feat: add kubescape patch command

[anubhav06]

Overview

Add kubescape patch command

Additional Information

1. The kubescape patch command can be used to patch container images with vulnerabilities.
2. It uses copa and buildkit under the hood for patching the images, and grype as its engine for scanning the images (at the moment)
3. The detailed documentation for this command can be found here.

TODO

1. Replace anubhav06/copacetic with project-copacetic/copacetic, when the copa team accepts the kubescape and copa integration support PR.

Usage

sudo buildkitd & 
sudo kubescape patch --image <image-name>

The patch command can also be run without sudo privileges. Refer to the documentation here.

Examples/Screenshots

1. Run sudo buildkitd in a separate terminal

2. Run sudo kubescape patch --image docker.io/library/nginx:1.22:

cc @craigbox @dwertent

Related issues/PRs:

Resolved #1227

Checklist before requesting a review

put an [x] in the box to get it checked

• My code follows the style guidelines of this project
• I have commented on my code, particularly in hard-to-understand areas
• I have performed a self-review of my code
• If it is a core feature, I have added thorough tests.
• New and existing unit tests pass locally with my changes

[ghost]

👇 Click on the image for a new way to code review

Legend

[craigbox]

At the present, there's no assertion of levels of support in Kubescape. Everything just "is", in the most part.
I have proposed that we introduce feature gates (with the same syntax as the Kubernetes API server) in order to be able to only include Alpha or Labs-level features if someone enables a feature gate.

The alternative would be keeping it in a separate branch, which would require keeping it in sync, and making builds from it if we wanted anyone to actually use it.

/cc @rotemamsa

[anubhav06]

The former sounds better to me. So this will be merged later, when the feature gates have been introduced, right?

[dwertent]

@anubhav06 Please pull from the master branch and run the kubescape scan image command.
This might help you to understand how Kubescape scans images (and there is no reason to develop another "image scanning" mechanism in Kubescape).
Also, you will see the CLI output, it is essential we keep it aligned.

What do you think?

[anubhav06]

@dwertent I've updated the output to align with that of image scan command (screenshot in PR desc).
I've also removed the "image scanning" logic I'd added for results handling.
Please let me know if this is what's expected and if any other changes are required.

[Daniel-GrunbergerCA]

@anubhav06 This feature looks really cool and works smoothly! I'm very excited for this!

I have some general comments about the feature, which are mostly food for thought:

1. We should add the image name to the kubescape patch follow-up step (which is printed at the end)
2. Maybe we should add to the output some comparison between the old image and the new one, so it will become clear to the user the value he is getting from the patch command
3. Do we need to print the entire copa output? I think is best to have it in debug mode only
4. We shouldn't use the -r flag. We have the -f flag, where we can specify JSON output
5. Maybe the commands should be kubescape image scan and kubescape image patch

cc: @craigbox @dwertent

[anubhav06]

@Daniel-GrunbergerCA Thanks! To answer your questions:

2. Even I agree with that. I had done that only previously (screenshot here). But since, David said that the output should align with that of the image scan command, I removed that.
3. Alright. So I'll try to remove the output of copa to STDOUT and display it only when running with debug mode, and see how it looks. (Personally I believe that it looks good right now, the way it is, because by default the user can see what's happening: copa is building the image, installing the pkg and exporting to docker). But yes, I'll try to do it the way you said and let's see how it looks.

[Daniel-GrunbergerCA]

You can wait with that, let's see what @craigbox and @dwertent think

[dwertent]

2. @Daniel-GrunbergerCA I think it is a good suggestion, but still, I believe we should print only the latest state so we don't overwhelm the terminal. Also, this way we can have the same function for printing the image scan command and image patch command.
   As I'm writing this reply, I'm thinking we can print just the summary of the old image, but we can save this to the future.
3. Thenk you @anubhav06 . The reason Daniel asked to "hide" the logs is because it does not look good when using two different loggers when running a single command. I suggest we should use the spinner (form the kubescape logger repo) instead of printing the copa logs. I'm aware that we are less "verbose", but for now I think it's better :)

In general, thank you @anubhav06 for this PR!
Please merge the changes that have been pushed to the main so we will be able to properly test your PR before accepting it :)

[anubhav06]

changes: (updated screenshot in PR desc)

• By default, copa's output (logs) will not be shown.
  If a user wants to see copa's logs, run kubescape in debug mode ( --logger='debug')
• removed the --report flag as it was redundant & was not providing any real value
• moved normalize_image_name from opaprocessor pkg to cautils pkg
• removed the "try patching your image with..." text (for now)

[dwertent]

@YiscahLevySilas1 can this affect the controls that are using this function?

[YiscahLevySilas1]

I don't think it will affect them

[dwertent]

was this accidentally removed?
cc @Daniel-GrunbergerCA

[anubhav06]

No. Because with the new version of grype, the previous syntax is not supported.
Similarly, in the jsonprinter, the ValidatedConfig method has been removed (here)