
feat: Gateway API support, network policy tracking & code cleanup#4

Merged
davealtena merged 4 commits into main from feature/extended-cluster-data
Jan 30, 2026

Conversation

@davealtena
Contributor

Summary

  • Gateway API support: Add detection for HTTPRoute, GRPCRoute, TCPRoute, and TLSRoute resources in exposure analysis
  • Network policy tracking: Track network policy status per workload for hardening visibility
  • Code cleanup: Remove ~600 lines of unused scanner code that was never called in production
  • Version bump: 0.1.0 → 0.2.0

Changes

New Features

  • internal/kubectl/gateway.go - New Gateway API client for listing Gateways and routes
  • Exposure analysis now includes Gateway API routes alongside Ingress
  • Workloads now report has_network_policy status

Cleanup (dead code removal)

Removed                       Lines  Reason
trivy/delete.go               232    Never called
trivy/benchmark_scanner.go    48     Never instantiated
trivy/compliance_scanner.go   58     Never instantiated
trivy/infra_scanner.go        55     Never instantiated
trivy/rbac_scanner.go         55     Never instantiated
trivy/secrets_scanner.go      52     Never instantiated
Parts of cluster_scanners.go  ~130   Unused scanner types

Improvements

  • Replace duplicate contains() helpers with slices.Contains()
  • Remove unused log import from db.go

Test plan

  • go build ./... passes
  • go test ./... passes
  • Deploy to test cluster and verify exposure analysis includes Gateway routes
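
Added example (editor's illustration, not the project's internal/kubectl/gateway.go): the join that exposure analysis has to perform once Gateway API routes are collected alongside Ingress. Gateway API attaches a route to a Gateway through parentRefs and names workloads through backendRefs, and both carry namespace defaults (a missing namespace means the route's own, a missing backend kind means Service) that are easy to get wrong. The struct shapes below are simplified stand-ins for the real CRD fields, the sample cluster is constructed, and the "*" marker for a hostname-less listener is this example's convention, not the project's.

```go
package main

import "fmt"

// Gateway is reduced to the hostnames its listeners accept; an empty string
// stands for a listener without a hostname, which accepts any host.
type Gateway struct {
	Namespace, Name   string
	ListenerHostnames []string
}

// ParentRef attaches a route to a Gateway; Namespace "" means the route's own.
type ParentRef struct{ Namespace, Name string }

// BackendRef names the target; Kind "" means Service and Namespace "" means
// the route's own namespace, matching the Gateway API defaults.
type BackendRef struct{ Kind, Namespace, Name string }

// Route is the common subset of HTTPRoute, GRPCRoute, TCPRoute and TLSRoute.
// TCPRoute carries no hostnames; TLSRoute hostnames are SNI names.
type Route struct {
	Kind, Namespace, Name string
	ParentRefs            []ParentRef
	Hostnames             []string
	Backends              []BackendRef
}

// Exposure is one path from outside the cluster to a Service.
type Exposure struct{ Service, Route, Gateway, Hostname string }

func key(ns, name string) string { return ns + "/" + name }

// AnalyzeExposure joins routes to the Gateways their parentRefs resolve to and
// reports every Service backend reachable through an attached route.
func AnalyzeExposure(gateways []Gateway, routes []Route) []Exposure {
	byKey := make(map[string]Gateway, len(gateways))
	for _, g := range gateways {
		byKey[key(g.Namespace, g.Name)] = g
	}
	var out []Exposure
	for _, r := range routes {
		for _, p := range r.ParentRefs {
			ns := p.Namespace
			if ns == "" {
				ns = r.Namespace
			}
			g, ok := byKey[key(ns, p.Name)]
			if !ok {
				continue // dangling parentRef: nothing serves this route
			}
			hosts := r.Hostnames
			if len(hosts) == 0 {
				hosts = listenerHostnames(g) // route inherits the listeners' hostnames
			}
			for _, b := range r.Backends {
				if b.Kind != "" && b.Kind != "Service" {
					continue // only Service backends map onto workloads here
				}
				bns := b.Namespace
				if bns == "" {
					bns = r.Namespace
				}
				for _, h := range hosts {
					out = append(out, Exposure{Service: key(bns, b.Name), Hostname: h,
						Route: r.Kind + " " + key(r.Namespace, r.Name), Gateway: key(g.Namespace, g.Name)})
				}
			}
		}
	}
	return out
}

// listenerHostnames lists the distinct hostnames a Gateway accepts, reporting
// a hostname-less listener as "*" (this example's convention).
func listenerHostnames(g Gateway) []string {
	seen := map[string]bool{}
	var hosts []string
	for _, h := range g.ListenerHostnames {
		if h == "" {
			h = "*"
		}
		if !seen[h] {
			seen[h] = true
			hosts = append(hosts, h)
		}
	}
	return hosts
}

// Constructed sample cluster (not real data): one shared Gateway, an HTTPRoute
// with its own hostname, a GRPCRoute that inherits the listener hostname and
// targets another namespace, and a TCPRoute whose parentRef does not resolve.
func SampleGateways() []Gateway {
	return []Gateway{{Namespace: "infra", Name: "public-gw", ListenerHostnames: []string{"*.example.com"}}}
}

func SampleRoutes() []Route {
	return []Route{
		{Kind: "HTTPRoute", Namespace: "shop", Name: "checkout", Hostnames: []string{"shop.example.com"},
			ParentRefs: []ParentRef{{Namespace: "infra", Name: "public-gw"}},
			Backends:   []BackendRef{{Name: "checkout-api"}}},
		{Kind: "GRPCRoute", Namespace: "shop", Name: "payments",
			ParentRefs: []ParentRef{{Namespace: "infra", Name: "public-gw"}},
			Backends:   []BackendRef{{Namespace: "payments", Name: "payments"}}},
		{Kind: "TCPRoute", Namespace: "db", Name: "postgres",
			ParentRefs: []ParentRef{{Name: "public-gw"}}, // resolves to db/public-gw, which does not exist
			Backends:   []BackendRef{{Name: "postgres"}}},
	}
}

func main() {
	for _, e := range AnalyzeExposure(SampleGateways(), SampleRoutes()) {
		fmt.Printf("%s exposed via %s host=%s (%s)\n", e.Service, e.Gateway, e.Hostname, e.Route)
	}
}
```

The point worth checking in any real implementation is the unresolved parentRef: a route that names a Gateway which does not exist (or whose name resolves in the wrong namespace because the default was not applied) exposes nothing, while a route with no hostnames of its own is reachable on every hostname its Gateway's listeners accept.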

Add collectors and API endpoint for ServiceAccounts, Secrets metadata,
Namespaces (with PSS labels), and Nodes. This enables the SaaS platform
to perform more comprehensive security risk analysis including:

- RBAC misconfiguration detection (cluster-admin to ServiceAccount)
- Unused secret identification
- Pod Security Standards enforcement gaps
- Outdated Kubernetes version detection

New endpoint: POST /api/v1/cluster-resources

Signed-off-by: Dave Altena <dave@altena.io>

Detect cluster provider (eks, aks, gke, openshift, k3s, etc.),
control plane type (managed vs self-hosted), platform (aws, azure, gcp),
and Kubernetes version. This enables the SaaS to:

- Select correct CIS benchmark for the cluster type
- Skip control plane checks for managed clusters
- Show provider-specific security recommendations

Detection uses node labels, pod names, and provider IDs.

Signed-off-by: Dave Altena <dave@altena.io>
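
Added example (editor's illustration, not the agent's detection code): how the three signals named in the commit, node labels, kube-system pod names and provider IDs, can be folded into a provider, platform, control-plane type and version. The label keys, providerID schemes and kubelet version suffixes used here are the ones commonly seen on those distros and are assumptions to verify against real nodes; the sample nodes are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Node carries the three signals the detection uses: metadata.labels,
// spec.providerID and status.nodeInfo.kubeletVersion.
type Node struct {
	Name           string
	Labels         map[string]string
	ProviderID     string
	KubeletVersion string
}

type ClusterInfo struct {
	Provider     string // eks, aks, gke, openshift, k3s or unknown
	Platform     string // aws, azure, gcp or unknown
	ControlPlane string // managed or self-hosted
	Version      string // Kubernetes version with the distro build suffix stripped
}

// providerLabels maps a node label key to the distro that stamps it.
// Assumption: these are the well-known keys; check them against your nodes.
var providerLabels = []struct{ key, provider string }{
	{"eks.amazonaws.com/nodegroup", "eks"},
	{"kubernetes.azure.com/cluster", "aks"},
	{"cloud.google.com/gke-nodepool", "gke"},
	{"node.openshift.io/os_id", "openshift"},
}

var versionRe = regexp.MustCompile(`^v?(\d+\.\d+\.\d+)`)

func detectProvider(n Node) string {
	for _, pl := range providerLabels {
		if _, ok := n.Labels[pl.key]; ok {
			return pl.provider
		}
	}
	// Fall back to the providerID scheme and the distro suffix on the kubelet version.
	switch {
	case strings.HasPrefix(n.ProviderID, "k3s://"), strings.Contains(n.KubeletVersion, "+k3s"):
		return "k3s"
	case strings.Contains(n.KubeletVersion, "-eks-"):
		return "eks"
	case strings.Contains(n.KubeletVersion, "-gke."):
		return "gke"
	}
	return "unknown"
}

// detectPlatform reads the cloud from the providerID scheme, e.g. aws:///zone/i-123.
func detectPlatform(n Node) string {
	scheme, _, found := strings.Cut(n.ProviderID, "://")
	if !found {
		return "unknown"
	}
	switch scheme {
	case "aws":
		return "aws"
	case "azure":
		return "azure"
	case "gce":
		return "gcp"
	}
	return "unknown"
}

// DetectCluster folds per-node signals into one ClusterInfo. kubeSystemPods are
// pod names from kube-system: a kube-apiserver pod there means the control plane
// runs inside the cluster, which managed offerings never expose.
func DetectCluster(nodes []Node, kubeSystemPods []string) ClusterInfo {
	info := ClusterInfo{Provider: "unknown", Platform: "unknown"}
	for _, n := range nodes {
		if info.Provider == "unknown" {
			info.Provider = detectProvider(n)
		}
		if info.Platform == "unknown" {
			info.Platform = detectPlatform(n)
		}
		if m := versionRe.FindStringSubmatch(n.KubeletVersion); info.Version == "" && m != nil {
			info.Version = m[1]
		}
	}
	apiServerPod := false
	for _, p := range kubeSystemPods {
		apiServerPod = apiServerPod || strings.HasPrefix(p, "kube-apiserver")
	}
	switch {
	case apiServerPod:
		info.ControlPlane = "self-hosted"
	case info.Provider == "eks", info.Provider == "aks", info.Provider == "gke":
		info.ControlPlane = "managed"
	default:
		info.ControlPlane = "self-hosted" // k3s, OpenShift, kubeadm, unknown: assume the operator runs it
	}
	return info
}

// Constructed samples (not real cluster data).
func SampleEKSNodes() []Node {
	return []Node{{Name: "ip-10-0-1-23.ec2.internal",
		Labels:         map[string]string{"eks.amazonaws.com/nodegroup": "default"},
		ProviderID:     "aws:///us-east-1a/i-0123456789abcdef0",
		KubeletVersion: "v1.29.3-eks-ae9a62a"}}
}

func SampleK3sNodes() []Node {
	return []Node{{Name: "node1", ProviderID: "k3s://node1", KubeletVersion: "v1.29.2+k3s1"}}
}

func main() {
	fmt.Printf("%+v\n", DetectCluster(SampleEKSNodes(), []string{"coredns-5d78c9869d-x2k4p", "aws-node-7gq9z"}))
	fmt.Printf("%+v\n", DetectCluster(SampleK3sNodes(), []string{"coredns-6799fbcd5-9hq7m"}))
}
```

Unknown resolves to self-hosted on purpose: a scanner that cannot identify the distro should run the control-plane CIS checks rather than silently skip them.
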

Secrets metadata collection removed as it poses unnecessary risk.
The agent still collects ServiceAccounts, Namespaces, Nodes, and
ClusterInfo for risk analysis.

Signed-off-by: Dave Altena <dave@altena.io>

- Add Gateway API route detection for exposure analysis (HTTPRoute, GRPCRoute, TCPRoute, TLSRoute)
- Add network policy status tracking per workload
- Remove unused scanner implementations (secrets, rbac, infra, benchmark, compliance)
- Remove unused delete.go (report deletion functions never called)
- Replace duplicate contains() helpers with slices.Contains()
- Bump version to 0.2.0

Signed-off-by: Dave Altena <dave@altena.io>
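
Added example (editor's illustration, not the agent's code) for the has_network_policy status the PR summary and the last commit describe. Whether a workload is covered comes down to label selector semantics: a NetworkPolicy only ever applies within its own namespace, its podSelector is tested against the pod template labels, matchLabels and matchExpressions must both hold, and an empty podSelector selects every pod (the namespace-wide default-deny case). Per direction coverage matters too, since a policy with policyTypes [Egress] leaves ingress wide open. The types are simplified stand-ins for the Kubernetes API structs and the policies and workloads are constructed; slices.Contains is the standard-library helper the PR itself switched to.

```go
package main

import (
	"fmt"
	"slices"
)

// Requirement mirrors metav1.LabelSelectorRequirement.
type Requirement struct {
	Key, Operator string // In, NotIn, Exists or DoesNotExist
	Values        []string
}

// Selector mirrors metav1.LabelSelector: every matchLabels entry and every
// matchExpressions entry must hold. An empty Selector matches every pod.
type Selector struct {
	MatchLabels      map[string]string
	MatchExpressions []Requirement
}

type NetworkPolicy struct {
	Namespace, Name string
	PodSelector     Selector
	PolicyTypes     []string // Ingress and/or Egress
}

// Workload is a controller reduced to the labels its pod template carries.
type Workload struct {
	Namespace, Name string
	PodLabels       map[string]string
}

type NetworkPolicyStatus struct {
	HasNetworkPolicy bool
	Ingress, Egress  bool     // a matching policy covers that direction
	Policies         []string // names of the policies selecting this workload
}

// Matches implements label selector semantics over a pod's labels.
func (s Selector) Matches(labels map[string]string) bool {
	for k, v := range s.MatchLabels {
		if got, ok := labels[k]; !ok || got != v {
			return false
		}
	}
	for _, r := range s.MatchExpressions {
		got, present := labels[r.Key]
		switch r.Operator {
		case "In":
			if !present || !slices.Contains(r.Values, got) {
				return false
			}
		case "NotIn":
			if present && slices.Contains(r.Values, got) {
				return false
			}
		case "Exists":
			if !present {
				return false
			}
		case "DoesNotExist":
			if present {
				return false
			}
		default:
			return false // unknown operator: do not claim coverage we cannot verify
		}
	}
	return true
}

// StatusFor reports whether any NetworkPolicy in the workload's namespace
// selects its pods, and in which directions. Policies never cross namespaces.
func StatusFor(w Workload, policies []NetworkPolicy) NetworkPolicyStatus {
	var st NetworkPolicyStatus
	for _, p := range policies {
		if p.Namespace != w.Namespace || !p.PodSelector.Matches(w.PodLabels) {
			continue
		}
		st.HasNetworkPolicy = true
		st.Policies = append(st.Policies, p.Name)
		types := p.PolicyTypes
		if len(types) == 0 {
			types = []string{"Ingress"} // API default when policyTypes is omitted and no egress rules exist
		}
		st.Ingress = st.Ingress || slices.Contains(types, "Ingress")
		st.Egress = st.Egress || slices.Contains(types, "Egress")
	}
	return st
}

// Constructed sample (not real cluster data): a default-deny in shop and two
// narrower policies in payments.
func SamplePolicies() []NetworkPolicy {
	return []NetworkPolicy{
		{Namespace: "shop", Name: "default-deny", PolicyTypes: []string{"Ingress", "Egress"}}, // empty podSelector
		{Namespace: "payments", Name: "api-only", PolicyTypes: []string{"Ingress"},
			PodSelector: Selector{MatchLabels: map[string]string{"app": "api"}}},
		{Namespace: "payments", Name: "no-batch-egress", PolicyTypes: []string{"Egress"},
			PodSelector: Selector{MatchExpressions: []Requirement{{Key: "tier", Operator: "NotIn", Values: []string{"batch"}}}}},
	}
}

func SampleWorkloads() []Workload {
	return []Workload{
		{Namespace: "shop", Name: "checkout", PodLabels: map[string]string{"app": "checkout"}},
		{Namespace: "payments", Name: "api", PodLabels: map[string]string{"app": "api", "tier": "web"}},
		{Namespace: "payments", Name: "cron", PodLabels: map[string]string{"app": "cron"}}, // no tier label
		{Namespace: "payments", Name: "worker", PodLabels: map[string]string{"app": "worker", "tier": "batch"}},
	}
}

func main() {
	for _, w := range SampleWorkloads() {
		st := StatusFor(w, SamplePolicies())
		fmt.Printf("%s/%s has_network_policy=%t ingress=%t egress=%t policies=%v\n",
			w.Namespace, w.Name, st.HasNetworkPolicy, st.Ingress, st.Egress, st.Policies)
	}
}
```

The cron workload is the case a single boolean hides: it is selected by an egress-only policy, so has_network_policy is true while its ingress remains unrestricted. Reporting the direction alongside the flag keeps that visible.
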
@davealtena davealtena merged commit 907119f into main Jan 30, 2026
2 checks passed
@davealtena davealtena deleted the feature/extended-cluster-data branch January 30, 2026 20:50
