diff --git a/.github/workflows/on_pull_request_go.yaml b/.github/workflows/on_pull_request_go.yaml
index 1ec9b0c..dc5d9ad 100644
--- a/.github/workflows/on_pull_request_go.yaml
+++ b/.github/workflows/on_pull_request_go.yaml
@@ -18,6 +18,7 @@ jobs:
 # this might remove tools that are actually needed,
 # if set to "true" but frees about 6 GB
 tool-cache: false
+ swap-storage: false
 - uses: actions/checkout@v3
diff --git a/Tiltfile b/Tiltfile
index 5e10427..fa209f0 100644
--- a/Tiltfile
+++ b/Tiltfile
@@ -236,7 +236,7 @@ k8s_resource(
 port_forwards=['2345:2345', '8080:8080'],
 resource_deps=[
 # 'go-build',
- # 'go-test',
+ 'go-test',
 'k8s:namespace',
 'argocd',
 'argocd-crds',
diff --git a/docs/usage.md.tpl b/docs/usage.md.tpl
index 863bfc0..44ebb34 100644
--- a/docs/usage.md.tpl
+++ b/docs/usage.md.tpl
@@ -41,4 +41,4 @@ The full list of supported environment variables is described below:
 {{- end }}
-See [integration](#integration) for more information on the tools integrated into `kubechecks` .
\ No newline at end of file
+See [integrations](./integrations) for more information on the tools integrated into `kubechecks` .
\ No newline at end of file
diff --git a/pkg/checks/kyverno/kyverno_test.go b/pkg/checks/kyverno/kyverno_test.go
index abc5664..44b9d89 100644
--- a/pkg/checks/kyverno/kyverno_test.go
+++ b/pkg/checks/kyverno/kyverno_test.go
@@ -108,10 +108,3 @@ policy ` + "`policy`" + ` -> resource ` + "`namespace1/Pod/mypod`" + ` failed:
 })
 }
 }
-
-// Placeholder function for engineapi.Policy
-type MockPolicy struct {
- name string
-}
-
-func (m MockPolicy) GetName() string { return m.name }
diff --git a/pkg/kyverno-kubectl/command.go b/pkg/kyverno-kubectl/command.go
index 9241e26..0b4eebf 100644
--- a/pkg/kyverno-kubectl/command.go
+++ b/pkg/kyverno-kubectl/command.go
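Review bot: The added `swap-storage: false` in the free-disk-space step carries no comment, while its sibling `tool-cache: false` two lines above explains the trade-off of flipping it; whoever next tunes this step for disk space will have to look up what the flag does. If it follows the same convention as tool-cache (true removes, false keeps), a one-line note in the same style, `# keep swap storage; set to "true" only if the job needs the extra disk`, would record the decision. The enclosing step's `with:` block starts outside the hunk.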
@@ -37,8 +37,6 @@ import (
 "k8s.io/client-go/kubernetes"
 )
-const divider = "----------------------------------------------------------------------"
-
 type SkippedInvalidPolicies struct {
 Skipped []string
 Invalid []string
@@ -60,8 +58,6 @@ type ApplyCommandConfig struct {
 ResourcePaths []string
 PolicyPaths []string
 GitBranch string
- warnExitCode int
- warnNoPassed bool
 Exception []string
 ContinueOnFail bool
 inlineExceptions bool
@@ -80,7 +76,10 @@ type Result struct {
 func RunKyvernoApply(policyPaths []string, resourcePaths []string) Result {
 logging.InitFlags(nil)
- logging.Setup(logging.TextFormat, logging.DefaultTime, 4)
+ err := logging.Setup(logging.TextFormat, logging.DefaultTime, 4)
+ if err != nil {
+ log.Log.Error(err, "failed to set kyverno logging")
+ }
 applyCommandConfig := &ApplyCommandConfig{}
 applyCommandConfig.ResourcePaths = resourcePaths
 result := Result{}
diff --git a/pkg/kyverno-kubectl/doc.go b/pkg/kyverno-kubectl/doc.go
deleted file mode 100644
index b398c61..0000000
--- a/pkg/kyverno-kubectl/doc.go
+++ /dev/null
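Review bot: The new `err` in RunKyvernoApply is declared with `:=` at function scope as the first statement after `logging.InitFlags(nil)`, so it stays live for the rest of the body (which continues outside the hunk) and every later error assignment must either reuse it with `=` or shadow it in a nested scope; scoping it to the check, `if err := logging.Setup(logging.TextFormat, logging.DefaultTime, 4); err != nil {` / `log.Log.Error(err, "failed to set kyverno logging")` / `}`, removes that hazard. Continuing after a failed logging setup looks intentional, since the old line discarded the return value entirely, but a comment such as `// logging setup is best-effort: a failure here must not abort the policy run` would keep a later reader from turning it into an early return. The error is reported through `log.Log`, which is presumably a different, already-initialized logger from the kyverno one being configured here; worth confirming it is usable at this point, otherwise the only record of the setup failure is lost.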
@@ -1,35 +0,0 @@
-// Copied from https://github.com/kyverno/kyverno/blob/25032e363f3b0ee302134dfebd191b03500987e9/cmd/cli/kubectl-kyverno/commands/apply/doc.go
-package apply
-
-var websiteUrl = `https://kyverno.io/docs/kyverno-cli/#apply`
-
-var description = []string{
- `Applies policies on resources.`,
-}
-
-var examples = [][]string{
- {
- "# Apply on a resource",
- "kyverno apply /path/to/policy.yaml /path/to/folderOfPolicies --resource=/path/to/resource1 --resource=/path/to/resource2",
- },
- {
- "# Apply on a folder of resources",
- "kyverno apply /path/to/policy.yaml /path/to/folderOfPolicies --resource=/path/to/resources/",
- },
- {
- "# Apply on a cluster",
- "kyverno apply /path/to/policy.yaml /path/to/folderOfPolicies --cluster",
- },
- {
- "# Apply policies from a gitSourceURL on a cluster",
- "kyverno apply https://github.com/kyverno/policies/openshift/ --git-branch main --cluster",
- },
- {
- "# Apply single policy with variable on single resource",
- "kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml --set =,=",
- },
- {
- "# Apply multiple policy with variable on multiple resource",
- "kyverno apply /path/to/policy1.yaml /path/to/policy2.yaml --resource /path/to/resource1.yaml --resource /path/to/resource2.yaml -f /path/to/value.yaml",
- },
-}
diff --git a/pkg/kyverno-kubectl/print.go b/pkg/kyverno-kubectl/print.go
deleted file mode 100644
index 92a80ab..0000000
--- a/pkg/kyverno-kubectl/print.go
+++ /dev/null
@@ -1,169 +0,0 @@
-// Copied from https://github.com/kyverno/kyverno/blob/25032e363f3b0ee302134dfebd191b03500987e9/cmd/cli/kubectl-kyverno/commands/apply/print.go
-package apply
-
-import (
- "encoding/json"
- "fmt"
- "io"
- "regexp"
- "strings"
- "time"
-
- kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
- kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
- "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
- "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/processor"
- "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/report"
- engineapi "github.com/kyverno/kyverno/pkg/engine/api"
- kyvernoreports "github.com/kyverno/kyverno/pkg/utils/report"
- "github.com/opentracing/opentracing-go/log"
- "github.com/pkg/errors"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "sigs.k8s.io/yaml"
-)
-
-func printSkippedAndInvalidPolicies(out io.Writer, skipInvalidPolicies SkippedInvalidPolicies) {
- if len(skipInvalidPolicies.Skipped) > 0 {
- fmt.Fprintln(out, divider)
- fmt.Fprintln(out, "Policies Skipped (as required variables are not provided by the user):")
- for i, policyName := range skipInvalidPolicies.Skipped {
- fmt.Fprintf(out, "%d. %s\n", i+1, policyName)
- }
- fmt.Fprintln(out, divider)
- }
- if len(skipInvalidPolicies.Invalid) > 0 {
- fmt.Fprintln(out, divider)
- fmt.Fprintln(out, "Invalid Policies:")
- for i, policyName := range skipInvalidPolicies.Invalid {
- fmt.Fprintf(out, "%d. %s\n", i+1, policyName)
- }
- fmt.Fprintln(out, divider)
- }
-}
-
-func printReports(out io.Writer, engineResponses []engineapi.EngineResponse, auditWarn bool) {
- clustered, namespaced := report.ComputePolicyReports(auditWarn, engineResponses...)
- if len(clustered) > 0 {
- report := report.MergeClusterReports(clustered)
- yamlReport, _ := yaml.Marshal(report)
- fmt.Fprintln(out, string(yamlReport))
- }
- for _, r := range namespaced {
- fmt.Fprintln(out, string("---"))
- yamlReport, _ := yaml.Marshal(r)
- fmt.Fprintln(out, string(yamlReport))
- }
-}
-
-func printExceptions(out io.Writer, engineResponses []engineapi.EngineResponse, auditWarn bool, ttl time.Duration) {
- clustered, _ := report.ComputePolicyReports(auditWarn, engineResponses...)
- for _, report := range clustered {
- for _, result := range report.Results {
- if result.Result == "fail" {
- if err := printException(out, result, ttl); err != nil {
- log.Error(err)
- }
- }
- }
- }
-}
-
-func printException(out io.Writer, result v1alpha2.PolicyReportResult, ttl time.Duration) error {
- for _, r := range result.Resources {
- name := strings.Join([]string{result.Policy, result.Rule, r.Namespace, r.Name}, "-")
-
- kinds := []string{r.Kind}
- names := []string{r.Name}
- rules := []string{result.Rule}
- if strings.HasPrefix(result.Rule, "autogen-") {
- if r.Kind == "CronJob" {
- kinds = append(kinds, "Job")
- rules = append(rules, strings.ReplaceAll(result.Rule, "autogen-cronjob-", "autogen-"))
- kinds = append(kinds, "Pod")
- rules = append(rules, result.Rule[len("autogen-cronjob-"):])
- } else {
- kinds = append(kinds, "Pod")
- rules = append(rules, result.Rule[len("autogen-"):])
- }
- names = append(names, r.Name+"-*")
- }
-
- exception := kyvernov2beta1.PolicyException{
- TypeMeta: metav1.TypeMeta{
- Kind: "PolicyException",
- APIVersion: kyvernov2beta1.SchemeGroupVersion.String(),
- },
- ObjectMeta: metav1.ObjectMeta{
- Name: name,
- },
- Spec: kyvernov2beta1.PolicyExceptionSpec{
- Match: kyvernov2beta1.MatchResources{
- All: kyvernov1.ResourceFilters{
- kyvernov1.ResourceFilter{
- ResourceDescription: kyvernov1.ResourceDescription{
- Kinds: kinds,
- Names: names,
- Namespaces: []string{r.Namespace},
- },
- },
- },
- },
- Exceptions: []kyvernov2beta1.Exception{
- {
- PolicyName: result.Policy,
- RuleNames: rules,
- },
- },
- },
- }
-
- if ttl > 0 {
- exception.ObjectMeta.Labels = map[string]string{
- "cleanup.kyverno.io/ttl": ttl.String(),
- }
- }
-
- if controlList, ok := result.Properties["controlsJSON"]; ok {
- pssList := make([]kyvernov1.PodSecurityStandard, 0)
- var controls []kyvernoreports.Control
- err := json.Unmarshal([]byte(controlList), &controls)
- if err != nil {
- return errors.Wrapf(err, "failed to unmarshall PSS controls %s", controlList)
- }
- for _, c := range controls {
- pss := kyvernov1.PodSecurityStandard{
- ControlName: c.Name,
- }
- if c.Images != nil {
- pss.Images = wildcardTagOrDigest(c.Images)
- }
- pssList = append(pssList, pss)
- }
- exception.Spec.PodSecurity = pssList
- }
-
- exceptionYAML, err := yaml.Marshal(exception)
- if err != nil {
- return err
- }
-
- fmt.Fprint(out, "---\n")
- fmt.Fprint(out, string(exceptionYAML))
- fmt.Fprint(out, "\n")
- }
-
- return nil
-}
-
-var regexpTagOrDigest = regexp.MustCompile(":.*|@.*")
-
-func wildcardTagOrDigest(images []string) []string {
- for i, s := range images {
- images[i] = regexpTagOrDigest.ReplaceAllString(s, "*")
- }
- return images
-}
-
-func printViolations(out io.Writer, rc *processor.ResultCounts) {
- fmt.Fprintf(out, "\npass: %d, fail: %d, warn: %d, error: %d, skip: %d \n", rc.Pass, rc.Fail, rc.Warn, rc.Error, rc.Skip)
-}
diff --git a/pkg/kyverno-kubectl/table.go b/pkg/kyverno-kubectl/table.go
deleted file mode 100644
index be2af9f..0000000
--- a/pkg/kyverno-kubectl/table.go
+++ /dev/null
@@ -1,57 +0,0 @@
-// Copied from https://github.com/kyverno/kyverno/blob/25032e363f3b0ee302134dfebd191b03500987e9/cmd/cli/kubectl-kyverno/commands/apply/table.go
-package apply
-
-import (
- "io"
-
- "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/output/color"
- "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/output/table"
- "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/policy/annotations"
- engineapi "github.com/kyverno/kyverno/pkg/engine/api"
-)
-
-func printTable(out io.Writer, compact, auditWarn bool, engineResponses ...engineapi.EngineResponse) {
- var resultsTable table.Table
- id := 1
- for _, engineResponse := range engineResponses {
- policy := engineResponse.Policy()
- policyName := policy.GetName()
- policyNamespace := policy.GetNamespace()
- scored := annotations.Scored(policy.GetAnnotations())
- resourceKind := engineResponse.Resource.GetKind()
- resourceNamespace := engineResponse.Resource.GetNamespace()
- resourceName := engineResponse.Resource.GetName()
-
- for _, ruleResponse := range engineResponse.PolicyResponse.Rules {
- var row table.Row
- row.ID = id
- id++
- row.Policy = color.Policy(policyNamespace, policyName)
- if policy.GetType() == engineapi.KyvernoPolicyType {
- row.Rule = color.Rule(ruleResponse.Name())
- }
- row.Resource = color.Resource(resourceKind, resourceNamespace, resourceName)
- if ruleResponse.Status() == engineapi.RuleStatusPass {
- row.Result = color.ResultPass()
- } else if ruleResponse.Status() == engineapi.RuleStatusFail {
- if !scored {
- row.Result = color.ResultWarn()
- } else if auditWarn && engineResponse.GetValidationFailureAction().Audit() {
- row.Result = color.ResultWarn()
- } else {
- row.Result = color.ResultFail()
- }
- } else if ruleResponse.Status() == engineapi.RuleStatusWarn {
- row.Result = color.ResultWarn()
- } else if ruleResponse.Status() == engineapi.RuleStatusError {
- row.Result = color.ResultError()
- } else if ruleResponse.Status() == engineapi.RuleStatusSkip {
- row.Result = color.ResultSkip()
- }
- row.Message = ruleResponse.Message()
- resultsTable.Add(row)
- }
- }
- printer := table.NewTablePrinter(out)
- printer.Print(resultsTable.Rows(compact))
-}