..9831d72 100644 --- a/pkg/apis/security/v1alpha1/deepcopy.go +++ b/pkg/apis/security/v1alpha1/deepcopy.go 
@@ -1,16 +1,18 @@ -// Copyright © 2018 Banzai Cloud -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. +/* +Copyright 2019 Banzai Cloud. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ package v1alpha1 diff --git a/pkg/apis/security/v1alpha1/register.go b/pkg/apis/security/v1alpha1/register.go index 6f4c87c..2262390 100644 --- a/pkg/apis/security/v1alpha1/register.go +++ b/pkg/apis/security/v1alpha1/register.go 
@@ -1,16 +1,18 @@ -// Copyright © 2018 Banzai Cloud -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. +/* +Copyright 2019 Banzai Cloud. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ package v1alpha1 diff --git a/pkg/apis/security/v1alpha1/types.go b/pkg/apis/security/v1alpha1/types.go index 7e42195..e599e42 100644 --- a/pkg/apis/security/v1alpha1/types.go +++ b/pkg/apis/security/v1alpha1/types.go 
@@ -1,16 +1,18 @@ -// Copyright © 2018 Banzai Cloud -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. +/* +Copyright 2019 Banzai Cloud. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ package v1alpha1 diff --git a/pkg/clientset/v1alpha1/api.go b/pkg/clientset/v1alpha1/api.go index 8825141..e756ac0 100644 --- a/pkg/clientset/v1alpha1/api.go +++ b/pkg/clientset/v1alpha1/api.go 
@@ -1,16 +1,18 @@ -// Copyright © 2018 Banzai Cloud -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. +/* +Copyright 2019 Banzai Cloud. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ package v1alpha1 diff --git a/pkg/clientset/v1alpha1/audit.go b/pkg/clientset/v1alpha1/audit.go index 20b07f4..cd86be4 100644 --- a/pkg/clientset/v1alpha1/audit.go +++ b/pkg/clientset/v1alpha1/audit.go 
@@ -1,16 +1,18 @@ -// Copyright © 2018 Banzai Cloud -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. +/* +Copyright 2019 Banzai Cloud. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ package v1alpha1 diff --git a/pkg/clientset/v1alpha1/whitelist.go b/pkg/clientset/v1alpha1/whitelist.go index 2a6dc49..4b7b106 100644 --- a/pkg/clientset/v1alpha1/whitelist.go +++ b/pkg/clientset/v1alpha1/whitelist.go 
@@ -1,16 +1,18 @@ -// Copyright © 2018 Banzai Cloud -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. +/* +Copyright 2019 Banzai Cloud. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ package v1alpha1 From 8538d7d7a631b2515400ebd95204f199a9478808 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Mon, 21 Oct 2019 10:25:01 +0200 Subject: [PATCH 54/66] add config Signed-off-by: Peter Balogh --- cmd/config.go | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 cmd/config.go diff --git a/cmd/config.go b/cmd/config.go new file mode 100644 index 0000000..e3450ef --- /dev/null +++ b/cmd/config.go 
@@ -0,0 +1,61 @@ +/* +Copyright 2019 Banzai Cloud. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package main + +import ( + "fmt" + "os" + "strings" + + "github.com/banzaicloud/anchore-image-validator/internal/app" + "github.com/banzaicloud/anchore-image-validator/internal/log" + "github.com/spf13/pflag" + "github.com/spf13/viper" +) + +// Config contains configs +type Config struct { + // App configuration + App app.Config + // Log configuration + Log log.Config +} + +func configure(v *viper.Viper, p *pflag.FlagSet) { + p.Init("imagecheck", pflag.ExitOnError) + pflag.Usage = func() { + _, _ = fmt.Fprintln(os.Stderr, "Usage of imagecheck:") + pflag.PrintDefaults() + } + _ = v.BindPFlags(p) + // Log configuration + v.SetDefault("log.format", "json") + v.SetDefault("log.level", "info") + v.SetDefault("log.noColor", true) + // App configuration + v.SetDefault("app.port", 8443) + v.SetDefault("app.certfile", "/webhook/certs/tls.crt") + v.SetDefault("app.keyfile", "/webhook/certs/tls.key") + + v.AllowEmptyEnv(true) + v.SetEnvPrefix("imagecheck") + v.SetConfigName("config") + v.AddConfigPath(".") + v.AddConfigPath(os.Getenv("CONFIG_DIR")) + v.SetEnvKeyReplacer(strings.NewReplacer(".", "_")) + v.AutomaticEnv() +} From 8d122fd4a67f47ae19ea7b649a69c32542ae5c01 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Mon, 21 Oct 2019 10:25:55 +0200 Subject: [PATCH 55/66] add log 
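Review bot: `pflag.Usage` and `pflag.PrintDefaults()` operate on the package-level `pflag.CommandLine` set, while the flags are initialised and bound from the `p` FlagSet passed in (`p.Init("imagecheck", pflag.ExitOnError)`), so unless the caller passes `pflag.CommandLine` the usage text lists the wrong flags; use `p.Usage = func() { ...; p.PrintDefaults() }`. `_ = v.BindPFlags(p)` discards the only error this function can produce; since configure runs once at startup, returning or at least logging it avoids flags silently having no effect. `v.AllowEmptyEnv(true)` means an exported-but-empty `IMAGECHECK_APP_CERTFILE` overrides the default with "", which is fail-closed for TLS but surprising enough to deserve a comment. `v.AddConfigPath(os.Getenv("CONFIG_DIR"))` passes an empty string when the variable is unset; viper appears to ignore empty paths, but a one-line comment saying so would save the next reader a lookup.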
Signed-off-by: Peter Balogh --- internal/log/config.go | 28 +++++++++++++++++++++ internal/log/logger.go | 55 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 83 insertions(+) create mode 100644 internal/log/config.go create mode 100644 internal/log/logger.go diff --git a/internal/log/config.go b/internal/log/config.go new file mode 100644 index 0000000..9026533 --- /dev/null +++ b/internal/log/config.go @@ -0,0 +1,28 @@ +/* +Copyright 2019 Banzai Cloud. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package log + +// Config holds details necessary for logging. +type Config struct { + // Format specifies the output log format. + // Accepted values are: json, logfmt + Format string + // Level is the minimum log level that should appear on the output. + Level string + // NoColor makes sure that no log output gets colorized. + NoColor bool +} diff --git a/internal/log/logger.go b/internal/log/logger.go new file mode 100644 index 0000000..7b9187f --- /dev/null +++ b/internal/log/logger.go 
@@ -0,0 +1,55 @@ +/* +Copyright 2019 Banzai Cloud. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package log + +import ( + "os" + + "github.com/sirupsen/logrus" + logrusadapter "logur.dev/adapter/logrus" + "logur.dev/logur" +) + +// NewLogger creates a new logger. +func NewLogger(config Config) logur.Logger { + logger := logrus.New() + + logger.SetOutput(os.Stdout) + logger.SetFormatter(&logrus.TextFormatter{ + DisableColors: config.NoColor, + EnvironmentOverrideColors: true, + }) + + switch config.Format { + case "logfmt": + // Already the default + + case "json": + logger.SetFormatter(&logrus.JSONFormatter{}) + } + + if level, err := logrus.ParseLevel(config.Level); err == nil { + logger.SetLevel(level) + } + + return logrusadapter.New(logger) +} + +// WithFields returns a new contextual logger instance with context added to it. +func WithFields(logger logur.Logger, fields map[string]interface{}) logur.Logger { + return logur.WithFields(logger, fields) +} From b94d2630e438a24ae68d7a79f54994926f477784 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Mon, 21 Oct 2019 10:28:28 +0200 Subject: [PATCH 56/66] move validation to internal Signed-off-by: Peter Balogh --- internal/app/app.go | 117 +++++++++++++++++++++++++++++++++++++++ internal/app/config.go | 27 +++++++++ internal/app/validate.go | 81 +++++++++++++++++++++++++++ 3 files changed, 225 insertions(+) create mode 100644 internal/app/app.go create mode 100644 internal/app/config.go create mode 100644 internal/app/validate.go 
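Review bot: A misspelled `config.Level` is silently ignored — the `logrus.ParseLevel` error is dropped and the logger keeps logrus's default level — and an unknown `config.Format` silently stays on the text formatter, so a typo in deployment config quietly changes what the admission log records, although Config documents the accepted values as `json, logfmt`. Return the parse error from NewLogger (or fall back explicitly and emit a warning through the new logger) and add a `default:` case to the format switch, e.g. `default: logger.Warnf("unknown log format %q, using logfmt", config.Format)`. The `WithFields` helper is a one-line pass-through to `logur.WithFields`; a doc comment saying it exists only to keep callers off the logur import would explain why it is here.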
diff --git a/internal/app/app.go b/internal/app/app.go new file mode 100644 index 0000000..7cd7946 --- /dev/null +++ b/internal/app/app.go 
@@ -0,0 +1,117 @@ +/* +Copyright 2019 Banzai Cloud. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package app + +import ( + "encoding/json" + "fmt" + "io/ioutil" + "net/http" + + admissionv1beta1 "k8s.io/api/admission/v1beta1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/serializer" + "logur.dev/logur" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +const imageValidate = "imagechecks" + +// NewApp creates new application +func NewApp(logger logur.Logger, client client.Client) http.Handler { + mux := http.NewServeMux() + mux.Handle(imageValidate, newHTTPHandler(logger, client)) + + return mux +} + +var ( + runtimeScheme = runtime.NewScheme() + codecs = serializer.NewCodecFactory(runtimeScheme) + deserializer = codecs.UniversalDeserializer() + defaulter = runtime.ObjectDefaulter(runtimeScheme) +) + +// HTTPController collects the greeting use cases and exposes them as HTTP handlers. +type HTTPController struct { + Logger logur.Logger + Client client.Client +} + +// NewHTTPHandler returns a new HTTP handler for the greeter. +func newHTTPHandler(logger logur.Logger, client client.Client) http.Handler { + mux := http.NewServeMux() + controller := NewHTTPController(logger, client) + mux.HandleFunc(imageValidate, controller.webhookCTRL) + return mux +} + +// NewHTTPController returns a new HTTPController instance. 
+func NewHTTPController(logger logur.Logger, client client.Client) *HTTPController { + return &HTTPController{ + Logger: logger, + Client: client, + } +} + +func (a *HTTPController) webhookCTRL(w http.ResponseWriter, r *http.Request) { + body, err := ioutil.ReadAll(r.Body) + if err != nil { + http.Error(w, "reading request body failed", http.StatusInternalServerError) + return + } + if len(body) == 0 { + http.Error(w, "empty body", http.StatusBadRequest) + return + } + + var admissionResponse *admissionv1beta1.AdmissionResponse + ar := admissionv1beta1.AdmissionReview{} + if _, _, err := deserializer.Decode(body, nil, &ar); err != nil { + a.Logger.Error("Can't decode body") + admissionResponse = &admissionv1beta1.AdmissionResponse{ + Result: &metav1.Status{ + Message: err.Error(), + }, + } + } else { + fmt.Println(r.URL.Path) + if r.URL.Path == imageValidate { + admissionResponse = validate(&ar, a.Logger, a.Client) + a.Logger.Info("------ ehunnvagyoke ------") + } + } + + if admissionResponse != nil { + ar.Response = admissionResponse + if ar.Request != nil { + ar.Response.UID = ar.Request.UID + } + } + + resp, err := json.Marshal(ar) + if err != nil { + a.Logger.Error("Can't encode response") + http.Error(w, fmt.Sprintf("could not encode response: %v", err), http.StatusInternalServerError) + } + a.Logger.Info("Ready to write reponse ...") + if _, err := w.Write(resp); err != nil { + a.Logger.Error("Can't write response") + http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError) + } +} diff --git a/internal/app/config.go b/internal/app/config.go new file mode 100644 index 0000000..a15a96f --- /dev/null +++ b/internal/app/config.go 
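Review bot: `imageValidate = "imagechecks"` has no leading slash, so `mux.Handle(imageValidate, …)` registers a host-based pattern (ServeMux treats a pattern not starting with `/` as a hostname) and `r.URL.Path == imageValidate` can never be true for a request to `/imagechecks`; every admission call would then return an AdmissionReview with no `Response`, and with `FailurePolicy: Fail` all pod creates are rejected. Make it `const imageValidate = "/imagechecks"`, and since the mux already selects the path, the inner path comparison can go. The body is read with an unbounded `ioutil.ReadAll(r.Body)`; wrap it as `http.MaxBytesReader(w, r.Body, maxBodyBytes)` — the apiserver is the only expected client, but the port is still a network listener. When `json.Marshal` fails, `http.Error` is called but the function falls through and writes `resp` anyway; add a `return`. `fmt.Println(r.URL.Path)` and the `------ ehunnvagyoke ------` log line look like debugging leftovers.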
@@ -0,0 +1,27 @@ +/* +Copyright 2019 Banzai Cloud. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package app + +// Config holds details necessary for app. +type Config struct { + // Port defines server port + Port int + // CertFile server certificate path + CertFile string + // KeyFile server key path + KeyFile string +} diff --git a/internal/app/validate.go b/internal/app/validate.go new file mode 100644 index 0000000..13f75a7 --- /dev/null +++ b/internal/app/validate.go 
@@ -0,0 +1,81 @@ +/* +Copyright 2019 Banzai Cloud. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package app + +import ( + "encoding/json" + + admissionv1beta1 "k8s.io/api/admission/v1beta1" + v1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "logur.dev/logur" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +func validate(ar *admissionv1beta1.AdmissionReview, logger logur.Logger, c client.Client) *admissionv1beta1.AdmissionResponse { + req := ar.Request + logger.Info("AdmissionReview for", map[string]interface{}{ + "Kind": req.Kind, + "Namespsce": req.Namespace, + "Resource": req.Resource, + "UserInfo": req.UserInfo}) + + switch req.Kind.Kind { + case "Pod": + pod := v1.Pod{} + if err := json.Unmarshal(req.Object.Raw, &pod); err != nil { + logger.Error("could not unmarshal raw object") + return &admissionv1beta1.AdmissionResponse{ + Result: &metav1.Status{ + Message: err.Error(), + }, + } + } + + ok, err := checkImage(&pod, pod.GetNamespace(), logger) + if err != nil { + return &admissionv1beta1.AdmissionResponse{ + Allowed: false, + Result: &metav1.Status{ + Reason: metav1.StatusReason(err.Error()), + }, + } + } + if !ok { + return &admissionv1beta1.AdmissionResponse{ + Allowed: false, + Result: &metav1.Status{ + Reason: "scan results are above treshold", + }, + } + } + } + + return &admissionv1beta1.AdmissionResponse{ + Allowed: true, + Result: &metav1.Status{ + Status: "Success", + Reason: "", + Message: "", + }, + } +} + +func checkImage(pod 
*v1.Pod, namespave string, logger logur.Logger) (bool, error) { + + return false, nil +} From c56c73660f7ec451e189463cec013f34f4e3e718 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Mon, 21 Oct 2019 12:31:46 +0200 Subject: [PATCH 57/66] use controller-runtime in handler Signed-off-by: Peter Balogh --- {cmd => internal/app}/handler.go | 73 +++++++++++++++++++------------- 1 file changed, 43 insertions(+), 30 deletions(-) rename {cmd => internal/app}/handler.go (63%) diff --git a/cmd/handler.go b/internal/app/handler.go similarity index 63% rename from cmd/handler.go rename to internal/app/handler.go index f38014f..fa9a928 100644 --- a/cmd/handler.go +++ b/internal/app/handler.go @@ -1,20 +1,23 @@ -// Copyright © 2018 Banzai Cloud -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package main +/* +Copyright 2019 Banzai Cloud. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package app import ( + "context" "encoding/json" "regexp" "strings" 
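Review bot: `req := ar.Request` is dereferenced at `req.Kind` with no nil check, although the caller in app.go treats a nil `ar.Request` as possible (`if ar.Request != nil { ar.Response.UID = … }`), so a malformed AdmissionReview panics the handler goroutine. Guard with `if req == nil { return &admissionv1beta1.AdmissionResponse{Result: &metav1.Status{Message: "empty admission request"}} }`. Error text is placed in `metav1.Status.Reason`, which is a machine-readable enum; put `err.Error()` in `Message` and keep `Reason` for a fixed value such as `metav1.StatusReasonForbidden`. As committed, the `checkImage` stub returns `false, nil`, so every Pod is denied with "scan results are above treshold" (typo: threshold) — fine for an intermediate commit, but the message should be fixed before the stub is filled in.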
@@ -22,6 +25,8 @@ import ( "github.com/banzaicloud/anchore-image-validator/pkg/apis/security/v1alpha1" "github.com/sirupsen/logrus" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/controller-runtime/pkg/client" ) type auditInfo struct { @@ -90,7 +95,7 @@ func regexpWhiteList(wl v1alpha1.WhiteListItem) *regexp.Regexp { return nil } -func createOrUpdateAudit(a auditInfo) { +func createOrUpdateAudit(a auditInfo, c client.Client) { auditCR := &v1alpha1.Audit{ TypeMeta: metav1.TypeMeta{ Kind: "Audit", 
@@ -111,35 +116,43 @@ func createOrUpdateAudit(a auditInfo) { State: a.state, }, } - actionByte := []byte(`{"spec":`) - aSpec, er := json.Marshal(auditCR.Spec) - if er != nil { - logrus.Error(er) - } - actionByte = append(actionByte, aSpec...) - tail := []byte(`}`) - actionByte = append(actionByte, tail...) + auditCR.SetOwnerReferences(a.owners) - audit, err := securityClientSet.Audits().Create(auditCR) + + err := c.Create(context.Background(), auditCR) + // audit, err := securityClientSet.Audits().Create(auditCR) if err != nil { logrus.Error(err) - audit, err = securityClientSet.Audits().Update(a.name, actionByte) + + actionByte := []byte(`{"spec":`) + aSpec, er := json.Marshal(auditCR.Spec) + if er != nil { + logrus.Error(er) + } + actionByte = append(actionByte, aSpec...) + tail := []byte(`}`) + actionByte = append(actionByte, tail...) + + err = c.Patch(context.Background(), auditCR, client.ConstantPatch(types.MergePatchType, actionByte)) + // audit, err = securityClientSet.Audits().Update(a.name, actionByte) if err != nil { logrus.Error(err) } else { logrus.WithFields(logrus.Fields{ - "Audit": audit, + "Audit": auditCR.Name, }).Debug("Update Audit") } } else { logrus.WithFields(logrus.Fields{ - "Audit": audit, + "Audit": auditCR.Name, }).Debug("Created Audit") } } -func listAudits() { - audits, err := securityClientSet.Audits().List(metav1.ListOptions{}) +func listAudits(c client.Client) { + audits := &v1alpha1.AuditList{} + err := c.List(context.Background(), audits) + //audits, err := securityClientSet.Audits().List(metav1.ListOptions{}) if err != nil { logrus.Error(err) } else { From 7f28fff1a445a9f7602f7c3c3cb636a101d6995a Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Thu, 28 Nov 2019 11:15:07 +0100 Subject: [PATCH 58/66] filter anchore-policy-validator chart 
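Review bot: The fallback in `createOrUpdateAudit` takes the patch path on any `Create` error, not only AlreadyExists, so an RBAC denial or an API-server outage is followed by a second call that fails for the same reason and is logged twice. A `json.Marshal` failure is likewise only logged, after which the code still sends the truncated body `{"spec":}`. Gate the retry on the error kind — `if !apierrors.IsAlreadyExists(err) { logrus.Error(err); return }` with `apierrors "k8s.io/apimachinery/pkg/api/errors"`, which the visible import hunk does not add — and return after a marshal failure. Since the Audit CR is the durable record of an admission decision, consider returning the error from this function so the caller (outside this hunk) can decide whether a lost audit record should be surfaced instead of swallowed in logs.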
Signed-off-by: Peter Balogh --- Chart.yaml => charts/anchore-policy-validator/Chart.yaml | 0 README.md => charts/anchore-policy-validator/README.md | 0 .../anchore-policy-validator/templates}/NOTES.txt | 0 .../anchore-policy-validator/templates}/_helpers.tpl | 0 .../anchore-policy-validator/templates}/apiservice-webhook.yaml | 0 .../anchore-policy-validator/templates}/audit-crd.yaml | 0 .../templates}/default-policy-configmap.yaml | 0 .../anchore-policy-validator/templates}/default-policy-job.yaml | 0 .../anchore-policy-validator/templates}/validator-deployment.yaml | 0 .../anchore-policy-validator/templates}/validator-psp.yaml | 0 .../anchore-policy-validator/templates}/validator-rbac.yaml | 0 .../anchore-policy-validator/templates}/validator-service.yaml | 0 .../anchore-policy-validator/templates}/whitelist-crd.yaml | 0 values.yaml => charts/anchore-policy-validator/values.yaml | 0 14 files changed, 0 insertions(+), 0 deletions(-) rename Chart.yaml => charts/anchore-policy-validator/Chart.yaml (100%) rename README.md => charts/anchore-policy-validator/README.md (100%) rename {templates => charts/anchore-policy-validator/templates}/NOTES.txt (100%) rename {templates => charts/anchore-policy-validator/templates}/_helpers.tpl (100%) rename {templates => charts/anchore-policy-validator/templates}/apiservice-webhook.yaml (100%) rename {templates => charts/anchore-policy-validator/templates}/audit-crd.yaml (100%) rename {templates => charts/anchore-policy-validator/templates}/default-policy-configmap.yaml (100%) rename {templates => charts/anchore-policy-validator/templates}/default-policy-job.yaml (100%) rename {templates => charts/anchore-policy-validator/templates}/validator-deployment.yaml (100%) rename {templates => charts/anchore-policy-validator/templates}/validator-psp.yaml (100%) rename {templates => charts/anchore-policy-validator/templates}/validator-rbac.yaml (100%) rename {templates => charts/anchore-policy-validator/templates}/validator-service.yaml 
(100%) rename {templates => charts/anchore-policy-validator/templates}/whitelist-crd.yaml (100%) rename values.yaml => charts/anchore-policy-validator/values.yaml (100%) diff --git a/Chart.yaml b/charts/anchore-policy-validator/Chart.yaml similarity index 100% rename from Chart.yaml rename to charts/anchore-policy-validator/Chart.yaml diff --git a/README.md b/charts/anchore-policy-validator/README.md similarity index 100% rename from README.md rename to charts/anchore-policy-validator/README.md diff --git a/templates/NOTES.txt b/charts/anchore-policy-validator/templates/NOTES.txt similarity index 100% rename from templates/NOTES.txt rename to charts/anchore-policy-validator/templates/NOTES.txt diff --git a/templates/_helpers.tpl b/charts/anchore-policy-validator/templates/_helpers.tpl similarity index 100% rename from templates/_helpers.tpl rename to charts/anchore-policy-validator/templates/_helpers.tpl diff --git a/templates/apiservice-webhook.yaml b/charts/anchore-policy-validator/templates/apiservice-webhook.yaml similarity index 100% rename from templates/apiservice-webhook.yaml rename to charts/anchore-policy-validator/templates/apiservice-webhook.yaml diff --git a/templates/audit-crd.yaml b/charts/anchore-policy-validator/templates/audit-crd.yaml similarity index 100% rename from templates/audit-crd.yaml rename to charts/anchore-policy-validator/templates/audit-crd.yaml diff --git a/templates/default-policy-configmap.yaml b/charts/anchore-policy-validator/templates/default-policy-configmap.yaml similarity index 100% rename from templates/default-policy-configmap.yaml rename to charts/anchore-policy-validator/templates/default-policy-configmap.yaml diff --git a/templates/default-policy-job.yaml b/charts/anchore-policy-validator/templates/default-policy-job.yaml similarity index 100% rename from templates/default-policy-job.yaml rename to charts/anchore-policy-validator/templates/default-policy-job.yaml 
diff --git a/templates/validator-deployment.yaml b/charts/anchore-policy-validator/templates/validator-deployment.yaml similarity index 100% rename from templates/validator-deployment.yaml rename to charts/anchore-policy-validator/templates/validator-deployment.yaml diff --git a/templates/validator-psp.yaml b/charts/anchore-policy-validator/templates/validator-psp.yaml similarity index 100% rename from templates/validator-psp.yaml rename to charts/anchore-policy-validator/templates/validator-psp.yaml diff --git a/templates/validator-rbac.yaml b/charts/anchore-policy-validator/templates/validator-rbac.yaml similarity index 100% rename from templates/validator-rbac.yaml rename to charts/anchore-policy-validator/templates/validator-rbac.yaml diff --git a/templates/validator-service.yaml b/charts/anchore-policy-validator/templates/validator-service.yaml similarity index 100% rename from templates/validator-service.yaml rename to charts/anchore-policy-validator/templates/validator-service.yaml diff --git a/templates/whitelist-crd.yaml b/charts/anchore-policy-validator/templates/whitelist-crd.yaml similarity index 100% rename from templates/whitelist-crd.yaml rename to charts/anchore-policy-validator/templates/whitelist-crd.yaml diff --git a/values.yaml b/charts/anchore-policy-validator/values.yaml similarity index 100% rename from values.yaml rename to charts/anchore-policy-validator/values.yaml From 2b655d41d1b79c85437aaf2de9cf1fdbfba8af8c Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Fri, 29 Nov 2019 13:20:05 +0100 Subject: [PATCH 59/66] update charts Signed-off-by: Peter Balogh --- charts/anchore-policy-validator/.helmignore | 21 +++++ .../templates/apiservice-webhook.yaml | 86 +++++++++++++------ .../templates/validator-deployment.yaml | 21 ++--- .../templates/whitelist-crd.yaml | 2 - charts/anchore-policy-validator/values.yaml | 6 +- 5 files changed, 95 insertions(+), 41 deletions(-) create mode 100644 charts/anchore-policy-validator/.helmignore 
diff --git a/charts/anchore-policy-validator/.helmignore b/charts/anchore-policy-validator/.helmignore new file mode 100644 index 0000000..f0c1319 --- /dev/null +++ b/charts/anchore-policy-validator/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/anchore-policy-validator/templates/apiservice-webhook.yaml b/charts/anchore-policy-validator/templates/apiservice-webhook.yaml index 9825601..31c4667 100644 --- a/charts/anchore-policy-validator/templates/apiservice-webhook.yaml +++ b/charts/anchore-policy-validator/templates/apiservice-webhook.yaml 
@@ -1,32 +1,64 @@ {{ $ca := genCA "svc-cat-ca" 3650 }} -{{ $cn := printf "%s-%s.%s.svc" .Release.Name .Chart.Name .Release.Namespace }} -{{ $server := genSignedCert $cn nil nil 365 $ca }} - +{{- $svcName := include "anchore-policy-validator.fullname" . }} +{{- $cn := printf "%s.%s.svc" $svcName .Release.Namespace }} +{{- $altName1 := printf "%s.cluster.local" $cn }} +{{- $altName2 := printf "%s" $cn }} +{{- $server := genSignedCert $cn nil (list $altName1 $altName2) 365 $ca }} +{{- $major := .Capabilities.KubeVersion.Major -}} +{{- $minor := .Capabilities.KubeVersion.Minor -}} apiVersion: v1 -kind: List +kind: Secret metadata: -items: - -- apiVersion: v1 - kind: Secret - metadata: - name: {{ template "anchore-policy-validator.fullname" . }} - type: kubernetes.io/tls - data: - servingCert: {{ b64enc $server.Cert }} - servingKey: {{ b64enc $server.Key }} - caCert: {{ b64enc $ca.Cert }} - -- apiVersion: apiregistration.k8s.io/v1beta1 - kind: APIService - metadata: - name: {{ .Values.apiService.version }}.{{ .Values.apiService.group }} - spec: - caBundle: {{ b64enc $ca.Cert }} - group: {{ .Values.apiService.group }} - groupPriorityMinimum: 1000 - versionPriority: 15 + name: {{ template "anchore-policy-validator.fullname" . }} +type: kubernetes.io/tls +data: + tls.crt: {{ b64enc $server.Cert }} + tls.key: {{ b64enc $server.Key }} + ca.crt: {{ b64enc $ca.Cert }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: {{ template "anchore-policy-validator.fullname" . }} + namespace: {{ .Release.Namespace }} +webhooks: +- name: pods.{{ template "anchore-policy-validator.name" . }}.admission.banzaicloud.com + clientConfig: service: - name: {{ template "anchore-policy-validator.fullname" . }} namespace: {{ .Release.Namespace }} - version: {{ .Values.apiService.version }} + name: {{ template "anchore-policy-validator.fullname" . 
}} + path: /imagecheck + caBundle: {{ b64enc $ca.Cert }} + rules: + - apiGroups: [""] + apiVersions: ["v1"] + operations: ["CREATE"] + resources: ["pods"] + scope: "*" + admissionReviewVersions: ["v1", "v1beta1"] + failurePolicy: {{ .Values.podsFailurePolicy }} + sideEffects: None + namespaceSelector: + {{- if .Values.namespaceSelector.matchLabels }} + matchLabels: +{{ toYaml .Values.namespaceSelector.matchLabels | indent 6 }} + {{- end }} + matchExpressions: + {{- if .Values.namespaceSelector.matchExpressions }} +{{ toYaml .Values.namespaceSelector.matchExpressions | indent 6 }} + {{- end }} + - key: name + operator: NotIn + values: + - {{ .Release.Namespace }} +{{- if and (eq (int $major) 1) (ge (int $minor) 15) }} + objectSelector: + matchExpressions: + {{- if .Values.objectSelector.matchExpressions }} +{{ toYaml .Values.objectSelector.matchExpressions | indent 4 }} + {{- end }} + - key: security.banzaicloud.io/validate + operator: NotIn + values: + - skip +{{- end }} \ No newline at end of file diff --git a/charts/anchore-policy-validator/templates/validator-deployment.yaml b/charts/anchore-policy-validator/templates/validator-deployment.yaml index 15def1c..62a63e3 100644 --- a/charts/anchore-policy-validator/templates/validator-deployment.yaml +++ b/charts/anchore-policy-validator/templates/validator-deployment.yaml @@ -1,4 +1,4 @@ -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "anchore-policy-validator.fullname" . }} @@ -10,11 +10,16 @@ metadata: component: admission-server spec: replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: {{ template "anchore-policy-validator.name" . }} + release: {{ .Release.Name }} template: metadata: labels: app: {{ template "anchore-policy-validator.name" . }} release: {{ .Release.Name }} + security.banzaicloud.io/mutate: skip spec: {{- if .Values.rbac.enabled }} serviceAccountName: {{ template "anchore-policy-validator.fullname" . }} 
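Review bot: The objectSelector added for 1.15+ turns the `security.banzaicloud.io/validate: skip` label into a cluster-wide opt-out: anyone allowed to create a pod can add that label and skip image validation entirely, which is a policy bypass rather than a self-exclusion for the validator's own pod. If the intent is only to let the validator start under `failurePolicy: Fail`, the namespace exclusion should cover that, and the objectSelector belongs behind a values switch with a README warning. The namespace exclusion itself keys on a `name` label (`- key: name`, `operator: NotIn`, `values: - {{ .Release.Namespace }}`), which namespaces do not carry unless someone labels them, and `NotIn` matches when the key is absent, so the release namespace is excluded only when it is labelled `name=<namespace>`; document that requirement or match on a label the chart applies itself. Note also that `genCA`/`genSignedCert` run on every render, so each `helm upgrade` re-issues the CA and serving cert; the Secret and `caBundle` stay consistent within one render, but a validator pod that loaded the previous key pair at start-up will fail the handshake until it is restarted, and with `failurePolicy: Fail` that blocks pod creation in every selected namespace — the deployment hunk in this commit shows no checksum annotation that would force a rollout.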
@@ -26,17 +31,15 @@ spec: secretName: {{ template "anchore-policy-validator.fullname" . }} - name: tmp emptyDir: {} + securityContext: + runAsUser: 65534 + fsGroup: 65534 containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} command: - "/usr/local/bin/anchore-image-validator" - - "--audit-log-path=-" - - "--tls-cert-file=/var/serving-cert/servingCert" - - "--tls-private-key-file=/var/serving-cert/servingKey" - - "--v={{ .Values.logVerbosity }}" - - "--secure-port={{ .Values.service.internalPort }}" env: - name: KUBERNETES_NAMESPACE value: {{ .Release.Namespace }} @@ -54,13 +57,11 @@ spec: value: {{ .Values.externalAnchore.anchoreHost }} - name: NAMESPACE_SELECTOR value: {{ default "exclude" .Values.namespaceSelector }} + ports: + - containerPort: {{ .Values.service.internalPort }} securityContext: readOnlyRootFilesystem: true allowPrivilegeEscalation: false - runAsUser: 65534 - fsGroup: 65534 - ports: - - containerPort: {{ .Values.service.internalPort }} livenessProbe: httpGet: path: /healthz diff --git a/charts/anchore-policy-validator/templates/whitelist-crd.yaml b/charts/anchore-policy-validator/templates/whitelist-crd.yaml index a167db3..00018e2 100644 --- a/charts/anchore-policy-validator/templates/whitelist-crd.yaml +++ b/charts/anchore-policy-validator/templates/whitelist-crd.yaml @@ -9,8 +9,6 @@ spec: kind: WhiteListItem plural: whitelistitems singular: whitelistitem - shortnames: - - wl scope: Cluster validation: openAPIV3Schema: diff --git a/charts/anchore-policy-validator/values.yaml b/charts/anchore-policy-validator/values.yaml index 4308485..fc33a3a 100644 --- a/charts/anchore-policy-validator/values.yaml +++ b/charts/anchore-policy-validator/values.yaml 
@@ -5,7 +5,7 @@ apiService: version: v1beta1 image: repository: banzaicloud/anchore-image-validator - tag: 0.3.6 + tag: remove-generic-admission-server pullPolicy: IfNotPresent service: name: anchoreimagecheck @@ -18,7 +18,9 @@ externalAnchore: anchorePass: "" resources: {} -namespaceSelector: "" +namespaceSelector: {} + +objectSelector: {} ## Node selector ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector From fe9c95ec390c6d18e05188e72c50d20b1a32dacf Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Mon, 16 Dec 2019 21:14:31 +0100 Subject: [PATCH 60/66] minor fixes for health check Signed-off-by: Peter Balogh --- .../templates/apiservice-webhook.yaml | 2 +- .../templates/validator-deployment.yaml | 6 ++--- cmd/main.go | 26 ++++++++----------- internal/app/app.go | 13 ++++++++-- internal/app/config.go | 2 +- internal/app/validate.go | 2 +- 6 files changed, 28 insertions(+), 23 deletions(-) diff --git a/charts/anchore-policy-validator/templates/apiservice-webhook.yaml b/charts/anchore-policy-validator/templates/apiservice-webhook.yaml index 31c4667..c629762 100644 --- a/charts/anchore-policy-validator/templates/apiservice-webhook.yaml +++ b/charts/anchore-policy-validator/templates/apiservice-webhook.yaml @@ -45,7 +45,7 @@ webhooks: {{- end }} matchExpressions: {{- if .Values.namespaceSelector.matchExpressions }} -{{ toYaml .Values.namespaceSelector.matchExpressions | indent 6 }} +{{ toYaml .Values.namespaceSelector.matchExpressions | indent 6 }} {{- end }} - key: name operator: NotIn diff --git a/charts/anchore-policy-validator/templates/validator-deployment.yaml b/charts/anchore-policy-validator/templates/validator-deployment.yaml index 62a63e3..720c40a 100644 --- a/charts/anchore-policy-validator/templates/validator-deployment.yaml +++ b/charts/anchore-policy-validator/templates/validator-deployment.yaml 
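Review bot: The default image tag moves from the release `0.3.6` to the branch name `remove-generic-admission-server` (`tag: remove-generic-admission-server`), which is a mutable tag; together with `pullPolicy: IfNotPresent` each node may end up running a different build of the admission controller, and a later push to that branch silently changes what enforces image policy. For a component whose purpose is supply-chain control the chart default should pin a released version, ideally by digest (`repository@sha256:...`), with branch tags supplied only via `--set image.tag=` during development. If this is meant to land before a release exists, add a comment in values.yaml marking it as a pre-release placeholder so it is not shipped as-is. Separately, `namespaceSelector` becomes a map here while the deployment (visible as context in the previous file) still renders it into the `NAMESPACE_SELECTOR` env var via `default "exclude" .Values.namespaceSelector`, so a non-empty map will be stringified into that variable — confirm the env var is still read anywhere, and drop it if not.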
@@ -19,7 +19,7 @@ spec: labels: app: {{ template "anchore-policy-validator.name" . }} release: {{ .Release.Name }} - security.banzaicloud.io/mutate: skip + security.banzaicloud.io/validate: skip spec: {{- if .Values.rbac.enabled }} serviceAccountName: {{ template "anchore-policy-validator.fullname" . }} @@ -64,11 +64,11 @@ spec: allowPrivilegeEscalation: false livenessProbe: httpGet: - path: /healthz + path: /imagecheck port: {{ .Values.service.internalPort }} scheme: HTTPS volumeMounts: - - mountPath: /var/serving-cert + - mountPath: /webhook/certs name: serving-cert - mountPath: /tmp name: tmp diff --git a/cmd/main.go b/cmd/main.go index 8166737..b026d3d 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -17,9 +17,7 @@ limitations under the License. package main import ( - "crypto/tls" "fmt" - "net" "net/http" "os" @@ -52,6 +50,7 @@ var ( func init() { pflag.Bool("version", false, "Show version information") pflag.Bool("dump-config", false, "Dump configuration to the console (and exit)") + pflag.Bool("dev-http", false, "Developer mode use http for local testing") } func main() { @@ -92,7 +91,7 @@ func main() { k8sCfg := crconfig.GetConfigOrDie() - logger.Info("kubernetes config", map[string]interface{}{ + logger.Debug("kubernetes config", map[string]interface{}{ "k8sHost": k8sCfg.Host}) v1alpha1.AddToScheme(scheme.Scheme) 
@@ -107,20 +106,17 @@ func main() { "k8sHost": k8sCfg.Host}) } - installValidatingWebhookConfig(client) + logger.Info("starting the webhook.", map[string]interface{}{ + "port": ":" + config.App.Port, + "certfile": config.App.CertFile, + "keyfile": config.App.KeyFile, + }) - pair, err := tls.LoadX509KeyPair(config.App.CertFile, config.App.KeyFile) - if err != nil { - logger.Error("failed to load key pair") - } - - ln, _ := net.Listen("tcp", fmt.Sprintf(":%v", config.App.Port)) - httpServer := &http.Server{ - Handler: app.NewApp(logger, client), - TLSConfig: &tls.Config{Certificates: []tls.Certificate{pair}}, + if viper.GetBool("dev-http") { + http.ListenAndServe(":"+config.App.Port, app.NewApp(logger, client)) + } else { + http.ListenAndServeTLS(":"+config.App.Port, config.App.CertFile, config.App.KeyFile, app.NewApp(logger, client)) } - logger.Info("starting the webhook.") - httpServer.ServeTLS(ln, "", "") } func getEnv(key, fallback string) string { diff --git a/internal/app/app.go b/internal/app/app.go index 7cd7946..1509dad 100644 --- a/internal/app/app.go +++ b/internal/app/app.go @@ -30,12 +30,13 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" ) -const imageValidate = "imagechecks" +const imageValidate = "/imagecheck" // NewApp creates new application func NewApp(logger logur.Logger, client client.Client) http.Handler { mux := http.NewServeMux() mux.Handle(imageValidate, newHTTPHandler(logger, client)) + logger.Info("newApp", map[string]interface{}{"app": imageValidate}) return mux } @@ -58,6 +59,8 @@ func newHTTPHandler(logger logur.Logger, client client.Client) http.Handler { mux := http.NewServeMux() controller := NewHTTPController(logger, client) mux.HandleFunc(imageValidate, controller.webhookCTRL) + logger.Info("newHTTPHandler", map[string]interface{}{"handler": imageValidate}) + return mux } 
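Review bot: Both `http.ListenAndServe` and `http.ListenAndServeTLS` return an error that the new `main()` discards, so a missing or unreadable cert file (the paths are logged just above) makes the process fall off the end of `main()` with exit status 0 and the Deployment sees a "Completed" container rather than a crash with a reason. The convenience helpers also give an `http.Server` with no `ReadHeaderTimeout`/`ReadTimeout`/`IdleTimeout` and the default TLS config; the previous code built an explicit `tls.Config`, which this hunk removes along with the `crypto/tls` import. Construct the server explicitly, check the error and exit non-zero (`os` is already imported; `time` and `crypto/tls` would need to be re-added). The `--dev-http` branch is fine for local runs, but it should at least log a warning that admission traffic is being served unencrypted so a cluster deployment with the flag set is noticed. `getEnv` below is untouched and outside the change.

```go
srv := &http.Server{
	Addr:              ":" + config.App.Port,
	Handler:           app.NewApp(logger, client),
	ReadHeaderTimeout: 10 * time.Second,
	ReadTimeout:       30 * time.Second,
	IdleTimeout:       60 * time.Second,
	TLSConfig:         &tls.Config{MinVersion: tls.VersionTLS12},
}
var err error
if viper.GetBool("dev-http") {
	logger.Warn("dev-http set: serving admission webhook over plain HTTP")
	err = srv.ListenAndServe()
} else {
	err = srv.ListenAndServeTLS(config.App.CertFile, config.App.KeyFile)
}
if err != nil {
	logger.Error("webhook server stopped", map[string]interface{}{"error": err.Error()})
	os.Exit(1)
}
```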
@@ -70,11 +73,18 @@ func NewHTTPController(logger logur.Logger, client client.Client) *HTTPControlle } func (a *HTTPController) webhookCTRL(w http.ResponseWriter, r *http.Request) { + if r.Method == http.MethodGet { + w.WriteHeader(http.StatusOK) + return + } + body, err := ioutil.ReadAll(r.Body) if err != nil { http.Error(w, "reading request body failed", http.StatusInternalServerError) return } + a.Logger.Debug("request body", map[string]interface{}{"body": body}) + if len(body) == 0 { http.Error(w, "empty body", http.StatusBadRequest) return @@ -93,7 +103,6 @@ func (a *HTTPController) webhookCTRL(w http.ResponseWriter, r *http.Request) { fmt.Println(r.URL.Path) if r.URL.Path == imageValidate { admissionResponse = validate(&ar, a.Logger, a.Client) - a.Logger.Info("------ ehunnvagyoke ------") } } diff --git a/internal/app/config.go b/internal/app/config.go index a15a96f..9a67eec 100644 --- a/internal/app/config.go +++ b/internal/app/config.go @@ -19,7 +19,7 @@ package app // Config holds details necessary for app. type Config struct { // Port defines server port - Port int + Port string // CertFile server certificate path CertFile string // KeyFile server key path diff --git a/internal/app/validate.go b/internal/app/validate.go index 13f75a7..7cb1359 100644 --- a/internal/app/validate.go +++ b/internal/app/validate.go @@ -59,7 +59,7 @@ func validate(ar *admissionv1beta1.AdmissionReview, logger logur.Logger, c clien return &admissionv1beta1.AdmissionResponse{ Allowed: false, Result: &metav1.Status{ - Reason: "scan results are above treshold", + Reason: "result of policy evaluation is failed", }, } } From cf29aff776684f511022023f80edd97e679d21db Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Tue, 17 Dec 2019 10:50:56 +0100 Subject: [PATCH 61/66] cleanup self 
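Review bot: The new `a.Logger.Debug("request body", map[string]interface{}{"body": body})` writes the entire AdmissionReview to the log; the request carries the full pod spec, including container `env` values and args that routinely hold credentials, so enabling debug on a validator turns its log into a secret sink. Log only the request UID/kind/namespace after decoding, or drop the line; if it stays, note that `body` is a `[]byte` and, depending on the logur backend, will likely print as a byte slice rather than text. `ioutil.ReadAll(r.Body)` is also unbounded — wrap the body first, `r.Body = http.MaxBytesReader(w, r.Body, 1<<20)`, so an oversized request cannot exhaust memory on the admission path, where `failurePolicy: Fail` would then stall pod creation. The early `if r.Method == http.MethodGet` return makes `/imagecheck` double as the liveness endpoint; a dedicated `/healthz` route would keep probes distinguishable from malformed admission calls in access logs. The handler's tail runs past the hunk.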
Signed-off-by: Peter Balogh --- .vscode/launch.json | 17 +++ cmd/build.go | 1 - cmd/main.go | 16 +-- cmd/self.go | 152 ------------------------- internal/app/app.go | 18 +-- internal/app/handler.go | 17 ++- internal/app/validate.go | 4 +- pkg/apis/security/v1alpha1/register.go | 6 +- pkg/clientset/v1alpha1/api.go | 16 +-- 9 files changed, 52 insertions(+), 195 deletions(-) create mode 100644 .vscode/launch.json delete mode 100644 cmd/self.go diff --git a/.vscode/launch.json b/.vscode/launch.json new file mode 100644 index 0000000..77919ef --- /dev/null +++ b/.vscode/launch.json @@ -0,0 +1,17 @@ +{ + // Use IntelliSense to learn about possible attributes. + // Hover to view descriptions of existing attributes. + // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387 + "version": "0.2.0", + "configurations": [ + { + "name": "Launch", + "type": "go", + "request": "launch", + "mode": "auto", + "program": "${workspaceRoot}/cmd/main.go", + "env": {}, + "args": ["--dev-http"] + } + ] +} \ No newline at end of file diff --git a/cmd/build.go b/cmd/build.go index 6834f4f..94bf7e9 100644 --- a/cmd/build.go +++ b/cmd/build.go @@ -18,7 +18,6 @@ package main // Provisioned by ldflags // nolint: gochecknoglobals - var ( version string commitHash string diff --git a/cmd/main.go b/cmd/main.go index b026d3d..50f9fc4 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -34,18 +34,8 @@ import ( crconfig "sigs.k8s.io/controller-runtime/pkg/client/config" ) -var securityClientSet *clientv1alpha1.SecurityV1Alpha1Client - const apiServiceResource = "imagecheck" -var ( - apiServiceGroup = os.Getenv("ANCHORE_APISERVICE_GROUP") - apiServiceVersion = os.Getenv("ANCHORE_APISERVICE_VERSION") - anchoreReleaseName = os.Getenv("ANCHORE_RELEASE_NAME") - kubernetesNameSpace = os.Getenv("KUBERNETES_NAMESPACE") - namespaceSelector = getEnv("NAMESPACE_SELECTOR", "exclude") -) - // nolint: gochecknoinits func init() { pflag.Bool("version", false, "Show version information") 
@@ -95,7 +85,7 @@ func main() { "k8sHost": k8sCfg.Host}) v1alpha1.AddToScheme(scheme.Scheme) - securityClientSet, err = clientv1alpha1.SecurityConfig(k8sCfg) + sc, err := clientv1alpha1.SecurityConfig(k8sCfg) if err != nil { logger.Error("error") } @@ -113,9 +103,9 @@ func main() { }) if viper.GetBool("dev-http") { - http.ListenAndServe(":"+config.App.Port, app.NewApp(logger, client)) + http.ListenAndServe(":"+config.App.Port, app.NewApp(logger, client, sc)) } else { - http.ListenAndServeTLS(":"+config.App.Port, config.App.CertFile, config.App.KeyFile, app.NewApp(logger, client)) + http.ListenAndServeTLS(":"+config.App.Port, config.App.CertFile, config.App.KeyFile, app.NewApp(logger, client, sc)) } } diff --git a/cmd/self.go b/cmd/self.go deleted file mode 100644 index 4f20cf0..0000000 --- a/cmd/self.go +++ /dev/null 
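Review bot: `sc, err := clientv1alpha1.SecurityConfig(k8sCfg)` is followed by `logger.Error("error")`, which drops the actual error and then hands a nil `sc` to `app.NewApp(...)`, so a misconfigured REST client surfaces later as a nil dereference in the request path instead of at start-up. Log the cause and stop: `logger.Error("failed to create security client", map[string]interface{}{"error": err.Error()}); os.Exit(1)` (`os` is already imported in this file). The diffstat of the following commit deletes `pkg/clientset`, so this may become moot, but the same "log a constant string and continue" pattern should not be carried over to whatever replaces it.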
@@ -1,152 +0,0 @@ -/* -Copyright 2019 Banzai Cloud. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main - -import ( - "context" - "encoding/base64" - "fmt" - "os" - "path" - - "emperror.dev/errors" - admissionv1beta1 "k8s.io/api/admissionregistration/v1beta1" - corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "sigs.k8s.io/controller-runtime/pkg/client" -) - -func createValidatingWebhook(c client.Client) (*admissionv1beta1.ValidatingWebhookConfiguration, error) { - - path := path.Join("/apis", apiServiceGroup, apiServiceVersion, apiServiceResource) - webHookName := fmt.Sprintf("%s.%s", anchoreReleaseName, apiServiceGroup) - ownerref, caBundle, err := getSelf(c) - if err != nil { - return nil, errors.WrapIf(err, "unable to get self object") - } - rule := admissionv1beta1.Rule{ - APIGroups: []string{""}, - APIVersions: []string{"*"}, - Resources: []string{"pods"}, - } - - rulesWithOperations := admissionv1beta1.RuleWithOperations{ - Operations: []admissionv1beta1.OperationType{admissionv1beta1.Create}, - Rule: rule, - } - - failurePolicy := admissionv1beta1.Fail - - selectorOperator := metav1.LabelSelectorOpNotIn - selectorValues := []string{"noscan"} - - if namespaceSelector == "include" { - selectorOperator = metav1.LabelSelectorOpIn - selectorValues = []string{"scan"} - } - - expression := metav1.LabelSelectorRequirement{ - Key: "scan", - Operator: selectorOperator, - Values: selectorValues, - } - - nameSpaceSelector := &metav1.LabelSelector{ - 
MatchExpressions: []metav1.LabelSelectorRequirement{expression}, - } - - validatingWebhook := admissionv1beta1.ValidatingWebhook{ - Name: webHookName, - ClientConfig: admissionv1beta1.WebhookClientConfig{ - Service: &admissionv1beta1.ServiceReference{ - Namespace: "default", - Name: "kubernetes", - Path: &path, - }, - CABundle: caBundle, - }, - Rules: []admissionv1beta1.RuleWithOperations{rulesWithOperations}, - FailurePolicy: &failurePolicy, - NamespaceSelector: nameSpaceSelector, - } - - validatingWebhookConfig := &admissionv1beta1.ValidatingWebhookConfiguration{ - TypeMeta: metav1.TypeMeta{ - Kind: "ValidatingWebhookConfiguration", - APIVersion: "admissionregistration.k8s.io/v1beta1", - }, - ObjectMeta: metav1.ObjectMeta{ - Name: webHookName, - }, - Webhooks: []admissionv1beta1.ValidatingWebhook{validatingWebhook}, - } - - validatingWebhookConfig.SetOwnerReferences(ownerref) - - return validatingWebhookConfig, nil -} - -func installValidatingWebhookConfig(c client.Client) error { - validatingWebhookConfig, err := createValidatingWebhook(c) - if err != nil { - return errors.WrapIf(err, "cannot create ValidatingkWebhooConfiguration") - } - - err = c.Create(context.Background(), validatingWebhookConfig) - if err != nil { - return errors.WrapIf(err, "cannot install ValidatingWebhookConfiguration") - } - return nil -} - -func getSelf(c client.Client) ([]metav1.OwnerReference, []byte, error) { - podName, _ := os.Hostname() - if kubernetesNameSpace == "" { - return nil, nil, errors.New("not defined KUBERNETES_NAMESPACE env") - } - podDetail := &corev1.Pod{} - err := c.Get(context.Background(), client.ObjectKey{ - Namespace: kubernetesNameSpace, - Name: podName, - }, podDetail) - if err != nil { - return nil, nil, errors.WrapIf(err, "unable to get self details") - } - - if anchoreReleaseName == "" { - return nil, nil, errors.New("not defined ANCHORE_RELEASE_NAME env") - } - - owner := metav1.OwnerReference{ - APIVersion: "v1", - Kind: "Pod", - Name: podName, - UID: 
podDetail.ObjectMeta.UID, - } - - secretDetail := &corev1.Secret{} - err = c.Get(context.Background(), client.ObjectKey{ - Namespace: kubernetesNameSpace, - Name: anchoreReleaseName, - }, secretDetail) - if err != nil { - return nil, nil, errors.WrapIf(err, "unable to get secretDetail") - } - caBundle := []byte(base64.StdEncoding.EncodeToString(secretDetail.Data["caCert"])) - - return []metav1.OwnerReference{owner}, caBundle, nil -} diff --git a/internal/app/app.go b/internal/app/app.go index 1509dad..b670761 100644 --- a/internal/app/app.go +++ b/internal/app/app.go @@ -22,6 +22,7 @@ import ( "io/ioutil" "net/http" + clientv1alpha1 "github.com/banzaicloud/anchore-image-validator/pkg/clientset/v1alpha1" admissionv1beta1 "k8s.io/api/admission/v1beta1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" @@ -32,8 +33,16 @@ import ( const imageValidate = "/imagecheck" +// nolint: gochecknoglobals +var ( + runtimeScheme = runtime.NewScheme() + codecs = serializer.NewCodecFactory(runtimeScheme) + deserializer = codecs.UniversalDeserializer() + defaulter = runtime.ObjectDefaulter(runtimeScheme) +) + // NewApp creates new application -func NewApp(logger logur.Logger, client client.Client) http.Handler { +func NewApp(logger logur.Logger, client client.Client, sc *clientv1alpha1.Securityv1Alpha1Client) http.Handler { mux := http.NewServeMux() mux.Handle(imageValidate, newHTTPHandler(logger, client)) logger.Info("newApp", map[string]interface{}{"app": imageValidate}) @@ -41,13 +50,6 @@ func NewApp(logger logur.Logger, client client.Client) http.Handler { return mux } -var ( - runtimeScheme = runtime.NewScheme() - codecs = serializer.NewCodecFactory(runtimeScheme) - deserializer = codecs.UniversalDeserializer() - defaulter = runtime.ObjectDefaulter(runtimeScheme) -) - // HTTPController collects the greeting use cases and exposes them as HTTP handlers. type HTTPController struct { Logger logur.Logger 
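Review bot: `NewApp` now takes `sc *clientv1alpha1.Securityv1Alpha1Client` but still calls `newHTTPHandler(logger, client)`, so the clientset is accepted and dropped; nothing in this hunk threads it into `HTTPController`, while `createOrUpdateAudit` in the same commit now requires it. Unless it is wired in from somewhere outside this hunk, audit writes will go through a nil client. Either pass it through (`newHTTPHandler(logger, client, sc)` plus a field on `HTTPController`) or remove the parameter until it is used; an unused constructor dependency is what `unparam` flags. Moving the globals under `// nolint: gochecknoglobals` is fine, but `defaulter` is not referenced by anything visible here — confirm it is used before suppressing the lint on it.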
diff --git a/internal/app/handler.go b/internal/app/handler.go index fa9a928..57f8938 100644 --- a/internal/app/handler.go +++ b/internal/app/handler.go @@ -23,6 +23,7 @@ import ( "strings" "github.com/banzaicloud/anchore-image-validator/pkg/apis/security/v1alpha1" + clientv1alpha1 "github.com/banzaicloud/anchore-image-validator/pkg/clientset/v1alpha1" "github.com/sirupsen/logrus" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" @@ -95,7 +96,7 @@ func regexpWhiteList(wl v1alpha1.WhiteListItem) *regexp.Regexp { return nil } -func createOrUpdateAudit(a auditInfo, c client.Client) { +func createOrUpdateAudit(a auditInfo, c client.Client, sc *clientv1alpha1.Securityv1Alpha1Client) { auditCR := &v1alpha1.Audit{ TypeMeta: metav1.TypeMeta{ Kind: "Audit", @@ -120,7 +121,7 @@ func createOrUpdateAudit(a auditInfo, c client.Client) { auditCR.SetOwnerReferences(a.owners) err := c.Create(context.Background(), auditCR) - // audit, err := securityClientSet.Audits().Create(auditCR) + audit, err := sc.Audits().Create(auditCR) if err != nil { logrus.Error(err) 
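Review bot: The hunk keeps `err := c.Create(context.Background(), auditCR)` and immediately follows it with `audit, err := sc.Audits().Create(auditCR)`, so every audit is created twice: the controller-runtime call succeeds, the clientset call then returns AlreadyExists, and the code always falls into the error branch and takes the update path, with the first call's result silently overwritten. Pick one client and delete the other call; if the clientset is the intended one, the `c.Create` line (and the `err :=` it introduces) should go, and the `c client.Client` parameter added in the earlier hunk becomes dead. Also `a.owners` is set as owner references on a cluster-scoped Audit CR — if the owner is the namespaced Pod, the API server will reject or garbage-collect it unexpectedly; confirm the CRD scope (`audit-crd.yaml` is not in this diff).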
@@ -134,25 +135,23 @@ func createOrUpdateAudit(a auditInfo, c client.Client) { actionByte = append(actionByte, tail...) err = c.Patch(context.Background(), auditCR, client.ConstantPatch(types.MergePatchType, actionByte)) - // audit, err = securityClientSet.Audits().Update(a.name, actionByte) + audit, err = sc.Audits().Update(a.name, actionByte) if err != nil { logrus.Error(err) } else { logrus.WithFields(logrus.Fields{ - "Audit": auditCR.Name, + "Audit": audit, }).Debug("Update Audit") } } else { logrus.WithFields(logrus.Fields{ - "Audit": auditCR.Name, + "Audit": audit, }).Debug("Created Audit") } } -func listAudits(c client.Client) { - audits := &v1alpha1.AuditList{} - err := c.List(context.Background(), audits) - //audits, err := securityClientSet.Audits().List(metav1.ListOptions{}) +func listAudits(c client.Client, sc *clientv1alpha1.Securityv1Alpha1Client) { + audits, err := sc.Audits().List(metav1.ListOptions{}) if err != nil { logrus.Error(err) } else { diff --git a/internal/app/validate.go b/internal/app/validate.go index 7cb1359..b93e2b3 100644 --- a/internal/app/validate.go +++ b/internal/app/validate.go @@ -26,7 +26,9 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" ) -func validate(ar *admissionv1beta1.AdmissionReview, logger logur.Logger, c client.Client) *admissionv1beta1.AdmissionResponse { +func validate(ar *admissionv1beta1.AdmissionReview, + logger logur.Logger, c client.Client) *admissionv1beta1.AdmissionResponse { + req := ar.Request logger.Info("AdmissionReview for", map[string]interface{}{ "Kind": req.Kind, diff --git a/pkg/apis/security/v1alpha1/register.go b/pkg/apis/security/v1alpha1/register.go index 2262390..ccbdcee 100644 --- a/pkg/apis/security/v1alpha1/register.go +++ b/pkg/apis/security/v1alpha1/register.go 
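Review bot: The update branch repeats the double-write: `err = c.Patch(context.Background(), auditCR, client.ConstantPatch(types.MergePatchType, actionByte))` is immediately followed by `audit, err = sc.Audits().Update(a.name, actionByte)`, so the same merge patch is applied twice and only the second outcome is logged. Keep one client here as well. `listAudits(c client.Client, sc *clientv1alpha1.Securityv1Alpha1Client)` no longer uses `c` at all; drop the parameter rather than leave an unused dependency in the signature. Logging the whole `audit` object at Debug in both branches dumps the full CR into the log; the `auditCR.Name` the previous revision logged is enough to correlate, and keeps log volume and content predictable.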
@@ -28,10 +28,10 @@ const GroupName = "security.banzaicloud.com" // GroupVersion for crd const GroupVersion = "v1alpha1" -// SchemeGroupVersion for crd -var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: GroupVersion} - +// nolint: gochecknoglobals var ( + // SchemeGroupVersion for crd + SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: GroupVersion} // SchemeBuilder for crd SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) // AddToScheme for crd diff --git a/pkg/clientset/v1alpha1/api.go b/pkg/clientset/v1alpha1/api.go index e756ac0..102318b 100644 --- a/pkg/clientset/v1alpha1/api.go +++ b/pkg/clientset/v1alpha1/api.go @@ -25,19 +25,19 @@ import ( "github.com/banzaicloud/anchore-image-validator/pkg/apis/security/v1alpha1" ) -// SecurityV1Alpha1Interface interface for audit -type SecurityV1Alpha1Interface interface { +// Securityv1Alpha1Interface interface for audit +type Securityv1Alpha1Interface interface { Audits(namespace string) AuditInterface Whitelists(namespace string) WhiteListInterface } -// SecurityV1Alpha1Client client for crd -type SecurityV1Alpha1Client struct { +// Securityv1Alpha1Client client for crd +type Securityv1Alpha1Client struct { restClient rest.Interface } // SecurityConfig for admission hook configuration -func SecurityConfig(c *rest.Config) (*SecurityV1Alpha1Client, error) { +func SecurityConfig(c *rest.Config) (*Securityv1Alpha1Client, error) { config := *c config.ContentConfig.GroupVersion = &schema.GroupVersion{Group: v1alpha1.GroupName, Version: v1alpha1.GroupVersion} config.APIPath = "/apis" 
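Review bot: The renamed `Securityv1Alpha1Interface` declares `Audits(namespace string) AuditInterface` and `Whitelists(namespace string) WhiteListInterface`, but the methods on `*Securityv1Alpha1Client` in the following hunk take no namespace argument, so the client type does not satisfy the interface it is documented to implement and callers like `sc.Audits().Create(auditCR)` only compile because they use the concrete type. Either drop the `namespace` parameter from the interface or add it to the methods, and pin the relationship at compile time with `var _ Securityv1Alpha1Interface = (*Securityv1Alpha1Client)(nil)` so the next rename cannot reopen the gap. Note also that the rename moves away from the MixedCaps spelling the type had (`SecurityV1Alpha1...`); if the linter objected to the old name, the usual Kubernetes form is `SecurityV1alpha1...`.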
@@ -49,18 +49,18 @@ func SecurityConfig(c *rest.Config) (*SecurityV1Alpha1Client, error) { return nil, err } - return &SecurityV1Alpha1Client{restClient: client}, nil + return &Securityv1Alpha1Client{restClient: client}, nil } // Audits returns Audits for client -func (c *SecurityV1Alpha1Client) Audits() AuditInterface { +func (c *Securityv1Alpha1Client) Audits() AuditInterface { return &auditClient{ restClient: c.restClient, } } // Whitelists return WhiteLists for client -func (c *SecurityV1Alpha1Client) Whitelists() WhiteListInterface { +func (c *Securityv1Alpha1Client) Whitelists() WhiteListInterface { return &whitelistClient{ restClient: c.restClient, } From 42e23b669fe28a31c4e2979a0df78dcab95cf75b Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Tue, 17 Dec 2019 14:01:51 +0100 Subject: [PATCH 62/66] fix lint Signed-off-by: Peter Balogh --- Makefile | 4 +- cmd/config.go | 1 + cmd/main.go | 15 ++--- internal/app/app.go | 16 +++-- internal/app/handler.go | 40 +++++++----- internal/app/validate.go | 12 ++-- pkg/anchore/client.go | 39 +++++++++++- pkg/anchore/types.go | 2 +- pkg/apis/security/v1alpha1/deepcopy.go | 4 ++ pkg/apis/security/v1alpha1/register.go | 1 + pkg/clientset/v1alpha1/api.go | 67 -------------------- pkg/clientset/v1alpha1/audit.go | 88 -------------------------- pkg/clientset/v1alpha1/whitelist.go | 85 ------------------------- 13 files changed, 92 insertions(+), 282 deletions(-) delete mode 100644 pkg/clientset/v1alpha1/api.go delete mode 100644 pkg/clientset/v1alpha1/audit.go delete mode 100644 pkg/clientset/v1alpha1/whitelist.go diff --git a/Makefile b/Makefile index cd15000..ffb0de5 100644 --- a/Makefile +++ b/Makefile @@ -21,10 +21,10 @@ endif DOCKER_TAG ?= ${VERSION} # Dependency versions -GOLANGCI_VERSION = 1.12.3 +GOLANGCI_VERSION = 1.21.0 LICENSEI_VERSION = 0.1.0 -GOLANG_VERSION = 1.12 +GOLANG_VERSION = 1.13 .PHONY: clean clean: ## Clean the working area and the project 
diff --git a/cmd/config.go b/cmd/config.go index e3450ef..e594040 100644 --- a/cmd/config.go +++ b/cmd/config.go @@ -39,6 +39,7 @@ func configure(v *viper.Viper, p *pflag.FlagSet) { p.Init("imagecheck", pflag.ExitOnError) pflag.Usage = func() { _, _ = fmt.Fprintln(os.Stderr, "Usage of imagecheck:") + pflag.PrintDefaults() } _ = v.BindPFlags(p) diff --git a/cmd/main.go b/cmd/main.go index 50f9fc4..0142046 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -26,7 +26,6 @@ import ( "github.com/banzaicloud/anchore-image-validator/internal/app" "github.com/banzaicloud/anchore-image-validator/internal/log" "github.com/banzaicloud/anchore-image-validator/pkg/apis/security/v1alpha1" - clientv1alpha1 "github.com/banzaicloud/anchore-image-validator/pkg/clientset/v1alpha1" "github.com/spf13/pflag" "github.com/spf13/viper" "k8s.io/client-go/kubernetes/scheme" @@ -34,8 +33,6 @@ import ( crconfig "sigs.k8s.io/controller-runtime/pkg/client/config" ) -const apiServiceResource = "imagecheck" - // nolint: gochecknoinits func init() { pflag.Bool("version", false, "Show version information") @@ -44,7 +41,6 @@ func init() { } func main() { - configure(viper.GetViper(), pflag.CommandLine) pflag.Parse() @@ -57,12 +53,14 @@ func main() { err := viper.ReadInConfig() _, configFileNotFound := err.(viper.ConfigFileNotFoundError) + if !configFileNotFound { emperror.Panic(errors.Wrap(err, "failed to read configuration")) } var config Config err = viper.Unmarshal(&config) + if err != nil { emperror.Panic(errors.Wrap(err, "failed to unmarshal configuration")) } @@ -85,10 +83,6 @@ func main() { "k8sHost": k8sCfg.Host}) v1alpha1.AddToScheme(scheme.Scheme) - sc, err := clientv1alpha1.SecurityConfig(k8sCfg) - if err != nil { - logger.Error("error") - } client, err := crclient.New(k8sCfg, crclient.Options{}) if err != nil { 
@@ -103,9 +97,9 @@ func main() { }) if viper.GetBool("dev-http") { - http.ListenAndServe(":"+config.App.Port, app.NewApp(logger, client, sc)) + http.ListenAndServe(":"+config.App.Port, app.NewApp(logger, client)) } else { - http.ListenAndServeTLS(":"+config.App.Port, config.App.CertFile, config.App.KeyFile, app.NewApp(logger, client, sc)) + http.ListenAndServeTLS(":"+config.App.Port, config.App.CertFile, config.App.KeyFile, app.NewApp(logger, client)) } } @@ -114,5 +108,6 @@ func getEnv(key, fallback string) string { if !exists { value = fallback } + return value } diff --git a/internal/app/app.go b/internal/app/app.go index b670761..e937a5e 100644 --- a/internal/app/app.go +++ b/internal/app/app.go @@ -22,7 +22,6 @@ import ( "io/ioutil" "net/http" - clientv1alpha1 "github.com/banzaicloud/anchore-image-validator/pkg/clientset/v1alpha1" admissionv1beta1 "k8s.io/api/admission/v1beta1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" @@ -38,11 +37,12 @@ var ( runtimeScheme = runtime.NewScheme() codecs = serializer.NewCodecFactory(runtimeScheme) deserializer = codecs.UniversalDeserializer() - defaulter = runtime.ObjectDefaulter(runtimeScheme) + +// defaulter = runtime.ObjectDefaulter(runtimeScheme) ) // NewApp creates new application -func NewApp(logger logur.Logger, client client.Client, sc *clientv1alpha1.Securityv1Alpha1Client) http.Handler { +func NewApp(logger logur.Logger, client client.Client) http.Handler { mux := http.NewServeMux() mux.Handle(imageValidate, newHTTPHandler(logger, client)) logger.Info("newApp", map[string]interface{}{"app": imageValidate}) @@ -85,6 +85,7 @@ func (a *HTTPController) webhookCTRL(w http.ResponseWriter, r *http.Request) { http.Error(w, "reading request body failed", http.StatusInternalServerError) return } + a.Logger.Debug("request body", map[string]interface{}{"body": body}) if len(body) == 0 { 
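Review bot: In the `@@ -103,9 +97,9 @@` hunk the return values of `http.ListenAndServe` and `http.ListenAndServeTLS` are still discarded, so a port already in use or an unreadable `config.App.CertFile`/`config.App.KeyFile` makes main return and the process exit without a single log line while the webhook is simply absent. The file already uses `emperror.Panic` for fatal startup errors, so `emperror.Panic(http.ListenAndServeTLS(":"+config.App.Port, config.App.CertFile, config.App.KeyFile, app.NewApp(logger, client)))` (and the same for the `dev-http` branch) surfaces the failure. Since this server is called by the API server under a webhook timeout, constructing an `http.Server` with `ReadHeaderTimeout`, `ReadTimeout` and `WriteTimeout` and calling its `ListenAndServeTLS` would also replace the no-timeout defaults of the package-level helpers.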
@@ -93,9 +94,12 @@ func (a *HTTPController) webhookCTRL(w http.ResponseWriter, r *http.Request) { } var admissionResponse *admissionv1beta1.AdmissionResponse + ar := admissionv1beta1.AdmissionReview{} + if _, _, err := deserializer.Decode(body, nil, &ar); err != nil { a.Logger.Error("Can't decode body") + admissionResponse = &admissionv1beta1.AdmissionResponse{ Result: &metav1.Status{ Message: err.Error(), @@ -104,7 +108,7 @@ func (a *HTTPController) webhookCTRL(w http.ResponseWriter, r *http.Request) { } else { fmt.Println(r.URL.Path) if r.URL.Path == imageValidate { - admissionResponse = validate(&ar, a.Logger, a.Client) + admissionResponse = validate(&ar, a.Logger) //a.Client) } } @@ -120,7 +124,9 @@ func (a *HTTPController) webhookCTRL(w http.ResponseWriter, r *http.Request) { a.Logger.Error("Can't encode response") http.Error(w, fmt.Sprintf("could not encode response: %v", err), http.StatusInternalServerError) } - a.Logger.Info("Ready to write reponse ...") + + a.Logger.Info("Ready to write response ...") + if _, err := w.Write(resp); err != nil { a.Logger.Error("Can't write response") http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError) diff --git a/internal/app/handler.go b/internal/app/handler.go index 57f8938..874bdcb 100644 --- a/internal/app/handler.go +++ b/internal/app/handler.go @@ -23,7 +23,6 @@ import ( "strings" "github.com/banzaicloud/anchore-image-validator/pkg/apis/security/v1alpha1" - clientv1alpha1 "github.com/banzaicloud/anchore-image-validator/pkg/clientset/v1alpha1" "github.com/sirupsen/logrus" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" 
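Review bot: The new call `admissionResponse = validate(&ar, a.Logger) //a.Client)` in the `@@ -104,7 +108,7 @@` hunk leaves a fragment of the old argument list behind as a trailing comment, and the `fmt.Println(r.URL.Path)` directly above it writes to stdout instead of going through `a.Logger`. Write the call as `admissionResponse = validate(&ar, a.Logger)` and either delete the `fmt.Println` or turn it into `a.Logger.Debug("request path", map[string]interface{}{"path": r.URL.Path})` so request logging stays in one place. webhookCTRL starts and ends outside the hunk.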
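Review bot: In the `@@ -120,7 +124,9 @@` hunk the encode-failure branch just above the renamed log line calls `http.Error(w, fmt.Sprintf("could not encode response: %v", err), http.StatusInternalServerError)` but does not return, so execution falls through to `a.Logger.Info("Ready to write response ...")` and `w.Write(resp)`, appending whatever `resp` holds to a response whose 500 status and error body have already been sent. Add `return` after that `http.Error` call so the failure path ends there, matching the `return` used after the body-read failure earlier in the function. webhookCTRL starts and ends outside the hunk.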
@@ -44,15 +43,19 @@ type auditInfo struct { func getReleaseName(labels map[string]string, p string) (string, bool) { release := labels["release"] + if release != "" { logrus.WithFields(logrus.Fields{ "release": release, }).Info("Check whitelist") + return release, false } + logrus.WithFields(logrus.Fields{ "PodName": p, }).Info("Missing release label, using PodName") + return p, true } @@ -62,15 +65,19 @@ func checkWhiteList(wl []v1alpha1.WhiteListItem, r string, f bool) bool { logrus.WithFields(logrus.Fields{ "FakeRelease": true, }).Info("Missing release label, using PodName") + fakeRelease := string(res.ObjectMeta.Name + "-") if strings.Contains(r, fakeRelease) { return true } } + if r == res.ObjectMeta.Name { return true } + match := regexpWhiteList(res) + if match != nil { if match.MatchString(r) { return true @@ -89,14 +96,17 @@ func regexpWhiteList(wl v1alpha1.WhiteListItem) *regexp.Regexp { "error": err, "expression": wl.Spec.Regexp, }).Error("regexp compile error") + return nil } + return match } + return nil } -func createOrUpdateAudit(a auditInfo, c client.Client, sc *clientv1alpha1.Securityv1Alpha1Client) { +func createOrUpdateAudit(a auditInfo, c client.Client) { auditCR := &v1alpha1.Audit{ TypeMeta: metav1.TypeMeta{ Kind: "Audit", 
@@ -121,37 +131,35 @@ func createOrUpdateAudit(a auditInfo, c client.Client, sc *clientv1alpha1.Securi auditCR.SetOwnerReferences(a.owners) err := c.Create(context.Background(), auditCR) - audit, err := sc.Audits().Create(auditCR) if err != nil { logrus.Error(err) - actionByte := []byte(`{"spec":`) - aSpec, er := json.Marshal(auditCR.Spec) - if er != nil { - logrus.Error(er) + aCR, err := json.Marshal(auditCR) + + if err != nil { + logrus.Error(err) } - actionByte = append(actionByte, aSpec...) - tail := []byte(`}`) - actionByte = append(actionByte, tail...) - err = c.Patch(context.Background(), auditCR, client.ConstantPatch(types.MergePatchType, actionByte)) - audit, err = sc.Audits().Update(a.name, actionByte) + err = c.Patch(context.Background(), auditCR, client.ConstantPatch(types.JSONPatchType, aCR)) + if err != nil { logrus.Error(err) } else { logrus.WithFields(logrus.Fields{ - "Audit": audit, + "Audit": auditCR, }).Debug("Update Audit") } } else { logrus.WithFields(logrus.Fields{ - "Audit": audit, + "Audit": auditCR, }).Debug("Created Audit") } } -func listAudits(c client.Client, sc *clientv1alpha1.Securityv1Alpha1Client) { - audits, err := sc.Audits().List(metav1.ListOptions{}) +func listAudits(c client.Client) { + audits := &v1alpha1.AuditList{} + err := c.List(context.Background(), audits) + if err != nil { logrus.Error(err) } else { diff --git a/internal/app/validate.go b/internal/app/validate.go index b93e2b3..4e684ab 100644 --- a/internal/app/validate.go +++ b/internal/app/validate.go 
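Review bot: In `createOrUpdateAudit` every non-nil error from `c.Create` is treated as "already exists" and leads into the patch path, so a validation or RBAC failure on Create is followed by a Patch that fails for the same reason, and when `json.Marshal(auditCR)` fails the error is only logged before `c.Patch` is still issued with a nil body. Gate the fallback on the error kind, `if !apierrors.IsAlreadyExists(err) { logrus.Error(err); return }` (with `apierrors "k8s.io/apimachinery/pkg/api/errors"`), and `return` after the marshal error. `client.ConstantPatch(types.JSONPatchType, aCR)` also hands a whole serialized object to a patch type that expects an RFC 6902 operation array, so the update cannot succeed as written; the `@@ -139,7 +139,7 @@` hunk of the later "minor fixes" commit switches it to `types.MergePatchType`, which does match the payload. The `@@ -130,8 +130,7 @@` and `@@ -140,9 +139,7 @@` hunks of the "implement original logic" commit restyle this same block and keep the unconditional fallback.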
@@ -23,24 +23,24 @@ import ( v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "logur.dev/logur" - "sigs.k8s.io/controller-runtime/pkg/client" + // "sigs.k8s.io/controller-runtime/pkg/client" ) func validate(ar *admissionv1beta1.AdmissionReview, - logger logur.Logger, c client.Client) *admissionv1beta1.AdmissionResponse { - + logger logur.Logger) *admissionv1beta1.AdmissionResponse { req := ar.Request + // c client.Client logger.Info("AdmissionReview for", map[string]interface{}{ "Kind": req.Kind, "Namespsce": req.Namespace, "Resource": req.Resource, "UserInfo": req.UserInfo}) - switch req.Kind.Kind { - case "Pod": + if req.Kind.Kind == "Pod" { pod := v1.Pod{} if err := json.Unmarshal(req.Object.Raw, &pod); err != nil { logger.Error("could not unmarshal raw object") + return &admissionv1beta1.AdmissionResponse{ Result: &metav1.Status{ Message: err.Error(), @@ -57,6 +57,7 @@ func validate(ar *admissionv1beta1.AdmissionReview, }, } } + if !ok { return &admissionv1beta1.AdmissionResponse{ Allowed: false, @@ -78,6 +79,5 @@ func validate(ar *admissionv1beta1.AdmissionReview, } func checkImage(pod *v1.Pod, namespave string, logger logur.Logger) (bool, error) { - return false, nil } diff --git a/pkg/anchore/client.go b/pkg/anchore/client.go index bbfb6ed..811be9d 100644 --- a/pkg/anchore/client.go +++ b/pkg/anchore/client.go 
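Review bot: The `@@ -23,24 +23,24 @@` hunk of validate.go replaces the `client` import and the `c client.Client` parameter with commented-out copies (`// "sigs.k8s.io/controller-runtime/pkg/client"`, `// c client.Client`) rather than deleting them, which is the kind of dead code a lint run flags in the first place. Remove both comments; the import is trivially re-added when the parameter returns. The log field key `"Namespsce"` in the same hunk is misspelled and should read `"Namespace"` so log queries can key on it. validate continues outside the hunk.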
@@ -36,73 +36,96 @@ func anchoreRequest(path string, bodyParams map[string]string, method string) ([ fullURL := anchoreEngineURL + path client := &http.Client{} - bodyParamJson, err := json.Marshal(bodyParams) + bodyParamJSON, err := json.Marshal(bodyParams) + if err != nil { logrus.Fatal(err) } - req, err := http.NewRequest(method, fullURL, bytes.NewBuffer(bodyParamJson)) + + req, err := http.NewRequest(method, fullURL, bytes.NewBuffer(bodyParamJSON)) + if err != nil { logrus.Fatal(err) } + req.SetBasicAuth(username, password) + logrus.WithFields(logrus.Fields{ "url": fullURL, "bodyParams": bodyParams, }).Info("Sending request") + req.Header.Add("Content-Type", "application/json") resp, err := client.Do(req) + if err != nil { return nil, fmt.Errorf("failed to complete request to Anchore: %v", err) } + bodyText, err := ioutil.ReadAll(resp.Body) + defer resp.Body.Close() + logrus.WithFields(logrus.Fields{ "response": string(bodyText), }).Info("Anchore Response Body") + if err != nil { return nil, fmt.Errorf("failed to complete request to Anchore: %v", err) } + if resp.StatusCode != 200 { return nil, fmt.Errorf("response from Anchore: %d", resp.StatusCode) } + return bodyText, nil } func getStatus(digest string, tag string) bool { path := fmt.Sprintf("/v1/images/%s/check?history=false&detail=false&tag=%s", digest, tag) body, err := anchoreRequest(path, nil, "GET") + if err != nil { logrus.Error(err) return false } + var result []map[string]map[string][]SHAResult err = json.Unmarshal(body, &result) + if err != nil { logrus.Error(err) return false } resultIndex := fmt.Sprintf("docker.io/%s:latest", tag) + return result[0][digest][resultIndex][0].Status == "pass" } func getImage(imageRef string) (Image, error) { params := map[string]string{"tag": imageRef} body, err := anchoreRequest("/v1/images?history=false", params, "GET") + if err != nil { return Image{}, err } + var images []Image err = json.Unmarshal(body, &images) + if err != nil { return Image{}, 
fmt.Errorf("failed to unmarshal JSON from response: %v", err) } + return images[0], nil } func getImageDigest(imageRef string) (string, error) { image, err := getImage(imageRef) + if err != nil { return "", fmt.Errorf("failed to get image digest: %v", err) } + return image.ImageDigest, nil } @@ -110,12 +133,15 @@ func getImageDigest(imageRef string) (string, error) { func AddImage(image string) error { params := map[string]string{"tag": image} _, err := anchoreRequest("/v1/images", params, "POST") + if err != nil { return err } + logrus.WithFields(logrus.Fields{ "Image": image, }).Info("Added image to Anchore Engine") + return nil } @@ -123,14 +149,18 @@ func AddImage(image string) error { func CheckImage(image string) (v1alpha1.AuditImage, bool) { imageParts := strings.Split(image, ":") tag := "latest" + if len(imageParts) > 1 { tag = imageParts[1] } + digest, err := getImageDigest(image) + if err != nil { AddImage(image) digest, _ = getImageDigest(image) } + lastUpdated := getImageLastUpdate(digest) auditImage := v1alpha1.AuditImage{ ImageName: imageParts[0], @@ -138,21 +168,26 @@ func CheckImage(image string) (v1alpha1.AuditImage, bool) { ImageDigest: digest, LastUpdated: lastUpdated, } + return auditImage, getStatus(digest, tag) } func getImageLastUpdate(digest string) string { path := fmt.Sprintf("/v1/images/%s?history=false&detail=false", digest) body, err := anchoreRequest(path, nil, "GET") + if err != nil { logrus.Error(err) return "" } + var images []Image err = json.Unmarshal(body, &images) + if err != nil { logrus.Error(err) return "" } + return images[0].LastUpdated } diff --git a/pkg/anchore/types.go b/pkg/anchore/types.go index 9fcd20e..d3cabc9 100644 --- a/pkg/anchore/types.go +++ b/pkg/anchore/types.go @@ -19,7 +19,7 @@ package anchore // Check type for Anchore check type Check struct { LastEvaluation string `json:"last_evaluation"` - PolicyId string `json:"policy_id"` + PolicyID string `json:"policy_id"` Status string `json:"status"` } 
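Review bot: `getImage` returns `images[0]` and `getStatus` reads `result[0][digest][resultIndex][0].Status` without checking that the decoded slices are non-empty, so an empty or differently shaped Anchore response panics inside the admission request path instead of yielding an error; `getImageLastUpdate` in the `@@ -138,21 +168,26 @@` hunk further down has the same `images[0]` access. Guard each lookup, e.g. `if len(images) == 0 { return Image{}, fmt.Errorf("no image found in Anchore for %q", imageRef) }`, and have `getStatus` return false when any level of the nested map/slice is missing. `client := &http.Client{}` carries no timeout and `logrus.Fatal(err)` on a marshal or request-construction failure terminates the whole validator, so a single slow or malformed exchange with Anchore can take the webhook down; set `Timeout` on the client and return the error instead of calling Fatal. The `%v` verbs in the `fmt.Errorf` calls could be `%w` so callers can use `errors.Is`/`errors.As`. The signature of `anchoreRequest` is the hunk header, so the function begins just outside the hunk.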
diff --git a/pkg/apis/security/v1alpha1/deepcopy.go b/pkg/apis/security/v1alpha1/deepcopy.go index 9831d72..7b01d9c 100644 --- a/pkg/apis/security/v1alpha1/deepcopy.go +++ b/pkg/apis/security/v1alpha1/deepcopy.go @@ -45,10 +45,12 @@ func (in *WhiteListItemList) DeepCopyObject() runtime.Object { if in.Items != nil { out.Items = make([]WhiteListItem, len(in.Items)) + for i := range in.Items { in.Items[i].DeepCopyInto(&out.Items[i]) } } + return &out } @@ -81,9 +83,11 @@ func (in *AuditList) DeepCopyObject() runtime.Object { if in.Items != nil { out.Items = make([]Audit, len(in.Items)) + for i := range in.Items { in.Items[i].DeepCopyInto(&out.Items[i]) } } + return &out } diff --git a/pkg/apis/security/v1alpha1/register.go b/pkg/apis/security/v1alpha1/register.go index ccbdcee..8954d34 100644 --- a/pkg/apis/security/v1alpha1/register.go +++ b/pkg/apis/security/v1alpha1/register.go @@ -47,5 +47,6 @@ func addKnownTypes(scheme *runtime.Scheme) error { ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil } diff --git a/pkg/clientset/v1alpha1/api.go b/pkg/clientset/v1alpha1/api.go deleted file mode 100644 index 102318b..0000000 --- a/pkg/clientset/v1alpha1/api.go +++ /dev/null 
@@ -1,67 +0,0 @@ -/* -Copyright 2019 Banzai Cloud. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package v1alpha1 - -import ( - "k8s.io/apimachinery/pkg/runtime/schema" - "k8s.io/apimachinery/pkg/runtime/serializer" - "k8s.io/client-go/kubernetes/scheme" - "k8s.io/client-go/rest" - - "github.com/banzaicloud/anchore-image-validator/pkg/apis/security/v1alpha1" -) - -// Securityv1Alpha1Interface interface for audit -type Securityv1Alpha1Interface interface { - Audits(namespace string) AuditInterface - Whitelists(namespace string) WhiteListInterface -} - -// Securityv1Alpha1Client client for crd -type Securityv1Alpha1Client struct { - restClient rest.Interface -} - -// SecurityConfig for admission hook configuration -func SecurityConfig(c *rest.Config) (*Securityv1Alpha1Client, error) { - config := *c - config.ContentConfig.GroupVersion = &schema.GroupVersion{Group: v1alpha1.GroupName, Version: v1alpha1.GroupVersion} - config.APIPath = "/apis" - config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs} - config.UserAgent = rest.DefaultKubernetesUserAgent() - - client, err := rest.RESTClientFor(&config) - if err != nil { - return nil, err - } - - return &Securityv1Alpha1Client{restClient: client}, nil -} - -// Audits returns Audits for client -func (c *Securityv1Alpha1Client) Audits() AuditInterface { - return &auditClient{ - restClient: c.restClient, - } -} - -// Whitelists return WhiteLists for client -func (c *Securityv1Alpha1Client) Whitelists() 
WhiteListInterface { - return &whitelistClient{ - restClient: c.restClient, - } -} diff --git a/pkg/clientset/v1alpha1/audit.go b/pkg/clientset/v1alpha1/audit.go deleted file mode 100644 index cd86be4..0000000 --- a/pkg/clientset/v1alpha1/audit.go +++ /dev/null 
@@ -1,88 +0,0 @@ -/* -Copyright 2019 Banzai Cloud. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package v1alpha1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/types" - "k8s.io/client-go/kubernetes/scheme" - "k8s.io/client-go/rest" - - "github.com/banzaicloud/anchore-image-validator/pkg/apis/security/v1alpha1" -) - -// AuditInterface for audit -type AuditInterface interface { - List(metav1.ListOptions) (*v1alpha1.AuditList, error) - Get(string, metav1.GetOptions) (*v1alpha1.Audit, error) - Create(*v1alpha1.Audit) (*v1alpha1.Audit, error) - Update(string, []byte) (*v1alpha1.Audit, error) -} - -type auditClient struct { - restClient rest.Interface -} - -func (c *auditClient) List(opts metav1.ListOptions) (*v1alpha1.AuditList, error) { - result := v1alpha1.AuditList{} - err := c.restClient. - Get(). - Resource("audits"). - VersionedParams(&opts, scheme.ParameterCodec). - Do(). - Into(&result) - - return &result, err -} - -func (c *auditClient) Get(name string, opts metav1.GetOptions) (*v1alpha1.Audit, error) { - result := v1alpha1.Audit{} - err := c.restClient. - Get(). - Resource("audits"). - Name(name). - VersionedParams(&opts, scheme.ParameterCodec). - Do(). - Into(&result) - - return &result, err -} - -func (c *auditClient) Create(audit *v1alpha1.Audit) (*v1alpha1.Audit, error) { - result := v1alpha1.Audit{} - err := c.restClient. - Post(). - Resource("audits"). - Body(audit). - Do(). 
- Into(&result) - - return &result, err -} - -func (c *auditClient) Update(name string, auditPatch []byte) (*v1alpha1.Audit, error) { - result := v1alpha1.Audit{} - err := c.restClient. - Patch(types.MergePatchType). - Resource("audits"). - Name(name). - Body(auditPatch). - Do(). - Into(&result) - - return &result, err -} diff --git a/pkg/clientset/v1alpha1/whitelist.go b/pkg/clientset/v1alpha1/whitelist.go deleted file mode 100644 index 4b7b106..0000000 --- a/pkg/clientset/v1alpha1/whitelist.go +++ /dev/null 
@@ -1,85 +0,0 @@ -/* -Copyright 2019 Banzai Cloud. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package v1alpha1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/client-go/kubernetes/scheme" - "k8s.io/client-go/rest" - - "github.com/banzaicloud/anchore-image-validator/pkg/apis/security/v1alpha1" -) - -// WhiteListInterface for whitelist -type WhiteListInterface interface { - List(opts metav1.ListOptions) (*v1alpha1.WhiteListItemList, error) - Get(name string, options metav1.GetOptions) (*v1alpha1.WhiteListItem, error) - Create(*v1alpha1.WhiteListItem) (*v1alpha1.WhiteListItem, error) - Delete(name string, options *metav1.DeleteOptions) error -} - -type whitelistClient struct { - restClient rest.Interface -} - -func (c *whitelistClient) List(opts metav1.ListOptions) (*v1alpha1.WhiteListItemList, error) { - result := v1alpha1.WhiteListItemList{} - err := c.restClient. - Get(). - Resource("whitelistitems"). - VersionedParams(&opts, scheme.ParameterCodec). - Do(). - Into(&result) - - return &result, err -} - -func (c *whitelistClient) Get(name string, opts metav1.GetOptions) (*v1alpha1.WhiteListItem, error) { - result := v1alpha1.WhiteListItem{} - err := c.restClient. - Get(). - Resource("whitelistitems"). - Name(name). - VersionedParams(&opts, scheme.ParameterCodec). - Do(). 
- Into(&result) - - return &result, err -} - -func (c *whitelistClient) Create(whiteListItem *v1alpha1.WhiteListItem) (*v1alpha1.WhiteListItem, error) { - result := v1alpha1.WhiteListItem{} - err := c.restClient. - Post(). - Resource("whitelistitems"). - Body(whiteListItem). - Do(). - Into(&result) - - return &result, err -} - -func (c *whitelistClient) Delete(name string, options *metav1.DeleteOptions) error { - - return c.restClient. - Delete(). - Resource("whitelistitems"). - Name(name). - Body(options). - Do(). - Error() -} From 7cc0c66329349c25c69206644c2761875a8c5b61 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Tue, 17 Dec 2019 20:40:33 +0100 Subject: [PATCH 63/66] implement original logic Signed-off-by: Peter Balogh --- internal/app/app.go | 2 +- internal/app/handler.go | 10 +-- internal/app/validate.go | 139 ++++++++++++++++++++++++++++++++------- 3 files changed, 120 insertions(+), 31 deletions(-) diff --git a/internal/app/app.go b/internal/app/app.go index e937a5e..a371567 100644 --- a/internal/app/app.go +++ b/internal/app/app.go @@ -108,7 +108,7 @@ func (a *HTTPController) webhookCTRL(w http.ResponseWriter, r *http.Request) { } else { fmt.Println(r.URL.Path) if r.URL.Path == imageValidate { - admissionResponse = validate(&ar, a.Logger) //a.Client) + admissionResponse = validate(&ar, a.Logger, a.Client) } } diff --git a/internal/app/handler.go b/internal/app/handler.go index 874bdcb..d4b7edd 100644 --- a/internal/app/handler.go +++ b/internal/app/handler.go @@ -130,8 +130,7 @@ func createOrUpdateAudit(a auditInfo, c client.Client) { auditCR.SetOwnerReferences(a.owners) - err := c.Create(context.Background(), auditCR) - if err != nil { + if err := c.Create(context.Background(), auditCR); err != nil { logrus.Error(err) aCR, err := json.Marshal(auditCR) 
@@ -140,9 +139,7 @@ func createOrUpdateAudit(a auditInfo, c client.Client) { logrus.Error(err) } - err = c.Patch(context.Background(), auditCR, client.ConstantPatch(types.JSONPatchType, aCR)) - - if err != nil { + if err := c.Patch(context.Background(), auditCR, client.ConstantPatch(types.JSONPatchType, aCR)); err != nil { logrus.Error(err) } else { logrus.WithFields(logrus.Fields{ @@ -158,9 +155,8 @@ func createOrUpdateAudit(a auditInfo, c client.Client) { func listAudits(c client.Client) { audits := &v1alpha1.AuditList{} - err := c.List(context.Background(), audits) - if err != nil { + if err := c.List(context.Background(), audits); err != nil { logrus.Error(err) } else { logrus.WithFields(logrus.Fields{ diff --git a/internal/app/validate.go b/internal/app/validate.go index 4e684ab..63a5f1e 100644 --- a/internal/app/validate.go +++ b/internal/app/validate.go @@ -17,19 +17,24 @@ limitations under the License. package app import ( + "context" "encoding/json" + "fmt" + "strings" + "github.com/banzaicloud/anchore-image-validator/pkg/anchore" + "github.com/banzaicloud/anchore-image-validator/pkg/apis/security/v1alpha1" admissionv1beta1 "k8s.io/api/admission/v1beta1" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "logur.dev/logur" - // "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/client" ) func validate(ar *admissionv1beta1.AdmissionReview, - logger logur.Logger) *admissionv1beta1.AdmissionResponse { + logger logur.Logger, c client.Client) *admissionv1beta1.AdmissionResponse { req := ar.Request - // c client.Client + logger.Info("AdmissionReview for", map[string]interface{}{ "Kind": req.Kind, "Namespsce": req.Namespace, 
@@ -37,6 +42,18 @@ func validate(ar *admissionv1beta1.AdmissionReview, "UserInfo": req.UserInfo}) if req.Kind.Kind == "Pod" { + whitelists := &v1alpha1.WhiteListItemList{} + + if err := c.List(context.Background(), whitelists); err != nil { + logger.Error("cannot list whitelistimets", map[string]interface{}{ + "error": err.Error(), + }) + } else { + logger.Debug("whitelists found", map[string]interface{}{ + "whitelists": whitelists.Items, + }) + } + pod := v1.Pod{} if err := json.Unmarshal(req.Object.Raw, &pod); err != nil { logger.Error("could not unmarshal raw object") @@ -48,24 +65,7 @@ func validate(ar *admissionv1beta1.AdmissionReview, } } - ok, err := checkImage(&pod, pod.GetNamespace(), logger) - if err != nil { - return &admissionv1beta1.AdmissionResponse{ - Allowed: false, - Result: &metav1.Status{ - Reason: metav1.StatusReason(err.Error()), - }, - } - } - - if !ok { - return &admissionv1beta1.AdmissionResponse{ - Allowed: false, - Result: &metav1.Status{ - Reason: "result of policy evaluation is failed", - }, - } - } + return checkImage(&pod, whitelists, logger, c) } return &admissionv1beta1.AdmissionResponse{ 
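Review bot: `c.List(context.Background(), whitelists)` now runs on every admission request with no deadline, while the API server abandons the call once the webhook's `timeoutSeconds` elapses, so a slow List leaves the handler working for a caller that has already given up. Bound it, e.g. `ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second); defer cancel()` and pass `ctx` to `c.List` (or thread `r.Context()` from webhookCTRL through validate). The error text `"cannot list whitelistimets"` is misspelled (`whitelistitems`). Continuing with an empty `whitelists.Items` after a failed List means exempted releases are rejected while the API server is unreachable, which is the fail-closed behaviour you want here; a one-line comment saying so would keep a later reader from "fixing" it. validate continues outside the hunk.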
@@ -78,6 +78,99 @@ func validate(ar *admissionv1beta1.AdmissionReview, } } -func checkImage(pod *v1.Pod, namespave string, logger logur.Logger) (bool, error) { - return false, nil +func checkImage(pod *v1.Pod, + wl *v1alpha1.WhiteListItemList, + logger logur.Logger, + c client.Client) *admissionv1beta1.AdmissionResponse { + result := []string{} + auditImages := []v1alpha1.AuditImage{} + message := "" + + resp := &admissionv1beta1.AdmissionResponse{ + Allowed: true, + Result: &metav1.Status{ + Status: "Success", + Reason: "", + Message: "", + }, + } + + r, f := getReleaseName(pod.Labels, pod.Name) + + for _, container := range pod.Spec.Containers { + image := container.Image + + logger.Debug("Checking image", map[string]interface{}{ + "image": image, + }) + + auditImage, ok := anchore.CheckImage(image) + + if !ok { + resp.Result.Status = "Failure" + resp.Allowed = false + + if checkWhiteList(wl.Items, r, f) { + resp.Result.Status = "Success" + resp.Allowed = true + + logger.Info("Whitelisted release", map[string]interface{}{ + "PodName": pod.Name, + }) + } + message = fmt.Sprintf("Image failed policy check: %s", image) + resp.Result.Message = message + + logger.Warn("Image failed policy check", map[string]interface{}{ + "image": image, + }) + } else { + message = fmt.Sprintf("Image passed policy check: %s", image) + + logger.Warn("Image passed policy check", map[string]interface{}{ + "image": image, + }) + } + + result = append(result, message) + auditImages = append(auditImages, auditImage) + } + + fr := "false" + if f { + fr = "true" + } + + action := "reject" + if resp.Allowed { + action = "allowed" + } + + owners := pod.GetOwnerReferences() + var auditName string + + if len(owners) > 0 { + auditName = strings.ToLower(owners[0].Kind) + "-" + strings.ToLower(owners[0].Name) + } else { + auditName = pod.Name + } + + ainfo := auditInfo{ + name: auditName, + labels: map[string]string{"fakerelease": fr}, + releaseName: r, + resource: "Pod", + images: auditImages, + 
result: result, + action: action, + state: "", + owners: owners, + } + + createOrUpdateAudit(ainfo, c) + logger.Debug("Security scan status", map[string]interface{}{ + "Status": resp, + }) + + return resp } From 3225279d947cffe148bdab32368d66ab3441e136 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Tue, 17 Dec 2019 21:50:32 +0100 Subject: [PATCH 64/66] minor fixes Signed-off-by: Peter Balogh --- internal/app/handler.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/app/handler.go b/internal/app/handler.go index d4b7edd..ecb3b49 100644 --- a/internal/app/handler.go +++ b/internal/app/handler.go @@ -110,7 +110,7 @@ func createOrUpdateAudit(a auditInfo, c client.Client) { auditCR := &v1alpha1.Audit{ TypeMeta: metav1.TypeMeta{ Kind: "Audit", - APIVersion: "v1alpha1", + APIVersion: "security.banzaicloud.com/v1alpha1", }, ObjectMeta: metav1.ObjectMeta{ Name: a.name, @@ -139,7 +139,7 @@ func createOrUpdateAudit(a auditInfo, c client.Client) { logrus.Error(err) } - if err := c.Patch(context.Background(), auditCR, client.ConstantPatch(types.JSONPatchType, aCR)); err != nil { + if err := c.Patch(context.Background(), auditCR, client.ConstantPatch(types.MergePatchType, aCR)); err != nil { logrus.Error(err) } else { logrus.WithFields(logrus.Fields{ From e01055711e132d9a4ead1382d9794172399ad85e Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Wed, 18 Dec 2019 11:05:17 +0100 Subject: [PATCH 65/66] update go version in circleci config Signed-off-by: Peter Balogh --- .circleci/config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 38980c4..28c8fb7 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -6,7 +6,7 @@ jobs: docker_layer_caching: true environment: - GO_VERSION: "1.12.3" + GO_VERSION: "1.13" # K8S_VERSION: v1.13.1 # KUBECONFIG: /home/circleci/.kube/config # MINIKUBE_VERSION: v0.33.1 
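Review bot: `checkImage` ranges only over `pod.Spec.Containers`, so images in `pod.Spec.InitContainers` are never passed to `anchore.CheckImage` and a pod can run an unscanned image in an init container while the response reports `Success`. Scan both lists: `containers := append([]v1.Container{}, pod.Spec.InitContainers...)` followed by `containers = append(containers, pod.Spec.Containers...)`, then `for _, container := range containers {`. The exemption is keyed on `getReleaseName(pod.Labels, pod.Name)`, i.e. on a label the pod author chooses, so a whitelist entry exempts any pod carrying that `release` value rather than one specific Helm release; the whitelist type's doc comment (outside this diff) should state that trust boundary, and scoping the match by namespace would narrow it. `logger.Warn("Image passed policy check", ...)` logs the success path at warning level; `Info` or `Debug` matches the `logger.Debug("Checking image", ...)` above it.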
@@ -45,7 +45,7 @@ jobs: key: go-mod-v1-{{ .Branch }}-{{ checksum "go.sum" }} paths: - "/go/pkg/mod" - + - run: name: Install license checker command: make bin/licensei From 81149df68c297ac654e39b420198f82efa41b687 Mon Sep 17 00:00:00 2001 From: Peter Balogh Date: Wed, 18 Dec 2019 11:25:14 +0100 Subject: [PATCH 66/66] fix licensei and check-header Signed-off-by: Peter Balogh --- .licensei.toml | 3 +++ scripts/check-header.sh | 30 ++++++++++++++++-------------- 2 files changed, 19 insertions(+), 14 deletions(-) diff --git a/.licensei.toml b/.licensei.toml index 6e94247..c08ac52 100644 --- a/.licensei.toml +++ b/.licensei.toml @@ -16,4 +16,7 @@ ignored = [ "go.uber.org/atomic", "go.uber.org/multierr", "emperror.dev/errors", + "emperror.dev/emperror", + "logur.dev/logur", + "logur.dev/adapter/logrus", ] diff --git a/scripts/check-header.sh b/scripts/check-header.sh index 1b9610b..1c52977 100755 --- a/scripts/check-header.sh +++ b/scripts/check-header.sh @@ -1,19 +1,21 @@ #!/usr/bin/env bash read -r -d '' EXPECTED <