Shopify · genevieveluyt · Nov 17, 2021 · Nov 5, 2021 · Nov 12, 2021
diff --git a/.gitignore b/.gitignore
@@ -9,3 +9,4 @@ coverage.txt
 *.swp
 /vendor
 /.vscode
+.go-version
diff --git a/cmd/commands/root.go b/cmd/commands/root.go
@@ -23,6 +23,7 @@ type rootFlags struct {
 	namespace   string
 	minSeverity string
 	exitCode    int
+	includegenerated bool
 }
 
 // RootCmd defines the shell command usage for kubeaudit.
@@ -50,6 +51,7 @@ func init() {
 	RootCmd.PersistentFlags().StringVarP(&rootConfig.minSeverity, "minseverity", "m", "info", "Set the lowest severity level to report (one of \"error\", \"warning\", \"info\")")
 	RootCmd.PersistentFlags().StringVarP(&rootConfig.format, "format", "p", "pretty", "The output format to use (one of \"pretty\", \"logrus\", \"json\")")
 	RootCmd.PersistentFlags().StringVarP(&rootConfig.namespace, "namespace", "n", apiv1.NamespaceAll, "Only audit resources in the specified namespace. Not currently supported in manifest mode.")
+	RootCmd.PersistentFlags().BoolVarP(&rootConfig.includegenerated, "includegenerated", "g", false, "Include generated resources in scan  (eg. pods generated by deployments).")
 	RootCmd.PersistentFlags().StringVarP(&rootConfig.manifest, "manifest", "f", "", "Path to the yaml configuration to audit. Only used in manifest mode.")
 	RootCmd.PersistentFlags().IntVarP(&rootConfig.exitCode, "exitcode", "e", 2, "Exit code to use if there are results with severity of \"error\". Conventionally, 0 is used for success and all non-zero codes for an error.")
 }
@@ -101,14 +103,14 @@ func getReport(auditors ...kubeaudit.Auditable) *kubeaudit.Report {
 	}
 
 	if k8sinternal.IsRunningInCluster(k8sinternal.DefaultClient) && rootConfig.kubeConfig == "" {
-		report, err := auditor.AuditCluster(k8sinternal.ClientOptions{Namespace: rootConfig.namespace})
+		report, err := auditor.AuditCluster(k8sinternal.ClientOptions{Namespace: rootConfig.namespace, IncludeGenerated: rootConfig.includegenerated})
 		if err != nil {
 			log.WithError(err).Fatal("Error auditing cluster")
 		}
 		return report
 	}
 
-	report, err := auditor.AuditLocal(rootConfig.kubeConfig, kubeaudit.AuditOptions{Namespace: rootConfig.namespace})
+	report, err := auditor.AuditLocal(rootConfig.kubeConfig, kubeaudit.AuditOptions{Namespace: rootConfig.namespace, IncludeGenerated: rootConfig.includegenerated})
 	if err != nil {
 		log.WithError(err).Fatal("Error auditing cluster in local mode")
 	}

diff --git a/internal/k8sinternal/client.go b/internal/k8sinternal/client.go
@@ -85,6 +85,7 @@ func IsRunningInCluster(client Client) bool {
 type ClientOptions struct {
 	// Namespace filters resources by namespace. Defaults to all namespaces.
 	Namespace string
+	IncludeGenerated bool
 }
 
 // GetAllResources gets all supported resources from the cluster
@@ -103,8 +104,9 @@ func GetAllResources(clientset kubernetes.Interface, options ClientOptions) []k8
 	resources = append(resources, GetNamespaces(clientset, options)...)
 	resources = append(resources, GetServices(clientset, options)...)
 	resources = append(resources, GetJobs(clientset, options)...)
-
-	resources = excludeGenerated(resources)
+	if options.IncludeGenerated == false {
+		resources = excludeGenerated(resources)
+	}
 
 	return resources
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -9,3 +9,4 @@ coverage.txt @@
     *.swp
     /vendor
     /.vscode
+    .go-version