From 0b6007c9a5142843f6419e97c9fc8dbb51966bdb Mon Sep 17 00:00:00 2001
From: Genevieve Luyt <11131143+genevieveluyt@users.noreply.github.com>
Date: Mon, 12 Jul 2021 14:22:05 -0400
Subject: [PATCH 1/5] 345: Fix audit config
---
 auditors/all/all.go | 20 ++++++----
 auditors/all/all_test.go | 79 ++++++++++++++++++++++++++++++++++++++++
 config/config.go | 15 +++-----
 3 files changed, 97 insertions(+), 17 deletions(-)
diff --git a/auditors/all/all.go b/auditors/all/all.go
index 2b87dae8..64303450 100644
--- a/auditors/all/all.go
+++ b/auditors/all/all.go
@@ -40,13 +40,8 @@ var AuditorNames = []string{
 }

 func Auditors(conf config.KubeauditConfig) ([]kubeaudit.Auditable, error) {
- enabledAuditors := conf.GetEnabledAuditors()
- if len(enabledAuditors) == 0 {
- enabledAuditors = AuditorNames
- }
-
- auditors := make([]kubeaudit.Auditable, 0, len(enabledAuditors))
- for _, auditorName := range enabledAuditors {
+ auditors := []kubeaudit.Auditable{}
+ for _, auditorName := range getEnabledAuditors(conf) {
 auditor, err := initAuditor(auditorName, conf)
 if err != nil {
 return nil, err
@@ -57,6 +52,17 @@ func Auditors(conf config.KubeauditConfig) ([]kubeaudit.Auditable, error) {
 return auditors, nil
 }

+// getEnabledAuditors returns a list of all auditors excluding any explicitly disabled in the config
+func getEnabledAuditors(conf config.KubeauditConfig) []string {
+ auditors := []string{}
+ for _, auditorName := range AuditorNames {
+ if enabled, ok := conf.GetEnabledAuditors()[auditorName]; !ok || enabled {
+ auditors = append(auditors, auditorName)
+ }
+ }
+ return auditors
+}
+
 func initAuditor(name string, conf config.KubeauditConfig) (kubeaudit.Auditable, error) {
 switch name {
 case apparmor.Name:
diff --git a/auditors/all/all_test.go b/auditors/all/all_test.go
index 481b1264..0a6b8c19 100644
--- a/auditors/all/all_test.go
+++ b/auditors/all/all_test.go
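Review bot: A config key that does not name a known auditor is silently ignored by the added `getEnabledAuditors`, because the loop ranges over `AuditorNames` and only looks those names up in the map, so a misspelled `apparmour: false` leaves the real auditor enabled with no diagnostic — the same "disabled auditor still runs" symptom this patch is fixing, assuming `EnabledAuditors` is filled straight from the user's YAML. `Auditors` already returns an `error`, so the keys can be validated there before any auditor is built, without changing `getEnabledAuditors` or its new test. The sketch below does that; `fmt` would need to be imported in all.go, and the rest of `Auditors` (whose body is split across the two hunks on this line) is unchanged.
```go
func Auditors(conf config.KubeauditConfig) ([]kubeaudit.Auditable, error) {
	if err := checkAuditorNames(conf); err != nil {
		return nil, err
	}
	// … unchanged: build auditors from getEnabledAuditors(conf) …
}

// checkAuditorNames rejects config keys that match no entry of AuditorNames,
// so a typo cannot silently leave an auditor enabled.
func checkAuditorNames(conf config.KubeauditConfig) error {
	for name := range conf.GetEnabledAuditors() {
		known := false
		for _, auditorName := range AuditorNames {
			if name == auditorName {
				known = true
				break
			}
		}
		if !known {
			return fmt.Errorf("unknown auditor %q in config", name)
		}
	}
	return nil
}
```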
@@ -8,6 +8,7 @@ import (
 "github.com/Shopify/kubeaudit/auditors/apparmor"
 "github.com/Shopify/kubeaudit/auditors/asat"
 "github.com/Shopify/kubeaudit/auditors/capabilities"
+ "github.com/Shopify/kubeaudit/auditors/mounts"
 "github.com/Shopify/kubeaudit/auditors/hostns"
 "github.com/Shopify/kubeaudit/auditors/image"
@@ -20,6 +21,7 @@ import (
 "github.com/Shopify/kubeaudit/auditors/seccomp"
 "github.com/Shopify/kubeaudit/config"
 "github.com/Shopify/kubeaudit/internal/test"
+ "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 )
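Review bot: The new `mounts` import on the added line sits between `capabilities` and `hostns`, out of alphabetical order with its neighbours; if those specs form one contiguous run (blank lines are not visible in this hunk), gofmt's import sorting will move it after `limits` on the next format pass, and a gofmt/goimports check in CI would flag this file. Placing it directly after `"github.com/Shopify/kubeaudit/auditors/limits"` now avoids a follow-up whitespace-only commit. The import block starts and ends outside this hunk.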
@@ -97,6 +99,83 @@ func TestAllWithConfig(t *testing.T) {
 }
 }

+func TestGetEnabledAuditors(t *testing.T) {
+ cases := []struct {
+ testName string
+ enabledAuditors map[string]bool
+ expectedAuditors []string
+ }{
+ {
+ // If no config is provided, all auditors should be enabled
+ testName: "No config",
+ enabledAuditors: map[string]bool{},
+ expectedAuditors: AuditorNames,
+ },
+ {
+ // If some auditors are explicitly disabled, the rest should default to being enabled
+ testName: "Some disabled",
+ enabledAuditors: map[string]bool{
+ "apparmor": false,
+ "rootfs": false,
+ },
+ expectedAuditors: []string{
+ asat.Name,
+ capabilities.Name,
+ hostns.Name,
+ image.Name,
+ limits.Name,
+ mounts.Name,
+ netpols.Name,
+ nonroot.Name,
+ privesc.Name,
+ privileged.Name,
+ seccomp.Name,
+ },
+ },
+ {
+ testName: "Some enabled",
+ enabledAuditors: map[string]bool{
+ "apparmor": true,
+ "rootfs": true,
+ },
+ expectedAuditors: AuditorNames,
+ },
+ {
+ // If some auditors are explicitly disabled, the rest shou;d default to being enabled
+ testName: "Some enabled, some disabled",
+ enabledAuditors: map[string]bool{
+ "asat": true,
+ "apparmor": false,
+ "capabilities": true,
+ "rootfs": false,
+ },
+ expectedAuditors: []string{
+ asat.Name,
+ capabilities.Name,
+ hostns.Name,
+ image.Name,
+ limits.Name,
+ mounts.Name,
+ netpols.Name,
+ nonroot.Name,
+ privesc.Name,
+ privileged.Name,
+ seccomp.Name,
+ },
+ },
+ }
+
+ for _, tc := range cases {
+ t.Run(tc.testName, func(t *testing.T) {
+ conf := config.KubeauditConfig{
+ EnabledAuditors: tc.enabledAuditors,
+ }
+ got := getEnabledAuditors(conf)
+ assert.ElementsMatch(t, got, tc.expectedAuditors)
+ })
+ }
+}
+
 func enabledAuditorsToMap(enabledAuditors []string) map[string]bool {
 enabledAuditorMap := map[string]bool{}
 for _, auditorName := range AuditorNames {
diff --git a/config/config.go b/config/config.go
index c0761618..a9f160c8 100644
--- a/config/config.go
+++ b/config/config.go
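Review bot: None of the four cases exercises `EnabledAuditors: nil`, which is presumably what the struct holds when the config file omits the key entirely — the "No config" case uses an empty `map[string]bool{}` instead; indexing a nil map in `getEnabledAuditors` is safe, but the case is cheap to pin: `{testName: "Key absent (nil map)", enabledAuditors: nil, expectedAuditors: AuditorNames},`. A case with an unknown key such as `"typo": false` would likewise document that such keys are currently ignored rather than rejected. The two hand-written expected lists are `AuditorNames` minus two entries and will need editing every time an auditor is added; deriving them from `AuditorNames` in a small helper keeps them in sync. `assert.ElementsMatch` also discards order even though `getEnabledAuditors` preserves the `AuditorNames` order, so `assert.Equal` would be the stricter check.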
@@ -1,10 +1,11 @@
 package config

 import (
- "github.com/Shopify/kubeaudit/auditors/mounts"
 "io"
 "io/ioutil"

+ "github.com/Shopify/kubeaudit/auditors/mounts"
+
 "github.com/Shopify/kubeaudit/auditors/capabilities"
 "github.com/Shopify/kubeaudit/auditors/image"
 "github.com/Shopify/kubeaudit/auditors/limits"
@@ -31,17 +32,11 @@ type KubeauditConfig struct {
 AuditorConfig AuditorConfig `yaml:"auditors"`
 }

-func (conf *KubeauditConfig) GetEnabledAuditors() []string {
+func (conf *KubeauditConfig) GetEnabledAuditors() map[string]bool {
 if conf == nil {
- return []string{}
- }
- enabledAuditors := make([]string, 0, len(conf.EnabledAuditors))
- for auditorName, enabled := range conf.EnabledAuditors {
- if enabled {
- enabledAuditors = append(enabledAuditors, auditorName)
- }
+ return map[string]bool{}
 }
- return enabledAuditors
+ return conf.EnabledAuditors
 }

 func (conf *KubeauditConfig) GetAuditorConfigs() AuditorConfig {
From 221989ebb12f81669facb576df06acc6d273cabc Mon Sep 17 00:00:00 2001
From: Genevieve Luyt <11131143+genevieveluyt@users.noreply.github.com>
Date: Mon, 12 Jul 2021 14:26:43 -0400
Subject: [PATCH 2/5] Bump patch version
---
 cmd/commands/VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/commands/VERSION b/cmd/commands/VERSION
index 930e3000..e867cc2a 100644
--- a/cmd/commands/VERSION
+++ b/cmd/commands/VERSION
@@ -1 +1 @@
-0.14.1
+0.14.2
From d10a64c9b2b3547685b18f1c7a38075d4bb0491e Mon Sep 17 00:00:00 2001
From: Genevieve Luyt <11131143+genevieveluyt@users.noreply.github.com>
Date: Tue, 13 Jul 2021 09:32:33 -0400
Subject: [PATCH 3/5] Update auditors/all/all_test.go
Co-authored-by: Dani
---
 auditors/all/all_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auditors/all/all_test.go b/auditors/all/all_test.go
index 0a6b8c19..a1d56f30 100644
--- a/auditors/all/all_test.go
+++ b/auditors/all/all_test.go
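Review bot: The return type of the exported `GetEnabledAuditors` changes from `[]string` to `map[string]bool`, which breaks any caller outside this repository, yet the series ships it as a patch bump (0.14.1 → 0.14.2 in PATCH 2/5); if the config package is part of kubeaudit's public library surface, a minor bump or a new method alongside the old one would be the safer release. The method also has no doc comment, and the new contract — an absent key means "enabled", decided by the caller — is stated nowhere in config.go; suggested: `// GetEnabledAuditors returns the per-auditor enablement map from the config, keyed by auditor name. Keys absent from the map are treated as enabled by the callers in auditors/all; a nil receiver yields an empty map.` Note also that the non-nil path now hands back the struct's own map, so a caller that mutates the result mutates the config.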
@@ -141,7 +141,7 @@ func TestGetEnabledAuditors(t *testing.T) {
 expectedAuditors: AuditorNames,
 },
 {
- // If some auditors are explicitly disabled, the rest shou;d default to being enabled
+ // If some auditors are explicitly disabled, the rest should default to being enabled
 testName: "Some enabled, some disabled",
 enabledAuditors: map[string]bool{
 "asat": true,
From a341bdcf67f1555ac8d7f98f0b8eb0cbd266c4a1 Mon Sep 17 00:00:00 2001
From: Genevieve Luyt <11131143+genevieveluyt@users.noreply.github.com>
Date: Tue, 13 Jul 2021 09:37:17 -0400
Subject: [PATCH 4/5] PR feedback
---
 auditors/all/all.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/auditors/all/all.go b/auditors/all/all.go
index 64303450..fd5d7999 100644
--- a/auditors/all/all.go
+++ b/auditors/all/all.go
@@ -56,6 +56,8 @@ func Auditors(conf config.KubeauditConfig) ([]kubeaudit.Auditable, error) {
 func getEnabledAuditors(conf config.KubeauditConfig) []string {
 auditors := []string{}
 for _, auditorName := range AuditorNames {
+ // if value is not found in the `conf.GetEnabledAuditors()` map, this means
+ // it wasn't added to the config file, so it should be enabled by default
 if enabled, ok := conf.GetEnabledAuditors()[auditorName]; !ok || enabled {
 auditors = append(auditors, auditorName)
 }
From 87510265d4796ec0e122b13e7a7893d28d66f722 Mon Sep 17 00:00:00 2001
From: Genevieve Luyt <11131143+genevieveluyt@users.noreply.github.com>
Date: Tue, 13 Jul 2021 10:08:16 -0400
Subject: [PATCH 5/5] master -> main
---
 .github/workflows/ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8472ef43..5561877f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,9 +2,9 @@ name: CI
 on:
 push:
 branches:
- - master
+ - main
 pull_request:
- branches: [master]
+ branches: [main]
 jobs:
 test:
 runs-on: ubuntu-latest
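Review bot: The comment added above the `if` in the PATCH 4/5 hunk refers to `conf.GetEnabledAuditors()`, which the loop over `AuditorNames` re-evaluates on every iteration; hoisting it into a local calls the method once and lets the comment point at a name: `configured := conf.GetEnabledAuditors()` before the `for`, then `if enabled, ok := configured[auditorName]; !ok || enabled {`. The comment could also state what happens to a config key that matches no auditor name (it is ignored), which the current wording leaves open. `getEnabledAuditors`' closing brace and `return` lie outside the hunk.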