Commit

fix(cli): Handle changes from new Config Validator version w.r.t. Violation format and k8s resource handling (#613)

* update go.mod

* cleanup test data

* handle new Violation format from new CV wrt to constraint category and name, and minor lint changes

* add gatekeeper test case

Co-authored-by: Morgante Pell <[email protected]>
katze120 and morgante authored Apr 7, 2020
1 parent 3cdad1a commit 35dd7c6
Showing 11 changed files with 61 additions and 24 deletions.
5 changes: 2 additions & 3 deletions cli/go.mod
Expand Up @@ -4,13 +4,12 @@ go 1.12

require (
cloud.google.com/go v0.38.0
github.com/GoogleCloudPlatform/terraform-validator v0.0.0-20190611191127-0aa9d709266e
github.com/briandowns/spinner v1.6.1
github.com/forseti-security/config-validator v0.0.0-20200214190434-b3da3b61dbb1
github.com/forseti-security/config-validator v0.0.0-20200317212309-6f70138af9ec
github.com/golang/protobuf v1.3.2
github.com/hashicorp/terraform v0.12.2 // indirect
github.com/inconshreveable/log15 v0.0.0-20180818164646-67afb5ed74ec
github.com/open-policy-agent/opa v0.16.2
github.com/open-policy-agent/opa v0.17.2
github.com/pkg/errors v0.8.1
github.com/spf13/cobra v0.0.5
github.com/spf13/viper v1.3.2
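Review bot: the bump of github.com/open-policy-agent/opa from v0.16.2 to v0.17.2 in this hunk is not mentioned in the commit message, which only lists "update go.mod" and the Config Validator changes; if the OPA move is a transitive requirement of the new config-validator pseudo-version, a line saying so would help anyone bisecting a policy-evaluation change later. Since config-validator v0.0.0-20200317212309-6f70138af9ec is the version that changes the Violation shape the rest of this commit adapts to, linking that upstream change in the message would make the format dependency traceable.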
11 changes: 11 additions & 0 deletions cli/go.sum
Expand Up @@ -29,6 +29,7 @@ github.com/GoogleCloudPlatform/terraform-validator v0.0.0-20190611191127-0aa9d70
github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd/go.mod h1:64YHyfSL2R96J44Nlwm39UHepQbyR5q10x7iYa1ks2E=
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
github.com/OneOfOne/xxhash v1.2.3 h1:wS8NNaIgtzapuArKIAjsyXtEN/IUjQkbw90xszUdS40=
github.com/OneOfOne/xxhash v1.2.3/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
github.com/OneOfOne/xxhash v1.2.5 h1:zl/OfRA6nftbBK9qTohYBJ5xvw6C/oNKizR7cZGl3cI=
github.com/OneOfOne/xxhash v1.2.5/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q=
Expand Down Expand Up @@ -134,6 +135,8 @@ github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI
github.com/forseti-security/config-validator v0.0.0-20190611184209-ce0fa1c12514/go.mod h1:Vau5ih3z998VJAvBiKZZV+q8MHwVY7EAs+GAE1SDikE=
github.com/forseti-security/config-validator v0.0.0-20200214190434-b3da3b61dbb1 h1:jbuKpXia0YmT2ynKeuI0hm01hzjmgJtvGdtBgdhBT6c=
github.com/forseti-security/config-validator v0.0.0-20200214190434-b3da3b61dbb1/go.mod h1:/ZIphx5XmfeeY6igAkKAQN6o1zUjUnmhD4Xyevon6po=
github.com/forseti-security/config-validator v0.0.0-20200317212309-6f70138af9ec h1:FwTf62tmlCgFGs4xNMsmwzIaOkPcNwlkxQD+fCpcqAY=
github.com/forseti-security/config-validator v0.0.0-20200317212309-6f70138af9ec/go.mod h1:H16On75JtsrqF1/vtb19/vgiiyI/x+dvvmRTNTz9IT4=
github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
github.com/gammazero/deque v0.0.0-20180920172122-f6adf94963e4/go.mod h1:GeIq9qoE43YdGnDXURnmKTnGg15pQz4mYkXSTChbneI=
Expand Down Expand Up @@ -252,6 +255,7 @@ github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXi
github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/googleapis/gax-go v2.0.0+incompatible h1:j0GKcs05QVmm7yesiZq2+9cxHkNK9YM6zKx4D2qucQU=
github.com/googleapis/gax-go v2.0.0+incompatible/go.mod h1:SFVmujtThgffbyetf+mdk2eWhX2bMyUtNHzFKcPA9HY=
github.com/googleapis/gax-go v2.0.2+incompatible h1:silFMLAnr330+NRuag/VjIGF7TLp/LBrV2CJKFLWEww=
github.com/googleapis/gax-go v2.0.2+incompatible/go.mod h1:SFVmujtThgffbyetf+mdk2eWhX2bMyUtNHzFKcPA9HY=
Expand Down Expand Up @@ -454,6 +458,8 @@ github.com/open-policy-agent/gatekeeper v0.0.0-20200130050101-a7990e5bc83a/go.mo
github.com/open-policy-agent/opa v0.11.0/go.mod h1:rlfeSeHuZmMEpmrcGla42AjkOUjP4rGIpS96H12un3o=
github.com/open-policy-agent/opa v0.16.2 h1:Fdt1ysSA3p7z88HVHmUFiPM6hqqXbLDDZF9cQFYaIP0=
github.com/open-policy-agent/opa v0.16.2/go.mod h1:P0xUE/GQAAgnvV537GzA0Ikw4+icPELRT327QJPkaKY=
github.com/open-policy-agent/opa v0.17.2 h1:E7l8FvgoyrmphQGtD+h9HfSTcf8b7d3X4PDQ4avrEmo=
github.com/open-policy-agent/opa v0.17.2/go.mod h1:P0xUE/GQAAgnvV537GzA0Ikw4+icPELRT327QJPkaKY=
github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8=
github.com/packer-community/winrmcp v0.0.0-20180102160824-81144009af58/go.mod h1:f6Izs6JvFTdnRbziASagjZ2vmf55NSIkC/weStxCHqk=
Expand Down Expand Up @@ -535,6 +541,7 @@ github.com/sourcegraph/annotate v0.0.0-20160123013949-f4cad6c6324d/go.mod h1:Udh
github.com/sourcegraph/syntaxhighlight v0.0.0-20170531221838-bd320f5d308e/go.mod h1:HuIsMU8RRBOtsCgI77wP899iHVBQpCmg4ErYMZB+2IA=
github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
github.com/spf13/afero v1.2.1 h1:qgMbHoJbPbw579P+1zVY+6n4nIFuIchaIjzZ/I/Yq8M=
github.com/spf13/afero v1.2.1/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
github.com/spf13/afero v1.2.2 h1:5jhuqJyZCZf2JRofRvN/nIFgIWNzPa3/Vz8mYylgbWc=
github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
Expand Down Expand Up @@ -595,6 +602,7 @@ go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qL
go.mongodb.org/mongo-driver v1.1.1 h1:Sq1fR+0c58RME5EoqKdjkiQAmPjmfHlZOoRI6fTUOcs=
go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
go.opencensus.io v0.18.0/go.mod h1:vKdFvxhtzZ9onBp9VKHK8z/sRpBMnKAsufL7wlDrCOA=
go.opencensus.io v0.21.0 h1:mU6zScU4U1YAFPHEHYk+3JC4SY7JxgkqS10ZOSyksNg=
go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
go.opencensus.io v0.22.2 h1:75k/FF0Q2YM8QYo07VPddOLBslDt1MZOdEslOHvmzAs=
go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
Expand Down Expand Up @@ -655,6 +663,7 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
golang.org/x/net v0.0.0-20190502183928-7f726cade0ab/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859 h1:R/3boaszxrf1GEUWTVDzSKVwLmSJpwZ1yqXm8j0v2QI=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190812203447-cdfb69ac37fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297 h1:k7pJ2yAPLPgbskkFdhRCsA77k2fySZ1zf2zCjvQCiIM=
Expand Down Expand Up @@ -696,6 +705,7 @@ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190502175342-a43fa875dd82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b h1:ag/x1USPSsqHud38I9BAC88qdNLDHHtQ4mlgQIZPPNA=
golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f h1:25KHgbfyiSm6vwQLbM3zZIe1v9p/3ea4Rz+nnM5K/i4=
golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
Expand Down Expand Up @@ -763,6 +773,7 @@ google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3
google.golang.org/grpc v1.18.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.19.1/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.20.1 h1:Hz2g2wirWK7H0qIIhGIqRGTuMwTE8HEKFnDZZ7lm9NU=
google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
google.golang.org/grpc v1.23.0 h1:AzbTB6ux+okLTzP8Ru1Xs41C303zdcfEht7MQnYJt5A=
google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
2 changes: 1 addition & 1 deletion cli/scorecard/main.go
Expand Up @@ -18,5 +18,5 @@ import (
log "github.com/inconshreveable/log15"
)

// Scorecard log15 handler
// Log (log15) handler for Scorecard
var Log = log.New()
1 change: 0 additions & 1 deletion cli/scorecard/proto_test.go
Expand Up @@ -68,4 +68,3 @@ func TestDataTypeTransformation(t *testing.T) {
}
})
}

18 changes: 8 additions & 10 deletions cli/scorecard/score.go
Expand Up @@ -24,6 +24,7 @@ import (
"io"
"os"
"path/filepath"
"strings"

"github.com/forseti-security/config-validator/pkg/api/validator"
"github.com/forseti-security/config-validator/pkg/gcv"
Expand Down Expand Up @@ -77,17 +78,16 @@ func (c constraintCategory) Count() int {

// constraintViolations holds violations for a particular constraint
type constraintViolations struct {
constraint *validator.Constraint
constraint string
Violations []*validator.Violation `protobuf:"bytes,1,rep,name=violations,proto3" json:"violations,omitempty"`
}

func (cv constraintViolations) Count() int {
return len(cv.Violations)
}

func (cv constraintViolations) GetName() string {
return cv.Violations[0].Constraint
// return cv.constraint.GetMetadata().GetStructValue().GetFields()["name"].GetStringValue()
func getConstraintShortName(constraintName string) string {
return strings.Split(constraintName, ".")[1]
}

// RichViolation holds a violation with its category
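Review bot: getConstraintShortName panics with an index-out-of-range when constraintName contains no ".", because strings.Split then returns a one-element slice and `[1]` is read unconditionally; the GetName method it replaces returned the constraint string unchanged, so any violation whose constraint is not in `Kind.name` form now crashes the scorecard instead of being reported. Suggest `parts := strings.SplitN(constraintName, ".", 2)` / `if len(parts) < 2 { return constraintName }` / `return parts[1]`; SplitN with a limit of 2 also preserves any further dots in the name part instead of silently truncating it. Minor: the `protobuf:"bytes,1,rep,..."` struct tag on Violations is a leftover on a hand-written type and can go.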
Expand Down Expand Up @@ -119,15 +119,14 @@ func (config *ScoringConfig) getConstraintForViolation(violation *validator.Viol
key := violation.GetConstraint()
cv, found := config.constraints[key]
if !found {
constraint := violation.GetConstraintConfig()
constraint := key
cv = &constraintViolations{
constraint: constraint,
}
config.constraints[key] = cv

metadata := constraint.GetMetadata()
metadata := violation.GetMetadata().GetStructValue().GetFields()["constraint"]
annotations := metadata.GetStructValue().GetFields()["annotations"].GetStructValue().GetFields()

categoryKey := otherCategoryKey
categoryValue, found := annotations["bundles.validator.forsetisecurity.org/scorecard-v1"]
if found {
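Review bot: the category lookup now depends on the violation's Metadata carrying a `constraint` struct with an `annotations` field. The protobuf getters are nil-safe, so a violation whose metadata lacks that key does not fail; it silently falls through to otherCategoryKey, which makes a future Violation-format mismatch look like "uncategorized" rather than an error. Consider a Log.Debug (the Log handler from main.go) when `GetFields()["constraint"]` is nil so the mismatch is diagnosable. Also `constraint := key` followed by `constraint: constraint` can be collapsed to `constraint: key`.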
Expand Down Expand Up @@ -232,7 +231,7 @@ func (inventory *InventoryConfig) Score(config *ScoringConfig, outputPath string
for _, category := range config.categories {
for _, cv := range category.constraints {
for _, v := range cv.Violations {
record := []string{category.Name, v.Constraint, v.Resource, v.Message}
record := []string{category.Name, getConstraintShortName(v.Constraint), v.Resource, v.Message}
for _, field := range outputMetadataFields {
metadata := v.Metadata.GetStructValue().Fields["details"].GetStructValue().Fields[field]
value, _ := stringViaJSON(metadata)
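Review bot: the CSV record now writes getConstraintShortName(v.Constraint), i.e. only the part after the first ".", so the constraint's template kind is dropped from the output and two constraints of different kinds that share a short name become indistinguishable in the report. The full name is still available in v.Constraint; consider keeping it in an additional column, or documenting the short-name convention wherever the CSV format is described.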
Expand All @@ -250,7 +249,7 @@ func (inventory *InventoryConfig) Score(config *ScoringConfig, outputPath string
io.WriteString(dest, fmt.Sprintf("\n\n%v: %v issues found\n", category.Name, category.Count()))
io.WriteString(dest, fmt.Sprintf("----------\n"))
for _, cv := range category.constraints {
io.WriteString(dest, fmt.Sprintf("%v: %v issues\n", cv.GetName(), cv.Count()))
io.WriteString(dest, fmt.Sprintf("%v: %v issues\n", getConstraintShortName(cv.constraint), cv.Count()))
for _, v := range cv.Violations {
io.WriteString(dest, fmt.Sprintf("- %v\n", v.Message))
for _, field := range outputMetadataFields {
Expand Down Expand Up @@ -288,4 +287,3 @@ func uniqueViolations(violations []*validator.Violation) []*validator.Violation
}
return uniqueViolations
}

1 change: 0 additions & 1 deletion cli/scorecard/violations.go
Expand Up @@ -144,4 +144,3 @@ func getAssetFromJSON(input []byte) (*validator.Asset, error) {
Log.Debug("Asset converted", "name", asset["name"], "ancestry", pbAsset.GetAncestryPath())
return pbAsset, nil
}

17 changes: 10 additions & 7 deletions cli/scorecard/violations_test.go
Expand Up @@ -28,8 +28,8 @@ const (

type getAssetFromJSONTestcase struct {
name string
assetJSONFile string
ancestryPath string
assetJSONFile string
ancestryPath string
isResource bool
isIamPolicy bool
}
Expand All @@ -44,14 +44,14 @@ func TestGetAssetFromJSON(t *testing.T) {
{
name: "resource",
assetJSONFile: "/shared/resource.json",
ancestryPath: "organizations/56789/projects/1234",
ancestryPath: "organizations/56789/projects/1234",
isResource: true,
isIamPolicy: false,
},
{
name: "iam policy",
assetJSONFile: "/shared/iam_policy.json",
ancestryPath: "organizations/56789/folders/2345/projects/1234",
ancestryPath: "organizations/56789/folders/2345/projects/1234",
isResource: false,
isIamPolicy: true,
},
Expand Down Expand Up @@ -86,8 +86,12 @@ func TestGetAssetFromJSON(t *testing.T) {
func TestGetViolations(t *testing.T) {
var testCases = []getViolationsTestcase{
{
resource: "//storage.googleapis.com/test-project",
constraint: "iam-gcs-blacklist-public-users",
resource: "//storage.googleapis.com/test-bucket-public",
constraint: "GCPStorageBucketWorldReadableConstraintV1.iam-gcs-blacklist-public-users",
},
{
resource: "//container.googleapis.com/projects/gke-networking/zones/us-central1-a/clusters/private-cluster-demo/k8s/namespaces/default/pods/hello-world-deploy-1234567d898-xqwf9",
constraint: "K8sDumpReview.dump-review",
},
}
inventory, err := NewInventory("", localCaiDir, false, false, TargetProject("1234"), TargetFolder("2345"), TargetOrg("56789"))
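Review bot: the expected constraint strings now carry the template kind as a prefix (`GCPStorageBucketWorldReadableConstraintV1.iam-gcs-blacklist-public-users`, `K8sDumpReview.dump-review`), so this test pins the new `Kind.name` naming from Config Validator and is where a future rename will surface; a short comment saying so would help. The second case's resource is a long k8s pod path that must match the asset name in cli/testdata/scorecard/cai-dir/resource_inventory.json byte for byte; a comment pointing at that fixture would save the next reader a grep.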
Expand Down Expand Up @@ -117,4 +121,3 @@ func TestGetViolations(t *testing.T) {
})
}
}

2 changes: 1 addition & 1 deletion cli/testdata/scorecard/cai-dir/iam_inventory.json
@@ -1 +1 @@
{"name":"//storage.googleapis.com/test-project","asset_type":"storage.googleapis.com/Bucket","iam_policy":{"etag":"WwAAAaAaaaa=","bindings":[{"role":"roles/storage.legacyBucketOwner","members":["projectEditor:test-project","projectOwner:test-project"]},{"role":"roles/storage.objectViewer","members":["allAuthenticatedUsers"]}]},"ancestors":["projects/1234","folders/2345","organizations/56789"]}
{"name":"//storage.googleapis.com/test-bucket-public","asset_type":"storage.googleapis.com/Bucket","iam_policy":{"etag":"WwAAAaAaaaa=","bindings":[{"role":"roles/storage.legacyBucketOwner","members":["projectEditor:test-project","projectOwner:test-project"]},{"role":"roles/storage.objectViewer","members":["allAuthenticatedUsers"]}]},"ancestors":["projects/1234","folders/2345","organizations/56789"]}
1 change: 1 addition & 0 deletions cli/testdata/scorecard/cai-dir/resource_inventory.json
@@ -1 +1,2 @@
{"name":"//storage.googleapis.com/test-bucket-public","asset_type":"storage.googleapis.com/Bucket","resource":{"version":"v1","discovery_document_uri":"https://www.googleapis.com/discovery/v1/apis/storage/v1/rest","discovery_name":"Bucket","parent":"//cloudresourcemanager.googleapis.com/projects/1234","data":{"acl":[],"billing":{},"cors":[],"defaultObjectAcl":[],"encryption":{},"etag":"CAU=","iamConfiguration":{"bucketPolicyOnly":{"enabled":true,"lockedTime":"2019-08-05T09:26:23.996Z"},"uniformBucketLevelAccess":{"enabled":true,"lockedTime":"2019-08-05T09:26:23.996Z"}},"id":"test-bucket-public","kind":"storage#bucket","labels":{},"lifecycle":{"rule":[]},"location":"US","locationType":"multi-region","logging":{},"metageneration":5,"name":"test-bucket-public","owner":{},"projectNumber":4567,"retentionPolicy":{},"selfLink":"https://www.googleapis.com/storage/v1/b/test-bucket-public","storageClass":"MULTI_REGIONAL","timeCreated":"2019-05-07T09:26:23.996Z","updated":"2019-05-07T15:11:21.219Z","versioning":{},"website":{}}},"ancestors":["projects/1234","folders/2345","organizations/56789"]}
{"name":"//container.googleapis.com/projects/gke-networking/zones/us-central1-a/clusters/private-cluster-demo/k8s/namespaces/default/pods/hello-world-deploy-1234567d898-xqwf9","asset_type":"k8s.io/Pod","resource":{"version":"v1","discovery_document_uri":"https://raw.githubusercontent.com/kubernetes/kubernetes/master/api/openapi-spec/swagger.json","discovery_name":"io.k8s.api.core.v1.Pod","parent":"//container.googleapis.com/projects/gke-networking/zones/us-central1-a/clusters/private-cluster-demo/k8s/namespaces/default","data":{"metadata":{"annotations":{"cni.projectcalico.org/podIP":"10.10.16.68/32","kubernetes.io/limit-ranger":"LimitRanger plugin set: cpu request for container hello-world"},"creationTimestamp":"2019-12-13T04:15:29Z","generateName":"hello-world-deploy-1234567d898-","labels":{"app":"hello-world-example","pod-template-hash":"598587d898"},"name":"hello-world-deploy-1234567d898-xqwf9","namespace":"default","ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"hello-world-deploy-1234567d898","uid":"717b4db1-5a82-11e9-1111-12345a0a0fe3"}],"resourceVersion":"63643167","selfLink":"/api/v1/namespaces/default/pods/hello-world-deploy-1234567d898-xqwf9","uid":"1234567b-1d5f-11ea-9f3d-42010a0a0fe7"},"spec":{"containers":[{"image":"gcr.io/google-samples/hello-app:2.0","imagePullPolicy":"IfNotPresent","name":"hello-world","ports":[{"containerPort":8080,"protocol":"TCP"}],"resources":{"requests":{"cpu":"100m"}},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount","name":"default-token-123a4","readOnly":true}]}],"dnsPolicy":"ClusterFirst","hostname":"hello-world","nodeName":"gke-private-cluster-demo-default-pool-123456d1-87j0","priority":0,"restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"serviceAccount":"default","serviceAccountName":"default","terminationGracePeriodS
econds":30,"tolerations":[{"effect":"NoExecute","key":"node.kubernetes.io/not-ready","operator":"Exists","tolerationSeconds":300},{"effect":"NoExecute","key":"node.kubernetes.io/unreachable","operator":"Exists","tolerationSeconds":300}],"volumes":[{"name":"default-token-123a4","secret":{"defaultMode":420,"secretName":"default-token-123a4"}}]},"status":{"conditions":[{"lastProbeTime":null,"lastTransitionTime":"2019-12-13T04:15:29Z","status":"True","type":"Initialized"},{"lastProbeTime":null,"lastTransitionTime":"2019-12-13T04:15:36Z","status":"True","type":"Ready"},{"lastProbeTime":null,"lastTransitionTime":"2019-12-13T04:15:36Z","status":"True","type":"ContainersReady"},{"lastProbeTime":null,"lastTransitionTime":"2019-12-13T04:15:29Z","status":"True","type":"PodScheduled"}],"containerStatuses":[{"containerID":"docker://24964fc7e2905e2fe2f41f6ef6a81e746a49f75f00fded6168a36febfc644f14","image":"gcr.io/google-samples/hello-app:2.0","imageID":"docker-pullable://gcr.io/google-samples/hello-app@sha256:37e5287945774f27b418ce567cd77f4bbc9ef44a1bcd1a2312369f31f9cce567","lastState":{},"name":"hello-world","ready":true,"restartCount":0,"state":{"running":{"startedAt":"2019-12-13T04:15:33Z"}}}],"hostIP":"10.10.10.10","phase":"Running","podIP":"10.10.16.68","qosClass":"Burstable","startTime":"2019-12-13T04:15:29Z"}}},"ancestors":["projects/1188899998888","organizations/1234512341234"]}
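Review bot: the new pod asset's ancestors (`projects/1188899998888`, `organizations/1234512341234`) differ from the `projects/1234` / `folders/2345` / `organizations/56789` ancestry used by every other fixture and by the TargetProject/TargetFolder/TargetOrg arguments in TestGetViolations. If the inventory is meant to scope assets by ancestry this fixture would be excluded; if it is not, the mismatch is worth a comment so nobody "fixes" it later. The fixture also embeds realistic-looking identifiers (pod and host IPs, a container image digest, resource UIDs, a node name); if any were copied from a real cluster rather than constructed, replace them with obviously synthetic values before this lands in a public repository.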
@@ -0,0 +1,10 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDumpReview
metadata:
name: dump-review
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups: [""]
kinds: ["*"]
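Review bot: this constraint matches `kinds: ["*"]` in the core API group (`apiGroups: [""]`), so every core-group resource in the inventory, not only the Pod fixture, will yield a K8sDumpReview violation. That is reasonable for a fixture whose purpose is to prove k8s resources reach the policy engine, but a comment in the file stating that intent would keep it from being copied into a real policy bundle, where a catch-all constraint produces one violation per resource.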
@@ -0,0 +1,17 @@
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8sdumpreview
spec:
crd:
spec:
names:
kind: K8sDumpReview
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8sdumpreview
violation[{"msg": msg}] {
msg := sprintf("%v", [input.review])
}
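Review bot: the template's violation message is `sprintf("%v", [input.review])`, i.e. the entire admission review object, and score.go prints v.Message verbatim into both the CSV record and the text report, so for the pod fixture the whole pod spec lands in a single report cell. Acceptable for a test fixture, but since templates get copied, a narrower message (the reviewed object's kind and name) would be safer for any reuse against resources that carry sensitive data, such as Secrets. A comment marking this template as test-only would make that explicit.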
