feat: Add OpenShift exceptions (#311)

* Add OpenShift exceptions * perf: move config load out of processing loop * chore: add issue linking to PR template * revert: undiscover ReplicaSet exceptions * test: namespace regex prefix with resource name regex
yonahd · Jun 18, 2024 · ced2ef2 · ced2ef2
1 parent db2b8dd
commit ced2ef2
Show file tree

Hide file tree

Showing 20 changed files with 513 additions and 36 deletions.
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -22,7 +22,7 @@
 
 ## GitHub Issue
 
-[XX-XX]
+Closes [XX-XX]
 
 <!-- Notes that may be helpful for anyone reviewing this PR -->
 

diff --git a/pkg/kor/clusterroles.go b/pkg/kor/clusterroles.go
@@ -124,6 +124,11 @@ func retrieveClusterRoleNames(clientset kubernetes.Interface, filterOpts *filter
 		return nil, nil, err
 	}
 
+	config, err := unmarshalConfig(clusterRolesConfig)
+	if err != nil {
+		return nil, nil, err
+	}
+
 	var unusedClusterRoles []string
 	names := make([]string, 0, len(clusterRoles.Items))
 
@@ -137,11 +142,6 @@ func retrieveClusterRoleNames(clientset kubernetes.Interface, filterOpts *filter
 			continue
 		}
 
-		config, err := unmarshalConfig(clusterRolesConfig)
-		if err != nil {
-			return nil, nil, err
-		}
-
 		exceptionFound, err := isResourceException(clusterRole.Name, clusterRole.Namespace, config.ExceptionClusterRoles)
 		if err != nil {
 			return nil, nil, err

diff --git a/pkg/kor/crds.go b/pkg/kor/crds.go
@@ -29,16 +29,16 @@ func processCrds(apiExtClient apiextensionsclientset.Interface, dynamicClient dy
 		return nil, err
 	}
 
+	config, err := unmarshalConfig(crdsConfig)
+	if err != nil {
+		return nil, err
+	}
+
 	for _, crd := range crds.Items {
 		if pass := filters.KorLabelFilter(&crd, &filters.Options{}); pass {
 			continue
 		}
 
-		config, err := unmarshalConfig(crdsConfig)
-		if err != nil {
-			return nil, err
-		}
-
 		exceptionFound, err := isResourceException(crd.Name, crd.Namespace, config.ExceptionCrds)
 		if err != nil {
 			return nil, err

diff --git a/pkg/kor/daemonsets.go b/pkg/kor/daemonsets.go
@@ -23,18 +23,18 @@ func processNamespaceDaemonSets(clientset kubernetes.Interface, namespace string
 		return nil, err
 	}
 
+	config, err := unmarshalConfig(daemonsetsConfig)
+	if err != nil {
+		return nil, err
+	}
+
 	var daemonSetsWithoutReplicas []ResourceInfo
 
 	for _, daemonSet := range daemonSetsList.Items {
 		if pass, _ := filter.SetObject(&daemonSet).Run(filterOpts); pass {
 			continue
 		}
 
-		config, err := unmarshalConfig(daemonsetsConfig)
-		if err != nil {
-			return nil, err
-		}
-
 		exceptionFound, err := isResourceException(daemonSet.Name, daemonSet.Namespace, config.ExceptionDaemonSets)
 		if err != nil {
 			return nil, err

diff --git a/pkg/kor/exceptions/clusterroles/clusterroles.json b/pkg/kor/exceptions/clusterroles/clusterroles.json
@@ -4,14 +4,118 @@
       "Namespace": "",
       "ResourceName": "admin"
     },
+    {
+      "Namespace": "",
+      "ResourceName": "alert-routing-edit"
+    },
     {
       "Namespace": "",
       "ResourceName": "cloud-provider"
     },
+    {
+      "Namespace": "",
+      "ResourceName": "cluster-debugger"
+    },
     {
       "Namespace": "",
       "ResourceName": "edit"
     },
+    {
+      "Namespace": "",
+      "ResourceName": "global-operators-admin"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "global-operators-edit"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "global-operators-view"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "monitoring-edit"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "monitoring-rules-edit"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "monitoring-rules-view"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "olm-operators-admin"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "olm-operators-edit"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "olm-operators-view"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "openshift-cluster-monitoring-admin"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "openshift-cluster-monitoring-edit"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "openshift-cluster-monitoring-view"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "openshift-csi-main-attacher-role"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "openshift-csi-main-provisioner-role"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "openshift-csi-main-resizer-role"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "openshift-csi-main-snapshotter-role"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "openshift-csi-provisioner-configmap-and-secret-reader-role"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "openshift-csi-provisioner-volumeattachment-reader-role"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "openshift-csi-provisioner-volumesnapshot-reader-role"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "openshift-csi-resizer-infrastructure-reader-role"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "openshift-csi-resizer-storageclass-reader-role"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "resource-metrics-server-resources"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "storage-admin"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "sudoer"
+    },
     {
       "Namespace": "",
       "ResourceName": "system:aggregate-to-admin"
@@ -36,6 +140,10 @@
       "Namespace": "",
       "ResourceName": "system:auth-delegator"
     },
+    {
+      "Namespace": "",
+      "ResourceName": "system:build-strategy-custom"
+    },
     {
       "Namespace": "",
       "ResourceName": "system:certificates.k8s.io:certificatesigningrequests:nodeclient"
@@ -72,6 +180,18 @@
       "Namespace": "",
       "ResourceName": "system:heapster"
     },
+    {
+      "Namespace": "",
+      "ResourceName": "system:image-auditor"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "system:image-pusher"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "system:image-signer"
+    },
     {
       "Namespace": "",
       "ResourceName": "system:kube-aggregator"
@@ -92,10 +212,62 @@
       "Namespace": "",
       "ResourceName": "system:node-problem-detector"
     },
+    {
+      "Namespace": "",
+      "ResourceName": "system:node-reader"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "system:openshift:aggregate-snapshots-to-storage-admin"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "system:openshift:aggregate-to-storage-admin"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "system:openshift:scc:hostaccess"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "system:openshift:scc:hostmount"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "system:openshift:scc:hostnetwork"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "system:openshift:scc:nonroot"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "system:openshift:scc:nonroot-v2"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "system:openshift:scc:privileged"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "system:openshift:scc:restricted"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "system:openshift:templateservicebroker-client"
+    },
     {
       "Namespace": "",
       "ResourceName": "system:persistent-volume-provisioner"
     },
+    {
+      "Namespace": "",
+      "ResourceName": "system:router"
+    },
+    {
+      "Namespace": "",
+      "ResourceName": "system:sdn-manager"
+    },
     {
       "Namespace": "",
       "ResourceName": "view"

diff --git a/pkg/kor/exceptions/configmaps/configmaps.json b/pkg/kor/exceptions/configmaps/configmaps.json
@@ -5,6 +5,11 @@
       "ResourceName": "kube-root-ca\\.crt",
       "MatchRegex": true
     },
+    {
+      "Namespace": ".*",
+      "ResourceName": "openshift-service-ca\\.crt",
+      "MatchRegex": true
+    },
     {
       "Namespace": "gmp-system",
       "ResourceName": "config-images"
@@ -25,10 +30,18 @@
       "Namespace": "kube-system",
       "ResourceName": "aws-auth"
     },
+    {
+      "Namespace": "kube-system",
+      "ResourceName": "bootstrap"
+    },
     {
       "Namespace": "kube-system",
       "ResourceName": "cluster-autoscaler-status"
     },
+    {
+      "Namespace": "kube-system",
+      "ResourceName": "cluster-config-v1"
+    },
     {
       "Namespace": "kube-system",
       "ResourceName": "cluster-dns"
@@ -97,9 +110,18 @@
       "Namespace": "kube-system",
       "ResourceName": "overlay-upgrade-data"
     },
+    {
+      "Namespace": "kube-system",
+      "ResourceName": "root-ca"
+    },
     {
       "Namespace": "kubernetes-dashboard",
       "ResourceName": "kubernetes-dashboard-settings"
+    },
+    {
+      "Namespace": "openshift-.*",
+      "ResourceName": ".*",
+      "MatchRegex": true
     }
   ]
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -22,7 +22,7 @@ @@
     ## GitHub Issue
-    [XX-XX]
+    Closes [XX-XX]
     <!-- Notes that may be helpful for anyone reviewing this PR -->
@@ Expand Down @@