Conversation
Amazing! This is what I always wanted and never knew existed! Is there documentation that you use for discovery and dynamic client or just the godoc? I have googled so many times for "how to unmarshal kubernetes objects from yaml in go" and never found it!!
My main concern is that we need the namespace resources, the rest are nits.
// Namespace has to be included as a resource to audit if it is specified. | ||
if apiresource.Name == "namespaces" && options.Namespace != "" { |
If I'm understanding correctly, we need to treat namespaces differently because it's a Get instead of a List? We need the namespace resources for the netpol audit so I think we always want to include the namespace resource. If options.Namespace != "" then we only want to include the namespace resource where the namespace name is equal to options.Namespace, but it looks like kc.dynamicClient.Resource(gvr).Get(context.Background(), options.Namespace, metav1.GetOptions{}) takes care of that filtering?
// Namespace has to be included as a resource to audit if it is specified. | |
if apiresource.Name == "namespaces" && options.Namespace != "" { | |
// Namespace has to be included as a resource to audit if it is specified. | |
if apiresource.Name == "namespaces" { |
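Review bot: the comment "// Namespace has to be included as a resource to audit if it is specified." is now stale, because the new condition if apiresource.Name == "namespaces" { no longer checks options.Namespace at all; reword it to say that namespaces are always audited, with a single namespace fetched by name when one is requested and all namespaces listed otherwise, so the comment matches the branch it sits above.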
If the options.Namespace is not specified we want to retrieve all namespaces, that is why we need to use the List function instead of the Get one. With the options.Namespace != "" test we will use the Get, which will return the namespace according to the option; otherwise the List will be used to return all namespaces. If we use only the List, that will return an empty unstructuredList if a namespace is specified:
kubeaudit/internal/k8sinternal/client.go, line 155 in 6e25d12:
unstructuredList, err := kc.dynamicClient.Resource(gvr).Namespace(options.Namespace).List(context.Background(), metav1.ListOptions{})
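To make the Get-versus-List branch discussed above concrete, here is an added, self-contained Go example. It is not code from kubeaudit or from client-go: a small fakeResource stands in for the dynamic client's Resource(gvr).Namespace(ns).Get/List calls (an assumed, simplified shape), the Options type and fetchForAudit function are hypothetical names, and the namespace and pod objects are constructed sample data. Namespaces are modelled as cluster-scoped, so a namespaced List of them comes back empty as the comment describes, while fetchForAudit applies the same condition as the PR and fetches a single requested namespace with Get.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sort"
)

// Options mirrors the namespace filter discussed in the thread (assumed name).
type Options struct {
	Namespace string
}

// fakeResource stands in for client-go's dynamic.ResourceInterface with only
// the verbs this example needs. It is not the real client. scopedTo is the
// namespace selected with Namespace(ns); objects are constructed sample
// records keyed by "name" and "namespace".
type fakeResource struct {
	name          string
	clusterScoped bool
	scopedTo      string
	objects       []map[string]string
}

// Namespace returns a copy narrowed to ns, like the dynamic client's builder call.
func (r *fakeResource) Namespace(ns string) *fakeResource {
	cp := *r
	cp.scopedTo = ns
	return &cp
}

// inScope applies the namespace selection the way the API path would: no
// selection matches everything; a selection matches namespaced objects in that
// namespace; a cluster-scoped resource under a namespaced path matches nothing,
// which is the empty result the thread describes.
func (r *fakeResource) inScope(o map[string]string) bool {
	if r.scopedTo == "" {
		return true
	}
	return !r.clusterScoped && o["namespace"] == r.scopedTo
}

// Get fetches one object by name, as Resource(gvr).Get(ctx, name, ...) does.
func (r *fakeResource) Get(_ context.Context, name string) (map[string]string, error) {
	for _, o := range r.objects {
		if o["name"] == name && r.inScope(o) {
			return o, nil
		}
	}
	return nil, errors.New(r.name + " " + name + " not found")
}

// List returns every object in scope, as Resource(gvr).Namespace(ns).List does.
func (r *fakeResource) List(_ context.Context) ([]map[string]string, error) {
	var out []map[string]string
	for _, o := range r.objects {
		if r.inScope(o) {
			out = append(out, o)
		}
	}
	return out, nil
}

// fetchForAudit applies the branch from the PR discussion: namespaces are always
// audited; a requested namespace is fetched by name with Get, because a
// namespaced List of the cluster-scoped namespaces resource is empty; every
// other case lists whatever is in scope.
func fetchForAudit(ctx context.Context, res *fakeResource, opts Options) ([]map[string]string, error) {
	if res.name == "namespaces" && opts.Namespace != "" {
		ns, err := res.Get(ctx, opts.Namespace)
		if err != nil {
			return nil, err
		}
		return []map[string]string{ns}, nil
	}
	return res.Namespace(opts.Namespace).List(ctx)
}

// names extracts sorted object names so results are easy to compare.
func names(objs []map[string]string) []string {
	out := make([]string, 0, len(objs))
	for _, o := range objs {
		out = append(out, o["name"])
	}
	sort.Strings(out)
	return out
}

// sampleNamespaces and samplePods are constructed sample data, not cluster output.
func sampleNamespaces() *fakeResource {
	return &fakeResource{name: "namespaces", clusterScoped: true, objects: []map[string]string{
		{"name": "default"}, {"name": "prod"}, {"name": "staging"},
	}}
}

func samplePods() *fakeResource {
	return &fakeResource{name: "pods", objects: []map[string]string{
		{"name": "api", "namespace": "prod"}, {"name": "web", "namespace": "staging"},
	}}
}

func main() {
	ctx := context.Background()
	for _, opts := range []Options{{}, {Namespace: "prod"}} {
		for _, res := range []*fakeResource{sampleNamespaces(), samplePods()} {
			objs, err := fetchForAudit(ctx, res, opts)
			fmt.Printf("namespace=%q resource=%s -> %v err=%v\n", opts.Namespace, res.name, names(objs), err)
		}
	}
	// The List-only variant the thread warns about: nothing comes back for "prod".
	empty, _ := sampleNamespaces().Namespace("prod").List(ctx)
	fmt.Println("list-only namespaces scoped to prod:", len(empty))
}
```

Running main prints all three namespaces and both pods when no namespace is given, and only the prod namespace and the api pod when Namespace is "prod"; the last line shows that the List-only approach scoped to prod would have produced zero namespaces for the audit.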
Ohh ok that makes sense. Neat, thank you for the clarification!
@@ -80,25 +77,22 @@ func TestGetObjectMeta(t *testing.T) { | |||
deployment := k8s.NewDeployment() | |||
deployment.ObjectMeta = objectMeta | |||
deployment.Spec.Template.ObjectMeta = podObjectMeta | |||
assert.Equal(objectMeta, *k8s.GetObjectMeta(deployment)) | |||
assert.Equal(podObjectMeta, *k8s.GetPodObjectMeta(deployment)) | |||
assert.Equal(&objectMeta, k8s.GetObjectMeta(deployment)) |
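Review bot: the assertion assert.Equal(podObjectMeta, *k8s.GetPodObjectMeta(deployment)) has no counterpart in the new lines, so the pod-template ObjectMeta path of this test loses its check; add the pointer-based equivalent, assert.Equal(&podObjectMeta, k8s.GetPodObjectMeta(deployment)), if that accessor still exists, or say in the PR description that it was removed.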
Out of curiosity: this looks functionally equivalent, is there an advantage to doing it this way?
It is because the k8s.GetObjectMeta function returns the metav1.Object interface instead of a metav1.ObjectMeta struct reference. It is provided by the ObjectMetaAccessor.GetObjectMeta() function.
Lines 70 to 77 in 5947edf:
// GetObjectMeta returns the highest-level ObjectMeta
func GetObjectMeta(resource Resource) metav1.Object {
	obj, _ := resource.(metav1.ObjectMetaAccessor)
	if obj != nil {
		return obj.GetObjectMeta()
	}
	return nil
}
Gotcha, missed the type switch and thought it was some go convention I didn't know about 😄
1b4f526 to 6e25d12 (Compare)
👆 rebase on the
Co-authored-by: Genevieve Luyt <[email protected]>
Description
To be able to audit any type of resource a dynamic client is used instead of a clientset.
Type of change
How Has This Been Tested?
All tests related to auditing resources from a cluster still work.
This feature is used by the "deprecated apis" auditor (#428) to check all resources of a cluster.
Checklist: