Audit default resource gathering

[timothysc]

Describe the solution you'd like
There are additional api-resources that could be gathered

$ kubectl api-resources
NAME                              SHORTNAMES   APIGROUP                       NAMESPACED   KIND
bindings                                                                      true         Binding
componentstatuses                 cs                                          false        ComponentStatus
configmaps                        cm                                          true         ConfigMap
endpoints                         ep                                          true         Endpoints
events                            ev                                          true         Event
limitranges                       limits                                      true         LimitRange
namespaces                        ns                                          false        Namespace
nodes                             no                                          false        Node
persistentvolumeclaims            pvc                                         true         PersistentVolumeClaim
persistentvolumes                 pv                                          false        PersistentVolume
pods                              po                                          true         Pod
podtemplates                                                                  true         PodTemplate
replicationcontrollers            rc                                          true         ReplicationController
resourcequotas                    quota                                       true         ResourceQuota
secrets                                                                       true         Secret
serviceaccounts                   sa                                          true         ServiceAccount
services                          svc                                         true         Service
mutatingwebhookconfigurations                  admissionregistration.k8s.io   false        MutatingWebhookConfiguration
validatingwebhookconfigurations                admissionregistration.k8s.io   false        ValidatingWebhookConfiguration
customresourcedefinitions         crd,crds     apiextensions.k8s.io           false        CustomResourceDefinition
apiservices                                    apiregistration.k8s.io         false        APIService
controllerrevisions                            apps                           true         ControllerRevision
daemonsets                        ds           apps                           true         DaemonSet
deployments                       deploy       apps                           true         Deployment
replicasets                       rs           apps                           true         ReplicaSet
statefulsets                      sts          apps                           true         StatefulSet
tokenreviews                                   authentication.k8s.io          false        TokenReview
localsubjectaccessreviews                      authorization.k8s.io           true         LocalSubjectAccessReview
selfsubjectaccessreviews                       authorization.k8s.io           false        SelfSubjectAccessReview
selfsubjectrulesreviews                        authorization.k8s.io           false        SelfSubjectRulesReview
subjectaccessreviews                           authorization.k8s.io           false        SubjectAccessReview
horizontalpodautoscalers          hpa          autoscaling                    true         HorizontalPodAutoscaler
cronjobs                          cj           batch                          true         CronJob
jobs                                           batch                          true         Job
certificatesigningrequests        csr          certificates.k8s.io            false        CertificateSigningRequest
bgpconfigurations                              crd.projectcalico.org          false        BGPConfiguration
bgppeers                                       crd.projectcalico.org          false        BGPPeer
clusterinformations                            crd.projectcalico.org          false        ClusterInformation
felixconfigurations                            crd.projectcalico.org          false        FelixConfiguration
globalnetworkpolicies                          crd.projectcalico.org          false        GlobalNetworkPolicy
globalnetworksets                              crd.projectcalico.org          false        GlobalNetworkSet
hostendpoints                                  crd.projectcalico.org          false        HostEndpoint
ippools                                        crd.projectcalico.org          false        IPPool
networkpolicies                                crd.projectcalico.org          true         NetworkPolicy
events                            ev           events.k8s.io                  true         Event
daemonsets                        ds           extensions                     true         DaemonSet
deployments                       deploy       extensions                     true         Deployment
ingresses                         ing          extensions                     true         Ingress
networkpolicies                   netpol       extensions                     true         NetworkPolicy
podsecuritypolicies               psp          extensions                     false        PodSecurityPolicy
replicasets                       rs           extensions                     true         ReplicaSet
networkpolicies                   netpol       networking.k8s.io              true         NetworkPolicy
poddisruptionbudgets              pdb          policy                         true         PodDisruptionBudget
podsecuritypolicies               psp          policy                         false        PodSecurityPolicy
clusterrolebindings                            rbac.authorization.k8s.io      false        ClusterRoleBinding
clusterroles                                   rbac.authorization.k8s.io      false        ClusterRole
rolebindings                                   rbac.authorization.k8s.io      true         RoleBinding
roles                                          rbac.authorization.k8s.io      true         Role
priorityclasses                   pc           scheduling.k8s.io              false        PriorityClass
storageclasses                    sc           storage.k8s.io                 false        StorageClass
volumeattachments                              storage.k8s.io                 false        VolumeAttachment

Environment:

• Sonobuoy version: 0.11.3+

[timothysc]

This also includes updating the default list, I'm currently making a patch for v0.11.4 that isn't very clean that requires cleaning.

[stevesloka]

Hey @timothysc could you add some information about this? Not sure the work items.

[johnSchnake]

So I actually have a poc working locally (very WIP) that updates the namespace queries to use the dynamic client.

There seem to be some things that aren't walked so easily in the dynamic client, like pod logs, server groups, etc. Those things still seem to need to be a one-off for each of them which, frustratingly, removes some of the value of moving to the dynamic client.

However, a question for @timothysc and the larger community if anyone wants to chime in: in my POC it gathers everything it can via the dynamic client and that ends up also including secrets. Do we consider that a problem? It is no secret (pun intended) that k8s secrets aren't by default secure, but I dont know if we'll have people yelling about adding them now. IMO it should just be a wakeup call that they shouldn't be using them perhaps.

In my POC it still allows users to choose explicitly the items to collect so they can avoid those if they want, but it is an extra step.

[johnSchnake]

POC is actually working now for all the items; leveraging the existing code for:

• node data (healthz/configz)
• pod logs
• servergroups
• server version

Other than that all the NS and cluster resources get listed using the dynamic client.

The only drawback to this is that it is, in the POC form, much more time consuming. Queries take about 45s right now because we are running ~250 queries and each (with the dynamic client) takes around 200ms. This is about 3-4x slower than using the typed clients.

The dynamic client could make it much easier though to query things more in bulk and reduce the number of queries significantly, i.e. I could query all the jobs and then split them up when saving them. That could reduce the time by 7x unless the list time goes up linearly with the number of objects.

[johnSchnake]

Considering how much stuff we could be leaving on the table by not querying those items, I think it is worth it to add them and use the dynamic client. As long as we give the users a way to cut them out/down I think its fine.

[johnSchnake]

Random thought on this but even though it is fun to remove code (we could remove lots of the typed query stuff), it may be worth having a more complicated code if the performance is 3-4x faster.

We could just combine the two approaches to use the typed client on the existing/more stable API objects, and just use the dynamic for some of the less common/newer items.

At some point, I'll have to check what the overall performance is in that situation.

[johnSchnake]

Was so much slower (~200ms per query, even when there wasn't any responses) but that may be a result of some rate limiting on the client side. Need to look into the field "eventRecordQPS": 5; 5/s would explain the ~200ms timing.

If we could use the dynamic client for everything then it'd get all the benefit and not the slowdown. If we need to use both then we can get the benefits but pay in the complexity of using both types of queries.