package basic
import (
"sync"
"github.com/open-kingfisher/king-inspect/check"
"golang.org/x/sync/errgroup"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// init registers the default-namespace check with the check registry at
// package load time so the inspector can discover it by name.
func init() {
	check.Register(new(defaultNamespaceCheck))
}
// defaultNamespaceCheck flags workload and configuration objects that were
// created in the "default" namespace. It carries no state of its own; all
// per-run state lives in the alert that Run builds.
type defaultNamespaceCheck struct{}
// alert accumulates the diagnostics produced by the individual resource
// checks, which Run executes concurrently.
type alert struct {
	// diagnostics holds the warnings gathered so far. warn appends to it
	// under mu; GetDiagnostics and SetDiagnostics do not take mu, so they are
	// only safe to call once the concurrent checks have finished.
	diagnostics []check.Diagnostic
	// mu serializes appends to diagnostics from concurrent checks.
	mu sync.Mutex
}
// GetDiagnostics returns the diagnostics collected so far. It does not take
// the mutex, so callers must ensure no warn call is in flight (Run only
// calls it after the error group has been waited on).
func (a *alert) GetDiagnostics() []check.Diagnostic {
	collected := a.diagnostics
	return collected
}
// SetDiagnostics replaces the collected diagnostics with d. Like
// GetDiagnostics it is unsynchronized and must not race with warn.
func (a *alert) SetDiagnostics(d []check.Diagnostic) {
	a.diagnostics = d
}
// warn records a Warning diagnostic for the object described by itemMeta,
// which a check found in the default namespace.
//
// k8stype is the kind of the offending object and labels the diagnostic.
// itemMeta is received by value; the diagnostic stores a pointer to this
// local copy, so the caller's metadata is never aliased.
// The append is serialized with a.mu because Run calls warn from several
// goroutines at once.
func (a *alert) warn(k8stype check.Kind, itemMeta metav1.ObjectMeta) {
	// Message[107] is presumably the default-namespace warning text; the
	// wording lives in the check package's message table — confirm there.
	diag := check.Diagnostic{
		Severity: check.Warning,
		Message:  check.Message[107],
		Kind:     k8stype,
		Object:   &itemMeta,
		Owners:   itemMeta.GetOwnerReferences(),
	}

	a.mu.Lock()
	defer a.mu.Unlock()
	a.diagnostics = append(a.diagnostics, diag)
}
// Name returns the unique identifier of this check.
func (nc *defaultNamespaceCheck) Name() string {
	const checkName = "default-namespace"
	return checkName
}
// Groups returns the names of the check groups this check belongs to.
func (nc *defaultNamespaceCheck) Groups() []string {
	groups := make([]string, 0, 1)
	groups = append(groups, "basic")
	return groups
}
// Description returns the user-facing description of this check. The text
// is displayed as-is, so it is kept in its original language.
func (nc *defaultNamespaceCheck) Description() string {
	const desc = "检查是否有用户在缺省名称空间中创建了k8s对象"
	return desc
}
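// checkPods warns for every pod that lives in the default namespace.
//
// items is the pod list gathered for the cluster. A nil list is treated as
// empty instead of being dereferenced, so a resource the collector could not
// fetch does not panic inside one of Run's goroutines and take the process
// down. alert receives one warning per offending pod.
func (nc *defaultNamespaceCheck) checkPods(items *corev1.PodList, alert *alert) {
	if items == nil {
		return
	}
	// Index rather than range-by-value: each Pod is a large struct and the
	// copy is not needed.
	for i := range items.Items {
		item := &items.Items[i]
		if item.GetNamespace() == corev1.NamespaceDefault {
			alert.warn(check.Pod, item.ObjectMeta)
		}
	}
}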
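// checkPodTemplates warns for every pod template that lives in the default
// namespace.
//
// items is the pod template list gathered for the cluster. A nil list is
// treated as empty instead of being dereferenced, so a resource the
// collector could not fetch does not panic inside one of Run's goroutines.
// alert receives one warning per offending template.
func (nc *defaultNamespaceCheck) checkPodTemplates(items *corev1.PodTemplateList, alert *alert) {
	if items == nil {
		return
	}
	// Index rather than range-by-value to avoid copying each element.
	for i := range items.Items {
		item := &items.Items[i]
		if item.GetNamespace() == corev1.NamespaceDefault {
			alert.warn(check.PodTemplate, item.ObjectMeta)
		}
	}
}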
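// checkPVCs warns for every persistent volume claim that lives in the
// default namespace.
//
// items is the PVC list gathered for the cluster. A nil list is treated as
// empty instead of being dereferenced, so a resource the collector could not
// fetch does not panic inside one of Run's goroutines. alert receives one
// warning per offending claim.
func (nc *defaultNamespaceCheck) checkPVCs(items *corev1.PersistentVolumeClaimList, alert *alert) {
	if items == nil {
		return
	}
	// Index rather than range-by-value to avoid copying each element.
	for i := range items.Items {
		item := &items.Items[i]
		if item.GetNamespace() == corev1.NamespaceDefault {
			alert.warn(check.PersistentVolumeClaim, item.ObjectMeta)
		}
	}
}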
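// checkConfigMaps warns for every config map that lives in the default
// namespace.
//
// items is the config map list gathered for the cluster. A nil list is
// treated as empty instead of being dereferenced, so a resource the
// collector could not fetch does not panic inside one of Run's goroutines.
// alert receives one warning per offending config map.
func (nc *defaultNamespaceCheck) checkConfigMaps(items *corev1.ConfigMapList, alert *alert) {
	if items == nil {
		return
	}
	// Index rather than range-by-value to avoid copying each element.
	for i := range items.Items {
		item := &items.Items[i]
		if item.GetNamespace() == corev1.NamespaceDefault {
			alert.warn(check.ConfigMap, item.ObjectMeta)
		}
	}
}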
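// checkervices warns for every user-created service that lives in the
// default namespace. (The name is missing an "S"; it is kept because Run
// calls it by this name.)
//
// The API server's own "kubernetes" Service always exists in the default
// namespace and is not user-created, so it is skipped by name. items is the
// service list gathered for the cluster; a nil list is treated as empty
// instead of being dereferenced, so a resource the collector could not fetch
// does not panic inside one of Run's goroutines. alert receives one warning
// per offending service.
func (nc *defaultNamespaceCheck) checkervices(items *corev1.ServiceList, alert *alert) {
	if items == nil {
		return
	}
	// Index rather than range-by-value to avoid copying each element.
	for i := range items.Items {
		item := &items.Items[i]
		if item.GetNamespace() != corev1.NamespaceDefault {
			continue
		}
		if item.GetName() == "kubernetes" {
			continue
		}
		alert.warn(check.Service, item.ObjectMeta)
	}
}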
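// checkecrets warns for every user-created secret that lives in the default
// namespace. (The name is missing an "S"; it is kept because Run calls it by
// this name.)
//
// Secrets of type SecretTypeServiceAccountToken are skipped: they are
// managed by the control plane on behalf of service accounts rather than
// created by users. Every other secret type in the default namespace is
// reported, which matters because the default namespace is where
// misplaced credentials most often end up. items is the secret list
// gathered for the cluster; a nil list is treated as empty instead of being
// dereferenced, so a resource the collector could not fetch does not panic
// inside one of Run's goroutines. alert receives one warning per offending
// secret.
func (nc *defaultNamespaceCheck) checkecrets(items *corev1.SecretList, alert *alert) {
	if items == nil {
		return
	}
	// Index rather than range-by-value to avoid copying each element.
	for i := range items.Items {
		item := &items.Items[i]
		if item.GetNamespace() != corev1.NamespaceDefault {
			continue
		}
		if item.Type == corev1.SecretTypeServiceAccountToken {
			continue
		}
		alert.warn(check.Secret, item.ObjectMeta)
	}
}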
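// checkA warns for every user-created service account that lives in the
// default namespace. (The name is truncated; it is kept because Run calls
// it by this name.)
//
// The "default" service account is created automatically in every
// namespace and is skipped by name. items is the service account list
// gathered for the cluster; a nil list is treated as empty instead of being
// dereferenced, so a resource the collector could not fetch does not panic
// inside one of Run's goroutines. alert receives one warning per offending
// service account.
func (nc *defaultNamespaceCheck) checkA(items *corev1.ServiceAccountList, alert *alert) {
	if items == nil {
		return
	}
	// Index rather than range-by-value to avoid copying each element.
	for i := range items.Items {
		item := &items.Items[i]
		if item.GetNamespace() != corev1.NamespaceDefault {
			continue
		}
		if item.GetName() == "default" {
			continue
		}
		alert.warn(check.ServiceAccount, item.ObjectMeta)
	}
}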
// Run executes every resource check against objects concurrently and returns
// the merged diagnostics together with a summary.
//
// objects holds the cluster snapshot gathered by the collector. Each check
// runs in its own errgroup goroutine and writes into one shared alert, whose
// mutex serializes the appends. None of the checks returns an error, so the
// error from Wait is always nil today; it is still propagated so that a
// future failing check surfaces. The summary counts every diagnostic as both
// an issue and a warning, since this check only emits Warning severity.
func (nc *defaultNamespaceCheck) Run(objects *check.Objects) ([]check.Diagnostic, check.Summary, error) {
	a := &alert{}

	// Each entry inspects one resource kind; they share no state except a.
	inspectors := []func(){
		func() { nc.checkPods(objects.Pods, a) },
		func() { nc.checkPodTemplates(objects.PodTemplates, a) },
		func() { nc.checkPVCs(objects.PersistentVolumeClaims, a) },
		func() { nc.checkConfigMaps(objects.ConfigMaps, a) },
		func() { nc.checkervices(objects.Services, a) },
		func() { nc.checkecrets(objects.Secrets, a) },
		func() { nc.checkA(objects.ServiceAccounts, a) },
	}

	var g errgroup.Group
	for _, inspect := range inspectors {
		inspect := inspect // per-iteration copy for Go versions before 1.22
		g.Go(func() error {
			inspect()
			return nil
		})
	}
	err := g.Wait()

	// GetDiagnostics is unsynchronized; reading it here is safe only because
	// Wait has returned and no warn call can still be running.
	diagnostics := a.GetDiagnostics()
	total := len(diagnostics)
	summary := check.Summary{
		Total:   total,
		Issue:   total,
		Warning: total,
	}
	return diagnostics, summary, err
}