package cmd
import (
log "github.com/sirupsen/logrus"
"github.com/spf13/cobra"
apiv1 "k8s.io/api/core/v1"
)
// printResultNR writes one error log line per failing audit result, tagged
// with the Kubernetes resource type and identified as namespace/name.
// Passing results (err == 0) produce no output.
func printResultNR(results []Result) {
	for i := range results {
		r := &results[i]
		if r.err <= 0 {
			continue
		}
		log.WithField("type", r.kubeType).Error(r.namespace, "/", r.name)
	}
}
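// checkRunAsNonRoot records in result whether the container's own
// SecurityContext requires it to run as a non-root user.
//
// On failure result.err is set to a non-zero code:
//   1 - a SecurityContext is present but RunAsNonRoot is unset
//   2 - RunAsNonRoot is explicitly false
//   3 - the container has no SecurityContext at all
// When the check passes result.err is left untouched.
//
// Only the container-level SecurityContext is visible here; a runAsNonRoot
// value inherited from the pod-level SecurityContext is not consulted, so
// such a container is still reported with code 3.
// NOTE(review): confirm whether callers are expected to fold pod-level
// settings into the container before this check.
//
// A nil result is ignored instead of dereferenced; auditRunAsNonRoot
// already treats a nil result as "nothing to record".
func checkRunAsNonRoot(container apiv1.Container, result *Result) {
	if result == nil {
		return
	}
	sc := container.SecurityContext
	switch {
	case sc == nil:
		result.err = 3
	case sc.RunAsNonRoot == nil:
		result.err = 1
	case !*sc.RunAsNonRoot:
		result.err = 2
	}
}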
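// auditRunAsNonRoot runs checkRunAsNonRoot over every container of every
// item in items. For each item the first failing container is appended to
// results and the item's remaining containers are skipped. The collected
// failures are printed with printResultNR before returning.
//
// runAsNonRootCmd starts this function as a goroutine and discards its
// return value, so completion is signalled on the shared wg; the returned
// slice is only useful to direct callers.
//
// An item whose containerIter yields a nil result is skipped: the previous
// version passed the nil result into checkRunAsNonRoot (which wrote to it)
// before reaching its own nil check.
func auditRunAsNonRoot(items Items) (results []Result) {
	// Release wg on every exit path, not only after the final print.
	defer wg.Done()
	for _, item := range items.Iter() {
		containers, result := containerIter(item)
		if result == nil {
			continue
		}
		for _, c := range containers {
			checkRunAsNonRoot(c, result)
			if result.err > 0 {
				results = append(results, *result)
				break
			}
		}
	}
	printResultNR(results)
	return results
}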
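// runAsNonRootCmd represents the runAsNonRoot command. It fetches
// Deployments, StatefulSets, DaemonSets, ReplicationControllers and Pods
// from the cluster and audits their containers for the RunAsNonRoot
// SecurityContext setting, one resource kind per goroutine.
//
// NOTE(review): Use is "nonroot" while the Long text shows
// "kubeaudit runAsNonRoot"; confirm the example against the parent
// securityContextCmd's Use. The Long text also describes a uid=0 check,
// but checkRunAsNonRoot only inspects the RunAsNonRoot flag.
var runAsNonRootCmd = &cobra.Command{
	Use:   "nonroot",
	Short: "Audit containers running as root",
	Long: `This command determines which containers in a kubernetes cluster
are running as root (uid=0).
A PASS is given when a container runs as a uid greater than 0
A FAIL is generated when a container runs as root
Example usage:
kubeaudit runAsNonRoot`,
	Run: func(cmd *cobra.Command, args []string) {
		// Select the formatter first so that a client error below is also
		// emitted as JSON when the user asked for it.
		if rootConfig.json {
			log.SetFormatter(&log.JSONFormatter{})
		}
		kube, err := kubeClient(rootConfig.kubeConfig)
		if err != nil {
			// Previously execution continued with an unusable client after
			// logging; the audits below cannot run without one, so stop here.
			log.Error(err)
			return
		}
		// fetch deployments, statefulsets, daemonsets, replication
		// controllers and pods which do not belong to another abstraction
		deployments := getDeployments(kube)
		statefulSets := getStatefulSets(kube)
		daemonSets := getDaemonSets(kube)
		pods := getPods(kube)
		replicationControllers := getReplicationControllers(kube)
		// One goroutine per resource kind; each calls wg.Done when finished,
		// so the count here must match the number of go statements below.
		wg.Add(5)
		go auditRunAsNonRoot(kubeAuditStatefulSets{list: statefulSets})
		go auditRunAsNonRoot(kubeAuditDaemonSets{list: daemonSets})
		go auditRunAsNonRoot(kubeAuditPods{list: pods})
		go auditRunAsNonRoot(kubeAuditReplicationControllers{list: replicationControllers})
		go auditRunAsNonRoot(kubeAuditDeployments{list: deployments})
		wg.Wait()
	},
}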
// init registers the nonroot audit as a subcommand of securityContextCmd.
func init() {
	parent := securityContextCmd
	parent.AddCommand(runAsNonRootCmd)
}