Delete controllers package (#270)

* rename root fs check

* speed up docker build

* refactor webhook to be more generic

* delete controllers pkg

* revert deploy

* fix example config

* remove controllersToScan config

* fix lint error

* fix webhook name

* FileSystem -> Filesystem

* update deps

* skip node owners

* clean up meta tracking

Co-authored-by: Robert Brennan <[email protected]>

Dockerfile

@@ -3,13 +3,16 @@ WORKDIR /go/src/github.com/fairwindsops/polaris/
 
 ENV GO111MODULE=on
 ENV GOPROXY=https://proxy.golang.org
-
-COPY . .
-RUN go get -u github.com/gobuffalo/packr/v2/packr2
-
 ENV CGO_ENABLED=0
 ENV GOOS=linux
 ENV GOARCH=amd64
+
+COPY go.mod .
+COPY go.sum .
+RUN go mod download
+RUN go get -u github.com/gobuffalo/packr/v2/packr2
+
+COPY . .
 RUN packr2 build -a -o polaris *.go
 
 FROM alpine:3.10

cmd/polaris/webhook.go

@@ -15,21 +15,50 @@
 package cmd
 
 import (
- "fmt"
  "io/ioutil"
  "os"
  "strings"
 
  fwebhook "github.com/fairwindsops/polaris/pkg/webhook"
  "github.com/sirupsen/logrus"
  "github.com/spf13/cobra"
+ appsv1 "k8s.io/api/apps/v1"
+ appsv1beta1 "k8s.io/api/apps/v1beta1"
+ appsv1beta2 "k8s.io/api/apps/v1beta2"
+ batchv1 "k8s.io/api/batch/v1"
+ batchv1beta1 "k8s.io/api/batch/v1beta1"
+ batchv2alpha1 "k8s.io/api/batch/v2alpha1"
+ corev1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/runtime"
  apitypes "k8s.io/apimachinery/pkg/types"
  k8sConfig "sigs.k8s.io/controller-runtime/pkg/client/config"
  "sigs.k8s.io/controller-runtime/pkg/manager"
  "sigs.k8s.io/controller-runtime/pkg/runtime/signals"
  "sigs.k8s.io/controller-runtime/pkg/webhook"
 )
 
+var supportedVersions = map[string]runtime.Object{
+ "appsv1/Deployment": &appsv1.Deployment{},
+ "appsv1beta1/Deployment": &appsv1beta1.Deployment{},
+ "appsv1beta2/Deployment": &appsv1beta2.Deployment{},
+
+ "appsv1/StatefulSet": &appsv1.StatefulSet{},
+ "appsv1beta1/StatefulSet": &appsv1beta1.StatefulSet{},
+ "appsv1beta2/StatefulSet": &appsv1beta2.StatefulSet{},
+
+ "appsv1/DaemonSet": &appsv1.DaemonSet{},
+ "appsv1beta2/DaemonSet": &appsv1beta2.DaemonSet{},
+
+ "batchv1/Job": &batchv1.Job{},
+
+ "batchv1beta1/CronJob": &batchv1beta1.CronJob{},
+ "batchv2alpha1/CronJob": &batchv2alpha1.CronJob{},
+
+ "corev1/ReplicationController": &corev1.ReplicationController{},
+
+ "corev1/Pod": &corev1.Pod{},
+}
+
 var webhookPort int
 var disableWebhookConfigInstaller bool
 
@@ -102,14 +131,16 @@ var webhookCmd = &cobra.Command{
  // Should only register controllers that are configured to be scanned
  logrus.Debug("Registering webhooks to the webhook server")
  var webhooks []webhook.Webhook
- for index, controllerToScan := range config.ControllersToScan {
- for innerIndex, supportedAPIType := range controllerToScan.ListSupportedAPIVersions() {
-  webhookName := strings.ToLower(fmt.Sprintf("%s-%d-%d", controllerToScan, index, innerIndex))
-  hook := fwebhook.NewWebhook(webhookName, mgr, fwebhook.Validator{Config: config}, supportedAPIType)
-  if hook != nil {
-  webhooks = append(webhooks, hook)
- }
+ for name, supportedAPIType := range supportedVersions {
+ webhookName := strings.ToLower(name)
+ webhookName = strings.ReplaceAll(webhookName, "/", "-")
+ hook, err := fwebhook.NewWebhook(webhookName, mgr, fwebhook.Validator{Config: config}, supportedAPIType)
+ if err != nil {
+ logrus.Warningf("Couldn't build webhook %s: %v", webhookName, err)
+ continue
  }
+ webhooks = append(webhooks, hook)
+ logrus.Infof("%s webhook started", webhookName)
  }
 
  if err = as.Register(webhooks...); err != nil {

deploy/dashboard.yaml

@@ -33,7 +33,7 @@ data:
  # security
  hostIPCSet: error
  hostPIDSet: error
- notReadOnlyRootFileSystem: warning
+ notReadOnlyRootFilesystem: warning
  privilegeEscalationAllowed: error
  runAsRootAllowed: warning
  runAsPrivileged: error
@@ -100,7 +100,7 @@ data:
  - tiller
  - kube2iam
  rules:
- - notReadOnlyRootFileSystem
+ - notReadOnlyRootFilesystem
  - controllerNames:
  - cert-manager
  - dns-controller
@@ -128,7 +128,7 @@ data:
  - goldilocks
  - insights-agent-goldilocks-vpa-install
  rules:
- - notReadOnlyRootFileSystem
+ - notReadOnlyRootFilesystem
  - controllerNames:
  - insights-agent-goldilocks-controller
  rules:

deploy/webhook.yaml

@@ -46,7 +46,7 @@ data:
  # security
  hostIPCSet: error
  hostPIDSet: error
- notReadOnlyRootFileSystem: warning
+ notReadOnlyRootFilesystem: warning
  privilegeEscalationAllowed: error
  runAsRootAllowed: warning
  runAsPrivileged: error
@@ -113,7 +113,7 @@ data:
  - tiller
  - kube2iam
  rules:
- - notReadOnlyRootFileSystem
+ - notReadOnlyRootFilesystem
  - controllerNames:
  - cert-manager
  - dns-controller
@@ -141,7 +141,7 @@ data:
  - goldilocks
  - insights-agent-goldilocks-vpa-install
  rules:
- - notReadOnlyRootFileSystem
+ - notReadOnlyRootFilesystem
  - controllerNames:
  - insights-agent-goldilocks-controller
  rules:

docs/check-documentation/security.md

@@ -6,7 +6,7 @@ key | default | description
 ----|---------|------------
 `security.hostIPCSet` | `error` | Fails when `hostIPC` attribute is configured.
 `security.hostPIDSet` | `error` | Fails when `hostPID` attribute is configured.
-`security.notReadOnlyRootFileSystem` | `warning` | Fails when `securityContext.readOnlyRootFilesystem` is not true.
+`security.notReadOnlyRootFilesystem` | `warning` | Fails when `securityContext.readOnlyRootFilesystem` is not true.
 `security.privilegeEscalationAllowed` | `error` | Fails when `securityContext.allowPrivilegeEscalation` is true.
 `security.runAsRootAllowed` | `error` | Fails when `securityContext.runAsNonRoot` is not true.
 `security.runAsPrivileged` | `error` | Fails when `securityContext.privileged` is true.

examples/config-full.yaml

@@ -17,7 +17,7 @@ checks:
  # security
  hostIPCSet: error
  hostPIDSet: error
- notReadOnlyRootFileSystem: warning
+ notReadOnlyRootFilesystem: warning
  privilegeEscalationAllowed: error
  runAsRootAllowed: warning
  runAsPrivileged: error
@@ -72,13 +72,6 @@ customChecks:
  not:
  pattern: ^quay.io
 
-controllersToScan:
- - Deployments
- - StatefulSets
- - DaemonSets
- - CronJobs
- - Jobs
- - ReplicationControllers
 exemptions:
  - controllerNames:
  - dns-controller
@@ -133,7 +126,7 @@ exemptions:
  - tiller
  - kube2iam
  rules:
- - notReadOnlyRootFileSystem
+ - notReadOnlyRootFilesystem
  - controllerNames:
  - cert-manager
  - dns-controller

examples/config.yaml

@@ -16,19 +16,12 @@ checks:
  # security
  hostIPCSet: error
  hostPIDSet: error
- notReadOnlyRootFileSystem: warning
+ notReadOnlyRootFilesystem: warning
  privilegeEscalationAllowed: error
  runAsRootAllowed: warning
  runAsPrivileged: error
  dangerousCapabilities: error
  insecureCapabilities: warning
-controllersToScan:
- - Deployments
- - StatefulSets
- - DaemonSets
- - CronJobs
- - Jobs
- - ReplicationControllers
 exemptions:
  - controllerNames:
  - dns-controller
@@ -83,7 +76,7 @@ exemptions:
  - tiller
  - kube2iam
  rules:
- - notReadOnlyRootFileSystem
+ - notReadOnlyRootFilesystem
  - controllerNames:
  - cert-manager
  - dns-controller
@@ -111,7 +104,7 @@ exemptions:
  - goldilocks
  - insights-agent-goldilocks-vpa-install
  rules:
- - notReadOnlyRootFileSystem
+ - notReadOnlyRootFilesystem
  - controllerNames:
  - insights-agent-goldilocks-controller
  rules:

go.mod

@@ -47,16 +47,17 @@ require (
  github.com/markbates/safe v1.0.1
  github.com/matttproud/golang_protobuf_extensions v1.0.1
  github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
- github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742
+ github.com/modern-go/reflect2 v1.0.1
  github.com/pborman/uuid v0.0.0-20180906182336-adf5a7427709
  github.com/petar/GoLLRB v0.0.0-20190514000832-33fb24c13b99
  github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
  github.com/pkg/errors v0.9.1
  github.com/pmezard/go-difflib v1.0.0
- github.com/prometheus/client_golang v0.9.3
- github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90
+ github.com/prometheus/client_golang v1.0.0
+ github.com/prometheus/client_model v0.2.0
  github.com/prometheus/common v0.9.1
  github.com/prometheus/procfs v0.0.11
+ github.com/prometheus/tsdb v0.7.1 // indirect
  github.com/qri-io/jsonschema v0.1.1
  github.com/rogpeppe/go-internal v1.5.2
  github.com/sirupsen/logrus v1.4.2
@@ -76,7 +77,7 @@ require (
  golang.org/x/net v0.0.0-20190620200207-3b0461eec859
  golang.org/x/oauth2 v0.0.0-20190517181255-950ef44c6e07
  golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e
- golang.org/x/sys v0.0.0-20191218084908-4a24b4065292
+ golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e
  golang.org/x/text v0.3.2
  golang.org/x/time v0.0.0-20190308202827-9d24e82272b4
  golang.org/x/tools v0.0.0-20191224055732-dd894d0a8a40

go.sum

@@ -250,6 +250,7 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJ
 github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742 h1:Esafd1046DLDQ0W1YjYsBW+p8U2u7vzgW2SQVmlNazg=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
@@ -284,11 +285,13 @@ github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP
 github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs=
 github.com/prometheus/client_golang v0.9.3 h1:9iH4JKXLzFbOAdtqv/a+j8aewx2Y8lAjAydhbaScPF8=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
+github.com/prometheus/client_golang v1.0.0 h1:vrDKnkGzuGvhNAL56c7DBz29ZL+KxnoR0x7enabFceM=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90 h1:S/YWwWx/RA8rT8tKFRuGUZhuA90OyIBpPCXkcbwU8DE=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M=
 github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=

pkg/config/config.go

@@ -30,7 +30,6 @@ import (
 type Configuration struct {
  DisplayName string `json:"displayName"`
  Checks map[string]Severity `json:"checks"`
- ControllersToScan []SupportedController `json:"controllersToScan"`
  CustomChecks map[string]SchemaCheck `json:"customChecks"`
  Exemptions []Exemption `json:"exemptions"`
  DisallowExemptions bool `json:"disallowExemptions"`

pkg/config/config_test.go

@@ -31,16 +31,13 @@ var confInvalid = `test`
 var confValidYAML = `
 checks:
  cpuRequestsMissing: warning
-controllersToScan:
- - Deployments
 `
 
 var confValidJSON = `
 {
  "checks": {
  "cpuRequestsMissing": "warning"
- },
- "controllersToScan": ["Deployments"]
+ }
 }
 `
 
@@ -160,5 +157,4 @@ func TestConfigWithCustomChecks(t *testing.T) {
 func testParsedConfig(t *testing.T, config *Configuration) {
  assert.Equal(t, SeverityWarning, config.Checks["cpuRequestsMissing"])
  assert.Equal(t, Severity(""), config.Checks["cpuLimitsMissing"])
- assert.ElementsMatch(t, []SupportedController{Deployments}, config.ControllersToScan)
 }