Merge branch 'main' into mv/add-core-pattern-edge

martinvoigt-dd · Sep 12, 2024 · 11aa849 · 11aa849
2 parents 71d6992 + fb9c56a
commit 11aa849
Show file tree

Hide file tree

Showing 185 changed files with 81,402 additions and 1,600 deletions.
diff --git a/.github/workflows/buildx.yml b/.github/workflows/buildx.yml
@@ -86,7 +86,7 @@ jobs:
         name: Upload artifacts
         uses: actions/upload-artifact@v3
         with:
-          name: compose
+          name: kubehound
           path: ./bin/release/*
           if-no-files-found: error
 
@@ -105,7 +105,7 @@ jobs:
         name: Download artifacts
         uses: actions/download-artifact@v3
         with:
-          name: compose
+          name: kubehound
           path: bin/release
       -
         name: Create checksums

diff --git a/.github/workflows/datadog-static-analysis.yml b/.github/workflows/datadog-static-analysis.yml
@@ -0,0 +1,24 @@
+name: Datadog Static Analysis
+
+on:
+  push:
+
+permissions: {}
+
+jobs:
+  static-analysis:
+    name: Datadog Static Analyzer
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Check code meets quality and security standards
+        id: datadog-static-analysis
+        uses: DataDog/datadog-static-analyzer-github-action@v1
+        with:
+          dd_api_key: ${{ secrets.DD_API_KEY }}
+          dd_app_key: ${{ secrets.DD_APP_KEY }}
+          dd_service: kubehound
+          dd_env: ci
+          dd_site: datadoghq.com
+          cpu_count: 2
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -17,18 +17,18 @@ jobs:
   docker-build-push:
     runs-on: ubuntu-latest
     strategy:
-        # https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs
-        matrix:
-          include:
-            - dockerfile: deployments/kubehound/kubegraph/Dockerfile
-              image: graph
-              workdir: deployments/kubehound/kubegraph/
-            - dockerfile: deployments/kubehound/notebook/Dockerfile
-              image: ui
-              workdir: deployments/kubehound/notebook/
-            - dockerfile: deployments/kubehound/ingestor/Dockerfile
-              image: ingestor
-              workdir: .
+      # https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs
+      matrix:
+        include:
+          - dockerfile: deployments/kubehound/graph/Dockerfile
+            image: graph
+            workdir: deployments/kubehound/graph/
+          - dockerfile: deployments/kubehound/ui/Dockerfile
+            image: ui
+            workdir: deployments/kubehound/ui/
+          - dockerfile: deployments/kubehound/binary/Dockerfile
+            image: binary
+            workdir: .
     permissions:
       contents: read
       packages: write
@@ -67,6 +67,9 @@ jobs:
             productionresultssa8.blob.core.windows.net:443
             results-receiver.actions.githubusercontent.com:443
             vstsmms.actions.githubusercontent.com:443
+            raw.githubusercontent.com:443
+            nodejs.org:443
+            iojs.org:443
 
       - name: Checkout
         uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
@@ -94,8 +97,8 @@ jobs:
           build-args: |
             VERSION=${{ github.ref_name }}
           tags: |
-              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-${{ matrix.image }}:${{ github.ref_name }}
-              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-${{ matrix.image }}:latest
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-${{ matrix.image }}:${{ github.ref_name }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-${{ matrix.image }}:latest
 
       - name: Build and push Docker image
         if: ${{ github.event_name == 'workflow_dispatch' }}
@@ -108,5 +111,5 @@ jobs:
           build-args: |
             VERSION=${{ github.sha }}
           tags: |
-              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-${{ matrix.image }}:snapshot-${{ github.sha }}
-              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-${{ matrix.image }}:latest
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-${{ matrix.image }}:snapshot-${{ github.sha }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-${{ matrix.image }}:latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
diff --git a/.github/workflows/system-test.yml b/.github/workflows/system-test.yml
@@ -6,12 +6,25 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   system-test:
     runs-on:
       group: Large Runner Shared Public 
       labels: ubuntu-8-core-latest
-    environment: devenv
+    services:
+      dd-agent:
+        image: gcr.io/datadoghq/agent:7
+        env:
+          DD_API_KEY: ${{ secrets.DD_API_KEY }}
+          DD_TRACE_DEBUG: 1
+          DD_LOGS_ENABLED: true
+          DD_APM_ENABLED: true
+          DD_HOSTNAME: "kubehound-github-action"
+        ports:
+          - 8126:8126
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
@@ -33,12 +46,6 @@ jobs:
             gcr.io:443
             repo.maven.apache.org:443
             *.datadoghq.com:443
-
-      - uses: datadog/agent-github-action@8240b406d73cb84cd5085a3919a78f59c258da3a
-        continue-on-error: true  # external contributors will not have access to the secret, but everything else should still work
-        with:
-          api_key: ${{ secrets.DD_API_KEY }}
-          extra_env: DD_TRACE_DEBUG=1,DD_LOGS_ENABLED=true,DD_APM_ENABLED=true
           
       - name: Checkout Git Repo
         uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab

diff --git a/.gitignore b/.gitignore
@@ -8,7 +8,6 @@ bin/
 *.dll
 *.so
 *.dylib
-*.jar
 *.class
 *.lst
 
@@ -53,7 +52,7 @@ test/system/generator/generator
 scripts/collectors/
 
 # java
-deployments/kubehound/kubegraph/dsl/kubehound/target
+deployments/kubehound/graph/dsl/kubehound/target
 
 # personal settings
 .vscode/settings.json
@@ -100,4 +99,4 @@ override.tf.json
 
 # Ignore CLI configuration files
 .terraformrc
-terraform.rc
+terraform.rc
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -40,5 +40,4 @@ To add a new attack to KubeHound, please do the following:
 + Create the [resources](./test/setup/test-cluster/attacks/) file in the test cluster that will introduce an instance of the attack into the test cluster 
 + Add an [edge system test](./test/system/graph_edge_test.go) that verifies the attack is correctly created by KubeHound
 
-  See [here](https://github.com/DataDog/KubeHound/pull/68/files) for a previous example PR.
-
+See [here](https://github.com/DataDog/KubeHound/pull/68/files) for a previous example PR.
diff --git a/Dockerfile b/Dockerfile
@@ -15,14 +15,14 @@ FROM golangci/golangci-lint:${GOLANGCI_LINT_VERSION}-alpine AS golangci-lint
 FROM --platform=${BUILDPLATFORM} golang:${GO_VERSION}-alpine AS base
 COPY --from=xx / /
 RUN apk add --no-cache \
-      clang \
-      docker \
-      file \
-      findutils \
-      git \
-      make \
-      protoc \
-      protobuf-dev
+    clang \
+    docker \
+    file \
+    findutils \
+    git \
+    make \
+    protoc \
+    protobuf-dev
 WORKDIR /src
 ENV CGO_ENABLED=0
 
@@ -49,14 +49,18 @@ RUN --mount=type=bind,target=.,rw \
 
 FROM build-base AS build
 ARG BUILD_TAGS
+ARG BUILD_BRANCH
 ARG BUILD_FLAGS
 ARG TARGETPLATFORM
+ENV BUILD_BRANCH="${BUILD_BRANCH}"
 RUN --mount=type=bind,target=. \
     --mount=type=cache,target=/root/.cache \
     --mount=type=cache,target=/go/pkg/mod \
     --mount=type=bind,from=osxcross,src=/osxsdk,target=/xx-sdk \
     xx-go --wrap && \
-    if [ "$(xx-info os)" == "darwin" ]; then export CGO_ENABLED=1; fi && \
+    # Removing DWARD symbol on Darwin as it causes the following error:
+    # /usr/local/go/pkg/tool/linux_arm64/link: /usr/local/go/pkg/tool/linux_arm64/link: running dsymutil failed: exec: "dsymutil": executable file not found in $PATH
+    if [ "$(xx-info os)" == "darwin" ]; then export CGO_ENABLED=1; export BUILD_TAGS="-w $BUILD_TAGS"; fi && \
     make build GO_BUILDTAGS="$BUILD_TAGS" DESTDIR=/out && \
     xx-verify --static /out/kubehound
 
@@ -97,8 +101,12 @@ RUN --mount=from=binary \
     mkdir -p /out && \
     # TODO: should just use standard arch
     TARGETARCH=$([ "$TARGETARCH" = "amd64" ] && echo "x86_64" || echo "$TARGETARCH"); \
-    TARGETARCH=$([ "$TARGETARCH" = "arm64" ] && echo "aarch64" || echo "$TARGETARCH"); \
+    # Use arm64 for darwin
+    TARGETARCH=$([ "$TARGETARCH" = "arm64" ] && [ "$TARGETOS" != "darwin" ] && echo "aarch64" || echo "$TARGETARCH"); \
+    # Upper case first letter to match the uname -o output
+    TARGETOS=$([ "$TARGETOS" = "darwin" ] && echo "Darwin" || echo "$TARGETOS"); \
+    TARGETOS=$([ "$TARGETOS" = "linux" ] && echo "Linux" || echo "$TARGETOS"); \
     cp kubehound* "/out/kubehound-${TARGETOS}-${TARGETARCH}${TARGETVARIANT}$(ls kubehound* | sed -e 's/^kubehound//')"
 
 FROM scratch AS release
-COPY --from=releaser /out/ /
+COPY --from=releaser /out/ /
diff --git a/Makefile b/Makefile
@@ -9,11 +9,12 @@ SYSTEM_TEST_CMD := system-test system-test-clean
 COMMIT := $(shell git rev-parse --short HEAD)
 DATE := $(shell git log -1 --format=%cd --date=format:"%Y%m%d")
 
-BUILD_VERSION ?= $(shell git describe --match 'v[0-9]*' --dirty='.m' --always --tags)
+BUILD_VERSION ?= $(shell git describe --match 'v[0-9]*' --dirty --always --tags)
+BUILD_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD)
 BUILD_ARCH := $(shell go env GOARCH)
 BUILD_OS := $(shell go env GOOS)
 
-BUILD_FLAGS := -ldflags="-X github.com/DataDog/KubeHound/pkg/config.BuildVersion=$(BUILD_VERSION) -X github.com/DataDog/KubeHound/pkg/config.BuildArch=$(BUILD_ARCH) -X github.com/DataDog/KubeHound/pkg/config.BuildOs=$(BUILD_OS) -s -w"
+BUILD_FLAGS := -ldflags="${GO_BUILDTAGS} -X github.com/DataDog/KubeHound/pkg/config.BuildVersion=$(BUILD_VERSION) -X github.com/DataDog/KubeHound/pkg/config.BuildBranch=$(BUILD_BRANCH) -X github.com/DataDog/KubeHound/pkg/config.BuildArch=$(BUILD_ARCH) -X github.com/DataDog/KubeHound/pkg/config.BuildOs=$(BUILD_OS)"
 
 # Need to save the MAKEFILE_LIST variable before the including the env var files
 HELP_MAKEFILE_LIST := $(MAKEFILE_LIST)
@@ -113,7 +114,7 @@ local-cluster-destroy: ## Destroy the local kind cluster
 
 .PHONY: sample-graph
 sample-graph: | local-cluster-deploy build ## Create the kind cluster, start the backend, run the application, delete the cluster
-	cd test/system && export KUBECONFIG=$(ROOT_DIR)/test/setup/${KIND_KUBECONFIG} && $(ROOT_DIR)/bin/kubehound
+	cd test/system && export KUBECONFIG=$(ROOT_DIR)/test/setup/${KIND_KUBECONFIG} && $(ROOT_DIR)/bin/build/kubehound
 	bash test/setup/manage-cluster.sh destroy
 
 .PHONY: help
@@ -131,8 +132,4 @@ thirdparty-licenses: ## Generate the list of 3rd party dependencies and write to
 .PHONY: local-wiki
 local-wiki: ## Generate and serve the mkdocs wiki on localhost
 	poetry install || pip install mkdocs-material mkdocs-awesome-pages-plugin markdown-captions
-	poetry run mkdocs serve || mksdocs serve
-
-.PHONY: local-release
-local-release: ## Generate release packages locally via goreleaser
-	goreleaser release --snapshot --clean --config .goreleaser.yaml
+	poetry run mkdocs serve || mkdocs serve