Skip to content

Commit

Permalink
Merge pull request #32 from deggja/feat_27
Browse files Browse the repository at this point in the history
feat: implement dryrun
  • Loading branch information
deggja authored Dec 9, 2023
2 parents 25d49f9 + c8fdd52 commit 011279f
Show file tree
Hide file tree
Showing 4 changed files with 32 additions and 34 deletions.
2 changes: 1 addition & 1 deletion backend/cmd/root.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ import (
"github.com/spf13/cobra"
)

const version = "0.0.53"
const version = "0.0.59"

var rootCmd = &cobra.Command{
Use: "netfetch",
Expand Down
11 changes: 8 additions & 3 deletions backend/cmd/scan.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,17 +7,21 @@ import (
"github.com/spf13/cobra"
)

var dryRun bool

var scanCmd = &cobra.Command{
Use: "scan [namespace]",
Short: "Scan Kubernetes namespaces for network policies",
Long: `Scan all non-system Kubernetes namespaces for network policies and compare them with predefined standards.`,
Args: cobra.MaximumNArgs(1),
Long: `Scan Kubernetes namespaces for network policies.
You can perform a dry run of the scan using the --dryrun or -d flag,
which will simulate the scan without making any changes.`,
Args: cobra.MaximumNArgs(1),
Run: func(cmd *cobra.Command, args []string) {
var namespace string
if len(args) > 0 {
namespace = args[0]
}
_, err := k8s.ScanNetworkPolicies(namespace, false, true, true, true)
_, err := k8s.ScanNetworkPolicies(namespace, dryRun, false, true, true, true)
if err != nil {
// Handle the error appropriately
fmt.Println("Error during scan:", err)
Expand All @@ -27,5 +31,6 @@ var scanCmd = &cobra.Command{
}

func init() {
scanCmd.Flags().BoolVarP(&dryRun, "dryrun", "d", false, "Perform a dry run without applying any changes")
rootCmd.AddCommand(scanCmd)
}
51 changes: 22 additions & 29 deletions backend/pkg/k8s/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -41,15 +41,6 @@ type ScanResult struct {
Score int
}

// Check if kubeconfig exists and is not empty
func kubeconfigExists(kubeconfigPath string) bool {
info, err := os.Stat(kubeconfigPath)
if os.IsNotExist(err) {
return false
}
return !info.IsDir() && info.Size() > 0
}

// Check if error scanning is related to network issues
func isNetworkError(err error) bool {
var urlError *url.Error
Expand All @@ -69,7 +60,7 @@ func isNetworkError(err error) bool {
}

// ScanNetworkPolicies scans namespaces for network policies
func ScanNetworkPolicies(specificNamespace string, returnResult bool, isCLI bool, printScore bool, printMessages bool) (*ScanResult, error) {
func ScanNetworkPolicies(specificNamespace string, dryRun bool, returnResult bool, isCLI bool, printScore bool, printMessages bool) (*ScanResult, error) {
var output bytes.Buffer
var namespacesToScan []string

Expand Down Expand Up @@ -178,25 +169,27 @@ func ScanNetworkPolicies(specificNamespace string, returnResult bool, isCLI bool
}
}

confirm := false
prompt := &survey.Confirm{
Message: fmt.Sprintf("Do you want to add a default deny all network policy to the namespace %s?", nsName),
}
survey.AskOne(prompt, &confirm, nil)

if confirm {
err := createAndApplyDefaultDenyPolicy(nsName)
if err != nil {
errorPolicyMsg := fmt.Sprintf("\nFailed to apply default deny policy in namespace %s: %s\n", nsName, err)
printToBoth(writer, errorPolicyMsg)
if !dryRun {
confirm := false
prompt := &survey.Confirm{
Message: fmt.Sprintf("Do you want to add a default deny all network policy to the namespace %s?", nsName),
}
survey.AskOne(prompt, &confirm, nil)

if confirm {
err := createAndApplyDefaultDenyPolicy(nsName)
if err != nil {
errorPolicyMsg := fmt.Sprintf("\nFailed to apply default deny policy in namespace %s: %s\n", nsName, err)
printToBoth(writer, errorPolicyMsg)
} else {
successPolicyMsg := fmt.Sprintf("\nApplied default deny policy in namespace %s\n", nsName)
printToBoth(writer, successPolicyMsg)
policyChangesMade = true
}
} else {
successPolicyMsg := fmt.Sprintf("\nApplied default deny policy in namespace %s\n", nsName)
printToBoth(writer, successPolicyMsg)
policyChangesMade = true
userDeniedPolicyApplication = true
deniedNamespaces = append(deniedNamespaces, nsName)
}
} else {
userDeniedPolicyApplication = true
deniedNamespaces = append(deniedNamespaces, nsName)
}
} else {
scanResult.DeniedNamespaces = append(scanResult.DeniedNamespaces, nsName)
Expand Down Expand Up @@ -345,7 +338,7 @@ func HandleScanRequest(w http.ResponseWriter, r *http.Request) {
namespace := r.URL.Query().Get("namespace")

// Perform the scan
result, err := ScanNetworkPolicies(namespace, true, false, true, false)
result, err := ScanNetworkPolicies(namespace, false, true, false, true, false)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
Expand Down Expand Up @@ -443,7 +436,7 @@ func HandleAddPolicyRequest(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]string{"message": "Implicit default deny all network policy successfully added to namespace " + req.Namespace})

scanResult, err := ScanNetworkPolicies(req.Namespace, true, false, false, false)
scanResult, err := ScanNetworkPolicies(req.Namespace, false, true, false, false, false)
if err != nil {
http.Error(w, "Error re-scanning after applying policy: "+err.Error(), http.StatusInternalServerError)
return
Expand Down
2 changes: 1 addition & 1 deletion backend/statik/statik.go

Large diffs are not rendered by default.

0 comments on commit 011279f

Please sign in to comment.