From 9c59e6d55692ecf5f30a4c2b0ea4afe19b487655 Mon Sep 17 00:00:00 2001
From: Genevieve Luyt <11131143+genevieveluyt@users.noreply.github.com>
Date: Tue, 13 Jul 2021 10:45:39 -0400
Subject: [PATCH] 345: Fix audit config (#346)

Co-authored-by: Dani
---
 .github/workflows/ci.yml | 4 +-
 auditors/all/all.go | 22 +++++++----
 auditors/all/all_test.go | 79 ++++++++++++++++++++++++++++++++++++++++
 cmd/commands/VERSION | 2 +-
 config/config.go | 15 +++-----
 5 files changed, 102 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8472ef43..5561877f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,9 +2,9 @@ name: CI
 on:
 push:
 branches:
- - master
+ - main
 pull_request:
- branches: [master]
+ branches: [main]
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/auditors/all/all.go b/auditors/all/all.go
index 2b87dae8..fd5d7999 100644
--- a/auditors/all/all.go
+++ b/auditors/all/all.go
@@ -40,13 +40,8 @@ var AuditorNames = []string{
 }
 
 func Auditors(conf config.KubeauditConfig) ([]kubeaudit.Auditable, error) {
- enabledAuditors := conf.GetEnabledAuditors()
- if len(enabledAuditors) == 0 {
- enabledAuditors = AuditorNames
- }
-
- auditors := make([]kubeaudit.Auditable, 0, len(enabledAuditors))
- for _, auditorName := range enabledAuditors {
+ auditors := []kubeaudit.Auditable{}
+ for _, auditorName := range getEnabledAuditors(conf) {
 auditor, err := initAuditor(auditorName, conf)
 if err != nil {
 return nil, err
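Review bot: `auditors := []kubeaudit.Auditable{}` gives up the capacity hint the removed `make` call carried even though the enabled list is fully known before the loop; binding it first with `enabled := getEnabledAuditors(conf)` and then `auditors := make([]kubeaudit.Auditable, 0, len(enabled))` keeps a single allocation and the same non-nil result. The body of Auditors continues past the end of this hunk, so the error path after `return nil, err` is not visible here.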
@@ -57,6 +52,19 @@ func Auditors(conf config.KubeauditConfig) ([]kubeaudit.Auditable, error) {
 return auditors, nil
 }
 
+// getEnabledAuditors returns a list of all auditors excluding any explicitly disabled in the config
+func getEnabledAuditors(conf config.KubeauditConfig) []string {
+ auditors := []string{}
+ for _, auditorName := range AuditorNames {
+ // if value is not found in the `conf.GetEnabledAuditors()` map, this means
+ // it wasn't added to the config file, so it should be enabled by default
+ if enabled, ok := conf.GetEnabledAuditors()[auditorName]; !ok || enabled {
+ auditors = append(auditors, auditorName)
+ }
+ }
+ return auditors
+}
+
 func initAuditor(name string, conf config.KubeauditConfig) (kubeaudit.Auditable, error) {
 switch name {
 case apparmor.Name:
diff --git a/auditors/all/all_test.go b/auditors/all/all_test.go
index 481b1264..a1d56f30 100644
--- a/auditors/all/all_test.go
+++ b/auditors/all/all_test.go
@@ -8,6 +8,7 @@ import (
 "github.com/Shopify/kubeaudit/auditors/apparmor"
 "github.com/Shopify/kubeaudit/auditors/asat"
 "github.com/Shopify/kubeaudit/auditors/capabilities"
+ "github.com/Shopify/kubeaudit/auditors/mounts"
 "github.com/Shopify/kubeaudit/auditors/hostns"
 "github.com/Shopify/kubeaudit/auditors/image"
 
@@ -20,6 +21,7 @@ import (
 "github.com/Shopify/kubeaudit/auditors/seccomp"
 "github.com/Shopify/kubeaudit/config"
 "github.com/Shopify/kubeaudit/internal/test"
+ "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 )
 
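Review bot: A key in the config's enabled-auditors map that matches no entry of `AuditorNames` (a misspelled auditor name, for instance) is never looked at by the loop in getEnabledAuditors, so an operator who believes they disabled an auditor gets no signal that the key had no effect; the auditor stays enabled, which is the safe default, but the misconfiguration is silently dropped. The function could walk the config map once, compare each key against AuditorNames and surface unknown names to the caller (Auditors already returns an error, so the plumbing exists). Separately, `conf.GetEnabledAuditors()` is re-evaluated on every iteration of the loop; hoisting it with `enabled := conf.GetEnabledAuditors()` above the `for` and indexing `enabled[auditorName]` reads more clearly and makes the single-lookup intent explicit.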
@@ -97,6 +99,83 @@ func TestAllWithConfig(t *testing.T) {
 }
 }
 
+func TestGetEnabledAuditors(t *testing.T) {
+ cases := []struct {
+ testName string
+ enabledAuditors map[string]bool
+ expectedAuditors []string
+ }{
+ {
+ // If no config is provided, all auditors should be enabled
+ testName: "No config",
+ enabledAuditors: map[string]bool{},
+ expectedAuditors: AuditorNames,
+ },
+ {
+ // If some auditors are explicitly disabled, the rest should default to being enabled
+ testName: "Some disabled",
+ enabledAuditors: map[string]bool{
+ "apparmor": false,
+ "rootfs": false,
+ },
+ expectedAuditors: []string{
+ asat.Name,
+ capabilities.Name,
+ hostns.Name,
+ image.Name,
+ limits.Name,
+ mounts.Name,
+ netpols.Name,
+ nonroot.Name,
+ privesc.Name,
+ privileged.Name,
+ seccomp.Name,
+ },
+ },
+ {
+ testName: "Some enabled",
+ enabledAuditors: map[string]bool{
+ "apparmor": true,
+ "rootfs": true,
+ },
+ expectedAuditors: AuditorNames,
+ },
+ {
+ // If some auditors are explicitly disabled, the rest should default to being enabled
+ testName: "Some enabled, some disabled",
+ enabledAuditors: map[string]bool{
+ "asat": true,
+ "apparmor": false,
+ "capabilities": true,
+ "rootfs": false,
+ },
+ expectedAuditors: []string{
+ asat.Name,
+ capabilities.Name,
+ hostns.Name,
+ image.Name,
+ limits.Name,
+ mounts.Name,
+ netpols.Name,
+ nonroot.Name,
+ privesc.Name,
+ privileged.Name,
+ seccomp.Name,
+ },
+ },
+ }
+
+ for _, tc := range cases {
+ t.Run(tc.testName, func(t *testing.T) {
+ conf := config.KubeauditConfig{
+ EnabledAuditors: tc.enabledAuditors,
+ }
+ got := getEnabledAuditors(conf)
+ assert.ElementsMatch(t, got, tc.expectedAuditors)
+ })
+ }
+}
+
 func enabledAuditorsToMap(enabledAuditors []string) map[string]bool {
 enabledAuditorMap := map[string]bool{}
 for _, auditorName := range AuditorNames {
diff --git a/cmd/commands/VERSION b/cmd/commands/VERSION
index 930e3000..e867cc2a 100644
--- a/cmd/commands/VERSION
+++ b/cmd/commands/VERSION
@@ -1 +1 @@
-0.14.1
+0.14.2
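Review bot: TestGetEnabledAuditors never feeds getEnabledAuditors a key that is absent from AuditorNames, so the function's behaviour for an unrecognized name in the config is left unpinned even though that is the most likely operator mistake; a case such as `enabledAuditors: map[string]bool{"no-such-auditor": false}` with `expectedAuditors: AuditorNames` would document that such keys are ignored today. The two explicit expected lists repeat the full auditor roster by hand and will need editing every time an auditor is added, where filtering AuditorNames by the disabled keys inside the test would track the roster automatically. The comment above the "Some enabled, some disabled" case is a verbatim copy of the "Some disabled" comment and should describe the mixed case, e.g. `// Explicit true entries are redundant but harmless; only explicit false entries remove an auditor`. The map keys are spelled as string literals while the expectations use the `.Name` constants; using the constants for both keeps a renamed auditor from silently turning a disable into a no-op in the test.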
diff --git a/config/config.go b/config/config.go
index c0761618..a9f160c8 100644
--- a/config/config.go
+++ b/config/config.go
@@ -1,10 +1,11 @@
 package config
 
 import (
- "github.com/Shopify/kubeaudit/auditors/mounts"
 "io"
 "io/ioutil"
 
+ "github.com/Shopify/kubeaudit/auditors/mounts"
+
 "github.com/Shopify/kubeaudit/auditors/capabilities"
 "github.com/Shopify/kubeaudit/auditors/image"
 "github.com/Shopify/kubeaudit/auditors/limits"
@@ -31,17 +32,11 @@ type KubeauditConfig struct {
 AuditorConfig AuditorConfig `yaml:"auditors"`
 }
 
-func (conf *KubeauditConfig) GetEnabledAuditors() []string {
+func (conf *KubeauditConfig) GetEnabledAuditors() map[string]bool {
 if conf == nil {
- return []string{}
- }
- enabledAuditors := make([]string, 0, len(conf.EnabledAuditors))
- for auditorName, enabled := range conf.EnabledAuditors {
- if enabled {
- enabledAuditors = append(enabledAuditors, auditorName)
- }
+ return map[string]bool{}
 }
- return enabledAuditors
+ return conf.EnabledAuditors
 }
 
 func (conf *KubeauditConfig) GetAuditorConfigs() AuditorConfig {
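Review bot: `return conf.EnabledAuditors` hands out the config's own map, so any caller that writes to the result mutates the loaded configuration, and when conf is non-nil but the field was never populated the method returns a nil map while the nil-receiver branch returns an empty one, an inconsistency that is harmless for reads but will panic on the first write. Either copy the entries into a fresh map before returning in both branches, or pin the contract with a doc comment on the exported method, which is still missing after the rewrite: `// GetEnabledAuditors returns the auditor enablement map as loaded from the config file. The map is the config's own and must be treated as read-only by callers.` The import-regrouping hunk above is cosmetic and needs no change.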