From 6e41ef6143df2e31b75f456c79fb116b7d853c27 Mon Sep 17 00:00:00 2001 
From: Georgi Baltiev <82998942+georgibaltiev@users.noreply.github.com> Date: Wed, 22 Jan 2025 17:57:43 +0200 Subject: [PATCH] Add a show command to the Diki CLI (#412) * Add supported versions metadata for each ruleset instance * Add ruleset version resolving methods to the provider definitions * Add comments * Add show command implementation * Move JSON defined structures into a separate module * Move ruleset user-friendly names into constant variables for broader access * Add description comments for the new constants * Add functions that showcase each provider's metadata * Refactor showProvider command and additional tabulations * formatting * Rename variables and comments in the metadata and builder packages * Add comment and reference changes to the app command * Add additional comments to the ruleset files * Refactor metadata initalizing builder methods * Fix typo * Add constants to the provider definition files * Add constants to the metadata builder methods * Declare and utilize a new string to Metadata map in main.go * Simplify some code * Tabulation * Remove support for version v1r11 * Correct some nits * Add suggestions * Fix typo * Tabulation * Change comments --- cmd/diki/app/app.go | 68 ++++++++++++++++++- cmd/diki/main.go | 18 +++-- pkg/metadata/metadata.go | 37 ++++++++++ pkg/provider/builder/garden.go | 44 ++++++++++++ pkg/provider/builder/gardener.go | 44 ++++++++++++ pkg/provider/builder/managedk8s.go | 50 ++++++++++++++ pkg/provider/builder/virtualgarden.go | 44 ++++++++++++ pkg/provider/garden/provider.go | 7 ++ .../ruleset/securityhardenedshoot/ruleset.go | 13 +++- pkg/provider/gardener/provider.go | 7 ++ .../gardener/ruleset/disak8sstig/ruleset.go | 11 ++- pkg/provider/managedk8s/provider.go | 7 ++ .../managedk8s/ruleset/disak8sstig/ruleset.go | 11 ++- .../ruleset/securityhardenedk8s/ruleset.go | 11 ++- pkg/provider/provider.go | 10 +++ pkg/provider/virtualgarden/provider.go | 7 ++ .../ruleset/disak8sstig/ruleset.go | 11 ++- 17 files changed, 
382 insertions(+), 18 deletions(-) create mode 100644 pkg/metadata/metadata.go diff --git a/cmd/diki/app/app.go b/cmd/diki/app/app.go index 90db8d40c..ed3dc7a48 100644 --- a/cmd/diki/app/app.go +++ b/cmd/diki/app/app.go @@ -21,6 +21,7 @@ import ( "k8s.io/component-base/version" "github.com/gardener/diki/pkg/config" + "github.com/gardener/diki/pkg/metadata" "github.com/gardener/diki/pkg/provider" "github.com/gardener/diki/pkg/report" "github.com/gardener/diki/pkg/rule" @@ -28,11 +29,21 @@ import ( ) // NewDikiCommand creates a new command that is used to start Diki. -func NewDikiCommand(providerCreateFuncs map[string]provider.ProviderFromConfigFunc) *cobra.Command { +func NewDikiCommand(providerOptions map[string]provider.ProviderOption) *cobra.Command { handler := slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelInfo}) logger := slog.New(handler) slog.SetDefault(logger) + providerCreateFuncs := map[string]provider.ProviderFromConfigFunc{} + for providerID, providerOption := range providerOptions { + providerCreateFuncs[providerID] = providerOption.ProviderFromConfigFunc + } + + metadataFuncs := map[string]provider.MetadataFunc{} + for providerID, providerOption := range providerOptions { + metadataFuncs[providerID] = providerOption.MetadataFunc + } + rootCmd := &cobra.Command{ Use: "diki", Short: "Diki a \"compliance checker\" or sorts, a detective control framework.", 
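Review bot: The two `for providerID, providerOption := range providerOptions` loops at the top of NewDikiCommand copy one map into two without checking that either function is set, so a `ProviderOption` with a nil `MetadataFunc` is only discovered later when `show provider` calls it and panics at runtime. A single loop that fills both maps and rejects an incomplete option up front keeps the failure at startup, where a misregistered provider is a programmer error; `fmt` is already used by app.go, so no new import is needed. The remainder of NewDikiCommand continues outside this hunk.
```go
	providerCreateFuncs := make(map[string]provider.ProviderFromConfigFunc, len(providerOptions))
	metadataFuncs := make(map[string]provider.MetadataFunc, len(providerOptions))
	for providerID, providerOption := range providerOptions {
		// Both functions are required; a nil MetadataFunc would otherwise only surface as a panic in `show provider`.
		if providerOption.ProviderFromConfigFunc == nil || providerOption.MetadataFunc == nil {
			panic(fmt.Sprintf("provider %q: ProviderOption must set both ProviderFromConfigFunc and MetadataFunc", providerID))
		}
		providerCreateFuncs[providerID] = providerOption.ProviderFromConfigFunc
		metadataFuncs[providerID] = providerOption.MetadataFunc
	}
	// … unchanged: rootCmd construction …
```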
@@ -126,6 +137,28 @@ e.g. to check compliance of your hyperscaler accounts.`, addReportGenerateDiffFlags(generateDiffCmd, &generateDiffOpts) generateCmd.AddCommand(generateDiffCmd) + showCmd := &cobra.Command{ + Use: "show", + Short: "Show metadata information for different diki internals, i.e. providers.", + Long: "Show metadata information for different diki internals, i.e. providers.", + RunE: func(_ *cobra.Command, _ []string) error { + return errors.New("show subcommand not selected") + }, + } + + rootCmd.AddCommand(showCmd) + + showProviderCmd := &cobra.Command{ + Use: "provider", + Short: "Show detailed information for providers.", + Long: "Show detailed information for providers.", + RunE: func(_ *cobra.Command, args []string) error { + return showProviderCmd(args, metadataFuncs) + }, + } + + showCmd.AddCommand(showProviderCmd) + return rootCmd } 
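Review bot: `showProviderCmd := &cobra.Command{` declares a local that shadows the package-level function `showProviderCmd` invoked inside its own RunE; it compiles only because the variable's scope starts after the declaration statement, and any later reference in this function silently resolves to the command instead of the function. Renaming the variable, e.g. `showProviderCommand := &cobra.Command{` and `showCmd.AddCommand(showProviderCommand)`, removes the trap. The argument-count rule enforced inside the handler could instead be declared as `Args: cobra.MaximumNArgs(1),` so cobra prints usage consistently with the other subcommands, and the parent `show` command's RunE returning a bare error rather than `cmd.Help()` means a user who types `diki show` gets an error with no hint of what to type next. The `Short`/`Long` text "i.e. providers" reads as "e.g." since providers are one example of the internals that can be shown.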
@@ -159,6 +192,39 @@ func addReportGenerateDiffFlags(cmd *cobra.Command, opts *generateDiffOptions) { cmd.PersistentFlags().Var(cliflag.NewMapStringString(&opts.identityAttributes), "identity-attributes", "The keys are the IDs of the providers that will be present in the generated difference report and the values are metadata attributes to be used as identifiers.") } +func showProviderCmd(args []string, metadataFuncs map[string]provider.MetadataFunc) error { + if len(args) > 1 { + return errors.New("command 'show provider' accepts at most one provider") + } + + if len(args) == 0 { + var providersMetadata []metadata.Provider + + for providerID := range metadataFuncs { + providersMetadata = append(providersMetadata, metadata.Provider{ID: providerID, Name: metadataFuncs[providerID]().Name}) + } + + if bytes, err := json.Marshal(providersMetadata); err != nil { + return err + } else { + fmt.Println(string(bytes)) + } + return nil + } + + metadataFunc, ok := metadataFuncs[args[0]] + if !ok { + return fmt.Errorf("unknown provider: %s", args[0]) + } + + if bytes, err := json.Marshal(metadataFunc()); err != nil { + return err + } else { + fmt.Println(string(bytes)) + } + return nil +} + func generateDiffCmd(args []string, generateDiffOpts generateDiffOptions, rootOpts reportOptions, logger *slog.Logger) error { if len(args) == 0 { return errors.New("generate diff command requires a minimum of one filepath argument") diff --git a/cmd/diki/main.go b/cmd/diki/main.go index a57ab59f7..e4d6b8ee3 100644 --- a/cmd/diki/main.go +++ b/cmd/diki/main.go 
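Review bot: The `len(args) == 0` branch of showProviderCmd ranges directly over the `metadataFuncs` map, so the JSON list of providers comes out in a different order on every run, which defeats diffing and scripting of the output; collect the keys, sort them, then build the slice. With no providers registered `providersMetadata` stays nil and marshals as `null` rather than `[]`, so pre-size it with `make`. The `if bytes, err := json.Marshal(...); err != nil { return err } else { ... }` form also shadows the `bytes` package name and reads better as a plain early return; this needs `sort` in app.go's imports if it is not already there.
```go
	if len(args) == 0 {
		providerIDs := make([]string, 0, len(metadataFuncs))
		for providerID := range metadataFuncs {
			providerIDs = append(providerIDs, providerID)
		}
		// Map iteration order is random; sort so the listing is stable across runs.
		sort.Strings(providerIDs)

		providersMetadata := make([]metadata.Provider, 0, len(providerIDs))
		for _, providerID := range providerIDs {
			providersMetadata = append(providersMetadata, metadata.Provider{ID: providerID, Name: metadataFuncs[providerID]().Name})
		}

		out, err := json.Marshal(providersMetadata)
		if err != nil {
			return err
		}
		fmt.Println(string(out))
		return nil
	}
	// … unchanged: single-provider lookup and output …
```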
@@ -12,15 +12,21 @@ import ( "github.com/gardener/diki/cmd/diki/app" "github.com/gardener/diki/pkg/provider" "github.com/gardener/diki/pkg/provider/builder" + "github.com/gardener/diki/pkg/provider/garden" + "github.com/gardener/diki/pkg/provider/gardener" + "github.com/gardener/diki/pkg/provider/managedk8s" + "github.com/gardener/diki/pkg/provider/virtualgarden" ) func main() { - cmd := app.NewDikiCommand(map[string]provider.ProviderFromConfigFunc{ - "garden": builder.GardenProviderFromConfig, - "gardener": builder.GardenerProviderFromConfig, - "managedk8s": builder.ManagedK8SProviderFromConfig, - "virtualgarden": builder.VirtualGardenProviderFromConfig, - }) + cmd := app.NewDikiCommand( + map[string]provider.ProviderOption{ + garden.ProviderID: {ProviderFromConfigFunc: builder.GardenProviderFromConfig, MetadataFunc: builder.GardenProviderMetadata}, + gardener.ProviderID: {ProviderFromConfigFunc: builder.GardenerProviderFromConfig, MetadataFunc: builder.GardenerProviderMetadata}, + managedk8s.ProviderID: {ProviderFromConfigFunc: builder.ManagedK8SProviderFromConfig, MetadataFunc: builder.ManagedK8SProviderMetadata}, + virtualgarden.ProviderID: {ProviderFromConfigFunc: builder.VirtualGardenProviderFromConfig, MetadataFunc: builder.VirtualGardenProviderMetadata}, + }, + ) if err := cmd.ExecuteContext(controllerruntime.SetupSignalHandler()); err != nil { log.Fatal(err) diff --git a/pkg/metadata/metadata.go b/pkg/metadata/metadata.go new file mode 100644 index 000000000..1f518a358 --- /dev/null +++ b/pkg/metadata/metadata.go 
@@ -0,0 +1,37 @@ +// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and Gardener contributors +// +// SPDX-License-Identifier: Apache-2.0 + +package metadata + +// Version is used to represent a specific version of a ruleset. +type Version struct { + // Version is the name of the ruleset release. + Version string `json:"version"` + // Latest shows if the specific version is the latest one. + Latest bool `json:"latest"` +} + +// Ruleset is used to represent a specific ruleset and it's metadata. +type Ruleset struct { + // ID is the unique identifier of the ruleset. + ID string `json:"id"` + // Name is the user-friendly name of the ruleset. + Name string `json:"name"` + // Versions is used to showcase the supported versions of the specific ruleset. + Versions []Version `json:"versions"` +} + +// Provider is used to represent an available provider by it's name and unique identifier. +type Provider struct { + // ID is the unique identifier of the provider. + ID string `json:"id"` + // Name is the user-friendly name of the provider. + Name string `json:"name"` +} + +// ProviderDetailed is used to represent a specific provider and it's metadata. +type ProviderDetailed struct { + Provider + Rulesets []Ruleset `json:"rulesets"` +} diff --git a/pkg/provider/builder/garden.go b/pkg/provider/builder/garden.go index df51f4caf..695adcedd 100644 --- a/pkg/provider/builder/garden.go +++ b/pkg/provider/builder/garden.go @@ -9,6 +9,7 @@ import ( "log/slog" "github.com/gardener/diki/pkg/config" + "github.com/gardener/diki/pkg/metadata" "github.com/gardener/diki/pkg/provider" "github.com/gardener/diki/pkg/provider/garden" "github.com/gardener/diki/pkg/provider/garden/ruleset/securityhardenedshoot" 
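Review bot: The doc comments on `Ruleset`, `Provider` and `ProviderDetailed` in metadata.go write "it's metadata" / "it's name"; the possessive is "its", e.g. `// Ruleset is used to represent a specific ruleset and its metadata.` The `Versions` field comment should state the contract the builders rely on, that the slice is ordered newest-first and exactly its first entry carries `Latest: true`, so a JSON consumer does not have to infer it. `Versions []Version` with no `omitempty` serialises as `null` when a ruleset contributes no versions; either guarantee a non-nil slice at construction or document that consumers must accept `null`. `ProviderDetailed.Rulesets` lacks a comment entirely and could take `// Rulesets lists the rulesets the provider can run, with their supported versions.`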
@@ -48,3 +49,46 @@ func GardenProviderFromConfig(conf config.ProviderConfig) (provider.Provider, er return p, nil } + +// gardenGetSupportedVersions returns the Supported Versions of a specific ruleset that is supported by the Garden provider. +func gardenGetSupportedVersions(ruleset string) []string { + switch ruleset { + case securityhardenedshoot.RulesetID: + return securityhardenedshoot.SupportedVersions + default: + return nil + } +} + +// GardenProviderMetadata returns available metadata for the Garden Provider and it's supported rulesets. +func GardenProviderMetadata() metadata.ProviderDetailed { + providerMetadata := metadata.ProviderDetailed{ + Provider: metadata.Provider{ + ID: garden.ProviderID, + Name: garden.ProviderName, + }, + Rulesets: []metadata.Ruleset{ + { + ID: securityhardenedshoot.RulesetID, + Name: securityhardenedshoot.RulesetName, + }, + }, + } + + for i := range providerMetadata.Rulesets { + supportedVersions := gardenGetSupportedVersions(providerMetadata.Rulesets[i].ID) + for _, supportedVersion := range supportedVersions { + providerMetadata.Rulesets[i].Versions = append( + providerMetadata.Rulesets[i].Versions, + metadata.Version{Version: supportedVersion, Latest: false}, + ) + } + + // Mark the first version as latest as the versions are sorted from newest to oldest + if len(providerMetadata.Rulesets[i].Versions) > 0 { + providerMetadata.Rulesets[i].Versions[0].Latest = true + } + } + + return providerMetadata +} diff --git a/pkg/provider/builder/gardener.go b/pkg/provider/builder/gardener.go index d16b0e2d8..c2a9005e8 100644 --- a/pkg/provider/builder/gardener.go +++ b/pkg/provider/builder/gardener.go @@ -11,6 +11,7 @@ import ( "k8s.io/client-go/rest" "github.com/gardener/diki/pkg/config" + "github.com/gardener/diki/pkg/metadata" "github.com/gardener/diki/pkg/provider" "github.com/gardener/diki/pkg/provider/gardener" "github.com/gardener/diki/pkg/provider/gardener/ruleset/disak8sstig" 
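Review bot: `GardenProviderMetadata` enumerates its rulesets with ID and Name and then re-resolves the versions by ID through the `gardenGetSupportedVersions` switch, and the same thirty-odd lines, including the "first entry is latest" rule, are repeated in gardener.go, managedk8s.go and virtualgarden.go, so that convention now lives in four places that can drift. Since all four files are in package `builder`, one unexported helper that takes the ID, name and version list directly lets each provider drop its lookup function and the post-processing loop. The helper should document that it trusts the version list to be sorted newest-first, as the ruleset packages promise.
```go
// rulesetMetadata builds the metadata for one ruleset. versions must be sorted
// newest to oldest, as the ruleset packages document; the first entry is marked
// Latest. Shared by every provider in this package so the convention lives once.
func rulesetMetadata(id, name string, versions []string) metadata.Ruleset {
	rs := metadata.Ruleset{ID: id, Name: name, Versions: make([]metadata.Version, 0, len(versions))}
	for i, v := range versions {
		rs.Versions = append(rs.Versions, metadata.Version{Version: v, Latest: i == 0})
	}
	return rs
}

// GardenProviderMetadata returns available metadata for the Garden Provider and its supported rulesets.
func GardenProviderMetadata() metadata.ProviderDetailed {
	return metadata.ProviderDetailed{
		Provider: metadata.Provider{ID: garden.ProviderID, Name: garden.ProviderName},
		Rulesets: []metadata.Ruleset{
			rulesetMetadata(securityhardenedshoot.RulesetID, securityhardenedshoot.RulesetName, securityhardenedshoot.SupportedVersions),
		},
	}
}
```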
@@ -61,3 +62,46 @@ func setConfigDefaults(config *rest.Config) { config.Burst = 40 } } + +// gardenerGetSupportedVersions returns the Supported Versions of a specific ruleset that is supported by the Gardener provider. +func gardenerGetSupportedVersions(ruleset string) []string { + switch ruleset { + case disak8sstig.RulesetID: + return disak8sstig.SupportedVersions + default: + return nil + } +} + +// GardenerProviderMetadata returns available metadata for the Gardener Provider and it's supported rulesets. +func GardenerProviderMetadata() metadata.ProviderDetailed { + providerMetadata := metadata.ProviderDetailed{ + Provider: metadata.Provider{ + ID: gardener.ProviderID, + Name: gardener.ProviderName, + }, + Rulesets: []metadata.Ruleset{ + { + ID: disak8sstig.RulesetID, + Name: disak8sstig.RulesetName, + }, + }, + } + + for i := range providerMetadata.Rulesets { + supportedVersions := gardenerGetSupportedVersions(providerMetadata.Rulesets[i].ID) + for _, supportedVersion := range supportedVersions { + providerMetadata.Rulesets[i].Versions = append( + providerMetadata.Rulesets[i].Versions, + metadata.Version{Version: supportedVersion, Latest: false}, + ) + } + + // Mark the first version as latest as the versions are sorted from newest to oldest + if len(providerMetadata.Rulesets[i].Versions) > 0 { + providerMetadata.Rulesets[i].Versions[0].Latest = true + } + } + + return providerMetadata +} diff --git a/pkg/provider/builder/managedk8s.go b/pkg/provider/builder/managedk8s.go index a0eecb845..866e348f9 100644 --- a/pkg/provider/builder/managedk8s.go +++ b/pkg/provider/builder/managedk8s.go @@ -9,6 +9,7 @@ import ( "log/slog" "github.com/gardener/diki/pkg/config" + "github.com/gardener/diki/pkg/metadata" "github.com/gardener/diki/pkg/provider" "github.com/gardener/diki/pkg/provider/managedk8s" "github.com/gardener/diki/pkg/provider/managedk8s/ruleset/disak8sstig" 
@@ -57,3 +58,52 @@ func ManagedK8SProviderFromConfig(conf config.ProviderConfig) (provider.Provider return p, nil } + +// managedK8SGetSupportedVersions returns the supported versions of a specific ruleset that is supported by the Managed K8S provider. +func managedK8SGetSupportedVersions(ruleset string) []string { + switch ruleset { + case securityhardenedk8s.RulesetID: + return securityhardenedk8s.SupportedVersions + case disak8sstig.RulesetID: + return disak8sstig.SupportedVersions + default: + return nil + } +} + +// ManagedK8SProviderMetadata returns available metadata for the Managed Kubernetes Provider and it's supported rulesets. +func ManagedK8SProviderMetadata() metadata.ProviderDetailed { + providerMetadata := metadata.ProviderDetailed{ + Provider: metadata.Provider{ + ID: managedk8s.ProviderID, + Name: managedk8s.ProviderName, + }, + Rulesets: []metadata.Ruleset{ + { + ID: securityhardenedk8s.RulesetID, + Name: securityhardenedk8s.RulesetName, + }, + { + ID: disak8sstig.RulesetID, + Name: disak8sstig.RulesetName, + }, + }, + } + + for i := range providerMetadata.Rulesets { + supportedVersions := managedK8SGetSupportedVersions(providerMetadata.Rulesets[i].ID) + for _, supportedVersion := range supportedVersions { + providerMetadata.Rulesets[i].Versions = append( + providerMetadata.Rulesets[i].Versions, + metadata.Version{Version: supportedVersion, Latest: false}, + ) + } + + // Mark the first version as latest as the versions are sorted from newest to oldest + if len(providerMetadata.Rulesets[i].Versions) > 0 { + providerMetadata.Rulesets[i].Versions[0].Latest = true + } + } + + return providerMetadata +} diff --git a/pkg/provider/builder/virtualgarden.go b/pkg/provider/builder/virtualgarden.go index 37664dba3..5adbfc105 100644 --- a/pkg/provider/builder/virtualgarden.go +++ b/pkg/provider/builder/virtualgarden.go 
@@ -9,6 +9,7 @@ import ( "log/slog" "github.com/gardener/diki/pkg/config" + "github.com/gardener/diki/pkg/metadata" "github.com/gardener/diki/pkg/provider" "github.com/gardener/diki/pkg/provider/virtualgarden" "github.com/gardener/diki/pkg/provider/virtualgarden/ruleset/disak8sstig" @@ -48,3 +49,46 @@ func VirtualGardenProviderFromConfig(conf config.ProviderConfig) (provider.Provi return p, nil } + +// virtualGardenGetSupportedVersions returns the supported versions of a specific ruleset that is supported by the Virtual Garden provider. +func virtualGardenGetSupportedVersions(ruleset string) []string { + switch ruleset { + case disak8sstig.RulesetID: + return disak8sstig.SupportedVersions + default: + return nil + } +} + +// VirtualGardenProviderMetadata returns available metadata for the Virtual Garden Provider and it's supported rulesets. +func VirtualGardenProviderMetadata() metadata.ProviderDetailed { + providerMetadata := metadata.ProviderDetailed{ + Provider: metadata.Provider{ + ID: virtualgarden.ProviderID, + Name: virtualgarden.ProviderName, + }, + Rulesets: []metadata.Ruleset{ + { + ID: disak8sstig.RulesetID, + Name: disak8sstig.RulesetName, + }, + }, + } + + for i := range providerMetadata.Rulesets { + supportedVersions := virtualGardenGetSupportedVersions(providerMetadata.Rulesets[i].ID) + for _, supportedVersion := range supportedVersions { + providerMetadata.Rulesets[i].Versions = append( + providerMetadata.Rulesets[i].Versions, + metadata.Version{Version: supportedVersion, Latest: false}, + ) + } + + // Mark the first version as latest as the versions are sorted from newest to oldest + if len(providerMetadata.Rulesets[i].Versions) > 0 { + providerMetadata.Rulesets[i].Versions[0].Latest = true + } + } + + return providerMetadata +} diff --git a/pkg/provider/garden/provider.go b/pkg/provider/garden/provider.go index c24691aaf..c4ac24acf 100644 --- a/pkg/provider/garden/provider.go +++ b/pkg/provider/garden/provider.go 
@@ -21,6 +21,13 @@ import ( sharedprovider "github.com/gardener/diki/pkg/shared/provider" ) +const ( + // ProviderID is a constant containing the id of the Garden provider. + ProviderID = "garden" + // ProviderName is a constant containing the user-friendly name of the Garden provider. + ProviderName = "Garden" +) + // Provider is a Garden Cluster Provider that can // be used to implement rules against a garden cluster. type Provider struct { diff --git a/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go b/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go index 07725d2e0..299289efb 100644 --- a/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go +++ b/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go @@ -19,11 +19,18 @@ import ( ) const ( - // RulesetID is a constant containing the id of the Security Hardened Shoot Cluster Ruleset. + // RulesetID is a constant containing the id of the Security Hardened Shoot Cluster ruleset. RulesetID = "security-hardened-shoot-cluster" + // RulesetName is a constant containing the user-friendly name of the Security Hardened Shoot Cluster ruleset. + RulesetName = "Security Hardened Shoot Cluster" ) -var _ ruleset.Ruleset = &Ruleset{} +var ( + _ ruleset.Ruleset = &Ruleset{} + // SupportedVersions is a list of available versions for the Security Hardened Shoot Cluster Ruleset. + // Versions are sorted from newest to oldest. + SupportedVersions = []string{"v0.1.0"} +) // Ruleset implements Security Hardened Shoot Cluster. type Ruleset struct { @@ -62,7 +69,7 @@ func (r *Ruleset) ID() string { // Name returns the name of the Ruleset. func (r *Ruleset) Name() string { - return "Security Hardened Shoot Cluster" + return RulesetName } // Version returns the version of the Ruleset. diff --git a/pkg/provider/gardener/provider.go b/pkg/provider/gardener/provider.go index 277cf5017..f44789aa3 100644 --- a/pkg/provider/gardener/provider.go +++ b/pkg/provider/gardener/provider.go 
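Review bot: `SupportedVersions = []string{"v0.1.0"}` in securityhardenedshoot/ruleset.go is a new exported package-level `var`, so any importer can mutate the list, and nothing in the hunk ties it to the version check the ruleset applies when it is built from config (that code is outside the hunk). If the constructor validates `Version` against its own hard-coded switch or list, `diki show provider` can advertise versions the runner rejects, or omit ones it accepts; make the constructor consult this slice (e.g. `slices.Contains(SupportedVersions, version)`) so there is one source of truth. The comment should say so explicitly, e.g. `// SupportedVersions lists the ruleset versions this binary can run, newest first. It is the single source of truth for version validation and for "diki show".`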
@@ -21,6 +21,13 @@ import ( sharedprovider "github.com/gardener/diki/pkg/shared/provider" ) +const ( + // ProviderID is a constant containing the id of the Gardener provider. + ProviderID = "gardener" + // ProviderName is a constant containing the user-friendly name of the Gardener provider. + ProviderName = "Gardener" +) + // Provider is a Gardener Provider that can be used to implement rules // against a shoot cluster and its controlplane (residing in a seed cluster). type Provider struct { diff --git a/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go b/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go index bd43ef315..94a7ef3ad 100644 --- a/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go @@ -23,9 +23,16 @@ import ( const ( // RulesetID is a constant containing the id of the DISA Kubernetes STIG Ruleset. RulesetID = "disa-kubernetes-stig" + // RulesetName is a constant containing the user-friendly name of the DISA Kubernetes STIG ruleset. + RulesetName = "DISA Kubernetes Security Technical Implementation Guide" ) -var _ ruleset.Ruleset = &Ruleset{} +var ( + _ ruleset.Ruleset = &Ruleset{} + // SupportedVersions is a list of available versions for the DISA Kubernetes STIG Ruleset. + // Versions are sorted from newest to oldest. + SupportedVersions = []string{"v2r2", "v2r1"} +) // Ruleset implements DISA Kubernetes STIG. type Ruleset struct { @@ -71,7 +78,7 @@ func (r *Ruleset) ID() string { // Name returns the name of the Ruleset. func (r *Ruleset) Name() string { - return "DISA Kubernetes Security Technical Implementation Guide" + return RulesetName } // Version returns the version of the Ruleset. diff --git a/pkg/provider/managedk8s/provider.go b/pkg/provider/managedk8s/provider.go index bd4dc411a..53be63d70 100644 --- a/pkg/provider/managedk8s/provider.go +++ b/pkg/provider/managedk8s/provider.go 
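Review bot: `SupportedVersions = []string{"v2r2", "v2r1"}` and `RulesetName = "DISA Kubernetes Security Technical Implementation Guide"` are declared here in gardener/ruleset/disak8sstig/ruleset.go and again, byte-for-byte, in the managedk8s and virtualgarden disak8sstig packages further down this patch, so the same STIG release list is maintained in three places and a future bump to one of them can go unnoticed in the others. The provider packages already import `github.com/gardener/diki/pkg/shared/provider`, so a shared location for ruleset-level constants appears to exist; if so, define the name and version list once there and re-export them from each package, e.g. `SupportedVersions = shareddisak8sstig.SupportedVersions`. Whether the three providers really support identical versions is not visible here and should be confirmed before merging them.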
@@ -21,6 +21,13 @@ import ( sharedprovider "github.com/gardener/diki/pkg/shared/provider" ) +const ( + // ProviderID is a constant containing the id of the Managed Kubernetes provider. + ProviderID = "managedk8s" + // ProviderName is a constant containing the user-friendly name of the Managed Kubernetes provider. + ProviderName = "Managed Kubernetes" +) + // Provider is a Managed Kubernetes Cluster Provider that can // be used to implement rules against a kubernetes cluster. type Provider struct { diff --git a/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go b/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go index 41b1794a8..f8d722b71 100644 --- a/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go @@ -23,9 +23,16 @@ import ( const ( // RulesetID is a constant containing the id of the DISA Kubernetes STIG Ruleset. RulesetID = "disa-kubernetes-stig" + // RulesetName is a constant containing the user-friendly name of the DISA Kubernetes STIG ruleset. + RulesetName = "DISA Kubernetes Security Technical Implementation Guide" ) -var _ ruleset.Ruleset = &Ruleset{} +var ( + _ ruleset.Ruleset = &Ruleset{} + // SupportedVersions is a list of available versions for the DISA Kubernetes STIG Ruleset. + // Versions are sorted from newest to oldest. + SupportedVersions = []string{"v2r2", "v2r1"} +) // Ruleset implements DISA Kubernetes STIG. type Ruleset struct { @@ -69,7 +76,7 @@ func (r *Ruleset) ID() string { // Name returns the name of the Ruleset. func (r *Ruleset) Name() string { - return "DISA Kubernetes Security Technical Implementation Guide" + return RulesetName } // Version returns the version of the Ruleset. diff --git a/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go b/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go index decdaf41e..987acad11 100644 --- a/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go 
+++ b/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go @@ -20,9 +20,16 @@ import ( const ( // RulesetID is a constant containing the id of the Security Hardened Kubernetes Cluster Ruleset. RulesetID = "security-hardened-k8s" + // RulesetName is a constant containing the user-friendly name of the Security Hardened Kubernetes ruleset. + RulesetName = "Security Hardened Kubernetes Cluster" ) -var _ ruleset.Ruleset = &Ruleset{} +var ( + _ ruleset.Ruleset = &Ruleset{} + // SupportedVersions is a list of available versions for the Security Hardened Kubernetes Cluster Ruleset. + // Versions are sorted from newest to oldest. + SupportedVersions = []string{"v0.1.0"} +) // Ruleset implements Security Hardened Kubernetes Cluster. type Ruleset struct { @@ -54,7 +61,7 @@ func (r *Ruleset) ID() string { // Name returns the name of the Ruleset. func (r *Ruleset) Name() string { - return "Security Hardened Kubernetes Cluster" + return RulesetName } // Version returns the version of the Ruleset. diff --git a/pkg/provider/provider.go b/pkg/provider/provider.go index 3e7f95ea1..1194033ac 100644 --- a/pkg/provider/provider.go +++ b/pkg/provider/provider.go @@ -8,6 +8,7 @@ import ( "context" "github.com/gardener/diki/pkg/config" + "github.com/gardener/diki/pkg/metadata" "github.com/gardener/diki/pkg/rule" "github.com/gardener/diki/pkg/ruleset" ) @@ -32,3 +33,12 @@ type ProviderResult struct { // ProviderFromConfigFunc constructs a Provider from ProviderConfig. type ProviderFromConfigFunc func(conf config.ProviderConfig) (Provider, error) + +// MetadataFunc constructs a detailed Provider metadata object. +type MetadataFunc func() metadata.ProviderDetailed + +// ProviderOption constructs a pair of a configuarion and metadata function for a specific provider. +type ProviderOption struct { + ProviderFromConfigFunc + MetadataFunc +} diff --git a/pkg/provider/virtualgarden/provider.go b/pkg/provider/virtualgarden/provider.go index 91f11c8e7..66c23d259 100644 
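Review bot: The doc comment on `ProviderOption` in pkg/provider/provider.go misspells "configuarion" and says the type "constructs" a pair, which a plain struct does not; suggest `// ProviderOption bundles the constructor and the metadata function of a single provider. Both fields must be non-nil.` Embedding the two function types means the fields are addressed by their type names (`ProviderFromConfigFunc`, `MetadataFunc`), which works for the keyed literals in main.go but is unusual for a plain data holder; named fields such as `FromConfig` and `Metadata` would read more naturally, at the cost of touching the four literals in main.go. Nothing in this type or the visible callers rejects a zero-value option, so the nil-safety contract should at least be spelled out in the comment.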
--- a/pkg/provider/virtualgarden/provider.go +++ b/pkg/provider/virtualgarden/provider.go @@ -21,6 +21,13 @@ import ( sharedprovider "github.com/gardener/diki/pkg/shared/provider" ) +const ( + // ProviderID is a constant containing the id of the Virtual Garden provider. + ProviderID = "virtualgarden" + // ProviderName is a constant containing the user-friendly name of the Virtual Garden provider. + ProviderName = "Virtual Garden" +) + // Provider is a Garden Cluster Provider that can be used to implement rules // against a virtual garden cluster and its controlplane (residing in a runtime cluster). type Provider struct { diff --git a/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go b/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go index 0067831a9..dd0a66145 100644 --- a/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go @@ -23,9 +23,16 @@ import ( const ( // RulesetID is a constant containing the id of the DISA Kubernetes STIG Ruleset. RulesetID = "disa-kubernetes-stig" + // RulesetName is a constant containing the user-friendly name of the DISA Kubernetes STIG ruleset. + RulesetName = "DISA Kubernetes Security Technical Implementation Guide" ) -var _ ruleset.Ruleset = &Ruleset{} +var ( + _ ruleset.Ruleset = &Ruleset{} + // SupportedVersions is a list of available versions for the DISA Kubernetes STIG Ruleset. + // Versions are sorted from newest to oldest. + SupportedVersions = []string{"v2r2", "v2r1"} +) // Ruleset implements DISA Kubernetes STIG. type Ruleset struct { @@ -69,7 +76,7 @@ func (r *Ruleset) ID() string { // Name returns the name of the Ruleset. func (r *Ruleset) Name() string { - return "DISA Kubernetes Security Technical Implementation Guide" + return RulesetName } // Version returns the version of the Ruleset.