Scorecard - handle changes from new Config Validator version w.r.t. Violation format and k8s resource handling #613

Merged
merged 5 commits into from
Apr 7, 2020
Changes from 4 commits
5 changes: 2 additions & 3 deletions cli/go.mod
Expand Up @@ -4,13 +4,12 @@ go 1.12

require (
cloud.google.com/go v0.38.0
github.com/GoogleCloudPlatform/terraform-validator v0.0.0-20190611191127-0aa9d709266e
github.com/briandowns/spinner v1.6.1
github.com/forseti-security/config-validator v0.0.0-20200214190434-b3da3b61dbb1
github.com/forseti-security/config-validator v0.0.0-20200317212309-6f70138af9ec
github.com/golang/protobuf v1.3.2
github.com/hashicorp/terraform v0.12.2 // indirect
github.com/inconshreveable/log15 v0.0.0-20180818164646-67afb5ed74ec
github.com/open-policy-agent/opa v0.16.2
github.com/open-policy-agent/opa v0.17.2
github.com/pkg/errors v0.8.1
github.com/spf13/cobra v0.0.5
github.com/spf13/viper v1.3.2
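Review bot: the bump of `github.com/forseti-security/config-validator` to the `20200317212309-6f70138af9ec` pseudo-version is the upstream change this whole PR adapts to (the new Violation format and k8s resource handling named in the title), but nothing in the diff records that; a short comment beside the require, or a line in the commit message naming the upstream change, would keep the coupling between this pin and the `score.go` rewrite reviewable later. The `opa` bump to v0.17.2 has no stated motivation either; if it is only pulled in transitively by config-validator, `go mod tidy` will mark the require `// indirect` and make that explicit.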
11 changes: 11 additions & 0 deletions cli/go.sum
Expand Up @@ -29,6 +29,7 @@ github.com/GoogleCloudPlatform/terraform-validator v0.0.0-20190611191127-0aa9d70
github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd/go.mod h1:64YHyfSL2R96J44Nlwm39UHepQbyR5q10x7iYa1ks2E=
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
github.com/OneOfOne/xxhash v1.2.3 h1:wS8NNaIgtzapuArKIAjsyXtEN/IUjQkbw90xszUdS40=
github.com/OneOfOne/xxhash v1.2.3/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
github.com/OneOfOne/xxhash v1.2.5 h1:zl/OfRA6nftbBK9qTohYBJ5xvw6C/oNKizR7cZGl3cI=
github.com/OneOfOne/xxhash v1.2.5/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q=
Expand Down Expand Up @@ -134,6 +135,8 @@ github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI
github.com/forseti-security/config-validator v0.0.0-20190611184209-ce0fa1c12514/go.mod h1:Vau5ih3z998VJAvBiKZZV+q8MHwVY7EAs+GAE1SDikE=
github.com/forseti-security/config-validator v0.0.0-20200214190434-b3da3b61dbb1 h1:jbuKpXia0YmT2ynKeuI0hm01hzjmgJtvGdtBgdhBT6c=
github.com/forseti-security/config-validator v0.0.0-20200214190434-b3da3b61dbb1/go.mod h1:/ZIphx5XmfeeY6igAkKAQN6o1zUjUnmhD4Xyevon6po=
github.com/forseti-security/config-validator v0.0.0-20200317212309-6f70138af9ec h1:FwTf62tmlCgFGs4xNMsmwzIaOkPcNwlkxQD+fCpcqAY=
github.com/forseti-security/config-validator v0.0.0-20200317212309-6f70138af9ec/go.mod h1:H16On75JtsrqF1/vtb19/vgiiyI/x+dvvmRTNTz9IT4=
github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
github.com/gammazero/deque v0.0.0-20180920172122-f6adf94963e4/go.mod h1:GeIq9qoE43YdGnDXURnmKTnGg15pQz4mYkXSTChbneI=
Expand Down Expand Up @@ -252,6 +255,7 @@ github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXi
github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/googleapis/gax-go v2.0.0+incompatible h1:j0GKcs05QVmm7yesiZq2+9cxHkNK9YM6zKx4D2qucQU=
github.com/googleapis/gax-go v2.0.0+incompatible/go.mod h1:SFVmujtThgffbyetf+mdk2eWhX2bMyUtNHzFKcPA9HY=
github.com/googleapis/gax-go v2.0.2+incompatible h1:silFMLAnr330+NRuag/VjIGF7TLp/LBrV2CJKFLWEww=
github.com/googleapis/gax-go v2.0.2+incompatible/go.mod h1:SFVmujtThgffbyetf+mdk2eWhX2bMyUtNHzFKcPA9HY=
Expand Down Expand Up @@ -454,6 +458,8 @@ github.com/open-policy-agent/gatekeeper v0.0.0-20200130050101-a7990e5bc83a/go.mo
github.com/open-policy-agent/opa v0.11.0/go.mod h1:rlfeSeHuZmMEpmrcGla42AjkOUjP4rGIpS96H12un3o=
github.com/open-policy-agent/opa v0.16.2 h1:Fdt1ysSA3p7z88HVHmUFiPM6hqqXbLDDZF9cQFYaIP0=
github.com/open-policy-agent/opa v0.16.2/go.mod h1:P0xUE/GQAAgnvV537GzA0Ikw4+icPELRT327QJPkaKY=
github.com/open-policy-agent/opa v0.17.2 h1:E7l8FvgoyrmphQGtD+h9HfSTcf8b7d3X4PDQ4avrEmo=
github.com/open-policy-agent/opa v0.17.2/go.mod h1:P0xUE/GQAAgnvV537GzA0Ikw4+icPELRT327QJPkaKY=
github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8=
github.com/packer-community/winrmcp v0.0.0-20180102160824-81144009af58/go.mod h1:f6Izs6JvFTdnRbziASagjZ2vmf55NSIkC/weStxCHqk=
Expand Down Expand Up @@ -535,6 +541,7 @@ github.com/sourcegraph/annotate v0.0.0-20160123013949-f4cad6c6324d/go.mod h1:Udh
github.com/sourcegraph/syntaxhighlight v0.0.0-20170531221838-bd320f5d308e/go.mod h1:HuIsMU8RRBOtsCgI77wP899iHVBQpCmg4ErYMZB+2IA=
github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
github.com/spf13/afero v1.2.1 h1:qgMbHoJbPbw579P+1zVY+6n4nIFuIchaIjzZ/I/Yq8M=
github.com/spf13/afero v1.2.1/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
github.com/spf13/afero v1.2.2 h1:5jhuqJyZCZf2JRofRvN/nIFgIWNzPa3/Vz8mYylgbWc=
github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
Expand Down Expand Up @@ -595,6 +602,7 @@ go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qL
go.mongodb.org/mongo-driver v1.1.1 h1:Sq1fR+0c58RME5EoqKdjkiQAmPjmfHlZOoRI6fTUOcs=
go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
go.opencensus.io v0.18.0/go.mod h1:vKdFvxhtzZ9onBp9VKHK8z/sRpBMnKAsufL7wlDrCOA=
go.opencensus.io v0.21.0 h1:mU6zScU4U1YAFPHEHYk+3JC4SY7JxgkqS10ZOSyksNg=
go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
go.opencensus.io v0.22.2 h1:75k/FF0Q2YM8QYo07VPddOLBslDt1MZOdEslOHvmzAs=
go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
Expand Down Expand Up @@ -655,6 +663,7 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
golang.org/x/net v0.0.0-20190502183928-7f726cade0ab/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859 h1:R/3boaszxrf1GEUWTVDzSKVwLmSJpwZ1yqXm8j0v2QI=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190812203447-cdfb69ac37fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297 h1:k7pJ2yAPLPgbskkFdhRCsA77k2fySZ1zf2zCjvQCiIM=
Expand Down Expand Up @@ -696,6 +705,7 @@ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190502175342-a43fa875dd82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b h1:ag/x1USPSsqHud38I9BAC88qdNLDHHtQ4mlgQIZPPNA=
golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f h1:25KHgbfyiSm6vwQLbM3zZIe1v9p/3ea4Rz+nnM5K/i4=
golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
Expand Down Expand Up @@ -763,6 +773,7 @@ google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3
google.golang.org/grpc v1.18.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.19.1/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.20.1 h1:Hz2g2wirWK7H0qIIhGIqRGTuMwTE8HEKFnDZZ7lm9NU=
google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
google.golang.org/grpc v1.23.0 h1:AzbTB6ux+okLTzP8Ru1Xs41C303zdcfEht7MQnYJt5A=
google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
2 changes: 1 addition & 1 deletion cli/scorecard/main.go
Expand Up @@ -18,5 +18,5 @@ import (
log "github.com/inconshreveable/log15"
)

// Scorecard log15 handler
// Log (log15) handler for Scorecard
var Log = log.New()
1 change: 0 additions & 1 deletion cli/scorecard/proto_test.go
Expand Up @@ -68,4 +68,3 @@ func TestDataTypeTransformation(t *testing.T) {
}
})
}

18 changes: 8 additions & 10 deletions cli/scorecard/score.go
Expand Up @@ -24,6 +24,7 @@ import (
"io"
"os"
"path/filepath"
"strings"

"github.com/forseti-security/config-validator/pkg/api/validator"
"github.com/forseti-security/config-validator/pkg/gcv"
Expand Down Expand Up @@ -77,17 +78,16 @@ func (c constraintCategory) Count() int {

// constraintViolations holds violations for a particular constraint
type constraintViolations struct {
constraint *validator.Constraint
constraint string
Violations []*validator.Violation `protobuf:"bytes,1,rep,name=violations,proto3" json:"violations,omitempty"`
}

func (cv constraintViolations) Count() int {
return len(cv.Violations)
}

func (cv constraintViolations) GetName() string {
return cv.Violations[0].Constraint
// return cv.constraint.GetMetadata().GetStructValue().GetFields()["name"].GetStringValue()
func getConstraintShortName(constraintName string) string {
return strings.Split(constraintName, ".")[1]
}

// RichViolation holds a violation with its category
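Review bot: `getConstraintShortName` at `return strings.Split(constraintName, ".")[1]` panics with an index-out-of-range when a constraint name contains no dot, and silently returns only the middle segment when it contains more than one. Because it replaces `GetName`, every violation in a run now passes through it, so one unexpected name format aborts the whole scorecard instead of mis-labelling one row. Suggest `parts := strings.SplitN(constraintName, ".", 2)` and returning `constraintName` unchanged when `len(parts) < 2`, plus a doc comment stating the expected `Kind.name` form the new Config Validator emits.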
Expand Down Expand Up @@ -119,15 +119,14 @@ func (config *ScoringConfig) getConstraintForViolation(violation *validator.Viol
key := violation.GetConstraint()
cv, found := config.constraints[key]
if !found {
constraint := violation.GetConstraintConfig()
constraint := key
cv = &constraintViolations{
constraint: constraint,
}
config.constraints[key] = cv

metadata := constraint.GetMetadata()
metadata := violation.GetMetadata().GetStructValue().GetFields()["constraint"]
annotations := metadata.GetStructValue().GetFields()["annotations"].GetStructValue().GetFields()

categoryKey := otherCategoryKey
categoryValue, found := annotations["bundles.validator.forsetisecurity.org/scorecard-v1"]
if found {
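Review bot: the chain `violation.GetMetadata().GetStructValue().GetFields()["constraint"]` followed by `.GetStructValue().GetFields()["annotations"].GetStructValue().GetFields()` only avoids a nil dereference because the generated protobuf getters are nil-safe on a nil receiver and indexing a nil map yields a nil `*Value`; a violation with no `constraint` metadata therefore lands in `otherCategoryKey` rather than panicking. That is the right outcome, but it is not obvious from the code, so a comment naming the expected shape (`metadata.constraint.annotations[...]`) would help the next reader. The `constraint := key` temporary is also redundant now that the field is a plain string; `constraint: key` in the literal reads cleaner.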
Expand Down Expand Up @@ -232,7 +231,7 @@ func (inventory *InventoryConfig) Score(config *ScoringConfig, outputPath string
for _, category := range config.categories {
for _, cv := range category.constraints {
for _, v := range cv.Violations {
record := []string{category.Name, v.Constraint, v.Resource, v.Message}
record := []string{category.Name, getConstraintShortName(v.Constraint), v.Resource, v.Message}
for _, field := range outputMetadataFields {
metadata := v.Metadata.GetStructValue().Fields["details"].GetStructValue().Fields[field]
value, _ := stringViaJSON(metadata)
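Review bot: the CSV row now carries `getConstraintShortName(v.Constraint)` in place of the full constraint name, so two constraints of different kinds that share the same name become indistinguishable in the report; if the short form is wanted for readability, keep the full `Kind.name` in an additional column. Separately, the context line `v.Metadata.GetStructValue().Fields["details"]` reads the raw `Fields` map rather than the nil-safe `GetFields()`, so a violation whose metadata is not a struct panics here while the new lookup above tolerates it.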
Expand All @@ -250,7 +249,7 @@ func (inventory *InventoryConfig) Score(config *ScoringConfig, outputPath string
io.WriteString(dest, fmt.Sprintf("\n\n%v: %v issues found\n", category.Name, category.Count()))
io.WriteString(dest, fmt.Sprintf("----------\n"))
for _, cv := range category.constraints {
io.WriteString(dest, fmt.Sprintf("%v: %v issues\n", cv.GetName(), cv.Count()))
io.WriteString(dest, fmt.Sprintf("%v: %v issues\n", getConstraintShortName(cv.constraint), cv.Count()))
for _, v := range cv.Violations {
io.WriteString(dest, fmt.Sprintf("- %v\n", v.Message))
for _, field := range outputMetadataFields {
Expand Down Expand Up @@ -288,4 +287,3 @@ func uniqueViolations(violations []*validator.Violation) []*validator.Violation
}
return uniqueViolations
}

1 change: 0 additions & 1 deletion cli/scorecard/violations.go
Expand Up @@ -144,4 +144,3 @@ func getAssetFromJSON(input []byte) (*validator.Asset, error) {
Log.Debug("Asset converted", "name", asset["name"], "ancestry", pbAsset.GetAncestryPath())
return pbAsset, nil
}

17 changes: 10 additions & 7 deletions cli/scorecard/violations_test.go
Expand Up @@ -28,8 +28,8 @@ const (

type getAssetFromJSONTestcase struct {
name string
assetJSONFile string
ancestryPath string
assetJSONFile string
ancestryPath string
isResource bool
isIamPolicy bool
}
Expand All @@ -44,14 +44,14 @@ func TestGetAssetFromJSON(t *testing.T) {
{
name: "resource",
assetJSONFile: "/shared/resource.json",
ancestryPath: "organizations/56789/projects/1234",
ancestryPath: "organizations/56789/projects/1234",
isResource: true,
isIamPolicy: false,
},
{
name: "iam policy",
assetJSONFile: "/shared/iam_policy.json",
ancestryPath: "organizations/56789/folders/2345/projects/1234",
ancestryPath: "organizations/56789/folders/2345/projects/1234",
isResource: false,
isIamPolicy: true,
},
Expand Down Expand Up @@ -86,8 +86,12 @@ func TestGetAssetFromJSON(t *testing.T) {
func TestGetViolations(t *testing.T) {
var testCases = []getViolationsTestcase{
{
resource: "//storage.googleapis.com/test-project",
constraint: "iam-gcs-blacklist-public-users",
resource: "//storage.googleapis.com/test-bucket-public",
constraint: "GCPStorageBucketWorldReadableConstraintV1.iam-gcs-blacklist-public-users",
},
{
resource: "//container.googleapis.com/projects/gke-networking/zones/us-central1-a/clusters/private-cluster-demo/k8s/namespaces/default/pods/hello-world-deploy-1234567d898-xqwf9",
constraint: "K8sDumpReview.dump-review",
},
}
inventory, err := NewInventory("", localCaiDir, false, false, TargetProject("1234"), TargetFolder("2345"), TargetOrg("56789"))
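Review bot: the new test case checks only the `(resource, constraint)` pair, so neither the `metadata.constraint.annotations` path the scoring code now depends on nor the `Kind.name` split is exercised; an assertion that the returned violation's metadata carries the `constraint` struct, and a unit test of the short-name helper on a name without a dot, would cover the two places where the new Violation format can break. Note also that `K8sDumpReview.dump-review` will fire for every k8s asset added to the fixture later, so future test cases need to budget one extra violation per k8s resource.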
Expand Down Expand Up @@ -117,4 +121,3 @@ func TestGetViolations(t *testing.T) {
})
}
}

2 changes: 1 addition & 1 deletion cli/testdata/scorecard/cai-dir/iam_inventory.json
@@ -1 +1 @@
{"name":"//storage.googleapis.com/test-project","asset_type":"storage.googleapis.com/Bucket","iam_policy":{"etag":"WwAAAaAaaaa=","bindings":[{"role":"roles/storage.legacyBucketOwner","members":["projectEditor:test-project","projectOwner:test-project"]},{"role":"roles/storage.objectViewer","members":["allAuthenticatedUsers"]}]},"ancestors":["projects/1234","folders/2345","organizations/56789"]}
{"name":"//storage.googleapis.com/test-bucket-public","asset_type":"storage.googleapis.com/Bucket","iam_policy":{"etag":"WwAAAaAaaaa=","bindings":[{"role":"roles/storage.legacyBucketOwner","members":["projectEditor:test-project","projectOwner:test-project"]},{"role":"roles/storage.objectViewer","members":["allAuthenticatedUsers"]}]},"ancestors":["projects/1234","folders/2345","organizations/56789"]}
1 change: 1 addition & 0 deletions cli/testdata/scorecard/cai-dir/resource_inventory.json
@@ -1 +1,2 @@
{"name":"//storage.googleapis.com/test-bucket-public","asset_type":"storage.googleapis.com/Bucket","resource":{"version":"v1","discovery_document_uri":"https://www.googleapis.com/discovery/v1/apis/storage/v1/rest","discovery_name":"Bucket","parent":"//cloudresourcemanager.googleapis.com/projects/1234","data":{"acl":[],"billing":{},"cors":[],"defaultObjectAcl":[],"encryption":{},"etag":"CAU=","iamConfiguration":{"bucketPolicyOnly":{"enabled":true,"lockedTime":"2019-08-05T09:26:23.996Z"},"uniformBucketLevelAccess":{"enabled":true,"lockedTime":"2019-08-05T09:26:23.996Z"}},"id":"test-bucket-public","kind":"storage#bucket","labels":{},"lifecycle":{"rule":[]},"location":"US","locationType":"multi-region","logging":{},"metageneration":5,"name":"test-bucket-public","owner":{},"projectNumber":4567,"retentionPolicy":{},"selfLink":"https://www.googleapis.com/storage/v1/b/test-bucket-public","storageClass":"MULTI_REGIONAL","timeCreated":"2019-05-07T09:26:23.996Z","updated":"2019-05-07T15:11:21.219Z","versioning":{},"website":{}}},"ancestors":["projects/1234","folders/2345","organizations/56789"]}
{"name":"//container.googleapis.com/projects/gke-networking/zones/us-central1-a/clusters/private-cluster-demo/k8s/namespaces/default/pods/hello-world-deploy-1234567d898-xqwf9","asset_type":"k8s.io/Pod","resource":{"version":"v1","discovery_document_uri":"https://raw.githubusercontent.com/kubernetes/kubernetes/master/api/openapi-spec/swagger.json","discovery_name":"io.k8s.api.core.v1.Pod","parent":"//container.googleapis.com/projects/gke-networking/zones/us-central1-a/clusters/private-cluster-demo/k8s/namespaces/default","data":{"metadata":{"annotations":{"cni.projectcalico.org/podIP":"10.10.16.68/32","kubernetes.io/limit-ranger":"LimitRanger plugin set: cpu request for container hello-world"},"creationTimestamp":"2019-12-13T04:15:29Z","generateName":"hello-world-deploy-1234567d898-","labels":{"app":"hello-world-example","pod-template-hash":"598587d898"},"name":"hello-world-deploy-1234567d898-xqwf9","namespace":"default","ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"hello-world-deploy-1234567d898","uid":"717b4db1-5a82-11e9-1111-12345a0a0fe3"}],"resourceVersion":"63643167","selfLink":"/api/v1/namespaces/default/pods/hello-world-deploy-1234567d898-xqwf9","uid":"1234567b-1d5f-11ea-9f3d-42010a0a0fe7"},"spec":{"containers":[{"image":"gcr.io/google-samples/hello-app:2.0","imagePullPolicy":"IfNotPresent","name":"hello-world","ports":[{"containerPort":8080,"protocol":"TCP"}],"resources":{"requests":{"cpu":"100m"}},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount","name":"default-token-123a4","readOnly":true}]}],"dnsPolicy":"ClusterFirst","hostname":"hello-world","nodeName":"gke-private-cluster-demo-default-pool-123456d1-87j0","priority":0,"restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"serviceAccount":"default","serviceAccountName":"default","terminationGracePeriodS
econds":30,"tolerations":[{"effect":"NoExecute","key":"node.kubernetes.io/not-ready","operator":"Exists","tolerationSeconds":300},{"effect":"NoExecute","key":"node.kubernetes.io/unreachable","operator":"Exists","tolerationSeconds":300}],"volumes":[{"name":"default-token-123a4","secret":{"defaultMode":420,"secretName":"default-token-123a4"}}]},"status":{"conditions":[{"lastProbeTime":null,"lastTransitionTime":"2019-12-13T04:15:29Z","status":"True","type":"Initialized"},{"lastProbeTime":null,"lastTransitionTime":"2019-12-13T04:15:36Z","status":"True","type":"Ready"},{"lastProbeTime":null,"lastTransitionTime":"2019-12-13T04:15:36Z","status":"True","type":"ContainersReady"},{"lastProbeTime":null,"lastTransitionTime":"2019-12-13T04:15:29Z","status":"True","type":"PodScheduled"}],"containerStatuses":[{"containerID":"docker://24964fc7e2905e2fe2f41f6ef6a81e746a49f75f00fded6168a36febfc644f14","image":"gcr.io/google-samples/hello-app:2.0","imageID":"docker-pullable://gcr.io/google-samples/hello-app@sha256:37e5287945774f27b418ce567cd77f4bbc9ef44a1bcd1a2312369f31f9cce567","lastState":{},"name":"hello-world","ready":true,"restartCount":0,"state":{"running":{"startedAt":"2019-12-13T04:15:33Z"}}}],"hostIP":"10.10.10.10","phase":"Running","podIP":"10.10.16.68","qosClass":"Burstable","startTime":"2019-12-13T04:15:29Z"}}},"ancestors":["projects/1188899998888","organizations/1234512341234"]}
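Review bot: the new pod asset lists `ancestors` of `projects/1188899998888` and `organizations/1234512341234`, which do not match the `TargetProject("1234")`, `TargetFolder("2345")`, `TargetOrg("56789")` scope that `TestGetViolations` builds its inventory with, whereas the bucket asset sits under `projects/1234`, `folders/2345`, `organizations/56789`. If the test passes with this fixture, either ancestry scoping is not applied to k8s resources or it is not applied on this path at all; either way that deserves a comment in the test, because it decides whether a scorecard scoped to one project can report pods from another.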
@@ -0,0 +1,10 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDumpReview
metadata:
name: dump-review
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups: [""]
kinds: ["*"]
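Review bot: `match.kinds` pairs `apiGroups: [""]` with `kinds: ["*"]`, which matches every kind in the core API group only (Pods, Services, ConfigMaps and so on); Deployments, ReplicaSets and other `apps`-group objects are not matched. For a dump-the-review fixture that may be intended, but if the aim is to exercise any k8s resource the inventory contains, `apiGroups: ["*"]` is the broader match. `enforcementAction: dryrun` is the right setting for a fixture whose only job is to surface the review object.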
@@ -0,0 +1,17 @@
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8sdumpreview
spec:
crd:
spec:
names:
kind: K8sDumpReview
targets:
- target: admission.k8s.gatekeeper.sh
For the future, it would be good to add a test which actually looks at data so we can be sure it passes through properly.

rego: |
package k8sdumpreview

violation[{"msg": msg}] {
msg := sprintf("%v", [input.review])
}
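Review bot: the rego body `violation[{"msg": msg}] { msg := sprintf("%v", [input.review]) }` reports a violation for every object it evaluates and copies the entire `input.review` (the full object, spec and annotations included) into the message, so any scorecard produced with this template in its policy library will contain complete resource dumps. That is acceptable for a test fixture, but the template should say so in a description so it is not picked up into a real bundle, and, as the comment above asks, a test that inspects the emitted message would confirm the review data actually reaches the violation.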