345: Fix audit config (#346)

Co-authored-by: Dani <[email protected]>
Shopify · Jul 13, 2021 · 9c59e6d · 9c59e6d
1 parent 5c9d942
commit 9c59e6d
Show file tree

Hide file tree

Showing 5 changed files with 102 additions and 20 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -2,9 +2,9 @@ name: CI
 on:
  push:
  branches:
- - master
+ - main
  pull_request:
- branches: [master]
+ branches: [main]
 jobs:
  test:
  runs-on: ubuntu-latest

diff --git a/auditors/all/all.go b/auditors/all/all.go
@@ -40,13 +40,8 @@ var AuditorNames = []string{
 }
 
 func Auditors(conf config.KubeauditConfig) ([]kubeaudit.Auditable, error) {
- enabledAuditors := conf.GetEnabledAuditors()
- if len(enabledAuditors) == 0 {
- enabledAuditors = AuditorNames
- }
-
- auditors := make([]kubeaudit.Auditable, 0, len(enabledAuditors))
- for _, auditorName := range enabledAuditors {
+ auditors := []kubeaudit.Auditable{}
+ for _, auditorName := range getEnabledAuditors(conf) {
  auditor, err := initAuditor(auditorName, conf)
  if err != nil {
  return nil, err
@@ -57,6 +52,19 @@ func Auditors(conf config.KubeauditConfig) ([]kubeaudit.Auditable, error) {
  return auditors, nil
 }
 
+// getEnabledAuditors returns a list of all auditors excluding any explicitly disabled in the config
+func getEnabledAuditors(conf config.KubeauditConfig) []string {
+ auditors := []string{}
+ for _, auditorName := range AuditorNames {
+ // if value is not found in the `conf.GetEnabledAuditors()` map, this means
+ // it wasn't added to the config file, so it should be enabled by default
+ if enabled, ok := conf.GetEnabledAuditors()[auditorName]; !ok || enabled {
+ auditors = append(auditors, auditorName)
+ }
+ }
+ return auditors
+}
+
 func initAuditor(name string, conf config.KubeauditConfig) (kubeaudit.Auditable, error) {
  switch name {
  case apparmor.Name:

diff --git a/auditors/all/all_test.go b/auditors/all/all_test.go
@@ -8,6 +8,7 @@ import (
  "github.com/Shopify/kubeaudit/auditors/apparmor"
  "github.com/Shopify/kubeaudit/auditors/asat"
  "github.com/Shopify/kubeaudit/auditors/capabilities"
+ "github.com/Shopify/kubeaudit/auditors/mounts"
 
  "github.com/Shopify/kubeaudit/auditors/hostns"
  "github.com/Shopify/kubeaudit/auditors/image"
@@ -20,6 +21,7 @@ import (
  "github.com/Shopify/kubeaudit/auditors/seccomp"
  "github.com/Shopify/kubeaudit/config"
  "github.com/Shopify/kubeaudit/internal/test"
+ "github.com/stretchr/testify/assert"
  "github.com/stretchr/testify/require"
 )
 
@@ -97,6 +99,83 @@ func TestAllWithConfig(t *testing.T) {
  }
 }
 
+func TestGetEnabledAuditors(t *testing.T) {
+ cases := []struct {
+ testName string
+ enabledAuditors map[string]bool
+ expectedAuditors []string
+ }{
+ {
+ // If no config is provided, all auditors should be enabled
+ testName: "No config",
+ enabledAuditors: map[string]bool{},
+ expectedAuditors: AuditorNames,
+ },
+ {
+ // If some auditors are explicitly disabled, the rest should default to being enabled
+ testName: "Some disabled",
+ enabledAuditors: map[string]bool{
+ "apparmor": false,
+ "rootfs": false,
+ },
+ expectedAuditors: []string{
+ asat.Name,
+ capabilities.Name,
+ hostns.Name,
+ image.Name,
+ limits.Name,
+ mounts.Name,
+ netpols.Name,
+ nonroot.Name,
+ privesc.Name,
+ privileged.Name,
+ seccomp.Name,
+ },
+ },
+ {
+ testName: "Some enabled",
+ enabledAuditors: map[string]bool{
+ "apparmor": true,
+ "rootfs": true,
+ },
+ expectedAuditors: AuditorNames,
+ },
+ {
+ // If some auditors are explicitly disabled, the rest should default to being enabled
+ testName: "Some enabled, some disabled",
+ enabledAuditors: map[string]bool{
+ "asat": true,
+ "apparmor": false,
+ "capabilities": true,
+ "rootfs": false,
+ },
+ expectedAuditors: []string{
+ asat.Name,
+ capabilities.Name,
+ hostns.Name,
+ image.Name,
+ limits.Name,
+ mounts.Name,
+ netpols.Name,
+ nonroot.Name,
+ privesc.Name,
+ privileged.Name,
+ seccomp.Name,
+ },
+ },
+ }
+
+ for _, tc := range cases {
+ t.Run(tc.testName, func(t *testing.T) {
+ conf := config.KubeauditConfig{
+ EnabledAuditors: tc.enabledAuditors,
+ }
+ got := getEnabledAuditors(conf)
+ assert.ElementsMatch(t, got, tc.expectedAuditors)
+ })
+ }
+}
+
 func enabledAuditorsToMap(enabledAuditors []string) map[string]bool {
  enabledAuditorMap := map[string]bool{}
  for _, auditorName := range AuditorNames {

diff --git a/cmd/commands/VERSION b/cmd/commands/VERSION
@@ -1 +1 @@
-0.14.1
+0.14.2
diff --git a/config/config.go b/config/config.go
@@ -1,10 +1,11 @@
 package config
 
 import (
- "github.com/Shopify/kubeaudit/auditors/mounts"
  "io"
  "io/ioutil"
 
+ "github.com/Shopify/kubeaudit/auditors/mounts"
+
  "github.com/Shopify/kubeaudit/auditors/capabilities"
  "github.com/Shopify/kubeaudit/auditors/image"
  "github.com/Shopify/kubeaudit/auditors/limits"
@@ -31,17 +32,11 @@ type KubeauditConfig struct {
  AuditorConfig AuditorConfig `yaml:"auditors"`
 }
 
-func (conf *KubeauditConfig) GetEnabledAuditors() []string {
+func (conf *KubeauditConfig) GetEnabledAuditors() map[string]bool {
  if conf == nil {
- return []string{}
- }
- enabledAuditors := make([]string, 0, len(conf.EnabledAuditors))
- for auditorName, enabled := range conf.EnabledAuditors {
- if enabled {
- enabledAuditors = append(enabledAuditors, auditorName)
- }
+ return map[string]bool{}
  }
- return enabledAuditors
+ return conf.EnabledAuditors
 }
 
 func (conf *KubeauditConfig) GetAuditorConfigs() AuditorConfig {