/
builder.go
76 lines (65 loc) · 2.32 KB
/
builder.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
package kubebench
import (
"fmt"
"github.com/kube-security-manager/kube-security-manager/pkg/apis/aquasecurity/v1alpha1"
"github.com/kube-security-manager/kube-security-manager/pkg/kube"
"github.com/kube-security-manager/kube-security-manager/pkg/starboard"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/utils/pointer"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
)
func NewBuilder(scheme *runtime.Scheme) *Builder {
return &Builder{
scheme: scheme,
}
}
type Builder struct {
scheme *runtime.Scheme
controller metav1.Object
data v1alpha1.CISKubeBenchReportData
}
func (b *Builder) Controller(controller metav1.Object) *Builder {
b.controller = controller
return b
}
func (b *Builder) Data(data v1alpha1.CISKubeBenchReportData) *Builder {
b.data = data
return b
}
func (b *Builder) reportName() string {
return b.controller.GetName()
}
func (b *Builder) Get() (v1alpha1.CISKubeBenchReport, error) {
kind, err := kube.KindForObject(b.controller, b.scheme)
if err != nil {
return v1alpha1.CISKubeBenchReport{}, fmt.Errorf("getting kind for object: %w", err)
}
labels := map[string]string{
starboard.LabelResourceKind: kind,
starboard.LabelResourceName: b.controller.GetName(),
}
reportName := b.reportName()
report := v1alpha1.CISKubeBenchReport{
ObjectMeta: metav1.ObjectMeta{
Name: reportName,
Namespace: b.controller.GetNamespace(),
Labels: labels,
},
Report: b.data,
}
err = controllerutil.SetControllerReference(b.controller, &report, b.scheme)
if err != nil {
return v1alpha1.CISKubeBenchReport{}, fmt.Errorf("setting controller reference: %w", err)
}
// The OwnerReferencesPermissionsEnforcement admission controller protects the
// access to metadata.ownerReferences[x].blockOwnerDeletion of an object, so
// that only users with "update" permission to the finalizers subresource of the
// referenced owner can change it.
// We set metadata.ownerReferences[x].blockOwnerDeletion to false so that
// additional RBAC permissions are not required when the OwnerReferencesPermissionsEnforcement
// is enabled.
// See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
report.OwnerReferences[0].BlockOwnerDeletion = pointer.BoolPtr(false)
return report, nil
}