From 80bd186e5fdc6a8b1c3fc718a7708b8a5e98c0e3 Mon Sep 17 00:00:00 2001
From: Prachi Damle
Date: Mon, 4 Jan 2021 16:04:40 -0800
Subject: [PATCH] Read multi-line value from the default-profiles configmap and use approprite profile per cluster's k8s version
---
 pkg/apis/cis.cattle.io/v1/doc.go | 2 +-
 .../cis.cattle.io/v1/zz_generated_deepcopy.go | 2 +-
 .../v1/zz_generated_list_types.go | 2 +-
 .../cis.cattle.io/v1/zz_generated_register.go | 2 +-
 .../cis.cattle.io/zz_generated_register.go | 2 +-
 .../controllers/cis.cattle.io/factory.go | 2 +-
 .../controllers/cis.cattle.io/interface.go | 2 +-
 .../cis.cattle.io/v1/clusterscan.go | 2 +-
 .../cis.cattle.io/v1/clusterscanbenchmark.go | 2 +-
 .../cis.cattle.io/v1/clusterscanprofile.go | 2 +-
 .../cis.cattle.io/v1/clusterscanreport.go | 2 +-
 .../controllers/cis.cattle.io/v1/interface.go | 2 +-
 pkg/securityscan/scanHandler.go | 43 ++++++++++++++++++-
 13 files changed, 53 insertions(+), 14 deletions(-)
diff --git a/pkg/apis/cis.cattle.io/v1/doc.go b/pkg/apis/cis.cattle.io/v1/doc.go
index f64133c3..edab3d47 100644
--- a/pkg/apis/cis.cattle.io/v1/doc.go
+++ b/pkg/apis/cis.cattle.io/v1/doc.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2020 Rancher Labs, Inc.
+Copyright 2021 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/pkg/apis/cis.cattle.io/v1/zz_generated_deepcopy.go b/pkg/apis/cis.cattle.io/v1/zz_generated_deepcopy.go
index c07a2922..c59bf096 100644
--- a/pkg/apis/cis.cattle.io/v1/zz_generated_deepcopy.go
+++ b/pkg/apis/cis.cattle.io/v1/zz_generated_deepcopy.go
@@ -1,7 +1,7 @@
 // +build !ignore_autogenerated
 
 /*
-Copyright 2020 Rancher Labs, Inc.
+Copyright 2021 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/pkg/apis/cis.cattle.io/v1/zz_generated_list_types.go b/pkg/apis/cis.cattle.io/v1/zz_generated_list_types.go
index d5a0a13d..153a413f 100644
--- a/pkg/apis/cis.cattle.io/v1/zz_generated_list_types.go
+++ b/pkg/apis/cis.cattle.io/v1/zz_generated_list_types.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2020 Rancher Labs, Inc.
+Copyright 2021 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/pkg/apis/cis.cattle.io/v1/zz_generated_register.go b/pkg/apis/cis.cattle.io/v1/zz_generated_register.go
index 625355a6..b1461e6c 100644
--- a/pkg/apis/cis.cattle.io/v1/zz_generated_register.go
+++ b/pkg/apis/cis.cattle.io/v1/zz_generated_register.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2020 Rancher Labs, Inc.
+Copyright 2021 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/pkg/apis/cis.cattle.io/zz_generated_register.go b/pkg/apis/cis.cattle.io/zz_generated_register.go
index 2f737493..a014028e 100644
--- a/pkg/apis/cis.cattle.io/zz_generated_register.go
+++ b/pkg/apis/cis.cattle.io/zz_generated_register.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2020 Rancher Labs, Inc.
+Copyright 2021 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/pkg/generated/controllers/cis.cattle.io/factory.go b/pkg/generated/controllers/cis.cattle.io/factory.go
index a0790591..865d2b03 100644
--- a/pkg/generated/controllers/cis.cattle.io/factory.go
+++ b/pkg/generated/controllers/cis.cattle.io/factory.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2020 Rancher Labs, Inc.
+Copyright 2021 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/pkg/generated/controllers/cis.cattle.io/interface.go b/pkg/generated/controllers/cis.cattle.io/interface.go
index 74679617..4521e8d8 100644
--- a/pkg/generated/controllers/cis.cattle.io/interface.go
+++ b/pkg/generated/controllers/cis.cattle.io/interface.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2020 Rancher Labs, Inc.
+Copyright 2021 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/pkg/generated/controllers/cis.cattle.io/v1/clusterscan.go b/pkg/generated/controllers/cis.cattle.io/v1/clusterscan.go
index b775c3e3..f8cab9a1 100644
--- a/pkg/generated/controllers/cis.cattle.io/v1/clusterscan.go
+++ b/pkg/generated/controllers/cis.cattle.io/v1/clusterscan.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2020 Rancher Labs, Inc.
+Copyright 2021 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/pkg/generated/controllers/cis.cattle.io/v1/clusterscanbenchmark.go b/pkg/generated/controllers/cis.cattle.io/v1/clusterscanbenchmark.go
index c0bc7619..6417ebb6 100644
--- a/pkg/generated/controllers/cis.cattle.io/v1/clusterscanbenchmark.go
+++ b/pkg/generated/controllers/cis.cattle.io/v1/clusterscanbenchmark.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2020 Rancher Labs, Inc.
+Copyright 2021 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/pkg/generated/controllers/cis.cattle.io/v1/clusterscanprofile.go b/pkg/generated/controllers/cis.cattle.io/v1/clusterscanprofile.go
index 7fa1e4b0..89e1567c 100644
--- a/pkg/generated/controllers/cis.cattle.io/v1/clusterscanprofile.go
+++ b/pkg/generated/controllers/cis.cattle.io/v1/clusterscanprofile.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2020 Rancher Labs, Inc.
+Copyright 2021 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/pkg/generated/controllers/cis.cattle.io/v1/clusterscanreport.go b/pkg/generated/controllers/cis.cattle.io/v1/clusterscanreport.go
index 2e1e1559..f2d0e239 100644
--- a/pkg/generated/controllers/cis.cattle.io/v1/clusterscanreport.go
+++ b/pkg/generated/controllers/cis.cattle.io/v1/clusterscanreport.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2020 Rancher Labs, Inc.
+Copyright 2021 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/pkg/generated/controllers/cis.cattle.io/v1/interface.go b/pkg/generated/controllers/cis.cattle.io/v1/interface.go
index f88bb9ed..8c1cede1 100644
--- a/pkg/generated/controllers/cis.cattle.io/v1/interface.go
+++ b/pkg/generated/controllers/cis.cattle.io/v1/interface.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2020 Rancher Labs, Inc.
+Copyright 2021 Rancher Labs, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/pkg/securityscan/scanHandler.go b/pkg/securityscan/scanHandler.go
index caef67c1..1da754d9 100644
--- a/pkg/securityscan/scanHandler.go
+++ b/pkg/securityscan/scanHandler.go
@@ -1,6 +1,7 @@
 package securityscan
 
 import (
+ "bufio"
 "context"
 "fmt"
 "strings"
@@ -179,7 +180,7 @@ func (c *Controller) getClusterScanProfile(scan *v1.ClusterScan) (*v1.ClusterSca
 profileName = scan.Spec.ScanProfileName
 } else {
 //pick the default profile by checking the cluster provider
-profileName, err = c.getDefaultClusterScanProfile(c.ClusterProvider)
+profileName, err = c.getDefaultClusterScanProfile(c.ClusterProvider, c.KubernetesVersion)
 if err != nil {
 return nil, err
 }
@@ -200,7 +201,7 @@ func (c *Controller) getClusterScanBenchmark(profile *v1.ClusterScanProfile) (*v
 return clusterscanbmks.Get(profile.Spec.BenchmarkVersion, metav1.GetOptions{})
 }
 
-func (c *Controller) getDefaultClusterScanProfile(clusterprovider string) (string, error) {
+func (c *Controller) getDefaultClusterScanProfile(clusterprovider string, clusterK8sVersion string) (string, error) {
 var err error
 configmaps := c.coreFactory.Core().V1().ConfigMap()
 cm, err := configmaps.Cache().Get(v1.ClusterScanNS, v1.DefaultClusterScanProfileConfigMap)
@@ -211,9 +212,47 @@ func (c *Controller) getDefaultClusterScanProfile(clusterprovider string) (strin
 if !ok {
 profileName = cm.Data["default"]
 }
+ lines := c.splitLines(profileName)
+ if len(lines) > 1 {
+ logrus.Debugf("profilename is determined by k8s version %v", lines)
+ for _, line := range lines {
+ parts := strings.Split(line, ":")
+ if len(parts) > 1 {
+ k8sRange := parts[0]
+ profile := parts[1]
+ // validate cluster's k8s version matches the profile's k8s version range
+ clusterK8sToMatch, err := semver.Make(clusterK8sVersion[1:])
+ if err != nil {
+ return "", fmt.Errorf("cluster's k8sVersion is not semver %s %v", c.KubernetesVersion, err)
+ }
+ if k8sRange != "" {
+ benchmarkK8sRange, err := semver.ParseRange(k8sRange)
+ if err != nil {
+ logrus.Errorf("K8s range set for profile %s is not semver: %v, error: %v", profile, k8sRange, err)
+ continue
+ }
+ if !benchmarkK8sRange(clusterK8sToMatch) {
+ logrus.Debugf("Kubernetes version mismatch, ClusterScanProfile %v is not valid for this cluster's K8s version %v", profile, c.KubernetesVersion)
+ continue
+ }
+ return strings.TrimSpace(profile), nil
+ }
+ }
+ }
+ return cm.Data["default"], nil
+ }
 return profileName, nil
 }
 
+func (c *Controller) splitLines(s string) []string {
+ var lines []string
+ sc := bufio.NewScanner(strings.NewReader(s))
+ for sc.Scan() {
+ lines = append(lines, sc.Text())
+ }
+ return lines
+}
+
 func (c Controller) validateClusterScanProfile(profile *v1.ClusterScanProfile) error {
 // validate benchmarkVersion is valid and is applicable to this cluster
 clusterscanbmks := c.cisFactory.Cis().V1().ClusterScanBenchmark()
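Review bot: `clusterK8sVersion[1:]` in the new range-matching loop panics when the version string is empty and mangles a version without a leading `v` (`"1.19.3"` becomes `".19.3"`, so `semver.Make` fails and the whole scan aborts); use `strings.TrimPrefix(clusterK8sVersion, "v")` instead, and since the value does not change per line, parse it once before the `for` loop rather than on every iteration. The error returned on that path formats `c.KubernetesVersion` while the function now takes `clusterK8sVersion`; report the parameter so the message names what was actually parsed. The ConfigMap is operator-editable input, so a malformed entry should degrade to the `default` fallback or a returned error, never a panic inside the controller. Note also that a line whose range part is empty (`:profile`) is silently skipped rather than treated as "any version", which is worth stating in a comment on `getDefaultClusterScanProfile` or handling explicitly.
```go
	lines := c.splitLines(profileName)
	if len(lines) > 1 {
		logrus.Debugf("profilename is determined by k8s version %v", lines)
		// Parse the cluster version once; tolerate a missing "v" prefix instead of slicing blindly.
		clusterK8sToMatch, err := semver.Make(strings.TrimPrefix(clusterK8sVersion, "v"))
		if err != nil {
			return "", fmt.Errorf("cluster's k8sVersion is not semver %s %v", clusterK8sVersion, err)
		}
		for _, line := range lines {
			parts := strings.Split(line, ":")
			if len(parts) > 1 {
				k8sRange := parts[0]
				profile := parts[1]
				// … unchanged: range parsing, match check and return …
```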