chore(cmd): Merge kubectl-starboard repository in (#4)

Signed-off-by: Daniel Pacak <[email protected]>
aquasecurity · May 11, 2020 · a4f150f · a4f150f
1 parent 8048595
commit a4f150f
Show file tree

Hide file tree

Showing 52 changed files with 3,032 additions and 2 deletions.
diff --git a/.github/workflows/build.yml → .github/workflows/build.yaml b/.github/workflows/build.yml → .github/workflows/build.yaml
@@ -19,3 +19,12 @@ jobs:
         run: go mod vendor
       - name: Verify generated code
         run: GOPATH="$(go env GOPATH)" ./hack/verify-codegen.sh
+      - name: Run unit tests
+        run: make test
+      - name: Upload code coverage
+        uses: codecov/codecov-action@v1
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          file: ./coverage.txt
+      - name: Build executable binary
+        run: make build
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,26 @@
+name: release
+on:
+  push:
+    tags:
+      - "v*"
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Setup Go
+        uses: actions/setup-go@v1
+        with:
+          go-version: 1.14
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Unshallow # This step is required for the changelog to work correctly
+        run: git fetch --prune --unshallow
+      - name: Run unit tests
+        run: make test
+      - name: Release
+        uses: goreleaser/goreleaser-action@v1
+        with:
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,6 @@
 .idea/
 
-vendor/
+bin/
+dist/
+
+coverage.txt
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -0,0 +1,27 @@
+env:
+  - GO111MODULE=on
+before:
+  hooks:
+    - go mod download
+builds:
+  - id: build-kubectl-starboard
+    main: ./cmd/kubectl-starboard/main.go
+    binary: kubectl-starboard
+    env:
+      - CGO_ENABLED=0
+archives:
+  - replacements:
+      darwin: Darwin
+      linux: Linux
+      386: i386
+      amd64: x86_64
+checksum:
+  name_template: "checksums.txt"
+snapshot:
+  name_template: "{{ .FullCommit }}"
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - '^docs'
+      - '^test'
diff --git a/Makefile b/Makefile
@@ -0,0 +1,10 @@
+SOURCES := $(shell find . -name '*.go')
+BINARY := kubectl-starboard
+
+build: kubectl-starboard
+
+$(BINARY): $(SOURCES)
+	CGO_ENABLED=0 go build -o ./bin/$(BINARY) ./cmd/kubectl-starboard/main.go
+
+test: $(SOURCES)
+	go test -v -short -race -timeout 30s -coverprofile=coverage.txt -covermode=atomic ./...
diff --git a/cmd/kubectl-starboard/main.go b/cmd/kubectl-starboard/main.go
@@ -0,0 +1,35 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+
+	"github.com/spf13/pflag"
+
+	"github.com/aquasecurity/starboard/pkg/cmd"
+	"k8s.io/klog"
+)
+
+func main() {
+	defer klog.Flush()
+
+	initFlags()
+
+	if err := cmd.GetRootCmd().Execute(); err != nil {
+		fmt.Printf("error: %v\n", err)
+		os.Exit(1)
+	}
+}
+
+func initFlags() {
+	klog.InitFlags(nil)
+	pflag.CommandLine.AddGoFlagSet(flag.CommandLine)
+
+	// Hide all klog flags except for -v
+	flag.CommandLine.VisitAll(func(f *flag.Flag) {
+		if f.Name != "v" {
+			pflag.Lookup(f.Name).Hidden = true
+		}
+	})
+}
diff --git a/go.mod b/go.mod
@@ -3,8 +3,16 @@ module github.com/aquasecurity/starboard
 go 1.14
 
 require (
+	github.com/google/uuid v1.1.1
+	github.com/spf13/cobra v0.0.5
+	github.com/spf13/pflag v1.0.5
+	github.com/stretchr/testify v1.5.1
+	k8s.io/api v0.17.5
 	k8s.io/apiextensions-apiserver v0.17.5
 	k8s.io/apimachinery v0.17.5
+	k8s.io/cli-runtime v0.17.5
+	k8s.io/client-go v0.17.5
 	k8s.io/code-generator v0.17.5
+	k8s.io/klog v1.0.0
 	k8s.io/utils v0.0.0-20191114184206-e782cd3c129f
 )
diff --git a/go.sum b/go.sum
diff --git a/kube/starboard.yaml b/kube/starboard.yaml
@@ -0,0 +1,179 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: starboard
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: starboard
+  namespace: starboard
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: starboard
+rules:
+  - apiGroups:
+      - apps
+      - batch
+      - ""
+    resources:
+      - deployments
+      - statefulsets
+      - daemonsets
+      - jobs
+      - cronjobs
+      - replicationcontrollers
+      - nodes
+      - namespaces
+      - pods
+    verbs:
+      - list
+      - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: starboard
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: starboard
+subjects:
+  - kind: ServiceAccount
+    name: starboard
+    namespace: starboard
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: polaris-config
+  namespace: starboard
+data:
+  config.yaml: |
+    checks:
+      # resources
+      cpuRequestsMissing: warning
+      cpuLimitsMissing: warning
+      memoryRequestsMissing: warning
+      memoryLimitsMissing: warning
+      # images
+      tagNotSpecified: error
+      pullPolicyNotAlways: ignore
+      # healthChecks
+      readinessProbeMissing: warning
+      livenessProbeMissing: warning
+      # networking
+      hostNetworkSet: warning
+      hostPortSet: warning
+      # security
+      hostIPCSet: error
+      hostPIDSet: error
+      notReadOnlyRootFileSystem: warning
+      privilegeEscalationAllowed: error
+      runAsRootAllowed: warning
+      runAsPrivileged: error
+      dangerousCapabilities: error
+      insecureCapabilities: warning
+    controllersToScan:
+      - Deployments
+      - StatefulSets
+      - DaemonSets
+      - CronJobs
+      - Jobs
+      - ReplicationControllers
+    exemptions:
+      - controllerNames:
+          - dns-controller
+          - datadog-datadog
+          - kube-flannel-ds
+          - kube2iam
+          - aws-iam-authenticator
+          - datadog
+          - kube2iam
+        rules:
+          - hostNetworkSet
+      - controllerNames:
+          - aws-iam-authenticator
+          - aws-cluster-autoscaler
+          - kube-state-metrics
+          - dns-controller
+          - external-dns
+          - dnsmasq
+          - autoscaler
+          - kubernetes-dashboard
+          - install-cni
+          - kube2iam
+        rules:
+          - readinessProbeMissing
+          - livenessProbeMissing
+      - controllerNames:
+          - aws-iam-authenticator
+          - nginx-ingress-controller
+          - nginx-ingress-default-backend
+          - aws-cluster-autoscaler
+          - kube-state-metrics
+          - dns-controller
+          - external-dns
+          - kubedns
+          - dnsmasq
+          - autoscaler
+          - tiller
+          - kube2iam
+        rules:
+          - runAsRootAllowed
+      - controllerNames:
+          - aws-iam-authenticator
+          - nginx-ingress-controller
+          - nginx-ingress-default-backend
+          - aws-cluster-autoscaler
+          - kube-state-metrics
+          - dns-controller
+          - external-dns
+          - kubedns
+          - dnsmasq
+          - autoscaler
+          - tiller
+          - kube2iam
+        rules:
+          - notReadOnlyRootFileSystem
+      - controllerNames:
+          - cert-manager
+          - dns-controller
+          - kubedns
+          - dnsmasq
+          - autoscaler
+          - insights-agent-goldilocks-vpa-install
+        rules:
+          - cpuRequestsMissing
+          - cpuLimitsMissing
+          - memoryRequestsMissing
+          - memoryLimitsMissing
+      - controllerNames:
+          - kube2iam
+          - kube-flannel-ds
+        rules:
+          - runAsPrivileged
+      - controllerNames:
+          - kube-hunter
+        rules:
+          - hostPIDSet
+      - controllerNames:
+          - polaris
+          - kube-hunter
+          - goldilocks
+          - insights-agent-goldilocks-vpa-install
+        rules:
+          - notReadOnlyRootFileSystem
+      - controllerNames:
+          - insights-agent-goldilocks-controller
+        rules:
+          - livenessProbeMissing
+          - readinessProbeMissing
+      - controllerNames:
+          - insights-agent-goldilocks-vpa-install
+          - kube-hunter
+        rules:
+          - runAsRootAllowed
diff --git a/pkg/cmd/cleanup.go b/pkg/cmd/cleanup.go
@@ -0,0 +1,31 @@
+package cmd
+
+import (
+	"github.com/aquasecurity/starboard/pkg/kube"
+	"github.com/spf13/cobra"
+	extapi "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1beta1"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+)
+
+func GetCleanupCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "cleanup",
+		Short: "Delete custom resource definitions created by starboard",
+		RunE: func(cmd *cobra.Command, args []string) (err error) {
+			config, err := cf.ToRESTConfig()
+			if err != nil {
+				return
+			}
+			client, err := extapi.NewForConfig(config)
+			if err != nil {
+				return
+			}
+			crm, err := kube.NewCRManager(client)
+			if err != nil {
+				return
+			}
+			return crm.Cleanup()
+		},
+	}
+	return cmd
+}
diff --git a/pkg/cmd/find.go b/pkg/cmd/find.go
@@ -0,0 +1,16 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+)
+
+func GetFindCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
+	findCmd := &cobra.Command{
+		Use:   "find",
+		Short: "Manage security scanners",
+	}
+	findCmd.AddCommand(GetVulnerabilitiesCmd(cf))
+
+	return findCmd
+}