Package policy recommendation #732
Conversation
|
@vishnusomank Please rebase onto latest dev. |
Signed-off-by: Vishnu Soman <[email protected]>
updated @Vyom-Yadav |
| for _, d := range replicaSets { | ||
|
|
||
| labelMap := labelArrayToLabelMap(strings.Split(d.Labels, ",")) | ||
|
|
||
| if recommendAdmissionControllerPolicy && | ||
| isNamespaceAllowed(d.Namespace, nsNotFilterAdmissionControllerPolicy, nsFilterAdmissionControllerPolicy) { | ||
| policies = append(policies, generateAdmissionControllerPolicy(d.Name, d.Namespace, labelMap)...) | ||
| } | ||
| } | ||
| for _, d := range statefulSets { | ||
|
|
||
| labelMap := labelArrayToLabelMap(strings.Split(d.Labels, ",")) | ||
|
|
||
| if recommendAdmissionControllerPolicy && | ||
| isNamespaceAllowed(d.Namespace, nsNotFilterAdmissionControllerPolicy, nsFilterAdmissionControllerPolicy) { | ||
| policies = append(policies, generateAdmissionControllerPolicy(d.Name, d.Namespace, labelMap)...) | ||
| } | ||
| } | ||
| for _, d := range daemonSets { | ||
|
|
||
| labelMap := labelArrayToLabelMap(strings.Split(d.Labels, ",")) | ||
|
|
||
| if recommendAdmissionControllerPolicy && | ||
| isNamespaceAllowed(d.Namespace, nsNotFilterAdmissionControllerPolicy, nsFilterAdmissionControllerPolicy) { | ||
| policies = append(policies, generateAdmissionControllerPolicy(d.Name, d.Namespace, labelMap)...) | ||
| } | ||
| } |
There was a problem hiding this comment.
This won't work for all types of pod controllers as we generate some fields in Kyverno policy according to the type of controller.
discovery-engine/src/recommendpolicy/helperFunctions.go
Lines 148 to 151 in 1746c3e
Other generated fields would work similarly for all pod controllers except CronJob.
So you would need to have the name of the kind passed while generating Kyverno policy so it gets updated accordingly. The merger of #734 would lead to some conflicts as we are shifting to kyverno policy interface.
There was a problem hiding this comment.
Please add some PR description. Major item: #732 (comment)
Other items:
| if rs.Namespace == "kube-system" { | ||
| continue | ||
| } |
There was a problem hiding this comment.
I see this pattern for other controllers too, IMO resource filtration shouldn't be hardcoded and should be based on some configuration.
Edit-
There are ns filters in configuration for DE
discovery-engine/deployments/k8s/deployment.yaml
Lines 74 to 75 in 1746c3e
So, it shouldn't be hardcoded.
| deployments := cluster.GetDeploymentsFromK8sClient() | ||
| deployments = append(deployments, cluster.GetReplicaSetsFromK8sClient()...) | ||
| deployments = append(deployments, cluster.GetStatefulSetsFromK8sClient()...) | ||
| deployments = append(deployments, cluster.GetDaemonSetsFromK8sClient()...) |
There was a problem hiding this comment.
deployments -> podControllers, let's use better variable names.
|
|
||
| "github.com/accuknox/auto-policy-discovery/src/admissioncontrollerpolicy" | ||
| "github.com/accuknox/auto-policy-discovery/src/cluster" | ||
| cfg "github.com/accuknox/auto-policy-discovery/src/config" | ||
| logger "github.com/accuknox/auto-policy-discovery/src/logging" | ||
| "github.com/accuknox/auto-policy-discovery/src/systempolicy" | ||
| "github.com/accuknox/auto-policy-discovery/src/types" | ||
| v1 "github.com/kyverno/kyverno/api/kyverno/v1" |
There was a problem hiding this comment.
v1 -> kyvernov1, we usually use v1 when we are referring to core v1.
| deployments := cluster.GetDeploymentsFromK8sClient() | ||
| if deployments == nil { | ||
| log.Error().Msg("Error getting Deployments from k8s client.") |
There was a problem hiding this comment.
Based on the logic of cluster.GetDeploymentsFromK8sClient() function, it would automatically filter kube-system ns, this would alter the current behavior. Same for other pod controllers.
| if policies == nil { | ||
| log.Error().Msg("Error generating hardened policies") | ||
| return | ||
| } | ||
| systempolicy.UpdateSysPolicies(policies) |
There was a problem hiding this comment.
Not related to the current changes, but this leads to the non-generation of Kyverno policies if no KubeArmor policies are found. This shouldn't be the expected behavior.
|
|
||
| labelMap := labelArrayToLabelMap(strings.Split(d.Labels, ",")) | ||
|
|
||
| if recommendAdmissionControllerPolicy && |
There was a problem hiding this comment.
recommendAdmissionControllerPolicy should be the overall condition.
| func GetHardenPolicy(deployments, replicaSets, statefulSets, daemonSets []types.Deployment, nsNotFilter []string) []types.KnoxSystemPolicy { | ||
|
|
||
| var policies []types.KnoxSystemPolicy | ||
| if !isLatest() { |
There was a problem hiding this comment.
Not related to the current changes but can you please move the logic of DownloadAndUnzipRelease out of this function? It is not just related to hardening policy and results in this function doing more than what its name suggests.
No description provided.