From b19f6509d92abc22a8cf2789a98a740af20831e6 Mon Sep 17 00:00:00 2001
From: Navraj Singh Chhina
Date: Thu, 28 Mar 2019 19:11:08 -0400
Subject: [PATCH] Remove creationTS for jobspec and fix 80 char line break (#200)
* remove creationTS for jobspec
* add test for lines longer than 80 char
* update images
* update fixed file as well
---
 cmd/autofix_util.go | 7 +-
 fixtures/autofix-all-resources-fixed_v1.yml | 133 ++++++++++++++++++++
 fixtures/autofix-all-resources_v1.yml | 103 +++++++++++++++
 fixtures/image_tag_missing_v1.yml | 27 ++++
 go.mod | 2 +-
 go.sum | 4 +-
 6 files changed, 272 insertions(+), 4 deletions(-)
diff --git a/cmd/autofix_util.go b/cmd/autofix_util.go
index 48926e47..d04b4101 100644
--- a/cmd/autofix_util.go
+++ b/cmd/autofix_util.go
@@ -670,12 +670,13 @@ func splitYamlResources(filename string, toWriteFile string) (splitDecoded [][]b
 func cleanupManifest(origFile string, finalData []byte) ([]byte, error) {
 objectMetacreationTs := []byte("\n creationTimestamp: null\n")
 specTemplatecreationTs := []byte("\n creationTimestamp: null\n")
+ jobSpecTemplatecreationTs := []byte("\n creationTimestamp: null\n")
 nullStatus := []byte("\nstatus: {}\n")
 nullReplicaStatus := []byte("status:\n replicas: 0\n")
 nullLBStatus := []byte("status:\n loadBalancer: {}\n")
 nullMetaStatus := []byte("\n status: {}\n")
- var hasObjectMetacreationTs, hasSpecTemplatecreationTs, hasNullStatus,
+ var hasObjectMetacreationTs, hasSpecTemplatecreationTs, hasJobSpecTemplatecreationTs, hasNullStatus,
 hasNullReplicaStatus, hasNullLBStatus, hasNullMetaStatus bool
 if origFile != "" {
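Review bot: The new `jobSpecTemplatecreationTs` handling in this hunk and in the two hunks below (`hasJobSpecTemplatecreationTs = bytes.Contains(...)` and its `bytes.Replace` block) is a third copy of the same check-then-strip triple, with the three patterns differing only in their indentation; a slice of the patterns iterated once at the `bytes.Contains` stage and once at the `bytes.Replace` stage would make the next nesting level a one-line addition instead of a new constant, flag and if-block. Stripping only the `creationTimestamp: null` line can also leave its parent mapping behind when it was the only child — the fixed CronJob fixture in this commit ends its `jobTemplate` with a bare `metadata:` line before `schedule:` that the unfixed fixture does not have, which reads like an empty `jobTemplate.metadata` left over (the flattened indentation makes this an inference; confirm against the file). A comment on the three constants would help the next reader, e.g. `// marshalled output carries "creationTimestamp: null" at the object, spec.template and jobTemplate.spec.template metadata levels; each is stripped only when the original manifest did not already contain it at that indent`. `cleanupManifest` continues past the end of this hunk.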
@@ -685,6 +686,7 @@ func cleanupManifest(origFile string, finalData []byte) ([]byte, error) {
 }
 hasObjectMetacreationTs = bytes.Contains(origData, objectMetacreationTs)
 hasSpecTemplatecreationTs = bytes.Contains(origData, specTemplatecreationTs)
+ hasJobSpecTemplatecreationTs = bytes.Contains(origData, jobSpecTemplatecreationTs)
 hasNullStatus = bytes.Contains(origData, nullStatus)
 hasNullReplicaStatus = bytes.Contains(origData, nullReplicaStatus)
@@ -699,6 +701,9 @@ func cleanupManifest(origFile string, finalData []byte) ([]byte, error) {
 if !hasSpecTemplatecreationTs {
 finalData = bytes.Replace(finalData, specTemplatecreationTs, []byte("\n"), -1)
 }
+ if !hasJobSpecTemplatecreationTs {
+ finalData = bytes.Replace(finalData, jobSpecTemplatecreationTs, []byte("\n"), -1)
+ }
 if !hasNullStatus {
 finalData = bytes.Replace(finalData, nullStatus, []byte("\n"), -1)
 }
diff --git a/fixtures/autofix-all-resources-fixed_v1.yml b/fixtures/autofix-all-resources-fixed_v1.yml
index 63fa7dc8..639ade28 100644
--- a/fixtures/autofix-all-resources-fixed_v1.yml
+++ b/fixtures/autofix-all-resources-fixed_v1.yml
@@ -84,6 +84,139 @@ metadata:
 spec: {}
 status: {}
 ---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ labels:
+ app: testapp
+ env: production
+ name: jobs
+ name: testapp
+spec:
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ spec:
+ backoffLimit: 0
+ template:
+ metadata:
+ labels:
+ app: testapp
+ env: production
+ name: testapp
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/jobs: runtime/default
+ seccomp.security.alpha.kubernetes.io/pod: runtime/default
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: role
+ operator: In
+ values:
+ - testapp
+ automountServiceAccountToken: false
+ containers:
+ - env:
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /var/run/gcloud/key
+ image: gcr.io/docker-image/testapp:<%= current_sha %>
+ args:
+ - gcr.io/docker-images
+ name: jobs
+ resources:
+ limits:
+ cpu: "1"
+ memory: 10Gi
+ requests:
+ cpu: "1"
+ memory: 10Gi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - NET_RAW
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ volumeMounts:
+ - name: google-service-account
+ mountPath: /var/run/gcloud
+ readOnly: true
+ restartPolicy: Never
+ tolerations:
+ - key: app
+ operator: Equal
+ value: testapp
+ effect: NoExecute
+ volumes:
+ - name: google-service-account
+ secret:
+ secretName: service-account-key
+ metadata:
+ schedule: 30 13 * * 1-5
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ creationTimestamp: null
+ name: fakeDeploymentImg1
+ namespace: fakeDeploymentImg
+spec:
+ strategy: {}
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ apps: fakeImage
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/fakeContainerImg: runtime/default
+ seccomp.security.alpha.kubernetes.io/pod: runtime/default
+ spec:
+ # Trust me the following line is longer than 80 characters
+ containers:
+ - image: gcr.io/docker-images-directory/apps/production/fake-image-app:<%= current_sha %>
+ name: fakeContainerImg
+ resources: {}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - NET_RAW
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ automountServiceAccountToken: false
+ selector: null
+status: {}
+---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
diff --git a/fixtures/autofix-all-resources_v1.yml b/fixtures/autofix-all-resources_v1.yml
index d9b14d88..593f3527 100644
--- a/fixtures/autofix-all-resources_v1.yml
+++ b/fixtures/autofix-all-resources_v1.yml
@@ -42,3 +42,106 @@ metadata:
 creationTimestamp: null
 spec: {}
 status: {}
+
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ labels:
+ app: testapp
+ env: production
+ name: jobs
+ name: testapp
+spec:
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ spec:
+ backoffLimit: 0
+ template:
+ metadata:
+ labels:
+ app: testapp
+ env: production
+ name: testapp
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: role
+ operator: In
+ values:
+ - testapp
+ automountServiceAccountToken: false
+ containers:
+ - env:
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /var/run/gcloud/key
+ image: gcr.io/docker-image/testapp:<%= current_sha %>
+ args: ["gcr.io/docker-images"]
+ name: jobs
+ resources:
+ limits:
+ cpu: "1"
+ memory: 10Gi
+ requests:
+ cpu: "1"
+ memory: 10Gi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - NET_RAW
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsNonRoot: true
+ volumeMounts:
+ - name: google-service-account
+ mountPath: "/var/run/gcloud"
+ readOnly: true
+ restartPolicy: Never
+ tolerations:
+ - key: "app"
+ operator: "Equal"
+ value: "testapp"
+ effect: "NoExecute"
+ volumes:
+ - name: google-service-account
+ secret:
+ secretName: service-account-key
+ schedule: 30 13 * * 1-5
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ creationTimestamp: null
+ name: fakeDeploymentImg1
+ namespace: fakeDeploymentImg
+spec:
+ strategy: {}
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ apps: fakeImage
+ spec:
+ # Trust me the following line is longer than 80 characters
+ containers:
+ - image: gcr.io/docker-images-directory/apps/production/fake-image-app:<%= current_sha %>
+ name: fakeContainerImg
+ resources: {}
+status: {}
diff --git a/fixtures/image_tag_missing_v1.yml b/fixtures/image_tag_missing_v1.yml
index 66c56843..a12c6d7e 100644
--- a/fixtures/image_tag_missing_v1.yml
+++ b/fixtures/image_tag_missing_v1.yml
@@ -1,3 +1,4 @@
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -11,9 +12,35 @@ spec:
 creationTimestamp: null
 labels:
 apps: fakeImage
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/fakeContainerImg: runtime/default
+ seccomp.security.alpha.kubernetes.io/pod: runtime/default
 spec:
 containers:
 - image: fakeContainerImg
 name: fakeContainerImg
 resources: {}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - NET_RAW
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ automountServiceAccountToken: false
+ selector: null
 status: {}
diff --git a/go.mod b/go.mod
index e6926279..5c2738f5 100644
--- a/go.mod
+++ b/go.mod
@@ -2,7 +2,7 @@ module github.com/Shopify/kubeaudit
 require (
 cloud.google.com/go v0.34.0 // indirect
- github.com/Shopify/yaml v0.0.0-20181217205125-7421e5c313a1
+ github.com/Shopify/yaml v0.0.0-20190328215659-1aafb9de702d
 github.com/evanphx/json-patch v4.1.0+incompatible // indirect
 github.com/go-test/deep v1.0.1
 github.com/gogo/protobuf v1.2.0 // indirect
diff --git a/go.sum b/go.sum
index 3cf5b4b8..15588490 100644
--- a/go.sum
+++ b/go.sum
@@ -1,7 +1,7 @@
 cloud.google.com/go v0.34.0 h1:eOI3/cP2VTU6uZLDYAoic+eyzzB9YyGmJ7eIjl8rOPg=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-github.com/Shopify/yaml v0.0.0-20181217205125-7421e5c313a1 h1:QkXVRqdtnA8l5Dhhxo1QpFuy9vrS2NYlwMUzZKhtmzs=
-github.com/Shopify/yaml v0.0.0-20181217205125-7421e5c313a1/go.mod h1:F+L2Ws/5G2Po8VIyt25PaorPQ61EWtQRwVNFF1P7DbI=
+github.com/Shopify/yaml v0.0.0-20190328215659-1aafb9de702d h1:t5yaUYWv3XaeGNvWJi8vGNIsDSUqGPKaVToDkIjW/6g=
+github.com/Shopify/yaml v0.0.0-20190328215659-1aafb9de702d/go.mod h1:kYv0kdKeZo6HHK51q/+psdHmkI5avnAoHFva9aKxK2Q=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/evanphx/json-patch v4.1.0+incompatible h1:K1MDoo4AZ4wU0GIU/fPmtZg7VpzLjCxu+UwBD1FvwOc=