Merge branch 'master' of github.com:kubescape/regolibrary into dev

kubescape · Apr 23, 2023 · 64eb6b7 · 64eb6b7
2 parents 7445186 + b9e8f89
commit 64eb6b7
Show file tree

Hide file tree

Showing 61 changed files with 14,352 additions and 16,273 deletions.
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,33 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: 'bug'
+assignees: ''
+
+---
+
+# Description
+<!-- A clear and concise description of what the bug is. -->
+
+# Environment
+OS: ` ` <!-- the OS + version you’re running Kubescape on, e.g Ubuntu 22.04 LTS  -->
+Version: ` ` <!-- the version that Kubescape reports when you run `kubescape version`  -->
+
+# Steps To Reproduce
+<!--
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+-->
+
+# Expected behavior
+<!-- A clear and concise description of what you expected to happen. -->
+
+# Actual Behavior
+<!-- A clear and concise description of what happened. If applicable, add screenshots to help explain your  problem. -->
+
+# Additional context
+<!-- Add any other context about the problem here. -->
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,24 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: 'feature'
+assignees: ''
+
+---
+
+## Overview
+<!-- A brief overview of the related current state -->
+
+## Problem
+<!-- A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] -->
+
+## Solution
+<!-- A clear and concise description of what you want to happen. -->
+
+## Alternatives
+<!-- A clear and concise description of any alternative solutions or features you've considered. -->
+
+## Additional context
+<!-- Add any other context or screenshots about the feature request here. -->
+
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,44 @@
+## Overview
+<!-- Please provide a brief overview of the changes made in this pull request. e.g. current behavior/future behavior -->
+
+<!-- 
+## Additional Information
+
+> Any additional information that may be useful for reviewers to know 
+-->
+
+<!--
+## How to Test
+
+> Please provide instructions on how to test the changes made in this pull request
+-->
+
+<!--
+## Examples/Screenshots
+
+> Here you add related screenshots 
+-->
+
+<!-- 
+## Related issues/PRs:
+
+Here you add related issues and PRs.
+If this resolved an issue, write "Resolved #<issue number>
+
+e.g. If this PR resolves issues 1 and 2, it should look as follows:
+* Resolved #1
+* Resolved #2
+-->
+
+<!--
+## Checklist before requesting a review
+
+put an [x] in the box to get it checked 
+
+- [ ] My code follows the style guidelines of this project
+- [ ] I have commented on my code, particularly in hard-to-understand areas
+- [ ] I have performed a self-review of my code
+- [ ] If it is a core feature, I have added thorough tests.
+- [ ] New and existing unit tests pass locally with my changes
+
+--> 
diff --git a/.github/workflows/export-dev.yaml b/.github/workflows/export-dev.yaml
@@ -7,25 +7,30 @@ jobs:
     name: Build, Test, Create And Generate releaseDev
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e
-      - name: Set up Go
-        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
-        with:
-          go-version: 1.19
-      - name: Test Regoes
-        working-directory: testrunner
-        run: |
-          apt update && apt install -y cmake
-          GOPATH=$(go env GOPATH) make
-      - name: Run export script
-        run: |
-          OUTPUT=pre-release python ./scripts/export.py
-          rm -r releaseDev
-          cp -R pre-release releaseDev
-      - name: stage changed files
-        run: git add .
-      - name: Commit & Push changes
-        uses: Andro999b/push@c77535fe7a94645f7ceca83e48e6cc977620710e
-        with:
-          branch: dev
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+    - uses: actions/checkout@v1
+
+    - name: Set up Go
+      uses: actions/setup-go@v2
+      with: 
+        go-version: 1.19
+
+    - name: Test Regoes
+      working-directory: testrunner
+      run: |
+        apt update && apt install -y cmake
+        GOPATH=$(go env GOPATH) make
+
+    
+    - name: Run export script
+      run: | 
+        OUTPUT=pre-release python ./scripts/export.py
+        rm -r releaseDev
+        cp -R pre-release releaseDev
+    - name: stage changed files
+      run: git add .
+
+    - name: Commit & Push changes
+      uses: Andro999b/push@v1.3
+      with:
+        branch: dev
+        github_token: ${{ secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/export.yaml b/.github/workflows/export.yaml
@@ -26,35 +26,19 @@ jobs:
         uses: actions/setup-python@75f3110429a8c05be0e1bf360334e4cced2b63fa
         with:
           python-version: 3.10.6
-      # - name: Setup OPA binaries
-      #   uses: open-policy-agent/setup-opa@v2
-      #   with:
-      #     version: v0.44.0
 
-      # - name: Build OPA bundles
-      #   run: |
-      #     mkdir -p release
-      #     pip install requests pyyaml
-      #     python ./scripts/bundle.py . -o ./release --removed-out release/removed.json --edit-readme
-
-      # - name: Test OPA bundle
-      #   working-directory: testrunner
-      #   env:
-      #     BUNDLE: ../release/kubescape_regolibrary_bundle.tar.gz
-      #     SKIPPED_RULES: ../release/removed.json
-      #   run: |
-      #     go test -v -tags="static" . -run TestRegoBundles
-      #     rm ${SKIPPED_RULES}
       - name: Create Metadata Release Files
         run: |
           python ./scripts/export.py
+
       # The next step kept here for only backward competability.
       # Release files should have extensions!
       - name: Strip Metadata Files Extensions (to be removed)
         run: |
           cd release
           find -type f -name '*.json' | while read f; do mv "$f" "${f%.json}"; done
           find -type f -name '*.csv' | while read f; do mv "$f" "${f%.csv}"; done
+
       - name: Create Release
         id: create_release
         uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e
@@ -73,6 +57,10 @@ jobs:
         with:
           release_id: ${{ steps.create_release.outputs.id }}
           assets_path: release
+
+      - run: git status # show modified files
+      - run: git diff # show diff in files
+
       - name: Update readme
         uses: Andro999b/push@c77535fe7a94645f7ceca83e48e6cc977620710e
         with:

diff --git a/.github/workflows/pr-tests.yaml b/.github/workflows/pr-tests.yaml
@@ -1,31 +1,61 @@
 name: pr-tests
 on:
+  push:
+    branches: [ master, main ]
   pull_request:
-    branches: [dev, master]
-    types: [opened]
-    paths-ignore:
-      # Do not run the pipeline if only Markdown files changed
-      - '**.yaml'
-      - '**.md'
+    # run for every chnage in the PR
+    types: [ opened, synchronize, reopened ]
+    # Do not run the pipeline if only Markdown files changed
+    paths-ignore: ['**.md']
 jobs:
-  build:
+  # testing link checks
+  markdown-link-check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+      - name: Check links
+        uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368
+        with:
+          use-verbose-mode: 'yes'
+
+  # testing rego library
+  test_rego:
+    name: Test Regos
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e
       - name: Set up Go
-        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
         with:
           go-version: 1.19
-      - name: golangci-lint
-        continue-on-error: true
-        uses: golangci/golangci-lint-action@08e2f20817b15149a52b5b3ebe7de50aff2ba8c5
-        with:
-          version: latest
-          args: --timeout 10m ./...
-          only-new-issues: true
-      - name: Test
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: go test -v -race ./...
-      - name: Build
-        run: go build -v github.com/kubescape/regolibrary/gitregostore/...
+      - name: Test Regoes
+        working-directory: testrunner
+        run: |-
+          apt update && apt install -y cmake
+          GOPATH=$(go env GOPATH) make
+
+  # main job of testing and building the env. 
+  test_pr_checks:
+    permissions:
+      pull-requests: write
+    uses: kubescape/workflows/.github/workflows/go-basic-tests.yaml@main
+    with:
+      GO_VERSION: 1.19
+      BUILD_PATH: github.com/kubescape/regolibrary/gitregostore/...
+    secrets: inherit
+
+  # build and e2e tests
+  binary_build_and_e2e:
+    uses: kubescape/kubescape/.github/workflows/b-binary-build-and-e2e-tests.yaml@master
+    needs: [markdown-link-check, test_rego, test_pr_checks]
+    with:
+      COMPONENT_NAME: kubescape
+      CGO_ENABLED: 1
+      GO111MODULE: ""
+      GO_VERSION: "1.19"
+      RELEASE: ""
+      CLIENT: test
+      CHECKOUT_REPO: kubescape/kubescape
+      BUILD_AND_TEST_LOCAL_KUBESCAPE_CLI: false
+    secrets: inherit
+
diff --git a/.github/workflows/rego-tests.yaml b/.github/workflows/rego-tests.yaml
diff --git a/MITRE.md b/MITRE.md
diff --git a/README.md b/README.md
@@ -3,6 +3,7 @@
 [![release-date](https://img.shields.io/github/release-date/kubescape/regolibrary)](releases)
 <!-- markdown-link-check-enable-->
 [![GitHub](https://img.shields.io/github/license/kubescape/kubescape)](https://github.com/kubescape/kubescape/blob/master/LICENSE)
+<!-- markdown-link-check-enable-->
 
 # Kubescape Regolibrary
 

diff --git a/controls/C-0253-deprecated-k8s-registry.json b/controls/C-0253-deprecated-k8s-registry.json
@@ -0,0 +1,16 @@
+{
+    "name": "Deprecated Kubernetes image registry",
+    "attributes": {
+        "armoBuiltin": true
+    },
+    "description": "Kubernetes team has deprecated GCR (k8s.gcr.io) registry and recommends pulling Kubernetes components from the new registry (registry.k8s.io). This is mandatory from 1.27",
+    "remediation": "Change the images to be pulled from the new registry (registry.k8s.io).",
+    "rulesNames": [
+        "rule-identify-old-k8s-registry"
+    ],
+    "long_description": "Kubernetes team has deprecated GCR (k8s.gcr.io) registry and recommends pulling Kubernetes components from the new registry (registry.k8s.io). This is mandatory from 1.27",
+    "test": "Checking images in kube-system namespace, if the registry of the image is from the old registry we raise an alert.",
+    "controlID": "C-0253",
+    "baseScore": 5.0,
+    "example": "@controls/examples/c239.yaml"
+}
diff --git a/controls/examples/c001.yaml b/controls/examples/c001.yaml
@@ -5,5 +5,4 @@ metadata:
 spec:
   containers:
     - name: pause
-      image: k8s.gcr.io/pause # This is the line we check against the configured allowed registries 
-
+      image: k8s.gcr.io/pause # This is the line we check against the configured allowed registries