Merge pull request #15 from Shopify/audit_config

new feature: audit manifest file from command line args
Shopify · Oct 2, 2017 · 79308b9 · 79308b9
2 parents ffe064e + d22fedf
commit 79308b9
Show file tree

Hide file tree

Showing 10 changed files with 236 additions and 128 deletions.
diff --git a/cmd/automountServiceAccountToken.go b/cmd/automountServiceAccountToken.go
@@ -87,30 +87,37 @@ Fix this by updating serviceAccount to serviceAccountName in your .yamls
 Example usage:
 kubeaudit rbac sat`,
 	Run: func(cmd *cobra.Command, args []string) {
-		kube, err := kubeClient(rootConfig.kubeConfig)
-		if err != nil {
-			log.Error(err)
-		}
-
 		if rootConfig.json {
 			log.SetFormatter(&log.JSONFormatter{})
 		}
 
-		// fetch deployments, statefulsets, daemonsets
-		// and pods which do not belong to another abstraction
-		deployments := getDeployments(kube)
-		statefulSets := getStatefulSets(kube)
-		daemonSets := getDaemonSets(kube)
-		pods := getPods(kube)
-		replicationControllers := getReplicationControllers(kube)
-
-		wg.Add(5)
-		go auditAutomountServiceAccountToken(kubeAuditStatefulSets{list: statefulSets})
-		go auditAutomountServiceAccountToken(kubeAuditDaemonSets{list: daemonSets})
-		go auditAutomountServiceAccountToken(kubeAuditPods{list: pods})
-		go auditAutomountServiceAccountToken(kubeAuditReplicationControllers{list: replicationControllers})
-		go auditAutomountServiceAccountToken(kubeAuditDeployments{list: deployments})
-		wg.Wait()
+		if rootConfig.manifest != "" {
+			wg.Add(1)
+			resource := getKubeResource(rootConfig.manifest)
+			auditSecurityContext(resource)
+			wg.Wait()
+		} else {
+			kube, err := kubeClient(rootConfig.kubeConfig)
+			if err != nil {
+				log.Error(err)
+			}
+
+			// fetch deployments, statefulsets, daemonsets
+			// and pods which do not belong to another abstraction
+			deployments := getDeployments(kube)
+			statefulSets := getStatefulSets(kube)
+			daemonSets := getDaemonSets(kube)
+			pods := getPods(kube)
+			replicationControllers := getReplicationControllers(kube)
+
+			wg.Add(5)
+			go auditAutomountServiceAccountToken(kubeAuditStatefulSets{list: statefulSets})
+			go auditAutomountServiceAccountToken(kubeAuditDaemonSets{list: daemonSets})
+			go auditAutomountServiceAccountToken(kubeAuditPods{list: pods})
+			go auditAutomountServiceAccountToken(kubeAuditReplicationControllers{list: replicationControllers})
+			go auditAutomountServiceAccountToken(kubeAuditDeployments{list: deployments})
+			wg.Wait()
+		}
 	},
 }
 

diff --git a/cmd/image.go b/cmd/image.go
@@ -92,29 +92,37 @@ Example usage:
 kubeaudit image --image gcr.io/google_containers/echoserver:1.7
 kubeaudit image -i gcr.io/google_containers/echoserver:1.7`,
 	Run: func(cmd *cobra.Command, args []string) {
-		kube, err := kubeClient(rootConfig.kubeConfig)
-		if err != nil {
-			log.Error(err)
-		}
-
 		if rootConfig.json {
 			log.SetFormatter(&log.JSONFormatter{})
 		}
-		// fetch deployments, statefulsets, daemonsets
-		// and pods which do not belong to another abstraction
-		deployments := getDeployments(kube)
-		statefulSets := getStatefulSets(kube)
-		daemonSets := getDaemonSets(kube)
-		replicationControllers := getReplicationControllers(kube)
-		pods := getPods(kube)
-
-		wg.Add(5)
-		go auditImages(imgConfig.img, kubeAuditStatefulSets{list: statefulSets})
-		go auditImages(imgConfig.img, kubeAuditDaemonSets{list: daemonSets})
-		go auditImages(imgConfig.img, kubeAuditPods{list: pods})
-		go auditImages(imgConfig.img, kubeAuditReplicationControllers{list: replicationControllers})
-		go auditImages(imgConfig.img, kubeAuditDeployments{list: deployments})
-		wg.Wait()
+
+		if rootConfig.manifest != "" {
+			wg.Add(1)
+			resource := getKubeResource(rootConfig.manifest)
+			auditSecurityContext(resource)
+			wg.Wait()
+		} else {
+			kube, err := kubeClient(rootConfig.kubeConfig)
+			if err != nil {
+				log.Error(err)
+			}
+
+			// fetch deployments, statefulsets, daemonsets
+			// and pods which do not belong to another abstraction
+			deployments := getDeployments(kube)
+			statefulSets := getStatefulSets(kube)
+			daemonSets := getDaemonSets(kube)
+			replicationControllers := getReplicationControllers(kube)
+			pods := getPods(kube)
+
+			wg.Add(5)
+			go auditImages(imgConfig.img, kubeAuditStatefulSets{list: statefulSets})
+			go auditImages(imgConfig.img, kubeAuditDaemonSets{list: daemonSets})
+			go auditImages(imgConfig.img, kubeAuditPods{list: pods})
+			go auditImages(imgConfig.img, kubeAuditReplicationControllers{list: replicationControllers})
+			go auditImages(imgConfig.img, kubeAuditDeployments{list: deployments})
+			wg.Wait()
+		}
 	},
 }
 

diff --git a/cmd/privileged.go b/cmd/privileged.go
@@ -55,30 +55,37 @@ A FAIL is generated when a container runs in a privileged mode
 Example usage:
 kubeaudit privileged`,
 	Run: func(cmd *cobra.Command, args []string) {
-		kube, err := kubeClient(rootConfig.kubeConfig)
-		if err != nil {
-			log.Error(err)
-		}
-
 		if rootConfig.json {
 			log.SetFormatter(&log.JSONFormatter{})
 		}
 
-		// fetch deployments, statefulsets, daemonsets
-		// and pods which do not belong to another abstraction
-		deployments := getDeployments(kube)
-		statefulSets := getStatefulSets(kube)
-		daemonSets := getDaemonSets(kube)
-		pods := getPods(kube)
-		replicationControllers := getReplicationControllers(kube)
+		if rootConfig.manifest != "" {
+			wg.Add(1)
+			resource := getKubeResource(rootConfig.manifest)
+			auditSecurityContext(resource)
+			wg.Wait()
+		} else {
+			kube, err := kubeClient(rootConfig.kubeConfig)
+			if err != nil {
+				log.Error(err)
+			}
 
-		wg.Add(5)
-		go auditPrivileged(kubeAuditStatefulSets{list: statefulSets})
-		go auditPrivileged(kubeAuditDaemonSets{list: daemonSets})
-		go auditPrivileged(kubeAuditPods{list: pods})
-		go auditPrivileged(kubeAuditReplicationControllers{list: replicationControllers})
-		go auditPrivileged(kubeAuditDeployments{list: deployments})
-		wg.Wait()
+			// fetch deployments, statefulsets, daemonsets
+			// and pods which do not belong to another abstraction
+			deployments := getDeployments(kube)
+			statefulSets := getStatefulSets(kube)
+			daemonSets := getDaemonSets(kube)
+			pods := getPods(kube)
+			replicationControllers := getReplicationControllers(kube)
+
+			wg.Add(5)
+			go auditPrivileged(kubeAuditStatefulSets{list: statefulSets})
+			go auditPrivileged(kubeAuditDaemonSets{list: daemonSets})
+			go auditPrivileged(kubeAuditPods{list: pods})
+			go auditPrivileged(kubeAuditReplicationControllers{list: replicationControllers})
+			go auditPrivileged(kubeAuditDeployments{list: deployments})
+			wg.Wait()
+		}
 	},
 }
 

diff --git a/cmd/readOnlyRootFilesystem.go b/cmd/readOnlyRootFilesystem.go
@@ -55,30 +55,37 @@ A FAIL is given when a container does not have a read only root filesystem
 Example usage:
 kubeaudit runAsNonRoot`,
 	Run: func(cmd *cobra.Command, args []string) {
-		kube, err := kubeClient(rootConfig.kubeConfig)
-		if err != nil {
-			log.Error(err)
-		}
-
 		if rootConfig.json {
 			log.SetFormatter(&log.JSONFormatter{})
 		}
 
-		// fetch deployments, statefulsets, daemonsets
-		// and pods which do not belong to another abstraction
-		deployments := getDeployments(kube)
-		statefulSets := getStatefulSets(kube)
-		daemonSets := getDaemonSets(kube)
-		pods := getPods(kube)
-		replicationControllers := getReplicationControllers(kube)
+		if rootConfig.manifest != "" {
+			wg.Add(1)
+			resource := getKubeResource(rootConfig.manifest)
+			auditSecurityContext(resource)
+			wg.Wait()
+		} else {
+			kube, err := kubeClient(rootConfig.kubeConfig)
+			if err != nil {
+				log.Error(err)
+			}
 
-		wg.Add(5)
-		go auditReadOnlyRootFS(kubeAuditStatefulSets{list: statefulSets})
-		go auditReadOnlyRootFS(kubeAuditDaemonSets{list: daemonSets})
-		go auditReadOnlyRootFS(kubeAuditPods{list: pods})
-		go auditReadOnlyRootFS(kubeAuditReplicationControllers{list: replicationControllers})
-		go auditReadOnlyRootFS(kubeAuditDeployments{list: deployments})
-		wg.Wait()
+			// fetch deployments, statefulsets, daemonsets
+			// and pods which do not belong to another abstraction
+			deployments := getDeployments(kube)
+			statefulSets := getStatefulSets(kube)
+			daemonSets := getDaemonSets(kube)
+			pods := getPods(kube)
+			replicationControllers := getReplicationControllers(kube)
+
+			wg.Add(5)
+			go auditReadOnlyRootFS(kubeAuditStatefulSets{list: statefulSets})
+			go auditReadOnlyRootFS(kubeAuditDaemonSets{list: daemonSets})
+			go auditReadOnlyRootFS(kubeAuditPods{list: pods})
+			go auditReadOnlyRootFS(kubeAuditReplicationControllers{list: replicationControllers})
+			go auditReadOnlyRootFS(kubeAuditDeployments{list: deployments})
+			wg.Wait()
+		}
 	},
 }
 

diff --git a/cmd/root.go b/cmd/root.go
@@ -15,6 +15,7 @@ type rootFlags struct {
 	verbose    bool
 	allPods    bool
 	json       bool
+	manifest   string
 }
 
 var RootCmd = &cobra.Command{
@@ -41,4 +42,5 @@ func init() {
 	RootCmd.PersistentFlags().BoolVarP(&rootConfig.verbose, "verbose", "v", false, "Enable debug (verbose) logging")
 	RootCmd.PersistentFlags().BoolVarP(&rootConfig.json, "json", "j", false, "Enable json logging")
 	RootCmd.PersistentFlags().BoolVarP(&rootConfig.allPods, "allPods", "a", false, "Audit againsts pods in all the phases (default Running Phase)")
+	RootCmd.PersistentFlags().StringVarP(&rootConfig.manifest, "manifest", "f", "", "yaml configuration to audit")
 }
diff --git a/cmd/runAsNonRoot.go b/cmd/runAsNonRoot.go
@@ -57,30 +57,37 @@ A FAIL is generated when a container runs as root
 Example usage:
 kubeaudit runAsNonRoot`,
 	Run: func(cmd *cobra.Command, args []string) {
-		kube, err := kubeClient(rootConfig.kubeConfig)
-		if err != nil {
-			log.Error(err)
-		}
-
 		if rootConfig.json {
 			log.SetFormatter(&log.JSONFormatter{})
 		}
 
-		// fetch deployments, statefulsets, daemonsets
-		// and pods which do not belong to another abstraction
-		deployments := getDeployments(kube)
-		statefulSets := getStatefulSets(kube)
-		daemonSets := getDaemonSets(kube)
-		pods := getPods(kube)
-		replicationControllers := getReplicationControllers(kube)
+		if rootConfig.manifest != "" {
+			wg.Add(1)
+			resource := getKubeResource(rootConfig.manifest)
+			auditSecurityContext(resource)
+			wg.Wait()
+		} else {
+			kube, err := kubeClient(rootConfig.kubeConfig)
+			if err != nil {
+				log.Error(err)
+			}
 
-		wg.Add(5)
-		go auditRunAsNonRoot(kubeAuditStatefulSets{list: statefulSets})
-		go auditRunAsNonRoot(kubeAuditDaemonSets{list: daemonSets})
-		go auditRunAsNonRoot(kubeAuditPods{list: pods})
-		go auditRunAsNonRoot(kubeAuditReplicationControllers{list: replicationControllers})
-		go auditRunAsNonRoot(kubeAuditDeployments{list: deployments})
-		wg.Wait()
+			// fetch deployments, statefulsets, daemonsets
+			// and pods which do not belong to another abstraction
+			deployments := getDeployments(kube)
+			statefulSets := getStatefulSets(kube)
+			daemonSets := getDaemonSets(kube)
+			pods := getPods(kube)
+			replicationControllers := getReplicationControllers(kube)
+
+			wg.Add(5)
+			go auditRunAsNonRoot(kubeAuditStatefulSets{list: statefulSets})
+			go auditRunAsNonRoot(kubeAuditDaemonSets{list: daemonSets})
+			go auditRunAsNonRoot(kubeAuditPods{list: pods})
+			go auditRunAsNonRoot(kubeAuditReplicationControllers{list: replicationControllers})
+			go auditRunAsNonRoot(kubeAuditDeployments{list: deployments})
+			wg.Wait()
+		}
 	},
 }
 

diff --git a/cmd/securityContext.go b/cmd/securityContext.go
@@ -91,28 +91,37 @@ kubeaudit sc
 kubeaudit sc nonroot
 kubeaudit sc rootfs`,
 	Run: func(cmd *cobra.Command, args []string) {
-		kube, err := kubeClient(rootConfig.kubeConfig)
-		if err != nil {
-			log.Error(err)
-		}
 		if rootConfig.json {
 			log.SetFormatter(&log.JSONFormatter{})
 		}
-		// fetch deployments, statefulsets, daemonsets
-		// and pods which do not belong to another abstraction
-		deployments := getDeployments(kube)
-		statefulSets := getStatefulSets(kube)
-		daemonSets := getDaemonSets(kube)
-		pods := getPods(kube)
-		replicationControllers := getReplicationControllers(kube)
-
-		wg.Add(5)
-		go auditSecurityContext(kubeAuditStatefulSets{list: statefulSets})
-		go auditSecurityContext(kubeAuditDaemonSets{list: daemonSets})
-		go auditSecurityContext(kubeAuditPods{list: pods})
-		go auditSecurityContext(kubeAuditReplicationControllers{list: replicationControllers})
-		go auditSecurityContext(kubeAuditDeployments{list: deployments})
-		wg.Wait()
+
+		if rootConfig.manifest != "" {
+			wg.Add(1)
+			resource := getKubeResource(rootConfig.manifest)
+			auditSecurityContext(resource)
+			wg.Wait()
+		} else {
+			kube, err := kubeClient(rootConfig.kubeConfig)
+			if err != nil {
+				log.Error(err)
+			}
+
+			// fetch deployments, statefulsets, daemonsets
+			// and pods which do not belong to another abstraction
+			deployments := getDeployments(kube)
+			statefulSets := getStatefulSets(kube)
+			daemonSets := getDaemonSets(kube)
+			pods := getPods(kube)
+			replicationControllers := getReplicationControllers(kube)
+
+			wg.Add(5)
+			go auditSecurityContext(kubeAuditStatefulSets{list: statefulSets})
+			go auditSecurityContext(kubeAuditDaemonSets{list: daemonSets})
+			go auditSecurityContext(kubeAuditPods{list: pods})
+			go auditSecurityContext(kubeAuditReplicationControllers{list: replicationControllers})
+			go auditSecurityContext(kubeAuditDeployments{list: deployments})
+			wg.Wait()
+		}
 	},
 }
 

diff --git a/cmd/securityContext_test.go b/cmd/securityContext_test.go
@@ -1,8 +1,9 @@
 package cmd
 
 import (
-	"github.com/Shopify/kubeaudit/fakeaudit"
 	"testing"
+
+	"github.com/Shopify/kubeaudit/fakeaudit"
 )
 
 func init() {
@@ -176,4 +177,4 @@ func TestReplicationControllerSC(t *testing.T) {
 			t.Error("Test 6: Failed to identify caps were added. Refer: fakeReplicationControllerSC4.yml")
 		}
 	}
-}
+}