Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Factory:Rebuild
kubeaudit
kubeaudit-0.22.2.obscpio
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File kubeaudit-0.22.2.obscpio of Package kubeaudit
07070100000000000081A400000000000000000000000166C635DC0000002E000000000000000000000000000000000000001F00000000kubeaudit-0.22.2/.dockerignore.* docs/ Makefile LICENSE *.md *.sh Dockerfile07070100000001000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000001900000000kubeaudit-0.22.2/.github07070100000002000081A400000000000000000000000166C635DC00000665000000000000000000000000000000000000002B00000000kubeaudit-0.22.2/.github/ISSUE_TEMPLATE.md# 🚨 Deprecation Notice 🚨 Kubeaudit is planned for deprecation by October 2024. We are actively seeking maintainers who are interested in taking over the stewardship of this project. If you are passionate about continuing its development and maintenance, please reach out to us. For users looking for alternatives, we recommend transitioning to Kubebench, which offers similar functionality and is actively maintained. Thank you to the community for your contributions and support. <!-- Please erase any parts of this template not applicable to your issue. --> ##### ISSUE TYPE - [ ] Bug Report - [ ] Feature Idea # BUG REPORT ##### SUMMARY <!-- Briefly describe the problem/enhancement. --> ##### ENVIRONMENT * Kubeaudit version: X.Y.Z * Kubeaudit install method: DIY-BUILD/Binary/Kubectl-Plugin ##### STEPS TO REPRODUCE <!-- Please describe exactly how to reproduce the problem. --> ##### EXPECTED RESULTS <!-- What did you expect to happen when running the steps above? --> ##### ACTUAL RESULTS <!-- What actually happened? --> ##### ADDITIONAL INFORMATION <!-- Include any screenshots or other information. --> # FEATURE IDEA - [ ] If the maintainers agree with the feature as described here, I intend to submit a Pull Request myself.<sup>1</sup> **Proposal:** <!-- provide details on the behaviour you'd like to see and why it would be useful --> <sup><small>1</small></sup> <sub>This is the quickest way to get a new feature! We reserve the right to close feature requests, even ones we like, if the proposer does not intend to contribute to the feature and it doesn't fit in our current roadmap.</sub> 07070100000003000081A400000000000000000000000166C635DC000007A0000000000000000000000000000000000000003200000000kubeaudit-0.22.2/.github/PULL_REQUEST_TEMPLATE.md<!-- Please erase any parts of this template not applicable to your Pull Request. --> <!-- All code PR must be labeled with :bug: (patch fixes), :sparkles: (backwards-compatible features), or :warning: (breaking changes) --> # 🚨 Deprecation Notice 🚨 Kubeaudit is planned for deprecation by October 2024. We are actively seeking maintainers who are interested in taking over the stewardship of this project. If you are passionate about continuing its development and maintenance, please reach out to us. For users looking for alternatives, we recommend transitioning to Kubebench, which offers similar functionality and is actively maintained. Thank you to the community for your contributions and support. ##### Description <!-- Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. --> Fixes # (issue) ##### Type of change <!-- Please delete options that are not relevant. ---> - [ ] Bug fix :bug: - [ ] New feature :sparkles: - [ ] This change requires a documentation update :book: - [ ] Breaking changes :warning: ##### How Has This Been Tested? <!-- Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration --> - [ ] Test A - [ ] Test B ##### Checklist: - [ ] I have :tophat: my changes (A 🎩 specifically includes pulling down changes, setting them up, and manually testing the changed features and potential side effects to make sure nothing is broken) - [ ] I have performed a self-review of my own code - [ ] I have made corresponding changes to the documentation - [ ] I have added tests that prove my fix is effective or that my feature works - [ ] New and existing unit tests pass locally with my changes - [ ] The test coverage did not decrease - [ ] I have signed the appropriate [Contributor License Agreement](https://cla.shopify.com/) 07070100000004000081A400000000000000000000000166C635DC00000080000000000000000000000000000000000000002800000000kubeaudit-0.22.2/.github/dependabot.ymlversion: 2 updates: - package-ecosystem: gomod directory: "/" schedule: interval: daily open-pull-requests-limit: 100 07070100000005000081A400000000000000000000000166C635DC000000BD000000000000000000000000000000000000002500000000kubeaudit-0.22.2/.github/labeler.ymlcore: - '/cmd' legal: - any: ['LICENSE*', 'CODE_OF_CONDUCT*'] config: - any: ['.github','build','Makefile','/config'] go-modules: - 'go.*' readme: - 'README*' datafiles: - '/fixtures' 07070100000006000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002300000000kubeaudit-0.22.2/.github/workflows07070100000007000081A400000000000000000000000166C635DC00000259000000000000000000000000000000000000002A00000000kubeaudit-0.22.2/.github/workflows/ci.ymlname: CI on: push: branches: - main pull_request: branches: [main] jobs: test: runs-on: ubuntu-latest steps: - name: Install Go uses: actions/setup-go@v2 with: go-version-file: "go.mod" - name: Clone repo uses: actions/checkout@v2 - name: Install kubectl run: sudo snap install kubectl --classic - name: Install kind run: go get sigs.k8s.io/kind - name: Go mod download and go tidy run: make setup - name: Run tests env: USE_KIND: "true" run: make test 07070100000008000081A400000000000000000000000166C635DC0000025B000000000000000000000000000000000000002B00000000kubeaudit-0.22.2/.github/workflows/cla.ymlname: Contributor License Agreement (CLA) on: pull_request_target: types: [opened, synchronize, reopened] issue_comment: types: [created] jobs: cla: runs-on: ubuntu-latest if: | (github.event.issue.pull_request && !github.event.issue.pull_request.merged_at && contains(github.event.comment.body, 'signed') ) || (github.event.pull_request && !github.event.pull_request.merged) steps: - uses: Shopify/shopify-cla-action@v1 with: github-token: ${{ secrets.GITHUB_TOKEN }} cla-token: ${{ secrets.CLA_TOKEN }} 07070100000009000081A400000000000000000000000166C635DC00000240000000000000000000000000000000000000003900000000kubeaudit-0.22.2/.github/workflows/first-interaction.ymlname: Notify new contributors on: pull_request: types: - opened issues: types: - opened jobs: notify: runs-on: ubuntu-latest steps: - uses: actions/first-interaction@v1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} issue-message: 'Thanks for opening your first issue here! Be sure to follow the issue template!' pr-message: 'Thanks for opening this pull request! Please check out our [contributing guidelines](https://github.com/Shopify/kubeaudit#Contributing) and [sign the CLA](https://cla.shopify.com/).' 0707010000000A000081A400000000000000000000000166C635DC000000F7000000000000000000000000000000000000003200000000kubeaudit-0.22.2/.github/workflows/pr-labeler.ymlname: "Pull Request Labeler" on: - pull_request_target jobs: triage: permissions: pull-requests: write runs-on: ubuntu-latest steps: - uses: actions/labeler@v4 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" 0707010000000B000081A400000000000000000000000166C635DC00000428000000000000000000000000000000000000002F00000000kubeaudit-0.22.2/.github/workflows/release.ymlname: release on: push: tags: [ v*.*.* ] env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} jobs: release: runs-on: ubuntu-latest permissions: contents: write packages: write steps: - name: Checkout uses: actions/checkout@v3 with: fetch-depth: 0 - name: Log into registry ${{ env.REGISTRY }} uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up Go uses: actions/setup-go@v3 with: go-version: 1.22.1 check-latest: true cache: true - name: Release uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 with: distribution: goreleaser version: v1.10.3 args: release --rm-dist env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 0707010000000C000081A400000000000000000000000166C635DC0000007A000000000000000000000000000000000000001C00000000kubeaudit-0.22.2/.gitignore/kubeaudit /kubeaudit_unix /tmp /.glide /.dev .DS_Store coverage.txt /dist *.swp /vendor /.vscode .go-version profile.out 0707010000000D000081A400000000000000000000000166C635DC00000476000000000000000000000000000000000000002100000000kubeaudit-0.22.2/.goreleaser.ymlproject_name: kubeaudit release: github: owner: Shopify name: kubeaudit draft: true name_template: "{{.ProjectName}}-v{{.Version}}" dockers: - dockerfile: goreleaser.Dockerfile goos: linux goarch: amd64 goarm: '' image_templates: - "ghcr.io/shopify/kubeaudit:latest" - "ghcr.io/shopify/kubeaudit:{{ .Tag }}" - "ghcr.io/shopify/kubeaudit:v{{ .Major }}.{{ .Minor }}" builds: - goos: - linux - darwin - windows goarm: - 6 - 7 main: ./cmd/main.go binary: kubeaudit ldflags: - -s -w -X github.com/Shopify/kubeaudit/cmd.Version={{.Version}} -X github.com/Shopify/kubeaudit/cmd.Commit={{.Commit}} -X github.com/Shopify/kubeaudit/cmd.BuildDate={{.Date}} changelog: sort: asc filters: exclude: - "^docs:" - "^test:" - ^Merge archives: - format: tar.gz name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{.Arm }}{{ end }}' files: - licence* - LICENCE* - readme* - README* - changelog* - CHANGELOG* snapshot: name_template: SNAPSHOT-{{ .Commit }} checksum: name_template: '{{ .ProjectName }}_{{ .Version }}_checksums.txt' 0707010000000E000081A400000000000000000000000166C635DC00000C78000000000000000000000000000000000000002400000000kubeaudit-0.22.2/CODE_OF_CONDUCT.md# Contributor Covenant Code of Conduct ## Our Pledge In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation. ## Our Standards Examples of behavior that contributes to creating a positive environment include: * Using welcoming and inclusive language * Being respectful of differing viewpoints and experiences * Gracefully accepting constructive criticism * Focusing on what is best for the community * Showing empathy towards other community members Examples of unacceptable behavior by participants include: * The use of sexualized language or imagery and unwelcome sexual attention or advances * Trolling, insulting/derogatory comments, and personal or political attacks * Public or private harassment * Publishing others' private information, such as a physical or electronic address, without explicit permission * Other conduct which could reasonably be considered inappropriate in a professional setting ## Our Responsibilities Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior. Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful. ## Scope This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers. ## Enforcement Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at opensource@shopify.com. All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately. Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership. ## Attribution This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at https://www.contributor-covenant.org/version/1/4/code-of-conduct/ [homepage]: https://www.contributor-covenant.org 0707010000000F000081A400000000000000000000000166C635DC0000052B000000000000000000000000000000000000001C00000000kubeaudit-0.22.2/DockerfileFROM golang:1.22.1 AS builder # no need to include cgo bindings ENV CGO_ENABLED=0 GOOS=linux GOARCH=amd64 # add ca certificates and timezone data files # hadolint ignore=DL3008 RUN apt-get install --yes --no-install-recommends ca-certificates tzdata # add unprivileged user RUN adduser --shell /bin/true --uid 1000 --disabled-login --no-create-home --gecos '' app \ && sed -i -r "/^(app|root)/!d" /etc/group /etc/passwd \ && sed -i -r 's#^(.*):[^:]*$#\1:/sbin/nologin#' /etc/passwd # this is where we build our app WORKDIR /go/src/app/ # download and cache our dependencies VOLUME /go/pkg/mod COPY go.mod go.sum ./ RUN go mod download # compile kubeaudit COPY . ./ RUN go build -a -ldflags '-w -s -extldflags "-static"' -o /go/bin/kubeaudit ./cmd/ \ && chmod +x /go/bin/kubeaudit # # --- # # start with empty image FROM scratch # add-in our timezone data file COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo # add-in our unprivileged user COPY --from=builder /etc/passwd /etc/group /etc/shadow /etc/ # add-in our ca certificates COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ # add-in our application COPY --from=builder --chown=app /go/bin/kubeaudit /kubeaudit # from now on, run as the unprivileged user USER 1000 # entrypoint ENTRYPOINT ["/kubeaudit"] CMD ["all"] 07070100000010000081A400000000000000000000000166C635DC00000433000000000000000000000000000000000000001900000000kubeaudit-0.22.2/LICENSEThe MIT License (MIT) Copyright 2017 Shopify Inc. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 07070100000011000081A400000000000000000000000166C635DC00000659000000000000000000000000000000000000001A00000000kubeaudit-0.22.2/Makefile# Go parameters GOCMD=go GOBUILD=$(GOCMD) build GOCLEAN=$(GOCMD) clean GOTEST=$(GOCMD) test GOMOD=$(GOCMD) mod BINARY_NAME=kubeaudit BINARY_UNIX=$(BINARY_NAME)_unix LDFLAGS=$(shell build/ldflags.sh) # kubernetes client won't build with go<1.10 GOVERSION:=$(shell go version | awk '{print $$3}') GOVERSION_MIN:=go1.22.1 GOVERSION_CHECK=$(shell printf "%s\n%s\n" "$(GOVERSION)" "$(GOVERSION_MIN)" | sort -t. -k 1,1n -k 2,2n -k 3,3n -k 4,4n | head -n 1) # Test parameters TEST_CLUSTER_NAME="kubeaudit-test" export GO111MODULE=on ifneq ($(GOVERSION_MIN), $(GOVERSION_CHECK)) $(error Detected Go version $(GOVERSION) < required version $(GOVERSION_MIN)) endif all: test build build: $(GOBUILD) -o $(BINARY_NAME) -v -ldflags=all="$(LDFLAGS)" cmd/main.go install: cp $(BINARY_NAME) $(GOPATH)/bin/kubeaudit plugin: cp $(BINARY_NAME) $(GOPATH)/bin/kubectl-audit test: ./test.sh test-setup: kind create cluster --name ${TEST_CLUSTER_NAME} --image kindest/node:v1.20.15@sha256:6f2d011dffe182bad80b85f6c00e8ca9d86b5b8922cdf433d53575c4c5212248 test-teardown: kind delete cluster --name ${TEST_CLUSTER_NAME} show-coverage: test go tool cover -html=coverage.txt setup: $(GOMOD) download $(GOMOD) tidy clean: $(GOCLEAN) rm -f $(BINARY_NAME) rm -f $(BINARY_UNIX) # Cross Compilation build-linux: CGO_ENABLED=0 GOOS=linux GOARCH=amd64 $(GOBUILD) -o $(BINARY_UNIX) -v docker-build: docker run --rm -it -v "$(GOPATH)":/go -w /go/src/github.com/Shopify/kubeaudit golang:1.12 go build -o "$(BINARY_UNIX)" -v .PHONY: all build install plugin test test-setup test-teardown show-coverage clean build-linux docker-build 07070100000012000081A400000000000000000000000166C635DC0000484F000000000000000000000000000000000000001B00000000kubeaudit-0.22.2/README.md[](https://github.com/Shopify/kubeaudit/actions) [](https://goreportcard.com/report/github.com/Shopify/kubeaudit) [](https://godoc.org/github.com/Shopify/kubeaudit) > It is now a requirement for clusters to run Kubernetes >=1.19. > override labels with unregistered `kubernetes.io` annotations will be deprecated. It'll soon be a requirement to use `kubeaudit.io` instead. Refer to this [discussion](https://github.com/Shopify/kubeaudit/issues/457) for additional context. # 🚨 Deprecation Notice 🚨 Kubeaudit is planned for deprecation by October 2024. We are actively seeking maintainers who are interested in taking over the stewardship of this project. If you are passionate about continuing its development and maintenance, please reach out to us. For users looking for alternatives, we recommend transitioning to Kubebench, which offers similar functionality and is actively maintained. Thank you to the community for your contributions and support. # kubeaudit :cloud: :lock: :muscle: `kubeaudit` is a command line tool and a Go package to audit Kubernetes clusters for various different security concerns, such as: * run as non-root * use a read-only root filesystem * drop scary capabilities, don't add new ones * don't run privileged * and more! **tldr. `kubeaudit` makes sure you deploy secure containers!** ## Package To use kubeaudit as a Go package, see the [package docs](https://pkg.go.dev/github.com/Shopify/kubeaudit). The rest of this README will focus on how to use kubeaudit as a command line tool. ## Command Line Interface (CLI) * [Installation](#installation) * [Quick Start](#quick-start) * [Audit Results](#audit-results) * [Commands](#commands) * [Configuration File](#configuration-file) * [Override Errors](#override-errors) * [Contributing](#contributing) ## Installation ### Brew ``` brew install kubeaudit ``` ### Download a binary Kubeaudit has official releases that are blessed and stable: [Official releases](https://github.com/Shopify/kubeaudit/releases) ### DIY build Main may have newer features than the stable releases. If you need a newer feature not yet included in a release, make sure you're using the latest Go and run the following: ```sh go get -v github.com/Shopify/kubeaudit ``` Start using `kubeaudit` with the [Quick Start](#quick-start) or view all the [supported commands](#commands). ### Kubectl Plugin Prerequisite: kubectl v1.12.0 or later With kubectl v1.12.0 introducing [easy pluggability](https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/) of external functions, kubeaudit can be invoked as `kubectl audit` by - running `make plugin` and having `$GOPATH/bin` available in your path. or - renaming the binary to `kubectl-audit` and having it available in your path. ### Docker We no longer release images to Docker Hub (since Docker Hub sunset Free Team organizations). For the time being, [old images](https://hub.docker.com/r/shopify/kubeaudit) are still available but may stop being available at any time. We will start publishing images to the Github Container registry soon. To run kubeaudit as a job in your cluster see [Running kubeaudit in a cluster](docs/cluster.md). ## Quick Start kubeaudit has three modes: 1. Manifest mode 1. Local mode 1. Cluster mode ### Manifest Mode If a Kubernetes manifest file is provided using the `-f/--manifest` flag, kubeaudit will audit the manifest file. Example command: ``` kubeaudit all -f "/path/to/manifest.yml" ``` Example output: ``` $ kubeaudit all -f "internal/test/fixtures/all_resources/deployment-apps-v1.yml" ---------------- Results for --------------- apiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: deployment-apps-v1 -------------------------------------------- -- [error] AppArmorAnnotationMissing Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/container' should be added. Metadata: Container: container MissingAnnotation: container.apparmor.security.beta.kubernetes.io/container -- [error] AutomountServiceAccountTokenTrueAndDefaultSA Message: Default service account with token mounted. automountServiceAccountToken should be set to 'false' or a non-default service account should be used. -- [error] CapabilityShouldDropAll Message: Capability not set to ALL. Ideally, you should drop ALL capabilities and add the specific ones you need to the add list. Metadata: Container: container Capability: AUDIT_WRITE ... ``` If no errors with a given minimum severity are found, the following is returned: ```shell All checks completed. 0 high-risk vulnerabilities found ``` #### Autofix Manifest mode also supports autofixing all security issues using the `autofix` command: ``` kubeaudit autofix -f "/path/to/manifest.yml" ``` To write the fixed manifest to a new file instead of modifying the source file, use the `-o/--output` flag. ``` kubeaudit autofix -f "/path/to/manifest.yml" -o "/path/to/fixed" ``` To fix a manifest based on custom rules specified on a kubeaudit config file, use the `-k/--kconfig` flag. ``` kubeaudit autofix -k "/path/to/kubeaudit-config.yml" -f "/path/to/manifest.yml" -o "/path/to/fixed" ``` ### Cluster Mode Kubeaudit can detect if it is running within a container in a cluster. If so, it will try to audit all Kubernetes resources in that cluster: ``` kubeaudit all ``` ### Local Mode Kubeaudit will try to connect to a cluster using the local kubeconfig file (`$HOME/.kube/config`). A different kubeconfig location can be specified using the `--kubeconfig` flag. To specify a context of the kubeconfig, use the `-c/--context` flag. ``` kubeaudit all --kubeconfig "/path/to/config" --context my_cluster ``` For more information on kubernetes config files, see https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/ ## Audit Results Kubeaudit produces results with three levels of severity: - `Error`: A security issue or invalid kubernetes configuration - `Warning`: A best practice recommendation - `Info`: Informational, no action required. This includes results that are [overridden](#override-errors) The minimum severity level can be set using the `--minSeverity/-m` flag. By default kubeaudit will output results in a human-readable way. If the output is intended to be further processed, it can be set to output JSON using the `--format json` flag. To output results as logs (the previous default) use `--format logrus`. Some output formats include colors to make results easier to read in a terminal. To disable colors (for example, if you are sending output to a text file), you can use the `--no-color` flag. You can generate a kubeaudit report in [SARIF](https://docs.oasis-open.org/sarif/sarif/v2.0/sarif-v2.0.html) using the `--format sarif` flag. To write the SARIF results to a file, you can redirect the output with `>`. For example: ``` kubeaudit all -f path-to-my-file.yaml --format="sarif" > example.sarif ``` If there are results of severity level `error`, kubeaudit will exit with exit code 2. This can be changed using the `--exitcode/-e` flag. For all the ways kubeaudit can be customized, see [Global Flags](#global-flags). ## Commands | Command | Description | Documentation | | :-------- | :------------------------------------------------------------------------ | :---------------------- | | `all` | Runs all available auditors, or those specified using a kubeaudit config. | [docs](docs/all.md) | | `autofix` | Automatically fixes security issues. | [docs](docs/autofix.md) | | `version` | Prints the current kubeaudit version. | | ### Auditors Auditors can also be run individually. | Command | Description | Documentation | | :--------------- | :------------------------------------------------------------------------------------------------------------- | :-------------------------------------- | | `apparmor` | Finds containers running without AppArmor. | [docs](docs/auditors/apparmor.md) | | `asat` | Finds pods using an automatically mounted default service account | [docs](docs/auditors/asat.md) | | `capabilities` | Finds containers that do not drop the recommended capabilities or add new ones. | [docs](docs/auditors/capabilities.md) | | `deprecatedapis` | Finds any resource defined with a deprecated API version. | [docs](docs/auditors/deprecatedapis.md) | | `hostns` | Finds containers that have HostPID, HostIPC or HostNetwork enabled. | [docs](docs/auditors/hostns.md) | | `image` | Finds containers which do not use the desired version of an image (via the tag) or use an image without a tag. | [docs](docs/auditors/image.md) | | `limits` | Finds containers which exceed the specified CPU and memory limits or do not specify any. | [docs](docs/auditors/limits.md) | | `mounts` | Finds containers that have sensitive host paths mounted. | [docs](docs/auditors/mounts.md) | | `netpols` | Finds namespaces that do not have a default-deny network policy. | [docs](docs/auditors/netpols.md) | | `nonroot` | Finds containers running as root. | [docs](docs/auditors/nonroot.md) | | `privesc` | Finds containers that allow privilege escalation. | [docs](docs/auditors/privesc.md) | | `privileged` | Finds containers running as privileged. | [docs](docs/auditors/privileged.md) | | `rootfs` | Finds containers which do not have a read-only filesystem. | [docs](docs/auditors/rootfs.md) | | `seccomp` | Finds containers running without Seccomp. | [docs](docs/auditors/seccomp.md) | ### Global Flags | Short | Long | Description | | :---- | :----------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------- | | | --format | The output format to use (one of "sarif", "pretty", "logrus", "json") (default is "pretty") | | | --kubeconfig | Path to local Kubernetes config file. Only used in local mode (default is `$HOME/.kube/config`) | | -c | --context | The name of the kubeconfig context to use | | -f | --manifest | Path to the yaml configuration to audit. Only used in manifest mode. You may use `-` to read from stdin. | | -n | --namespace | Only audit resources in the specified namespace. Not currently supported in manifest mode. | | -g | --includegenerated | Include generated resources in scan (such as Pods generated by deployments). If you would like kubeaudit to produce results for generated resources (for example if you have custom resources or want to catch orphaned resources where the owner resource no longer exists) you can use this flag. | | -m | --minseverity | Set the lowest severity level to report (one of "error", "warning", "info") (default is "info") | | -e | --exitcode | Exit code to use if there are results with severity of "error". Conventionally, 0 is used for success and all non-zero codes for an error. (default is 2) | | | --no-color | Don't use colors in the output (default is false) | ## Configuration File The kubeaudit config can be used for two things: 1. Enabling only some auditors 1. Specifying configuration for auditors Any configuration that can be specified using flags for the individual auditors can be represented using the config. The config has the following format: ```yaml enabledAuditors: # Auditors are enabled by default if they are not explicitly set to "false" apparmor: false asat: false capabilities: true deprecatedapis: true hostns: true image: true limits: true mounts: true netpols: true nonroot: true privesc: true privileged: true rootfs: true seccomp: true auditors: capabilities: # add capabilities needed to the add list, so kubeaudit won't report errors allowAddList: ['AUDIT_WRITE', 'CHOWN'] deprecatedapis: # If no versions are specified and the'deprecatedapis' auditor is enabled, WARN # results will be genereted for the resources defined with a deprecated API. currentVersion: '1.22' targetedVersion: '1.25' image: # If no image is specified and the 'image' auditor is enabled, WARN results # will be generated for containers which use an image without a tag image: 'myimage:mytag' limits: # If no limits are specified and the 'limits' auditor is enabled, WARN results # will be generated for containers which have no cpu or memory limits specified cpu: '750m' memory: '500m' ``` For more details about each auditor, including a description of the auditor-specific configuration in the config, see the [Auditor Docs](#auditors). **Note**: The kubeaudit config is not the same as the kubeconfig file specified with the `--kubeconfig` flag, which refers to the Kubernetes config file (see [Local Mode](/README.md#local-mode)). Also note that only the `all` and `autofix` commands support using a kubeaudit config. It will not work with other commands. **Note**: If flags are used in combination with the config file, flags will take precedence. ## Override Errors Security issues can be ignored for specific containers or pods by adding override labels. This means the auditor will produce `info` results instead of `error` results and the audit result name will have `Allowed` appended to it. The labels are documented in each auditor's documentation, but the general format for auditors that support overrides is as follows: An override label consists of a `key` and a `value`. The `key` is a combination of the override type (container or pod) and an `override identifier` which is unique to each auditor (see the [docs](#auditors) for the specific auditor). The `key` can take one of two forms depending on the override type: 1. **Container overrides**, which override the auditor for that specific container, are formatted as follows: ```yaml container.kubeaudit.io/[container name].[override identifier] ``` 2. **Pod overrides**, which override the auditor for all containers within the pod, are formatted as follows: ```yaml kubeaudit.io/[override identifier] ``` If the `value` is set to a non-empty string, it will be displayed in the `info` result as the `OverrideReason`: ``` $ kubeaudit asat -f "auditors/asat/fixtures/service-account-token-true-allowed.yml" ---------------- Results for --------------- apiVersion: v1 kind: ReplicationController metadata: name: replicationcontroller namespace: service-account-token-true-allowed -------------------------------------------- -- [info] AutomountServiceAccountTokenTrueAndDefaultSAAllowed Message: Audit result overridden: Default service account with token mounted. automountServiceAccountToken should be set to 'false' or a non-default service account should be used. Metadata: OverrideReason: SomeReason ``` As per Kubernetes spec, `value` must be 63 characters or less and must be empty or begin and end with an alphanumeric character (`[a-z0-9A-Z]`) with dashes (`-`), underscores (`_`), dots (`.`), and alphanumerics between. Multiple override labels (for multiple auditors) can be added to the same resource. See the specific [auditor docs](#auditors) for the auditor you wish to override for examples. To learn more about labels, see https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ ## Contributing If you'd like to fix a bug, contribute a feature or just correct a typo, please feel free to do so as long as you follow our [Code of Conduct](./CODE_OF_CONDUCT.md). 1. Create your own fork! 1. Get the source: `go get github.com/Shopify/kubeaudit` 1. Go to the source: `cd $GOPATH/src/github.com/Shopify/kubeaudit` 1. Add your forked repo as a fork: `git remote add fork https://github.com/you-are-awesome/kubeaudit` 1. Create your feature branch: `git checkout -b awesome-new-feature` 1. Install [Kind](https://kind.sigs.k8s.io/#installation-and-usage) 1. Run the tests to see everything is working as expected: `USE_KIND=true make test` (to run tests without Kind: `make test`) 1. Commit your changes: `git commit -am 'Adds awesome feature'` 1. Push to the branch: `git push fork` 1. Sign the [Contributor License Agreement](https://cla.shopify.com/) 1. Submit a PR (All PR must be labeled with :bug: (Bug fix), :sparkles: (New feature), :book: (Documentation update), or :warning: (Breaking changes) ) 1. ??? 1. Profit Note that if you didn't sign the CLA before opening your PR, you can re-run the check by adding a comment to the PR that says "I've signed the CLA!"! 070701000000130000A1FF00000000000000000000000166C635DC00000014000000000000000000000000000000000000001900000000kubeaudit-0.22.2/VERSIONcmd/commands/VERSION07070100000014000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000001A00000000kubeaudit-0.22.2/auditors07070100000015000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000001E00000000kubeaudit-0.22.2/auditors/all07070100000016000081A400000000000000000000000166C635DC00000BBB000000000000000000000000000000000000002500000000kubeaudit-0.22.2/auditors/all/all.gopackage all import ( "errors" "fmt" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/auditors/apparmor" "github.com/Shopify/kubeaudit/auditors/asat" "github.com/Shopify/kubeaudit/auditors/capabilities" "github.com/Shopify/kubeaudit/auditors/deprecatedapis" "github.com/Shopify/kubeaudit/auditors/hostns" "github.com/Shopify/kubeaudit/auditors/image" "github.com/Shopify/kubeaudit/auditors/limits" "github.com/Shopify/kubeaudit/auditors/mounts" "github.com/Shopify/kubeaudit/auditors/netpols" "github.com/Shopify/kubeaudit/auditors/nonroot" "github.com/Shopify/kubeaudit/auditors/privesc" "github.com/Shopify/kubeaudit/auditors/privileged" "github.com/Shopify/kubeaudit/auditors/rootfs" "github.com/Shopify/kubeaudit/auditors/seccomp" "github.com/Shopify/kubeaudit/config" ) var ErrUnknownAuditor = errors.New("Unknown auditor") var AuditorNames = []string{ apparmor.Name, asat.Name, capabilities.Name, deprecatedapis.Name, hostns.Name, image.Name, limits.Name, mounts.Name, netpols.Name, nonroot.Name, privesc.Name, privileged.Name, rootfs.Name, seccomp.Name, } func Auditors(conf config.KubeauditConfig) ([]kubeaudit.Auditable, error) { auditors := []kubeaudit.Auditable{} for _, auditorName := range getEnabledAuditors(conf) { auditor, err := initAuditor(auditorName, conf) if err != nil { return nil, err } auditors = append(auditors, auditor) } return auditors, nil } // getEnabledAuditors returns a list of all auditors excluding any explicitly disabled in the config func getEnabledAuditors(conf config.KubeauditConfig) []string { auditors := []string{} for _, auditorName := range AuditorNames { // if value is not found in the `conf.GetEnabledAuditors()` map, this means // it wasn't added to the config file, so it should be enabled by default if enabled, ok := conf.GetEnabledAuditors()[auditorName]; !ok || enabled { auditors = append(auditors, auditorName) } } return auditors } func initAuditor(name string, conf config.KubeauditConfig) (kubeaudit.Auditable, error) { switch name { case apparmor.Name: return apparmor.New(), nil case asat.Name: return asat.New(), nil case capabilities.Name: return capabilities.New(conf.GetAuditorConfigs().Capabilities), nil case deprecatedapis.Name: return deprecatedapis.New(conf.GetAuditorConfigs().DeprecatedAPIs) case hostns.Name: return hostns.New(), nil case image.Name: return image.New(conf.GetAuditorConfigs().Image), nil case limits.Name: return limits.New(conf.GetAuditorConfigs().Limits) case mounts.Name: return mounts.New(conf.GetAuditorConfigs().Mounts), nil case netpols.Name: return netpols.New(), nil case nonroot.Name: return nonroot.New(), nil case privesc.Name: return privesc.New(), nil case privileged.Name: return privileged.New(), nil case rootfs.Name: return rootfs.New(), nil case seccomp.Name: return seccomp.New(), nil } return nil, fmt.Errorf("unknown auditor %s: %w", name, ErrUnknownAuditor) } 07070100000017000081A400000000000000000000000166C635DC0000154A000000000000000000000000000000000000002A00000000kubeaudit-0.22.2/auditors/all/all_test.gopackage all import ( "strings" "testing" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/auditors/apparmor" "github.com/Shopify/kubeaudit/auditors/asat" "github.com/Shopify/kubeaudit/auditors/capabilities" "github.com/Shopify/kubeaudit/auditors/deprecatedapis" "github.com/Shopify/kubeaudit/auditors/mounts" "github.com/Shopify/kubeaudit/auditors/hostns" "github.com/Shopify/kubeaudit/auditors/image" "github.com/Shopify/kubeaudit/auditors/limits" "github.com/Shopify/kubeaudit/auditors/netpols" "github.com/Shopify/kubeaudit/auditors/nonroot" "github.com/Shopify/kubeaudit/auditors/privesc" "github.com/Shopify/kubeaudit/auditors/privileged" "github.com/Shopify/kubeaudit/auditors/rootfs" "github.com/Shopify/kubeaudit/auditors/seccomp" "github.com/Shopify/kubeaudit/config" "github.com/Shopify/kubeaudit/internal/test" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) const fixtureDir = "../../internal/test/fixtures/all_resources" func TestAuditAll(t *testing.T) { allErrors := []string{ apparmor.AppArmorAnnotationMissing, asat.AutomountServiceAccountTokenTrueAndDefaultSA, capabilities.CapabilityOrSecurityContextMissing, hostns.NamespaceHostNetworkTrue, hostns.NamespaceHostIPCTrue, hostns.NamespaceHostPIDTrue, image.ImageTagMissing, limits.LimitsNotSet, netpols.MissingDefaultDenyIngressAndEgressNetworkPolicy, nonroot.RunAsNonRootPSCNilCSCNil, privesc.AllowPrivilegeEscalationNil, privileged.PrivilegedNil, rootfs.ReadOnlyRootFilesystemNil, seccomp.SeccompProfileMissing, } allAuditors, err := Auditors( // Not all the tested resources raise an deprecated API error config.KubeauditConfig{EnabledAuditors: map[string]bool{deprecatedapis.Name: false}}) require.NoError(t, err) for _, file := range test.GetAllFileNames(t, fixtureDir) { // This line is needed because of how scopes work with parallel tests (see https://gist.github.com/posener/92a55c4cd441fc5e5e85f27bca008721) file := file t.Run(file, func(t *testing.T) { t.Parallel() test.AuditMultiple(t, fixtureDir, file, allAuditors, allErrors, "", test.MANIFEST_MODE) test.AuditMultiple(t, fixtureDir, file, allAuditors, allErrors, strings.Split(file, ".")[0], test.LOCAL_MODE) }) } } func TestFixAll(t *testing.T) { allAuditors, err := Auditors(config.KubeauditConfig{}) require.NoError(t, err) files := test.GetAllFileNames(t, fixtureDir) for _, file := range files { t.Run(file, func(t *testing.T) { _, report := test.FixSetupMultiple(t, fixtureDir, file, allAuditors) for _, result := range report.Results() { for _, auditResult := range result.GetAuditResults() { require.NotEqual(t, kubeaudit.Error, auditResult.Severity) } } }) } } // Test all auditors with config func TestAllWithConfig(t *testing.T) { enabledAuditors := []string{ apparmor.Name, seccomp.Name, } expectedErrors := []string{ apparmor.AppArmorAnnotationMissing, seccomp.SeccompProfileMissing, } conf := config.KubeauditConfig{ EnabledAuditors: enabledAuditorsToMap(enabledAuditors), } auditors, err := Auditors(conf) require.NoError(t, err) for _, file := range test.GetAllFileNames(t, fixtureDir) { t.Run(file, func(t *testing.T) { test.AuditMultiple(t, fixtureDir, file, auditors, expectedErrors, "", test.MANIFEST_MODE) }) } } func TestGetEnabledAuditors(t *testing.T) { cases := []struct { testName string enabledAuditors map[string]bool expectedAuditors []string }{ { // If no config is provided, all auditors should be enabled testName: "No config", enabledAuditors: map[string]bool{}, expectedAuditors: AuditorNames, }, { // If some auditors are explicitly disabled, the rest should default to being enabled testName: "Some disabled", enabledAuditors: map[string]bool{ "apparmor": false, "rootfs": false, }, expectedAuditors: []string{ asat.Name, capabilities.Name, deprecatedapis.Name, hostns.Name, image.Name, limits.Name, mounts.Name, netpols.Name, nonroot.Name, privesc.Name, privileged.Name, seccomp.Name, }, }, { testName: "Some enabled", enabledAuditors: map[string]bool{ "apparmor": true, "rootfs": true, }, expectedAuditors: AuditorNames, }, { // If some auditors are explicitly disabled, the rest should default to being enabled testName: "Some enabled, some disabled", enabledAuditors: map[string]bool{ "asat": true, "apparmor": false, "capabilities": true, "rootfs": false, }, expectedAuditors: []string{ asat.Name, capabilities.Name, deprecatedapis.Name, hostns.Name, image.Name, limits.Name, mounts.Name, netpols.Name, nonroot.Name, privesc.Name, privileged.Name, seccomp.Name, }, }, } for _, tc := range cases { t.Run(tc.testName, func(t *testing.T) { conf := config.KubeauditConfig{ EnabledAuditors: tc.enabledAuditors, } got := getEnabledAuditors(conf) assert.ElementsMatch(t, got, tc.expectedAuditors) }) } } func enabledAuditorsToMap(enabledAuditors []string) map[string]bool { enabledAuditorMap := map[string]bool{} for _, auditorName := range AuditorNames { enabledAuditorMap[auditorName] = false } for _, auditorName := range enabledAuditors { enabledAuditorMap[auditorName] = true } return enabledAuditorMap } 07070100000018000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002300000000kubeaudit-0.22.2/auditors/apparmor07070100000019000081A400000000000000000000000166C635DC00001882000000000000000000000000000000000000002F00000000kubeaudit-0.22.2/auditors/apparmor/apparmor.gopackage apparmor import ( "fmt" "strings" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/pkg/fix" "github.com/Shopify/kubeaudit/pkg/k8s" "github.com/Shopify/kubeaudit/pkg/override" ) const Name = "apparmor" const ( // AppArmorAnnotationMissing occurs when the apparmor annotation is missing AppArmorAnnotationMissing = "AppArmorAnnotationMissing" // AppArmorDisabled occurs when the apparmor annotation is set to the unconfined value AppArmorDisabled = "AppArmorDisabled" // AppArmorDisabled occurs when the apparmor annotation is set to a bad value AppArmorBadValue = "AppArmorBadValue" // AppArmorInvalidAnnotation occurs when the apparmor annotation key refers to a container which doesn't exist. This will // prevent the manifest from being applied to a cluster with AppArmor enabled. AppArmorInvalidAnnotation = "AppArmorInvalidAnnotation" ) // As of Jan 14, 2020 these constants are not in the K8s API package, but once they are they should be replaced // https://github.com/kubernetes/kubernetes/blob/master/pkg/security/apparmor/helpers.go#L25 const ( // The prefix to an annotation key specifying a container profile. ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/" // The profile specifying the runtime default. ProfileRuntimeDefault = "runtime/default" // The profile specifying the unconfined profile. ProfileUnconfined = "unconfined" // The prefix for specifying profiles loaded on the node. ProfileNamePrefix = "localhost/" ) const OverrideLabel = "allow-disabled-apparmor" // AppArmor implements Auditable type AppArmor struct{} func New() *AppArmor { return &AppArmor{} } // Audit checks that AppArmor is enabled for all containers func (a *AppArmor) Audit(resource k8s.Resource, _ []k8s.Resource) ([]*kubeaudit.AuditResult, error) { var auditResults []*kubeaudit.AuditResult var containerNames []string for _, container := range k8s.GetContainers(resource) { containerName := container.Name containerNames = append(containerNames, containerName) auditResult := auditContainer(container, resource) auditResult = applyDisabledOverride(auditResult, containerName, resource) if auditResult != nil { auditResults = append(auditResults, auditResult) } } auditResults = append(auditResults, auditPodAnnotations(resource, containerNames)...) return auditResults, nil } func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudit.AuditResult { annotations := k8s.GetAnnotations(resource) containerAnnotation := getContainerAnnotation(container) if isAppArmorAnnotationMissing(containerAnnotation, annotations) { return &kubeaudit.AuditResult{ Auditor: Name, Rule: AppArmorAnnotationMissing, Severity: kubeaudit.Error, Message: fmt.Sprintf("AppArmor annotation missing. The annotation '%s' should be added.", containerAnnotation), Metadata: kubeaudit.Metadata{ "Container": container.Name, "MissingAnnotation": containerAnnotation, }, PendingFix: &fix.ByAddingPodAnnotation{ Key: containerAnnotation, Value: ProfileRuntimeDefault, }, } } if isAppArmorDisabled(containerAnnotation, annotations) { var rule string if isAppArmorUnconfined(containerAnnotation, annotations) { rule = AppArmorDisabled } else { rule = AppArmorBadValue } return &kubeaudit.AuditResult{ Auditor: Name, Rule: rule, Message: fmt.Sprintf("AppArmor is disabled. The apparmor annotation should be set to '%s' or start with '%s'.", ProfileRuntimeDefault, ProfileNamePrefix), Severity: kubeaudit.Error, Metadata: kubeaudit.Metadata{ "Container": container.Name, "Annotation": containerAnnotation, "AnnotationValue": getProfileName(containerAnnotation, annotations), }, PendingFix: &fix.BySettingPodAnnotation{ Key: containerAnnotation, Value: ProfileRuntimeDefault, }, } } return nil } func applyDisabledOverride(auditResult *kubeaudit.AuditResult, containerName string, resource k8s.Resource) *kubeaudit.AuditResult { if auditResult == nil || auditResult.Rule != AppArmorDisabled { return auditResult } return override.ApplyOverride(auditResult, Name, containerName, resource, OverrideLabel) } func auditPodAnnotations(resource k8s.Resource, containerNames []string) []*kubeaudit.AuditResult { var auditResults []*kubeaudit.AuditResult for annotationKey, annotationValue := range k8s.GetAnnotations(resource) { if !strings.HasPrefix(annotationKey, ContainerAnnotationKeyPrefix) { continue } containerName := strings.Split(annotationKey, "/")[1] if !contains(containerNames, containerName) { auditResults = append(auditResults, &kubeaudit.AuditResult{ Auditor: Name, Rule: AppArmorInvalidAnnotation, Severity: kubeaudit.Error, Message: fmt.Sprintf("AppArmor annotation key refers to a container that doesn't exist. Remove the annotation '%s: %s'.", annotationKey, annotationValue), Metadata: kubeaudit.Metadata{ "Container": containerName, "Annotation": fmt.Sprintf("%s: %s", annotationKey, annotationValue), }, PendingFix: &fix.ByRemovingPodAnnotations{ Keys: []string{annotationKey}, }, }) } } return auditResults } func isAppArmorAnnotationMissing(apparmorAnnotation string, annotations map[string]string) bool { _, ok := annotations[apparmorAnnotation] return !ok } func isAppArmorDisabled(apparmorAnnotation string, annotations map[string]string) bool { profileName, ok := annotations[apparmorAnnotation] return !ok || profileName != ProfileRuntimeDefault && !strings.HasPrefix(profileName, ProfileNamePrefix) } func isAppArmorUnconfined(apparmorAnnotation string, annotations map[string]string) bool { profileName, ok := annotations[apparmorAnnotation] return ok && profileName == ProfileUnconfined } func getContainerAnnotation(container *k8s.ContainerV1) string { return ContainerAnnotationKeyPrefix + container.Name } func getProfileName(apparmorAnnotation string, annotations map[string]string) string { profileName := annotations[apparmorAnnotation] return profileName } func contains(arr []string, val string) bool { for _, arrVal := range arr { if arrVal == val { return true } } return false } 0707010000001A000081A400000000000000000000000166C635DC00000AA4000000000000000000000000000000000000003400000000kubeaudit-0.22.2/auditors/apparmor/apparmor_test.gopackage apparmor import ( "strings" "testing" "github.com/Shopify/kubeaudit/internal/test" "github.com/Shopify/kubeaudit/pkg/k8s" "github.com/Shopify/kubeaudit/pkg/override" "github.com/stretchr/testify/assert" ) const fixtureDir = "fixtures" func TestAuditAppArmor(t *testing.T) { cases := []struct { file string expectedErrors []string testLocalMode bool }{ {"apparmor-enabled.yml", nil, true}, {"apparmor-annotation-missing.yml", []string{AppArmorAnnotationMissing}, true}, {"apparmor-annotation-init-container-enabled.yml", nil, true}, {"apparmor-annotation-init-container-missing.yml", []string{AppArmorAnnotationMissing}, true}, {"apparmor-disabled.yml", []string{AppArmorDisabled}, true}, {"apparmor-disabled-overriden.yml", []string{override.GetOverriddenResultName(AppArmorDisabled)}, true}, {"apparmor-disabled-overriden-old-label.yml", []string{override.GetOverriddenResultName(AppArmorDisabled)}, true}, {"apparmor-disabled-overriden-multiple.yml", []string{AppArmorAnnotationMissing, override.GetOverriddenResultName(AppArmorDisabled)}, true}, // These are invalid manifests so we should only test it in manifest mode as kubernetes will fail to apply it {"apparmor-bad-value.yml", []string{AppArmorBadValue}, false}, {"apparmor-bad-value-override.yml", []string{AppArmorBadValue}, false}, {"apparmor-invalid-annotation.yml", []string{AppArmorInvalidAnnotation}, false}, } for _, tc := range cases { // This line is needed because of how scopes work with parallel tests (see https://gist.github.com/posener/92a55c4cd441fc5e5e85f27bca008721) tc := tc t.Run(tc.file, func(t *testing.T) { t.Parallel() test.AuditManifest(t, fixtureDir, tc.file, New(), tc.expectedErrors) if tc.testLocalMode { test.AuditLocal(t, fixtureDir, tc.file, New(), strings.Split(tc.file, ".")[0], tc.expectedErrors) } }) } } func TestFixAppArmor(t *testing.T) { cases := []struct { file string expectedAnnotationValue string }{ {"apparmor-enabled.yml", "localhost/something"}, {"apparmor-annotation-missing.yml", ProfileRuntimeDefault}, {"apparmor-disabled.yml", ProfileRuntimeDefault}, {"apparmor-invalid-annotation.yml", ProfileRuntimeDefault}, } for _, tc := range cases { t.Run(tc.file, func(t *testing.T) { resources, _ := test.FixSetup(t, fixtureDir, tc.file, New()) for _, resource := range resources { containers := k8s.GetContainers(resource) annotations := k8s.GetAnnotations(resource) for _, container := range containers { containerAnnotation := getContainerAnnotation(container) assert.Equal(t, tc.expectedAnnotationValue, annotations[containerAnnotation]) } } }) } } 0707010000001B000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002C00000000kubeaudit-0.22.2/auditors/apparmor/fixtures0707010000001C000081A400000000000000000000000166C635DC00000198000000000000000000000000000000000000005B00000000kubeaudit-0.22.2/auditors/apparmor/fixtures/apparmor-annotation-init-container-enabled.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: apparmor-annotation-init-container-enabled annotations: container.apparmor.security.beta.kubernetes.io/container: localhost/someval container.apparmor.security.beta.kubernetes.io/init-container: localhost/someval spec: initContainers: - name: init-container image: scratch containers: - name: container image: scratch 0707010000001D000081A400000000000000000000000166C635DC00000143000000000000000000000000000000000000005B00000000kubeaudit-0.22.2/auditors/apparmor/fixtures/apparmor-annotation-init-container-missing.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: apparmor-annotation-init-container-missing annotations: container.apparmor.security.beta.kubernetes.io/container: localhost/someval spec: initContainers: - name: init-container image: scratch containers: - name: container image: scratch 0707010000001E000081A400000000000000000000000166C635DC00000097000000000000000000000000000000000000004C00000000kubeaudit-0.22.2/auditors/apparmor/fixtures/apparmor-annotation-missing.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: apparmor-annotation-missing spec: containers: - name: container image: scratch 0707010000001F000081A400000000000000000000000166C635DC00000140000000000000000000000000000000000000004C00000000kubeaudit-0.22.2/auditors/apparmor/fixtures/apparmor-bad-value-override.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: apparmor-bad-value-override annotations: container.apparmor.security.beta.kubernetes.io/container: badval labels: container.kubeaudit.io/container.allow-disabled-apparmor: "SomeReason" spec: containers: - name: container image: scratch 07070100000020000081A400000000000000000000000166C635DC000000E2000000000000000000000000000000000000004300000000kubeaudit-0.22.2/auditors/apparmor/fixtures/apparmor-bad-value.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: apparmor-bad-value annotations: container.apparmor.security.beta.kubernetes.io/container: badval spec: containers: - name: container image: scratch 07070100000021000081A400000000000000000000000166C635DC0000017B000000000000000000000000000000000000005500000000kubeaudit-0.22.2/auditors/apparmor/fixtures/apparmor-disabled-overriden-multiple.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: apparmor-disabled-overriden-multiple annotations: container.apparmor.security.beta.kubernetes.io/container2: unconfined labels: container.kubeaudit.io/container2.allow-disabled-apparmor: "SomeReason" spec: containers: - name: container image: scratch - name: container2 image: scratch 07070100000022000081A400000000000000000000000166C635DC000001B1000000000000000000000000000000000000005600000000kubeaudit-0.22.2/auditors/apparmor/fixtures/apparmor-disabled-overriden-old-label.yml# this is to test backwards compatibility with old unregistered annotations (kubernetes.io) apiVersion: v1 kind: Pod metadata: name: pod namespace: apparmor-disabled-overriden-old-label annotations: container.apparmor.security.beta.kubernetes.io/container: unconfined labels: container.audit.kubernetes.io/container.allow-disabled-apparmor: "SomeReason" spec: containers: - name: container image: scratch 07070100000023000081A400000000000000000000000166C635DC00000191000000000000000000000000000000000000004C00000000kubeaudit-0.22.2/auditors/apparmor/fixtures/apparmor-disabled-overriden.yml# this tests then new kubeaudit labels for overriding errors (kubeaudit.io) apiVersion: v1 kind: Pod metadata: name: pod namespace: apparmor-disabled-overriden annotations: container.apparmor.security.beta.kubernetes.io/container: unconfined labels: container.kubeaudit.io/container.allow-disabled-apparmor: "SomeReason" spec: containers: - name: container image: scratch 07070100000024000081A400000000000000000000000166C635DC000000E5000000000000000000000000000000000000004200000000kubeaudit-0.22.2/auditors/apparmor/fixtures/apparmor-disabled.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: apparmor-disabled annotations: container.apparmor.security.beta.kubernetes.io/container: unconfined spec: containers: - name: container image: scratch 07070100000025000081A400000000000000000000000166C635DC000000ED000000000000000000000000000000000000004100000000kubeaudit-0.22.2/auditors/apparmor/fixtures/apparmor-enabled.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: apparmor-enabled annotations: container.apparmor.security.beta.kubernetes.io/container: localhost/something spec: containers: - name: container image: scratch 07070100000026000081A400000000000000000000000166C635DC00000138000000000000000000000000000000000000004C00000000kubeaudit-0.22.2/auditors/apparmor/fixtures/apparmor-invalid-annotation.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: apparmor-enabled annotations: container.apparmor.security.beta.kubernetes.io/container: runtime/default container.apparmor.security.beta.kubernetes.io/container2: runtime/default spec: containers: - name: container image: scratch 07070100000027000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000001F00000000kubeaudit-0.22.2/auditors/asat07070100000028000081A400000000000000000000000166C635DC00000F0F000000000000000000000000000000000000002700000000kubeaudit-0.22.2/auditors/asat/asat.gopackage asat import ( "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/pkg/k8s" "github.com/Shopify/kubeaudit/pkg/override" ) const Name = "asat" const ( // AutomountServiceAccountTokenDeprecated occurs when the deprecated serviceAccount field is non-empty AutomountServiceAccountTokenDeprecated = "AutomountServiceAccountTokenDeprecated" // AutomountServiceAccountTokenTrueAndDefaultSA occurs when automountServiceAccountToken is either not set // (which defaults to true) or explicitly set to true, and serviceAccountName is either not set or set to "default" AutomountServiceAccountTokenTrueAndDefaultSA = "AutomountServiceAccountTokenTrueAndDefaultSA" ) const OverrideLabel = "allow-automount-service-account-token" // AutomountServiceAccountToken implements Auditable type AutomountServiceAccountToken struct{} func New() *AutomountServiceAccountToken { return &AutomountServiceAccountToken{} } // Audit checks that the deprecated serviceAccount field is not used and that the default service account is not // being automatically mounted func (a *AutomountServiceAccountToken) Audit(resource k8s.Resource, resources []k8s.Resource) ([]*kubeaudit.AuditResult, error) { auditResult := auditResource(resource, resources) auditResult = override.ApplyOverride(auditResult, Name, "", resource, OverrideLabel) if auditResult != nil { return []*kubeaudit.AuditResult{auditResult}, nil } return nil, nil } func auditResource(resource k8s.Resource, resources []k8s.Resource) *kubeaudit.AuditResult { podSpec := k8s.GetPodSpec(resource) if podSpec == nil { return nil } if isDeprecatedServiceAccountName(podSpec) && !hasServiceAccountName(podSpec) { return &kubeaudit.AuditResult{ Auditor: Name, Rule: AutomountServiceAccountTokenDeprecated, Severity: kubeaudit.Warn, Message: "serviceAccount is a deprecated alias for serviceAccountName. serviceAccountName should be used instead.", PendingFix: &fixDeprecatedServiceAccountName{ podSpec: podSpec, }, Metadata: kubeaudit.Metadata{ "DeprecatedServiceAccount": podSpec.DeprecatedServiceAccount, }, } } defaultServiceAccount := getDefaultServiceAccount(resources) if usesDefaultServiceAccount(podSpec) && isAutomountTokenTrue(podSpec, defaultServiceAccount) { return &kubeaudit.AuditResult{ Auditor: Name, Rule: AutomountServiceAccountTokenTrueAndDefaultSA, Severity: kubeaudit.Error, Message: "Default service account with token mounted. automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.", PendingFix: &fixDefaultServiceAccountWithAutomountToken{ podSpec: podSpec, defaultServiceAccount: defaultServiceAccount, }, } } return nil } func isDeprecatedServiceAccountName(podSpec *k8s.PodSpecV1) bool { return podSpec.DeprecatedServiceAccount != "" } func hasServiceAccountName(podSpec *k8s.PodSpecV1) bool { return podSpec.ServiceAccountName != "" } func isAutomountTokenTrue(podSpec *k8s.PodSpecV1, defaultServiceAccount *k8s.ServiceAccountV1) bool { if podSpec.AutomountServiceAccountToken != nil { return *podSpec.AutomountServiceAccountToken } return defaultServiceAccount == nil || defaultServiceAccount.AutomountServiceAccountToken == nil || *defaultServiceAccount.AutomountServiceAccountToken } func usesDefaultServiceAccount(podSpec *k8s.PodSpecV1) bool { return podSpec.ServiceAccountName == "" || podSpec.ServiceAccountName == "default" } func getDefaultServiceAccount(resources []k8s.Resource) (serviceAccount *k8s.ServiceAccountV1) { for _, resource := range resources { serviceAccount, ok := resource.(*k8s.ServiceAccountV1) if ok && (k8s.GetObjectMeta(serviceAccount).GetName() == "default") { return serviceAccount } } return } 07070100000029000081A400000000000000000000000166C635DC0000079C000000000000000000000000000000000000002C00000000kubeaudit-0.22.2/auditors/asat/asat_test.gopackage asat import ( "strings" "testing" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/internal/test" "github.com/Shopify/kubeaudit/pkg/override" ) const fixtureDir = "fixtures" func TestAuditAutomountServiceAccountToken(t *testing.T) { cases := []struct { file string expectedErrors []string testLocalMode bool }{ // When this yaml is applied into the cluster, both the deprecated and new service account fields are populated // with the service account value, so there is no error in local mode {"service-account-token-deprecated.yml", []string{AutomountServiceAccountTokenDeprecated}, false}, {"service-account-token-true-and-no-name.yml", []string{AutomountServiceAccountTokenTrueAndDefaultSA}, true}, {"service-account-token-nil-and-no-name.yml", []string{AutomountServiceAccountTokenTrueAndDefaultSA}, true}, {"service-account-token-true-allowed.yml", []string{ override.GetOverriddenResultName(AutomountServiceAccountTokenTrueAndDefaultSA)}, true, }, {"service-account-token-true-and-default-name.yml", []string{AutomountServiceAccountTokenTrueAndDefaultSA}, true}, {"service-account-token-false.yml", []string{}, true}, {"service-account-token-redundant-override.yml", []string{kubeaudit.RedundantAuditorOverride}, true}, {"service-account-token-nil-and-no-name-and-default-sa.yml", []string{}, true}, {"service-account-token-true-and-default-sa.yml", []string{AutomountServiceAccountTokenTrueAndDefaultSA}, true}, } for _, tc := range cases { // This line is needed because of how scopes work with parallel tests (see https://gist.github.com/posener/92a55c4cd441fc5e5e85f27bca008721) tc := tc t.Run(tc.file, func(t *testing.T) { t.Parallel() test.AuditManifest(t, fixtureDir, tc.file, New(), tc.expectedErrors) if tc.testLocalMode { test.AuditLocal(t, fixtureDir, tc.file, New(), strings.Split(tc.file, ".")[0], tc.expectedErrors) } }) } } 0707010000002A000081A400000000000000000000000166C635DC00000627000000000000000000000000000000000000002600000000kubeaudit-0.22.2/auditors/asat/fix.gopackage asat import ( "fmt" "github.com/Shopify/kubeaudit/pkg/k8s" ) type fixDeprecatedServiceAccountName struct { podSpec *k8s.PodSpecV1 } func (f *fixDeprecatedServiceAccountName) Plan() string { return fmt.Sprintf("Set serviceAccountName to '%s' and set serviceAccount to '' in PodSpec", f.podSpec.DeprecatedServiceAccount) } func (f *fixDeprecatedServiceAccountName) Apply(resource k8s.Resource) []k8s.Resource { f.podSpec.ServiceAccountName = f.podSpec.DeprecatedServiceAccount f.podSpec.DeprecatedServiceAccount = "" return nil } type fixDefaultServiceAccountWithAutomountToken struct { podSpec *k8s.PodSpecV1 defaultServiceAccount *k8s.ServiceAccountV1 } func (f *fixDefaultServiceAccountWithAutomountToken) Plan() string { if f.defaultServiceAccount != nil { plan := "Set automountServiceAccountToken to 'false' in ServiceAccount" if f.podSpec.AutomountServiceAccountToken != nil && *(f.podSpec.AutomountServiceAccountToken) { plan += " and set automountServiceAccountToken to 'nil' in PodSpec" } return plan } return "Set automountServiceAccountToken to 'false' in PodSpec" } func (f *fixDefaultServiceAccountWithAutomountToken) Apply(resource k8s.Resource) []k8s.Resource { if f.defaultServiceAccount != nil { f.defaultServiceAccount.AutomountServiceAccountToken = k8s.NewFalse() if (f.podSpec.AutomountServiceAccountToken != nil) && *(f.podSpec.AutomountServiceAccountToken) { f.podSpec.AutomountServiceAccountToken = nil } } else { f.podSpec.AutomountServiceAccountToken = k8s.NewFalse() } return nil } 0707010000002B000081A400000000000000000000000166C635DC00000930000000000000000000000000000000000000002B00000000kubeaudit-0.22.2/auditors/asat/fix_test.gopackage asat import ( "testing" "github.com/Shopify/kubeaudit/internal/test" "github.com/Shopify/kubeaudit/pkg/k8s" "github.com/stretchr/testify/assert" ) func TestFixAutomountServiceAccountToken(t *testing.T) { cases := []struct { file string expectedDeprecatedServiceAccount string expectedServiceAccountName string expectedAutomountToken *bool }{ {"service-account-token-deprecated.yml", "", "deprecated", nil}, {"service-account-token-nil-and-no-name.yml", "", "", k8s.NewFalse()}, {"service-account-token-redundant-override.yml", "", "", k8s.NewFalse()}, {"service-account-token-true-allowed.yml", "", "", k8s.NewTrue()}, {"service-account-token-true-and-default-name.yml", "", "default", k8s.NewFalse()}, {"service-account-token-true-and-no-name.yml", "", "", k8s.NewFalse()}, {"service-account-token-false.yml", "", "", k8s.NewFalse()}, } for _, tc := range cases { t.Run(tc.file, func(t *testing.T) { resources, _ := test.FixSetup(t, fixtureDir, tc.file, New()) for _, resource := range resources { podSpec := k8s.GetPodSpec(resource) assert.Equal(t, tc.expectedDeprecatedServiceAccount, podSpec.DeprecatedServiceAccount) assert.Equal(t, tc.expectedServiceAccountName, podSpec.ServiceAccountName) if tc.expectedAutomountToken == nil { assert.Nil(t, podSpec.AutomountServiceAccountToken) } else { assert.Equal(t, *tc.expectedAutomountToken, *podSpec.AutomountServiceAccountToken) } } }) } // Test that if a default ServiceAccount was found, its 'automountServiceAccountToken' is set to false // instead of on the PodSpec files := []string{ "service-account-token-nil-and-no-name-and-default-sa.yml", "service-account-token-true-and-default-sa.yml", } for _, file := range files { t.Run(file, func(t *testing.T) { resources, _ := test.FixSetup(t, fixtureDir, file, New()) for _, resource := range resources { if serviceAccount, ok := resource.(*k8s.ServiceAccountV1); ok { assert.Equal(t, serviceAccount.AutomountServiceAccountToken, k8s.NewFalse()) continue } podSpec := k8s.GetPodSpec(resource) assert.Equal(t, "", podSpec.DeprecatedServiceAccount) assert.Equal(t, "", podSpec.ServiceAccountName) assert.Nil(t, podSpec.AutomountServiceAccountToken) } }) } } 0707010000002C000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002800000000kubeaudit-0.22.2/auditors/asat/fixtures0707010000002D000081A400000000000000000000000166C635DC0000014F000000000000000000000000000000000000004D00000000kubeaudit-0.22.2/auditors/asat/fixtures/service-account-token-deprecated.ymlapiVersion: v1 kind: ReplicationController metadata: name: replicationcontroller namespace: service-account-token-deprecated spec: template: metadata: labels: name: replicationcontroller spec: serviceAccount: deprecated containers: - name: replicationcontroller image: scratch 0707010000002E000081A400000000000000000000000166C635DC00000147000000000000000000000000000000000000004800000000kubeaudit-0.22.2/auditors/asat/fixtures/service-account-token-false.ymlapiVersion: v1 kind: ReplicationController metadata: name: replicationcontroller namespace: service-account-token-false spec: template: metadata: labels: name: replicationcontroller spec: automountServiceAccountToken: false containers: - name: container image: scratch 0707010000002F000081A400000000000000000000000166C635DC000001AA000000000000000000000000000000000000006100000000kubeaudit-0.22.2/auditors/asat/fixtures/service-account-token-nil-and-no-name-and-default-sa.ymlapiVersion: v1 kind: ReplicationController metadata: name: replicationcontroller namespace: service-account-token-nil-and-no-name-and-default-sa spec: template: metadata: labels: name: replicationcontroller spec: containers: - name: replicationcontroller image: scratch --- apiVersion: v1 kind: ServiceAccount metadata: name: default automountServiceAccountToken: false 07070100000030000081A400000000000000000000000166C635DC00000133000000000000000000000000000000000000005200000000kubeaudit-0.22.2/auditors/asat/fixtures/service-account-token-nil-and-no-name.ymlapiVersion: v1 kind: ReplicationController metadata: name: replicationcontroller namespace: service-account-token-nil-and-no-name spec: template: metadata: labels: name: replicationcontroller spec: containers: - name: replicationcontroller image: scratch 07070100000031000081A400000000000000000000000166C635DC0000019D000000000000000000000000000000000000005500000000kubeaudit-0.22.2/auditors/asat/fixtures/service-account-token-redundant-override.ymlapiVersion: v1 kind: ReplicationController metadata: name: replicationcontroller namespace: service-account-token-redundant-override spec: template: metadata: labels: name: replicationcontroller kubeaudit.io/allow-automount-service-account-token: "SomeReason" spec: automountServiceAccountToken: false containers: - name: container image: scratch 07070100000032000081A400000000000000000000000166C635DC00000196000000000000000000000000000000000000004F00000000kubeaudit-0.22.2/auditors/asat/fixtures/service-account-token-true-allowed.ymlapiVersion: v1 kind: ReplicationController metadata: name: replicationcontroller namespace: service-account-token-true-allowed spec: template: metadata: labels: name: replicationcontroller kubeaudit.io/allow-automount-service-account-token: "SomeReason" spec: automountServiceAccountToken: true containers: - name: container image: scratch 07070100000033000081A400000000000000000000000166C635DC00000178000000000000000000000000000000000000005800000000kubeaudit-0.22.2/auditors/asat/fixtures/service-account-token-true-and-default-name.ymlapiVersion: v1 kind: ReplicationController metadata: name: replicationcontroller namespace: service-account-token-true-and-default-name spec: template: metadata: labels: name: replicationcontroller spec: automountServiceAccountToken: true serviceAccountName: default containers: - name: container image: scratch 07070100000034000081A400000000000000000000000166C635DC000001BC000000000000000000000000000000000000005600000000kubeaudit-0.22.2/auditors/asat/fixtures/service-account-token-true-and-default-sa.ymlapiVersion: v1 kind: ReplicationController metadata: name: replicationcontroller namespace: service-account-token-true-and-default-sa spec: template: metadata: labels: name: replicationcontroller spec: automountServiceAccountToken: true containers: - name: container image: scratch --- apiVersion: v1 kind: ServiceAccount metadata: name: default automountServiceAccountToken: false 07070100000035000081A400000000000000000000000166C635DC0000015D000000000000000000000000000000000000005300000000kubeaudit-0.22.2/auditors/asat/fixtures/service-account-token-true-and-no-name.ymlapiVersion: v1 kind: ReplicationController metadata: name: replicationcontroller namespace: service-account-token-true-and-no-name spec: template: metadata: labels: name: replicationcontroller spec: automountServiceAccountToken: true containers: - name: replicationcontroller image: scratch 07070100000036000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002700000000kubeaudit-0.22.2/auditors/capabilities07070100000037000081A400000000000000000000000166C635DC000010C2000000000000000000000000000000000000003700000000kubeaudit-0.22.2/auditors/capabilities/capabilities.gopackage capabilities import ( "fmt" "strings" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/pkg/k8s" "github.com/Shopify/kubeaudit/pkg/override" ) const Name = "capabilities" const ( // CapabilityAdded occurs when a capability is in the capability add list of a container's security context CapabilityAdded = "CapabilityAdded" // CapabilityShouldDropAll occurs when there's a drop list instead of having drop "ALL" CapabilityShouldDropAll = "CapabilityShouldDropAll" // CapabilityOrSecurityContextMissing occurs when either the Security Context or Capabilities are not specified CapabilityOrSecurityContextMissing = "CapabilityOrSecurityContextMissing" ) const overrideLabelPrefix = "allow-capability-" var DefaultDropList = []string{"ALL"} var DefaultAllowAddList = []string{""} // Capabilities implements Auditable type Capabilities struct { allowAddList []string } func New(config Config) *Capabilities { return &Capabilities{ allowAddList: config.GetAllowAddList(), } } // Audit checks that bad capabilities are dropped with ALL and no capabilities are added func (a *Capabilities) Audit(resource k8s.Resource, _ []k8s.Resource) ([]*kubeaudit.AuditResult, error) { var auditResults []*kubeaudit.AuditResult for _, container := range k8s.GetContainers(resource) { auditResult := auditContainerForDropAll(container) if auditResult != nil { auditResults = append(auditResults, auditResult) } for _, capability := range uniqueCapabilities(container) { for _, auditResult := range auditContainer(container, capability, a.allowAddList) { auditResult = override.ApplyOverride(auditResult, Name, container.Name, resource, getOverrideLabel(capability)) if auditResult != nil { auditResults = append(auditResults, auditResult) } } } } return auditResults, nil } func getOverrideLabel(capability string) string { return overrideLabelPrefix + strings.Replace(strings.ToLower(capability), "_", "-", -1) } func auditContainer(container *k8s.ContainerV1, capability string, allowAddList []string) []*kubeaudit.AuditResult { var auditResults []*kubeaudit.AuditResult if isCapabilityInArray(capability, allowAddList) { return auditResults } if SecurityContextOrCapabilities(container) { if IsCapabilityInAddList(container, capability) { message := fmt.Sprintf("Capability \"%s\" added. It should be removed from the capability add list. If you need this capability, add an override label such as '%s: SomeReason'.", capability, override.GetContainerOverrideLabel(container.Name, getOverrideLabel(capability))) auditResult := &kubeaudit.AuditResult{ Auditor: Name, Rule: CapabilityAdded, Severity: kubeaudit.Error, Message: message, PendingFix: &fixCapabilityAdded{ container: container, capability: capability, }, Metadata: kubeaudit.Metadata{ "Container": container.Name, "Metadata": capability, }, } auditResults = append(auditResults, auditResult) } } // We need the audit result to be nil for ApplyOverride to check for RedundantAuditorOverride errors if len(auditResults) == 0 { return []*kubeaudit.AuditResult{nil} } return auditResults } func auditContainerForDropAll(container *k8s.ContainerV1) *kubeaudit.AuditResult { if !SecurityContextOrCapabilities(container) { message := "Security Context not set. The Security Context should be specified and all Capabilities should be dropped by setting the Drop list to ALL." return &kubeaudit.AuditResult{ Auditor: Name, Rule: CapabilityOrSecurityContextMissing, Severity: kubeaudit.Error, Message: message, PendingFix: &fixMissingSecurityContextOrCapability{ container: container, }, Metadata: kubeaudit.Metadata{ "Container": container.Name, }, } } if !IsDropAll(container) { message := "Capability Drop list should be set to ALL. Add the specific ones you need to the Add list and set an override label." return &kubeaudit.AuditResult{ Auditor: Name, Rule: CapabilityShouldDropAll, Severity: kubeaudit.Error, Message: message, PendingFix: &fixCapabilityNotDroppedAll{ container: container, }, Metadata: kubeaudit.Metadata{ "Container": container.Name, }, } } return nil } 07070100000038000081A400000000000000000000000166C635DC0000079B000000000000000000000000000000000000003C00000000kubeaudit-0.22.2/auditors/capabilities/capabilities_test.gopackage capabilities import ( "strings" "testing" "github.com/Shopify/kubeaudit/internal/test" "github.com/Shopify/kubeaudit/pkg/override" ) const fixtureDir = "fixtures" func TestAuditCapabilities(t *testing.T) { cases := []struct { file string fixtureDir string expectedErrors []string }{ {"capabilities-nil.yml", fixtureDir, []string{CapabilityOrSecurityContextMissing}}, {"capabilities-added.yml", fixtureDir, []string{CapabilityAdded}}, {"capabilities-added-not-dropped.yml", fixtureDir, []string{CapabilityAdded, CapabilityShouldDropAll}}, {"capabilities-some-allowed.yml", fixtureDir, []string{ override.GetOverriddenResultName(CapabilityAdded), CapabilityAdded, }}, {"capabilities-some-dropped.yml", fixtureDir, []string{CapabilityShouldDropAll}}, {"capabilities-dropped-all.yml", fixtureDir, []string{}}, {"capabilities-some-allowed-multi-containers-all-labels.yml", fixtureDir, []string{ CapabilityAdded, CapabilityShouldDropAll, override.GetOverriddenResultName(CapabilityAdded), }}, {"capabilities-some-allowed-multi-containers-some-labels.yml", fixtureDir, []string{ CapabilityAdded, CapabilityShouldDropAll, override.GetOverriddenResultName(CapabilityAdded), }}, {"capabilities-some-allowed-multi-containers-mix-labels.yml", fixtureDir, []string{ CapabilityAdded, CapabilityShouldDropAll, override.GetOverriddenResultName(CapabilityAdded), }}, {"capabilities-some-allowed-multi-containers-mix-old-labels.yml", fixtureDir, []string{ CapabilityAdded, CapabilityShouldDropAll, override.GetOverriddenResultName(CapabilityAdded), }}, } for _, tc := range cases { tc := tc t.Run(tc.file, func(t *testing.T) { t.Parallel() test.AuditManifest(t, tc.fixtureDir, tc.file, New(Config{}), tc.expectedErrors) test.AuditLocal(t, tc.fixtureDir, tc.file, New(Config{}), strings.Split(tc.file, ".")[0], tc.expectedErrors) }) } } 07070100000039000081A400000000000000000000000166C635DC00000102000000000000000000000000000000000000003100000000kubeaudit-0.22.2/auditors/capabilities/config.gopackage capabilities type Config struct { AllowAddList []string `yaml:"allowAddList"` } func (config *Config) GetAllowAddList() []string { if config == nil || len(config.AllowAddList) == 0 { return DefaultAllowAddList } return config.AllowAddList } 0707010000003A000081A400000000000000000000000166C635DC00000A7F000000000000000000000000000000000000002E00000000kubeaudit-0.22.2/auditors/capabilities/fix.gopackage capabilities import ( "fmt" "github.com/Shopify/kubeaudit/pkg/k8s" v1 "k8s.io/api/core/v1" ) type fixCapabilityAdded struct { container *k8s.ContainerV1 capability string } func (f *fixCapabilityAdded) Plan() string { return fmt.Sprintf("Remove capability '%s' from the capability add list in the container SecurityContext for container %s", f.capability, f.container.Name) } func (f *fixCapabilityAdded) Apply(resource k8s.Resource) []k8s.Resource { removeCapabilityFromAddList(f.container, f.capability) return nil } type fixCapabilityNotDroppedAll struct { container *k8s.ContainerV1 capability string } func (f *fixCapabilityNotDroppedAll) Plan() string { return fmt.Sprintf("Remove '%s' capability from drop list in the container SecurityContext for container %s", f.capability, f.container.Name) } func (f *fixCapabilityNotDroppedAll) Apply(resource k8s.Resource) []k8s.Resource { dropCapabilityFromDropList(f.container, f.capability) return nil } func dropCapabilityFromDropList(container *k8s.ContainerV1, capability string) { if container.SecurityContext == nil { container.SecurityContext = &k8s.SecurityContextV1{} } if container.SecurityContext.Capabilities == nil { container.SecurityContext.Capabilities = &k8s.CapabilitiesV1{} } if container.SecurityContext.Capabilities.Drop == nil { container.SecurityContext.Capabilities.Drop = []k8s.CapabilityV1{} } container.SecurityContext.Capabilities.Drop = []v1.Capability{"ALL"} } func removeCapabilityFromAddList(container *k8s.ContainerV1, capability string) { added := container.SecurityContext.Capabilities.Add for i, add := range added { if string(add) == capability { added = append(added[:i], added[i+1:]...) break } } container.SecurityContext.Capabilities.Add = added } type fixMissingSecurityContextOrCapability struct { container *k8s.ContainerV1 } func (f *fixMissingSecurityContextOrCapability) Plan() string { return fmt.Sprintf("Adds security context and capabilities to %s. The capabilities Drop list is set to ALL.", f.container.Name) } func (f *fixMissingSecurityContextOrCapability) Apply(resource k8s.Resource) []k8s.Resource { setDropToAll(f.container) return nil } func setDropToAll(container *k8s.ContainerV1) { if container.SecurityContext == nil { container.SecurityContext = &k8s.SecurityContextV1{} } if container.SecurityContext.Capabilities == nil { container.SecurityContext.Capabilities = &k8s.CapabilitiesV1{} } if container.SecurityContext.Capabilities.Drop == nil { container.SecurityContext.Capabilities.Drop = []k8s.CapabilityV1{} } container.SecurityContext.Capabilities.Drop = []v1.Capability{"ALL"} } 0707010000003B000081A400000000000000000000000166C635DC0000159A000000000000000000000000000000000000003300000000kubeaudit-0.22.2/auditors/capabilities/fix_test.gopackage capabilities import ( "fmt" "testing" "github.com/Shopify/kubeaudit/pkg/k8s" "github.com/Shopify/kubeaudit/pkg/override" "github.com/stretchr/testify/assert" ) func TestFixCapabilities(t *testing.T) { customAllowAddList := []string{"apple", "banana"} cases := []struct { testName string overrides []string add []string expectedAdd []string drop []string expectedDrop []string }{ { testName: "Capabilities not set to ALL", overrides: []string{}, add: []string{}, expectedAdd: []string{}, drop: []string{"orange", "banana"}, expectedDrop: []string{"ALL"}, }, { testName: "Nothing to fix - no caps added and drop is set to all", overrides: []string{}, add: []string{}, expectedAdd: []string{}, drop: []string{"all"}, expectedDrop: []string{"all"}, }, { testName: "No capabilities specified", overrides: []string{}, add: []string{}, expectedAdd: []string{}, drop: []string{}, expectedDrop: []string{"ALL"}, }, { testName: "Capability Added with with override specified in AddList and 2 capabilities dropped", overrides: []string{}, add: []string{customAllowAddList[0], customAllowAddList[1], "orange"}, expectedAdd: []string{customAllowAddList[0], customAllowAddList[1]}, drop: []string{"pineapple", "pomegranate"}, expectedDrop: []string{"ALL"}, }, { testName: "CapabilityAdded - all", overrides: []string{}, add: []string{"ALL"}, expectedAdd: []string{}, drop: []string{"orange"}, expectedDrop: []string{"ALL"}, }, { testName: "CapabilityAdded", overrides: []string{}, add: []string{"orange"}, expectedAdd: []string{}, drop: []string{}, expectedDrop: []string{"ALL"}, }, { testName: "Pod override", overrides: []string{override.GetOverrideLabel(getOverrideLabel("orange"))}, add: []string{"orange"}, expectedAdd: []string{"orange"}, drop: []string{}, expectedDrop: []string{"ALL"}, }, { testName: "Container override", overrides: []string{override.GetContainerOverrideLabel("mycontainer", getOverrideLabel("pear"))}, add: []string{customAllowAddList[0], "pear", "orange"}, expectedAdd: []string{customAllowAddList[0], "pear"}, drop: []string{}, expectedDrop: []string{"ALL"}, }, { testName: "CapabilityAdded with 3 override labels", overrides: []string{override.GetContainerOverrideLabel("mycontainer", getOverrideLabel("blueberries")), override.GetContainerOverrideLabel("mycontainer", getOverrideLabel("strawberries")), override.GetContainerOverrideLabel("mycontainer", getOverrideLabel("raspberries"))}, add: []string{customAllowAddList[0], "blueberries", "raspberries", "strawberries", "orange"}, expectedAdd: []string{customAllowAddList[0], "blueberries", "raspberries", "strawberries"}, drop: []string{}, expectedDrop: []string{"ALL"}, }, } auditor := New(Config{AllowAddList: customAllowAddList}) for _, tc := range cases { t.Run(tc.testName, func(t *testing.T) { resource := newPod(tc.add, tc.drop, tc.overrides) auditResults, err := auditor.Audit(resource, nil) if !assert.Nil(t, err) { return } for _, auditResult := range auditResults { auditResult.Fix(resource) ok, plan := auditResult.FixPlan() if ok { fmt.Println(plan) } } capabilities := k8s.GetContainers(resource)[0].SecurityContext.Capabilities assertCapabilitiesEqual(t, capabilities.Add, tc.expectedAdd) assertCapabilitiesEqual(t, capabilities.Drop, tc.expectedDrop) }) } t.Run("Nil security context", func(t *testing.T) { resource := &k8s.PodV1{ Spec: k8s.PodSpecV1{ Containers: []k8s.ContainerV1{{}}, }, } auditResults, err := auditor.Audit(resource, nil) if !assert.Nil(t, err) { return } for _, auditResult := range auditResults { auditResult.Fix(resource) ok, plan := auditResult.FixPlan() if ok { fmt.Println(plan) } } capabilities := k8s.GetContainers(resource)[0].SecurityContext.Capabilities assertCapabilitiesEqual(t, capabilities.Drop, []string{"ALL"}) }) } func assertCapabilitiesEqual(t *testing.T, capabilities []k8s.CapabilityV1, expected []string) { assert := assert.New(t) if !assert.Equal(len(expected), len(capabilities)) { return } m := make(map[string]bool) for _, cap := range capabilities { m[string(cap)] = true } for _, cap := range expected { ok, val := m[cap] assert.True(ok) assert.True(val) } } func newPod(add, drop, overrides []string) k8s.Resource { pod := k8s.NewPod() container := k8s.ContainerV1{ Name: "mycontainer", SecurityContext: &k8s.SecurityContextV1{ Capabilities: &k8s.CapabilitiesV1{ Add: capabilitiesFromStringArray(add), Drop: capabilitiesFromStringArray(drop), }, }, } k8s.GetPodSpec(pod).Containers = []k8s.ContainerV1{container} overrideLabels := make(map[string]string) for _, override := range overrides { overrideLabels[override] = "SomeReason" } k8s.GetPodObjectMeta(pod).SetLabels(overrideLabels) return pod } func capabilitiesFromStringArray(arr []string) []k8s.CapabilityV1 { capabilities := make([]k8s.CapabilityV1, 0, len(arr)) for _, str := range arr { capabilities = append(capabilities, k8s.CapabilityV1(str)) } return capabilities } 0707010000003C000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000003000000000kubeaudit-0.22.2/auditors/capabilities/fixtures0707010000003D000081A400000000000000000000000166C635DC0000030A000000000000000000000000000000000000005300000000kubeaudit-0.22.2/auditors/capabilities/fixtures/capabilities-added-not-dropped.ymlapiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: capabilities-added-not-dropped spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment spec: containers: - name: container image: scratch securityContext: capabilities: add: - AUDIT_WRITE drop: - CHOWN - DAC_OVERRIDE - FOWNER - FSETID - KILL - MKNOD - NET_BIND_SERVICE - NET_RAW - SETFCAP - SETGID - SETUID - SETPCAP - SYS_CHROOT 0707010000003E000081A400000000000000000000000166C635DC000001D2000000000000000000000000000000000000004700000000kubeaudit-0.22.2/auditors/capabilities/fixtures/capabilities-added.ymlapiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: capabilities-added spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment spec: containers: - name: container image: scratch securityContext: capabilities: add: - NET_ADMIN - CHOWN drop: - ALL 0707010000003F000081A400000000000000000000000166C635DC00000191000000000000000000000000000000000000004D00000000kubeaudit-0.22.2/auditors/capabilities/fixtures/capabilities-dropped-all.ymlapiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: capabilities-dropped-all spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment spec: containers: - name: container image: scratch securityContext: capabilities: drop: - all 07070100000040000081A400000000000000000000000166C635DC0000012A000000000000000000000000000000000000004500000000kubeaudit-0.22.2/auditors/capabilities/fixtures/capabilities-nil.ymlapiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: capabilities-nil spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment spec: containers: - name: container image: scratch 07070100000041000081A400000000000000000000000166C635DC000006AA000000000000000000000000000000000000006A00000000kubeaudit-0.22.2/auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-all-labels.ymlapiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: capabilities-some-allowed-multi-containers-all-labels spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment container.kubeaudit.io/container1.allow-capability-chown: "SomeReason" container.kubeaudit.io/container1.allow-capability-sys-time: "SomeReason" container.kubeaudit.io/container2.allow-capability-chown: "SomeReason" container.kubeaudit.io/container2.allow-capability-sys-time: "SomeReason" spec: containers: - name: container1 image: scratch securityContext: capabilities: add: - SYS_TIME - SYS_MODULE drop: - AUDIT_WRITE - DAC_OVERRIDE - FOWNER - FSETID - KILL - MKNOD - NET_BIND_SERVICE - NET_RAW - SETFCAP - SETGID - SETUID - SETPCAP - SYS_CHROOT - name: container2 image: scratch securityContext: capabilities: add: - SYS_TIME - SYS_MODULE drop: - AUDIT_WRITE - DAC_OVERRIDE - FOWNER - FSETID - KILL - MKNOD - NET_BIND_SERVICE - NET_RAW - SETFCAP - SETGID - SETUID - SETPCAP - SYS_CHROOT 07070100000042000081A400000000000000000000000166C635DC00000695000000000000000000000000000000000000006A00000000kubeaudit-0.22.2/auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-mix-labels.ymlapiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: capabilities-some-allowed-multi-containers-mix-labels spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment kubeaudit.io/allow-capability-chown: "SomeReason" container.kubeaudit.io/container1.allow-capability-chown: "SomeReason" container.kubeaudit.io/container1.allow-capability-sys-time: "SomeReason" container.kubeaudit.io/container2.allow-capability-sys-time: "SomeReason" spec: containers: - name: container1 image: scratch securityContext: capabilities: add: - SYS_TIME - SYS_MODULE drop: - AUDIT_WRITE - DAC_OVERRIDE - FOWNER - FSETID - KILL - MKNOD - NET_BIND_SERVICE - NET_RAW - SETFCAP - SETGID - SETUID - SETPCAP - SYS_CHROOT - name: container2 image: scratch securityContext: capabilities: add: - SYS_TIME - SYS_MODULE drop: - AUDIT_WRITE - DAC_OVERRIDE - FOWNER - FSETID - KILL - MKNOD - NET_BIND_SERVICE - NET_RAW - SETFCAP - SETGID - SETUID - SETPCAP - SYS_CHROOT 07070100000043000081A400000000000000000000000166C635DC00000716000000000000000000000000000000000000006E00000000kubeaudit-0.22.2/auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-mix-old-labels.yml# this is to test backwards compatibility with old unregistered annotations (kubernetes.io) apiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: capabilities-some-allowed-multi-containers-mix-old-labels spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment audit.kubernetes.io/pod.allow-capability-chown: "SomeReason" container.audit.kubernetes.io/container1.allow-capability-chown: "SomeReason" container.audit.kubernetes.io/container1.allow-capability-sys-time: "SomeReason" container.audit.kubernetes.io/container2.allow-capability-sys-time: "SomeReason" spec: containers: - name: container1 image: scratch securityContext: capabilities: add: - SYS_TIME - SYS_MODULE drop: - AUDIT_WRITE - DAC_OVERRIDE - FOWNER - FSETID - KILL - MKNOD - NET_BIND_SERVICE - NET_RAW - SETFCAP - SETGID - SETUID - SETPCAP - SYS_CHROOT - name: container2 image: scratch securityContext: capabilities: add: - SYS_TIME - SYS_MODULE drop: - AUDIT_WRITE - DAC_OVERRIDE - FOWNER - FSETID - KILL - MKNOD - NET_BIND_SERVICE - NET_RAW - SETFCAP - SETGID - SETUID - SETPCAP - SYS_CHROOT 07070100000044000081A400000000000000000000000166C635DC0000060A000000000000000000000000000000000000006B00000000kubeaudit-0.22.2/auditors/capabilities/fixtures/capabilities-some-allowed-multi-containers-some-labels.ymlapiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: capabilities-some-allowed-multi-containers-some-labels spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment container.kubeaudit.io/container1.allow-capability-chown: "SomeReason" container.kubeaudit.io/container1.allow-capability-sys-time: "SomeReason" spec: containers: - name: container1 image: scratch securityContext: capabilities: add: - SYS_TIME - SYS_MODULE drop: - AUDIT_WRITE - DAC_OVERRIDE - FOWNER - FSETID - KILL - MKNOD - NET_BIND_SERVICE - NET_RAW - SETFCAP - SETGID - SETUID - SETPCAP - SYS_CHROOT - name: container2 image: scratch securityContext: capabilities: add: - SYS_TIME - SYS_MODULE drop: - AUDIT_WRITE - DAC_OVERRIDE - FOWNER - FSETID - KILL - MKNOD - NET_BIND_SERVICE - NET_RAW - SETFCAP - SETGID - SETUID - SETPCAP - SYS_CHROOT 07070100000045000081A400000000000000000000000166C635DC0000026C000000000000000000000000000000000000004E00000000kubeaudit-0.22.2/auditors/capabilities/fixtures/capabilities-some-allowed.ymlapiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: capabilities-some-allowed spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment kubeaudit.io/allow-capability-chown: "SomeReason" kubeaudit.io/allow-capability-sys-time: "SomeReason" spec: containers: - name: container image: scratch securityContext: capabilities: add: - SYS_TIME - SYS_MODULE - CHOWN drop: - ALL 07070100000046000081A400000000000000000000000166C635DC000002D4000000000000000000000000000000000000004E00000000kubeaudit-0.22.2/auditors/capabilities/fixtures/capabilities-some-dropped.ymlapiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: capabilities-some-dropped spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment spec: containers: - name: container image: scratch securityContext: capabilities: drop: - CHOWN - DAC_OVERRIDE - FOWNER - FSETID - KILL - MKNOD - NET_BIND_SERVICE - NET_RAW - SETFCAP - SETGID - SETUID - SETPCAP - SYS_CHROOT 07070100000047000081A400000000000000000000000166C635DC000006C2000000000000000000000000000000000000002F00000000kubeaudit-0.22.2/auditors/capabilities/util.gopackage capabilities import ( "sort" "strings" "github.com/Shopify/kubeaudit/pkg/k8s" ) // uniqueCapabilities creates an array of all unique capabilities in the custom drop list and container add list func uniqueCapabilities(container *k8s.ContainerV1) []string { if !SecurityContextOrCapabilities(container) { return DefaultDropList } m := make(map[string]bool) for _, cap := range container.SecurityContext.Capabilities.Add { m[string(cap)] = true } merged := make([]string, 0, len(m)) // "ALL" and "all" mean the same thing so we don't want to count both all := false for k := range m { if isCapabilityAll(k) { all = true continue } merged = append(merged, k) } if all { merged = append(merged, "ALL") } sort.Strings(merged) return merged } func isCapabilityAll(capability string) bool { return capability == "ALL" || capability == "all" } func isCapabilityInArray(capability string, capabilities []string) bool { if len(capabilities) == 0 { return false } for _, cap := range capabilities { if cap == capability { return true } } return false } func IsDropAll(container *k8s.ContainerV1) bool { for _, cap := range container.SecurityContext.Capabilities.Drop { if strings.ToUpper(string(cap)) == "ALL" { return true } } return false } func IsCapabilityInAddList(container *k8s.ContainerV1, capability string) bool { for _, cap := range container.SecurityContext.Capabilities.Add { if string(cap) == capability { return true } } return false } func SecurityContextOrCapabilities(container *k8s.ContainerV1) bool { if container.SecurityContext == nil || container.SecurityContext.Capabilities == nil { return false } return true } 07070100000048000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002900000000kubeaudit-0.22.2/auditors/deprecatedapis07070100000049000081A400000000000000000000000166C635DC000003FE000000000000000000000000000000000000003300000000kubeaudit-0.22.2/auditors/deprecatedapis/config.gopackage deprecatedapis import ( "fmt" "regexp" "strconv" ) type Config struct { CurrentVersion string `yaml:"currentVersion"` TargetedVersion string `yaml:"targetedVersion"` } type Version struct { Major int Minor int } func (config *Config) GetCurrentVersion() (*Version, error) { if config == nil { return nil, nil } return toMajorMinor(config.CurrentVersion) } func (config *Config) GetTargetedVersion() (*Version, error) { if config == nil { return nil, nil } return toMajorMinor(config.TargetedVersion) } func toMajorMinor(version string) (*Version, error) { if len(version) == 0 { return nil, nil } re := regexp.MustCompile(`^(\d{1,2})\.(\d{1,2})$`) if !re.MatchString(version) { return nil, fmt.Errorf("error parsing version: %s", version) } major, err := strconv.Atoi(re.FindStringSubmatch(version)[1]) if err != nil { return nil, err } minor, err := strconv.Atoi(re.FindStringSubmatch(version)[2]) if err != nil { return nil, err } return &Version{major, minor}, nil } 0707010000004A000081A400000000000000000000000166C635DC00001742000000000000000000000000000000000000003C00000000kubeaudit-0.22.2/auditors/deprecatedapis/depreceatedapis.gopackage deprecatedapis import ( "fmt" "strconv" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/internal/k8sinternal" "github.com/Shopify/kubeaudit/pkg/k8s" v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/runtime/schema" ) const Name = "deprecatedapis" const ( // DeprecatedAPIUsed occurs when a deprecated resource type version is used DeprecatedAPIUsed = "DeprecatedAPIUsed" ) // DeprecatedAPIs implements Auditable type DeprecatedAPIs struct { CurrentVersion *Version TargetedVersion *Version } func New(config Config) (*DeprecatedAPIs, error) { currentVersion, err := config.GetCurrentVersion() if err != nil { return nil, fmt.Errorf("error creating DeprecatedAPIs auditor: %w", err) } targetedVersion, err := config.GetTargetedVersion() if err != nil { return nil, fmt.Errorf("error creating DeprecatedAPIs auditor: %w", err) } return &DeprecatedAPIs{ CurrentVersion: currentVersion, TargetedVersion: targetedVersion, }, nil } // APILifecycleDeprecated is a generated function on the available APIs, returning the release in which the API struct was or will be deprecated as int versions of major and minor for comparison. // https://github.com/kubernetes/code-generator/blob/v0.24.1/cmd/prerelease-lifecycle-gen/prerelease-lifecycle-generators/status.go#L475-L479 type apiLifecycleDeprecated interface { APILifecycleDeprecated() (major, minor int) } // APILifecycleRemoved is a generated function on the available APIs, returning the release in which the API is no longer served as int versions of major and minor for comparison. // https://github.com/kubernetes/code-generator/blob/v0.24.1/cmd/prerelease-lifecycle-gen/prerelease-lifecycle-generators/status.go#L491-L495 type apiLifecycleRemoved interface { APILifecycleRemoved() (major, minor int) } // APILifecycleReplacement is a generated function on the available APIs, returning the group, version, and kind that should be used instead of this deprecated type. // https://github.com/kubernetes/code-generator/blob/v0.24.1/cmd/prerelease-lifecycle-gen/prerelease-lifecycle-generators/status.go#L482-L487 type apiLifecycleReplacement interface { APILifecycleReplacement() schema.GroupVersionKind } // APILifecycleIntroduced is a generated function on the available APIs, returning the release in which the API struct was introduced as int versions of major and minor for comparison. // https://github.com/kubernetes/code-generator/blob/v0.24.1/cmd/prerelease-lifecycle-gen/prerelease-lifecycle-generators/status.go#L467-L473 type apiLifecycleIntroduced interface { APILifecycleIntroduced() (major, minor int) } // Audit checks that the resource API version is not deprecated func (deprecatedAPIs *DeprecatedAPIs) Audit(resource k8s.Resource, _ []k8s.Resource) ([]*kubeaudit.AuditResult, error) { var auditResults []*kubeaudit.AuditResult lastApplied, ok := k8s.GetAnnotations(resource)[v1.LastAppliedConfigAnnotation] if ok && len(lastApplied) > 0 { resource, _ = k8sinternal.DecodeResource([]byte(lastApplied)) } deprecated, isDeprecated := resource.(apiLifecycleDeprecated) if isDeprecated { deprecatedMajor, deprecatedMinor := deprecated.APILifecycleDeprecated() if deprecatedMajor == 0 && deprecatedMinor == 0 { return nil, fmt.Errorf("version not found %s (%d.%d)", deprecated, deprecatedMajor, deprecatedMinor) } else { severity := kubeaudit.Warn metadata := kubeaudit.Metadata{ "DeprecatedMajor": strconv.Itoa(deprecatedMajor), "DeprecatedMinor": strconv.Itoa(deprecatedMinor), } if deprecatedAPIs.CurrentVersion != nil && (deprecatedAPIs.CurrentVersion.Major < deprecatedMajor || deprecatedAPIs.CurrentVersion.Major == deprecatedMajor && deprecatedAPIs.CurrentVersion.Minor < deprecatedMinor) { severity = kubeaudit.Info } gvk := resource.GetObjectKind().GroupVersionKind() if gvk.Empty() { return nil, fmt.Errorf("GroupVersionKind not found %s", resource) } else { deprecationMessage := fmt.Sprintf("%s %s is deprecated in v%d.%d+", gvk.GroupVersion().String(), gvk.Kind, deprecatedMajor, deprecatedMinor) if removed, hasRemovalInfo := resource.(apiLifecycleRemoved); hasRemovalInfo { removedMajor, removedMinor := removed.APILifecycleRemoved() if removedMajor != 0 || removedMinor != 0 { deprecationMessage = deprecationMessage + fmt.Sprintf(", unavailable in v%d.%d+", removedMajor, removedMinor) metadata["RemovedMajor"] = strconv.Itoa(removedMajor) metadata["RemovedMinor"] = strconv.Itoa(removedMinor) } if deprecatedAPIs.TargetedVersion != nil && deprecatedAPIs.TargetedVersion.Major >= removedMajor && deprecatedAPIs.TargetedVersion.Minor >= removedMinor { severity = kubeaudit.Error } } if introduced, hasIntroduced := resource.(apiLifecycleIntroduced); hasIntroduced { introducedMajor, introducedMinor := introduced.APILifecycleIntroduced() if introducedMajor != 0 || introducedMinor != 0 { deprecationMessage = deprecationMessage + fmt.Sprintf(", introduced in v%d.%d+", introducedMajor, introducedMinor) metadata["IntroducedMajor"] = strconv.Itoa(introducedMajor) metadata["IntroducedMinor"] = strconv.Itoa(introducedMinor) } } if replaced, hasReplacement := resource.(apiLifecycleReplacement); hasReplacement { replacement := replaced.APILifecycleReplacement() if !replacement.Empty() { deprecationMessage = deprecationMessage + fmt.Sprintf("; use %s %s", replacement.GroupVersion().String(), replacement.Kind) metadata["ReplacementGroup"] = replacement.GroupVersion().String() metadata["ReplacementKind"] = replacement.Kind } } auditResult := &kubeaudit.AuditResult{ Auditor: Name, Rule: DeprecatedAPIUsed, Severity: severity, Message: deprecationMessage, Metadata: metadata, } auditResults = append(auditResults, auditResult) } } } return auditResults, nil } 0707010000004B000081A400000000000000000000000166C635DC00000C58000000000000000000000000000000000000004100000000kubeaudit-0.22.2/auditors/deprecatedapis/depreceatedapis_test.gopackage deprecatedapis import ( "fmt" "strings" "testing" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/internal/test" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) const fixtureDir = "fixtures" func TestAuditDeprecatedAPIs(t *testing.T) { cases := []struct { file string currentVersion string targetedVersion string expectedSeverity kubeaudit.SeverityLevel }{ {"cronjob.yml", "", "", kubeaudit.Warn}, // Warn is the serverity by default {"cronjob.yml", "1.20", "1.21", kubeaudit.Info}, // Info, not yet deprecated in the current version {"cronjob.yml", "1.21", "1.22", kubeaudit.Warn}, // Warn, deprecated in the current version {"cronjob.yml", "1.22", "1.25", kubeaudit.Error}, // Error, not available in the targeted version {"cronjob.yml", "1.20", "1.25", kubeaudit.Error}, // Error, not yet deprecated in the current version but not available in the targeted version {"cronjob.yml", "1.20", "", kubeaudit.Info}, // Info, not yet deprecated in the current version and no targeted version defined {"cronjob.yml", "1.21", "", kubeaudit.Warn}, // Warn, deprecated in the current version {"cronjob.yml", "", "1.20", kubeaudit.Warn}, // Warn is the serverity by default if no current version {"cronjob.yml", "", "1.25", kubeaudit.Error}, // Error, not available in the targeted version } message := "batch/v1beta1 CronJob is deprecated in v1.21+, unavailable in v1.25+, introduced in v1.8+; use batch/v1 CronJob" metadata := kubeaudit.Metadata{ "DeprecatedMajor": "1", "DeprecatedMinor": "21", "RemovedMajor": "1", "RemovedMinor": "25", "IntroducedMajor": "1", "IntroducedMinor": "8", "ReplacementGroup": "batch/v1", "ReplacementKind": "CronJob", } for i, tc := range cases { // These lines are needed because of how scopes work with parallel tests (see https://gist.github.com/posener/92a55c4cd441fc5e5e85f27bca008721) tc := tc i := i t.Run(tc.file+"-"+tc.currentVersion+"-"+tc.targetedVersion, func(t *testing.T) { t.Parallel() auditor, err := New(Config{CurrentVersion: tc.currentVersion, TargetedVersion: tc.targetedVersion}) require.Nil(t, err) report := test.AuditManifest(t, fixtureDir, tc.file, auditor, []string{DeprecatedAPIUsed}) assertReport(t, report, tc.expectedSeverity, message, metadata) report = test.AuditLocal(t, fixtureDir, tc.file, auditor, fmt.Sprintf("%s-%d", strings.Split(tc.file, ".")[0], i), []string{DeprecatedAPIUsed}) if report != nil { assertReport(t, report, tc.expectedSeverity, message, metadata) } }) } } func assertReport(t *testing.T, report *kubeaudit.Report, expectedSeverity kubeaudit.SeverityLevel, message string, metadata map[string]string) { assert.Equal(t, 1, len(report.Results())) for _, result := range report.Results() { assert.Equal(t, 1, len(result.GetAuditResults())) for _, auditResult := range result.GetAuditResults() { require.Equal(t, expectedSeverity, auditResult.Severity) require.Equal(t, message, auditResult.Message) require.Equal(t, metadata, auditResult.Metadata) } } } 0707010000004C000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000003200000000kubeaudit-0.22.2/auditors/deprecatedapis/fixtures0707010000004D000081A400000000000000000000000166C635DC000001A1000000000000000000000000000000000000003E00000000kubeaudit-0.22.2/auditors/deprecatedapis/fixtures/cronjob.ymlapiVersion: batch/v1beta1 kind: CronJob metadata: name: hello spec: schedule: "* * * * *" jobTemplate: spec: template: spec: containers: - name: hello image: busybox imagePullPolicy: IfNotPresent command: - /bin/sh - -c - date; echo Hello from the Kubernetes cluster restartPolicy: OnFailure0707010000004E000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002100000000kubeaudit-0.22.2/auditors/hostns0707010000004F000081A400000000000000000000000166C635DC00000355000000000000000000000000000000000000002800000000kubeaudit-0.22.2/auditors/hostns/fix.gopackage hostns import "github.com/Shopify/kubeaudit/pkg/k8s" type fixHostNetworkTrue struct { podSpec *k8s.PodSpecV1 } func (f *fixHostNetworkTrue) Plan() string { return "Set hostNetwork to 'false' in PodSpec" } func (f *fixHostNetworkTrue) Apply(resource k8s.Resource) []k8s.Resource { f.podSpec.HostNetwork = false return nil } type fixHostIPCTrue struct { podSpec *k8s.PodSpecV1 } func (f *fixHostIPCTrue) Plan() string { return "Set hostIPC to 'false' in PodSpec" } func (f *fixHostIPCTrue) Apply(resource k8s.Resource) []k8s.Resource { f.podSpec.HostIPC = false return nil } type fixHostPIDTrue struct { podSpec *k8s.PodSpecV1 } func (f *fixHostPIDTrue) Plan() string { return "Set hostPID to 'false' in PodSpec" } func (f *fixHostPIDTrue) Apply(resource k8s.Resource) []k8s.Resource { f.podSpec.HostPID = false return nil } 07070100000050000081A400000000000000000000000166C635DC000004CA000000000000000000000000000000000000002D00000000kubeaudit-0.22.2/auditors/hostns/fix_test.gopackage hostns import ( "testing" "github.com/Shopify/kubeaudit/internal/test" "github.com/Shopify/kubeaudit/pkg/k8s" "github.com/stretchr/testify/assert" ) func TestFixHostNamespaces(t *testing.T) { cases := []struct { file string expectedHostNetwork bool expectedHostIPC bool expectedHostPID bool }{ {"host-network-true.yml", false, false, false}, {"host-ipc-true.yml", false, false, false}, {"host-pid-true.yml", false, false, false}, {"host-network-true-allowed.yml", true, false, false}, {"host-ipc-true-allowed.yml", false, true, false}, {"host-pid-true-allowed.yml", false, false, true}, {"namespaces-redundant-override.yml", false, false, false}, {"namespaces-all-true.yml", false, false, false}, {"namespaces-all-true-allowed.yml", true, true, true}, } for _, tc := range cases { t.Run(tc.file, func(t *testing.T) { resources, _ := test.FixSetup(t, fixtureDir, tc.file, New()) for _, resource := range resources { podSpec := k8s.GetPodSpec(resource) assert.Equal(t, tc.expectedHostNetwork, podSpec.HostNetwork) assert.Equal(t, tc.expectedHostIPC, podSpec.HostIPC) assert.Equal(t, tc.expectedHostPID, podSpec.HostPID) } }) } } 07070100000051000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002A00000000kubeaudit-0.22.2/auditors/hostns/fixtures07070100000052000081A400000000000000000000000166C635DC000000E3000000000000000000000000000000000000004400000000kubeaudit-0.22.2/auditors/hostns/fixtures/host-ipc-true-allowed.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: host-ipc-true-allowed labels: kubeaudit.io/allow-namespace-host-IPC: "SomeReason" spec: hostIPC: true containers: - name: container image: scratch 07070100000053000081A400000000000000000000000166C635DC00000099000000000000000000000000000000000000003C00000000kubeaudit-0.22.2/auditors/hostns/fixtures/host-ipc-true.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: host-ipc-true spec: hostIPC: true containers: - name: container image: scratch 07070100000054000081A400000000000000000000000166C635DC000000EF000000000000000000000000000000000000004800000000kubeaudit-0.22.2/auditors/hostns/fixtures/host-network-true-allowed.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: host-network-true-allowed labels: kubeaudit.io/allow-namespace-host-network: "SomeReason" spec: hostNetwork: true containers: - name: container image: scratch 07070100000055000081A400000000000000000000000166C635DC000000A1000000000000000000000000000000000000004000000000kubeaudit-0.22.2/auditors/hostns/fixtures/host-network-true.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: host-network-true spec: hostNetwork: true containers: - name: container image: scratch 07070100000056000081A400000000000000000000000166C635DC000000E3000000000000000000000000000000000000004400000000kubeaudit-0.22.2/auditors/hostns/fixtures/host-pid-true-allowed.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: host-pid-true-allowed labels: kubeaudit.io/allow-namespace-host-PID: "SomeReason" spec: hostPID: true containers: - name: container image: scratch 07070100000057000081A400000000000000000000000166C635DC00000099000000000000000000000000000000000000003C00000000kubeaudit-0.22.2/auditors/hostns/fixtures/host-pid-true.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: host-pid-true spec: hostPID: true containers: - name: container image: scratch 07070100000058000081A400000000000000000000000166C635DC00000181000000000000000000000000000000000000004A00000000kubeaudit-0.22.2/auditors/hostns/fixtures/namespaces-all-true-allowed.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: namespaces-all-true-allowed labels: kubeaudit.io/allow-namespace-host-network: "SomeReason" kubeaudit.io/allow-namespace-host-IPC: "SomeReason" kubeaudit.io/allow-namespace-host-PID: "SomeReason" spec: hostPID: true hostIPC: true hostNetwork: true containers: - name: container image: scratch 07070100000059000081A400000000000000000000000166C635DC000000C3000000000000000000000000000000000000004200000000kubeaudit-0.22.2/auditors/hostns/fixtures/namespaces-all-true.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: namespaces-all-true spec: hostPID: true hostIPC: true hostNetwork: true containers: - name: container image: scratch 0707010000005A000081A400000000000000000000000166C635DC000000F4000000000000000000000000000000000000004C00000000kubeaudit-0.22.2/auditors/hostns/fixtures/namespaces-redundant-override.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: namespaces-redundant-override labels: kubeaudit.io/allow-namespace-host-network: "SomeReason" spec: hostNetwork: false containers: - name: container image: scratch 0707010000005B000081A400000000000000000000000166C635DC00000CBA000000000000000000000000000000000000002B00000000kubeaudit-0.22.2/auditors/hostns/hostns.gopackage hostns import ( "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/pkg/k8s" "github.com/Shopify/kubeaudit/pkg/override" ) const Name = "hostns" const ( // NamespaceHostNetworkTrue occurs when hostNetwork is set to true in the container podspec NamespaceHostNetworkTrue = "NamespaceHostNetworkTrue" // NamespaceHostIPCTrue occurs when hostIPC is set to true in the container podspec NamespaceHostIPCTrue = "NamespaceHostIPCTrue" // NamespaceHostPIDTrue occurs when hostPID is set to true in the container podspec NamespaceHostPIDTrue = "NamespaceHostPIDTrue" ) // HostNamespaces implements Auditable type HostNamespaces struct{} func New() *HostNamespaces { return &HostNamespaces{} } const HostNetworkOverrideLabel = "allow-namespace-host-network" const HostIPCOverrideLabel = "allow-namespace-host-IPC" const HostPIDOverrideLabel = "allow-namespace-host-PID" // Audit checks that hostNetwork, hostIPC and hostPID are set to false in container podSpecs func (a *HostNamespaces) Audit(resource k8s.Resource, _ []k8s.Resource) ([]*kubeaudit.AuditResult, error) { var auditResults []*kubeaudit.AuditResult podSpec := k8s.GetPodSpec(resource) if podSpec == nil { return nil, nil } for _, check := range []struct { auditFunc func(*k8s.PodSpecV1) *kubeaudit.AuditResult overrideLabel string }{ {auditHostNetwork, HostNetworkOverrideLabel}, {auditHostIPC, HostIPCOverrideLabel}, {auditHostPID, HostPIDOverrideLabel}, } { auditResult := check.auditFunc(podSpec) auditResult = override.ApplyOverride(auditResult, Name, "", resource, check.overrideLabel) if auditResult != nil { auditResults = append(auditResults, auditResult) } } return auditResults, nil } func auditHostNetwork(podSpec *k8s.PodSpecV1) *kubeaudit.AuditResult { if podSpec.HostNetwork { metadata := kubeaudit.Metadata{} if podSpec.Hostname != "" { metadata["PodHost"] = podSpec.Hostname } return &kubeaudit.AuditResult{ Auditor: Name, Rule: NamespaceHostNetworkTrue, Severity: kubeaudit.Error, Message: "hostNetwork is set to 'true' in PodSpec. It should be set to 'false'.", PendingFix: &fixHostNetworkTrue{ podSpec: podSpec, }, Metadata: metadata, } } return nil } func auditHostIPC(podSpec *k8s.PodSpecV1) *kubeaudit.AuditResult { if podSpec.HostIPC { metadata := kubeaudit.Metadata{} if podSpec.Hostname != "" { metadata["PodHost"] = podSpec.Hostname } return &kubeaudit.AuditResult{ Auditor: Name, Rule: NamespaceHostIPCTrue, Severity: kubeaudit.Error, Message: "hostIPC is set to 'true' in PodSpec. It should be set to 'false'.", PendingFix: &fixHostIPCTrue{ podSpec: podSpec, }, Metadata: metadata, } } return nil } func auditHostPID(podSpec *k8s.PodSpecV1) *kubeaudit.AuditResult { if podSpec.HostPID { metadata := kubeaudit.Metadata{} if podSpec.Hostname != "" { metadata["PodHost"] = podSpec.Hostname } return &kubeaudit.AuditResult{ Auditor: Name, Rule: NamespaceHostPIDTrue, Severity: kubeaudit.Error, Message: "hostPID is set to 'true' in PodSpec. It should be set to 'false'.", PendingFix: &fixHostPIDTrue{ podSpec: podSpec, }, Metadata: metadata, } } return nil } 0707010000005C000081A400000000000000000000000166C635DC00000681000000000000000000000000000000000000003000000000kubeaudit-0.22.2/auditors/hostns/hostns_test.gopackage hostns import ( "strings" "testing" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/internal/test" "github.com/Shopify/kubeaudit/pkg/override" ) const fixtureDir = "fixtures" func TestAuditHostNamespaces(t *testing.T) { cases := []struct { file string expectedErrors []string }{ {"host-network-true.yml", []string{NamespaceHostNetworkTrue}}, {"host-ipc-true.yml", []string{NamespaceHostIPCTrue}}, {"host-pid-true.yml", []string{NamespaceHostPIDTrue}}, {"host-network-true-allowed.yml", []string{override.GetOverriddenResultName(NamespaceHostNetworkTrue)}}, {"host-ipc-true-allowed.yml", []string{override.GetOverriddenResultName(NamespaceHostIPCTrue)}}, {"host-pid-true-allowed.yml", []string{override.GetOverriddenResultName(NamespaceHostPIDTrue)}}, {"namespaces-redundant-override.yml", []string{kubeaudit.RedundantAuditorOverride}}, {"namespaces-all-true.yml", []string{NamespaceHostNetworkTrue, NamespaceHostIPCTrue, NamespaceHostPIDTrue}}, {"namespaces-all-true-allowed.yml", []string{ override.GetOverriddenResultName(NamespaceHostNetworkTrue), override.GetOverriddenResultName(NamespaceHostIPCTrue), override.GetOverriddenResultName(NamespaceHostPIDTrue), }}, } for _, tc := range cases { // This line is needed because of how scopes work with parallel tests (see https://gist.github.com/posener/92a55c4cd441fc5e5e85f27bca008721) tc := tc t.Run(tc.file, func(t *testing.T) { t.Parallel() test.AuditManifest(t, fixtureDir, tc.file, New(), tc.expectedErrors) test.AuditLocal(t, fixtureDir, tc.file, New(), strings.Split(tc.file, ".")[0], tc.expectedErrors) }) } } 0707010000005D000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002000000000kubeaudit-0.22.2/auditors/image0707010000005E000081A400000000000000000000000166C635DC000000A8000000000000000000000000000000000000002A00000000kubeaudit-0.22.2/auditors/image/config.gopackage image type Config struct { Image string `yaml:"image"` } func (config *Config) GetImage() string { if config == nil { return "" } return config.Image } 0707010000005F000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002900000000kubeaudit-0.22.2/auditors/image/fixtures07070100000060000081A400000000000000000000000166C635DC000001C3000000000000000000000000000000000000003F00000000kubeaudit-0.22.2/auditors/image/fixtures/image-tag-missing.yml--- apiVersion: apps/v1 kind: Deployment metadata: name: deployment spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment annotations: container.apparmor.security.beta.kubernetes.io/container: runtime/default spec: securityContext: seccompProfile: type: RuntimeDefault containers: - name: container image: scratch 07070100000061000081A400000000000000000000000166C635DC00000111000000000000000000000000000000000000003F00000000kubeaudit-0.22.2/auditors/image/fixtures/image-tag-present.ymlapiVersion: apps/v1 kind: Deployment metadata: name: deployment spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment spec: containers: - name: deployment image: scratch:1.5 07070100000062000081A400000000000000000000000166C635DC00000A94000000000000000000000000000000000000002900000000kubeaudit-0.22.2/auditors/image/image.gopackage image import ( "fmt" "strings" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/pkg/k8s" ) const Name = "image" const ( // ImageTagMissing occurs when the container image tag is missing ImageTagMissing = "ImageTagMissing" // ImageTagIncorrect occurs when the container image tag does not match the user-provided value ImageTagIncorrect = "ImageTagIncorrect" // ImageCorrect occurs when the container image tag is correct ImageCorrect = "ImageCorrect" ) // Image implements Auditable type Image struct { image string } func New(config Config) *Image { return &Image{ image: config.GetImage(), } } // Audit checks that the container image matches the provided image func (image *Image) Audit(resource k8s.Resource, _ []k8s.Resource) ([]*kubeaudit.AuditResult, error) { var auditResults []*kubeaudit.AuditResult for _, container := range k8s.GetContainers(resource) { auditResult := auditContainer(container, image.image) if auditResult != nil { auditResults = append(auditResults, auditResult) } } return auditResults, nil } func auditContainer(container *k8s.ContainerV1, image string) *kubeaudit.AuditResult { name, tag := splitImageString(image) containerName, containerTag := splitImageString(container.Image) if isImageTagMissing(containerTag) { return &kubeaudit.AuditResult{ Auditor: Name, Rule: ImageTagMissing, Severity: kubeaudit.Warn, Message: "Image tag is missing.", Metadata: kubeaudit.Metadata{ "Container": container.Name, }, } } if isImageTagIncorrect(name, tag, containerName, containerTag) { return &kubeaudit.AuditResult{ Auditor: Name, Rule: ImageTagIncorrect, Severity: kubeaudit.Error, Message: fmt.Sprintf("Container tag is incorrect. It should be set to '%s'.", tag), Metadata: kubeaudit.Metadata{ "Container": container.Name, }, } } if isImageCorrect(name, tag, containerName, containerTag) { return &kubeaudit.AuditResult{ Auditor: Name, Rule: ImageCorrect, Severity: kubeaudit.Info, Message: "Image tag is correct", Metadata: kubeaudit.Metadata{ "Container": container.Name, }, } } return nil } func isImageTagMissing(tag string) bool { return tag == "" } func isImageTagIncorrect(name, tag, containerName, containerTag string) bool { return containerName == name && containerTag != tag } func isImageCorrect(name, tag, containerName, containerTag string) bool { return containerName == name && containerTag == tag } func splitImageString(image string) (name, tag string) { tokens := strings.Split(image, ":") if len(tokens) > 0 { name = tokens[0] } if len(tokens) > 1 { tag = tokens[1] } return } 07070100000063000081A400000000000000000000000166C635DC00000696000000000000000000000000000000000000002E00000000kubeaudit-0.22.2/auditors/image/image_test.gopackage image import ( "fmt" "strings" "testing" "github.com/Shopify/kubeaudit/internal/test" "github.com/stretchr/testify/assert" ) const fixtureDir = "fixtures" func TestSplitImageString(t *testing.T) { cases := []struct { testName string image string expectedName string expectedTag string }{ {"Correct image and tag", "myimage:mytag", "myimage", "mytag"}, {"No tag", "myimage", "myimage", ""}, {"No image", ":mytag", "", "mytag"}, {"Empty string", "", "", ""}, } for _, tc := range cases { t.Run(tc.testName, func(t *testing.T) { image, tag := splitImageString(tc.image) assert.Equal(t, tc.expectedName, image) assert.Equal(t, tc.expectedTag, tag) }) } } func TestAuditImage(t *testing.T) { cases := []struct { file string image string expectedErrors []string }{ {"image-tag-missing.yml", "scratch:1.6", []string{ImageTagMissing}}, {"image-tag-missing.yml", "", []string{ImageTagMissing}}, {"image-tag-present.yml", "scratch:1.6", []string{ImageTagIncorrect}}, {"image-tag-present.yml", "", []string{}}, {"image-tag-present.yml", "scratch:1.5", []string{ImageCorrect}}, } for i, tc := range cases { // These lines are needed because of how scopes work with parallel tests (see https://gist.github.com/posener/92a55c4cd441fc5e5e85f27bca008721) tc := tc i := i t.Run(tc.file+" "+tc.image, func(t *testing.T) { t.Parallel() test.AuditManifest(t, fixtureDir, tc.file, New(Config{Image: tc.image}), tc.expectedErrors) test.AuditLocal(t, fixtureDir, tc.file, New(Config{Image: tc.image}), fmt.Sprintf("%s%d", strings.Split(tc.file, ".")[0], i), tc.expectedErrors) }) } } 07070100000064000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002100000000kubeaudit-0.22.2/auditors/limits07070100000065000081A400000000000000000000000166C635DC0000036A000000000000000000000000000000000000002B00000000kubeaudit-0.22.2/auditors/limits/config.gopackage limits import ( "fmt" k8sResource "k8s.io/apimachinery/pkg/api/resource" ) type Config struct { CPU string `yaml:"cpu"` Memory string `yaml:"memory"` } func (config *Config) GetCPU() (k8sResource.Quantity, error) { cpuArg := "" if config != nil { cpuArg = config.CPU } if cpuArg != "" { CPU, err := k8sResource.ParseQuantity(cpuArg) if err != nil { return CPU, fmt.Errorf("error parsing max CPU limit: %w", err) } return CPU, nil } return k8sResource.Quantity{}, nil } func (config *Config) GetMemory() (k8sResource.Quantity, error) { memoryArg := "" if config != nil { memoryArg = config.Memory } if memoryArg != "" { memory, err := k8sResource.ParseQuantity(memoryArg) if err != nil { return memory, fmt.Errorf("error parsing max memory limit: %w", err) } return memory, nil } return k8sResource.Quantity{}, nil } 07070100000066000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002A00000000kubeaudit-0.22.2/auditors/limits/fixtures07070100000067000081A400000000000000000000000166C635DC0000006E000000000000000000000000000000000000004200000000kubeaudit-0.22.2/auditors/limits/fixtures/resources-limit-nil.ymlapiVersion: v1 kind: Pod metadata: name: pod spec: containers: - name: container image: scratch 07070100000068000081A400000000000000000000000166C635DC000000A7000000000000000000000000000000000000004500000000kubeaudit-0.22.2/auditors/limits/fixtures/resources-limit-no-cpu.ymlapiVersion: v1 kind: Pod metadata: name: pod spec: containers: - name: container image: scratch resources: limits: memory: 512Mi 07070100000069000081A400000000000000000000000166C635DC000000A2000000000000000000000000000000000000004800000000kubeaudit-0.22.2/auditors/limits/fixtures/resources-limit-no-memory.ymlapiVersion: v1 kind: Pod metadata: name: pod spec: containers: - name: container image: scratch resources: limits: cpu: "1" 0707010000006A000081A400000000000000000000000166C635DC000000F9000000000000000000000000000000000000003E00000000kubeaudit-0.22.2/auditors/limits/fixtures/resources-limit.ymlapiVersion: v1 kind: Pod metadata: name: pod spec: containers: - name: container image: scratch resources: limits: cpu: 750m memory: 512Mi requests: cpu: 500m memory: 256Mi 0707010000006B000081A400000000000000000000000166C635DC0000147E000000000000000000000000000000000000002B00000000kubeaudit-0.22.2/auditors/limits/limits.gopackage limits import ( "fmt" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/pkg/k8s" v1 "k8s.io/api/core/v1" k8sResource "k8s.io/apimachinery/pkg/api/resource" ) const Name = "limits" const ( // LimitsNotSet occurs when there are no cpu and memory limits specified for a container LimitsNotSet = "LimitsNotSet" // LimitsCPUNotSet occurs when there is no cpu limit specified for a container LimitsCPUNotSet = "LimitsCPUNotSet" // LimitsMemoryNotSet occurs when there is no memory limit specified for a container LimitsMemoryNotSet = "LimitsMemoryNotSet" // LimitsCPUExceeded occurs when the CPU limit specified for a container is higher than the specified max CPU limit LimitsCPUExceeded = "LimitsCPUExceeded" // LimitsMemoryExceeded occurs when the memory limit specified for a container is higher than the specified max memory limit LimitsMemoryExceeded = "LimitsMemoryExceeded" ) // Limits implements Auditable type Limits struct { maxCPU k8sResource.Quantity maxMemory k8sResource.Quantity } func New(config Config) (*Limits, error) { maxCPU, err := config.GetCPU() if err != nil { return nil, fmt.Errorf("error creating Limits auditor: %w", err) } maxMemory, err := config.GetMemory() if err != nil { return nil, fmt.Errorf("error creating Limits auditor: %w", err) } return &Limits{ maxCPU: maxCPU, maxMemory: maxMemory, }, nil } // Audit checks that the container cpu and memory limits do not exceed specified limits func (limits *Limits) Audit(resource k8s.Resource, _ []k8s.Resource) ([]*kubeaudit.AuditResult, error) { var auditResults []*kubeaudit.AuditResult for _, container := range k8s.GetContainers(resource) { for _, auditResult := range limits.auditContainer(container) { if auditResult != nil { auditResults = append(auditResults, auditResult) } } } return auditResults, nil } func (limits *Limits) auditContainer(container *k8s.ContainerV1) (auditResults []*kubeaudit.AuditResult) { if isLimitsNil(container) { auditResult := &kubeaudit.AuditResult{ Auditor: Name, Rule: LimitsNotSet, Severity: kubeaudit.Warn, Message: "Resource limits not set.", Metadata: kubeaudit.Metadata{ "Container": container.Name, }, } return []*kubeaudit.AuditResult{auditResult} } containerLimits := getLimits(container) cpu := containerLimits.Cpu().String() memory := containerLimits.Memory().String() if isCPULimitUnset(container) { auditResult := &kubeaudit.AuditResult{ Auditor: Name, Rule: LimitsCPUNotSet, Severity: kubeaudit.Warn, Message: "Resource CPU limit not set.", Metadata: kubeaudit.Metadata{ "Container": container.Name, }, } auditResults = append(auditResults, auditResult) } else if exceedsCPULimit(container, limits) { maxCPU := limits.maxCPU.String() auditResult := &kubeaudit.AuditResult{ Auditor: Name, Rule: LimitsCPUExceeded, Severity: kubeaudit.Warn, Message: fmt.Sprintf("CPU limit exceeded. It is set to '%s' which exceeds the max CPU limit of '%s'.", cpu, maxCPU), Metadata: kubeaudit.Metadata{ "Container": container.Name, "ContainerCpuLimit": cpu, "MaxCPU": maxCPU, }, } auditResults = append(auditResults, auditResult) } if isMemoryLimitUnset(container) { auditResult := &kubeaudit.AuditResult{ Auditor: Name, Rule: LimitsMemoryNotSet, Severity: kubeaudit.Warn, Message: "Resource Memory limit not set.", Metadata: kubeaudit.Metadata{ "Container": container.Name, }, } auditResults = append(auditResults, auditResult) } else if exceedsMemoryLimit(container, limits) { maxMemory := limits.maxMemory.String() auditResult := &kubeaudit.AuditResult{ Auditor: Name, Rule: LimitsMemoryExceeded, Severity: kubeaudit.Warn, Message: fmt.Sprintf("Memory limit exceeded. It is set to '%s' which exceeds the max Memory limit of '%s'.", memory, maxMemory), Metadata: kubeaudit.Metadata{ "Container": container.Name, "ContainerMemoryLimit": memory, "MaxMemory": maxMemory, }, } auditResults = append(auditResults, auditResult) } return } func exceedsCPULimit(container *k8s.ContainerV1, limits *Limits) bool { containerLimits := getLimits(container) cpuLimit := containerLimits.Cpu().MilliValue() maxCPU := limits.maxCPU.MilliValue() return maxCPU > 0 && cpuLimit > maxCPU } func exceedsMemoryLimit(container *k8s.ContainerV1, limits *Limits) bool { containerLimits := getLimits(container) memoryLimit := containerLimits.Memory().Value() maxMemory := limits.maxMemory.Value() return maxMemory > 0 && memoryLimit > maxMemory } func isLimitsNil(container *k8s.ContainerV1) bool { return container.Resources.Limits == nil } func isCPULimitUnset(container *k8s.ContainerV1) bool { limits := getLimits(container) cpu := limits.Cpu() return cpu == nil || cpu.IsZero() } func isMemoryLimitUnset(container *k8s.ContainerV1) bool { limits := getLimits(container) memory := limits.Memory() return memory == nil || memory.IsZero() } func getLimits(container *k8s.ContainerV1) v1.ResourceList { if isLimitsNil(container) { return v1.ResourceList{} } return container.Resources.Limits } 0707010000006C000081A400000000000000000000000166C635DC00000692000000000000000000000000000000000000003000000000kubeaudit-0.22.2/auditors/limits/limits_test.gopackage limits import ( "fmt" "strings" "testing" "github.com/Shopify/kubeaudit/internal/test" "github.com/stretchr/testify/assert" ) const fixtureDir = "fixtures" func TestAuditLimits(t *testing.T) { cases := []struct { file string maxCPU string maxMemory string expectedErrors []string }{ {"resources-limit-nil.yml", "", "", []string{LimitsNotSet}}, {"resources-limit-no-cpu.yml", "", "", []string{LimitsCPUNotSet}}, {"resources-limit-no-memory.yml", "", "", []string{LimitsMemoryNotSet}}, {"resources-limit.yml", "", "", []string{}}, {"resources-limit.yml", "600m", "", []string{LimitsCPUExceeded}}, {"resources-limit.yml", "", "384", []string{LimitsMemoryExceeded}}, {"resources-limit.yml", "600m", "384", []string{LimitsCPUExceeded, LimitsMemoryExceeded}}, {"resources-limit.yml", "750m", "512Mi", []string{}}, } for i, tc := range cases { // These lines are needed because of how scopes work with parallel tests (see https://gist.github.com/posener/92a55c4cd441fc5e5e85f27bca008721) tc := tc i := i t.Run(fmt.Sprintf("%s %s %s", tc.file, tc.maxCPU, tc.maxMemory), func(t *testing.T) { t.Parallel() auditor, err := New(Config{CPU: tc.maxCPU, Memory: tc.maxMemory}) assert.Nil(t, err) test.AuditManifest(t, fixtureDir, tc.file, auditor, tc.expectedErrors) test.AuditLocal(t, fixtureDir, tc.file, auditor, fmt.Sprintf("%s%d", strings.Split(tc.file, ".")[0], i), tc.expectedErrors) }) } t.Run("Bad arguments", func(t *testing.T) { _, err := New(Config{CPU: "badvalue", Memory: ""}) assert.NotNil(t, err) _, err = New(Config{CPU: "", Memory: "badvalue"}) assert.NotNil(t, err) }) } 0707010000006D000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002100000000kubeaudit-0.22.2/auditors/mounts0707010000006E000081A400000000000000000000000166C635DC00000106000000000000000000000000000000000000002B00000000kubeaudit-0.22.2/auditors/mounts/config.gopackage mounts type Config struct { SensitivePaths []string `yaml:"denyPathsList"` } func (config *Config) GetSensitivePaths() []string { if config == nil || len(config.SensitivePaths) == 0 { return DefaultSensitivePaths } return config.SensitivePaths } 0707010000006F000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002A00000000kubeaudit-0.22.2/auditors/mounts/fixtures07070100000070000081A400000000000000000000000166C635DC0000014D000000000000000000000000000000000000004200000000kubeaudit-0.22.2/auditors/mounts/fixtures/docker-sock-mounted.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: docker-sock-mounted spec: containers: - name: container image: scratch volumeMounts: - mountPath: /var/run/docker.sock name: docker-sock-volume volumes: - name: docker-sock-volume hostPath: path: /var/run/docker.sock 07070100000071000081A400000000000000000000000166C635DC00000286000000000000000000000000000000000000006100000000kubeaudit-0.22.2/auditors/mounts/fixtures/proc-mounted-allowed-multi-containers-multi-labels.ymlapiVersion: v1 kind: Pod metadata: name: pod labels: name: pod container.kubeaudit.io/container1.allow-host-path-mount-proc-volume: "SomeReason" container.kubeaudit.io/container2.allow-host-path-mount-proc-volume: "SomeReason" namespace: proc-mounted-allowed-multi-containers-multi-labels spec: containers: - name: container1 image: scratch volumeMounts: - mountPath: /host/proc name: proc-volume - name: container2 image: scratch volumeMounts: - mountPath: /host/proc name: proc-volume volumes: - name: proc-volume hostPath: path: /proc 07070100000072000081A400000000000000000000000166C635DC00000230000000000000000000000000000000000000006100000000kubeaudit-0.22.2/auditors/mounts/fixtures/proc-mounted-allowed-multi-containers-single-label.ymlapiVersion: v1 kind: Pod metadata: name: pod labels: name: pod container.kubeaudit.io/container1.allow-host-path-mount-proc-volume: "SomeReason" namespace: proc-mounted-allowed-multi-containers-single-label spec: containers: - name: container1 image: scratch volumeMounts: - mountPath: /host/proc name: proc-volume - name: container2 image: scratch volumeMounts: - mountPath: /host/proc name: proc-volume volumes: - name: proc-volume hostPath: path: /proc 07070100000073000081A400000000000000000000000166C635DC00000180000000000000000000000000000000000000004300000000kubeaudit-0.22.2/auditors/mounts/fixtures/proc-mounted-allowed.ymlapiVersion: v1 kind: Pod metadata: name: pod labels: name: pod kubeaudit.io/allow-host-path-mount-proc-volume: "SomeReason" namespace: proc-mounted-allowed spec: containers: - name: container image: scratch volumeMounts: - mountPath: /host/proc name: proc-volume volumes: - name: proc-volume hostPath: path: /proc 07070100000074000081A400000000000000000000000166C635DC0000011F000000000000000000000000000000000000003B00000000kubeaudit-0.22.2/auditors/mounts/fixtures/proc-mounted.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: proc-mounted spec: containers: - name: container image: scratch volumeMounts: - mountPath: /host/proc name: proc-volume volumes: - name: proc-volume hostPath: path: /proc 07070100000075000081A400000000000000000000000166C635DC00000E95000000000000000000000000000000000000002B00000000kubeaudit-0.22.2/auditors/mounts/mounts.gopackage mounts import ( "fmt" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/pkg/k8s" "github.com/Shopify/kubeaudit/pkg/override" v1 "k8s.io/api/core/v1" ) const Name = "mounts" const ( // SensitivePathsMounted occurs when a container has sensitive host paths mounted SensitivePathsMounted = "SensitivePathsMounted" ) // DefaultSensitivePaths is the default list of sensitive mount paths (from Falco rule: https://github.com/falcosecurity/falco/blob/master/rules/falco_rules.yaml#L1945) var DefaultSensitivePaths = []string{"/proc", "/var/run/docker.sock", "/", "/etc", "/root", "/var/run/crio/crio.sock", "/run/containerd/containerd.sock", "/home/admin", "/var/lib/kubelet", "/var/lib/kubelet/pki", "/etc/kubernetes", "/etc/kubernetes/manifests"} const overrideLabelPrefix = "allow-host-path-mount-" const ( MountNameMetadataKey = "MountName" MountPathMetadataKey = "MountPath" MountReadOnlyMetadataKey = "MountReadOnly" MountVolumeNameKey = "MountVolume" MountVolumeHostPathKey = "MountVolumeHostPath" ) // SensitivePathMounts implements Auditable type SensitivePathMounts struct { sensitivePaths map[string]bool } func New(config Config) *SensitivePathMounts { paths := make(map[string]bool) for _, path := range config.GetSensitivePaths() { paths[path] = true } return &SensitivePathMounts{ sensitivePaths: paths, } } // Audit checks that the container does not have any sensitive host path func (sensitive *SensitivePathMounts) Audit(resource k8s.Resource, _ []k8s.Resource) ([]*kubeaudit.AuditResult, error) { var auditResults []*kubeaudit.AuditResult spec := k8s.GetPodSpec(resource) if spec == nil { return auditResults, nil } sensitiveVolumes := auditPodVolumes(spec, sensitive.sensitivePaths) if len(sensitiveVolumes) == 0 { return auditResults, nil } for _, container := range k8s.GetContainers(resource) { for _, auditResult := range auditContainer(container, sensitiveVolumes) { auditResult = override.ApplyOverride(auditResult, Name, container.Name, resource, getOverrideLabel(auditResult.Metadata[MountNameMetadataKey])) if auditResult != nil { auditResults = append(auditResults, auditResult) } } } return auditResults, nil } func auditPodVolumes(podSpec *k8s.PodSpecV1, sensitivePaths map[string]bool) map[string]v1.Volume { if podSpec.Volumes == nil { return nil } found := make(map[string]v1.Volume) for _, volume := range podSpec.Volumes { if volume.HostPath == nil { continue } if _, ok := sensitivePaths[volume.HostPath.Path]; ok { found[volume.Name] = volume } } return found } func auditContainer(container *k8s.ContainerV1, sensitiveVolumes map[string]v1.Volume) []*kubeaudit.AuditResult { if container.VolumeMounts == nil { return nil } var auditResults []*kubeaudit.AuditResult for _, mount := range container.VolumeMounts { if volume, ok := sensitiveVolumes[mount.Name]; ok { auditResults = append(auditResults, &kubeaudit.AuditResult{ Auditor: Name, Rule: SensitivePathsMounted, Severity: kubeaudit.Error, Message: fmt.Sprintf("Sensitive path mounted as volume: %s (hostPath: %s). It should be removed from the container's mounts list.", mount.Name, volume.HostPath.Path), Metadata: kubeaudit.Metadata{ "Container": container.Name, MountNameMetadataKey: mount.Name, MountPathMetadataKey: mount.MountPath, MountReadOnlyMetadataKey: fmt.Sprintf("%t", mount.ReadOnly), MountVolumeNameKey: volume.Name, MountVolumeHostPathKey: volume.HostPath.Path, }, }) } } return auditResults } func getOverrideLabel(mountName string) string { return overrideLabelPrefix + mountName } 07070100000076000081A400000000000000000000000166C635DC00000494000000000000000000000000000000000000003000000000kubeaudit-0.22.2/auditors/mounts/mounts_test.gopackage mounts import ( "strings" "testing" "github.com/Shopify/kubeaudit/internal/test" "github.com/Shopify/kubeaudit/pkg/override" ) const fixtureDir = "fixtures" func TestSensitivePathsMounted(t *testing.T) { cases := []struct { file string fixtureDir string expectedErrors []string }{ {"docker-sock-mounted.yml", fixtureDir, []string{SensitivePathsMounted}}, {"proc-mounted.yml", fixtureDir, []string{SensitivePathsMounted}}, {"proc-mounted-allowed.yml", fixtureDir, []string{override.GetOverriddenResultName(SensitivePathsMounted)}}, {"proc-mounted-allowed-multi-containers-multi-labels.yml", fixtureDir, []string{override.GetOverriddenResultName(SensitivePathsMounted)}}, {"proc-mounted-allowed-multi-containers-single-label.yml", fixtureDir, []string{SensitivePathsMounted, override.GetOverriddenResultName(SensitivePathsMounted)}}, } config := Config{} for _, tc := range cases { t.Run(tc.file, func(t *testing.T) { test.AuditManifest(t, tc.fixtureDir, tc.file, New(config), tc.expectedErrors) test.AuditLocal(t, tc.fixtureDir, tc.file, New(config), strings.Split(tc.file, ".")[0], tc.expectedErrors) }) } } 07070100000077000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002200000000kubeaudit-0.22.2/auditors/netpols07070100000078000081A400000000000000000000000166C635DC0000062C000000000000000000000000000000000000002900000000kubeaudit-0.22.2/auditors/netpols/fix.gopackage netpols import ( "fmt" "strings" "github.com/Shopify/kubeaudit/pkg/k8s" ) const DefaultDenyNetworkPolicyName = "default-deny" type fixByAddingNetworkPolicy struct { policyList []string namespace string } func (f *fixByAddingNetworkPolicy) Plan() string { return fmt.Sprintf("Create a new NetworkPolicy resource which denies all %s traffic", strings.Join(f.policyList, " and ")) } func (f *fixByAddingNetworkPolicy) Apply(resource k8s.Resource) []k8s.Resource { return []k8s.Resource{newDefaultDenyNetworkPolicy(f.namespace, f.policyList)} } type fixByAddingPolicyToNetPol struct { networkPolicy *k8s.NetworkPolicyV1 policyType string } func (f *fixByAddingPolicyToNetPol) Plan() string { return fmt.Sprintf("Add the '%s' policy type to the network policy", f.policyType) } func (f *fixByAddingPolicyToNetPol) Apply(resource k8s.Resource) []k8s.Resource { f.networkPolicy.Spec.PolicyTypes = append(f.networkPolicy.Spec.PolicyTypes, k8s.PolicyTypeV1(f.policyType)) return nil } func newDefaultDenyNetworkPolicy(namespace string, policyList []string) k8s.Resource { policies := make([]k8s.PolicyTypeV1, 0, len(policyList)) for _, policy := range policyList { policies = append(policies, k8s.PolicyTypeV1(policy)) } networkPolicy := &k8s.NetworkPolicyV1{ ObjectMeta: k8s.ObjectMetaV1{ Name: DefaultDenyNetworkPolicyName, Namespace: namespace, }, Spec: k8s.NetworkPolicySpecV1{ PolicyTypes: policies, }, } networkPolicy.Kind = "NetworkPolicy" networkPolicy.APIVersion = "networking.k8s.io/v1" return networkPolicy } 07070100000079000081A400000000000000000000000166C635DC000004F7000000000000000000000000000000000000002E00000000kubeaudit-0.22.2/auditors/netpols/fix_test.gopackage netpols import ( "strings" "testing" "github.com/Shopify/kubeaudit/internal/test" "github.com/stretchr/testify/assert" ) func TestFixDefaultDenyNetworkPolicies(t *testing.T) { cases := []struct { file string expectedDenyAllIngress bool expectedDenyAllEgress bool }{ {"namespace-missing-default-deny-netpol.yml", true, true}, {"namespace-missing-default-deny-egress-netpol.yml", true, true}, {"namespace-missing-default-deny-ingress-netpol.yml", true, true}, {"namespace-has-default-deny-netpol.yml", true, true}, {"namespace-has-default-deny-and-allow-all-netpol.yml", true, true}, {"namespace-missing-default-deny-netpol-allowed.yml", false, false}, {"namespace-missing-default-deny-egress-netpol-allowed.yml", true, false}, {"namespace-missing-default-deny-ingress-netpol-allowed.yml", false, true}, } for _, tc := range cases { t.Run(tc.file, func(t *testing.T) { assert := assert.New(t) resources, _ := test.FixSetup(t, fixtureDir, tc.file, New()) networkPolicies := getNetworkPolicies(resources, strings.Split(tc.file, ".")[0]) assert.Equal(tc.expectedDenyAllIngress, hasDenyAllIngress(networkPolicies)) assert.Equal(tc.expectedDenyAllEgress, hasDenyAllEgress(networkPolicies)) }) } } 0707010000007A000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002B00000000kubeaudit-0.22.2/auditors/netpols/fixtures0707010000007B000081A400000000000000000000000166C635DC0000026A000000000000000000000000000000000000006600000000kubeaudit-0.22.2/auditors/netpols/fixtures/namespace-allow-missing-default-deny-ingress-old-label.yml# this is to test backwards compatibility with old unregistered annotations (kubernetes.io) apiVersion: v1 kind: Namespace metadata: name: namespace-allow-missing-default-deny-ingress-old-label labels: audit.kubernetes.io/namespace.allow-non-default-deny-ingress-network-policy: "SomeReason" --- # https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny namespace: namespace-allow-missing-default-deny-ingress-old-label spec: podSelector: {} policyTypes: - Egress 0707010000007C000081A400000000000000000000000166C635DC00000233000000000000000000000000000000000000005F00000000kubeaudit-0.22.2/auditors/netpols/fixtures/namespace-has-default-deny-and-allow-all-netpol.ymlapiVersion: v1 kind: Namespace metadata: name: namespace-has-default-deny-and-allow-all-netpol --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny namespace: namespace-has-default-deny-and-allow-all-netpol spec: podSelector: {} policyTypes: - Ingress - Egress --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-all namespace: namespace-has-default-deny-and-allow-all-netpol spec: podSelector: {} ingress: - {} egress: - {} policyTypes: - Ingress - Egress 0707010000007D000081A400000000000000000000000166C635DC0000011C000000000000000000000000000000000000005100000000kubeaudit-0.22.2/auditors/netpols/fixtures/namespace-has-default-deny-netpol.ymlapiVersion: v1 kind: Namespace metadata: name: namespace-has-default-deny-netpol --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny namespace: namespace-has-default-deny-netpol spec: podSelector: {} policyTypes: - Ingress - Egress 0707010000007E000081A400000000000000000000000166C635DC000001F8000000000000000000000000000000000000006400000000kubeaudit-0.22.2/auditors/netpols/fixtures/namespace-missing-default-deny-egress-netpol-allowed.ymlapiVersion: v1 kind: Namespace metadata: name: namespace-missing-default-deny-egress-netpol-allowed labels: kubeaudit.io/allow-non-default-deny-egress-network-policy: "SomeReason" --- # https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny namespace: namespace-missing-default-deny-egress-netpol-allowed spec: podSelector: {} policyTypes: - Ingress 0707010000007F000081A400000000000000000000000166C635DC00000192000000000000000000000000000000000000005C00000000kubeaudit-0.22.2/auditors/netpols/fixtures/namespace-missing-default-deny-egress-netpol.ymlapiVersion: v1 kind: Namespace metadata: name: namespace-missing-default-deny-egress-netpol --- # https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny namespace: namespace-missing-default-deny-egress-netpol spec: podSelector: {} policyTypes: - Ingress 07070100000080000081A400000000000000000000000166C635DC000001FA000000000000000000000000000000000000006500000000kubeaudit-0.22.2/auditors/netpols/fixtures/namespace-missing-default-deny-ingress-netpol-allowed.ymlapiVersion: v1 kind: Namespace metadata: name: namespace-missing-default-deny-ingress-netpol-allowed labels: kubeaudit.io/allow-non-default-deny-ingress-network-policy: "SomeReason" --- # https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny namespace: namespace-missing-default-deny-ingress-netpol-allowed spec: podSelector: {} policyTypes: - Egress 07070100000081000081A400000000000000000000000166C635DC00000192000000000000000000000000000000000000005D00000000kubeaudit-0.22.2/auditors/netpols/fixtures/namespace-missing-default-deny-ingress-netpol.ymlapiVersion: v1 kind: Namespace metadata: name: namespace-missing-default-deny-ingress-netpol --- # https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-egress-traffic apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny namespace: namespace-missing-default-deny-ingress-netpol spec: podSelector: {} policyTypes: - Egress 07070100000082000081A400000000000000000000000166C635DC00000379000000000000000000000000000000000000005D00000000kubeaudit-0.22.2/auditors/netpols/fixtures/namespace-missing-default-deny-netpol-allowed.ymlapiVersion: v1 kind: Namespace metadata: name: namespace-missing-default-deny-netpol-allowed labels: kubeaudit.io/allow-non-default-deny-egress-network-policy: "SomeReason" kubeaudit.io/allow-non-default-deny-ingress-network-policy: "SomeReason" --- # https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/07-allow-traffic-from-some-pods-in-another-namespace.md kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: web-allow-all-ns-monitoring namespace: namespace-missing-default-deny-netpol-allowed spec: podSelector: matchLabels: app: web ingress: - from: - namespaceSelector: # chooses all pods in namespaces labelled with team=operations matchLabels: team: operations podSelector: # chooses pods with type=monitoring matchLabels: type: monitoring 07070100000083000081A400000000000000000000000166C635DC000002C6000000000000000000000000000000000000005500000000kubeaudit-0.22.2/auditors/netpols/fixtures/namespace-missing-default-deny-netpol.ymlapiVersion: v1 kind: Namespace metadata: name: namespace-missing-default-deny-netpol --- # https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/07-allow-traffic-from-some-pods-in-another-namespace.md kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: web-allow-all-ns-monitoring namespace: namespace-missing-default-deny-netpol spec: podSelector: matchLabels: app: web ingress: - from: - namespaceSelector: # chooses all pods in namespaces labelled with team=operations matchLabels: team: operations podSelector: # chooses pods with type=monitoring matchLabels: type: monitoring 07070100000084000081A400000000000000000000000166C635DC00001EDA000000000000000000000000000000000000002D00000000kubeaudit-0.22.2/auditors/netpols/netpols.gopackage netpols import ( "fmt" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/pkg/k8s" "github.com/Shopify/kubeaudit/pkg/override" ) const Name = "netpols" const ( // MissingDefaultDenyIngressAndEgressNetworkPolicy occurs when there is no default deny network policy for // ingress and egress traffic MissingDefaultDenyIngressAndEgressNetworkPolicy = "MissingDefaultDenyIngressAndEgressNetworkPolicy" // MissingDefaultDenyIngressNetworkPolicy occurs when there is no default deny network policy for // ingress traffic MissingDefaultDenyIngressNetworkPolicy = "MissingDefaultDenyIngressNetworkPolicy" // MissingDefaultDenyEgressNetworkPolicy occurs when there is no default deny network policy for // egress traffic MissingDefaultDenyEgressNetworkPolicy = "MissingDefaultDenyEgressNetworkPolicy" // AllowAllIngressNetworkPolicyExists occurs when there is a network policy which allows all ingress traffic AllowAllIngressNetworkPolicyExists = "AllowAllIngressNetworkPolicyExists" // AllowAllEgressNetworkPolicyExists occurs when there is a network policy which allows all egress traffic AllowAllEgressNetworkPolicyExists = "AllowAllEgressNetworkPolicyExists" ) const ( IngressOverrideLabel = "allow-non-default-deny-ingress-network-policy" EgressOverrideLabel = "allow-non-default-deny-egress-network-policy" Ingress = "Ingress" Egress = "Egress" ) // DefaultDenyNetworkPolicies implements Auditable type DefaultDenyNetworkPolicies struct{} func New() *DefaultDenyNetworkPolicies { return &DefaultDenyNetworkPolicies{} } // Audit checks that each namespace resource has a default deny NetworkPolicy for all ingress and egress traffic func (a *DefaultDenyNetworkPolicies) Audit(resource k8s.Resource, resources []k8s.Resource) ([]*kubeaudit.AuditResult, error) { if !k8s.IsNamespaceV1(resource) { return nil, nil } var auditResults []*kubeaudit.AuditResult auditResults = append(auditResults, auditNetworkPoliciesForAllowAll(resource, resources)...) auditResults = append(auditResults, auditNetworkPoliciesForDenyAll(resource, resources)...) return auditResults, nil } func auditNetworkPoliciesForAllowAll(resource k8s.Resource, resources []k8s.Resource) []*kubeaudit.AuditResult { var auditResults []*kubeaudit.AuditResult namespace := getResourceNamespace(resource) networkPolicies := getNetworkPolicies(resources, namespace) for _, networkPolicy := range networkPolicies { auditResults = append(auditResults, auditNetworkPolicy(networkPolicy)...) } return auditResults } func auditNetworkPolicy(networkPolicy *k8s.NetworkPolicyV1) []*kubeaudit.AuditResult { var auditResults []*kubeaudit.AuditResult if allIngressTrafficAllowed(networkPolicy) { auditResult := &kubeaudit.AuditResult{ Auditor: Name, Rule: AllowAllIngressNetworkPolicyExists, Severity: kubeaudit.Warn, Message: "Found allow all ingress traffic NetworkPolicy.", Metadata: kubeaudit.Metadata{ "PolicyName": networkPolicy.ObjectMeta.Name, }, } auditResults = append(auditResults, auditResult) } if allEgressTrafficAllowed(networkPolicy) { auditResult := &kubeaudit.AuditResult{ Auditor: Name, Rule: AllowAllEgressNetworkPolicyExists, Severity: kubeaudit.Warn, Message: "Found allow all egress traffic NetworkPolicy.", Metadata: kubeaudit.Metadata{ "PolicyName": networkPolicy.ObjectMeta.Name, }, } auditResults = append(auditResults, auditResult) } return auditResults } func auditNetworkPoliciesForDenyAll(resource k8s.Resource, resources []k8s.Resource) []*kubeaudit.AuditResult { var auditResults []*kubeaudit.AuditResult namespace := getResourceNamespace(resource) networkPolicies := getNetworkPolicies(resources, namespace) hasCatchAllNetPol, catchAllNetPol := hasCatchAllNetworkPolicy(networkPolicies) hasDefaultDenyIngress := hasDenyAllIngress(networkPolicies) hasDefaultDenyEgress := hasDenyAllEgress(networkPolicies) if hasCatchAllNetPol { if !hasDefaultDenyIngress { auditResult := &kubeaudit.AuditResult{ Auditor: Name, Rule: MissingDefaultDenyIngressNetworkPolicy, Severity: kubeaudit.Error, Message: fmt.Sprintf("All ingress traffic should be blocked by default for namespace %s.", namespace), Metadata: kubeaudit.Metadata{ "Namespace": namespace, }, PendingFix: &fixByAddingPolicyToNetPol{ networkPolicy: catchAllNetPol, policyType: Ingress, }, } auditResult = override.ApplyOverride(auditResult, Name, "", resource, IngressOverrideLabel) auditResults = append(auditResults, auditResult) } if !hasDefaultDenyEgress { auditResult := &kubeaudit.AuditResult{ Auditor: Name, Rule: MissingDefaultDenyEgressNetworkPolicy, Severity: kubeaudit.Error, Message: fmt.Sprintf("All egress traffic should be blocked by default for namespace %s.", namespace), Metadata: kubeaudit.Metadata{ "Namespace": namespace, }, PendingFix: &fixByAddingPolicyToNetPol{ networkPolicy: catchAllNetPol, policyType: Egress, }, } auditResult = override.ApplyOverride(auditResult, Name, "", resource, EgressOverrideLabel) auditResults = append(auditResults, auditResult) } return auditResults } // We need to manually figure out the overrides because this case involves two override labels hasIngressOverride, ingressOverrideReason := override.GetResourceOverrideReason(resource, IngressOverrideLabel) hasEgressOverride, egressOverrideReason := override.GetResourceOverrideReason(resource, EgressOverrideLabel) if !hasIngressOverride && !hasEgressOverride { auditResult := &kubeaudit.AuditResult{ Auditor: Name, Rule: MissingDefaultDenyIngressAndEgressNetworkPolicy, Severity: kubeaudit.Error, Message: "Namespace is missing a default deny ingress and egress NetworkPolicy.", Metadata: kubeaudit.Metadata{ "Namespace": namespace, }, PendingFix: &fixByAddingNetworkPolicy{ policyList: []string{"Ingress", "Egress"}, namespace: namespace, }, } return []*kubeaudit.AuditResult{auditResult} } if hasIngressOverride && hasEgressOverride { auditResult := &kubeaudit.AuditResult{ Auditor: Name, Rule: override.GetOverriddenResultName(MissingDefaultDenyIngressAndEgressNetworkPolicy), Severity: kubeaudit.Warn, Message: "Namespace is missing a default deny ingress and egress NetworkPolicy.", Metadata: kubeaudit.Metadata{ "Namespace": namespace, "OverrideReason": fmt.Sprintf("Ingress: %s, Egress: %s", ingressOverrideReason, egressOverrideReason), }, } return []*kubeaudit.AuditResult{auditResult} } // At this point there is exactly one override label for either ingress or egress which means one needs to be // fixed and the other is overridden auditResult := &kubeaudit.AuditResult{ Auditor: Name, Rule: MissingDefaultDenyIngressNetworkPolicy, Severity: kubeaudit.Error, Message: "Namespace is missing a default deny ingress NetworkPolicy.", Metadata: kubeaudit.Metadata{ "Namespace": namespace, }, PendingFix: &fixByAddingNetworkPolicy{ policyList: []string{Ingress}, namespace: namespace, }, } auditResult = override.ApplyOverride(auditResult, Name, "", resource, IngressOverrideLabel) auditResults = append(auditResults, auditResult) auditResult = &kubeaudit.AuditResult{ Auditor: Name, Rule: MissingDefaultDenyEgressNetworkPolicy, Severity: kubeaudit.Error, Message: "Namespace is missing a default deny egress NetworkPolicy.", Metadata: kubeaudit.Metadata{ "Namespace": namespace, }, PendingFix: &fixByAddingNetworkPolicy{ policyList: []string{Egress}, namespace: namespace, }, } auditResult = override.ApplyOverride(auditResult, Name, "", resource, EgressOverrideLabel) auditResults = append(auditResults, auditResult) return auditResults } 07070100000085000081A400000000000000000000000166C635DC0000072B000000000000000000000000000000000000003200000000kubeaudit-0.22.2/auditors/netpols/netpols_test.gopackage netpols import ( "strings" "testing" "github.com/Shopify/kubeaudit/internal/test" "github.com/Shopify/kubeaudit/pkg/override" ) const fixtureDir = "fixtures" func TestAuditDefaultDenyNetworkPolicies(t *testing.T) { cases := []struct { file string expectedErrors []string }{ {"namespace-missing-default-deny-netpol.yml", []string{MissingDefaultDenyIngressAndEgressNetworkPolicy}}, {"namespace-missing-default-deny-egress-netpol.yml", []string{MissingDefaultDenyEgressNetworkPolicy}}, {"namespace-missing-default-deny-ingress-netpol.yml", []string{MissingDefaultDenyIngressNetworkPolicy}}, {"namespace-has-default-deny-netpol.yml", nil}, {"namespace-has-default-deny-and-allow-all-netpol.yml", []string{AllowAllIngressNetworkPolicyExists, AllowAllEgressNetworkPolicyExists}}, {"namespace-missing-default-deny-netpol-allowed.yml", []string{override.GetOverriddenResultName(MissingDefaultDenyIngressAndEgressNetworkPolicy)}}, {"namespace-missing-default-deny-egress-netpol-allowed.yml", []string{override.GetOverriddenResultName(MissingDefaultDenyEgressNetworkPolicy)}}, {"namespace-missing-default-deny-ingress-netpol-allowed.yml", []string{override.GetOverriddenResultName(MissingDefaultDenyIngressNetworkPolicy)}}, {"namespace-allow-missing-default-deny-ingress-old-label.yml", []string{override.GetOverriddenResultName(MissingDefaultDenyIngressNetworkPolicy)}}, } for _, tc := range cases { // This line is needed because of how scopes work with parallel tests (see https://gist.github.com/posener/92a55c4cd441fc5e5e85f27bca008721) tc := tc t.Run(tc.file, func(t *testing.T) { t.Parallel() test.AuditManifest(t, fixtureDir, tc.file, New(), tc.expectedErrors) test.AuditLocal(t, fixtureDir, tc.file, New(), strings.Split(tc.file, ".")[0], tc.expectedErrors) }) } } 07070100000086000081A400000000000000000000000166C635DC00000AE4000000000000000000000000000000000000002A00000000kubeaudit-0.22.2/auditors/netpols/util.gopackage netpols import "github.com/Shopify/kubeaudit/pkg/k8s" const AllNamespaces = "" func getNetworkPolicies(resources []k8s.Resource, namespace string) (networkPolicies []*k8s.NetworkPolicyV1) { for _, resource := range resources { networkPolicy, ok := resource.(*k8s.NetworkPolicyV1) if ok && (namespace == AllNamespaces || getResourceNamespace(resource) == namespace) { networkPolicies = append(networkPolicies, networkPolicy) } } return } // isNetworkPolicyType checks if the NetworkPolicy applies to the specified policy type (Ingress or Egress) func isNetworkPolicyType(netPol *k8s.NetworkPolicyV1, netPolType string) bool { for _, polType := range netPol.Spec.PolicyTypes { if string(polType) == netPolType { return true } } return false } func getResourceNamespace(resource k8s.Resource) string { switch kubeType := resource.(type) { case *k8s.NamespaceV1: return kubeType.ObjectMeta.Name case *k8s.NetworkPolicyV1: return kubeType.ObjectMeta.Namespace } return "" } func allIngressTrafficAllowed(networkPolicy *k8s.NetworkPolicyV1) bool { for _, ingress := range networkPolicy.Spec.Ingress { if (len(ingress.From)) == 0 { return true } } return false } func allEgressTrafficAllowed(networkPolicy *k8s.NetworkPolicyV1) bool { for _, egress := range networkPolicy.Spec.Egress { if (len(egress.To)) == 0 { return true } } return false } func hasCatchAllNetworkPolicy(networkPolicies []*k8s.NetworkPolicyV1) (bool, *k8s.NetworkPolicyV1) { for _, networkPolicy := range networkPolicies { if isCatchAllNetworkPolicy(networkPolicy) { return true, networkPolicy } } return false, nil } func isCatchAllNetworkPolicy(networkPolicy *k8s.NetworkPolicyV1) bool { // No PodSelector is set via MatchLabels -> Catch all pods if len(networkPolicy.Spec.PodSelector.MatchLabels) > 0 { return false } // No PodSelector is set via MatchExpressions -> Catch all Pods if len(networkPolicy.Spec.PodSelector.MatchExpressions) > 0 { return false } return true } func hasDenyAllIngress(networkPolicies []*k8s.NetworkPolicyV1) bool { for _, networkPolicy := range networkPolicies { if networkPolicy == nil { continue } if len(networkPolicy.Spec.Ingress) != 0 { continue } if !isNetworkPolicyType(networkPolicy, Ingress) { continue } if isCatchAllNetworkPolicy(networkPolicy) { return true } } return false } func hasDenyAllEgress(networkPolicies []*k8s.NetworkPolicyV1) bool { for _, networkPolicy := range networkPolicies { if networkPolicy == nil { continue } if len(networkPolicy.Spec.Egress) != 0 { continue } if !isNetworkPolicyType(networkPolicy, Egress) { continue } if isCatchAllNetworkPolicy(networkPolicy) { return true } } return false } 07070100000087000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002200000000kubeaudit-0.22.2/auditors/nonroot07070100000088000081A400000000000000000000000166C635DC000002B3000000000000000000000000000000000000002900000000kubeaudit-0.22.2/auditors/nonroot/fix.gopackage nonroot import ( "fmt" "github.com/Shopify/kubeaudit/pkg/k8s" ) type fixRunAsNonRoot struct { container *k8s.ContainerV1 } func (f *fixRunAsNonRoot) Plan() string { return fmt.Sprintf("Set runAsNonRoot to 'true' in container SecurityContext for container %s", f.container.Name) } func (f *fixRunAsNonRoot) Apply(resource k8s.Resource) []k8s.Resource { if f.container.SecurityContext == nil { f.container.SecurityContext = &k8s.SecurityContextV1{} } if f.container.SecurityContext.RunAsUser != nil && *f.container.SecurityContext.RunAsUser == 0 { f.container.SecurityContext.RunAsUser = nil } f.container.SecurityContext.RunAsNonRoot = k8s.NewTrue() return nil } 07070100000089000081A400000000000000000000000166C635DC00000F14000000000000000000000000000000000000002E00000000kubeaudit-0.22.2/auditors/nonroot/fix_test.gopackage nonroot import ( "testing" "github.com/Shopify/kubeaudit/internal/test" "github.com/Shopify/kubeaudit/pkg/k8s" "github.com/stretchr/testify/assert" ) func TestFixRunAsNonRoot(t *testing.T) { cases := []struct { file string fixtureDir string expectedValue *bool }{ {"run-as-non-root-nil.yml", fixtureDir, k8s.NewTrue()}, {"run-as-non-root-false.yml", fixtureDir, k8s.NewTrue()}, {"run-as-non-root-false-allowed.yml", fixtureDir, k8s.NewFalse()}, {"run-as-non-root-redundant-override-container.yml", fixtureDir, k8s.NewTrue()}, {"run-as-non-root-redundant-override-pod.yml", fixtureDir, nil}, {"run-as-non-root-psc-false.yml", fixtureDir, k8s.NewTrue()}, {"run-as-non-root-psc-true-csc-false.yml", fixtureDir, k8s.NewTrue()}, {"run-as-non-root-psc-false-csc-false.yml", fixtureDir, k8s.NewTrue()}, {"run-as-non-root-psc-false-allowed.yml", fixtureDir, nil}, {"run-as-non-root-psc-false-csc-true.yml", fixtureDir, k8s.NewTrue()}, {"run-as-non-root-psc-false-csc-nil-multiple-cont.yml", fixtureDir, k8s.NewTrue()}, {"run-as-non-root-psc-false-csc-true-multiple-cont.yml", fixtureDir, k8s.NewTrue()}, {"run-as-non-root-psc-false-allowed-multi-containers-single-label.yml", fixtureDir, k8s.NewTrue()}, {"run-as-user-0.yml", fixtureDir, k8s.NewTrue()}, {"run-as-user-0-allowed.yml", fixtureDir, nil}, {"run-as-user-psc-0.yml", fixtureDir, k8s.NewTrue()}, {"run-as-user-psc-0-allowed.yml", fixtureDir, nil}, {"run-as-user-psc-1.yml", fixtureDir, nil}, {"run-as-user-psc-1-csc-0.yml", fixtureDir, k8s.NewTrue()}, {"run-as-user-psc-0-csc-0.yml", fixtureDir, k8s.NewTrue()}, {"run-as-user-psc-0-csc-1.yml", fixtureDir, nil}, {"run-as-user-redundant-override-container.yml", fixtureDir, nil}, {"run-as-user-redundant-override-pod.yml", fixtureDir, nil}, {"run-as-user-psc-0-csc-1-multiple-cont.yml", fixtureDir, nil}, {"run-as-user-psc-0-allowed-multi-containers-multi-labels.yml", fixtureDir, nil}, {"run-as-user-psc-0-allowed-multi-containers-single-label.yml", fixtureDir, nil}, {"run-as-user-0-run-as-non-root-true.yml", fixtureDir, k8s.NewTrue()}, {"run-as-user-0-run-as-non-root-false.yml", fixtureDir, k8s.NewTrue()}, {"run-as-user-psc-0-run-as-non-root-psc-true.yml", fixtureDir, k8s.NewTrue()}, {"run-as-user-psc-0-run-as-non-root-psc-false.yml", fixtureDir, k8s.NewTrue()}, {"run-as-user-1-run-as-non-root-true.yml", fixtureDir, k8s.NewTrue()}, {"run-as-user-1-run-as-non-root-false.yml", fixtureDir, k8s.NewFalse()}, {"run-as-user-psc-1-run-as-non-root-psc-true.yml", fixtureDir, nil}, {"run-as-user-psc-1-run-as-non-root-psc-false.yml", fixtureDir, nil}, } for _, tc := range cases { t.Run(tc.file, func(t *testing.T) { resources, _ := test.FixSetup(t, tc.fixtureDir, tc.file, New()) for _, resource := range resources { containers := k8s.GetContainers(resource) for _, container := range containers { if tc.expectedValue == nil { assert.True(t, (container.SecurityContext == nil || container.SecurityContext.RunAsNonRoot == nil)) } else { assert.Equal(t, *tc.expectedValue, *container.SecurityContext.RunAsNonRoot) } } } }) } files := []string{ "run-as-non-root-psc-false-allowed-multi-containers-multi-labels.yml", "run-as-user-psc-0-csc-nil-multiple-cont.yml", } for _, file := range files { t.Run(file, func(t *testing.T) { resources, _ := test.FixSetup(t, fixtureDir, file, New()) for _, resource := range resources { containers := k8s.GetContainers(resource) for _, container := range containers { switch container.Name { case "container1": assert.True(t, (container.SecurityContext == nil || container.SecurityContext.RunAsNonRoot == nil)) case "container2": assert.True(t, *container.SecurityContext.RunAsNonRoot) } } } }) } } 0707010000008A000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002B00000000kubeaudit-0.22.2/auditors/nonroot/fixtures0707010000008B000081A400000000000000000000000166C635DC000001BA000000000000000000000000000000000000004D00000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-non-root-false-allowed.yml--- apiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: run-as-non-root-false-allowed spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded" spec: containers: - name: container image: scratch securityContext: runAsNonRoot: false 0707010000008C000081A400000000000000000000000166C635DC0000016A000000000000000000000000000000000000004500000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-non-root-false.ymlapiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: run-as-non-root-false spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment spec: containers: - name: container image: scratch securityContext: runAsNonRoot: false 0707010000008D000081A400000000000000000000000166C635DC0000012D000000000000000000000000000000000000004300000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-non-root-nil.ymlapiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: run-as-non-root-nil spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment spec: containers: - name: container image: scratch 0707010000008E000081A400000000000000000000000166C635DC00000207000000000000000000000000000000000000006F00000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-non-root-psc-false-allowed-multi-containers-multi-labels.ymlapiVersion: v1 kind: Pod metadata: name: pod labels: name: pod container.kubeaudit.io/container1.allow-run-as-root: "SuperuserPrivilegesNeeded" container.kubeaudit.io/container2.allow-run-as-root: "SuperuserPrivilegesNeeded" namespace: run-as-non-root-psc-false-allowed-multi-containers-multi-labels spec: securityContext: runAsNonRoot: false containers: - name: container1 image: scratch - name: container2 image: scratch securityContext: runAsNonRoot: true 0707010000008F000081A400000000000000000000000166C635DC000001E5000000000000000000000000000000000000006F00000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-non-root-psc-false-allowed-multi-containers-single-label.ymlapiVersion: v1 kind: Pod metadata: name: pod labels: name: pod container.kubeaudit.io/container1.allow-run-as-root: "SuperuserPrivilegesNeeded" namespace: run-as-non-root-psc-false-allowed-multi-containers-single-label spec: securityContext: runAsNonRoot: false containers: - name: container1 image: scratch securityContext: runAsNonRoot: true - name: container2 image: scratch securityContext: runAsNonRoot: false 07070100000090000081A400000000000000000000000166C635DC00000120000000000000000000000000000000000000005100000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-non-root-psc-false-allowed.ymlapiVersion: v1 kind: Pod metadata: name: pod labels: name: pod kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded" namespace: run-as-non-root-psc-false-allowed spec: securityContext: runAsNonRoot: false containers: - name: container image: scratch 07070100000091000081A400000000000000000000000166C635DC000000FD000000000000000000000000000000000000005300000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-non-root-psc-false-csc-false.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: run-as-non-root-psc-false-csc-false spec: securityContext: runAsNonRoot: false containers: - name: container image: scratch securityContext: runAsNonRoot: false 07070100000092000081A400000000000000000000000166C635DC00000135000000000000000000000000000000000000005F00000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-non-root-psc-false-csc-nil-multiple-cont.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: run-as-non-root-psc-false-csc-nil-multiple-cont spec: securityContext: runAsNonRoot: false containers: - name: container1 image: scratch securityContext: runAsNonRoot: true - name: container2 image: scratch 07070100000093000081A400000000000000000000000166C635DC00000168000000000000000000000000000000000000006000000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-non-root-psc-false-csc-true-multiple-cont.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: run-as-non-root-psc-false-csc-true-multiple-cont spec: securityContext: runAsNonRoot: false containers: - name: container1 image: scratch securityContext: runAsNonRoot: true - name: container2 image: scratch securityContext: runAsNonRoot: true 07070100000094000081A400000000000000000000000166C635DC000000FB000000000000000000000000000000000000005200000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-non-root-psc-false-csc-true.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: run-as-non-root-psc-false-csc-true spec: securityContext: runAsNonRoot: false containers: - name: container image: scratch securityContext: runAsNonRoot: true 07070100000095000081A400000000000000000000000166C635DC000000D8000000000000000000000000000000000000004900000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-non-root-psc-false.ymlapiVersion: v1 kind: Pod metadata: name: pod labels: name: pod namespace: run-as-non-root-psc-false spec: securityContext: runAsNonRoot: false containers: - name: container image: scratch 07070100000096000081A400000000000000000000000166C635DC000000FB000000000000000000000000000000000000005200000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-non-root-psc-true-csc-false.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: run-as-non-root-psc-true-csc-false spec: securityContext: runAsNonRoot: true containers: - name: container image: scratch securityContext: runAsNonRoot: false 07070100000097000081A400000000000000000000000166C635DC000000D6000000000000000000000000000000000000004800000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-non-root-psc-true.ymlapiVersion: v1 kind: Pod metadata: name: pod labels: name: pod namespace: run-as-non-root-psc-true spec: securityContext: runAsNonRoot: true containers: - name: container image: scratch 07070100000098000081A400000000000000000000000166C635DC000001C4000000000000000000000000000000000000005C00000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-non-root-redundant-override-container.ymlapiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: run-as-non-root-redundant-override-container spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded" spec: containers: - name: container image: scratch securityContext: runAsNonRoot: true 07070100000099000081A400000000000000000000000166C635DC00000124000000000000000000000000000000000000005600000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-non-root-redundant-override-pod.ymlapiVersion: v1 kind: Pod metadata: name: pod labels: name: pod kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded" namespace: run-as-non-root-redundant-override-pod spec: securityContext: runAsNonRoot: true containers: - name: container image: scratch 0707010000009A000081A400000000000000000000000166C635DC000001AB000000000000000000000000000000000000004500000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-user-0-allowed.yml--- apiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: run-as-user-0-allowed spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded" spec: containers: - name: container image: scratch securityContext: runAsUser: 0 0707010000009B000081A400000000000000000000000166C635DC00000191000000000000000000000000000000000000005300000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-user-0-run-as-non-root-false.ymlapiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: run-as-user-0-run-as-non-root-false spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment spec: containers: - name: container image: scratch securityContext: runAsUser: 0 runAsNonRoot: false 0707010000009C000081A400000000000000000000000166C635DC0000018F000000000000000000000000000000000000005200000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-user-0-run-as-non-root-true.ymlapiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: run-as-user-0-run-as-non-root-true spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment spec: containers: - name: container image: scratch securityContext: runAsUser: 0 runAsNonRoot: true 0707010000009D000081A400000000000000000000000166C635DC0000015B000000000000000000000000000000000000003D00000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-user-0.ymlapiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: run-as-user-0 spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment spec: containers: - name: container image: scratch securityContext: runAsUser: 0 0707010000009E000081A400000000000000000000000166C635DC00000191000000000000000000000000000000000000005300000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-user-1-run-as-non-root-false.ymlapiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: run-as-user-1-run-as-non-root-false spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment spec: containers: - name: container image: scratch securityContext: runAsUser: 1 runAsNonRoot: false 0707010000009F000081A400000000000000000000000166C635DC0000018F000000000000000000000000000000000000005200000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-user-1-run-as-non-root-true.ymlapiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: run-as-user-1-run-as-non-root-true spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment spec: containers: - name: container image: scratch securityContext: runAsUser: 1 runAsNonRoot: true 070701000000A0000081A400000000000000000000000166C635DC000001F2000000000000000000000000000000000000006700000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-user-psc-0-allowed-multi-containers-multi-labels.ymlapiVersion: v1 kind: Pod metadata: name: pod labels: name: pod container.kubeaudit.io/container1.allow-run-as-root: "SuperuserPrivilegesNeeded" container.kubeaudit.io/container2.allow-run-as-root: "SuperuserPrivilegesNeeded" namespace: run-as-user-psc-0-allowed-multi-containers-multi-labels spec: securityContext: runAsUser: 0 containers: - name: container1 image: scratch - name: container2 image: scratch securityContext: runAsUser: 1 070701000000A1000081A400000000000000000000000166C635DC000001C9000000000000000000000000000000000000006700000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-user-psc-0-allowed-multi-containers-single-label.ymlapiVersion: v1 kind: Pod metadata: name: pod labels: name: pod container.kubeaudit.io/container2.allow-run-as-root: "SuperuserPrivilegesNeeded" namespace: run-as-user-psc-0-allowed-multi-containers-single-label spec: securityContext: runAsUser: 0 containers: - name: container1 image: scratch securityContext: runAsUser: 1 - name: container2 image: scratch securityContext: runAsUser: 0 070701000000A2000081A400000000000000000000000166C635DC00000111000000000000000000000000000000000000004900000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-user-psc-0-allowed.ymlapiVersion: v1 kind: Pod metadata: name: pod labels: name: pod kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded" namespace: run-as-user-psc-0-allowed spec: securityContext: runAsUser: 0 containers: - name: container image: scratch 070701000000A3000081A400000000000000000000000166C635DC000000E3000000000000000000000000000000000000004700000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-user-psc-0-csc-0.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: run-as-user-psc-0-csc-0 spec: securityContext: runAsUser: 0 containers: - name: container image: scratch securityContext: runAsUser: 0 070701000000A4000081A400000000000000000000000166C635DC0000014A000000000000000000000000000000000000005500000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-user-psc-0-csc-1-multiple-cont.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: run-as-user-psc-0-csc-1-multiple-cont spec: securityContext: runAsUser: 0 containers: - name: container1 image: scratch securityContext: runAsUser: 1 - name: container2 image: scratch securityContext: runAsUser: 1 070701000000A5000081A400000000000000000000000166C635DC000000E3000000000000000000000000000000000000004700000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-user-psc-0-csc-1.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: run-as-user-psc-0-csc-1 spec: securityContext: runAsUser: 0 containers: - name: container image: scratch securityContext: runAsUser: 1 070701000000A6000081A400000000000000000000000166C635DC00000120000000000000000000000000000000000000005700000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-user-psc-0-csc-nil-multiple-cont.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: run-as-user-psc-0-csc-nil-multiple-cont spec: securityContext: runAsUser: 0 containers: - name: container1 image: scratch securityContext: runAsUser: 1 - name: container2 image: scratch 070701000000A7000081A400000000000000000000000166C635DC000000FB000000000000000000000000000000000000005B00000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-user-psc-0-run-as-non-root-psc-false.ymlapiVersion: v1 kind: Pod metadata: name: pod labels: name: pod namespace: run-as-user-psc-0-run-as-non-root-psc-false spec: securityContext: runAsUser: 0 runAsNonRoot: false containers: - name: container image: scratch 070701000000A8000081A400000000000000000000000166C635DC000000F9000000000000000000000000000000000000005A00000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-user-psc-0-run-as-non-root-psc-true.ymlapiVersion: v1 kind: Pod metadata: name: pod labels: name: pod namespace: run-as-user-psc-0-run-as-non-root-psc-true spec: securityContext: runAsUser: 0 runAsNonRoot: true containers: - name: container image: scratch 070701000000A9000081A400000000000000000000000166C635DC000000C9000000000000000000000000000000000000004100000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-user-psc-0.ymlapiVersion: v1 kind: Pod metadata: name: pod labels: name: pod namespace: run-as-user-psc-0 spec: securityContext: runAsUser: 0 containers: - name: container image: scratch 070701000000AA000081A400000000000000000000000166C635DC000000E3000000000000000000000000000000000000004700000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-user-psc-1-csc-0.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: run-as-user-psc-1-csc-0 spec: securityContext: runAsUser: 1 containers: - name: container image: scratch securityContext: runAsUser: 0 070701000000AB000081A400000000000000000000000166C635DC000000FB000000000000000000000000000000000000005B00000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-user-psc-1-run-as-non-root-psc-false.ymlapiVersion: v1 kind: Pod metadata: name: pod labels: name: pod namespace: run-as-user-psc-1-run-as-non-root-psc-false spec: securityContext: runAsUser: 1 runAsNonRoot: false containers: - name: container image: scratch 070701000000AC000081A400000000000000000000000166C635DC000000F9000000000000000000000000000000000000005A00000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-user-psc-1-run-as-non-root-psc-true.ymlapiVersion: v1 kind: Pod metadata: name: pod labels: name: pod namespace: run-as-user-psc-1-run-as-non-root-psc-true spec: securityContext: runAsUser: 1 runAsNonRoot: true containers: - name: container image: scratch 070701000000AD000081A400000000000000000000000166C635DC000000C9000000000000000000000000000000000000004100000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-user-psc-1.ymlapiVersion: v1 kind: Pod metadata: name: pod labels: name: pod namespace: run-as-user-psc-1 spec: securityContext: runAsUser: 1 containers: - name: container image: scratch 070701000000AE000081A400000000000000000000000166C635DC000001BA000000000000000000000000000000000000005800000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-user-redundant-override-container.ymlapiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: run-as-user-redundant-override-container spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded" spec: containers: - name: container image: scratch securityContext: runAsUser: 1 070701000000AF000081A400000000000000000000000166C635DC0000011A000000000000000000000000000000000000005200000000kubeaudit-0.22.2/auditors/nonroot/fixtures/run-as-user-redundant-override-pod.ymlapiVersion: v1 kind: Pod metadata: name: pod labels: name: pod kubeaudit.io/allow-run-as-root: "SuperuserPrivilegesNeeded" namespace: run-as-user-redundant-override-pod spec: securityContext: runAsUser: 1 containers: - name: container image: scratch 070701000000B0000081A400000000000000000000000166C635DC00001830000000000000000000000000000000000000002D00000000kubeaudit-0.22.2/auditors/nonroot/nonroot.gopackage nonroot import ( "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/pkg/k8s" "github.com/Shopify/kubeaudit/pkg/override" ) const Name = "nonroot" const ( // RunAsUserCSCRoot occurs when runAsUser is set to 0 in the container SecurityContext RunAsUserCSCRoot = "RunAsUserCSCRoot" // RunAsUserPSCRoot occurs when runAsUser is set to 0 in the pod SecurityContext RunAsUserPSCRoot = "RunAsUserPSCRoot" // RunAsNonRootCSCFalse occurs when runAsNonRoot is set to false in the container SecurityContext RunAsNonRootCSCFalse = "RunAsNonRootCSCFalse" // RunAsNonRootPSCNilCSCNil occurs when runAsNonRoot is not set in the container SecurityContext nor the pod // security context. runAsNonRoot defaults to false so this is bad RunAsNonRootPSCNilCSCNil = "RunAsNonRootPSCNilCSCNil" // RunAsNonRootPSCFalseCSCNil occurs when runAsNonRoot is not set in the container SecurityContext and is set to // false in the PodSecurityContext RunAsNonRootPSCFalseCSCNil = "RunAsNonRootPSCFalseCSCNil" ) const OverrideLabel = "allow-run-as-root" // RunAsNonRoot implements Auditable type RunAsNonRoot struct{} func New() *RunAsNonRoot { return &RunAsNonRoot{} } // Audit checks that runAsNonRoot is set to true in every container's security context func (a *RunAsNonRoot) Audit(resource k8s.Resource, _ []k8s.Resource) ([]*kubeaudit.AuditResult, error) { var auditResults []*kubeaudit.AuditResult for _, container := range k8s.GetContainers(resource) { auditResult := auditContainer(container, resource) auditResult = override.ApplyOverride(auditResult, Name, container.Name, resource, OverrideLabel) if auditResult != nil { auditResults = append(auditResults, auditResult) } } return auditResults, nil } func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudit.AuditResult { podSpec := k8s.GetPodSpec(resource) if podSpec == nil { return nil } if !isContainerRunAsUserNil(container) { if *container.SecurityContext.RunAsUser == 0 { return &kubeaudit.AuditResult{ Auditor: Name, Rule: RunAsUserCSCRoot, Severity: kubeaudit.Error, Message: "runAsUser is set to UID 0 (root user) in the container SecurityContext. Either set it to a value > 0 or remove it and set runAsNonRoot to true.", PendingFix: &fixRunAsNonRoot{ container: container, }, Metadata: kubeaudit.Metadata{ "Container": container.Name, }, } } if !isPodRunAsUserNil(podSpec) { if *podSpec.SecurityContext.RunAsUser == 0 { return &kubeaudit.AuditResult{ Auditor: Name, Rule: RunAsUserPSCRoot, Severity: kubeaudit.Warn, Message: "runAsUser is set to UID 0 (root user) in the PodSecurityContext. Either set it to a value > 0 or remove it and set runAsNonRoot to true.", Metadata: kubeaudit.Metadata{ "Container": container.Name, }, } } } return nil } if !isPodRunAsUserNil(podSpec) { if *podSpec.SecurityContext.RunAsUser == 0 { return &kubeaudit.AuditResult{ Auditor: Name, Rule: RunAsUserPSCRoot, Severity: kubeaudit.Error, Message: "runAsUser is set to UID 0 (root user) in the PodSecurityContext. Either set it to a value > 0 or remove it and set runAsNonRoot to true.", PendingFix: &fixRunAsNonRoot{ container: container, }, Metadata: kubeaudit.Metadata{ "Container": container.Name, }, } } return nil } if isContainerRunAsNonRootCSCFalse(container) { return &kubeaudit.AuditResult{ Auditor: Name, Rule: RunAsNonRootCSCFalse, Severity: kubeaudit.Error, Message: "runAsNonRoot is set to false in the container SecurityContext. Either set it to true or set runAsUser to a value > 0.", PendingFix: &fixRunAsNonRoot{ container: container, }, Metadata: kubeaudit.Metadata{ "Container": container.Name, }, } } if isContainerRunAsNonRootNil(container) { if isPodRunAsNonRootNil(podSpec) { return &kubeaudit.AuditResult{ Auditor: Name, Rule: RunAsNonRootPSCNilCSCNil, Severity: kubeaudit.Error, Message: "runAsNonRoot should be set to true or runAsUser should be set to a value > 0 either in the container SecurityContext or PodSecurityContext.", PendingFix: &fixRunAsNonRoot{ container: container, }, Metadata: kubeaudit.Metadata{ "Container": container.Name, }, } } if isPodRunAsNonRootFalse(podSpec) { return &kubeaudit.AuditResult{ Auditor: Name, Rule: RunAsNonRootPSCFalseCSCNil, Severity: kubeaudit.Error, Message: "runAsNonRoot is set to false in the PodSecurityContext. Either set it to true or set runAsUser to a value > 0.", PendingFix: &fixRunAsNonRoot{ container: container, }, Metadata: kubeaudit.Metadata{ "Container": container.Name, }, } } } return nil } // returns true if runAsNonRoot is explicitly set to false in the pod's security context. Returns true if the // security context is nil even though the default value for runAsNonRoot is false func isPodRunAsNonRootFalse(podSpec *k8s.PodSpecV1) bool { if isPodRunAsNonRootNil(podSpec) { return false } return !*podSpec.SecurityContext.RunAsNonRoot } func isPodRunAsNonRootNil(podSpec *k8s.PodSpecV1) bool { return podSpec.SecurityContext == nil || podSpec.SecurityContext.RunAsNonRoot == nil } // returns true if runAsNonRoot is explicitly set to false in the container's security context. Returns true if the // security context is nil even though the default value for runAsNonRoot is false func isContainerRunAsNonRootCSCFalse(container *k8s.ContainerV1) bool { if isContainerRunAsNonRootNil(container) { return false } return !*container.SecurityContext.RunAsNonRoot } func isContainerRunAsNonRootNil(container *k8s.ContainerV1) bool { return container.SecurityContext == nil || container.SecurityContext.RunAsNonRoot == nil } func isContainerRunAsUserNil(container *k8s.ContainerV1) bool { return container.SecurityContext == nil || container.SecurityContext.RunAsUser == nil } func isPodRunAsUserNil(podSpec *k8s.PodSpecV1) bool { return podSpec.SecurityContext == nil || podSpec.SecurityContext.RunAsUser == nil } 070701000000B1000081A400000000000000000000000166C635DC0000110B000000000000000000000000000000000000003200000000kubeaudit-0.22.2/auditors/nonroot/nonroot_test.gopackage nonroot import ( "strings" "testing" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/internal/test" "github.com/Shopify/kubeaudit/pkg/override" ) const fixtureDir = "fixtures" func TestAuditRunAsNonRoot(t *testing.T) { cases := []struct { file string fixtureDir string expectedErrors []string }{ {"run-as-non-root-nil.yml", fixtureDir, []string{RunAsNonRootPSCNilCSCNil}}, {"run-as-non-root-false.yml", fixtureDir, []string{RunAsNonRootCSCFalse}}, {"run-as-non-root-false-allowed.yml", fixtureDir, []string{override.GetOverriddenResultName(RunAsNonRootCSCFalse)}}, {"run-as-non-root-redundant-override-container.yml", fixtureDir, []string{kubeaudit.RedundantAuditorOverride}}, {"run-as-non-root-redundant-override-pod.yml", fixtureDir, []string{kubeaudit.RedundantAuditorOverride}}, {"run-as-non-root-psc-false.yml", fixtureDir, []string{RunAsNonRootPSCFalseCSCNil}}, {"run-as-non-root-psc-true.yml", fixtureDir, []string{}}, {"run-as-non-root-psc-true-csc-false.yml", fixtureDir, []string{RunAsNonRootCSCFalse}}, {"run-as-non-root-psc-false-csc-false.yml", fixtureDir, []string{RunAsNonRootCSCFalse}}, {"run-as-non-root-psc-false-allowed.yml", fixtureDir, []string{override.GetOverriddenResultName(RunAsNonRootPSCFalseCSCNil)}}, {"run-as-non-root-psc-false-csc-true.yml", fixtureDir, []string{}}, {"run-as-non-root-psc-false-csc-nil-multiple-cont.yml", fixtureDir, []string{RunAsNonRootPSCFalseCSCNil}}, {"run-as-non-root-psc-false-csc-true-multiple-cont.yml", fixtureDir, []string{}}, {"run-as-non-root-psc-false-allowed-multi-containers-multi-labels.yml", fixtureDir, []string{ override.GetOverriddenResultName(RunAsNonRootPSCFalseCSCNil), kubeaudit.RedundantAuditorOverride, }}, {"run-as-non-root-psc-false-allowed-multi-containers-single-label.yml", fixtureDir, []string{ kubeaudit.RedundantAuditorOverride, RunAsNonRootCSCFalse, }}, {"run-as-user-0.yml", fixtureDir, []string{RunAsUserCSCRoot}}, {"run-as-user-0-allowed.yml", fixtureDir, []string{override.GetOverriddenResultName(RunAsUserCSCRoot)}}, {"run-as-user-psc-0.yml", fixtureDir, []string{RunAsUserPSCRoot}}, {"run-as-user-psc-0-allowed.yml", fixtureDir, []string{override.GetOverriddenResultName(RunAsUserPSCRoot)}}, {"run-as-user-psc-1.yml", fixtureDir, []string{}}, {"run-as-user-psc-1-csc-0.yml", fixtureDir, []string{RunAsUserCSCRoot}}, {"run-as-user-psc-0-csc-0.yml", fixtureDir, []string{RunAsUserCSCRoot}}, {"run-as-user-psc-0-csc-1.yml", fixtureDir, []string{RunAsUserPSCRoot}}, {"run-as-user-redundant-override-container.yml", fixtureDir, []string{kubeaudit.RedundantAuditorOverride}}, {"run-as-user-redundant-override-pod.yml", fixtureDir, []string{kubeaudit.RedundantAuditorOverride}}, {"run-as-user-psc-0-csc-nil-multiple-cont.yml", fixtureDir, []string{RunAsUserPSCRoot}}, {"run-as-user-psc-0-csc-1-multiple-cont.yml", fixtureDir, []string{RunAsUserPSCRoot}}, {"run-as-user-psc-0-allowed-multi-containers-multi-labels.yml", fixtureDir, []string{ override.GetOverriddenResultName(RunAsUserPSCRoot), }}, {"run-as-user-psc-0-allowed-multi-containers-single-label.yml", fixtureDir, []string{ override.GetOverriddenResultName(RunAsUserCSCRoot), RunAsUserPSCRoot, }}, {"run-as-user-0-run-as-non-root-true.yml", fixtureDir, []string{RunAsUserCSCRoot}}, {"run-as-user-0-run-as-non-root-false.yml", fixtureDir, []string{RunAsUserCSCRoot}}, {"run-as-user-psc-0-run-as-non-root-psc-true.yml", fixtureDir, []string{RunAsUserPSCRoot}}, {"run-as-user-psc-0-run-as-non-root-psc-false.yml", fixtureDir, []string{RunAsUserPSCRoot}}, {"run-as-user-1-run-as-non-root-true.yml", fixtureDir, []string{}}, {"run-as-user-1-run-as-non-root-false.yml", fixtureDir, []string{}}, {"run-as-user-psc-1-run-as-non-root-psc-true.yml", fixtureDir, []string{}}, {"run-as-user-psc-1-run-as-non-root-psc-false.yml", fixtureDir, []string{}}, } for _, tc := range cases { // This line is needed because of how scopes work with parallel tests (see https://gist.github.com/posener/92a55c4cd441fc5e5e85f27bca008721) tc := tc t.Run(tc.file, func(t *testing.T) { t.Parallel() test.AuditManifest(t, tc.fixtureDir, tc.file, New(), tc.expectedErrors) test.AuditLocal(t, tc.fixtureDir, tc.file, New(), strings.Split(tc.file, ".")[0], tc.expectedErrors) }) } } 070701000000B2000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002200000000kubeaudit-0.22.2/auditors/privesc070701000000B3000081A400000000000000000000000166C635DC0000028A000000000000000000000000000000000000002900000000kubeaudit-0.22.2/auditors/privesc/fix.gopackage privesc import ( "fmt" "github.com/Shopify/kubeaudit/pkg/k8s" ) type fixBySettingAllowPrivilegeEscalationFalse struct { container *k8s.ContainerV1 } func (f *fixBySettingAllowPrivilegeEscalationFalse) Plan() string { return fmt.Sprintf("Set AllowPrivilegeEscalation to 'false' in the container SecurityContext for container %s", f.container.Name) } func (f *fixBySettingAllowPrivilegeEscalationFalse) Apply(resource k8s.Resource) []k8s.Resource { if f.container.SecurityContext == nil { f.container.SecurityContext = &k8s.SecurityContextV1{} } f.container.SecurityContext.AllowPrivilegeEscalation = k8s.NewFalse() return nil } 070701000000B4000081A400000000000000000000000166C635DC0000067F000000000000000000000000000000000000002E00000000kubeaudit-0.22.2/auditors/privesc/fix_test.gopackage privesc import ( "testing" "github.com/Shopify/kubeaudit/internal/test" "github.com/Shopify/kubeaudit/pkg/k8s" "github.com/stretchr/testify/assert" ) func TestFixPrivilegeEscalation(t *testing.T) { cases := []struct { file string fixtureDir string expectedValue bool }{ {"allow-privilege-escalation-nil.yml", fixtureDir, false}, {"allow-privilege-escalation-redundant-override.yml", fixtureDir, false}, {"allow-privilege-escalation-true-allowed.yml", fixtureDir, true}, {"allow-privilege-escalation-true-multi-allowed-multi-containers.yml", fixtureDir, true}, {"allow-privilege-escalation-true.yml", fixtureDir, false}, } for _, tc := range cases { t.Run(tc.file, func(t *testing.T) { resources, _ := test.FixSetup(t, tc.fixtureDir, tc.file, New()) for _, resource := range resources { containers := k8s.GetContainers(resource) for _, container := range containers { assert.Equal(t, tc.expectedValue, *container.SecurityContext.AllowPrivilegeEscalation) } } }) } file := "allow-privilege-escalation-true-single-allowed-multi-containers.yml" t.Run(file, func(t *testing.T) { resources, _ := test.FixSetup(t, fixtureDir, file, New()) for _, resource := range resources { containers := k8s.GetContainers(resource) for _, container := range containers { switch container.Name { case "container1": assert.False(t, *container.SecurityContext.AllowPrivilegeEscalation) case "container2": assert.True(t, *container.SecurityContext.AllowPrivilegeEscalation) default: assert.Failf(t, "unexpected container name", container.Name) } } } }) } 070701000000B5000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002B00000000kubeaudit-0.22.2/auditors/privesc/fixtures070701000000B6000081A400000000000000000000000166C635DC00000157000000000000000000000000000000000000004E00000000kubeaudit-0.22.2/auditors/privesc/fixtures/allow-privilege-escalation-nil.ymlapiVersion: apps/v1 kind: StatefulSet metadata: name: statefulset namespace: allow-privilege-escalation-nil spec: serviceName: statefulset selector: matchLabels: name: statefulset template: metadata: labels: name: statefulset spec: containers: - name: container image: scratch 070701000000B7000081A400000000000000000000000166C635DC000001FA000000000000000000000000000000000000005D00000000kubeaudit-0.22.2/auditors/privesc/fixtures/allow-privilege-escalation-redundant-override.ymlapiVersion: apps/v1 kind: StatefulSet metadata: name: statefulset namespace: allow-privilege-escalation-redundant-override spec: serviceName: statefulset selector: matchLabels: name: statefulset template: metadata: labels: name: statefulset kubeaudit.io/allow-privilege-escalation: "SuperuserPrivilegesNeeded" spec: containers: - name: container image: scratch securityContext: allowPrivilegeEscalation: false 070701000000B8000081A400000000000000000000000166C635DC000001DA000000000000000000000000000000000000005700000000kubeaudit-0.22.2/auditors/privesc/fixtures/allow-privilege-escalation-true-allowed.ymlapiVersion: apps/v1 kind: StatefulSet metadata: name: statefulset namespace: allow-privilege-escalation-true-allowed spec: serviceName: statefulset selector: matchLabels: name: statefulset template: metadata: labels: name: statefulset kubeaudit.io/allow-privilege-escalation: "" spec: containers: - name: container image: scratch securityContext: allowPrivilegeEscalation: true 070701000000B9000081A400000000000000000000000166C635DC000002FC000000000000000000000000000000000000006E00000000kubeaudit-0.22.2/auditors/privesc/fixtures/allow-privilege-escalation-true-multi-allowed-multi-containers.ymlapiVersion: apps/v1 kind: StatefulSet metadata: name: statefulset namespace: allow-privilege-escalation-true-multi-allowed-multi-containers spec: serviceName: statefulset selector: matchLabels: name: statefulset template: metadata: labels: name: statefulset container.kubeaudit.io/container1.allow-privilege-escalation: "SuperuserPrivilegesNeeded" container.kubeaudit.io/container2.allow-privilege-escalation: "SuperuserPrivilegesNeeded" spec: containers: - name: container1 image: scratch securityContext: allowPrivilegeEscalation: true - name: container2 image: scratch securityContext: allowPrivilegeEscalation: true 070701000000BA000081A400000000000000000000000166C635DC00000269000000000000000000000000000000000000006F00000000kubeaudit-0.22.2/auditors/privesc/fixtures/allow-privilege-escalation-true-single-allowed-multi-containers.ymlapiVersion: apps/v1 kind: StatefulSet metadata: name: statefulset namespace: allow-privilege-escalation-true-single-allowed-multi-containers spec: serviceName: statefulset selector: matchLabels: name: statefulset template: metadata: labels: name: statefulset container.kubeaudit.io/container2.allow-privilege-escalation: "SuperuserPrivilegesNeeded" spec: containers: - name: container1 securityContext: allowPrivilegeEscalation: true - name: container2 securityContext: allowPrivilegeEscalation: true 070701000000BB000081A400000000000000000000000166C635DC0000019E000000000000000000000000000000000000004F00000000kubeaudit-0.22.2/auditors/privesc/fixtures/allow-privilege-escalation-true.ymlapiVersion: apps/v1 kind: StatefulSet metadata: name: statefulset namespace: allow-privilege-escalation-true spec: serviceName: statefulset selector: matchLabels: name: statefulset template: metadata: labels: name: statefulset spec: containers: - name: container image: scratch securityContext: allowPrivilegeEscalation: true 070701000000BC000081A400000000000000000000000166C635DC00000A83000000000000000000000000000000000000002D00000000kubeaudit-0.22.2/auditors/privesc/privesc.gopackage privesc import ( "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/pkg/k8s" "github.com/Shopify/kubeaudit/pkg/override" ) const Name = "privesc" const ( // AllowPrivilegeEscalationNil occurs when the AllowPrivilegeEscalation field is missing or unset in the // container SecurityContext AllowPrivilegeEscalationNil = "AllowPrivilegeEscalationNil" // AllowPrivilegeEscalationTrue occurs when the AllowPrivilegeEscalation field is set to true in the container // security context AllowPrivilegeEscalationTrue = "AllowPrivilegeEscalationTrue" ) const OverrideLabel = "allow-privilege-escalation" // AllowPrivilegeEscalation implements Auditable type AllowPrivilegeEscalation struct{} func New() *AllowPrivilegeEscalation { return &AllowPrivilegeEscalation{} } // Audit checks that AllowPrivilegeEscalation is disabled (set to false) in the container SecurityContext func (a *AllowPrivilegeEscalation) Audit(resource k8s.Resource, _ []k8s.Resource) ([]*kubeaudit.AuditResult, error) { var auditResults []*kubeaudit.AuditResult for _, container := range k8s.GetContainers(resource) { auditResult := auditContainer(container) auditResult = override.ApplyOverride(auditResult, Name, container.Name, resource, OverrideLabel) if auditResult != nil { auditResults = append(auditResults, auditResult) } } return auditResults, nil } func auditContainer(container *k8s.ContainerV1) *kubeaudit.AuditResult { if isAllowPrivilegeEscalationNil(container) { return &kubeaudit.AuditResult{ Auditor: Name, Rule: AllowPrivilegeEscalationNil, Severity: kubeaudit.Error, Message: "allowPrivilegeEscalation not set which allows privilege escalation. It should be set to 'false'.", PendingFix: &fixBySettingAllowPrivilegeEscalationFalse{ container: container, }, Metadata: kubeaudit.Metadata{ "Container": container.Name, }, } } if isAllowPrivilegeEscalationTrue(container) { return &kubeaudit.AuditResult{ Auditor: Name, Rule: AllowPrivilegeEscalationTrue, Severity: kubeaudit.Error, Message: "allowPrivilegeEscalation set to 'true'. It should be set to 'false'.", PendingFix: &fixBySettingAllowPrivilegeEscalationFalse{ container: container, }, Metadata: kubeaudit.Metadata{ "Container": container.Name, }, } } return nil } func isAllowPrivilegeEscalationNil(container *k8s.ContainerV1) bool { return container.SecurityContext == nil || container.SecurityContext.AllowPrivilegeEscalation == nil } func isAllowPrivilegeEscalationTrue(container *k8s.ContainerV1) bool { return container.SecurityContext != nil && *container.SecurityContext.AllowPrivilegeEscalation } 070701000000BD000081A400000000000000000000000166C635DC00000627000000000000000000000000000000000000003200000000kubeaudit-0.22.2/auditors/privesc/privesc_test.gopackage privesc import ( "strings" "testing" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/internal/test" "github.com/Shopify/kubeaudit/pkg/override" ) const fixtureDir = "fixtures" func TestAuditPrivilegeEscalation(t *testing.T) { cases := []struct { file string fixtureDir string expectedErrors []string }{ {"allow-privilege-escalation-nil.yml", fixtureDir, []string{AllowPrivilegeEscalationNil}}, {"allow-privilege-escalation-redundant-override.yml", fixtureDir, []string{kubeaudit.RedundantAuditorOverride}}, {"allow-privilege-escalation-true-allowed.yml", fixtureDir, []string{override.GetOverriddenResultName(AllowPrivilegeEscalationTrue)}}, {"allow-privilege-escalation-true-multi-allowed-multi-containers.yml", fixtureDir, []string{override.GetOverriddenResultName(AllowPrivilegeEscalationTrue)}}, {"allow-privilege-escalation-true-single-allowed-multi-containers.yml", fixtureDir, []string{AllowPrivilegeEscalationTrue, override.GetOverriddenResultName(AllowPrivilegeEscalationTrue)}}, {"allow-privilege-escalation-true.yml", fixtureDir, []string{AllowPrivilegeEscalationTrue}}, } for _, tc := range cases { // This line is needed because of how scopes work with parallel tests (see https://gist.github.com/posener/92a55c4cd441fc5e5e85f27bca008721) tc := tc t.Run(tc.file, func(t *testing.T) { t.Parallel() test.AuditManifest(t, tc.fixtureDir, tc.file, New(), tc.expectedErrors) test.AuditLocal(t, tc.fixtureDir, tc.file, New(), strings.Split(tc.file, ".")[0], tc.expectedErrors) }) } } 070701000000BE000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002500000000kubeaudit-0.22.2/auditors/privileged070701000000BF000081A400000000000000000000000166C635DC00000219000000000000000000000000000000000000002C00000000kubeaudit-0.22.2/auditors/privileged/fix.gopackage privileged import ( "fmt" "github.com/Shopify/kubeaudit/pkg/k8s" ) type fixPrivileged struct { container *k8s.ContainerV1 } func (f *fixPrivileged) Plan() string { return fmt.Sprintf("Set privileged to 'false' in container SecurityContext for container %s", f.container.Name) } func (f *fixPrivileged) Apply(resource k8s.Resource) []k8s.Resource { if f.container.SecurityContext == nil { f.container.SecurityContext = &k8s.SecurityContextV1{} } f.container.SecurityContext.Privileged = k8s.NewFalse() return nil } 070701000000C0000081A400000000000000000000000166C635DC000005FC000000000000000000000000000000000000003100000000kubeaudit-0.22.2/auditors/privileged/fix_test.gopackage privileged import ( "testing" "github.com/Shopify/kubeaudit/internal/test" "github.com/Shopify/kubeaudit/pkg/k8s" "github.com/stretchr/testify/assert" ) func TestFixPrivileged(t *testing.T) { cases := []struct { file string fixtureDir string expectedValue bool }{ {"privileged-nil.yml", fixtureDir, false}, {"privileged-true.yml", fixtureDir, false}, {"privileged-true-allowed.yml", fixtureDir, true}, {"privileged-redundant-override.yml", fixtureDir, false}, {"privileged-true-allowed-multi-containers-multi-labels.yml", fixtureDir, true}, } for _, tc := range cases { t.Run(tc.file, func(t *testing.T) { resources, _ := test.FixSetup(t, tc.fixtureDir, tc.file, New()) for _, resource := range resources { containers := k8s.GetContainers(resource) for _, container := range containers { assert.Equal(t, tc.expectedValue, *container.SecurityContext.Privileged) } } }) } file := "privileged-true-allowed-multi-containers-single-label.yml" t.Run(file, func(t *testing.T) { resources, _ := test.FixSetup(t, fixtureDir, file, New()) for _, resource := range resources { containers := k8s.GetContainers(resource) for _, container := range containers { switch container.Name { case "container1": assert.False(t, *container.SecurityContext.Privileged) case "container2": assert.True(t, *container.SecurityContext.Privileged) default: assert.Failf(t, "unexpected container name", container.Name) } } } }) } 070701000000C1000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002E00000000kubeaudit-0.22.2/auditors/privileged/fixtures070701000000C2000081A400000000000000000000000166C635DC00000124000000000000000000000000000000000000004100000000kubeaudit-0.22.2/auditors/privileged/fixtures/privileged-nil.ymlapiVersion: apps/v1 kind: DaemonSet metadata: name: daemonset namespace: privileged-nil spec: selector: matchLabels: name: daemonset template: metadata: labels: name: daemonset spec: containers: - name: container image: scratch 070701000000C3000081A400000000000000000000000166C635DC000001A0000000000000000000000000000000000000005000000000kubeaudit-0.22.2/auditors/privileged/fixtures/privileged-redundant-override.ymlapiVersion: apps/v1 kind: DaemonSet metadata: name: daemonset namespace: privileged-redundant-override spec: selector: matchLabels: name: daemonset template: metadata: labels: name: daemonset kubeaudit.io/allow-privileged: "SomeReason" spec: containers: - name: container image: scratch securityContext: privileged: false 070701000000C4000081A400000000000000000000000166C635DC00000286000000000000000000000000000000000000006800000000kubeaudit-0.22.2/auditors/privileged/fixtures/privileged-true-allowed-multi-containers-multi-labels.yml--- apiVersion: apps/v1 kind: DaemonSet metadata: name: daemonset namespace: privileged-true-allowed-multi-containers-multi-labels spec: selector: matchLabels: name: daemonset template: metadata: labels: name: daemonset container.kubeaudit.io/container1.allow-privileged: "SomeReason" container.kubeaudit.io/container2.allow-privileged: "SomeReason" spec: containers: - name: container1 image: scratch securityContext: privileged: true - name: container2 image: scratch securityContext: privileged: true 070701000000C5000081A400000000000000000000000166C635DC0000023D000000000000000000000000000000000000006800000000kubeaudit-0.22.2/auditors/privileged/fixtures/privileged-true-allowed-multi-containers-single-label.yml--- apiVersion: apps/v1 kind: DaemonSet metadata: name: daemonset namespace: privileged-true-allowed-multi-containers-single-label spec: selector: matchLabels: name: daemonset template: metadata: labels: name: daemonset container.kubeaudit.io/container2.allow-privileged: "SomeReason" spec: containers: - name: container1 image: scratch securityContext: privileged: true - name: container2 image: scratch securityContext: privileged: true 070701000000C6000081A400000000000000000000000166C635DC0000019D000000000000000000000000000000000000004A00000000kubeaudit-0.22.2/auditors/privileged/fixtures/privileged-true-allowed.yml--- apiVersion: apps/v1 kind: DaemonSet metadata: name: daemonset namespace: privileged-true-allowed spec: selector: matchLabels: name: daemonset template: metadata: labels: name: daemonset kubeaudit.io/allow-privileged: "SomeReason" spec: containers: - name: container image: scratch securityContext: privileged: true 070701000000C7000081A400000000000000000000000166C635DC0000015D000000000000000000000000000000000000004200000000kubeaudit-0.22.2/auditors/privileged/fixtures/privileged-true.ymlapiVersion: apps/v1 kind: DaemonSet metadata: name: daemonset namespace: privileged-true spec: selector: matchLabels: name: daemonset template: metadata: labels: name: daemonset spec: containers: - name: container image: scratch securityContext: privileged: true 070701000000C8000081A400000000000000000000000166C635DC00000977000000000000000000000000000000000000003300000000kubeaudit-0.22.2/auditors/privileged/privileged.gopackage privileged import ( "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/pkg/k8s" "github.com/Shopify/kubeaudit/pkg/override" ) const Name = "privileged" const ( // PrivilegedTrue occurs when privileged is set to true in the container SecurityContext PrivilegedTrue = "PrivilegedTrue" // PrivilegedNil occurs when privileged is not set in the container SecurityContext. // Privileged defaults to false so this is ok PrivilegedNil = "PrivilegedNil" ) const OverrideLabel = "allow-privileged" // Privileged implements Auditable type Privileged struct{} func New() *Privileged { return &Privileged{} } // Audit checks that privileged is set to false in every container's security context func (a *Privileged) Audit(resource k8s.Resource, _ []k8s.Resource) ([]*kubeaudit.AuditResult, error) { var auditResults []*kubeaudit.AuditResult for _, container := range k8s.GetContainers(resource) { auditResult := auditContainer(container, resource) auditResult = override.ApplyOverride(auditResult, Name, container.Name, resource, OverrideLabel) if auditResult != nil { auditResults = append(auditResults, auditResult) } } return auditResults, nil } func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudit.AuditResult { if isPrivilegedNil(container) { return &kubeaudit.AuditResult{ Auditor: Name, Rule: PrivilegedNil, Severity: kubeaudit.Warn, Message: "privileged is not set in container SecurityContext. Privileged defaults to 'false' but it should be explicitly set to 'false'.", PendingFix: &fixPrivileged{ container: container, }, Metadata: kubeaudit.Metadata{ "Container": container.Name, }, } } if isPrivilegedTrue(container) { return &kubeaudit.AuditResult{ Auditor: Name, Rule: PrivilegedTrue, Severity: kubeaudit.Error, Message: "privileged is set to 'true' in container SecurityContext. It should be set to 'false'.", PendingFix: &fixPrivileged{ container: container, }, Metadata: kubeaudit.Metadata{ "Container": container.Name, }, } } return nil } func isPrivilegedTrue(container *k8s.ContainerV1) bool { if isPrivilegedNil(container) { return false } return *container.SecurityContext.Privileged } func isPrivilegedNil(container *k8s.ContainerV1) bool { return container.SecurityContext == nil || container.SecurityContext.Privileged == nil } 070701000000C9000081A400000000000000000000000166C635DC00000585000000000000000000000000000000000000003800000000kubeaudit-0.22.2/auditors/privileged/privileged_test.gopackage privileged import ( "strings" "testing" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/internal/test" "github.com/Shopify/kubeaudit/pkg/override" ) const fixtureDir = "fixtures" func TestAuditPrivileged(t *testing.T) { cases := []struct { file string fixtureDir string expectedErrors []string }{ {"privileged-nil.yml", fixtureDir, []string{PrivilegedNil}}, {"privileged-true.yml", fixtureDir, []string{PrivilegedTrue}}, {"privileged-true-allowed.yml", fixtureDir, []string{override.GetOverriddenResultName(PrivilegedTrue)}}, {"privileged-redundant-override.yml", fixtureDir, []string{kubeaudit.RedundantAuditorOverride}}, {"privileged-true-allowed-multi-containers-multi-labels.yml", fixtureDir, []string{override.GetOverriddenResultName(PrivilegedTrue)}}, {"privileged-true-allowed-multi-containers-single-label.yml", fixtureDir, []string{ PrivilegedTrue, override.GetOverriddenResultName(PrivilegedTrue)}, }, } for _, tc := range cases { // This line is needed because of how scopes work with parallel tests (see https://gist.github.com/posener/92a55c4cd441fc5e5e85f27bca008721) tc := tc t.Run(tc.file, func(t *testing.T) { t.Parallel() test.AuditManifest(t, tc.fixtureDir, tc.file, New(), tc.expectedErrors) test.AuditLocal(t, tc.fixtureDir, tc.file, New(), strings.Split(tc.file, ".")[0], tc.expectedErrors) }) } } 070701000000CA000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002100000000kubeaudit-0.22.2/auditors/rootfs070701000000CB000081A400000000000000000000000166C635DC0000024F000000000000000000000000000000000000002800000000kubeaudit-0.22.2/auditors/rootfs/fix.gopackage rootfs import ( "fmt" "github.com/Shopify/kubeaudit/pkg/k8s" ) type fixReadOnlyRootFilesystem struct { container *k8s.ContainerV1 } func (f *fixReadOnlyRootFilesystem) Plan() string { return fmt.Sprintf("Set readOnlyRootFilesystem to 'true' in container SecurityContext for container %s", f.container.Name) } func (f *fixReadOnlyRootFilesystem) Apply(resource k8s.Resource) []k8s.Resource { if f.container.SecurityContext == nil { f.container.SecurityContext = &k8s.SecurityContextV1{} } f.container.SecurityContext.ReadOnlyRootFilesystem = k8s.NewTrue() return nil } 070701000000CC000081A400000000000000000000000166C635DC00000663000000000000000000000000000000000000002D00000000kubeaudit-0.22.2/auditors/rootfs/fix_test.gopackage rootfs import ( "testing" "github.com/Shopify/kubeaudit/internal/test" "github.com/Shopify/kubeaudit/pkg/k8s" "github.com/stretchr/testify/assert" ) func TestFixReadOnlyRootFilesystem(t *testing.T) { cases := []struct { file string fixtureDir string expectedValue bool }{ {"read-only-root-filesystem-nil.yml", fixtureDir, true}, {"read-only-root-filesystem-false.yml", fixtureDir, true}, {"read-only-root-filesystem-false-allowed.yml", fixtureDir, false}, {"read-only-root-filesystem-redundant-override.yml", fixtureDir, true}, {"read-only-root-filesystem-false-allowed-multi-labels.yml", fixtureDir, false}, } for _, tc := range cases { t.Run(tc.file, func(t *testing.T) { resources, _ := test.FixSetup(t, tc.fixtureDir, tc.file, New()) for _, resource := range resources { containers := k8s.GetContainers(resource) for _, container := range containers { assert.Equal(t, tc.expectedValue, *container.SecurityContext.ReadOnlyRootFilesystem) } } }) } file := "read-only-root-filesystem-false-allowed-single-label.yml" t.Run(file, func(t *testing.T) { resources, _ := test.FixSetup(t, fixtureDir, file, New()) for _, resource := range resources { containers := k8s.GetContainers(resource) for _, container := range containers { switch container.Name { case "container1": assert.False(t, *container.SecurityContext.ReadOnlyRootFilesystem) case "container2": assert.True(t, *container.SecurityContext.ReadOnlyRootFilesystem) default: assert.Failf(t, "unexpected container name", container.Name) } } } }) } 070701000000CD000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002A00000000kubeaudit-0.22.2/auditors/rootfs/fixtures070701000000CE000081A400000000000000000000000166C635DC000002EC000000000000000000000000000000000000006300000000kubeaudit-0.22.2/auditors/rootfs/fixtures/read-only-root-filesystem-false-allowed-multi-labels.yml--- apiVersion: apps/v1 kind: StatefulSet metadata: name: statefulset namespace: read-only-root-filesystem-false-allowed-multi-labels spec: serviceName: statefulset selector: matchLabels: name: statefulset template: metadata: labels: name: statefulset container.kubeaudit.io/container1.allow-read-only-root-filesystem-false: "SomeReason" container.kubeaudit.io/container2.allow-read-only-root-filesystem-false: "SomeReason" spec: containers: - name: container1 image: scratch securityContext: readOnlyRootFilesystem: false - name: container2 image: scratch securityContext: readOnlyRootFilesystem: false 070701000000CF000081A400000000000000000000000166C635DC0000028E000000000000000000000000000000000000006300000000kubeaudit-0.22.2/auditors/rootfs/fixtures/read-only-root-filesystem-false-allowed-single-label.yml--- apiVersion: apps/v1 kind: StatefulSet metadata: name: statefulset namespace: read-only-root-filesystem-false-allowed-single-label spec: serviceName: statefulset selector: matchLabels: name: statefulset template: metadata: labels: name: statefulset container.kubeaudit.io/container1.allow-read-only-root-filesystem-false: "SomeReason" spec: containers: - name: container1 image: scratch securityContext: readOnlyRootFilesystem: false - name: container2 image: scratch securityContext: readOnlyRootFilesystem: false 070701000000D0000081A400000000000000000000000166C635DC000001F2000000000000000000000000000000000000005600000000kubeaudit-0.22.2/auditors/rootfs/fixtures/read-only-root-filesystem-false-allowed.yml--- apiVersion: apps/v1 kind: StatefulSet metadata: name: statefulset namespace: read-only-root-filesystem-false-allowed spec: serviceName: statefulset selector: matchLabels: name: statefulset template: metadata: labels: name: statefulset kubeaudit.io/allow-read-only-root-filesystem-false: "SomeReason" spec: containers: - name: container image: scratch securityContext: readOnlyRootFilesystem: false 070701000000D1000081A400000000000000000000000166C635DC0000019D000000000000000000000000000000000000004E00000000kubeaudit-0.22.2/auditors/rootfs/fixtures/read-only-root-filesystem-false.ymlapiVersion: apps/v1 kind: StatefulSet metadata: name: statefulset namespace: read-only-root-filesystem-false spec: serviceName: statefulset selector: matchLabels: name: statefulset template: metadata: labels: name: statefulset spec: containers: - name: container image: scratch securityContext: readOnlyRootFilesystem: false 070701000000D2000081A400000000000000000000000166C635DC00000156000000000000000000000000000000000000004C00000000kubeaudit-0.22.2/auditors/rootfs/fixtures/read-only-root-filesystem-nil.ymlapiVersion: apps/v1 kind: StatefulSet metadata: name: statefulset namespace: read-only-root-filesystem-nil spec: serviceName: statefulset selector: matchLabels: name: statefulset template: metadata: labels: name: statefulset spec: containers: - name: container image: scratch 070701000000D3000081A400000000000000000000000166C635DC000001F6000000000000000000000000000000000000005B00000000kubeaudit-0.22.2/auditors/rootfs/fixtures/read-only-root-filesystem-redundant-override.yml--- apiVersion: apps/v1 kind: StatefulSet metadata: name: statefulset namespace: read-only-root-filesystem-redundant-override spec: serviceName: statefulset selector: matchLabels: name: statefulset template: metadata: labels: name: statefulset kubeaudit.io/allow-read-only-root-filesystem-false: "SomeReason" spec: containers: - name: container image: scratch securityContext: readOnlyRootFilesystem: true 070701000000D4000081A400000000000000000000000166C635DC00000AAD000000000000000000000000000000000000002B00000000kubeaudit-0.22.2/auditors/rootfs/rootfs.gopackage rootfs import ( "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/pkg/k8s" "github.com/Shopify/kubeaudit/pkg/override" ) const Name = "rootfs" const ( // ReadOnlyRootFilesystemFalse occurs when readOnlyRootFilesystem is set to false in the container SecurityContext ReadOnlyRootFilesystemFalse = "ReadOnlyRootFilesystemFalse" // ReadOnlyRootFilesystemNil occurs when readOnlyRootFilesystem is not set in the container SecurityContext. // readOnlyRootFilesystem defaults to false so this is bad ReadOnlyRootFilesystemNil = "ReadOnlyRootFilesystemNil" ) const OverrideLabel = "allow-read-only-root-filesystem-false" // ReadOnlyRootFilesystem implements Auditable type ReadOnlyRootFilesystem struct{} func New() *ReadOnlyRootFilesystem { return &ReadOnlyRootFilesystem{} } // Audit checks that readOnlyRootFilesystem is set to true in every container's security context func (a *ReadOnlyRootFilesystem) Audit(resource k8s.Resource, _ []k8s.Resource) ([]*kubeaudit.AuditResult, error) { var auditResults []*kubeaudit.AuditResult for _, container := range k8s.GetContainers(resource) { auditResult := auditContainer(container, resource) auditResult = override.ApplyOverride(auditResult, Name, container.Name, resource, OverrideLabel) if auditResult != nil { auditResults = append(auditResults, auditResult) } } return auditResults, nil } func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudit.AuditResult { if isReadOnlyRootFilesystemNil(container) { return &kubeaudit.AuditResult{ Auditor: Name, Rule: ReadOnlyRootFilesystemNil, Severity: kubeaudit.Error, Message: "readOnlyRootFilesystem is not set in container SecurityContext. It should be set to 'true'.", PendingFix: &fixReadOnlyRootFilesystem{ container: container, }, Metadata: kubeaudit.Metadata{ "Container": container.Name, }, } } if isReadOnlyRootFilesystemFalse(container) { return &kubeaudit.AuditResult{ Auditor: Name, Rule: ReadOnlyRootFilesystemFalse, Severity: kubeaudit.Error, Message: "readOnlyRootFilesystem is set to 'false' in container SecurityContext. It should be set to 'true'.", PendingFix: &fixReadOnlyRootFilesystem{ container: container, }, Metadata: kubeaudit.Metadata{ "Container": container.Name, }, } } return nil } func isReadOnlyRootFilesystemFalse(container *k8s.ContainerV1) bool { if isReadOnlyRootFilesystemNil(container) { return true } return !*container.SecurityContext.ReadOnlyRootFilesystem } func isReadOnlyRootFilesystemNil(container *k8s.ContainerV1) bool { return container.SecurityContext == nil || container.SecurityContext.ReadOnlyRootFilesystem == nil } 070701000000D5000081A400000000000000000000000166C635DC00000613000000000000000000000000000000000000003000000000kubeaudit-0.22.2/auditors/rootfs/rootfs_test.gopackage rootfs import ( "strings" "testing" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/internal/test" "github.com/Shopify/kubeaudit/pkg/override" ) const fixtureDir = "fixtures" func TestAuditReadOnlyRootFilesystem(t *testing.T) { cases := []struct { file string fixtureDir string expectedErrors []string }{ {"read-only-root-filesystem-nil.yml", fixtureDir, []string{ReadOnlyRootFilesystemNil}}, {"read-only-root-filesystem-false.yml", fixtureDir, []string{ReadOnlyRootFilesystemFalse}}, {"read-only-root-filesystem-false-allowed.yml", fixtureDir, []string{override.GetOverriddenResultName(ReadOnlyRootFilesystemFalse)}}, {"read-only-root-filesystem-redundant-override.yml", fixtureDir, []string{kubeaudit.RedundantAuditorOverride}}, {"read-only-root-filesystem-false-allowed-multi-labels.yml", fixtureDir, []string{override.GetOverriddenResultName(ReadOnlyRootFilesystemFalse)}}, {"read-only-root-filesystem-false-allowed-single-label.yml", fixtureDir, []string{ override.GetOverriddenResultName(ReadOnlyRootFilesystemFalse), ReadOnlyRootFilesystemFalse, }}, } for _, tc := range cases { // This line is needed because of how scopes work with parallel tests (see https://gist.github.com/posener/92a55c4cd441fc5e5e85f27bca008721) tc := tc t.Run(tc.file, func(t *testing.T) { t.Parallel() test.AuditManifest(t, tc.fixtureDir, tc.file, New(), tc.expectedErrors) test.AuditLocal(t, tc.fixtureDir, tc.file, New(), strings.Split(tc.file, ".")[0], tc.expectedErrors) }) } } 070701000000D6000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002200000000kubeaudit-0.22.2/auditors/seccomp070701000000D7000081A400000000000000000000000166C635DC00000745000000000000000000000000000000000000002900000000kubeaudit-0.22.2/auditors/seccomp/fix.gopackage seccomp import ( "fmt" "github.com/Shopify/kubeaudit/pkg/k8s" apiv1 "k8s.io/api/core/v1" ) type BySettingSeccompProfile struct { seccompProfileType apiv1.SeccompProfileType } func (pending *BySettingSeccompProfile) Plan() string { return fmt.Sprintf("Set SeccompProfile type to '%s' in pod SecurityContext", pending.seccompProfileType) } func (pending *BySettingSeccompProfile) Apply(resource k8s.Resource) []k8s.Resource { podSpec := k8s.GetPodSpec(resource) if podSpec.SecurityContext == nil { podSpec.SecurityContext = &apiv1.PodSecurityContext{} } podSpec.SecurityContext.SeccompProfile = &apiv1.SeccompProfile{Type: pending.seccompProfileType} return nil } type BySettingSeccompProfileInContainer struct { container *k8s.ContainerV1 seccompProfileType apiv1.SeccompProfileType } func (pending *BySettingSeccompProfileInContainer) Plan() string { return fmt.Sprintf("Set SeccompProfile type to '%s' in SecurityContext for container `%s`", pending.seccompProfileType, pending.container.Name) } func (pending *BySettingSeccompProfileInContainer) Apply(resource k8s.Resource) []k8s.Resource { if pending.container.SecurityContext == nil { pending.container.SecurityContext = &apiv1.SecurityContext{} } pending.container.SecurityContext.SeccompProfile = &apiv1.SeccompProfile{Type: pending.seccompProfileType} return nil } type ByRemovingSeccompProfileInContainer struct { container *k8s.ContainerV1 } func (pending *ByRemovingSeccompProfileInContainer) Plan() string { return fmt.Sprintf("Remove SeccompProfile in SecurityContext for container `%s`", pending.container.Name) } func (pending *ByRemovingSeccompProfileInContainer) Apply(resource k8s.Resource) []k8s.Resource { if pending.container.SecurityContext == nil { return nil } pending.container.SecurityContext.SeccompProfile = nil return nil } 070701000000D8000081A400000000000000000000000166C635DC00000C74000000000000000000000000000000000000002E00000000kubeaudit-0.22.2/auditors/seccomp/fix_test.gopackage seccomp import ( "strings" "testing" "github.com/Shopify/kubeaudit/internal/test" "github.com/Shopify/kubeaudit/pkg/k8s" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" apiv1 "k8s.io/api/core/v1" ) const fixtureDir = "fixtures" const emptyProfile = apiv1.SeccompProfileType("EMPTY") const defaultProfile = apiv1.SeccompProfileTypeRuntimeDefault const localhostProfile = apiv1.SeccompProfileTypeLocalhost func TestFixSeccomp(t *testing.T) { cases := []struct { file string expectedPodSeccompProfile apiv1.SeccompProfileType expectedContainerSeccompProfiles []apiv1.SeccompProfileType }{ {"seccomp-profile-missing.yml", defaultProfile, []apiv1.SeccompProfileType{emptyProfile}}, {"seccomp-profile-missing-disabled-container.yml", defaultProfile, []apiv1.SeccompProfileType{emptyProfile}}, {"seccomp-profile-missing-annotations.yml", defaultProfile, []apiv1.SeccompProfileType{emptyProfile}}, {"seccomp-disabled-pod.yml", defaultProfile, []apiv1.SeccompProfileType{defaultProfile}}, {"seccomp-disabled.yml", defaultProfile, []apiv1.SeccompProfileType{emptyProfile, emptyProfile}}, {"seccomp-disabled-localhost.yml", localhostProfile, []apiv1.SeccompProfileType{defaultProfile, emptyProfile}}, } for _, tc := range cases { // This line is needed because of how scopes work with parallel tests (see https://gist.github.com/posener/92a55c4cd441fc5e5e85f27bca008721) tc := tc t.Run(tc.file, func(t *testing.T) { resources, _ := test.FixSetup(t, fixtureDir, tc.file, New()) require.Len(t, resources, 1) resource := resources[0] updatedPodSpec := k8s.GetPodSpec(resource) checkPodSeccompProfile(t, updatedPodSpec, tc.expectedPodSeccompProfile) checkContainerSeccompProfiles(t, updatedPodSpec, tc.expectedContainerSeccompProfiles) checkNoSeccompAnnotations(t, resource) }) } } func checkPodSeccompProfile(t *testing.T, podSpec *apiv1.PodSpec, expectedPodSeccompProfile apiv1.SeccompProfileType) { securityContext := podSpec.SecurityContext if expectedPodSeccompProfile == emptyProfile { require.Nil(t, securityContext) } else { assert.Equal(t, expectedPodSeccompProfile, securityContext.SeccompProfile.Type) } } func checkContainerSeccompProfiles(t *testing.T, podSpec *apiv1.PodSpec, expectedContainerSeccompProfiles []apiv1.SeccompProfileType) { for i, container := range podSpec.Containers { securityContext := container.SecurityContext expectedProfile := expectedContainerSeccompProfiles[i] if expectedProfile == emptyProfile { require.True(t, securityContext == nil || securityContext.SeccompProfile == nil) } else { assert.Equal(t, expectedProfile, securityContext.SeccompProfile.Type) } } } func checkNoSeccompAnnotations(t *testing.T, resource k8s.Resource) { annotations := k8s.GetAnnotations(resource) if annotations == nil { return } seccompAnnotations := []string{} for annotation := range annotations { if annotation == PodAnnotationKey || strings.HasPrefix(annotation, ContainerAnnotationKeyPrefix) { seccompAnnotations = append(seccompAnnotations, annotation) } } assert.Empty(t, seccompAnnotations) } 070701000000D9000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002B00000000kubeaudit-0.22.2/auditors/seccomp/fixtures070701000000DA000081A400000000000000000000000166C635DC0000017A000000000000000000000000000000000000004A00000000kubeaudit-0.22.2/auditors/seccomp/fixtures/seccomp-disabled-localhost.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: seccomp-disabled-localhost spec: securityContext: seccompProfile: type: Localhost localhostProfile: my-seccomp-profile.json containers: - name: container1 image: scratch securityContext: seccompProfile: type: Unconfined - name: container2 image: scratch 070701000000DB000081A400000000000000000000000166C635DC0000011C000000000000000000000000000000000000004400000000kubeaudit-0.22.2/auditors/seccomp/fixtures/seccomp-disabled-pod.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: seccomp-disabled-pod spec: securityContext: seccompProfile: type: Unconfined containers: - name: container image: scratch securityContext: seccompProfile: type: RuntimeDefault 070701000000DC000081A400000000000000000000000166C635DC00000145000000000000000000000000000000000000004000000000kubeaudit-0.22.2/auditors/seccomp/fixtures/seccomp-disabled.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: seccomp-disabled spec: securityContext: seccompProfile: type: RuntimeDefault containers: - name: container1 image: scratch securityContext: seccompProfile: type: Unconfined - name: container2 image: scratch 070701000000DD000081A400000000000000000000000166C635DC000000FC000000000000000000000000000000000000004300000000kubeaudit-0.22.2/auditors/seccomp/fixtures/seccomp-enabled-pod.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: seccomp-enabled-pod spec: securityContext: seccompProfile: type: Localhost localhostProfile: my-seccomp-profile.json containers: - name: container image: scratch 070701000000DE000081A400000000000000000000000166C635DC000000D9000000000000000000000000000000000000003F00000000kubeaudit-0.22.2/auditors/seccomp/fixtures/seccomp-enabled.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: seccomp-enabled spec: containers: - name: container image: scratch securityContext: seccompProfile: type: RuntimeDefault 070701000000DF000081A400000000000000000000000166C635DC00000138000000000000000000000000000000000000005300000000kubeaudit-0.22.2/auditors/seccomp/fixtures/seccomp-profile-missing-annotations.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: seccomp-profile-missing-annotations annotations: seccomp.security.alpha.kubernetes.io/pod: runtime/default container.seccomp.security.alpha.kubernetes.io/container: localhost/bla spec: containers: - name: container image: scratch 070701000000E0000081A400000000000000000000000166C635DC000000F0000000000000000000000000000000000000005A00000000kubeaudit-0.22.2/auditors/seccomp/fixtures/seccomp-profile-missing-disabled-container.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: seccomp-profile-missing-disabled-container spec: containers: - name: container image: scratch securityContext: seccompProfile: type: Unconfined 070701000000E1000081A400000000000000000000000166C635DC00000093000000000000000000000000000000000000004700000000kubeaudit-0.22.2/auditors/seccomp/fixtures/seccomp-profile-missing.ymlapiVersion: v1 kind: Pod metadata: name: pod namespace: seccomp-profile-missing spec: containers: - name: container image: scratch 070701000000E2000081A400000000000000000000000166C635DC00002233000000000000000000000000000000000000002D00000000kubeaudit-0.22.2/auditors/seccomp/seccomp.gopackage seccomp import ( "fmt" "strings" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/pkg/fix" "github.com/Shopify/kubeaudit/pkg/k8s" apiv1 "k8s.io/api/core/v1" ) const Name = "seccomp" const ( // SeccompDeprecatedAnnotations occurs when deprecated seccomp annotations are present SeccompDeprecatedAnnotations = "SeccompDeprecatedAnnotations" // SeccompProfileMissing occurs when there are no seccomp profiles (pod nor container level) SeccompProfileMissing = "SeccompProfileMissing" // SeccompDisabledPod occurs when the pod-level seccomp profile is set to a value which disables seccomp SeccompDisabledPod = "SeccompDisabledPod" // SeccompDisabledContainer occurs when the container-level seccomp profile is set to a value which disables seccomp SeccompDisabledContainer = "SeccompDisabledContainer" ) const ( // ProfileRuntimeDefault represents the default seccomp profile used by container runtime ProfileRuntimeDefault = apiv1.SeccompProfileTypeRuntimeDefault // ProfileLocalhost represents the localhost seccomp profile used by container runtime ProfileLocalhost = apiv1.SeccompProfileTypeLocalhost // ContainerAnnotationKeyPrefix represents the key of a seccomp profile applied to one container of a pod ContainerAnnotationKeyPrefix = apiv1.SeccompContainerAnnotationKeyPrefix // PodAnnotationKey represents the key of a seccomp profile applied to all containers of a pod PodAnnotationKey = apiv1.SeccompPodAnnotationKey ) // Seccomp implements Auditable type Seccomp struct{} func New() *Seccomp { return &Seccomp{} } // Audit checks that Seccomp is enabled for all containers func (a *Seccomp) Audit(resource k8s.Resource, _ []k8s.Resource) ([]*kubeaudit.AuditResult, error) { var auditResults []*kubeaudit.AuditResult annotationAuditResult := auditAnnotations(resource) auditResults = appendNotNil(auditResults, annotationAuditResult) auditResult := auditPod(resource) auditResults = appendNotNil(auditResults, auditResult) for _, container := range k8s.GetContainers(resource) { auditResult := auditContainer(container, resource) auditResults = appendNotNil(auditResults, auditResult) } return auditResults, nil } func appendNotNil(auditResults []*kubeaudit.AuditResult, auditResult *kubeaudit.AuditResult) []*kubeaudit.AuditResult { if auditResult != nil { return append(auditResults, auditResult) } return auditResults } func auditAnnotations(resource k8s.Resource) *kubeaudit.AuditResult { podSpec := k8s.GetPodSpec(resource) if podSpec == nil { return nil } // We check annotations only when seccomp profile is missing for both pod and all containers // This way we ensure that we're in Manifest mode. // In Local and Cluster mode Kubernetes automatically populates seccomp profile in Security context when seccomp annotations are provided. if !isPodSeccompProfileMissing(podSpec.SecurityContext) || !isSeccompProfileMissingForAllContainers(resource) { return nil } seccompAnnotations := findSeccompAnnotations(resource) if len(seccompAnnotations) > 0 { return &kubeaudit.AuditResult{ Auditor: Name, Rule: SeccompDeprecatedAnnotations, Severity: kubeaudit.Warn, Message: "Pod Seccomp annotations are deprecated. Seccomp profile should be added to the pod SecurityContext.", PendingFix: &fix.ByRemovingPodAnnotations{Keys: seccompAnnotations}, Metadata: kubeaudit.Metadata{"AnnotationKeys": strings.Join(seccompAnnotations, ", ")}, } } return nil } func auditPod(resource k8s.Resource) *kubeaudit.AuditResult { podSpec := k8s.GetPodSpec(resource) if podSpec == nil { return nil } if isPodSeccompProfileMissing(podSpec.SecurityContext) { // If all the containers have container-level seccomp profiles then we don't need a pod-level profile if isSeccompEnabledForAllContainers(resource) { return nil } return &kubeaudit.AuditResult{ Auditor: Name, Rule: SeccompProfileMissing, Severity: kubeaudit.Error, Message: "Pod Seccomp profile is missing. Seccomp profile should be added to the pod SecurityContext.", PendingFix: &BySettingSeccompProfile{seccompProfileType: ProfileRuntimeDefault}, Metadata: kubeaudit.Metadata{}, } } podSeccompProfileType := podSpec.SecurityContext.SeccompProfile.Type if !isSeccompEnabled(podSeccompProfileType) { return &kubeaudit.AuditResult{ Auditor: Name, Rule: SeccompDisabledPod, Severity: kubeaudit.Error, Message: fmt.Sprintf("Pod Seccomp profile is set to %s which disables Seccomp. It should be set to the `%s` or `%s`.", podSeccompProfileType, ProfileRuntimeDefault, ProfileLocalhost), PendingFix: &BySettingSeccompProfile{seccompProfileType: ProfileRuntimeDefault}, Metadata: kubeaudit.Metadata{"SeccompProfileType": string(podSeccompProfileType)}, } } return nil } func auditContainer(container *k8s.ContainerV1, resource k8s.Resource) *kubeaudit.AuditResult { // Assume that the container will be covered by the pod-level seccomp profile. If there is no pod-level // seccomp profile, assume that it will be added as part of the pod seccomp profile audit / autofix if isContainerSeccompProfileMissing(container.SecurityContext) { return nil } containerSeccompProfile := container.SecurityContext.SeccompProfile.Type if !isSeccompEnabled(containerSeccompProfile) { // If the pod seccomp profile is set to Localhost, and the container seccomp profile is disabled, // then set the container seccomp profile to the default profile. // Otherwise, remove the container seccomp profile in favour of the pod profile. var pendingFix kubeaudit.PendingFix var msg string podSpec := k8s.GetPodSpec(resource) if isPodSeccompProfileMissing(podSpec.SecurityContext) || isSeccompProfileDefault(podSpec.SecurityContext.SeccompProfile.Type) { pendingFix = &ByRemovingSeccompProfileInContainer{container: container} msg = fmt.Sprintf("Container Seccomp profile is set to %s which disables Seccomp. It should be removed from the container SecurityContext, as the pod SeccompProfile is set.", containerSeccompProfile) } else { pendingFix = &BySettingSeccompProfileInContainer{container: container, seccompProfileType: ProfileRuntimeDefault} msg = fmt.Sprintf("Container Seccomp profile is set to %s which disables Seccomp. It should be set to the `%s` or `%s`.", containerSeccompProfile, ProfileRuntimeDefault, ProfileLocalhost) } return &kubeaudit.AuditResult{ Auditor: Name, Rule: SeccompDisabledContainer, Severity: kubeaudit.Error, Message: msg, PendingFix: pendingFix, Metadata: kubeaudit.Metadata{ "Container": container.Name, "SeccompProfileType": string(containerSeccompProfile), }, } } return nil } func isPodSeccompProfileMissing(securityContext *apiv1.PodSecurityContext) bool { return securityContext == nil || securityContext.SeccompProfile == nil } func isContainerSeccompProfileMissing(securityContext *apiv1.SecurityContext) bool { return securityContext == nil || securityContext.SeccompProfile == nil } // returns false if there is at least one container that is not covered by a container-level seccomp annotation func isSeccompEnabledForAllContainers(resource k8s.Resource) bool { for _, container := range k8s.GetContainers(resource) { securityContext := container.SecurityContext if isContainerSeccompProfileMissing(securityContext) { return false } containerSeccompProfileType := securityContext.SeccompProfile.Type if !isSeccompEnabled(containerSeccompProfileType) { return false } } return true } func isSeccompProfileMissingForAllContainers(resource k8s.Resource) bool { for _, container := range k8s.GetContainers(resource) { securityContext := container.SecurityContext if !isContainerSeccompProfileMissing(securityContext) { return false } } return true } func isSeccompEnabled(seccompProfileType apiv1.SeccompProfileType) bool { return isSeccompProfileDefault(seccompProfileType) || isSeccompProfileLocalhost(seccompProfileType) } func isSeccompProfileDefault(seccompProfileType apiv1.SeccompProfileType) bool { return seccompProfileType == apiv1.SeccompProfileTypeRuntimeDefault } func isSeccompProfileLocalhost(seccompProfileType apiv1.SeccompProfileType) bool { return seccompProfileType == apiv1.SeccompProfileTypeLocalhost } func findSeccompAnnotations(resource k8s.Resource) []string { annotations := k8s.GetAnnotations(resource) seccompAnnotations := []string{} for annotation := range annotations { if annotation == PodAnnotationKey || strings.HasPrefix(annotation, ContainerAnnotationKeyPrefix) { seccompAnnotations = append(seccompAnnotations, annotation) } } return seccompAnnotations } 070701000000E3000081A400000000000000000000000166C635DC0000050F000000000000000000000000000000000000003200000000kubeaudit-0.22.2/auditors/seccomp/seccomp_test.gopackage seccomp import ( "strings" "testing" "github.com/Shopify/kubeaudit/internal/test" ) func TestAuditSeccomp(t *testing.T) { cases := []struct { file string expectedErrors []string testLocalMode bool }{ {"seccomp-profile-missing.yml", []string{SeccompProfileMissing}, true}, {"seccomp-profile-missing-disabled-container.yml", []string{SeccompProfileMissing, SeccompDisabledContainer}, true}, {"seccomp-profile-missing-annotations.yml", []string{SeccompProfileMissing, SeccompDeprecatedAnnotations}, false}, {"seccomp-disabled-pod.yml", []string{SeccompDisabledPod}, true}, {"seccomp-disabled.yml", []string{SeccompDisabledContainer}, true}, {"seccomp-disabled-localhost.yml", []string{SeccompDisabledContainer}, true}, {"seccomp-enabled-pod.yml", nil, true}, {"seccomp-enabled.yml", nil, true}, } for _, tc := range cases { // This line is needed because of how scopes work with parallel tests (see https://gist.github.com/posener/92a55c4cd441fc5e5e85f27bca008721) tc := tc t.Run(tc.file, func(t *testing.T) { t.Parallel() test.AuditManifest(t, fixtureDir, tc.file, New(), tc.expectedErrors) if tc.testLocalMode { test.AuditLocal(t, fixtureDir, tc.file, New(), strings.Split(tc.file, ".")[0], tc.expectedErrors) } }) } } 070701000000E4000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000001700000000kubeaudit-0.22.2/build070701000000E5000081ED00000000000000000000000166C635DC0000026C000000000000000000000000000000000000002200000000kubeaudit-0.22.2/build/ldflags.sh#!/usr/bin/env bash set -eu -o pipefail VERSION=${VERSION:-$(git describe --abbrev=0 --broken)} COMMIT=${COMMIT:-$(git rev-parse --short HEAD)} # BSD date command doesn't support RFC3339/ISO8601 or subsecond precision. BUILDDATE=${BUILDDATE:-$(date -u -Ins 2> /dev/null || true)} BUILDDATE=${BUILDDATE:-$(date -u +%FT%T000000000%z)} new_ldflags="-X \"github.com/Shopify/kubeaudit/cmd.Version=${VERSION}\"" new_ldflags+=" -X \"github.com/Shopify/kubeaudit/cmd.Commit=${COMMIT}\"" new_ldflags+=" -X \"github.com/Shopify/kubeaudit/cmd.BuildDate=${BUILDDATE}\"" export LDFLAGS="$new_ldflags ${LDFLAGS:-}" echo "$LDFLAGS" 070701000000E6000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000001500000000kubeaudit-0.22.2/cmd070701000000E7000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000001E00000000kubeaudit-0.22.2/cmd/commands070701000000E8000081A400000000000000000000000166C635DC00000007000000000000000000000000000000000000002600000000kubeaudit-0.22.2/cmd/commands/VERSION0.22.2 070701000000E9000081A400000000000000000000000166C635DC0000091F000000000000000000000000000000000000002500000000kubeaudit-0.22.2/cmd/commands/all.gopackage commands import ( "os" "github.com/Shopify/kubeaudit/auditors/all" "github.com/Shopify/kubeaudit/config" log "github.com/sirupsen/logrus" "github.com/spf13/cobra" ) var auditAllConfig struct { configFile string } func auditAll(cmd *cobra.Command, args []string) { conf := loadKubeAuditConfigFromFile(auditAllConfig.configFile) // Config options set via flags override the config file conf = setConfigFromFlags(cmd, conf) auditors, err := all.Auditors(conf) if err != nil { log.WithError(err).Fatal("Error creating auditors") } runAudit(auditors...)(cmd, args) } func setConfigFromFlags(cmd *cobra.Command, conf config.KubeauditConfig) config.KubeauditConfig { flagset := cmd.Flags() for _, item := range []struct { flag string flagVal string configVal *string }{ {imageFlagName, imageConfig.Image, &conf.AuditorConfig.Image.Image}, {limitCpuFlagName, limitsConfig.CPU, &conf.AuditorConfig.Limits.CPU}, {limitMemoryFlagName, limitsConfig.Memory, &conf.AuditorConfig.Limits.Memory}, } { if flagset.Changed(item.flag) { *item.configVal = item.flagVal } } if flagset.Changed(capsAddFlagName) { conf.AuditorConfig.Capabilities.AllowAddList = capabilitiesConfig.AllowAddList } if flagset.Changed(sensitivePathsFlagName) { conf.AuditorConfig.Mounts.SensitivePaths = mountsConfig.SensitivePaths } return conf } func loadKubeAuditConfigFromFile(configFile string) config.KubeauditConfig { if configFile == "" { return config.KubeauditConfig{} } reader, err := os.Open(configFile) if err != nil { log.WithError(err).Fatal("Unable to open config file ", configFile) } conf, err := config.New(reader) if err != nil { log.WithError(err).Fatal("Error parsing config file ", configFile) } return conf } var auditAllCmd = &cobra.Command{ Use: "all", Short: "Run all audits", Long: `Run all audits Example usage: kubeaudit all -f /path/to/yaml kubeaudit all -k /path/to/kubeaudit-config.yaml /path/to/yaml `, Run: auditAll, } func init() { RootCmd.AddCommand(auditAllCmd) auditAllCmd.Flags().StringVarP(&auditAllConfig.configFile, "kconfig", "k", "", "Path to kubeaudit config") // Set flags for the auditors that have them setImageFlags(auditAllCmd) setLimitsFlags(auditAllCmd) setCapabilitiesFlags(auditAllCmd) setPathsFlags(auditAllCmd) } 070701000000EA000081A400000000000000000000000166C635DC000001FC000000000000000000000000000000000000002A00000000kubeaudit-0.22.2/cmd/commands/apparmor.gopackage commands import ( "github.com/Shopify/kubeaudit/auditors/apparmor" "github.com/spf13/cobra" ) var appArmorCmd = &cobra.Command{ Use: "apparmor", Short: "Audit containers running without AppArmor", Long: `This command determines which containers are running without AppArmor enabled. An ERROR result is generated when a container has AppArmor disabled or misconfigured. Example usage: kubeaudit apparmor`, Run: runAudit(apparmor.New()), } func init() { RootCmd.AddCommand(appArmorCmd) } 070701000000EB000081A400000000000000000000000166C635DC00000378000000000000000000000000000000000000002600000000kubeaudit-0.22.2/cmd/commands/asat.gopackage commands import ( "github.com/Shopify/kubeaudit/auditors/asat" "github.com/spf13/cobra" ) var asatCmd = &cobra.Command{ Use: "asat", Aliases: []string{"sat"}, Short: "Audit pods using an automatically mounted default service account", Long: `This command determines which pods are running with autoMountServiceAcccountToken = true (or nil) and using a default service account. An ERROR result is generated when a container matches one of the following: automountServiceAccountToken = true and serviceAccountName is blank (default service account) automountServiceAccountToken = nil (defaults to true) and serviceAccountName is blank (default service account) A WARN result is generated when a pod is found using the deprecated 'serviceAccount' field. Example usage: kubeaudit asat`, Run: runAudit(asat.New()), } func init() { RootCmd.AddCommand(asatCmd) } 070701000000EC000081A400000000000000000000000166C635DC0000076A000000000000000000000000000000000000002900000000kubeaudit-0.22.2/cmd/commands/autofix.gopackage commands import ( "io" "os" "github.com/Shopify/kubeaudit/auditors/all" log "github.com/sirupsen/logrus" "github.com/spf13/cobra" ) var autofixConfig struct { outFile string kubeauditConfigFile string } func autofix(cmd *cobra.Command, args []string) { conf := loadKubeAuditConfigFromFile(autofixConfig.kubeauditConfigFile) conf = setConfigFromFlags(cmd, conf) auditors, err := all.Auditors(conf) if err != nil { log.WithError(err).Fatal("Error creating auditors") } report := getReport(auditors...) var f io.Writer if autofixConfig.outFile != "" { f, err = os.Create(autofixConfig.outFile) if err != nil { log.WithError(err).Fatal("Error opening out file") } } else { f, err = os.OpenFile(rootConfig.manifest, os.O_WRONLY|os.O_TRUNC, 0755) if err != nil { log.WithError(err).Fatal("Error opening manifest file") } } err = report.Fix(f) if err != nil { log.WithError(err).Fatal("Error fixing manifest") } } var autofixCmd = &cobra.Command{ Use: "autofix", Short: "Automagically make a manifest secure", Long: `This command automatically fixes all identified security issues for a given manifest (ie. all ERROR results generated by 'kubeaudit all'). If no output file is specified using the -o flag, the source manifest will be modified. You can use the -k flag followed by the path to the kubeaudit config file to run fixes based on custom rules. Example usage: kubeaudit autofix -f /path/to/yaml kubeaudit autofix -f /path/to/yaml -o /path/for/fixed/yaml kubeaudit autofix -k /path/to/kubeaudit-config.yaml -f /path/to/yaml `, Run: autofix, } func init() { RootCmd.AddCommand(autofixCmd) autofixCmd.Flags().StringVarP(&autofixConfig.outFile, "outfile", "o", "", "File to write fixed manifest to") autofixCmd.Flags().StringVarP(&autofixConfig.kubeauditConfigFile, "kconfig", "k", "", "Path to kubeaudit config") } 070701000000ED000081A400000000000000000000000166C635DC000004E1000000000000000000000000000000000000002E00000000kubeaudit-0.22.2/cmd/commands/capabilities.gopackage commands import ( "fmt" "github.com/Shopify/kubeaudit/auditors/capabilities" "github.com/spf13/cobra" ) var capabilitiesConfig capabilities.Config const capsAddFlagName = "allow-add-list" var capabilitiesCmd = &cobra.Command{ Use: "capabilities", Aliases: []string{"caps"}, Short: "Audit containers not dropping ALL capabilities", Long: fmt.Sprintf(`This command determines which pods either have capabilities added or not set to ALL: An ERROR result is generated when a pod does not have drop ALL specified or when a capability is added. In case you need specific capabilities you can add them with the '--allow-add-list' flag, so kubeaudit will not report errors. Example usage: kubeaudit capabilities kubeaudit capabilities --allow-add-list "%s"`, "CHOWN"), Run: func(cmd *cobra.Command, args []string) { runAudit(capabilities.New(capabilitiesConfig))(cmd, args) }, } func setCapabilitiesFlags(cmd *cobra.Command) { cmd.Flags().StringSliceVar(&capabilitiesConfig.AllowAddList, capsAddFlagName, capabilities.DefaultAllowAddList, "Comma separated list of added capabilities that can be ignored by kubeaudit reports") } func init() { RootCmd.AddCommand(capabilitiesCmd) setCapabilitiesFlags(capabilitiesCmd) } 070701000000EE000081A400000000000000000000000166C635DC000005F0000000000000000000000000000000000000003000000000kubeaudit-0.22.2/cmd/commands/deprecatedapis.gopackage commands import ( "github.com/Shopify/kubeaudit/auditors/deprecatedapis" log "github.com/sirupsen/logrus" "github.com/spf13/cobra" ) var deprecatedapisConfig deprecatedapis.Config const ( currentVersionFlagName = "current-k8s-version" targetedVersionFlagName = "targeted-k8s-version" ) var deprecatedapisCmd = &cobra.Command{ Use: "deprecatedapis", Short: "Audit resource API version deprecations", Long: `This command determines which resource is defined with a deprecated API version. An ERROR result is generated for API version not available in the targeted version A WARN result is generated for API version deprecated in the current version An INFO result is generated for API version not yet deprecated in the current version Example usage: kubeaudit deprecatedapis kubeaudit deprecatedapis --current-k8s-version 1.22 --targeted-k8s-version 1.24`, Run: func(cmd *cobra.Command, args []string) { auditor, err := deprecatedapis.New(deprecatedapisConfig) if err != nil { log.Fatal("failed to create deprecatedapis auditor") } runAudit(auditor)(cmd, args) }, } func setdeprecatedapisFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&deprecatedapisConfig.CurrentVersion, currentVersionFlagName, "", "Kubernetes current version (eg 1.22)") cmd.Flags().StringVar(&deprecatedapisConfig.TargetedVersion, targetedVersionFlagName, "", "Kubernetes version to migrate to (eg 1.24)") } func init() { RootCmd.AddCommand(deprecatedapisCmd) setdeprecatedapisFlags(deprecatedapisCmd) } 070701000000EF000081A400000000000000000000000166C635DC0000024E000000000000000000000000000000000000002800000000kubeaudit-0.22.2/cmd/commands/hostns.gopackage commands import ( "github.com/Shopify/kubeaudit/auditors/hostns" "github.com/spf13/cobra" ) var hostnsCmd = &cobra.Command{ Use: "hostns", Aliases: []string{"namespaces"}, Short: "Audit pods with hostNetwork, hostIPC or hostPID enabled", Long: `This command determines which pods are running with hostNetwork, hostIPC or hostPID set to 'true'. An ERROR result is generated when a pod has at least one of hostNetwork, hostIPC or hostPID set to 'true'. Example usage: kubeaudit hostns`, Run: runAudit(hostns.New()), } func init() { RootCmd.AddCommand(hostnsCmd) } 070701000000F0000081A400000000000000000000000166C635DC000003F0000000000000000000000000000000000000002700000000kubeaudit-0.22.2/cmd/commands/image.gopackage commands import ( "github.com/Shopify/kubeaudit/auditors/image" "github.com/spf13/cobra" ) var imageConfig image.Config const imageFlagName = "image" var imageCmd = &cobra.Command{ Use: "image", Short: "Audit containers not using a specified image:tag", Long: `This command audits a container against a given image:tag. An ERROR result is generated when a container does not match the image:tag An INFO result is generated when a container has a matching image:tag. This command is also a root command, check 'kubeaudit image --help'. Example usage: kubeaudit image --image gcr.io/google_containers/echoserver:1.7 kubeaudit image -i gcr.io/google_containers/echoserver:1.7`, Run: func(cmd *cobra.Command, args []string) { runAudit(image.New(imageConfig))(cmd, args) }, } func setImageFlags(cmd *cobra.Command) { cmd.Flags().StringVarP(&imageConfig.Image, imageFlagName, "i", "", "Image to check against") } func init() { RootCmd.AddCommand(imageCmd) setImageFlags(imageCmd) } 070701000000F1000081A400000000000000000000000166C635DC000004DB000000000000000000000000000000000000002800000000kubeaudit-0.22.2/cmd/commands/limits.gopackage commands import ( "github.com/Shopify/kubeaudit/auditors/limits" log "github.com/sirupsen/logrus" "github.com/spf13/cobra" ) var limitsConfig limits.Config const ( limitMemoryFlagName = "memory" limitCpuFlagName = "cpu" ) var limitsCmd = &cobra.Command{ Use: "limits", Short: "Audit containers exceeding a specified CPU or memory limit", Long: `This command determines which containers exceed the specified CPU and memory limits, or have no limits configured. A WARN result is generated for each of the following cases: - The CPU limit is unset or exceeds the specified CPU limit - The memory limit is unset or exceeds the specified memory limit Example usage: kubeaudit limits kubeaudit limits --cpu 500m --memory 256Mi`, Run: func(cmd *cobra.Command, args []string) { auditor, err := limits.New(limitsConfig) if err != nil { log.Fatal("failed to create limits auditor") } runAudit(auditor)(cmd, args) }, } func setLimitsFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&limitsConfig.CPU, limitCpuFlagName, "", "Max CPU limit") cmd.Flags().StringVar(&limitsConfig.Memory, limitMemoryFlagName, "", "Max memory limit") } func init() { RootCmd.AddCommand(limitsCmd) setLimitsFlags(limitsCmd) } 070701000000F2000081A400000000000000000000000166C635DC00000518000000000000000000000000000000000000002800000000kubeaudit-0.22.2/cmd/commands/mounts.gopackage commands import ( "bytes" "fmt" "github.com/Shopify/kubeaudit/auditors/mounts" "github.com/spf13/cobra" "strings" ) const sensitivePathsFlagName = "denyPathsList" var mountsConfig mounts.Config var mountsCmd = &cobra.Command{ Use: "mounts", Short: "Audit containers that mount sensitive paths", Long: fmt.Sprintf(`This command determines which containers mount sensitive host paths. If no paths list is provided, the following paths are used: %s A WARN result is generated when a container mounts one or more paths specified with the '--denyPathsList' argument. Example usage: kubeaudit mounts --denyPathsList "%s"`, formatPathsList(), strings.Join(mounts.DefaultSensitivePaths[:3], ",")), Run: func(cmd *cobra.Command, args []string) { runAudit(mounts.New(mountsConfig))(cmd, args) }, } func init() { RootCmd.AddCommand(mountsCmd) setPathsFlags(mountsCmd) } func setPathsFlags(cmd *cobra.Command) { cmd.Flags().StringSliceVarP(&mountsConfig.SensitivePaths, sensitivePathsFlagName, "d", mounts.DefaultSensitivePaths, "List of sensitive paths that shouldn't be mounted") } func formatPathsList() string { var buffer bytes.Buffer for _, path := range mounts.DefaultSensitivePaths { buffer.WriteString("\n- ") buffer.WriteString(path) } return buffer.String() } 070701000000F3000081A400000000000000000000000166C635DC0000035C000000000000000000000000000000000000002900000000kubeaudit-0.22.2/cmd/commands/netpols.gopackage commands import ( "github.com/Shopify/kubeaudit/auditors/netpols" "github.com/spf13/cobra" ) var netpolsCmd = &cobra.Command{ Use: "netpols", Aliases: []string{"np"}, Short: "Audit namespaces that do not have a default deny network policy", Long: `This command determines which namespaces do not have a default deny NetworkPolicy. An ERROR result is generated for each of the followign cases: - A namespace does not have a default deny-all-ingress NetworkPolicy - A namespace does not have a default deny-all-egress NetworkPolicy A WARN result is generated for each of the following cases: - A namespace has a default allow-all-ingress NetworkPolicy - A namespace has a default allow-all-egress NetworkPolicy Example usage: kubeaudit netpols`, Run: runAudit(netpols.New()), } func init() { RootCmd.AddCommand(netpolsCmd) } 070701000000F4000081A400000000000000000000000166C635DC0000027B000000000000000000000000000000000000002900000000kubeaudit-0.22.2/cmd/commands/nonroot.gopackage commands import ( "github.com/Shopify/kubeaudit/auditors/nonroot" "github.com/spf13/cobra" ) var runAsNonRootCmd = &cobra.Command{ Use: "nonroot", Short: "Audit containers allowing for root user", Long: `This command determines which containers are allowed to run as root (uid=0). An ERROR result is generated when container does not have 'runAsNonRoot = true' or if a root user (UID 0) is explicitly set using 'runAsUser' in either its container SecurityContext or its pod SecurityContext. Example usage: kubeaudit nonroot`, Run: runAudit(nonroot.New()), } func init() { RootCmd.AddCommand(runAsNonRootCmd) } 070701000000F5000081A400000000000000000000000166C635DC0000025B000000000000000000000000000000000000002900000000kubeaudit-0.22.2/cmd/commands/privesc.gopackage commands import ( "github.com/Shopify/kubeaudit/auditors/privesc" "github.com/spf13/cobra" ) var allowPrivilegeEscalationCmd = &cobra.Command{ Use: "privesc", Aliases: []string{"allowpe"}, Short: "Audit containers that allow privilege escalation", Long: `This command determines which containers allow privilege escalation. An ERROR result is generated when a container does not have 'allowPrivilegeEscalation = false' in its SecurityContext. Example usage: kubeaudit privesc`, Run: runAudit(privesc.New()), } func init() { RootCmd.AddCommand(allowPrivilegeEscalationCmd) } 070701000000F6000081A400000000000000000000000166C635DC000002D6000000000000000000000000000000000000002C00000000kubeaudit-0.22.2/cmd/commands/privileged.gopackage commands import ( "github.com/Shopify/kubeaudit/auditors/privileged" "github.com/spf13/cobra" ) var privilegedCmd = &cobra.Command{ Use: "privileged", Aliases: []string{"priv"}, Short: "Audit containers running as privileged", Long: `This command determines which containers are running as privileged. An ERROR result is generated when a container has 'privileged = true' in its SecurityContext. A WARN result is generated a when a container has 'privileged = nil' in its SecurityContext. 'privileged' defaults to 'true' so this is ok, but it should be explicitly set to 'true'. Example usage: kubeaudit priv`, Run: runAudit(privileged.New()), } func init() { RootCmd.AddCommand(privilegedCmd) } 070701000000F7000081A400000000000000000000000166C635DC00001D0B000000000000000000000000000000000000002600000000kubeaudit-0.22.2/cmd/commands/root.gopackage commands import ( "fmt" "os" "strings" log "github.com/sirupsen/logrus" "github.com/spf13/cobra" apiv1 "k8s.io/api/core/v1" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/auditors/all" "github.com/Shopify/kubeaudit/config" "github.com/Shopify/kubeaudit/internal/color" "github.com/Shopify/kubeaudit/internal/k8sinternal" "github.com/Shopify/kubeaudit/internal/sarif" ) var rootConfig rootFlags type rootFlags struct { format string kubeConfig string context string manifest string namespace string minSeverity string exitCode int includeGenerated bool noColor bool } // RootCmd defines the shell command usage for kubeaudit. var RootCmd = &cobra.Command{ Use: "kubeaudit", Short: "A Kubernetes security auditor", Long: `🚨 Deprecation Notice 🚨 Kubeaudit is planned for deprecation by October 2024. We are actively seeking maintainers who are interested in taking over the stewardship of this project. If you are passionate about continuing its development and maintenance, please reach out to us. For users looking for alternatives, we recommend transitioning to Kubebench, which offers similar functionality and is actively maintained. Thank you to the community for your contributions and support. -------------------------------------------------------------------- Kubeaudit audits Kubernetes clusters for common security controls. kubeaudit has three modes: 1. Manifest mode: If a Kubernetes manifest file is provided using the -f/--manifest flag, kubeaudit will audit the manifest file. Kubeaudit also supports autofixing in manifest mode using the 'autofix' command. This will fix the manifest in-place. The fixed manifest can be written to a different file using the -o/--out flag. 2. Cluster mode: If kubeaudit detects it is running in a cluster, it will audit the other resources in the cluster. 3. Local mode: kubeaudit will try to connect to a cluster using the local kubeconfig file ($HOME/.kube/config). A different kubeconfig location can be specified using the -c/--kubeconfig flag `, } // Execute is a wrapper for the RootCmd.Execute method which will exit the program if there is an error. func Execute() { if err := RootCmd.Execute(); err != nil { log.Fatal(err) } } func init() { RootCmd.PersistentFlags().StringVarP(&rootConfig.kubeConfig, "kubeconfig", "", "", "Path to local Kubernetes config file. Only used in local mode (default is $HOME/.kube/config)") RootCmd.PersistentFlags().StringVarP(&rootConfig.context, "context", "c", "", "The name of the kubeconfig context to use") RootCmd.PersistentFlags().StringVarP(&rootConfig.minSeverity, "minseverity", "m", "info", "Set the lowest severity level to report (one of \"error\", \"warning\", \"info\")") RootCmd.PersistentFlags().StringVarP(&rootConfig.format, "format", "p", "pretty", "The output format to use (one of \"sarif\",\"pretty\", \"logrus\", \"json\")") RootCmd.PersistentFlags().StringVarP(&rootConfig.namespace, "namespace", "n", apiv1.NamespaceAll, "Only audit resources in the specified namespace. Not currently supported in manifest mode.") RootCmd.PersistentFlags().BoolVarP(&rootConfig.includeGenerated, "includegenerated", "g", false, "Include generated resources in scan (eg. pods generated by deployments).") RootCmd.PersistentFlags().BoolVar(&rootConfig.noColor, "no-color", false, "Don't produce colored output.") RootCmd.PersistentFlags().StringVarP(&rootConfig.manifest, "manifest", "f", "", "Path to the yaml configuration to audit. Only used in manifest mode.") RootCmd.PersistentFlags().IntVarP(&rootConfig.exitCode, "exitcode", "e", 2, "Exit code to use if there are results with severity of \"error\". Conventionally, 0 is used for success and all non-zero codes for an error.") } // KubeauditLogLevels represents an enum for the supported log levels. var KubeauditLogLevels = map[string]kubeaudit.SeverityLevel{ "error": kubeaudit.Error, "warn": kubeaudit.Warn, "warning": kubeaudit.Warn, "info": kubeaudit.Info, } func runAudit(auditable ...kubeaudit.Auditable) func(cmd *cobra.Command, args []string) { return func(cmd *cobra.Command, args []string) { report := getReport(auditable...) fmt.Fprintln(os.Stderr, color.Yellow("\n[Deprecation Notice]: Kubeaudit is planned for deprecation by October 2024.\nWe are actively seeking maintainers who are interested in taking over the stewardship of this project. If you are passionate about continuing its development and maintenance, please reach out to us.\nFor users looking for alternatives, we recommend transitioning to Kubebench, which offers similar functionality and is actively maintained.\nThank you to the community for your contributions and support.")) fmt.Fprintln(os.Stderr, color.Yellow("\n[WARNING]: kubernetes.io for override labels will soon be deprecated. Please, update them to use kubeaudit.io instead.")) printOptions := []kubeaudit.PrintOption{ kubeaudit.WithMinSeverity(KubeauditLogLevels[strings.ToLower(rootConfig.minSeverity)]), kubeaudit.WithColor(!rootConfig.noColor), } switch rootConfig.format { case "sarif": sarifReport, err := sarif.Create(report) if err != nil { log.WithError(err).Fatal("Error generating the SARIF output") } if err := sarifReport.PrettyWrite(os.Stdout); err != nil { log.WithError(err).Fatal("Error executing SARIF PrettyWrite") } if report.HasErrors() { os.Exit(rootConfig.exitCode) } return case "json": printOptions = append(printOptions, kubeaudit.WithFormatter(&log.JSONFormatter{})) case "logrus": printOptions = append(printOptions, kubeaudit.WithFormatter(&log.TextFormatter{})) } report.PrintResults(printOptions...) if report.HasErrors() { os.Exit(rootConfig.exitCode) } } } func getReport(auditors ...kubeaudit.Auditable) *kubeaudit.Report { auditor := initKubeaudit(auditors...) if rootConfig.manifest != "" { var f *os.File if rootConfig.manifest == "-" { f = os.Stdin rootConfig.manifest = "" } else { manifest, err := os.Open(rootConfig.manifest) if err != nil { log.WithError(err).Fatal("Error opening manifest file") } f = manifest } report, err := auditor.AuditManifest(rootConfig.manifest, f) if err != nil { log.WithError(err).Fatal("Error auditing manifest") } return report } if k8sinternal.IsRunningInCluster(k8sinternal.DefaultClient) && rootConfig.kubeConfig == "" { report, err := auditor.AuditCluster(k8sinternal.ClientOptions{Namespace: rootConfig.namespace, IncludeGenerated: rootConfig.includeGenerated}) if err != nil { log.WithError(err).Fatal("Error auditing cluster") } return report } report, err := auditor.AuditLocal(rootConfig.kubeConfig, rootConfig.context, kubeaudit.AuditOptions{Namespace: rootConfig.namespace, IncludeGenerated: rootConfig.includeGenerated}) if err != nil { log.WithError(err).Fatal("Error auditing cluster in local mode") } return report } func initKubeaudit(auditable ...kubeaudit.Auditable) *kubeaudit.Kubeaudit { if len(auditable) == 0 { allAuditors, err := all.Auditors(config.KubeauditConfig{}) if err != nil { log.WithError(err).Fatal("Error initializing auditors") } auditable = allAuditors } auditor, err := kubeaudit.New(auditable) if err != nil { log.WithError(err).Fatal("Error creating auditor") } return auditor } 070701000000F8000081A400000000000000000000000166C635DC00000228000000000000000000000000000000000000002800000000kubeaudit-0.22.2/cmd/commands/rootfs.gopackage commands import ( "github.com/Shopify/kubeaudit/auditors/rootfs" "github.com/spf13/cobra" ) var readonlyfsCmd = &cobra.Command{ Use: "rootfs", Short: "Audit containers not using a read only root filesystems", Long: `This command determines which containers do not have a read only root file system. An ERROR result is generated when a container does not have 'readOnlyRootFilesystem = true' in its SecurityContext. Example usage: kubeaudit rootfs`, Run: runAudit(rootfs.New()), } func init() { RootCmd.AddCommand(readonlyfsCmd) } 070701000000F9000081A400000000000000000000000166C635DC000001F3000000000000000000000000000000000000002900000000kubeaudit-0.22.2/cmd/commands/seccomp.gopackage commands import ( "github.com/Shopify/kubeaudit/auditors/seccomp" "github.com/spf13/cobra" ) var seccompCmd = &cobra.Command{ Use: "seccomp", Short: "Audit containers running without Seccomp", Long: `This command determines which containers are running without Seccomp enabled. An ERROR result is generated when a container has Seccomp disabled or misconfigured. Example usage: kubeaudit seccomp`, Run: runAudit(seccomp.New()), } func init() { RootCmd.AddCommand(seccompCmd) } 070701000000FA000081A400000000000000000000000166C635DC00000172000000000000000000000000000000000000002900000000kubeaudit-0.22.2/cmd/commands/version.gopackage commands import ( _ "embed" "fmt" "strings" "github.com/spf13/cobra" ) //go:embed VERSION var version string var versionCmd = &cobra.Command{ Use: "version", Short: "Prints the current kubeaudit version", Run: func(cmd *cobra.Command, args []string) { fmt.Println(strings.TrimSpace(version)) }, } func init() { RootCmd.AddCommand(versionCmd) } 070701000000FB000081A400000000000000000000000166C635DC00000066000000000000000000000000000000000000001D00000000kubeaudit-0.22.2/cmd/main.gopackage main import "github.com/Shopify/kubeaudit/cmd/commands" func main() { commands.Execute() } 070701000000FC000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000001800000000kubeaudit-0.22.2/config070701000000FD000081A400000000000000000000000166C635DC00000545000000000000000000000000000000000000002200000000kubeaudit-0.22.2/config/config.gopackage config import ( "io" "github.com/Shopify/kubeaudit/auditors/deprecatedapis" "github.com/Shopify/kubeaudit/auditors/mounts" "github.com/Shopify/kubeaudit/auditors/capabilities" "github.com/Shopify/kubeaudit/auditors/image" "github.com/Shopify/kubeaudit/auditors/limits" "gopkg.in/yaml.v3" ) func New(configData io.Reader) (KubeauditConfig, error) { configBytes, err := io.ReadAll(configData) if err != nil { return KubeauditConfig{}, err } config := KubeauditConfig{} err = yaml.Unmarshal(configBytes, &config) if err != nil { return KubeauditConfig{}, err } return config, nil } type KubeauditConfig struct { EnabledAuditors map[string]bool `yaml:"enabledAuditors"` AuditorConfig AuditorConfig `yaml:"auditors"` } func (conf *KubeauditConfig) GetEnabledAuditors() map[string]bool { if conf == nil { return map[string]bool{} } return conf.EnabledAuditors } func (conf *KubeauditConfig) GetAuditorConfigs() AuditorConfig { if conf == nil { return AuditorConfig{} } return conf.AuditorConfig } type AuditorConfig struct { Capabilities capabilities.Config `yaml:"capabilities"` DeprecatedAPIs deprecatedapis.Config `yaml:"config"` Image image.Config `yaml:"image"` Limits limits.Config `yaml:"limits"` Mounts mounts.Config `yaml:"mounts"` } 070701000000FE000081A400000000000000000000000166C635DC000003CA000000000000000000000000000000000000002400000000kubeaudit-0.22.2/config/config.yaml# Sample config enabledAuditors: # Auditors are enabled by default if they are not explicitly set to "false" apparmor: true asat: true capabilities: true deprecatedapis: true hostns: true image: true limits: true mounts: true netpols: true nonroot: true privesc: true privileged: true rootfs: true seccomp: true auditors: capabilities: # add capabilities needed to the add list, so kubeaudit won't report errors add: ["AUDIT_WRITE", "CHOWN", "KILL"] deprecatedapis: currentVersion: "1.22" targetedVersion: "1.25" image: image: "myimage:mytag" limits: cpu: "750m" memory: "500m" mounts: denyPathsList: ["/proc", "/var/run/docker.sock", "/", "/etc", "/root", "/var/run/crio/crio.sock", "/run/containerd/containerd.sock", /home/admin", "/var/lib/kubelet", "/var/lib/kubelet/pki", "/etc/kubernetes", "/etc/kubernetes/manifests"] 070701000000FF000081A400000000000000000000000166C635DC00000228000000000000000000000000000000000000002700000000kubeaudit-0.22.2/config/config_test.gopackage config_test import ( "os" "testing" "github.com/Shopify/kubeaudit/auditors/all" "github.com/Shopify/kubeaudit/config" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) // Test that the sample config includes all auditors func TestConfig(t *testing.T) { configFile := "config.yaml" reader, err := os.Open(configFile) require.NoError(t, err) conf, err := config.New(reader) require.NoError(t, err) assert.Equal(t, len(all.AuditorNames), len(conf.GetEnabledAuditors()), "Config is missing auditors") } 07070100000100000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000001600000000kubeaudit-0.22.2/docs07070100000101000081A400000000000000000000000166C635DC000011BB000000000000000000000000000000000000001D00000000kubeaudit-0.22.2/docs/all.md# All Auditor (all) Runs all available auditors, or those specified using a kubeaudit config. ## General Usage ``` kubeaudit all [flags] ``` ## Flags | Short | Long | Description | Default | | :---- | :-------- | :----------------------- | :------ | | -k | --kconfig | Path to kubeaudit config | | Also see [Global Flags](/README.md#global-flags) ### Kubeaudit Config A kubeaudit config file can be used instead of flags. ``` kubeaudit all -k "/path/to/kubeaudit-config.yml" -f "/path/to/manifest.yml" ``` Also see [Configuration File](/README.md#configuration-file) ## Examples ``` $ kubeaudit all -f "internal/test/fixtures/all_resources/deployment-apps-v1.yml" ---------------- Results for --------------- apiVersion: v1 kind: Namespace metadata: name: deployment-apps-v1 -------------------------------------------- -- [error] MissingDefaultDenyIngressAndEgressNetworkPolicy Message: Namespace is missing a default deny ingress and egress NetworkPolicy. Metadata: Namespace: deployment-apps-v1 ---------------- Results for --------------- apiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: deployment-apps-v1 -------------------------------------------- -- [error] AppArmorAnnotationMissing Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/container' should be added. Metadata: Container: container MissingAnnotation: container.apparmor.security.beta.kubernetes.io/container -- [error] AutomountServiceAccountTokenTrueAndDefaultSA Message: Default service account with token mounted. automountServiceAccountToken should be set to 'false' or a non-default service account should be used. -- [error] CapabilityOrSecurityContextMissing Message: Security Context not set. The Security Context should be specified and all Capabilities should be dropped by setting the Drop list to ALL. Metadata: Container: container -- [error] NamespaceHostNetworkTrue Message: hostNetwork is set to 'true' in PodSpec. It should be set to 'false'. Metadata: PodHost: -- [error] NamespaceHostIPCTrue Message: hostIPC is set to 'true' in PodSpec. It should be set to 'false'. Metadata: PodHost: -- [error] NamespaceHostPIDTrue Message: hostPID is set to 'true' in PodSpec. It should be set to 'false'. Metadata: PodHost: -- [warning] ImageTagMissing Message: Image tag is missing. Metadata: Container: container -- [warning] LimitsNotSet Message: Resource limits not set. Metadata: Container: container -- [error] RunAsNonRootPSCNilCSCNil Message: runAsNonRoot is not set in container SecurityContext nor the PodSecurityContext. It should be set to 'true' in at least one of the two. Metadata: Container: container -- [error] AllowPrivilegeEscalationNil Message: allowPrivilegeEscalation not set which allows privilege escalation. It should be set to 'false'. Metadata: Container: container -- [warning] PrivilegedNil Message: privileged is not set in container SecurityContext. Privileged defaults to 'false' but it should be explicitly set to 'false'. Metadata: Container: container -- [error] ReadOnlyRootFilesystemNil Message: readOnlyRootFilesystem is not set in container SecurityContext. It should be set to 'true'. Metadata: Container: container -- [error] SeccompProfileMissing Message: Pod Seccomp profile is missing. Seccomp profile should be added to the pod SecurityContext. ``` ### Example with Kubeaudit Config Consider the following kubeaudit config `config.yaml` ```yaml enabledAuditors: # Auditors are enabled by default if they are not explicitly set to "false" hostns: false image: false auditors: capabilities: add: - AUDIT_WRITE - CHOWN ``` The config can be passed to the `all` command using the `-k/--kconfig` flag: ``` $ kubeaudit all -k "config.yaml" -f "auditors/all/fixtures/audit_all_v1.yml" ``` ### Example with Flags The behaviour of the `all` command can also be customized by using flags. The `all` command supports all flags supported by individual auditors (see the individual [auditor docs](/README.md#auditors) for all the flags). For example, we can use the `--memory` flag (supported by the `limits` auditor): ``` kubeaudit all -f "manifest.yml" --memory 200 ``` Here, if the memory specified is higher than 200, `kubeaudit` will report that the memory limit was exceeded. 07070100000102000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000001F00000000kubeaudit-0.22.2/docs/auditors07070100000103000081A400000000000000000000000166C635DC00000C0D000000000000000000000000000000000000002B00000000kubeaudit-0.22.2/docs/auditors/apparmor.md# AppArmor Auditor (apparmor) Finds containers that do not have AppArmor enabled. ## General Usage ``` kubeaudit apparmor [flags] ``` See [Global Flags](/README.md#global-flags) ## Examples ``` $ kubeaudit apparmor -f "auditors/apparmor/fixtures/apparmor-annotation-missing.yml" ---------------- Results for --------------- apiVersion: v1 kind: Pod metadata: name: pod namespace: apparmor-annotation-missing -------------------------------------------- -- [error] AppArmorAnnotationMissing Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/container' should be added. Metadata: MissingAnnotation: container.apparmor.security.beta.kubernetes.io/container Container: container ``` If an apparmor annotation refers to a container which doesn't exist, `kubectl apply` will fail. Kubeaudit produces an error for this case: ``` $ kubeaudit apparmor -f "auditors/apparmor/fixtures/apparmor-invalid-annotation.yml" ---------------- Results for --------------- apiVersion: v1 kind: Pod metadata: name: pod namespace: apparmor-enabled -------------------------------------------- -- [error] AppArmorInvalidAnnotation Message: AppArmor annotation key refers to a container that doesn't exist. Remove the annotation 'container.apparmor.security.beta.kubernetes.io/container2: runtime/default'. Metadata: Container: container2 Annotation: container.apparmor.security.beta.kubernetes.io/container2: runtime/default ``` ## Explanation AppArmor is a Mandatory Access Control (MAC) system used by Linux. AppArmor is enabled by adding `container.apparmor.security.beta.kubernetes.io/[container name]` as a pod-level annotation and setting its value to either `runtime/default` or a profile (`localhost/[profile name]`). Example of a resource which passes the `apparmor` audit: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: metadata: annotations: container.apparmor.security.beta.kubernetes.io/myContainer: runtime/default spec: containers: - name: myContainer ``` To learn more about AppArmor, see https://wiki.ubuntu.com/AppArmor To learn more about AppArmor in Kubernetes, see https://kubernetes.io/docs/tutorials/clusters/apparmor/#securing-a-pod ## Override Errors First, see the [Introduction to Override Errors](/README.md#override-errors). Override identifier for the `unconfined` apparmor profile value: `allow-disabled-apparmor` Container overrides have the form: ```yaml container.kubeaudit.io/[container name].allow-disabled-apparmor: "SomeReason" ``` Example of resource with the `unconfined` apparmor profile overridden for a specific container: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: metadata: annotations: container.apparmor.security.beta.kubernetes.io/myContainer: unconfined labels: container.kubeaudit.io/myContainer.allow-disabled-apparmor: "SomeReason" spec: containers: - name: myContainer image: scratch ``` 07070100000104000081A400000000000000000000000166C635DC00000D0B000000000000000000000000000000000000002700000000kubeaudit-0.22.2/docs/auditors/asat.md# automountServiceAccountToken Auditor (asat) Finds containers that meet either of the following conditions: 1. The deprecated `serviceAccount` field is used 1. The default service account is automatically mounted ## General Usage ``` kubeaudit asat [flags] ``` See [Global Flags](/README.md#global-flags) ## Examples ``` kubeaudit asat -f "auditors/asat/fixtures/service-account-token-true-and-no-name.yml" ---------------- Results for --------------- apiVersion: v1 kind: ReplicationController metadata: name: replicationcontroller namespace: service-account-token-true-and-no-name -------------------------------------------- -- [error] AutomountServiceAccountTokenTrueAndDefaultSA Message: Default service account with token mounted. automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used. ``` ## Explanation `serviceAccount` is a deprecated field. `serviceAccountName` should be used instead. Example of a resource which fails the `asat` check because it uses `serviceAccount`: ```yaml apiVersion: v1 kind: Deployment spec: template: spec: serviceAccount: ThisFieldIsDeprecated containers: - name: myContainer ``` Automounting a default service account would allow any compromised pod to run API commands against the cluster. Either automounting should be disabled or a non-default service account with sane permissions should be used. To make sure a non-default service account is used, `serviceAccountName` must be set to a value other than `default`. To make sure a service account is not automatically mounted, `automountServiceAccountToken` must be explicitly set to `false` (it defaults to `true`) on either the ServiceAccount (for kubernetes 1.6+) or on the PodSpec. Example of disabling `automountServiceAccountToken` on the default ServiceAccount (kubernetes 1.6+): ```yaml apiVersion: v1 kind: ServiceAccount metadata: name: default automountServiceAccountToken: false ``` Example of disabling `automountServiceAccountToken` on the PodSpec of a Deployment: ```yaml apiVersion: v1 kind: Deployment spec: template: spec: automountServiceAccountToken: false containers: - name: myContainer ``` Note that if `automountServiceAccountToken` is set on the PodSpec, this will take precedence over `automountServiceAccountToken` set on the ServiceAccount, so you should never set `automountServiceAccountToken: true` in the PodSpec when using the default ServiceAccount. Example of using a non-default service account: ```yaml apiVersion: v1 kind: Deployment spec: template: spec: serviceAccountName: customServiceAccount containers: - name: myContainer ``` ## Override Errors First, see the [Introduction to Override Errors](/README.md#override-errors). Override identifier: `allow-automount-service-account-token` Only pod overrides are supported: ```yaml kubeaudit.io/allow-automount-service-account-token: "" ``` Example of a resource with `asat` results overridden: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: metadata: labels: kubeaudit.io/allow-automount-service-account-token: "" spec: automountServiceAccountToken: true containers: - name: myContainer ``` 07070100000105000081A400000000000000000000000166C635DC00001B07000000000000000000000000000000000000002F00000000kubeaudit-0.22.2/docs/auditors/capabilities.md# Capabilities Auditor (capabilities) Finds containers that do not drop the recommended capabilities or add new ones. ## General Usage ``` kubeaudit capabilities [flags] ``` ### Flags | Flag | Description | | :---- | :---------------------------------------------------------------------------------- | | --allow-add-list | Comma separated list of added capabilities that can be ignored by kubeaudit reports | Also see [Global Flags](/README.md#global-flags) ## Examples ```shell $ kubeaudit capabilities -f "auditors/capabilities/fixtures/capabilities-nil.yml" ---------------- Results for --------------- apiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: capabilities-nil -------------------------------------------- -- [error] CapabilityOrSecurityContextMissing Message: Security Context not set. The Security Context should be specified and all Capabilities should be dropped by setting the Drop list to ALL. Metadata: Container: container ``` ### Example with Config File A custom Add list can be provided in the config file. See [docs](docs/all.md) for more information. These are the capabilities you'd like to add and not have kubeaudit raise an error. In this example, kubeaudit will only error for "CHOWN" because it wasn't added to the add list in the config. `config.yaml` ```yaml --- auditors: capabilities: # add capabilities needed to the add list, so kubeaudit won't report errors allowAddList: ['KILL', 'MKNOD'] ``` `manifest.yaml` ```yaml apiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: example-namespace spec: template: spec: containers: - name: container1 image: scratch securityContext: capabilities: add: - CHOWN - KILL - MKNOD drop: - ALL ``` ```shell $ kubeaudit all --kconfig "config.yaml" -f "manifest.yaml" ---------------- Results for --------------- apiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: capabilities-some-allowed-multi-containers-some-labels -------------------------------------------- -- [error] CapabilityAdded Message: Capability "CHOWN" added. It should be removed from the capability add list. If you need this capability, add an override label such as'container.kubeaudit.io/container1.allow-capability-chown: SomeReason'. Metadata: Container: container1 ``` **Note**: if using http://man7.org/linux/man-pages/man7/capabilities.7.html as a reference for capability names, drop the `CAP_` prefix. ### Example with Custom Add List A custom add list can be provided as a comma separated value list of capabilities using the `--allow-add-list` flag. These are the capabilities you'd like to add and not have kubeaudit raise an error: `manifest.yaml` (example manifest) ```yaml capabilities: add: - CHOWN - KILL - MKNOD - NET_ADMIN ``` Here we're only adding 3 capabilities to the add list to be ignored. Since we didn't add `NET_ADMIN` to the list, kubeaudit will raise an error for this one. ```shell $ kubeaudit capabilities --allow-add-list "CHOWN,KILL,MKNOD" -f "manifest.yaml" ---------------- Results for --------------- apiVersion: apps/v1beta2 kind: Deployment metadata: name: deployment namespace: example-namespace -------------------------------------------- -- [error] CapabilityAdded Message: Capability "NET_ADMIN" added. It should be removed from the capability add list. If you need this capability, add an override label such as 'container.kubeaudit.io/container1.allow-capability-net-admin: SomeReason'. Metadata: Container: container1 Capabiliy: NET_ADMIN exit status 2 ``` ## Explanation Capabilities (specifically, Linux capabilities), are used for permission management in Linux. Some capabilities are enabled by default. Ideally, all capabilities should be dropped: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: spec: containers: - name: myContainer securityContext: capabilities: drop: - ALL ``` If capabiltiies are required, only those required capabilities should be added: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: spec: containers: - name: myContainer securityContext: capabilities: drop: - all add: - AUDIT_WRITE ``` In this case, an override label needs to be added to tell kubeaudit that the capability was added on purpose. See [Override Errors](#override-errors). To learn more about capabilities, see http://man7.org/linux/man-pages/man7/capabilities.7.html To learn more about capabilities in Kubernetes, see https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container ## Override Errors First, see the [Introduction to Override Errors](/README.md#override-errors). The override identifier has the format `allow-capability-[capability]` which allows for each capability to be individually overridden. To turn a capability name into an override identifier do the following: 1. Lowercase the capability name 1. Replace underscores (`_`) with dashes (`-`) 1. Prepend `allow-capability-` For example, the override identifier for the `AUDIT_WRITE` capability would be `allow-capability-audit-write`. Container overrides have the form: ```yaml container.kubeaudit.io/[container name].[override identifier]: '' ``` Pod overrides have the form: ```yaml kubeaudit.io/[override identifier]: '' ``` Example of a resource with `AUDIT_WRITE` and `DAC_OVERRIDE` capabilities overridden for a specific container: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: metadata: labels: container.kubeaudit.io/myContainer.allow-capability-audit-write: '' container.kubeaudit.io/myContainer.allow-capability-dac-override: '' spec: containers: - name: myContainer securityContext: capabilities: drop: - ALL add: - AUDIT_WRITE - DAC_OVERRIDE ``` Example of a resource with `AUDIT_WRITE` and `DAC_OVERRIDE` capabilities overridden for a whole pod: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: metadata: labels: kubeaudit.io/allow-capability-audit-write: '' kubeaudit.io/allow-capability-dac-override: '' spec: containers: - name: myContainer securityContext: capabilities: drop: - ALL add: - AUDIT_WRITE - DAC_OVERRIDE ``` 07070100000106000081A400000000000000000000000166C635DC00000CEF000000000000000000000000000000000000003100000000kubeaudit-0.22.2/docs/auditors/deprecatedapis.md# Kubernetes Deprecated API Auditor (deprecatedapis) Finds any resource defined with a deprecated API version. ## General Usage ``` kubeaudit deprecatedapis [flags] ``` ### Flags | Short | Long | Description | Default | | :------ | :--------------------- | :-------------------------------------------- | :------------------ | | | --current-k8s-version | Kubernetes current version | | | | --targeted-k8s-version | Kubernetes version to migrate to | | Also see [Global Flags](/README.md#global-flags) ## Examples The `deprecatedapis` auditor finds the deprecated APIs in use, reports the versions where they will be removed, and recommends replacement APIs. ``` $ kubeaudit deprecatedapis -f "auditors/deprecatedapis/fixtures/cronjob.yml" ---------------- Results for --------------- apiVersion: batch/v1beta1 kind: CronJob metadata: name: hello -------------------------------------------- -- [warning] DeprecatedAPIUsed Message: batch/v1beta1 CronJob is deprecated in v1.21+, unavailable in v1.25+, introduced in v1.8+; use batch/v1 CronJob Metadata: DeprecatedMajor: 1 DeprecatedMinor: 21 IntroducedMajor: 1 IntroducedMinor: 8 RemovedMajor: 1 RemovedMinor: 25 ReplacementKind: CronJob ReplacementGroup: batch/v1 ``` The `deprecatedapis` auditor can be used with the `--current-k8s-version` flag. If the API is not yet deprecated for this version the auditor will produce an `info` otherwise a `warning`. ``` $ kubeaudit deprecatedapis --current-k8s-version 1.20 -f "auditors/deprecatedapis/fixtures/cronjob.yml" ---------------- Results for --------------- apiVersion: batch/v1beta1 kind: CronJob metadata: name: hello -------------------------------------------- -- [info] DeprecatedAPIUsed Message: batch/v1beta1 CronJob is deprecated in v1.21+, unavailable in v1.25+, introduced in v1.8+; use batch/v1 CronJob Metadata: DeprecatedMajor: 1 DeprecatedMinor: 21 IntroducedMajor: 1 IntroducedMinor: 8 RemovedMajor: 1 RemovedMinor: 25 ReplacementKind: CronJob ReplacementGroup: batch/v1 ``` The `deprecatedapis` auditor can be used with the `--targeted-k8s-version` flag. If the API is not available for the targeted version the auditor will produce an `error` otherwise a `warning` or `info` if the API is not yet deprecated for this version. ``` $ kubeaudit deprecatedapis --current-k8s-version 1.20 --targeted-k8s-version 1.25 -f "auditors/deprecatedapis/fixtures/cronjob.yml" ---------------- Results for --------------- apiVersion: batch/v1beta1 kind: CronJob metadata: name: hello -------------------------------------------- -- [error] DeprecatedAPIUsed Message: batch/v1beta1 CronJob is deprecated in v1.21+, unavailable in v1.25+, introduced in v1.8+; use batch/v1 CronJob Metadata: DeprecatedMajor: 1 DeprecatedMinor: 21 IntroducedMajor: 1 IntroducedMinor: 8 RemovedMajor: 1 RemovedMinor: 25 ReplacementKind: CronJob ReplacementGroup: batch/v1 ``` ## Override Errors Overrides are not currently supported for `deprecatedapis`. 07070100000107000081A400000000000000000000000166C635DC00000C71000000000000000000000000000000000000002900000000kubeaudit-0.22.2/docs/auditors/hostns.md# Host Namespaces Auditor (hostns) Finds containers that have HostPID, HostIPC or HostNetwork enabled. ## General Usage ``` kubeaudit hostns [flags] ``` See [Global Flags](/README.md#global-flags) ## Examples ``` $ kubeaudit hostns -f "auditors/hostns/fixtures/namespaces-all-true.yml" ---------------- Results for --------------- apiVersion: v1 kind: Pod metadata: name: pod namespace: namespaces-all-true -------------------------------------------- -- [error] NamespaceHostNetworkTrue Message: hostNetwork is set to 'true' in PodSpec. It should be set to 'false'. -- [error] NamespaceHostIPCTrue Message: hostIPC is set to 'true' in PodSpec. It should be set to 'false'. -- [error] NamespaceHostPIDTrue Message: hostPID is set to 'true' in PodSpec. It should be set to 'false'. ``` ## Explanation **HostPID** - Controls whether the pod containers can share the host process ID namespace. Note that when paired with ptrace this can be used to escalate privileges outside of the container (ptrace is forbidden by default). **HostIPC** - Controls whether the pod containers can share the host IPC namespace. **HostNetwork** - Controls whether the pod may use the node network namespace. Doing so gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. All host namespaces should be disabled unless they are needed. They default to `false` so removing them is sufficient to pass the `hostns` audit, though they can also be explicitly set to `false` if desired. Example of a resource which **fails** the `hostns` audit: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: spec: hostPID: true hostIPC: true hostNetwork: true containers: - name: myContainer ``` For more information on host namespaces, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces ## Override Errors First, see the [Introduction to Override Errors](/README.md#override-errors). Each host namespace field can be individually overridden using their respective override identifiers: | Host Namespace | Override Identifier | | :------------- | :--------------------- | | HostPID | `allow-namespace-host-PID` | | HostIPC | `allow-namespace-host-IPC` | | HostNetwork | `allow-namespace-host-network` | Container overrides have the form: ```yaml container.kubeaudit.io/[container name].[override identifier]: "" ``` Pod overrides have the form: ```yaml kubeaudit.io/[override identifier]: "" ``` Example of a resource with `HostPID` overridden for a specific container: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: metadata: labels: container.kubeaudit.io/myContainer.allow-namespace-host-PID: "" spec: hostPID: true containers: - name: myContainer ``` Example of a resource with `HostPID` overridden for a whole pod: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: metadata: labels: kubeaudit.io/allow-namespace-host-PID: "" spec: hostPID: true containers: - name: myContainer ``` 07070100000108000081A400000000000000000000000166C635DC000008F4000000000000000000000000000000000000002800000000kubeaudit-0.22.2/docs/auditors/image.md# Image Auditor (image) Finds containers which do not use the desired version of an image (via the tag) or use an image without a tag. ## General Usage ``` kubeaudit image [flags] ``` ### Flags | Short | Long | Description | Default | | :------ | :-------- | :-------------------------------------------------------- | :------------------------------- | | -i | --image | Image and tag to check against. | | Also see [Global Flags](/README.md#global-flags) ## Examples The image and tag to look for are specified using the `-i/--image image:tag` flag. For example, `-i gcr.io/google_containers/echoserver:1.7` will look for containers using the `gcr.io/google_containers/echoserver` image which have a tag other than `1.7`. ``` $ kubeaudit image -i "scratch:1.6" -f "auditors/image/fixtures/image-tag-present.yml" ---------------- Results for --------------- apiVersion: apps/v1 kind: Deployment metadata: name: deployment -------------------------------------------- -- [error] ImageTagIncorrect Message: Container tag is incorrect. It should be set to '1.6'. Metadata: Container: deployment ``` If the container image matches the provided image but the container image has no tag, a warning is produced: ``` $ kubeaudit image -i "scratch:1.6" -f "auditors/image/fixtures/image-tag-missing.yml" ---------------- Results for --------------- apiVersion: apps/v1 kind: Deployment metadata: name: deployment -------------------------------------------- -- [warning] ImageTagMissing Message: Image tag is missing. Metadata: Container: container ``` The `image` auditor can be used to find all containers that use an image without a tag by omitting the `-i/--image` flag: ``` $ kubeaudit image -f "auditors/image/fixtures/image-tag-missing.yml" ---------------- Results for --------------- apiVersion: apps/v1 kind: Deployment metadata: name: deployment -------------------------------------------- -- [warning] ImageTagMissing Message: Image tag is missing. Metadata: Container: container ``` ## Override Errors Overrides are not currently supported for `image`. 07070100000109000081A400000000000000000000000166C635DC00000C18000000000000000000000000000000000000002900000000kubeaudit-0.22.2/docs/auditors/limits.md# Limits Auditor (limits) Finds containers which exceed the specified CPU and memory limits or do not specify any. ## General Usage ``` kubeaudit limits [flags] ``` ### Flags | Short | Long | Description | Default | | :------ | :-------- | :-------------------------------------------------------- | :------------------------------- | | | --cpu | Max CPU limit | | | | --memory | Max memory limit | | Also see [Global Flags](/README.md#global-flags) ## Examples The max CPU is specified using the `--cpu` flag: ``` $ kubeaudit limits --cpu 600m -f "auditors/limits/fixtures/resources-limit.yml" ---------------- Results for --------------- apiVersion: v1 kind: Pod metadata: name: pod -------------------------------------------- -- [warning] LimitsCPUExceeded Message: CPU limit exceeded. It is set to '750m' which exceeds the max CPU limit of '600m'. Metadata: Container: container ContainerCpuLimit: 750m MaxCPU: 600m ``` The max memory is specified using the `--memory` flag: ``` $ kubeaudit limits --memory 384 -f "auditors/limits/fixtures/resources-limit.yml" ---------------- Results for --------------- apiVersion: v1 kind: Pod metadata: name: pod -------------------------------------------- -- [warning] LimitsMemoryExceeded Message: Memory limit exceeded. It is set to '512Mi' which exceeds the max Memory limit of '384'. Metadata: MaxMemory: 384 Container: container ContainerMemoryLimit: 512Mi ``` The CPU and memory can be audited at the same time by including both the `--cpu` and `--memory` flags: ``` $ kubeaudit limits --cpu 600m --memory 384 -f "auditors/limits/fixtures/resources-limit.yml" ---------------- Results for --------------- apiVersion: v1 kind: Pod metadata: name: pod -------------------------------------------- -- [warning] LimitsCPUExceeded Message: CPU limit exceeded. It is set to '750m' which exceeds the max CPU limit of '600m'. Metadata: Container: container ContainerCpuLimit: 750m MaxCPU: 600m -- [warning] LimitsMemoryExceeded Message: Memory limit exceeded. It is set to '512Mi' which exceeds the max Memory limit of '384'. Metadata: Container: container ContainerMemoryLimit: 512Mi MaxMemory: 384 ``` The `limits` auditor can be used to find all containers which do not specify a max CPU or memory by omitting the `--cpu` and `--memory` flags: ``` $ kubeaudit limits -f "auditors/limits/fixtures/resources-limit-nil.yml" ---------------- Results for --------------- apiVersion: v1 kind: Pod metadata: name: pod -------------------------------------------- -- [warning] LimitsNotSet Message: Resource limits not set. Metadata: Container: container ``` ## Override Errors Overrides are not currently supported for `limits`. 0707010000010A000081A400000000000000000000000166C635DC0000221B000000000000000000000000000000000000002900000000kubeaudit-0.22.2/docs/auditors/mounts.md# Sensitive Host Path Mounted Auditor (mounts) Finds containers that have sensitive host paths mounted. ## General Usage ``` kubeaudit mounts [flags] ``` ### Flags | Short | Long | Description | Default | | :------ | :---------------- | :------------------------------------------------------------------- | :----------------------------------------------------------------------- | | -d | --denyPathsList | List of sensitive paths that shouldn't be mounted. | [default sensitive host paths list](#Default-sensitive-host-paths-list) | Also see [Global Flags](/README.md#global-flags) #### Default sensitive host paths list | Host path | Description | | :------------------------------ | :---------------------------------------------------------------------- | | /proc | Pseudo-filesystem which provides an interface to kernel data structures | | / | Filesystem's root | | /etc | Directory that usually contains all system related configurations files | | /root | Home directory of the `root` user | | /var/run/docker.sock | Unix socket used to communicate with Docker daemon | | /var/run/crio/crio.sock | Unix socket used to communicate with the CRI-O Container Engine | | /run/containerd/containerd.sock | Unix socket used to communicate with the Containerd container runtime | | /home/admin | Home directory of the `admin` user | | /var/lib/kubelet | Directory for Kublet-related configuration | | /var/lib/kubelet/pki | Directory containing the certificate and private key of the kublet | | /etc/kubernetes | Directory containing Kubernetes related configuration | | /etc/kubernetes/manifests | Directory containing manifest of Kubernetes components | ## Examples ``` $ kubeaudit mounts -f auditors/mounts/fixtures/proc-mounted.yml ---------------- Results for --------------- apiVersion: v1 kind: Pod metadata: name: pod namespace: proc-mounted -------------------------------------------- -- [error] SensitivePathsMounted Message: Sensitive path mounted as volume: proc-volume (/proc -> /host/proc, readOnly: false). It should be removed from the container's mounts list. Metadata: Container: container MountName: proc-volume MountPath: /host/proc MountReadOnly: false MountVolume: proc-volume MountVolumeHostPath: /proc ``` ### Example with Config File If you don't want kubeaudit to raise errors for all the paths in the default list (`DefaultSensitivePaths`), you can provide a custom paths list in the config file. See [docs](docs/all.md) for more information. That way kubeaudit will only raise errors for those specific paths listed in the config file. `config.yaml` ```yaml --- enabledAuditors: mounts: true auditors: mounts: denyPathsList: ["/etc", "/var/run/docker.sock"] ``` `manifest.yaml` ```yaml apiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: example-namespace spec: template: spec: containers: - name: container image: scratch volumeMounts: - mountPath: /host/etc name: etc-volume - mountPath: /var/run/docker.sock name: docker-socket-volume volumes: - name: etc-volume hostPath: path: /etc - name: docker-socket-volume hostPath: path: /var/run/docker.sock ``` ```shell $ kubeaudit all --kconfig "config.yaml" -f "manifest.yaml" ---------------- Results for --------------- apiVersion: apps/v1beta2 kind: Deployment metadata: name: deployment namespace: example-namespace -------------------------------------------- -- [error] SensitivePathsMounted Message: Sensitive path mounted as volume: etc-volume (hostPath: /etc). It should be removed from the container's mounts list. Metadata: Container: container MountName: etc-volume MountPath: /host/etc MountReadOnly: false MountVolume: etc-volume MountVolumeHostPath: /etc -- [error] SensitivePathsMounted Message: Sensitive path mounted as volume: docker-socket-volume (hostPath: /var/run/docker.sock). It should be removed from the container's mounts list. Metadata: MountReadOnly: false MountVolume: docker-socket-volume MountVolumeHostPath: /var/run/docker.sock Container: container MountName: docker-socket-volume MountPath: /var/run/docker.sock ``` ### Example with Custom Paths List A custom paths list can be provided as a comma separated value list of paths using the `--denyPathsList` flag. These are the host paths you'd like to have kubeaudit raise an error when they are mounted in a container. `manifest.yaml` (example manifest) ```yaml volumes: - name: etc-volume hostPath: path: /etc - name: docker-socket-volume hostPath: path: /var/run/docker.sock ``` ```shell $ kubeaudit mounts --denyPathsList "/etc,/var/run/docker.sock" -f "manifest.yaml" ---------------- Results for --------------- apiVersion: apps/v1beta2 kind: Deployment metadata: name: deployment namespace: example-namespace -------------------------------------------- -- [error] SensitivePathsMounted Message: Sensitive path mounted as volume: etc-volume (hostPath: /etc). It should be removed from the container's mounts list. Metadata: Container: container MountName: etc-volume MountPath: /host/etc MountReadOnly: false MountVolume: etc-volume MountVolumeHostPath: /etc -- [error] SensitivePathsMounted Message: Sensitive path mounted as volume: docker-socket-volume (hostPath: /var/run/docker.sock). It should be removed from the container's mounts list. Metadata: Container: container MountName: docker-socket-volume MountPath: /var/run/docker.sock MountReadOnly: false MountVolume: docker-socket-volume MountVolumeHostPath: /var/run/docker.sock ``` ## Explanation Mounting some sensitive host paths (like `/etc`, `/proc`, or `/var/run/docker.sock`) may allow a container to access sensitive information from the host like credentials or to spy on other workloads' activity. These sensitive paths should not be mounted. Example of a resource which **fails** the `mounts` audit: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: spec: containers: - name: container image: scratch volumeMounts: - mountPath: /host/proc name: proc-volume volumes: - name: proc-volume hostPath: path: /proc ``` ## Override Errors First, see the [Introduction to Override Errors](/README.md#override-errors). The override identifier has the format `allow-host-path-mount-[mount name]` which allows for each mount to be individually overridden. Example of resource with `mounts` overridden for a specific container: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: #PodTemplateSpec metadata: labels: container.kubeaudit.io/container2.allow-host-path-mount-proc-volume: "SomeReason" spec: #PodSpec containers: - name: container1 image: scratch - name: container2 image: scratch volumeMounts: - mountPath: /host/proc name: proc-volume volumes: - name: proc-volume hostPath: path: /proc ``` Example of resource with `mounts` overridden for a whole pod: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: #PodTemplateSpec metadata: labels: kubeaudit.io/allow-host-path-mount-proc-volume: "SomeReason" spec: #PodSpec containers: - name: container1 image: scratch volumeMounts: - mountPath: /host/proc name: proc-volume - name: container2 image: scratch volumeMounts: - mountPath: /host/proc name: proc-volume volumes: - name: proc-volume hostPath: path: /proc ``` 0707010000010B000081A400000000000000000000000166C635DC00000FD7000000000000000000000000000000000000002A00000000kubeaudit-0.22.2/docs/auditors/netpols.md# Default Deny NetworkPolicies for Namespaces Auditor (netpols) Finds namespaces that do not have a default-deny network policy. ## General Usage ``` kubeaudit netpols [flags] ``` See [Global Flags](/README.md#global-flags) ## Examples ``` $ kubeaudit netpols -f "auditors/netpols/fixtures/namespace-missing-default-deny-netpol.yml" ---------------- Results for --------------- apiVersion: v1 kind: Namespace metadata: name: namespace-missing-default-deny-netpol -------------------------------------------- -- [error] MissingDefaultDenyIngressAndEgressNetworkPolicy Message: Namespace is missing a default deny ingress and egress NetworkPolicy. Metadata: Namespace: namespace-missing-default-deny-netpol ``` ## Explanation Just like with firewall rules, the best practice is to deny all internet traffic by default and explicitly allow expected traffic (that is, allow expected traffic rather than deny unexpected traffic). This can be done by creating a Network Policy for each namespace which denies all ingress (incoming) and egress (outgoing) traffic. This Network Policy should have an empty pod selector: ```yaml apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny namespace: default spec: podSelector: {} policyTypes: - Ingress - Egress ``` To allow traffic to a pod, an additional Network Policy can be created which selects that pod. For more information on network policies, see https://kubernetes.io/docs/concepts/services-networking/network-policies/ ## Override Errors First, see the [Introduction to Override Errors](/README.md#override-errors). The `netpols` auditor uses a unique override label type not used by any other auditor because the label applies to a namespace (rather than a container or pod): ``` kubeaudit.io/[override identifier]: "" ``` Deny-all ingress and egress network policies can be individually overridden using their respective override identifiers: | Traffic Type | Override Identifier | | :------------- | :----------------------------------------------- | | Ingress | `allow-non-default-deny-ingress-network-policy` | | Egress | `allow-non-default-deny-egress-network-policy` | The override label is placed directly on the Namespace resource: ```yaml apiVersion: v1 kind: Namespace metadata: name: "default" labels: kubeaudit.io/allow-non-default-deny-ingress-network-policy: "" ``` ### Override Example Consider this Network Policy which denies all egress traffic in the `my-namespace` namespace, but allows all ingress traffic: ```yaml apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny namespace: my-namespace spec: podSelector: {} policyTypes: - Egress --- apiVersion: v1 kind: Namespace metadata: name: my-namespace ``` The `netpols` auditor will produce an error because there is no `deny-all` Network Policy for ingress traffic: ``` ---------------- Results for --------------- apiVersion: v1 kind: Namespace metadata: name: my-namespace -------------------------------------------- -- [error] MissingDefaultDenyIngressNetworkPolicy Message: All ingress traffic should be blocked by default for namespace my-namespace. Metadata: Namespace: my-namespace ``` This error can be overridden by adding the `kubeaudit.io/allow-non-default-deny-ingress-network-policy: ""` label to the corresponding Namespace resource: ```yaml apiVersion: v1 kind: Namespace metadata: name: "my-namespace" labels: kubeaudit.io/allow-non-default-deny-ingress-network-policy: "" ``` The auditor will now produce a warning instead of an error: ``` ---------------- Results for --------------- apiVersion: v1 kind: Namespace metadata: name: my-namespace -------------------------------------------- -- [warning] MissingDefaultDenyIngressNetworkPolicyAllowed Message: All ingress traffic should be blocked by default for namespace my-namespace. Metadata: Namespace: my-namespace ``` 0707010000010C000081A400000000000000000000000166C635DC00001313000000000000000000000000000000000000002A00000000kubeaudit-0.22.2/docs/auditors/nonroot.md# runAsNonRoot Auditor (nonroot) Finds containers allowed to run as root. ## General Usage ``` kubeaudit nonroot [flags] ``` See [Global Flags](/README.md#global-flags) ## Examples ``` $ kubeaudit nonroot -f "auditors/nonroot/fixtures/run-as-non-root-nil.yml" ---------------- Results for --------------- apiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: run-as-non-root-nil -------------------------------------------- -- [error] RunAsNonRootPSCNilCSCNil Message: runAsNonRoot is not set in container SecurityContext nor the PodSecurityContext. It should be set to 'true' in at least one of the two. Metadata: Container: container ``` ## Explanation Containers should be run as a non-root user with the minimum required permissions (principle of least privilege). This can be done by setting `runAsNonRoot` to `true` in either the PodSecurityContext or container SecurityContext. If `runAsNonRoot` is unset in the Container SecurityContext, it will inherit the value of the Pod SecurityContext. If `runAsNonRoot` is unset in the Pod SecurityContext, it defaults to `false` which means it must be explicitly set to `true` in either the Container SecurityContext or the Pod SecurityContext for the `nonroot` audit to pass. Note that the Container SecurityContext takes precedence over the Pod SecurityContext so setting `runAsNonRoot` to `false` in the Container SecurityContext will always fail the `nonroot` audit unless an [override](#override-errors) is used. Ideally, `runAsNonRoot` should be set to `true` in the PodSecurityContext: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: #PodTemplateSpec spec: #PodSpec securityContext: #PodSecurityContext runAsNonRoot: true containers: - name: myContainer ``` Alternatively it's possible to enforce non-root containers by setting `runAsUser` to a non-root UID (>0) in either the PodSecurityContext or container SecurityContext. Conversely, if `runAsUser` is set to `0` in either the PodSecurityContext or container SecurityContext then the container will always run as root and so the audit will fail. If `runAsUser` is set to a non-root UID (either in PodSecurityContext or container SecurityContext) it won't matter if `runAsNonRoot` is set to `false` or `nil` and so the audit will always pass. As for `runAsNonRoot`, ideally, `runAsUser` should be set to a non-root UID in the PodSecurityContext: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: #PodTemplateSpec spec: #PodSpec securityContext: #PodSecurityContext runAsUser: 1000 containers: - name: myContainer ``` If a container needs to run as root, it should be enabled for that container only in the container's SecurityContext. This will require an override label so kubeaudit knows it is intentional. See [Override Errors](#override-errors). For more information on pod and container security contexts see https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## Override Errors First, see the [Introduction to Override Errors](/README.md#override-errors). Override identifer: `allow-run-as-root` Container overrides have the form: ```yaml container.kubeaudit.io/[container name].allow-run-as-root: "" ``` Pod overrides have the form: ```yaml kubeaudit.io/allow-run-as-root: "" ``` Example of resource with `nonroot` overridden for a specific container: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: #PodTemplateSpec metadata: labels: container.kubeaudit.io/myContainer.allow-run-as-root: "" spec: #PodSpec securityContext: #PodSecurityContext runAsNonRoot: true containers: - name: myContainer securityContext: #SecurityContext runAsNonRoot: false - name: myContainer2 ``` Example of resource with `nonroot` overridden for a whole pod: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: #PodTemplateSpec metadata: labels: kubeaudit.io/allow-run-as-root: "" spec: #PodSpec securityContext: #PodSecurityContext runAsNonRoot: true containers: - name: myContainer securityContext: #SecurityContext runAsNonRoot: false - name: myContainer2 securityContext: #SecurityContext runAsNonRoot: false ``` Example of resource with `nonroot` overridden for a specific container using `runAsUser`: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: #PodTemplateSpec metadata: labels: container.kubeaudit.io/myContainer.allow-run-as-root: "" spec: #PodSpec securityContext: #PodSecurityContext runAsUser: 1000 containers: - name: myContainer securityContext: #SecurityContext runAsUser: 0 - name: myContainer2 ``` 0707010000010D000081A400000000000000000000000166C635DC00000976000000000000000000000000000000000000002A00000000kubeaudit-0.22.2/docs/auditors/privesc.md# Privilege Escalation Allowed Auditor (privesc) Finds containers that allow privilege escalation. ## General Usage ``` kubeaudit privesc [flags] ``` See [Global Flags](/README.md#global-flags) ## Examples ``` $ kubeaudit privesc -f "auditors/privesc/fixtures/allow-privilege-escalation-nil.yml" ---------------- Results for --------------- apiVersion: apps/v1 kind: StatefulSet metadata: name: statefulset namespace: allow-privilege-escalation-nil -------------------------------------------- -- [error] AllowPrivilegeEscalationNil Message: allowPrivilegeEscalation not set which allows privilege escalation. It should be set to 'false'. Metadata: Container: container ``` ## Explanation `allowPrivilegeEscalation` controls whether a process can gain more privileges than its parent process. Privilege escalation is disabled by setting `allowPrivilegeEscalation` to `false` in the container SecurityContext. The field defaults to `true` so it must be explicitly set to `false` to pass the `privesc` audit: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: spec: containers: - name: myContainer securityContext: allowPrivilegeEscalation: false ``` For more information on pod and container security contexts see https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## Override Errors First, see the [Introduction to Override Errors](/README.md#override-errors). Override identifier: `allow-privilege-escalation` Container overrides have the form: ```yaml container.kubeaudit.io/[container name].allow-privilege-escalation: "" ``` Pod overrides have the form: ```yaml kubeaudit.io/allow-privilege-escalation: "" ``` Example of resource with `privesc` overridden for a specific container: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: metadata: labels: container.kubeaudit.io/myContainer.allow-privilege-escalation: "" spec: containers: - name: myContainer securityContext: allowPrivilegeEscalation: true ``` Example of resource with `privesc` overridden for a whole pod: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: metadata: labels: kubeaudit.io/allow-privilege-escalation: "" spec: containers: - name: myContainer securityContext: allowPrivilegeEscalation: true ``` 0707010000010E000081A400000000000000000000000166C635DC000009E6000000000000000000000000000000000000002D00000000kubeaudit-0.22.2/docs/auditors/privileged.md# Privileged Auditor (privileged) Finds containers running as privileged. ## General Usage ``` kubeaudit privileged [flags] ``` See [Global Flags](/README.md#global-flags) ## Examples ``` $ kubeaudit privileged -f "auditors/privileged/fixtures/privileged-true.yml" ---------------- Results for --------------- apiVersion: apps/v1 kind: DaemonSet metadata: name: daemonset namespace: privileged-true -------------------------------------------- -- [error] PrivilegedTrue Message: privileged is set to 'true' in container SecurityContext. It should be set to 'false'. Metadata: Container: container ``` ## Explanation Running a container as privileged gives all capabilities to the container, and it also lifts all the limitations enforced by the device cgroup controller. In other words, the container can then do almost everything that the host can do. This option exists to allow special use-cases, like running Docker within Docker, but should not be used in most cases. To prevent a container from running as privileged, `privileged` should be set to `false` in the container SecurityContext. The field defaults to `false` so omitting the field is sufficient to pass the `privileged` audit: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: spec: containers: - name: myContainer securityContext: privileged: false ``` For more information on pod and container security contexts see https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## Override Errors First, see the [Introduction to Override Errors](/README.md#override-errors). Override identifier: `allow-privileged` Container overrides have the form: ```yaml container.kubeaudit.io/[container name].allow-privileged: "" ``` Pod overrides have the form: ```yaml kubeaudit.io/allow-privileged: "" ``` Example of resource with `privileged` overridden for a specific container: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: metadata: labels: container.kubeaudit.io/myContainer.allow-privilege-escalation: "" spec: containers: - name: myContainer securityContext: privileged: true ``` Example of resource with `privileged` overridden for a whole pod: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: metadata: labels: kubeaudit.io/allow-privileged: "" spec: containers: - name: myContainer securityContext: privileged: true ``` 0707010000010F000081A400000000000000000000000166C635DC00000A35000000000000000000000000000000000000002900000000kubeaudit-0.22.2/docs/auditors/rootfs.md# readOnlyRootFilesystem Auditor (rootfs) Finds containers which do not have a read-only filesystem. ## General Usage ``` kubeaudit rootfs [flags] ``` See [Global Flags](/README.md#global-flags) ## Examples ``` $ kubeaudit rootfs -f "auditors/rootfs/fixtures/read-only-root-filesystem-nil.yml" ---------------- Results for --------------- apiVersion: apps/v1 kind: StatefulSet metadata: name: statefulset namespace: read-only-root-filesystem-nil -------------------------------------------- -- [error] ReadOnlyRootFilesystemNil Message: readOnlyRootFilesystem is not set in container SecurityContext. It should be set to 'true'. Metadata: Container: container ``` ## Explanation If a container does not need to write files, it should be run with a read-only filesystem. To run a container with a read-only filesystem, `readOnlyRootFilesystem` should be set to `true` in the container SecurityContext. The field defaults to `false` so it must be explicitly set to `true` to pass the `rootfs` audit: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: spec: containers: - name: myContainer securityContext: readOnlyRootFilesystem: true ``` If a container needs to write files, an override label needs to be used so kubeaudit knows it is intentional. See [Override Errors](#override-errors). For more information on pod and container security contexts see https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## Override Errors First, see the [Introduction to Override Errors](/README.md#override-errors). Override identifier: `allow-read-only-root-filesystem-false` Container overrides have the form: ```yaml container.kubeaudit.io/[container name].allow-read-only-root-filesystem-false: "" ``` Pod overrides have the form: ```yaml kubeaudit.io/allow-read-only-root-filesystem-false: "" ``` Example of resource with `rootfs` overridden for a specific container: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: metadata: labels: container.kubeaudit.io/myContainer.allow-read-only-root-filesystem-false: "" spec: containers: - name: myContainer securityContext: readOnlyRootFilesystem: false ``` Example of resource with `rootfs` overridden for a whole pod: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: metadata: labels: kubeaudit.io/allow-read-only-root-filesystem-false: "" spec: containers: - name: myContainer securityContext: readOnlyRootFilesystem: false ``` 07070100000110000081A400000000000000000000000166C635DC00000846000000000000000000000000000000000000002A00000000kubeaudit-0.22.2/docs/auditors/seccomp.md# Seccomp Auditor (seccomp) Finds containers running without Seccomp. ## General Usage ``` kubeaudit seccomp [flags] ``` See [Global Flags](/README.md#global-flags) ## Examples ``` $ kubeaudit seccomp -f "auditors/seccomp/fixtures/seccomp-profile-missing.yml" ---------------- Results for --------------- apiVersion: v1 kind: Pod metadata: name: pod namespace: seccomp-profile-missing -------------------------------------------- -- [error] SeccompProfileMissing Message: Pod Seccomp profile is missing. Seccomp profile should be added to the pod SecurityContext. ``` ## Explanation Seccomp (Secure computing mode) is a Linux kernel feature. Seccomp is enabled by adding a seccomp profile to the security context. The seccomp profile can be either added to a pod security context, which enables seccomp for all containers within that pod, or a security context, which enables seccomp only for that container. The seccomp profile added to a pod security context has the following format: ``` spec: securityContext: seccompProfile: type: [seccomp profile] ``` The seccomp profile added to a container security context has the following format: ``` spec: containers: - name: [container name] image: [container image] securityContext: seccompProfile: type: [seccomp profile] ``` Ideally, the pod security context should be used. The value of the seccomp profile type can be set to either the default profile (`RuntimeDefault`) or a custom profile (`Localhost`). For `Localhost` type `localhostProfile: [profile file]` should be added. Example of a resource which passes the `seccomp` audit: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: spec: securityContext: seccompProfile: type: RuntimeDefault containers: - name: myContainer ``` To learn more about Seccomp, see https://en.wikipedia.org/wiki/Seccomp To learn more about Seccomp in Kubernetes, see https://kubernetes.io/docs/tutorials/security/seccomp/ ## Override Errors Overrides are not currently supported for `seccomp`. 07070100000111000081A400000000000000000000000166C635DC000013CC000000000000000000000000000000000000002100000000kubeaudit-0.22.2/docs/autofix.md# Autofix (autofix) Automatically fixes security issues. **Note**: `autofix` can only be used in manifest mode. ## General Usage ``` kubeaudit autofix -f [manifest] [flags] ``` ## Flags | Short | Long | Description | Default | | :------ | :--------- | :---------------------------------------- | :--------------------------------------- | | -o | --outfile | File to write fixed manifest to | | | -k | --kconfig | Path to kubeaudit config file | | Also see [Global Flags](/README.md#global-flags) ## Examples Consider this simple manifest file `manifest.yml`: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: spec: containers: - name: myContainer ``` The `autofix` command will make the manifest secure!: ``` kubeaudit autofix -f "manifest.yml" ``` Fixed manifest: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: spec: containers: - name: myContainer resources: {} securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false readOnlyRootFilesystem: true runAsNonRoot: true automountServiceAccountToken: false securityContext: seccompProfile: type: RuntimeDefault metadata: annotations: container.apparmor.security.beta.kubernetes.io/myContainer: runtime/default selector: null strategy: {} metadata: ``` ### Example with Multiple Resources The `autofix` command works on manifest files containing multiple resources: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: spec: containers: - name: myContainer --- apiVersion: v1 kind: Pod spec: containers: - name: myContainer2 image: polinux/stress ``` Fixed manifest: ```yaml apiVersion: apps/v1 kind: Deployment spec: template: spec: containers: - name: myContainer resources: {} securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false readOnlyRootFilesystem: true runAsNonRoot: true automountServiceAccountToken: false securityContext: seccompProfile: type: RuntimeDefault metadata: annotations: container.apparmor.security.beta.kubernetes.io/myContainer: runtime/default selector: null strategy: {} metadata: --- apiVersion: v1 kind: Pod spec: containers: - name: myContainer2 image: polinux/stress resources: {} securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false readOnlyRootFilesystem: true runAsNonRoot: true automountServiceAccountToken: false securityContext: seccompProfile: type: RuntimeDefault metadata: annotations: container.apparmor.security.beta.kubernetes.io/myContainer2: runtime/default ``` ### Example with Comments The `autofix` command supports comments! ```yaml # This is a sample Kubernetes config file # # Autofix supports comments! %YAML 1.1 %TAG ! !foo %TAG !yaml! tag:yaml.org,2002: --- apiVersion: apps/v1 kind: Deployment # PodSpec spec: # PodTemplate template: # ContainerSpec spec: containers: - name: myContainer # this is a sample container ``` Fixed manifest: ```yaml # This is a sample Kubernetes config file # # Autofix supports comments! %YAML 1.1 %TAG ! !foo %TAG !yaml! tag:yaml.org,2002: --- apiVersion: apps/v1 kind: Deployment # PodSpec spec: # PodTemplate template: # ContainerSpec spec: containers: - name: myContainer # this is a sample container resources: {} securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false readOnlyRootFilesystem: true runAsNonRoot: true automountServiceAccountToken: false securityContext: seccompProfile: type: RuntimeDefault metadata: annotations: container.apparmor.security.beta.kubernetes.io/myContainer: runtime/default selector: null strategy: {} metadata: ``` ### Example with Custom Output File To write the fixed manifest to a different file, use the `--outfile/-o` flag: ``` kubeaudit autofix -f "manifest.yml" -o "fixed.yaml" ``` ### Using Custom Rules with Kubeaudit Config File To fix a manifest based on custom rules specified on a kubeaudit config file (e.g disable some auditors), use the `-k/--kconfig` flag. ``` kubeaudit autofix -k "/path/to/kubeaudit-config.yml" -f "/path/to/manifest.yml" -o "/path/to/fixed" ``` Also see [Configuration File](/README.md#configuration-file) 07070100000112000081A400000000000000000000000166C635DC00001832000000000000000000000000000000000000002100000000kubeaudit-0.22.2/docs/cluster.md# Running kubeaudit in a Cluster Kubeaudit can be run in a Kubernetes cluster by using a Docker image. We no longer release images to Docker Hub (since Docker Hub sunset Free Team organizations). For the time being, [old images](https://hub.docker.com/r/shopify/kubeaudit) are still available but may stop being available at any time. We will start publishing images to the Github Container registry soon. ## Without RBAC Example Job configuration: ```yaml apiVersion: v1 kind: ServiceAccount metadata: name: kubeaudit namespace: default --- apiVersion: batch/v1 kind: Job metadata: name: kubeaudit namespace: default spec: template: metadata: annotations: container.apparmor.security.beta.kubernetes.io/kubeaudit: runtime/default spec: serviceAccountName: kubeaudit restartPolicy: OnFailure securityContext: seccompProfile: type: RuntimeDefault containers: - name: kubeaudit image: shopify/kubeaudit:v0.11 args: ["all", "--exitcode", "0"] securityContext: allowPrivilegeEscalation: false capabilities: drop: ["all"] privileged: false readOnlyRootFilesystem: true runAsNonRoot: true ``` ## With RBAC If RBAC is enabled on the cluster: ```yaml apiVersion: v1 kind: ServiceAccount metadata: name: kubeaudit namespace: default --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: kubeaudit rules: - apiGroups: [""] resources: - pods - podtemplates - replicationcontrollers - namespaces - serviceaccounts verbs: ["list"] - apiGroups: ["apps"] resources: - daemonsets - statefulsets - deployments verbs: ["list"] - apiGroups: ["batch"] resources: - cronjobs verbs: ["list"] - apiGroups: ["networking.k8s.io"] resources: - networkpolicies verbs: ["list"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: kubeaudit subjects: - kind: ServiceAccount name: kubeaudit namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kubeaudit --- apiVersion: batch/v1 kind: Job metadata: name: kubeaudit namespace: default spec: template: metadata: annotations: container.apparmor.security.beta.kubernetes.io/kubeaudit: runtime/default spec: serviceAccountName: kubeaudit restartPolicy: OnFailure securityContext: seccompProfile: type: RuntimeDefault containers: - name: kubeaudit image: shopify/kubeaudit:v0.11 args: ["all", "--exitcode", "0"] securityContext: allowPrivilegeEscalation: false capabilities: drop: ["all"] privileged: false readOnlyRootFilesystem: true runAsNonRoot: true ``` ## With RBAC and a Specific Namespace If you are running kubeaudit on a specific namespace and don't want to grant it cluster wide access, the binding can be made into a namespaced binding, but note that kubeaudit will still need to be able to list namespaces at the cluster level (as namespace resources don't have a namespaced scope). In the following example, the `kubeaudit` Job is created in the `kubeaudit` namespace and is assigned a ServiceAccount which can list namespaces at a cluster scope but can only list the other resources for the provided namespace. **Important**: Replace the two instances of `<TARGET_NAMESPACE>` with the namespace you want kubeaudit to audit: ```yaml # Optionally, run kubeaudit in its own namespace apiVersion: v1 kind: Namespace metadata: name: kubeaudit --- # Don't allow internet traffic in or out of the kubeaudit namespace apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny namespace: kubeaudit spec: policyTypes: - Ingress - Egress --- apiVersion: v1 kind: ServiceAccount metadata: name: kubeaudit namespace: kubeaudit --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: kubeaudit-namespaces rules: - apiGroups: [""] resources: - namespaces verbs: ["list"] --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: kubeaudit rules: - apiGroups: [""] resources: - pods - podtemplates - replicationcontrollers - serviceaccounts verbs: ["list"] - apiGroups: ["apps"] resources: - daemonsets - statefulsets - deployments verbs: ["list"] - apiGroups: ["batch"] resources: - cronjobs verbs: ["list"] - apiGroups: ["networking.k8s.io"] resources: - networkpolicies verbs: ["list"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: kubeaudit-namespaces subjects: - kind: ServiceAccount name: kubeaudit namespace: kubeaudit roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kubeaudit-namespaces --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: kubeaudit namespace: <TARGET_NAMESPACE> subjects: - kind: ServiceAccount name: kubeaudit namespace: kubeaudit roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kubeaudit --- apiVersion: batch/v1 kind: Job metadata: name: kubeaudit namespace: kubeaudit spec: template: metadata: annotations: container.apparmor.security.beta.kubernetes.io/kubeaudit: runtime/default spec: serviceAccountName: kubeaudit restartPolicy: OnFailure securityContext: seccompProfile: type: RuntimeDefault containers: - name: kubeaudit image: shopify/kubeaudit:v0.11 args: ["all", "--exitcode", "0", "--namespace", "<TARGET_NAMESPACE>"] securityContext: allowPrivilegeEscalation: false capabilities: drop: ["all"] privileged: false readOnlyRootFilesystem: true runAsNonRoot: true ``` 07070100000113000081A400000000000000000000000166C635DC000008EA000000000000000000000000000000000000002100000000kubeaudit-0.22.2/docs/release.md# How to Create a Kubeaudit Release 1. Make sure you're on main and have the latest changes. 2. Find the [latest release](https://github.com/Shopify/kubeaudit/releases). > We use [semver](https://semver.org/) versioning. In semver, version numbers have the format `v<MAJOR>.<MINOR>.<PATCH>`. However, because we still consider Kubeaudit to be in "alpha", the major number is always 0. This means that we do not maintain versions from before a breaking change, and updating to a new minor version may introduce a breaking change. If the changes since the most recent release are bug fixes only, bump the last number (the patch version). If any of the changes since the last release include a new feature or breaking change, bump the second number (the minor version) and set the last number to 0 (the patch version). For example, if the latest release is `v0.11.5` and there were only bug fixes merged to main since then, the next version number will be `v0.11.6`. If there were new features added or a breaking change was made, the next version would be `v0.12.0`. 3. Update the `VERSION` file if necessary. You'll have to open / merge a PR to do this. 4. Create a tag with the new version and push it up to Github: ``` git tag -a <VERSION> -m "<VERSION>" git push origin <VERSION> ``` For example: ``` git tag -a v0.11.6 -m "v0.11.6" git push origin v0.11.6 ``` 5. Once you push the tag, the release Github action will be triggered and generate a draft release in Github, allowing you to double check it and make changes to the Changelog. Find the [draft release](https://github.com/Shopify/kubeaudit/releases) and make sure there are no commits to main since the release. > If there are commits to main since the release, this may mean you didn't make the tag on main or your main is out of date. 6. Click `Edit` on the right of the draft release and tidy up the Changelog if necessary. We like to add thank you's to external contributors, for example: ``` 202e355 Fixed code quality issues using DeepSource (#315) - Thank you @withshubh for the contribution! ``` Optionally, you can click on "Generate release notes", which adds Markdown for all the merged pull requests from the diff and contributors of the release. 7. Click on `Publish release` at the bottom. 07070100000114000081A400000000000000000000000166C635DC00000B5D000000000000000000000000000000000000002800000000kubeaudit-0.22.2/example_custom_test.gopackage kubeaudit_test import ( "fmt" "strings" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/pkg/k8s" log "github.com/sirupsen/logrus" ) func NewCustomAuditor() kubeaudit.Auditable { return &myAuditor{} } // Your auditor must implement the Auditable interface, which requires only one method: Audit(). type myAuditor struct{} // The Audit function takes in a resource to audit and returns audit results for that resource. // // Params // resource: Read-only. The resource to audit. // resources: Read-only. A reference to all resources. Can be used for context though most auditors don't need this. // // Return // auditResults: The results for the audit. Each result can optionally include a PendingFix object to // define autofix behaviour (see below). func (a *myAuditor) Audit(resource k8s.Resource, _ []k8s.Resource) ([]*kubeaudit.AuditResult, error) { return []*kubeaudit.AuditResult{ { Auditor: "Awesome", Rule: "MyAudit", Severity: kubeaudit.Error, Message: "My custom error", PendingFix: &myAuditorFix{ newVal: "bye", }, }, }, nil } // To provide autofix behaviour for an audit result, implement the PendingFix interface. The PendingFix interface // has two methods: Plan() and Apply(). type myAuditorFix struct { newVal string } // The Plan method explains what fix will be applied by Apply(). // // Return // plan: A human-friendly explanation of what Apply() will do func (f *myAuditorFix) Plan() string { return fmt.Sprintf("Set label 'hi' to '%s'", f.newVal) } // The Apply method applies a fix to a resource. // // Params // resource: A reference to the resource that should be fixed. // // Return // newResources: New resources created as part of the fix. Generally, it should not be necessary to create // new resources, only modify the passed in resource. func (f *myAuditorFix) Apply(resource k8s.Resource) []k8s.Resource { setLabel(resource, "hi", f.newVal) return nil } // This is just a helper function func setLabel(resource k8s.Resource, key, value string) { switch kubeType := resource.(type) { case *k8s.PodV1: kubeType.Labels[key] = value case *k8s.DeploymentV1: kubeType.Labels[key] = value } } // A sample Kubernetes manifest file var manifest = ` apiVersion: apps/v1 kind: Deployment metadata: name: myAuditor spec: template: spec: containers: - name: myContainer ` // ExampleCustomAuditor shows how to use a custom auditor func Example_customAuditor() { // Initialize kubeaudit with your custom auditor auditor, err := kubeaudit.New([]kubeaudit.Auditable{NewCustomAuditor()}) if err != nil { log.Fatal(err) } // Run the audit in the mode of your choosing. Here we use manifest mode. report, err := auditor.AuditManifest("", strings.NewReader(manifest)) if err != nil { log.Fatal(err) } // Print the results to screen report.PrintResults() } 07070100000115000081A400000000000000000000000166C635DC000015C9000000000000000000000000000000000000002100000000kubeaudit-0.22.2/example_test.gopackage kubeaudit_test import ( "fmt" "os" "strings" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/auditors/all" "github.com/Shopify/kubeaudit/auditors/apparmor" "github.com/Shopify/kubeaudit/auditors/image" "github.com/Shopify/kubeaudit/config" "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus" ) // Example shows how to audit and fix a Kubernetes manifest file func Example() { // A sample Kubernetes manifest file manifest := ` apiVersion: apps/v1 kind: Deployment metadata: name: myAuditor spec: template: spec: containers: - name: myContainer ` // Initialize all the security auditors using default configuration allAuditors, err := all.Auditors(config.KubeauditConfig{}) if err != nil { log.Fatal(err) } // Initialize kubeaudit auditor, err := kubeaudit.New(allAuditors) if err != nil { log.Fatal(err) } // Run the audit in manifest mode report, err := auditor.AuditManifest("", strings.NewReader(manifest)) if err != nil { log.Fatal(err) } // Print the audit results to screen report.PrintResults() // Print the plan to screen. These are the steps that will be taken by calling "report.Fix()". fmt.Println("\nPlan:") report.PrintPlan(os.Stdout) // Print the fixed manifest to screen. Note that this leaves the original manifest unmodified. fmt.Println("\nFixed manifest:") err = report.Fix(os.Stdout) if err != nil { log.Fatal(err) } } // ExampleAuditLocal shows how to run kubeaudit in local mode func Example_auditLocal() { // Initialize all the security auditors using default configuration allAuditors, err := all.Auditors(config.KubeauditConfig{}) if err != nil { log.WithError(err).Fatal("Error initializing all auditors") } // Initialize kubeaudit auditor, err := kubeaudit.New(allAuditors) if err != nil { log.Fatal(err) } // Run the audit in local mode report, err := auditor.AuditLocal("", "", kubeaudit.AuditOptions{}) if err != nil { log.Fatal(err) } // Print the audit results to screen report.PrintResults() } // ExampleAuditCluster shows how to run kubeaudit in cluster mode (only works if kubeaudit is being run from a container insdie of a cluster) func Example_auditCluster() { // Initialize all the security auditors using default configuration allAuditors, err := all.Auditors(config.KubeauditConfig{}) if err != nil { log.Fatal(err) } // Initialize kubeaudit auditor, err := kubeaudit.New(allAuditors) if err != nil { log.Fatal(err) } // Run the audit in cluster mode. Note this will fail if kubeaudit is not running within a cluster. report, err := auditor.AuditCluster(kubeaudit.AuditOptions{}) if err != nil { log.Fatal(err) } // Print the audit results to screen report.PrintResults() } // ExampleAuditorSubset shows how to run kubeaudit with a subset of auditors func Example_auditorSubset() { // A sample Kubernetes manifest file manifest := ` apiVersion: apps/v1 kind: Deployment metadata: name: myAuditor spec: template: spec: containers: - name: myContainer ` // Initialize the auditors you want to use auditor, err := kubeaudit.New([]kubeaudit.Auditable{ apparmor.New(), image.New(image.Config{Image: "myimage:mytag"}), }) if err != nil { log.Fatal(err) } // Run the audit in the mode of your choosing. Here we use manifest mode. report, err := auditor.AuditManifest("", strings.NewReader(manifest)) if err != nil { log.Fatal(err) } // Print the audit results to screen report.PrintResults() } // ExampleConfig shows how to use a kubeaudit with a config file. // A kubeaudit config can be used to specify which security auditors to run, and to specify configuration // for those auditors. func Example_config() { configFile := "config/config.yaml" // A sample Kubernetes manifest file manifest := ` apiVersion: apps/v1 kind: Deployment metadata: name: myAuditor spec: template: spec: containers: - name: myContainer ` // Open the configuration file reader, err := os.Open(configFile) if err != nil { log.WithError(err).Fatal("Unable to open config file ", configFile) } // Load the config conf, err := config.New(reader) if err != nil { log.WithError(err).Fatal("Error parsing config file ", configFile) } // Initialize security auditors using the configuration auditors, err := all.Auditors(conf) if err != nil { log.Fatal(err) } // Initialize kubeaudit auditor, err := kubeaudit.New(auditors) if err != nil { log.Fatal(err) } // Run the audit in the mode of your choosing. Here we use manifest mode. report, err := auditor.AuditManifest("", strings.NewReader(manifest)) if err != nil { log.Fatal(err) } // Print the audit results to screen report.PrintResults() } // ExamplePrintOptions shows how to use different print options for printing audit results. func Example_printOptions() { auditor, err := kubeaudit.New([]kubeaudit.Auditable{apparmor.New()}) if err != nil { log.Fatal(err) } report, err := auditor.AuditLocal("", "", kubeaudit.AuditOptions{}) if err != nil { log.Fatal(err) } // Print the audit results to a file f, err := os.Create("output.txt") if err != nil { log.Fatal(err) } defer f.Close() defer os.Remove("output.txt") report.PrintResults(kubeaudit.WithWriter(f)) // Only print audit results with severity of Error (ignore info and warning) report.PrintResults(kubeaudit.WithMinSeverity(kubeaudit.Error)) // Print results as JSON report.PrintResults(kubeaudit.WithFormatter(&logrus.JSONFormatter{})) } 07070100000116000081A400000000000000000000000166C635DC00001105000000000000000000000000000000000000001800000000kubeaudit-0.22.2/fix.gopackage kubeaudit import ( "bytes" "github.com/Shopify/kubeaudit/internal/k8sinternal" "github.com/Shopify/kubeaudit/internal/yaml" "github.com/Shopify/kubeaudit/pkg/k8s" ) func fix(results []Result) ([]byte, error) { var outputBytes [][]byte var newResources []k8s.Resource if len(results) == 0 { return []byte{}, nil } // Fix all the resources for _, result := range results { for _, auditResult := range result.GetAuditResults() { newResources = append(newResources, auditResult.Fix(result.GetResource().Object())...) } } // Convert all the resources to bytes for _, result := range results { if result.GetResource().Object() == nil { outputBytes = append(outputBytes, result.GetResource().Bytes()) continue } fixedresourceBytes, err := resourceToBytes(result.GetResource().Object(), result.GetResource().Bytes()) if err != nil { return nil, err } outputBytes = append(outputBytes, fixedresourceBytes) } // Convert all the new resources to bytes for _, newResource := range newResources { fixedresourceBytes, err := resourceToBytes(newResource, nil) if err != nil { return nil, err } outputBytes = append(outputBytes, fixedresourceBytes) } fixedManifest := bytes.Join(outputBytes, []byte("---")) return fixedManifest, nil } func resourceToBytes(fixedResource k8s.Resource, origResourceBytes []byte) ([]byte, error) { fixedresourceBytes, err := k8sinternal.EncodeResource(fixedResource) if err != nil { return nil, err } if origResourceBytes == nil { // This is a new resource (not in the original manifest) // Add a leading newline fixedresourceBytes = append([]byte{'\n'}, fixedresourceBytes...) } else { fixedresourceBytes, err = yaml.Merge(origResourceBytes, fixedresourceBytes) if err != nil { return nil, err } // Add any leading and trailing whitespace that was present in the original fixedresourceBytes = bytes.Replace(origResourceBytes, bytes.TrimSpace(origResourceBytes), fixedresourceBytes, 1) // Remove the redundant trailing newline if fixedresourceBytes[len(fixedresourceBytes)-1] == '\n' { fixedresourceBytes = fixedresourceBytes[:len(fixedresourceBytes)-1] } } fixedresourceBytes, err = cleanupManifest(origResourceBytes, fixedresourceBytes) if err != nil { return nil, err } return fixedresourceBytes, nil } // TODO do this better?? func cleanupManifest(origData, finalData []byte) ([]byte, error) { objectMetacreationTs := []byte("\n creationTimestamp: null\n") specTemplatecreationTs := []byte("\n creationTimestamp: null\n") jobSpecTemplatecreationTs := []byte("\n creationTimestamp: null\n") nullStatus := []byte("\nstatus: {}\n") nullReplicaStatus := []byte("status:\n replicas: 0\n") nullLBStatus := []byte("status:\n loadBalancer: {}\n") nullMetaStatus := []byte("\n status: {}\n") var hasObjectMetacreationTs, hasSpecTemplatecreationTs, hasJobSpecTemplatecreationTs, hasNullStatus, hasNullReplicaStatus, hasNullLBStatus, hasNullMetaStatus bool if origData != nil { hasObjectMetacreationTs = bytes.Contains(origData, objectMetacreationTs) hasSpecTemplatecreationTs = bytes.Contains(origData, specTemplatecreationTs) hasJobSpecTemplatecreationTs = bytes.Contains(origData, jobSpecTemplatecreationTs) hasNullStatus = bytes.Contains(origData, nullStatus) hasNullReplicaStatus = bytes.Contains(origData, nullReplicaStatus) hasNullLBStatus = bytes.Contains(origData, nullLBStatus) hasNullMetaStatus = bytes.Contains(origData, nullMetaStatus) } // null value is false in case of origFile if !hasObjectMetacreationTs { finalData = bytes.Replace(finalData, objectMetacreationTs, []byte("\n"), -1) } if !hasSpecTemplatecreationTs { finalData = bytes.Replace(finalData, specTemplatecreationTs, []byte("\n"), -1) } if !hasJobSpecTemplatecreationTs { finalData = bytes.Replace(finalData, jobSpecTemplatecreationTs, []byte("\n"), -1) } if !hasNullStatus { finalData = bytes.Replace(finalData, nullStatus, []byte("\n"), -1) } if !hasNullReplicaStatus { finalData = bytes.Replace(finalData, nullReplicaStatus, []byte("\n"), -1) } if !hasNullLBStatus { finalData = bytes.Replace(finalData, nullLBStatus, []byte("\n"), -1) } if !hasNullMetaStatus { finalData = bytes.Replace(finalData, nullMetaStatus, []byte("\n"), -1) } return finalData, nil } 07070100000117000081A400000000000000000000000166C635DC0000052B000000000000000000000000000000000000001D00000000kubeaudit-0.22.2/fix_test.gopackage kubeaudit_test import ( "os" "path/filepath" "testing" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/auditors/all" "github.com/Shopify/kubeaudit/config" "github.com/Shopify/kubeaudit/internal/test" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) // Test that fixing all fixtures in auditors/* results in manifests that pass all audits func TestFix(t *testing.T) { auditorDirs, err := os.ReadDir("auditors") if !assert.Nil(t, err) { return } allAuditors, err := all.Auditors(config.KubeauditConfig{}) require.NoError(t, err) for _, auditorDir := range auditorDirs { if !auditorDir.IsDir() { continue } fixturesDirPath := filepath.Join("..", auditorDir.Name(), "fixtures") fixtureFiles, err := os.ReadDir(fixturesDirPath) if os.IsNotExist(err) { continue } if !assert.Nil(t, err) { return } for _, fixture := range fixtureFiles { t.Run(filepath.Join(fixturesDirPath, fixture.Name()), func(t *testing.T) { _, report := test.FixSetupMultiple(t, fixturesDirPath, fixture.Name(), allAuditors) for _, result := range report.Results() { for _, auditResult := range result.GetAuditResults() { if !assert.NotEqual(t, kubeaudit.Error, auditResult.Severity) { return } } } }) } } } 07070100000118000081A400000000000000000000000166C635DC00000CAB000000000000000000000000000000000000001800000000kubeaudit-0.22.2/go.modmodule github.com/Shopify/kubeaudit require ( github.com/jetstack/cert-manager v1.6.1 github.com/owenrumney/go-sarif/v2 v2.1.2 github.com/sirupsen/logrus v1.9.0 github.com/spf13/cobra v1.6.1 github.com/stretchr/testify v1.8.0 gopkg.in/yaml.v3 v3.0.1 k8s.io/api v0.24.3 k8s.io/apiextensions-apiserver v0.23.5 k8s.io/apimachinery v0.24.4 k8s.io/client-go v0.24.3 ) require ( cloud.google.com/go v0.99.0 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest/autorest v0.11.19 // indirect github.com/Azure/go-autorest/autorest/adal v0.9.14 // indirect github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect github.com/PuerkitoBio/purell v1.1.1 // indirect github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/emicklei/go-restful v2.9.5+incompatible // indirect github.com/evanphx/json-patch v4.12.0+incompatible // indirect github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect github.com/fsnotify/fsnotify v1.5.1 // indirect github.com/go-logr/logr v1.2.0 // indirect github.com/go-openapi/jsonpointer v0.19.5 // indirect github.com/go-openapi/jsonreference v0.19.5 // indirect github.com/go-openapi/swag v0.19.14 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/protobuf v1.5.2 // indirect github.com/google/gnostic v0.5.7-v3refs // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/imdario/mergo v0.3.12 // indirect github.com/inconshreveable/mousetrap v1.0.1 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/mailru/easyjson v0.7.6 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/stretchr/objx v0.4.0 // indirect golang.org/x/crypto v0.0.0-20220214200702-86341886e292 // indirect golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect golang.org/x/text v0.3.7 // indirect golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/protobuf v1.27.1 // indirect gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect k8s.io/klog/v2 v2.60.1 // indirect k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 // indirect k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect sigs.k8s.io/yaml v1.2.0 // indirect ) go 1.22.1 07070100000119000081A400000000000000000000000166C635DC00019259000000000000000000000000000000000000001800000000kubeaudit-0.22.2/go.sumcloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0= cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY= cloud.google.com/go v0.84.0/go.mod h1:RazrYuxIK6Kb7YrzzhPoLmCVzl7Sup4NrbKPg8KHSUM= cloud.google.com/go v0.87.0/go.mod h1:TpDYlFy7vuLzZMMZ+B6iRiELaY7z/gJPaqbMx6mlWcY= cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ= cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI= cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4= cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc= cloud.google.com/go v0.99.0 h1:y/cM2iqGgGi5D5DQZl6D9STN/3dR/Vx5Mp8s752oJTY= cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/Azure/go-ansiterm v0.0.0-20210608223527-2377c96fe795/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= github.com/Azure/go-autorest/autorest v0.11.19 h1:7/IqD2fEYVha1EPeaiytVKhzmPV223pfkRIQUGOK2IE= github.com/Azure/go-autorest/autorest v0.11.19/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= github.com/Azure/go-autorest/autorest/adal v0.9.14 h1:G8hexQdV5D4khOXrWG2YuLCFKhWYmWD8bHYaXN5ophk= github.com/Azure/go-autorest/autorest/adal v0.9.14/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= github.com/Azure/go-autorest/autorest/mocks v0.4.1 h1:K0laFcLE6VLTOwNgSxaGbUcLPuGXlNkbVvq4cW4nIHk= github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg= github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI= github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20210826220005-b48c857c3a0e/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY= github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84= github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM= github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo= github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA= github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emicklei/go-restful v2.9.5+incompatible h1:spTtZBk5DYEvbxMVutUuTyh1Ao2r4iyvLdACqsl/Ljk= github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/form3tech-oss/jwt-go v3.2.3+incompatible h1:7ZaBxOI7TMoYBfyA3cQHErNNyAWIKUMIwqxEtgHOs5c= github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fsnotify/fsnotify v1.5.1 h1:mZcQUHVQUQWoPXXtuf9yuEXKudkV2sx1E06UadKWpgI= github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU= github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg= github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v1.2.0 h1:QK40JKJyMdUDz+h+xvCsru/bJhvG0UxvePV0ufL/AcE= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/zapr v1.2.0/go.mod h1:Qa4Bsj2Vb+FAVeAKsLD8RLQ+YRJB8YDmOAKxaBQf7Ro= github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY= github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= github.com/go-openapi/jsonreference v0.19.5 h1:1WJP/wi4OjB4iV8KVbH73rQaoialJrqv8gitZLxGLtM= github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg= github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng= github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= github.com/google/cel-go v0.9.0/go.mod h1:U7ayypeSkw23szu4GaQTPJGx66c20mx8JklMSxrmI1w= github.com/google/cel-spec v0.6.0/go.mod h1:Nwjgxy5CbjlPrtCWjeDjUyKMl8w41YBYGjsyDdqk0xA= github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ= github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0= github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM= github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU= github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU= github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc= github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jetstack/cert-manager v1.6.1 h1:VME4bVID2gVTfebO5X4Nq9FvKvvi3+VLcA0mmtYlKuw= github.com/jetstack/cert-manager v1.6.1/go.mod h1:1nXjnzzsYcIFvl4eLTkVqpvh9NQogkCq4FaCmgvNDDY= github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0= github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA= github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= github.com/moby/term v0.0.0-20210610120745-9d4ed1856297/go.mod h1:vgPCkQMyxTZ7IDy8SXRufE172gr8+K/JE/7hHFxHW3A= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc= github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.15.0 h1:WjP/FQ/sk43MRmnEcT+MlDw2TFvkrXlprrPST/IudjU= github.com/onsi/gomega v1.15.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= github.com/owenrumney/go-sarif v1.1.1/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U= github.com/owenrumney/go-sarif/v2 v2.1.2 h1:PMDK7tXShJ9zsB7bfvlpADH5NEw1dfA9xwU8Xtdj73U= github.com/owenrumney/go-sarif/v2 v2.1.2/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= github.com/prometheus/common v0.28.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k= github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo= github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk= github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA= github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0 h1:M2gUjqZET1qApGOWNSnZ49BAIMX4F/1plDv3+l31EJ4= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4= github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4= go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ= go.etcd.io/etcd/client/v3 v3.5.0/go.mod h1:AIKXXVX/DQXtfTEqBryiLTUXwON+GuvO6Z7lLS/oTh0= go.etcd.io/etcd/pkg/v3 v3.5.0/go.mod h1:UzJGatBQ1lXChBkQF0AuAtkRQMYnHubxAEYIrC3MSsE= go.etcd.io/etcd/raft/v3 v3.5.0/go.mod h1:UFOHSIvO/nKwd4lhkwabrTD3cqW5yVyYYf/KlD00Szc= go.etcd.io/etcd/server/v3 v3.5.0/go.mod h1:3Ah5ruV+M+7RZr0+Y/5mNLwC+eQlni+mQmOVdCRJoS4= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0/go.mod h1:2AboqHi0CiIZU0qwhtUfCYD1GeUzvvIXWNkhDt7ZMG4= go.opentelemetry.io/otel v0.20.0/go.mod h1:Y3ugLH2oa81t5QO+Lty+zXf8zC9L26ax4Nzoxm/dooo= go.opentelemetry.io/otel/exporters/otlp v0.20.0/go.mod h1:YIieizyaN77rtLJra0buKiNBOm9XQfkPEKBeuhoMwAM= go.opentelemetry.io/otel/metric v0.20.0/go.mod h1:598I5tYlH1vzBjn+BTuhzTCSb/9debfNp6R3s7Pr1eU= go.opentelemetry.io/otel/oteltest v0.20.0/go.mod h1:L7bgKf9ZB7qCwT9Up7i9/pn0PWIa9FqQ2IQ8LoxiGnw= go.opentelemetry.io/otel/sdk v0.20.0/go.mod h1:g/IcepuwNsoiX5Byy2nNV0ySUF1em498m7hBWC279Yc= go.opentelemetry.io/otel/sdk/export/metric v0.20.0/go.mod h1:h7RBNMsDJ5pmI1zExLi+bJK+Dr8NQCh0qGhm1KDnNlE= go.opentelemetry.io/otel/sdk/metric v0.20.0/go.mod h1:knxiS8Xd4E/N+ZqKmUPf3gTTZ4/0TjTXukfxjzSTpHE= go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16gUEi0Nf1iBdgw= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220214200702-86341886e292 h1:f+lwQ+GtmgoY+A2YaQxlSOnDjXcQ7ZRLWOHbC6HtRqE= golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd h1:O7DYs+zxREGLKzKoMQrtrEacpb0ZVXA5rIwylE2Xchk= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 h1:RerP+noqYHUQ8CMRcPlC2nvTa4dcBIjegkuWdcUDuqg= golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44= golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.6-0.20210820212750-d4cc65f0b2ff/go.mod h1:YD9qOF0M9xpSpdWTBbzEl5e/RnCefISl8E5Noe10jFM= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= google.golang.org/api v0.44.0/go.mod h1:EBOGZqzyhtvMDoxwS97ctnh0zUmYY6CxqXsc1AvkYD8= google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo= google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4= google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw= google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU= google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k= google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI= google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201102152239-715cce707fb0/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= google.golang.org/genproto v0.0.0-20210604141403-392c879c8b08/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= google.golang.org/genproto v0.0.0-20210608205507-b6d2f5bf0d7d/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= google.golang.org/genproto v0.0.0-20210624195500-8bfb893ecb84/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24= google.golang.org/genproto v0.0.0-20210713002101-d411969a0d9a/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= google.golang.org/genproto v0.0.0-20210716133855-ce7ef5c701ea/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w= google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+RurQ= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= k8s.io/api v0.23.5/go.mod h1:Na4XuKng8PXJ2JsploYYrivXrINeTaycCGcYgF91Xm8= k8s.io/api v0.24.3 h1:tt55QEmKd6L2k5DP6G/ZzdMQKvG5ro4H4teClqm0sTY= k8s.io/api v0.24.3/go.mod h1:elGR/XSZrS7z7cSZPzVWaycpJuGIw57j9b95/1PdJNI= k8s.io/apiextensions-apiserver v0.23.5 h1:5SKzdXyvIJKu+zbfPc3kCbWpbxi+O+zdmAJBm26UJqI= k8s.io/apiextensions-apiserver v0.23.5/go.mod h1:ntcPWNXS8ZPKN+zTXuzYMeg731CP0heCTl6gYBxLcuQ= k8s.io/apimachinery v0.23.5/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM= k8s.io/apimachinery v0.24.3/go.mod h1:82Bi4sCzVBdpYjyI4jY6aHX+YCUchUIrZrXKedjd2UM= k8s.io/apimachinery v0.24.4 h1:S0Ur3J/PbivTcL43EdSdPhqCqKla2NIuneNwZcTDeGQ= k8s.io/apimachinery v0.24.4/go.mod h1:82Bi4sCzVBdpYjyI4jY6aHX+YCUchUIrZrXKedjd2UM= k8s.io/apiserver v0.23.5/go.mod h1:7wvMtGJ42VRxzgVI7jkbKvMbuCbVbgsWFT7RyXiRNTw= k8s.io/client-go v0.23.5/go.mod h1:flkeinTO1CirYgzMPRWxUCnV0G4Fbu2vLhYCObnt/r4= k8s.io/client-go v0.24.3 h1:Nl1840+6p4JqkFWEW2LnMKU667BUxw03REfLAVhuKQY= k8s.io/client-go v0.24.3/go.mod h1:AAovolf5Z9bY1wIg2FZ8LPQlEdKHjLI7ZD4rw920BJw= k8s.io/code-generator v0.23.5/go.mod h1:S0Q1JVA+kSzTI1oUvbKAxZY/DYbA/ZUb4Uknog12ETk= k8s.io/component-base v0.23.5/go.mod h1:c5Nq44KZyt1aLl0IpHX82fhsn84Sb0jjzwjpcA42bY0= k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/klog/v2 v2.60.1 h1:VW25q3bZx9uE3vvdL6M8ezOX79vA2Aq1nEWLqNQclHc= k8s.io/klog/v2 v2.60.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65/go.mod h1:sX9MT8g7NVZM5lVL/j8QyCCJe8YSMW30QvGZWaCIDIk= k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 h1:Gii5eqf+GmIEwGNKQYQClCayuJCe2/4fZUvF7VG99sU= k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42/go.mod h1:Z/45zLw8lUo4wdiUkI+v/ImEGAvu3WatcZl3lPMR4Rk= k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 h1:HNSDgDCrr/6Ly3WEGKZftiE7IY19Vz2GdbOCyI4qqhc= k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.30/go.mod h1:fEO7lRTdivWO2qYVCVG7dEADOMo/MLDCVr8So2g88Uw= sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs= sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 h1:kDi4JBNAsJWfz1aEXhO8Jg87JJaPNLh5tIzYHgStQ9Y= sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY= sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/structured-merge-diff/v4 v4.2.1 h1:bKCqE9GvQ5tiVHn5rfn1r+yao3aLQEaLzkkmAkf+A6Y= sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= 0707010000011A000081A400000000000000000000000166C635DC000003D0000000000000000000000000000000000000002700000000kubeaudit-0.22.2/goreleaser.DockerfileFROM golang:1.22.1 AS builder # no need to include cgo bindings ENV CGO_ENABLED=0 GOOS=linux GOARCH=amd64 # add ca certificates and timezone data files # hadolint ignore=DL3008 RUN apt-get install --yes --no-install-recommends ca-certificates tzdata # add unprivileged user RUN adduser --shell /bin/true --uid 1000 --disabled-login --no-create-home --gecos '' app \ && sed -i -r "/^(app|root)/!d" /etc/group /etc/passwd \ && sed -i -r 's#^(.*):[^:]*$#\1:/sbin/nologin#' /etc/passwd # # --- # # start with empty image FROM scratch # add-in our timezone data file COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo # add-in our unprivileged user COPY --from=builder /etc/passwd /etc/group /etc/shadow /etc/ # add-in our ca certificates COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ # add-in our application COPY kubeaudit / # from now on, run as the unprivileged user USER 1000 # entrypoint ENTRYPOINT ["/kubeaudit"] CMD ["all"] 0707010000011B000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000001A00000000kubeaudit-0.22.2/internal0707010000011C000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002000000000kubeaudit-0.22.2/internal/color0707010000011D000081A400000000000000000000000166C635DC00000420000000000000000000000000000000000000002900000000kubeaudit-0.22.2/internal/color/color.gopackage color import "runtime" var Reset = "\033[0m" var RedColor = "\033[31m" var GreenColor = "\033[32m" var YellowColor = "\033[33m" var BlueColor = "\033[34m" var PurpleColor = "\033[35m" var CyanColor = "\033[36m" var GrayColor = "\033[37m" var WhiteColor = "\033[97m" func Red(s string) string { return Colored(RedColor, s) } func Green(s string) string { return Colored(GreenColor, s) } func Yellow(s string) string { return Colored(YellowColor, s) } func Blue(s string) string { return Colored(BlueColor, s) } func Purple(s string) string { return Colored(PurpleColor, s) } func Cyan(s string) string { return Colored(CyanColor, s) } func Gray(s string) string { return Colored(GrayColor, s) } func White(s string) string { return Colored(WhiteColor, s) } func Colored(color, s string) string { return color + s + Reset } func init() { if runtime.GOOS == "windows" { Reset = "" RedColor = "" GreenColor = "" YellowColor = "" BlueColor = "" PurpleColor = "" CyanColor = "" GrayColor = "" WhiteColor = "" } } 0707010000011E000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002600000000kubeaudit-0.22.2/internal/k8sinternal0707010000011F000081A400000000000000000000000166C635DC00001C1F000000000000000000000000000000000000003000000000kubeaudit-0.22.2/internal/k8sinternal/client.gopackage k8sinternal import ( "context" "errors" "os" "github.com/Shopify/kubeaudit/pkg/k8s" log "github.com/sirupsen/logrus" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" runtime "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/version" "k8s.io/client-go/discovery" "k8s.io/client-go/dynamic" "k8s.io/client-go/rest" "k8s.io/client-go/tools/clientcmd" clientcmdapi "k8s.io/client-go/tools/clientcmd/api" // add authentication support to the kubernetes code _ "k8s.io/client-go/plugin/pkg/client/auth/azure" _ "k8s.io/client-go/plugin/pkg/client/auth/exec" _ "k8s.io/client-go/plugin/pkg/client/auth/gcp" _ "k8s.io/client-go/plugin/pkg/client/auth/oidc" _ "k8s.io/client-go/plugin/pkg/client/auth/openstack" ) // ErrNoReadableKubeConfig represents any error that prevents the client from opening a kubeconfig file. var ErrNoReadableKubeConfig = errors.New("unable to open kubeconfig file") var DefaultClient = k8sClient{} // Client abstracts the API to allow testing. type Client interface { InClusterConfig() (*rest.Config, error) } // k8sClient wraps kubernetes client-go so it can be mocked. type k8sClient struct{} // InClusterConfig wraps the client-go method with the same name. func (kc k8sClient) InClusterConfig() (*rest.Config, error) { return rest.InClusterConfig() } // NewKubeClientLocal creates a new kube client for local mode func NewKubeClientLocal(configPath string, context string) (KubeClient, error) { var kubeconfig *rest.Config var err error if configPath == "" { kubeconfig, err = clientcmd.NewNonInteractiveDeferredLoadingClientConfig( clientcmd.NewDefaultClientConfigLoadingRules(), &clientcmd.ConfigOverrides{CurrentContext: context, ClusterInfo: clientcmdapi.Cluster{Server: ""}}, ).ClientConfig() } else { if _, err = os.Stat(configPath); err != nil { return nil, ErrNoReadableKubeConfig } kubeconfig, err = clientcmd.BuildConfigFromFlags("", configPath) } if err != nil { return nil, err } // Ignore warnings from kubeclient as they are expected to be reported by the deprecatedapi auditor. kubeconfig.WarningHandler = rest.NoWarnings{} return newKubeClientFromConfig(kubeconfig) } // NewKubeClientCluster creates a new kube client for cluster mode func NewKubeClientCluster(client Client) (KubeClient, error) { config, err := client.InClusterConfig() if err != nil { return nil, err } log.Info("Running inside cluster, using the cluster config") return newKubeClientFromConfig(config) } // newKubeClientFromConfig creates a new dynamic client with discovery or returns an error. func newKubeClientFromConfig(config *rest.Config) (KubeClient, error) { discovery, err := discovery.NewDiscoveryClientForConfig(config) if err != nil { return nil, err } dynamic, err := dynamic.NewForConfig(config) if err != nil { return nil, err } return NewKubeClient(dynamic, discovery), nil } // IsRunningInCluster returns true if kubeaudit is running inside a cluster func IsRunningInCluster(client Client) bool { _, err := client.InClusterConfig() return err == nil } type ClientOptions struct { // Namespace filters resources by namespace. Defaults to all namespaces. Namespace string // IncludeGenerated is a boolean option to include generated resources. IncludeGenerated bool } type KubeClient interface { // GetAllResources gets all supported resources from the cluster GetAllResources(options ClientOptions) ([]k8s.Resource, error) // GetKubernetesVersion returns the kubernetes client version GetKubernetesVersion() (*version.Info, error) // ServerPreferredResources returns the supported resources with the version preferred by the server. ServerPreferredResources() ([]*metav1.APIResourceList, error) } type kubeClient struct { dynamicClient dynamic.Interface discoveryClient discovery.DiscoveryInterface } func NewKubeClient(dynamic dynamic.Interface, discovery discovery.DiscoveryInterface) KubeClient { return &kubeClient{dynamicClient: dynamic, discoveryClient: discovery} } // GetAllResources gets all supported resources from the cluster func (kc kubeClient) GetAllResources(options ClientOptions) ([]k8s.Resource, error) { var resources []k8s.Resource lists, err := kc.ServerPreferredResources() if err != nil { return nil, err } for _, list := range lists { if list == nil || len(list.APIResources) == 0 { continue } gv, err := schema.ParseGroupVersion(list.GroupVersion) if err != nil { continue } for _, apiresource := range list.APIResources { if len(apiresource.Verbs) == 0 { continue } gvr := schema.GroupVersionResource{Group: gv.Group, Version: gv.Version, Resource: apiresource.Name} // Namespace has to be included as a resource to audit if it is specified. if apiresource.Name == "namespaces" && options.Namespace != "" { unstructured, err := kc.dynamicClient.Resource(gvr).Get(context.Background(), options.Namespace, metav1.GetOptions{}) if err == nil { r, err := unstructuredToObject(unstructured) if err == nil { resources = append(resources, r) } } } else { unstructuredList, err := kc.dynamicClient.Resource(gvr).Namespace(options.Namespace).List(context.Background(), metav1.ListOptions{}) if err == nil { for _, unstructured := range unstructuredList.Items { r, err := unstructuredToObject(&unstructured) if err == nil { resources = append(resources, r) } } } } } } if !options.IncludeGenerated { resources = excludeGenerated(resources) } return resources, nil } // unstructuredToObject unstructured to Go typed object conversions func unstructuredToObject(unstructured *unstructured.Unstructured) (k8s.Resource, error) { obj, err := scheme.New(unstructured.GroupVersionKind()) if err == nil { err = runtime.DefaultUnstructuredConverter.FromUnstructured(unstructured.UnstructuredContent(), obj) } return obj, err } // excludeGenerated filters out generated resources (eg. pods generated by deployments) func excludeGenerated(resources []k8s.Resource) []k8s.Resource { var filteredResources []k8s.Resource for _, resource := range resources { if resource != nil { obj, _ := resource.(metav1.ObjectMetaAccessor) if obj != nil { meta := obj.GetObjectMeta() if meta != nil { if len(meta.GetOwnerReferences()) == 0 { filteredResources = append(filteredResources, resource) } } } } } return filteredResources } // GetKubernetesVersion returns the kubernetes client version func (kc kubeClient) GetKubernetesVersion() (*version.Info, error) { return kc.discoveryClient.ServerVersion() } // ServerPreferredResources returns the supported resources with the version preferred by the server. func (kc kubeClient) ServerPreferredResources() ([]*metav1.APIResourceList, error) { list, err := discovery.ServerPreferredResources(kc.discoveryClient) // If a group is not served by the cluster the resources of this group will not be audited. var e *discovery.ErrGroupDiscoveryFailed if errors.As(err, &e) { return list, nil } return list, err } 07070100000120000081A400000000000000000000000166C635DC00001CDF000000000000000000000000000000000000003500000000kubeaudit-0.22.2/internal/k8sinternal/client_test.gopackage k8sinternal_test import ( "errors" "testing" "github.com/Shopify/kubeaudit/internal/k8sinternal" "github.com/Shopify/kubeaudit/internal/test" "github.com/Shopify/kubeaudit/pkg/k8s" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/mock" "github.com/stretchr/testify/require" "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" runtime "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/version" fakediscovery "k8s.io/client-go/discovery/fake" fakedynamic "k8s.io/client-go/dynamic/fake" fakeclientset "k8s.io/client-go/kubernetes/fake" _ "k8s.io/client-go/plugin/pkg/client/auth/azure" // auth for AKS clusters _ "k8s.io/client-go/plugin/pkg/client/auth/gcp" // auth for GKE clusters _ "k8s.io/client-go/plugin/pkg/client/auth/oidc" // auth for OIDC "k8s.io/client-go/rest" ) type MockK8sClient struct { mock.Mock } func (kc *MockK8sClient) InClusterConfig() (*rest.Config, error) { args := kc.Called() return args.Get(0).(*rest.Config), args.Error(1) } func TestKubeClientConfigLocal(t *testing.T) { assert := assert.New(t) _, err := k8sinternal.NewKubeClientLocal("/notarealfile", "") assert.Equal(k8sinternal.ErrNoReadableKubeConfig, err) _, err = k8sinternal.NewKubeClientLocal("client.go", "") assert.NotEqual(k8sinternal.ErrNoReadableKubeConfig, err) assert.NotNil(err) } func TestKubeClientConfigCluster(t *testing.T) { assert := assert.New(t) client := &MockK8sClient{} var config *rest.Config = nil client.On("InClusterConfig").Return(config, errors.New("mock error")) kubeclient, err := k8sinternal.NewKubeClientCluster(client) assert.Nil(kubeclient) assert.NotNil(err) client = &MockK8sClient{} client.On("InClusterConfig").Return(&rest.Config{}, nil) kubeclient, err = k8sinternal.NewKubeClientCluster(client) assert.NotNil(kubeclient) assert.NoError(err) } func TestIsRunningInCluster(t *testing.T) { assert := assert.New(t) client := &MockK8sClient{} var config *rest.Config = nil client.On("InClusterConfig").Return(config, errors.New("mock error")) assert.False(k8sinternal.IsRunningInCluster(client)) client = &MockK8sClient{} client.On("InClusterConfig").Return(&rest.Config{}, nil) assert.True(k8sinternal.IsRunningInCluster(client)) } func TestGetAllResources(t *testing.T) { resourceTemplates := []k8s.Resource{ k8s.NewDeployment(), k8s.NewPod(), k8s.NewNamespace(), k8s.NewDaemonSet(), k8s.NewNetworkPolicy(), k8s.NewReplicationController(), k8s.NewStatefulSet(), k8s.NewPodTemplate(), k8s.NewCronJob(), k8s.NewServiceAccount(), k8s.NewService(), k8s.NewJob(), } namespaces := []string{"foo", "bar"} resources := make([]runtime.Object, 0, len(resourceTemplates)*len(namespaces)) for _, template := range resourceTemplates { for _, namespace := range namespaces { resource := template.DeepCopyObject() setNamespace(resource, namespace) resources = append(resources, resource) } } client := newFakeKubeClient(resources...) k8sresources, err := client.GetAllResources(k8sinternal.ClientOptions{}) require.NoError(t, err) assert.Len(t, k8sresources, len(resourceTemplates)*len(namespaces)) k8sresources, err = client.GetAllResources(k8sinternal.ClientOptions{Namespace: namespaces[0]}) require.NoError(t, err) assert.Len(t, k8sresources, len(resourceTemplates)) } func setNamespace(resource k8s.Resource, namespace string) { if _, ok := resource.(*k8s.NamespaceV1); ok { k8s.GetObjectMeta(resource).SetName(namespace) } else { k8s.GetObjectMeta(resource).SetNamespace(namespace) } } func TestGetKubernetesVersion(t *testing.T) { serverVersion := &version.Info{ Major: "0", Minor: "0", GitCommit: "0000", Platform: "ACME 8-bit", } client := newFakeKubeClientWithServerVersion(serverVersion) r, err := client.GetKubernetesVersion() assert.Nil(t, err) assert.EqualValues(t, *serverVersion, *r) } func TestIncludeGenerated(t *testing.T) { // The "IncludeGenerated" option only applies to local and cluster mode if !test.UseKind() { return } namespace := "include-generated" defer test.DeleteNamespace(t, namespace) test.CreateNamespace(t, namespace) test.ApplyManifest(t, "./fixtures/include-generated.yml", namespace) client, err := k8sinternal.NewKubeClientLocal("", "") require.NoError(t, err) // Test IncludeGenerated = false resources, err := client.GetAllResources( k8sinternal.ClientOptions{Namespace: namespace, IncludeGenerated: false}, ) require.NoError(t, err) assert.False(t, hasPod(resources), "Expected no pods for IncludeGenerated=false") // Test IncludeGenerated unspecified defaults to false resources, err = client.GetAllResources( k8sinternal.ClientOptions{Namespace: namespace}, ) require.NoError(t, err) assert.False(t, hasPod(resources), "Expected no pods if IncludeGenerated is unspecified (ie. default to false)") // Test IncludeGenerated = true resources, err = client.GetAllResources( k8sinternal.ClientOptions{Namespace: namespace, IncludeGenerated: true}, ) require.NoError(t, err) assert.True(t, hasPod(resources), "Expected pods for IncludeGenerated=true") } func hasPod(resources []k8s.Resource) bool { for _, resource := range resources { if k8s.IsPodV1(resource) { return true } } return false } func newFakeKubeClient(resources ...runtime.Object) k8sinternal.KubeClient { return newFakeKubeClientWithServerVersion(nil, resources...) } func newFakeKubeClientWithServerVersion(serverversion *version.Info, resources ...runtime.Object) k8sinternal.KubeClient { clientset := fakeclientset.NewSimpleClientset() fakeDiscovery, _ := clientset.Discovery().(*fakediscovery.FakeDiscovery) if serverversion != nil { fakeDiscovery.FakedServerVersion = serverversion } unstructuredresources := []runtime.Object{} gvrToListKind := map[schema.GroupVersionResource]string{} gvAPIResources := map[string][]metav1.APIResource{} for _, r := range resources { gvk := r.GetObjectKind().GroupVersionKind() listGVK := gvk listGVK.Kind += "List" u := unstructured.Unstructured{} u.SetGroupVersionKind(r.GetObjectKind().GroupVersionKind()) u.SetName(k8s.GetObjectMeta(r).GetName()) u.SetNamespace(k8s.GetObjectMeta(r).GetNamespace()) unstructuredresources = (append(unstructuredresources, &u)) kind := r.GetObjectKind().GroupVersionKind().Kind plural, _ := meta.UnsafeGuessKindToResource(r.GetObjectKind().GroupVersionKind()) apiresource := metav1.APIResource{Name: plural.Resource, Namespaced: false, Group: gvk.Group, Version: gvk.Version, Kind: kind, Verbs: metav1.Verbs{"list"}} gvr := schema.GroupVersionResource{Group: apiresource.Group, Version: apiresource.Version, Resource: apiresource.Name} if _, ok := gvrToListKind[gvr]; !ok { gvrToListKind[gvr] = kind + "List" gv := gvk.GroupVersion().String() gvAPIResources[gv] = append(gvAPIResources[gv], apiresource) } } for gv, apiresources := range gvAPIResources { fakeDiscovery.Resources = append(fakeDiscovery.Resources, &metav1.APIResourceList{ GroupVersion: gv, APIResources: apiresources}) } fakedynamic := fakedynamic.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, unstructuredresources...) return k8sinternal.NewKubeClient(fakedynamic, fakeDiscovery) } 07070100000121000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002F00000000kubeaudit-0.22.2/internal/k8sinternal/fixtures07070100000122000081A400000000000000000000000166C635DC0000010C000000000000000000000000000000000000004500000000kubeaudit-0.22.2/internal/k8sinternal/fixtures/include-generated.ymlapiVersion: apps/v1 kind: Deployment metadata: name: deployment spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment spec: containers: - name: container image: scratch 07070100000123000081A400000000000000000000000166C635DC00000107000000000000000000000000000000000000004600000000kubeaudit-0.22.2/internal/k8sinternal/fixtures/test-encode-decode.ymlapiVersion: apps/v1 kind: Deployment metadata: creationTimestamp: null namespace: foo spec: selector: null strategy: {} template: metadata: creationTimestamp: null spec: containers: - name: bar resources: {} status: {} 07070100000124000081A400000000000000000000000166C635DC000002DC000000000000000000000000000000000000003100000000kubeaudit-0.22.2/internal/k8sinternal/runtime.gopackage k8sinternal import ( "github.com/Shopify/kubeaudit/pkg/k8s" k8sRuntime "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" ) func DecodeResource(b []byte) (k8s.Resource, error) { decoder := codecs.UniversalDeserializer() return k8sRuntime.Decode(decoder, b) } func EncodeResource(resource k8s.Resource) ([]byte, error) { info, _ := k8sRuntime.SerializerInfoForMediaType(codecs.SupportedMediaTypes(), "application/yaml") groupVersion := schema.GroupVersion{Group: resource.GetObjectKind().GroupVersionKind().Group, Version: resource.GetObjectKind().GroupVersionKind().Version} encoder := codecs.EncoderForVersion(info.Serializer, groupVersion) return k8sRuntime.Encode(encoder, resource) } 07070100000125000081A400000000000000000000000166C635DC00000EB7000000000000000000000000000000000000003600000000kubeaudit-0.22.2/internal/k8sinternal/runtime_test.gopackage k8sinternal_test import ( "bytes" "os" "path" "testing" "github.com/Shopify/kubeaudit/internal/k8sinternal" "github.com/Shopify/kubeaudit/internal/test" "github.com/Shopify/kubeaudit/pkg/k8s" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) func TestNewTrue(t *testing.T) { assert.True(t, *k8s.NewTrue()) } func TestNewFalse(t *testing.T) { assert.False(t, *k8s.NewFalse()) } func TestEncodeDecode(t *testing.T) { assert := assert.New(t) require := require.New(t) deployment := k8s.NewDeployment() deployment.ObjectMeta = k8s.ObjectMetaV1{Namespace: "foo"} deployment.Spec.Template.Spec.Containers = []k8s.ContainerV1{{Name: "bar"}} expectedManifest, err := os.ReadFile("fixtures/test-encode-decode.yml") require.NoError(err) encoded, err := k8sinternal.EncodeResource(deployment) require.NoError(err) assert.Equal(string(expectedManifest), string(encoded)) decoded, err := k8sinternal.DecodeResource(expectedManifest) require.NoError(err) assert.Equal(deployment, decoded) } func TestGetContainers(t *testing.T) { for _, resource := range getAllResources(t) { containers := k8s.GetContainers(resource) switch resource.(type) { case *k8s.NamespaceV1: assert.Nil(t, containers) default: assert.NotEmpty(t, containers) } } } func TestGetAnnotations(t *testing.T) { annotations := map[string]string{"foo": "bar"} deployment := k8s.NewDeployment() deployment.Spec.Template.ObjectMeta.SetAnnotations(annotations) assert.Equal(t, annotations, k8s.GetAnnotations(deployment)) } func TestGetLabels(t *testing.T) { labels := map[string]string{"foo": "bar"} deployment := k8s.NewDeployment() deployment.Spec.Template.ObjectMeta.SetLabels(labels) assert.Equal(t, labels, k8s.GetLabels(deployment)) } func TestGetObjectMeta(t *testing.T) { assert := assert.New(t) objectMeta := k8s.ObjectMetaV1{Name: "foo"} podObjectMeta := k8s.ObjectMetaV1{Name: "bar"} deployment := k8s.NewDeployment() deployment.ObjectMeta = objectMeta deployment.Spec.Template.ObjectMeta = podObjectMeta assert.Equal(&objectMeta, k8s.GetObjectMeta(deployment)) assert.Equal(&podObjectMeta, k8s.GetPodObjectMeta(deployment)) pod := k8s.NewPod() pod.ObjectMeta = objectMeta assert.Equal(&objectMeta, k8s.GetObjectMeta(pod)) assert.Equal(&objectMeta, k8s.GetPodObjectMeta(pod)) namespace := k8s.NewNamespace() namespace.ObjectMeta = objectMeta assert.Equal(&objectMeta, k8s.GetObjectMeta(namespace)) assert.Equal(&objectMeta, k8s.GetPodObjectMeta(namespace)) } func TestGetPodTemplateSpec(t *testing.T) { for _, resource := range getAllResources(t) { podTemplateSpec := k8s.GetPodTemplateSpec(resource) switch resource.(type) { case *k8s.PodV1, *k8s.NamespaceV1: assert.Nil(t, podTemplateSpec) default: assert.NotNil(t, podTemplateSpec) } } } func TestUnsupportedResource(t *testing.T) { unsupported := &k8s.UnsupportedType{} assert.Nil(t, k8s.GetAnnotations(unsupported)) assert.Nil(t, k8s.GetLabels(unsupported)) assert.Nil(t, k8s.GetContainers(unsupported)) } func getAllResources(t *testing.T) (resources []k8s.Resource) { fixtureDir := "../test/fixtures/all_resources" for _, fixture := range test.GetAllFileNames(t, fixtureDir) { resources = append(resources, getResourcesFromManifest(t, path.Join(fixtureDir, fixture))...) } return } func getResourcesFromManifest(t *testing.T, manifest string) (resources []k8s.Resource) { assert := assert.New(t) data, err := os.ReadFile(manifest) require.NoError(t, err) bufSlice := bytes.Split(data, []byte("---")) for _, b := range bufSlice { resource, err := k8sinternal.DecodeResource(b) if err != nil { continue } assert.NotNil(resource) resources = append(resources, resource) } return } 07070100000126000081A400000000000000000000000166C635DC000003F8000000000000000000000000000000000000003000000000kubeaudit-0.22.2/internal/k8sinternal/scheme.gopackage k8sinternal import ( certmanagerv1alpha2 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2" apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" serializer "k8s.io/apimachinery/pkg/runtime/serializer" utilruntime "k8s.io/apimachinery/pkg/util/runtime" kubescheme "k8s.io/client-go/kubernetes/scheme" ) var scheme = kubescheme.Scheme var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ certmanagerv1alpha2.AddToScheme, apiextensionsv1.AddToScheme, apiextensionsv1beta1.AddToScheme, } // AddToScheme adds localScheme to Scheme var addToScheme = localSchemeBuilder.AddToScheme func init() { v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"}) utilruntime.Must(addToScheme(scheme)) } 07070100000127000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002000000000kubeaudit-0.22.2/internal/sarif07070100000128000081A400000000000000000000000166C635DC000007C8000000000000000000000000000000000000002900000000kubeaudit-0.22.2/internal/sarif/rules.gopackage sarif import ( "github.com/Shopify/kubeaudit/auditors/apparmor" "github.com/Shopify/kubeaudit/auditors/asat" "github.com/Shopify/kubeaudit/auditors/capabilities" "github.com/Shopify/kubeaudit/auditors/deprecatedapis" "github.com/Shopify/kubeaudit/auditors/hostns" "github.com/Shopify/kubeaudit/auditors/image" "github.com/Shopify/kubeaudit/auditors/limits" "github.com/Shopify/kubeaudit/auditors/mounts" "github.com/Shopify/kubeaudit/auditors/netpols" "github.com/Shopify/kubeaudit/auditors/nonroot" "github.com/Shopify/kubeaudit/auditors/privesc" "github.com/Shopify/kubeaudit/auditors/privileged" "github.com/Shopify/kubeaudit/auditors/rootfs" "github.com/Shopify/kubeaudit/auditors/seccomp" ) var allAuditors = map[string]string{ apparmor.Name: "Finds containers that do not have AppArmor enabled", asat.Name: "Finds containers where the deprecated SA field is used or with a mounted default SA", capabilities.Name: "Finds containers that do not drop the recommended capabilities or add new ones", deprecatedapis.Name: "Finds any resource defined with a deprecated API version", hostns.Name: "Finds containers that have HostPID, HostIPC or HostNetwork enabled", image.Name: "Finds containers which do not use the desired version of an image (via the tag) or use an image without a tag", limits.Name: "Finds containers which exceed the specified CPU and memory limits or do not specify any", mounts.Name: "Finds containers that have sensitive host paths mounted", netpols.Name: "Finds namespaces that do not have a default-deny network policy", nonroot.Name: "Finds containers allowed to run as root", privesc.Name: "Finds containers that allow privilege escalation", privileged.Name: "Finds containers running as privileged", rootfs.Name: "Finds containers which do not have a read-only filesystem", seccomp.Name: "Finds containers running without seccomp", } 07070100000129000081A400000000000000000000000166C635DC000001C9000000000000000000000000000000000000002E00000000kubeaudit-0.22.2/internal/sarif/rules_test.gopackage sarif import ( "testing" "github.com/Shopify/kubeaudit/auditors/all" "github.com/stretchr/testify/assert" ) func TestAuditorsLengthAndDescription(t *testing.T) { // if new auditors are created // make sure they're added with a matching description for _, auditorName := range all.AuditorNames { description, ok := allAuditors[auditorName] assert.Truef(t, ok && description != "", "missing description for auditor %s", auditorName) } } 0707010000012A000081A400000000000000000000000166C635DC00000E64000000000000000000000000000000000000002900000000kubeaudit-0.22.2/internal/sarif/sarif.gopackage sarif import ( "bytes" "encoding/json" "fmt" "strings" "github.com/Shopify/kubeaudit" "github.com/owenrumney/go-sarif/v2/sarif" ) const repoURL = "https://github.com/Shopify/kubeaudit" // Create generates new sarif Report or returns an error func Create(kubeauditReport *kubeaudit.Report) (*sarif.Report, error) { // create a new report object report, err := sarif.New(sarif.Version210) if err != nil { return nil, err } // create a run for kubeaudit run := sarif.NewRunWithInformationURI("kubeaudit", repoURL) report.AddRun(run) var results []*kubeaudit.AuditResult for _, reportResult := range kubeauditReport.Results() { r := reportResult.GetAuditResults() results = append(results, r...) } for _, result := range results { severityLevel := result.Severity.String() auditor := strings.ToLower(result.Auditor) var metadataTxt string if len(result.Metadata) > 0 { formattedMap := make(map[string]string) for k, v := range result.Metadata { formattedMap[k] = v } metadata, jsonErr := json.Marshal(formattedMap) if jsonErr != nil { metadata = []byte(jsonErr.Error()) } metadataTxt = fmt.Sprintf("Metadata: %s\n", string(metadata)) } docsURL := "https://github.com/Shopify/kubeaudit/blob/main/docs/auditors/" + auditor + ".md" helpText := fmt.Sprintf("Type: kubernetes\nAuditor Docs: To find out more about the issue and how to fix it, follow [this link](%s)\nDescription: %s\n%s\n\n Note: These audit results are generated with `kubeaudit`, a command line tool and a Go package that checks for potential security concerns in kubernetes manifest specs. You can read more about it at https://github.com/Shopify/kubeaudit ", docsURL, allAuditors[auditor], metadataTxt) helpMarkdown := fmt.Sprintf("**Type**: kubernetes\n**Auditor Docs**: To find out more about the issue and how to fix it, follow [this link](%s)\n**Description:** %s\n **Metadata**: %s\n\n *Note*: These audit results are generated with `kubeaudit`, a command line tool and a Go package that checks for potential security concerns in kubernetes manifest specs. You can read more about it at https://github.com/Shopify/kubeaudit ", docsURL, allAuditors[auditor], metadataTxt) // we only add rules to the report based on the result findings run.AddRule(result.Rule). WithName(result.Auditor). WithHelp(&sarif.MultiformatMessageString{Text: &helpText, Markdown: &helpMarkdown}). WithShortDescription(&sarif.MultiformatMessageString{Text: &result.Rule}). WithProperties(sarif.Properties{ "tags": []string{ "security", "kubernetes", "infrastructure", }, }) // SARIF specifies the following severity levels: warning, error, note and none // https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html // so we're converting info to note here so we get valid SARIF output if result.Severity.String() == kubeaudit.Info.String() { severityLevel = "note" } details := fmt.Sprintf("Details: %s\n Auditor: %s\nDescription: %s\nAuditor docs: %s ", result.Message, result.Auditor, allAuditors[auditor], docsURL) location := sarif.NewPhysicalLocation(). WithArtifactLocation(sarif.NewSimpleArtifactLocation(result.FilePath).WithUriBaseId("ROOTPATH")). WithRegion(sarif.NewRegion().WithStartLine(1)) result := sarif.NewRuleResult(result.Rule). WithMessage(sarif.NewTextMessage(details)). WithLevel(severityLevel). WithLocations([]*sarif.Location{sarif.NewLocation().WithPhysicalLocation(location)}) run.AddResult(result) } var reportBytes bytes.Buffer err = report.Write(&reportBytes) if err != nil { return nil, nil } return report, nil } 0707010000012B000081A400000000000000000000000166C635DC00000F61000000000000000000000000000000000000002E00000000kubeaudit-0.22.2/internal/sarif/sarif_test.gopackage sarif import ( "testing" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/auditors/apparmor" "github.com/Shopify/kubeaudit/auditors/capabilities" "github.com/Shopify/kubeaudit/auditors/image" "github.com/Shopify/kubeaudit/auditors/limits" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) func TestCreateWithResults(t *testing.T) { cases := []struct { description string auditResults []*kubeaudit.AuditResult expectedRule string expectedErrorLevel string expectedMessage string expectedURI string expectedFilePath string }{ { "apparmor invalid", []*kubeaudit.AuditResult{{ Auditor: apparmor.Name, Rule: apparmor.AppArmorInvalidAnnotation, Severity: kubeaudit.Error, Message: "AppArmor annotation key refers to a container that doesn't exist", FilePath: "apparmorPath", }}, apparmor.AppArmorInvalidAnnotation, "error", "AppArmor annotation key refers to a container that doesn't exist", "https://github.com/Shopify/kubeaudit/blob/main/docs/auditors/apparmor.md", "apparmorPath", }, { "capabilities added", []*kubeaudit.AuditResult{{ Auditor: capabilities.Name, Rule: capabilities.CapabilityAdded, Severity: kubeaudit.Error, Message: "It should be removed from the capability add list", FilePath: "capsPath", }}, capabilities.CapabilityAdded, "error", "It should be removed from the capability add list", "https://github.com/Shopify/kubeaudit/blob/main/docs/auditors/capabilities.md", "capsPath", }, { "image tag is present", []*kubeaudit.AuditResult{{ Auditor: image.Name, Rule: image.ImageCorrect, Severity: kubeaudit.Info, Message: "Image tag is correct", FilePath: "imagePath", }}, image.ImageCorrect, "note", "Image tag is correct", "https://github.com/Shopify/kubeaudit/blob/main/docs/auditors/image.md", "imagePath", }, { "limits is nil", []*kubeaudit.AuditResult{{ Auditor: limits.Name, Rule: limits.LimitsNotSet, Severity: kubeaudit.Warn, Message: "Resource limits not set", FilePath: "limitsPath", }}, limits.LimitsNotSet, "warning", "Resource limits not set", "https://github.com/Shopify/kubeaudit/blob/main/docs/auditors/limits.md", "limitsPath", }, } for _, tc := range cases { t.Run(tc.description, func(t *testing.T) { kubeAuditReport := kubeaudit.NewReport([]kubeaudit.Result{&kubeaudit.WorkloadResult{ AuditResults: tc.auditResults, }}) sarifReport, err := Create(kubeAuditReport) require.NoError(t, err) assert.Equal(t, repoURL, *sarifReport.Runs[0].Tool.Driver.InformationURI) // verify that the rules have been added as per report findings assert.Equal(t, tc.expectedRule, sarifReport.Runs[0].Tool.Driver.Rules[0].ID) var ruleNames []string //check for rules occurrences for _, sarifRule := range sarifReport.Runs[0].Tool.Driver.Rules { assert.Equal(t, []string{ "security", "kubernetes", "infrastructure", }, sarifRule.Properties["tags"], ) ruleNames = append(ruleNames, sarifRule.ID) assert.Contains(t, *sarifRule.Help.Text, tc.expectedURI) } for _, sarifResult := range sarifReport.Runs[0].Results { assert.Contains(t, ruleNames, *sarifResult.RuleID) assert.Equal(t, tc.expectedErrorLevel, *sarifResult.Level) assert.Contains(t, *sarifResult.Message.Text, tc.expectedMessage) assert.Contains(t, tc.expectedFilePath, *sarifResult.Locations[0].PhysicalLocation.ArtifactLocation.URI) } }) } } func TestCreateWithNoResults(t *testing.T) { sarifReport, err := Create(&kubeaudit.Report{}) require.NoError(t, err) require.NotEmpty(t, *sarifReport.Runs[0]) // verify that the rules are only added as per report findings assert.Len(t, sarifReport.Runs[0].Tool.Driver.Rules, 0) } 0707010000012C000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000001F00000000kubeaudit-0.22.2/internal/test0707010000012D000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000002800000000kubeaudit-0.22.2/internal/test/fixtures0707010000012E000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000003600000000kubeaudit-0.22.2/internal/test/fixtures/all_resources0707010000012F000081A400000000000000000000000166C635DC000001A8000000000000000000000000000000000000004200000000kubeaudit-0.22.2/internal/test/fixtures/all_resources/cronjob.ymlapiVersion: v1 kind: Namespace metadata: name: cronjob --- apiVersion: batch/v1beta1 kind: CronJob metadata: name: cronjob namespace: cronjob spec: schedule: "*/1 * * * *" jobTemplate: spec: template: spec: restartPolicy: Never hostPID: true hostIPC: true hostNetwork: true containers: - name: container image: scratch 07070100000130000081A400000000000000000000000166C635DC000001A8000000000000000000000000000000000000004700000000kubeaudit-0.22.2/internal/test/fixtures/all_resources/daemonset-v1.ymlapiVersion: v1 kind: Namespace metadata: name: daemonset-v1 --- apiVersion: apps/v1 kind: DaemonSet metadata: name: daemonset1 namespace: daemonset-v1 spec: selector: matchLabels: name: daemonset1 template: metadata: labels: name: daemonset1 spec: hostPID: true hostIPC: true hostNetwork: true containers: - name: container image: scratch 07070100000131000081A400000000000000000000000166C635DC000001B5000000000000000000000000000000000000004D00000000kubeaudit-0.22.2/internal/test/fixtures/all_resources/deployment-apps-v1.ymlapiVersion: v1 kind: Namespace metadata: name: deployment-apps-v1 --- apiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: deployment-apps-v1 spec: selector: matchLabels: name: deployment template: metadata: labels: name: deployment spec: hostPID: true hostIPC: true hostNetwork: true containers: - name: container image: scratch 07070100000132000081A400000000000000000000000166C635DC0000013C000000000000000000000000000000000000003E00000000kubeaudit-0.22.2/internal/test/fixtures/all_resources/job.ymlapiVersion: v1 kind: Namespace metadata: name: job --- apiVersion: batch/v1 kind: Job metadata: name: job namespace: job spec: template: spec: restartPolicy: Never hostPID: true hostIPC: true hostNetwork: true containers: - name: container image: scratch 07070100000133000081A400000000000000000000000166C635DC000000ED000000000000000000000000000000000000003E00000000kubeaudit-0.22.2/internal/test/fixtures/all_resources/pod.ymlapiVersion: v1 kind: Namespace metadata: name: pod --- apiVersion: v1 kind: Pod metadata: name: pod namespace: pod spec: hostPID: true hostIPC: true hostNetwork: true containers: - name: container image: scratch 07070100000134000081A400000000000000000000000166C635DC00000157000000000000000000000000000000000000004600000000kubeaudit-0.22.2/internal/test/fixtures/all_resources/podtemplate.ymlapiVersion: v1 kind: Namespace metadata: name: podtemplate --- apiVersion: v1 kind: PodTemplate metadata: name: templatespec namespace: podtemplate template: metadata: labels: name: templatespec spec: hostPID: true hostIPC: true hostNetwork: true containers: - name: container image: scratch 07070100000135000081A400000000000000000000000166C635DC000001A3000000000000000000000000000000000000005000000000kubeaudit-0.22.2/internal/test/fixtures/all_resources/replicationcontroller.ymlapiVersion: v1 kind: Namespace metadata: name: replicationcontroller --- apiVersion: v1 kind: ReplicationController metadata: name: replicationcontroller namespace: replicationcontroller spec: template: metadata: labels: name: replicationcontroller spec: hostPID: true hostIPC: true hostNetwork: true containers: - name: container image: scratch 07070100000136000081A400000000000000000000000166C635DC000001CC000000000000000000000000000000000000004900000000kubeaudit-0.22.2/internal/test/fixtures/all_resources/statefulset-v1.ymlapiVersion: v1 kind: Namespace metadata: name: statefulset-v1 --- apiVersion: apps/v1 kind: StatefulSet metadata: name: statefulset namespace: statefulset-v1 spec: serviceName: statefulset selector: matchLabels: name: statefulset template: metadata: labels: name: statefulset spec: hostPID: true hostIPC: true hostNetwork: true containers: - name: container image: scratch 07070100000137000081A400000000000000000000000166C635DC00000155000000000000000000000000000000000000004700000000kubeaudit-0.22.2/internal/test/fixtures/custom_resource_definition.ymlapiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: wgnodes.wormhole.gravitational.io spec: group: wormhole.gravitational.io names: kind: Wgnode plural: wgnodes scope: Namespaced version: v1beta1 status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] 07070100000138000081A400000000000000000000000166C635DC000000D3000000000000000000000000000000000000003400000000kubeaudit-0.22.2/internal/test/fixtures/service.ymlapiVersion: v1 kind: Service metadata: name: test-service spec: selector: app: test-service ports: - protocol: TCP port: 80 targetPort: 9376 clusterIP: 10.96.0.1 type: LoadBalancer 07070100000139000081A400000000000000000000000166C635DC00000108000000000000000000000000000000000000004200000000kubeaudit-0.22.2/internal/test/fixtures/unknown_resource_type.ymlapiVersion: networking.k8s.io kind: Ingress metadata: name: unknown_resource_type spec: rules: - http: paths: - path: /test-unknownpath backend: service: name: test-unknown port: number: 80 0707010000013A000081A400000000000000000000000166C635DC000014CC000000000000000000000000000000000000002700000000kubeaudit-0.22.2/internal/test/test.gopackage test import ( "bytes" "fmt" "os" "os/exec" "path/filepath" "testing" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/internal/k8sinternal" "github.com/Shopify/kubeaudit/pkg/k8s" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) // SharedFixturesDir contains fixtures used by multiple tests const SharedFixturesDir = "../../internal/test/fixtures" const MANIFEST_MODE = "manifest" const LOCAL_MODE = "local" func AuditManifest(t *testing.T, fixtureDir, fixture string, auditable kubeaudit.Auditable, expectedErrors []string) *kubeaudit.Report { return AuditMultiple(t, fixtureDir, fixture, []kubeaudit.Auditable{auditable}, expectedErrors, "", MANIFEST_MODE) } func AuditLocal(t *testing.T, fixtureDir, fixture string, auditable kubeaudit.Auditable, namespace string, expectedErrors []string) *kubeaudit.Report { return AuditMultiple(t, fixtureDir, fixture, []kubeaudit.Auditable{auditable}, expectedErrors, namespace, LOCAL_MODE) } func AuditMultiple(t *testing.T, fixtureDir, fixture string, auditables []kubeaudit.Auditable, expectedErrors []string, namespace string, mode string) *kubeaudit.Report { if mode == LOCAL_MODE && !UseKind() { return nil } expected := make(map[string]bool, len(expectedErrors)) for _, err := range expectedErrors { expected[err] = true } report := GetReport(t, fixtureDir, fixture, auditables, namespace, mode) require.NotNil(t, report) errors := make(map[string]bool) for _, result := range report.Results() { for _, auditResult := range result.GetAuditResults() { errors[auditResult.Rule] = true } } assert.Equal(t, expected, errors) return report } func FixSetup(t *testing.T, fixtureDir, fixture string, auditable kubeaudit.Auditable) (fixedResources []k8s.Resource, report *kubeaudit.Report) { return FixSetupMultiple(t, fixtureDir, fixture, []kubeaudit.Auditable{auditable}) } // FixSetup runs Fix() on a given manifest and returns the resulting resources func FixSetupMultiple(t *testing.T, fixtureDir, fixture string, auditables []kubeaudit.Auditable) (fixedResources []k8s.Resource, report *kubeaudit.Report) { require := require.New(t) report = GetReport(t, fixtureDir, fixture, auditables, "", MANIFEST_MODE) require.NotNil(report) // This increases code coverage by calling the Plan() method on each PendingFix object. Plan() returns a human // readable description of what Apply() will do and does not need to be otherwise tested for correct logic report.PrintPlan(os.Stdout) // New resources that are created to fix the manifest are not added to the results, only the fixed manifest. By // running the fixed manifest through another audit run, the new resource is treated the same as any other // resource and parsed into a Result fixedManifest := bytes.NewBuffer(nil) err := report.Fix(fixedManifest) require.Nil(err) auditor, err := kubeaudit.New(auditables) require.Nil(err) report, err = auditor.AuditManifest("", fixedManifest) require.Nil(err) results := report.RawResults() fixedResources = make([]k8s.Resource, 0, len(results)) for _, result := range results { resource := result.GetResource().Object() if resource != nil { fixedResources = append(fixedResources, resource) } } return fixedResources, report } func GetReport(t *testing.T, fixtureDir, fixture string, auditables []kubeaudit.Auditable, namespace string, mode string) *kubeaudit.Report { require := require.New(t) fixture = filepath.Join(fixtureDir, fixture) auditor, err := kubeaudit.New(auditables) require.NoError(err) var report *kubeaudit.Report switch mode { case MANIFEST_MODE: manifest, openErr := os.Open(fixture) require.NoError(openErr) defer manifest.Close() report, err = auditor.AuditManifest("", manifest) case LOCAL_MODE: defer DeleteNamespace(t, namespace) CreateNamespace(t, namespace) ApplyManifest(t, fixture, namespace) report, err = auditor.AuditLocal("", "", k8sinternal.ClientOptions{Namespace: namespace}) } require.NoError(err) return report } // GetAllFileNames returns all file names in the given directory // It can be used to retrieve all of the resource manifests from the test/fixtures/all_resources directory // This directory is not hardcoded because the working directory for tests is relative to the test func GetAllFileNames(t *testing.T, directory string) []string { files, err := os.ReadDir(directory) require.Nil(t, err) fileNames := make([]string, 0, len(files)) for _, file := range files { fileNames = append(fileNames, file.Name()) } return fileNames } // UseKind returns true if tests which utilize Kind should run func UseKind() bool { return os.Getenv("USE_KIND") == "true" } func ApplyManifest(t *testing.T, manifestPath, namespace string) { t.Helper() runCmd(t, exec.Command("kubectl", "apply", "-f", manifestPath, "-n", namespace)) } func CreateNamespace(t *testing.T, namespace string) { t.Helper() runCmd(t, exec.Command("kubectl", "create", "namespace", namespace)) } func DeleteNamespace(t *testing.T, namespace string) { t.Helper() runCmd(t, exec.Command("kubectl", "delete", "namespace", namespace)) } func runCmd(t *testing.T, cmd *exec.Cmd) { t.Helper() stdoutStderr, err := cmd.CombinedOutput() fmt.Printf("%s\n", stdoutStderr) require.NoError(t, err) } 0707010000013B000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000001F00000000kubeaudit-0.22.2/internal/yaml0707010000013C000081A400000000000000000000000166C635DC00004DBD000000000000000000000000000000000000002700000000kubeaudit-0.22.2/internal/yaml/yaml.gopackage yaml import ( "bytes" "fmt" log "github.com/sirupsen/logrus" goyaml "gopkg.in/yaml.v3" ) // src https://github.com/go-yaml/yaml/blob/v3/resolve.go#L70 const ( strTag = "!!str" seqTag = "!!seq" mapTag = "!!map" ) // Merge merges the original YAML with the fixed YAML such that the resulting YAML is autofixed but with the // same order and comments as the original. func Merge(origData, fixedData []byte) ([]byte, error) { origYaml, err := unmarshal(origData) if err != nil { return nil, err } fixedYaml, err := unmarshal(fixedData) if err != nil { return nil, err } // Create a new document node that contains the merged maps for the original and fixed yaml mergedYaml := shallowCopyNode(origYaml) mergedYaml.Content = []*goyaml.Node{ mergeMaps(origYaml.Content[0], fixedYaml.Content[0]), } return marshal(mergedYaml) } func unmarshal(data []byte) (*goyaml.Node, error) { var node goyaml.Node if err := goyaml.Unmarshal(data, &node); err != nil { return nil, err } if len(node.Content) != 1 { return nil, fmt.Errorf("expected original yaml document to have one child but got %v", len(node.Content)) } if node.Content[0].Kind != goyaml.MappingNode { return nil, fmt.Errorf("expected mapping node as child of original yaml document node but got %v", node.Content[0].Kind) } return &node, nil } func marshal(node *goyaml.Node) ([]byte, error) { data := bytes.NewBuffer(nil) encoder := goyaml.NewEncoder(data) defer encoder.Close() encoder.SetIndent(2) if err := encoder.Encode(node); err != nil { return nil, fmt.Errorf("error marshaling merged yaml: %v", err) } return data.Bytes(), nil } // mergeMaps recursively merges orig and fixed. // Key-value pairs which exist in orig but not fixed are excluded (as determined by matching the key). // Key-value pairs which exist in fixed but not orig are included. // If keys exist in both orig and fixed then the key-value pair from fixed is used unless both values are complex // (maps or sequences), in which case they are merged recursively. func mergeMaps(orig, fixed *goyaml.Node) *goyaml.Node { merged := shallowCopyNode(orig) origContent := orig.Content fixedContent := fixed.Content // Drop items from original if they are not in fixed for i := 0; i < len(origContent); i += 2 { origKey := origContent[i] if isKeyInMap(origKey, fixed) { origVal := origContent[i+1] merged.Content = append(merged.Content, origKey, origVal) } } // Update or add items from the fixed yaml which are not in the original for i := 0; i < len(fixedContent); i += 2 { fixedKey := fixedContent[i] fixedVal := fixedContent[i+1] if mergedKeyIndex := findKeyInMap(fixedKey, merged); mergedKeyIndex == -1 { // Add item merged.Content = append(merged.Content, fixedKey, fixedVal) } else { // Update item mergedValIndex := mergedKeyIndex + 1 mergedVal := merged.Content[mergedValIndex] if fixedVal.Kind != mergedVal.Kind { merged.Content[mergedValIndex] = fixedVal continue } switch fixedVal.Kind { case goyaml.ScalarNode: merged.Content[mergedValIndex].Value = fixedVal.Value case goyaml.MappingNode: merged.Content[mergedValIndex] = mergeMaps(mergedVal, fixedVal) case goyaml.SequenceNode: merged.Content[mergedValIndex] = mergeSequences(fixedKey.Value, mergedVal, fixedVal) default: log.Error("Unexpected yaml node kind", fixedVal.Kind) } } } return merged } // mergeSequences recursively merges orig and fixed. // Items which exist in orig but not fixed are excluded. // Items which exist in fixed but not orig are included. // If items exist in both orig and fixed then the item from fixed is used unless both items are complex // (maps or sequences), in which case they are merged recursively. func mergeSequences(sequenceKey string, orig, fixed *goyaml.Node) *goyaml.Node { merged := shallowCopyNode(orig) origContent := orig.Content fixedContent := fixed.Content // Drop items from original if they are not in fixed for _, origItem := range origContent { if isItemInSequence(sequenceKey, origItem, fixed) { merged.Content = append(merged.Content, origItem) } } // Update or add items from the fixed yaml which are not in the original for _, fixedItem := range fixedContent { if mergedItemIndex := findItemInSequence(sequenceKey, fixedItem, merged); mergedItemIndex == -1 { // Add item merged.Content = append(merged.Content, fixedItem) } else { // Update item mergedItem := merged.Content[mergedItemIndex] switch { case fixedItem.Kind != mergedItem.Kind: merged.Content[mergedItemIndex] = fixedItem case fixedItem.Kind == goyaml.MappingNode: merged.Content[mergedItemIndex] = mergeMaps(mergedItem, fixedItem) case fixedItem.Kind == goyaml.SequenceNode: merged.Content[mergedItemIndex] = mergeSequences(sequenceKey, mergedItem, fixedItem) } } } return merged } // deepEqual recursively compares two values but ignores map and array child order and comments. For example the // following values are considered to be equal: // // []goyaml.SequenceItem{{Value: goyaml.MapSlice{ // {Key: "k", Value: "v", Comment: "c"}, // {Key: "k2", Value: "v2", Comment: "c2"}, // }}} // // []goyaml.SequenceItem{{Value: goyaml.MapSlice{ // {Key: "k2", Value: "v2"}, // {Key: "k", Value: "v"}, // }}} func deepEqual(val1, val2 *goyaml.Node) bool { if val1.Kind != val2.Kind { return false } switch val1.Kind { case goyaml.ScalarNode: return equalScalar(val1, val2) case goyaml.MappingNode: return equalMap(val1, val2) case goyaml.SequenceNode: return equalSequence(val1, val2) } return false } func equalScalar(val1, val2 *goyaml.Node) bool { if val1.Kind != goyaml.ScalarNode || val2.Kind != goyaml.ScalarNode { return false } return val1.Tag == val2.Tag && val1.Value == val2.Value } func equalSequence(seq1, seq2 *goyaml.Node) bool { if seq1.Kind != goyaml.SequenceNode || seq2.Kind != goyaml.SequenceNode { return false } content1 := seq1.Content content2 := seq2.Content if len(content1) != len(content2) { return false } for _, val1 := range content1 { if !isItemInSequence("", val1, seq2) { return false } } return true } func equalMap(map1, map2 *goyaml.Node) bool { if map1.Kind != goyaml.MappingNode || map2.Kind != goyaml.MappingNode { return false } content1 := map1.Content content2 := map2.Content if len(content1) != len(content2) { return false } for i := 0; i < len(content1); i += 2 { key1 := content1[i] index2 := findKeyInMap(key1, map2) if index2 == -1 { return false } value1 := content1[i+1] value2 := content2[index2+1] if !deepEqual(value1, value2) { return false } } return true } // equalValueForKey returns true if map1 and map2 have the same key-value pair for the given key func equalValueForKey(findKey string, map1, map2 *goyaml.Node) bool { if map1.Kind != goyaml.MappingNode || map2.Kind != goyaml.MappingNode { return false } if val1, index1 := findValInMap(findKey, map1); index1 != -1 { if val2, index2 := findValInMap(findKey, map2); index2 != -1 { return deepEqual(val1, val2) } } return false } // isKeyInMap returns true if findKey is a child of mapNode func isKeyInMap(findKey *goyaml.Node, mapNode *goyaml.Node) bool { return findKeyInMap(findKey, mapNode) != -1 } // findKeyInMap returns the index of findKey in mapNode's list of children, or -1 if it isn't found func findKeyInMap(findKey *goyaml.Node, mapNode *goyaml.Node) int { if mapNode.Kind != goyaml.MappingNode { return -1 } children := mapNode.Content for i := 0; i < len(children); i += 2 { key := children[i] if deepEqual(key, findKey) { return i } } return -1 } // findValInMap returns the child of mapNode which is value corresponding to the given key, and its index func findValInMap(key string, mapNode *goyaml.Node) (*goyaml.Node, int) { findKey := &goyaml.Node{ Kind: goyaml.ScalarNode, Value: key, Tag: strTag, } keyIndex := findKeyInMap(findKey, mapNode) if keyIndex == -1 { return nil, -1 } valIndex := keyIndex + 1 return mapNode.Content[valIndex], valIndex } // isItemInSequence returns true if findVal is a child of sequenceNode func isItemInSequence(sequenceKey string, findVal *goyaml.Node, sequenceNode *goyaml.Node) bool { return findItemInSequence(sequenceKey, findVal, sequenceNode) != -1 } // findItemInSequence returns the index of the child in sequenceNode which "matches" findVal. See sequenceItemMatch for // what is considered a "match". Returns -1 if there is no match found. func findItemInSequence(sequenceKey string, findVal *goyaml.Node, sequenceNode *goyaml.Node) int { children := sequenceNode.Content for i, val := range children { if sequenceItemMatch(sequenceKey, val, findVal) { return i } } return -1 } var identifyingKey = map[string]string{ "allowedFlexVolumes": "driver", // PodSecurityPolicySpec.allowedFlexVolumes : AllowedFlexVolume.driver "allowedHostPaths": "pathPrefix", // PodSecurityPolicySpec.allowedHostPaths : AllowedHostPath.pathPrefix // StorageClass.allowedTopologies : TopologySelectorTerm.matchLabelExpressions "allowedTopologies": "matchLabelExpressions", "clusterRoleSelectors": "matchExpressions", // AggregationRule.clusterRoleSelectors : LabelSelector.matchExpressions "containers": "name", // PodSpec.containers : Container.name "egress": "ports", // NetworkPolicySpec.egress : NetworkPolicyEgressRule.ports "env": "name", // Container.env : EnvVar.name "hostAliases": "ip", // PodSpec.hostAliases : HostAlias.ip // Assumes it is not possible to add multiple values for the same header, ie. // httpHeaders: // - name: header1 // value: value1 // - name: header1 // value: value2 // This restriction is not documented so the assumption may be incorrect // See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#httpheader-v1-core "httpHeaders": "name", // HTTPGetAction.httpHeaders : HTTPHeader.name // PodSpec.imagePullSecrets : LocalObjectReference.name // ServiceAccount.imagePullSecrets : LocalObjectReference.name "imagePullSecrets": "name", "initContainers": "name", // PodSpec.initContainers : Container.name // LabelSelector.matchExpressions : LabelSelectorRequirement.key // NodeSelectorTerm.matchExpressions : NodeSelectorRequirement.key "matchExpressions": "key", "matchFields": "key", // NodeSelectorTerm.matchFields : NodeSelectorRequirement.key "options": "name", // PodDNSConfig.options : PodDNSConfigOption.name // TopologySelectorTerm.matchLabelExpressions : TopologySelectorLabelRequirement.key "matchLabelExpressions": "key", "pending": "name", // Initializers.pending : Initializer.name "readinessGates": "conditionType", // PodSpec.readinessGates : PodReadinessGate.conditionType // PodAffinity.requiredDuringSchedulingIgnoredDuringExecution : PodAffinityTerm.labelSelector // PodAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution : PodAffinityTerm.labelSelector "requiredDuringSchedulingIgnoredDuringExecution": "labelSelector", "secrets": "name", // ServiceAccount.secrets : ObjectReference.name // ClusterRoleBinding.subjects : Subject.name // RoleBinding.subjects : Subject.name "subjects": "name", "subsets": "addresses", // Endpoints.subsets : EndpointSubset.addresses "sysctls": "name", // PodSecurityContext.sysctls : Sysctl.name "taints": "key", // NodeSpec.taints : Taint.key "volumeDevices": "devicePath", // Container.volumeDevices : VolumeDevice.devicePath "volumeMounts": "mountPath", // Container.volumeMounts : VolumeMount.mountPath "volumes": "name", // PodSpec.volumes : Volume.name } // sequenceItemMatch returns true if item1 and item2 are a match, false otherwise. In order to determine whether // sequence items match (and should be merged) we determine the "identifying key" for the sequence item, and if both // sequence items have the same key-value pair for the "identifying key" then they are a match. The sequenceKey // is the key for which the array items are the value. ie: // sequenceKey: // - item1 // - item2 func sequenceItemMatch(sequenceKey string, item1, item2 *goyaml.Node) bool { if item1.Kind != item2.Kind { return false } if sequenceKey == "" || item1.Kind != goyaml.MappingNode { return deepEqual(item1, item2) } if idKey, ok := identifyingKey[sequenceKey]; ok { return equalValueForKey(idKey, item1, item2) } switch sequenceKey { // EndpointSubset.addresses : EndpointAddress.[hostname OR ip] // EndpointSubset.notReadyAddresses : EndpointAddress.[hostname OR ip] case "addresses", "notReadyAddresses": if equalValueForKey("hostname", item1, item2) { return true } return equalValueForKey("ip", item1, item2) // Container.envFrom : EnvFromSource.[configMapRef OR secretRef].name case "envFrom": if val1, index1 := findValInMap("configMapRef", item1); index1 != -1 { if val2, index2 := findValInMap("configMapRef", item2); index2 != -1 { return equalValueForKey("name", val1, val2) } } if val1, index1 := findValInMap("secretRef", item1); index1 != -1 { if val2, index2 := findValInMap("secretRef", item2); index2 != -1 { return equalValueForKey("name", val1, val2) } } return false // NetworkPolicySpec.ingress : NetworkPolicyIngressRule.[ports OR from] case "ingress": if equalValueForKey("ports", item1, item2) { return true } return equalValueForKey("from", item1, item2) // ConfigMapProjection.items : KeyToPath.key // ConfigMapVolumeSource.items : KeyToPath.key // DownwardAPIVolumeSource.items : DownwardAPIVolumeFile.path // SecretSecretProjection.items : KeyToPath.key // SecretVolumeSource.items : KeyToPath.key case "items": // ConfigMapVolumeSource.items : KeyToPath.key // SecretVolumeSource.items : KeyToPath.key if equalValueForKey("key", item1, item2) { return true } // DownwardAPIVolumeSource.items : DownwardAPIVolumeFile.path return equalValueForKey("path", item1, item2) // NodeSelector.nodeSelectorTerms : NodeSelectorTerm.[matchExpressions OR matchFields] case "nodeSelectorTerms": // This is a bit of a complicated case. // See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#nodeselector-v1-core // For now, only match if there is an exact match for the complex value of either the "matchExpressions" or // "matchFields" fields. if equalValueForKey("matchExpressions", item1, item2) { return true } return equalValueForKey("matchFields", item1, item2) // ObjectMeta.ownerReferences : OwnerReference.[uid OR name] case "ownerReferences": if equalValueForKey("uid", item1, item2) { return true } return equalValueForKey("name", item1, item2) // NodeAffinity.preferredDuringSchedulingIgnoredDuringExecution : PreferredSchedulingTerm.preference // PodAffinity.preferredDuringSchedulingIgnoredDuringExecution : WeightedPodAffinityTerm.podAffinityTerm // PodAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution : WeightedPodAffinityTerm.podAffinityTerm case "preferredDuringSchedulingIgnoredDuringExecution": // This is a bit of a complicated case as the values are very nested and because the same identifying key is // used for two different array types (PreferredSchedulingTerm and WeightedPodAffinityTerm). // See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#nodeaffinity-v1-core // and https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podaffinity-v1-core // For now, only match if there is an exact match for the complex value of the "preference" or // "podAffinityTerm" field. // The value for the "weight" field can be updated. // NodeAffinity.preferredDuringSchedulingIgnoredDuringExecution : PreferredSchedulingTerm.preference if equalValueForKey("preference", item1, item2) { return true } // PodAffinity.preferredDuringSchedulingIgnoredDuringExecution : WeightedPodAffinityTerm.podAffinityTerm // PodAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution : WeightedPodAffinityTerm.podAffinityTerm return equalValueForKey("podAffinityTerm", item1, item2) // Container.ports : ContainerPort.containerPort // EndpointSubset.ports : EndpointPort.port // ServiceSpec.ports : ServicePort.port case "ports": // Container.ports : ContainerPort.containerPort if equalValueForKey("containerPort", item1, item2) { return true } // EndpointSubset.ports : EndpointPort.port // ServiceSpec.ports : ServicePort.port return equalValueForKey("port", item1, item2) // ClusterRole.rules : PolicyRule.resources // IngressSpec.rules : IngressRule.host // Role.rules : PolicyRule.resources case "rules": // ClusterRole.rules : PolicyRule.resources // Role.rules : PolicyRule.resources if equalValueForKey("resources", item1, item2) { return true } // IngressSpec.rules : IngressRule.host if equalValueForKey("host", item1, item2) { return true } return deepEqual(item1, item2) // ProjectedVolumeSource.sources case "sources": // ProjectedVolumeSource.sources : VolumeProjection.configMap.name if val1, index1 := findValInMap("configMap", item1); index1 != -1 { if val2, index2 := findValInMap("configMap", item2); index2 != -1 { return equalValueForKey("name", val1, val2) } return false } // ProjectedVolumeSource.sources : VolumeProjection.downwardAPI.items if val1, index1 := findValInMap("downwardAPI", item1); index1 != -1 { if val2, index2 := findValInMap("downwardAPI", item2); index2 != -1 { return equalValueForKey("items", val1, val2) } return false } // ProjectedVolumeSource.sources : VolumeProjection.secret.name if val1, index1 := findValInMap("secret", item1); index1 != -1 { if val2, index2 := findValInMap("secret", item2); index2 != -1 { return equalValueForKey("name", val1, val2) } return false } // ProjectedVolumeSource.sources : VolumeProjection.serviceAccountToken.path if val1, index1 := findValInMap("serviceAccountToken", item1); index1 != -1 { if val2, index2 := findValInMap("serviceAccountToken", item2); index2 != -1 { return equalValueForKey("path", val1, val2) } } return false // IngressSpec.tls : IngressTLS.[secretName OR hosts] case "tls": if equalValueForKey("secretName", item1, item2) { return true } return equalValueForKey("hosts", item1, item2) // StatefulSetSpec.volumeClaimTemplates : PersistentVolumeClaim.metadata.name case "volumeClaimTemplates": if val1, index1 := findValInMap("metadata", item1); index1 != -1 { if val2, index2 := findValInMap("metadata", item2); index2 != -1 { return equalValueForKey("name", val1, val2) } } return false } // FSGroupStrategyOptions.ranges : IDRange // RunAsGroupStrategyOptions.ranges : IDRange // RunAsUserStrategyOptions.ranges : IDRange // SupplementalGroupsStrategyOptions.ranges : IDRange // PodSecurityPolicySpec.hostPorts : HostPortRange // PodSpec.tolerations : Toleration return deepEqual(item1, item2) } // Returns a new *goyaml.Node with the same values as the original node except for the Content field, which is initialized // to an empty array func shallowCopyNode(orig *goyaml.Node) *goyaml.Node { return &goyaml.Node{ Kind: orig.Kind, Style: orig.Style, Tag: orig.Tag, Value: orig.Value, Anchor: orig.Anchor, Alias: orig.Alias, Content: []*goyaml.Node{}, HeadComment: orig.HeadComment, LineComment: orig.LineComment, FootComment: orig.FootComment, Line: orig.Line, Column: orig.Column, } } 0707010000013D000081A400000000000000000000000166C635DC00007C47000000000000000000000000000000000000002C00000000kubeaudit-0.22.2/internal/yaml/yaml_test.gopackage yaml import ( "testing" "github.com/stretchr/testify/assert" yaml "gopkg.in/yaml.v3" ) func TestMerge(t *testing.T) { assert := assert.New(t) // empty yaml _, err := Merge(nil, nil) assert.NotNil(err) _, err = Merge([]byte{}, []byte{}) assert.NotNil(err) _, err = Merge([]byte(""), []byte("")) assert.NotNil(err) // invalid yaml _, err = Merge([]byte("a: b: c"), nil) assert.NotNil(err) _, err = Merge([]byte("a:"), nil) assert.NotNil(err) _, err = Merge([]byte("a: b"), []byte("a: b: c")) assert.NotNil(err) // non-map root node _, err = Merge([]byte("- a"), nil) assert.NotNil(err) _, err = Merge([]byte("a: b"), []byte("- a")) assert.NotNil(err) // valid yaml merged, err := Merge([]byte("a: b"), []byte("a: b")) assert.NoError(err) assert.Equal("a: b\n", string(merged)) } func TestMergeMaps(t *testing.T) { cases := []struct { testName string orig *yaml.Node fixed *yaml.Node merged *yaml.Node }{ { "Update", &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "K", HeadComment: "Hi"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "V", LineComment: "Bye"}, }}, &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "K"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "V2"}, }}, &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "K", HeadComment: "Hi"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "V2", LineComment: "Bye"}, }}, }, { "Add", &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "k"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v", LineComment: "Comment"}, }}, &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "k"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "k2"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v2"}, }}, &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "k"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v", LineComment: "Comment"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "k2"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v2"}, }}, }, { "Remove", &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "k"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v", LineComment: "Comment 1"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "k2"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v2", LineComment: "Comment 2"}, }}, &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "k2"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v2"}, }}, &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "k2"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v2", LineComment: "Comment 2"}, }}, }, { "Preserve order", &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "k", HeadComment: "Comment 1"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v", LineComment: "EOL Comment 1"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "k2", HeadComment: "Comment 2"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v2", LineComment: "EOL Comment 2", FootComment: "Foot Comment"}, }}, &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "knew"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "vnew"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "k2"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v2new"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "k"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "vnew"}, }}, &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "k", HeadComment: "Comment 1"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "vnew", LineComment: "EOL Comment 1"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "k2", HeadComment: "Comment 2"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v2new", LineComment: "EOL Comment 2", FootComment: "Foot Comment"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "knew"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "vnew"}, }}, }, { "Sequence of strings", &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "values"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "v1", LineComment: "EOL Comment 1"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v2", HeadComment: "Comment 1", LineComment: "EOL Comment 2"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v3", HeadComment: "EOL Comment 3"}, }}, }}, &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "values"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "v3"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v4"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v1"}, }}, }}, &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "values"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "v1", LineComment: "EOL Comment 1"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v3", HeadComment: "EOL Comment 3"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v4"}, }}, }}, }, { "Map of maps", &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "a"}, {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "b", LineComment: "EOL Comment 1"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "c", HeadComment: "Comment 1", LineComment: "EOL Comment 2"}, }}, }}, &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "a"}, {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "b"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "d"}, }}, }}, &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "a"}, {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "b", LineComment: "EOL Comment 1"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "d", HeadComment: "Comment 1", LineComment: "EOL Comment 2"}, }}, }}, }, { "Complex mapslice (nested sequence and mapslices)", &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "containers"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "name"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "container1", LineComment: "Container 1"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "image"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "image1", LineComment: "Image 1"}, }}, {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "name"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "container2", LineComment: "Container 2"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "ports"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "name"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "port 1"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "protocol"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "TCP"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "containerPort"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "3000", LineComment: "Port 3000"}, }}, {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "name"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "port 2"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "protocol", HeadComment: "Comment"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "UDP"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "containerPort"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "6000", LineComment: "Port 6000"}, }}, }}, }}, }}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "subsets"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "addresses"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "hostname"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "hname", LineComment: "Comment 1"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "ip"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "10.0.0.1"}, }}, }}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "ports"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "name"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "pname", LineComment: "Comment 2"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "port"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "3000"}, }}, {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "name"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "pname2", LineComment: "Comment 3"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "port"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "8000"}, }}, }}, }}, }}, }}, &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "containers"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "name"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "container3"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "image"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "image1"}, }}, {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "name"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "container2"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "ports"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "name"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "port 1"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "containerPort"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "6000"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "protocol"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "TCP"}, }}, }}, }}, }}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "subsets"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "addresses"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "hostname"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "hname"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "ip"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "10.0.0.1"}, }}, }}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "ports"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "name"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "pname"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "port"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "6000"}, }}, {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "name"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "newname"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "port"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "8000"}, }}, }}, }}, }}, }}, &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "containers"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "name"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "container2", LineComment: "Container 2"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "ports"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "name"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "port 1"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "protocol", HeadComment: "Comment"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "TCP"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "containerPort"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "6000", LineComment: "Port 6000"}, }}, }}, }}, {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "name"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "container3"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "image"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "image1"}, }}, }}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "subsets"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "addresses"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "hostname"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "hname", LineComment: "Comment 1"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "ip"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "10.0.0.1"}, }}, }}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "ports"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "name"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "newname", LineComment: "Comment 3"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "port"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "8000"}, }}, {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "name"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "pname"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "port"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "6000"}, }}, }}, }}, }}, }}, }, } for _, test := range cases { t.Run(test.testName, func(t *testing.T) { merged := mergeMaps(test.orig, test.fixed) assert.True(t, deepEqual(test.merged, merged)) assert.Equal(t, test.merged, merged) }) } } func TestFindItemInSequence(t *testing.T) { assert := assert.New(t) // same string seq := &yaml.Node{Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "v", HeadComment: "Comment"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v2", LineComment: "Comment 2"}, }} item := &yaml.Node{Kind: yaml.ScalarNode, Tag: strTag, Value: "v2"} index := findItemInSequence("", item, seq) assert.Equal(1, index) // different string seq = &yaml.Node{Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "v", HeadComment: "Comment"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v2", LineComment: "Comment 2"}, }} item = &yaml.Node{Kind: yaml.ScalarNode, Tag: strTag, Value: "v3"} index = findItemInSequence("", item, seq) assert.Equal(-1, index) // matching mapslice seq = &yaml.Node{Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "name"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "port1"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "protocol"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "TCP"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "containerPort"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "3000"}, }}, {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "name"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "port2"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "protocol"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "UDP", HeadComment: "Comment"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "containerPort"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "6000", LineComment: "Comment 2"}, }}, }} item = &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "name"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "port1"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "protocol"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "TCP"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "containerPort"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "6000"}, }} index = findItemInSequence("ports", item, seq) assert.Equal(1, index) } func TestFindItemInMapSlice(t *testing.T) { assert := assert.New(t) // key present m := &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "k", HeadComment: "Comment"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v", LineComment: "Comment 2"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "k2"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v2"}, }} item, index := findValInMap("k2", m) assert.Equal(3, index) assert.True(deepEqual(m.Content[3], item)) // key not present m = &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "k", HeadComment: "Comment"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v", LineComment: "Comment 2"}, }} _, index = findValInMap("k2", m) assert.Equal(-1, index) } func TestEqualValueForKey(t *testing.T) { assert := assert.New(t) // same string m1 := &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "k2"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v2", LineComment: "Comment 2"}, }} m2 := &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "k"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "k2"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v2"}, }} assert.True(equalValueForKey("k2", m1, m2)) // different string m1 = &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "k"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v"}, }} m2 = &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "k"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v2"}, }} assert.False(equalValueForKey("k2", m1, m2)) // string and number m1 = &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "k"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "2"}, }} m2 = &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "k"}, {Kind: yaml.ScalarNode, Tag: "!!int", Value: "2"}, }} assert.False(equalValueForKey("k", m1, m2)) } func TestSequenceItemMatch(t *testing.T) { cases := []struct { testName string item1 *yaml.Node item2 *yaml.Node sequenceKey string expected bool }{ { testName: "Same strings", item1: &yaml.Node{Kind: yaml.ScalarNode, Tag: strTag, Value: "v2", LineComment: "Comment"}, item2: &yaml.Node{Kind: yaml.ScalarNode, Tag: strTag, Value: "v2"}, sequenceKey: "", expected: true, }, { testName: "Different strings", item1: &yaml.Node{Kind: yaml.ScalarNode, Tag: strTag, Value: "v", LineComment: "Comment"}, item2: &yaml.Node{Kind: yaml.ScalarNode, Tag: strTag, Value: "v2", LineComment: "Comment"}, sequenceKey: "", expected: false, }, { testName: "String and mapslice", item1: &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, LineComment: "Comment"}, }, LineComment: "Comment"}, item2: &yaml.Node{Kind: yaml.ScalarNode, Tag: strTag, Value: "v2"}, sequenceKey: "", expected: false, }, } for _, test := range cases { t.Run(test.testName, func(t *testing.T) { assert.Equal(t, test.expected, sequenceItemMatch(test.sequenceKey, test.item1, test.item2)) }) } cases2 := []struct { testName string sequenceKey string mapKey string }{ {"EndpointSubset.addresses : EndpointAddress.hostname", "addresses", "hostname"}, {"EndpointSubset.addresses : EndpointAddress.ip", "addresses", "ip"}, {"EndpointSubset.notReadyAddresses : EndpointAddress.hostname", "notReadyAddresses", "hostname"}, {"EndpointSubset.notReadyAddresses : EndpointAddress.ip", "notReadyAddresses", "ip"}, {"NetworkPolicySpec.ingress : NetworkPolicyIngressRule.ports", "ingress", "ports"}, {"NetworkPolicySpec.ingress : NetworkPolicyIngressRule.from", "ingress", "from"}, {"ConfigMapProjection.items : KeyToPath.key", "items", "key"}, {"DownwardAPIVolumeSource.items : DownwardAPIVolumeFile.path", "items", "path"}, {"NodeSelector.nodeSelectorTerms : NodeSelectorTerm.matchExpressions", "nodeSelectorTerms", "matchExpressions"}, {"NodeSelector.nodeSelectorTerms : NodeSelectorTerm.matchFields", "nodeSelectorTerms", "matchFields"}, {"ObjectMeta.ownerReferences : OwnerReference.uid", "ownerReferences", "uid"}, {"ObjectMeta.ownerReferences : OwnerReference.name", "ownerReferences", "name"}, {"NodeAffinity.preferredDuringSchedulingIgnoredDuringExecution : PreferredSchedulingTerm.preference", "preferredDuringSchedulingIgnoredDuringExecution", "preference"}, {"PodAffinity.preferredDuringSchedulingIgnoredDuringExecution : WeightedPodAffinityTerm.podAffinityTerm", "preferredDuringSchedulingIgnoredDuringExecution", "podAffinityTerm"}, {"ClusterRole.rules : PolicyRule.resources", "rules", "resources"}, {"IngressSpec.rules : IngressRule.host", "rules", "host"}, {"IngressSpec.rules : IngressRule.host", "rules", "host"}, {"IngressSpec.tls : IngressTLS.secretName", "tls", "secretName"}, {"IngressSpec.tls : IngressTLS.hosts", "tls", "hosts"}, } for _, test := range cases2 { t.Run(test.testName, func(t *testing.T) { item1 := &yaml.Node{Kind: yaml.MappingNode, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: test.mapKey}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "value"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "randkey"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "randval"}, }} item2 := &yaml.Node{Kind: yaml.MappingNode, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: test.mapKey}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "value"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "randkey"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "otherval"}, }} assert.True(t, sequenceItemMatch(test.sequenceKey, item1, item2)) item2.Content[1].Value = "othervalue" assert.False(t, sequenceItemMatch(test.sequenceKey, item1, item2)) }) } // nested maps cases3 := []struct { testName string sequenceKey string intermediateMapKey string mapKey string }{ {"ProjectedVolumeSource.sources : VolumeProjection.configMap.name", "sources", "configMap", "name"}, {"ProjectedVolumeSource.sources : VolumeProjection.downwardAPI.items", "sources", "downwardAPI", "items"}, {"ProjectedVolumeSource.sources : VolumeProjection.secret.name", "sources", "secret", "name"}, {"ProjectedVolumeSource.sources : VolumeProjection.serviceAccountToken.name", "sources", "serviceAccountToken", "path"}, {"Container.envFrom : EnvFromSource.configMapRef.name", "envFrom", "configMapRef", "name"}, {"Container.envFrom : EnvFromSource.secretRef.name", "envFrom", "secretRef", "name"}, } for _, test := range cases3 { t.Run(test.testName, func(t *testing.T) { item1 := &yaml.Node{Kind: yaml.MappingNode, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: test.intermediateMapKey}, {Kind: yaml.MappingNode, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: test.mapKey}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "value"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "randkey"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "randval"}, }}, }} item2 := &yaml.Node{Kind: yaml.MappingNode, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: test.intermediateMapKey}, {Kind: yaml.MappingNode, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: test.mapKey}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "value"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "randkey"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "otherval"}, }}, }} assert.True(t, sequenceItemMatch(test.sequenceKey, item1, item2)) item2.Content[1].Content[1].Value = "othervalue" assert.False(t, sequenceItemMatch(test.sequenceKey, item1, item2)) item2.Content[0].Value = "bla" assert.False(t, sequenceItemMatch(test.sequenceKey, item1, item2)) }) } } func TestDeepEqual(t *testing.T) { assert := assert.New(t) var v1 *yaml.Node var v2 *yaml.Node // maps should be equal, regardless of comments v1 = &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "k", HeadComment: "head", LineComment: "line", FootComment: "foot"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v", HeadComment: "head", LineComment: "line", FootComment: "foot"}, }} v2 = &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "k"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "v"}, }} assert.True(deepEqual(v1, v2)) // sequences should be equal, regardless of comments v1 = &yaml.Node{Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "v", HeadComment: "head", LineComment: "line", FootComment: "foot"}, }} v2 = &yaml.Node{Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "v"}, }} assert.True(deepEqual(v1, v2)) v1 = &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "matchExpressions"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "key"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "labelkey"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "operator"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "In"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "values"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "value1", LineComment: "Comment 1"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "value2"}, }}, }}, }}, }} v2 = &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "matchExpressions"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "key"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "labelkey"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "values"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "value1"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "value2"}, }}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "operator"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "In"}, }}, }}, }} assert.True(deepEqual(v1, v2)) v1 = &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "matchExpressions"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "key"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "labelkey"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "operator"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "In"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "values"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "value1", LineComment: "Comment 1"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "value2"}, }}, }}, }}, }} v2 = &yaml.Node{Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "matchExpressions"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.MappingNode, Tag: mapTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "key"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "labelkey"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "operator"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "In"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "values"}, {Kind: yaml.SequenceNode, Tag: seqTag, Content: []*yaml.Node{ {Kind: yaml.ScalarNode, Tag: strTag, Value: "value1", LineComment: "Comment 1"}, {Kind: yaml.ScalarNode, Tag: strTag, Value: "newvalue"}, }}, }}, }}, }} assert.False(deepEqual(v1, v2)) } 0707010000013E000081A400000000000000000000000166C635DC000003C5000000000000000000000000000000000000001900000000kubeaudit-0.22.2/kube.gopackage kubeaudit import "github.com/Shopify/kubeaudit/pkg/k8s" // ErrorUnsupportedResource occurs when Kubeaudit doesn't know how to audit the resource const ErrorUnsupportedResource = "Unsupported resource" // RedundantAuditorOverride is the audit result name given when an override label is used to disable an auditor, // but that auditor found no security issues so the label is redundant const RedundantAuditorOverride = "RedundantAuditorOverride" // KubeResource is a wrapper around a Kubernetes object type KubeResource interface { // Object is a pointer to a Kubernetes resource. The resource may be modified by multiple auditors Object() k8s.Resource // Bytes is the original byte representation of the resource Bytes() []byte } // Implements KubeResource type kubeResource struct { object k8s.Resource bytes []byte } func (k *kubeResource) Object() k8s.Resource { return k.object } func (k *kubeResource) Bytes() []byte { return k.bytes } 0707010000013F000081A400000000000000000000000166C635DC00002262000000000000000000000000000000000000001E00000000kubeaudit-0.22.2/kubeaudit.go// Package kubeaudit provides methods to find and fix security issues in Kubernetes resources. // // # Modes // // Kubeaudit supports three different modes. The mode used depends on the audit method used. // // 1. Manifest mode: Audit a manifest file // // 2. Local mode: Audit resources in a local kubeconfig file // // 3. Cluster mode: Audit resources in a running cluster (kubeaudit must be invoked from a container within the cluster) // // In manifest mode, kubeaudit can automatically fix security issues. // // Follow the instructions below to use kubeaudit: // // # First initialize the security auditors // // The auditors determine which security issues kubeaudit will look for. Each auditor is responsible for a different // security issue. For an explanation of what each auditor checks for, see https://github.com/Shopify/kubeaudit#auditors. // // To initialize all available auditors: // // import "github.com/Shopify/kubeaudit/auditors/all" // // auditors, err := all.Auditors(config.KubeauditConfig{}) // // Or, to initialize specific auditors, import each one: // // import ( // "github.com/Shopify/kubeaudit/auditors/apparmor" // "github.com/Shopify/kubeaudit/auditors/image" // ) // // auditors := []kubeaudit.Auditable{ // apparmor.New(), // image.New(image.Config{Image: "myimage:mytag"}), // } // // # Initialize Kubeaudit // // Create a new instance of kubeaudit: // // kubeAuditor, err := kubeaudit.New(auditors) // // # Run the audit // // To run the audit in manifest mode: // // import "os" // // manifest, err := os.Open("/path/to/manifest.yaml") // if err != nil { // ... // } // // report, err := kubeAuditor.AuditManifest(manifest) // // Or, to run the audit in local mode: // // report, err := kubeAuditor.AuditLocal("/path/to/kubeconfig.yml", kubeaudit.AuditOptions{}) // // Or, to run the audit in cluster mode (pass it a namespace name as a string to only audit resources in that namespace, or an empty string to audit resources in all namespaces): // // report, err := auditor.AuditCluster(kubeaudit.AuditOptions{}) // // # Get the results // // To print the results in a human readable way: // // report.PrintResults() // // Results are printed to standard out by default. To print to a string instead: // // var buf bytes.Buffer // report.PrintResults(kubeaudit.WithWriter(&buf), kubeaudit.WithColor(false)) // resultsString := buf.String() // // Or, to get the result objects: // // results := report.Results() // // # Autofix // // Note that autofixing is only supported in manifest mode. // // To print the plan (what will be fixed): // // report.PrintPlan(os.Stdout) // // To automatically fix the security issues and print the fixed manifest: // // err = report.Fix(os.Stdout) // // # Override Errors // // Overrides can be used to ignore specific auditors for specific containers or pods. // See the documentation for the specific auditor you wish to override at https://github.com/Shopify/kubeaudit#auditors. // // # Custom Auditors // // Kubeaudit supports custom auditors. See the Custom Auditor example. package kubeaudit import ( "errors" "fmt" "io" "path/filepath" "strings" "github.com/Shopify/kubeaudit/internal/k8sinternal" "github.com/Shopify/kubeaudit/pkg/k8s" ) // Kubeaudit provides functions to audit and fix Kubernetes manifests type Kubeaudit struct { auditors []Auditable } type AuditOptions = k8sinternal.ClientOptions // New returns a new Kubeaudit instance func New(auditors []Auditable, opts ...Option) (*Kubeaudit, error) { if len(auditors) == 0 { return nil, errors.New("no auditors enabled") } auditor := &Kubeaudit{ auditors: auditors, } if err := auditor.parseOptions(opts); err != nil { return nil, err } return auditor, nil } // AuditManifest audits the Kubernetes resources in the provided manifest func (a *Kubeaudit) AuditManifest(manifestPath string, manifest io.Reader) (*Report, error) { manifestBytes, err := io.ReadAll(manifest) if err != nil { return nil, err } resources, err := getResourcesFromManifest(manifestBytes) if err != nil { return nil, fmt.Errorf("failed to get resources from manifest: %w", err) } results, err := auditResources(resources, a.auditors) if err != nil { return nil, err } for _, result := range results { auditResults := result.GetAuditResults() if !filepath.IsAbs(manifestPath) { manifestPath = strings.TrimPrefix(filepath.Clean("/"+manifestPath), "/") } for _, ar := range auditResults { ar.FilePath = manifestPath } } report := NewReport(results) return report, nil } // AuditCluster audits the Kubernetes resources found in the cluster in which Kubeaudit is running func (a *Kubeaudit) AuditCluster(options AuditOptions) (*Report, error) { if !k8sinternal.IsRunningInCluster(k8sinternal.DefaultClient) { return nil, errors.New("failed to audit resources in cluster mode: not running in cluster") } client, err := k8sinternal.NewKubeClientCluster(k8sinternal.DefaultClient) if err != nil { return nil, err } resources, err := getResourcesFromClient(client, options) if err != nil { return nil, err } results, err := auditResources(resources, a.auditors) if err != nil { return nil, err } report := NewReport(results) return report, nil } // AuditLocal audits the Kubernetes resources found in the provided Kubernetes config file func (a *Kubeaudit) AuditLocal(configpath string, context string, options AuditOptions) (*Report, error) { client, err := k8sinternal.NewKubeClientLocal(configpath, context) if err == k8sinternal.ErrNoReadableKubeConfig { return nil, fmt.Errorf("failed to open kubeconfig file %s", configpath) } else if err != nil { return nil, err } resources, err := getResourcesFromClient(client, options) if err != nil { return nil, err } results, err := auditResources(resources, a.auditors) if err != nil { return nil, err } report := NewReport(results) return report, nil } // Report contains the results after auditing type Report struct { results []Result } func NewReport(results []Result) *Report { return &Report{results} } // RawResults returns all of the results for each Kubernetes resource, including ones that had no audit results. // Generally, you will want to use Results() instead. func (r *Report) RawResults() []Result { return r.results } // Results returns the audit results for each Kubernetes resource func (r *Report) Results() []Result { results := make([]Result, 0, len(r.RawResults())) for _, result := range r.RawResults() { if len(result.GetAuditResults()) > 0 { results = append(results, result) } } return results } // ResultsWithMinSeverity returns the audit results for each Kubernetes resource with a minimum severity func (r *Report) ResultsWithMinSeverity(minSeverity SeverityLevel) []Result { var results []Result for _, result := range r.RawResults() { var filteredAuditResults []*AuditResult for _, auditResult := range result.GetAuditResults() { if auditResult.Severity >= minSeverity { filteredAuditResults = append(filteredAuditResults, auditResult) } } if len(filteredAuditResults) > 0 { results = append(results, &WorkloadResult{ Resource: result.GetResource(), AuditResults: filteredAuditResults, }) } } return results } // HasErrors returns true if any findings have the level of Error func (r *Report) HasErrors() (errorsFound bool) { for _, workloadResult := range r.Results() { for _, auditResult := range workloadResult.GetAuditResults() { if auditResult.Severity >= Error { return true } } } return false } // PrintResults writes the audit results to the specified writer. Defaults to printing results to stdout func (r *Report) PrintResults(printOptions ...PrintOption) { printer := NewPrinter(printOptions...) printer.PrintReport(r) } // Fix tries to automatically patch any security concerns and writes the resulting manifest to the provided writer. // Only applies when audit was performed on a manifest (not local or cluster) func (r *Report) Fix(writer io.Writer) error { fixed, err := fix(r.RawResults()) if err != nil { return err } _, err = writer.Write(fixed) return err } // PrintPlan writes the actions that will be performed by the Fix() function in a human-readable way to the // provided writer. Only applies when audit was performed on a manifest (not local or cluster) func (r *Report) PrintPlan(writer io.Writer) { for _, result := range r.Results() { for _, auditResult := range result.GetAuditResults() { ok, plan := auditResult.FixPlan() if ok { fmt.Fprintln(writer, "* ", plan) } } } } // Auditable is an interface which is implemented by auditors type Auditable interface { Audit(resource k8s.Resource, resources []k8s.Resource) ([]*AuditResult, error) } 07070100000140000081A400000000000000000000000166C635DC0000085D000000000000000000000000000000000000002300000000kubeaudit-0.22.2/kubeaudit_test.gopackage kubeaudit_test import ( "testing" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/auditors/all" "github.com/Shopify/kubeaudit/config" "github.com/Shopify/kubeaudit/internal/k8sinternal" "github.com/Shopify/kubeaudit/internal/test" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) func TestNew(t *testing.T) { require := require.New(t) allAuditors, err := all.Auditors(config.KubeauditConfig{}) require.NoError(err) auditor, err := kubeaudit.New(allAuditors) require.NoError(err) assert.NotNil(t, auditor) _, err = kubeaudit.New(nil) require.NotNil(err) } func TestAuditLocal(t *testing.T) { if !test.UseKind() { return } require := require.New(t) allAuditors, err := all.Auditors(config.KubeauditConfig{}) require.NoError(err) auditor, err := kubeaudit.New(allAuditors) require.NoError(err) _, err = auditor.AuditLocal("", "", k8sinternal.ClientOptions{}) require.NoError(err) _, err = auditor.AuditLocal("invalid_path", "", k8sinternal.ClientOptions{}) require.NotNil(err) _, err = auditor.AuditLocal("", "invalid_context", k8sinternal.ClientOptions{}) require.NotNil(err) } func TestAuditCluster(t *testing.T) { require := require.New(t) allAuditors, err := all.Auditors(config.KubeauditConfig{}) require.NoError(err) auditor, err := kubeaudit.New(allAuditors) require.NoError(err) _, err = auditor.AuditCluster(k8sinternal.ClientOptions{}) require.NotNil(err) } func TestUnknownResource(t *testing.T) { // Make sure we produce only warning results for resources kubeaudit doesn't know how to audit files := []string{"unknown_resource_type.yml", "custom_resource_definition.yml"} allAuditors, err := all.Auditors(config.KubeauditConfig{}) require.NoError(t, err) for _, file := range files { t.Run(file, func(t *testing.T) { _, report := test.FixSetupMultiple(t, "internal/test/fixtures", file, allAuditors) require.NotNil(t, report) for _, result := range report.Results() { for _, auditResult := range result.GetAuditResults() { assert.Equal(t, kubeaudit.Warn, auditResult.Severity) } } }) } } 07070100000141000081A400000000000000000000000166C635DC000001F4000000000000000000000000000000000000001C00000000kubeaudit-0.22.2/options.gopackage kubeaudit import ( log "github.com/sirupsen/logrus" ) // Option is used to specify the behaviour of Kubeaudit Auditor type Option func(*Kubeaudit) error // WithLogger specifies the log formatter to use func WithLogger(formatter log.Formatter) Option { return func(_ *Kubeaudit) error { log.SetFormatter(formatter) return nil } } func (a *Kubeaudit) parseOptions(opts []Option) error { for _, opt := range opts { if err := opt(a); err != nil { return err } } return nil } 07070100000142000081A400000000000000000000000166C635DC00000383000000000000000000000000000000000000002100000000kubeaudit-0.22.2/options_test.gopackage kubeaudit_test import ( "testing" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/auditors/all" "github.com/Shopify/kubeaudit/config" "github.com/sirupsen/logrus" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) func TestWithLogger(t *testing.T) { assert := assert.New(t) allAuditors, err := all.Auditors(config.KubeauditConfig{}) require.NoError(t, err) formatter := logrus.Formatter(&logrus.JSONFormatter{}) _, err = kubeaudit.New(allAuditors, kubeaudit.WithLogger(formatter)) assert.NoError(err) assert.Equal(formatter, logrus.StandardLogger().Formatter) formatter = logrus.Formatter(&logrus.TextFormatter{}) assert.NotEqual(formatter, logrus.StandardLogger().Formatter) _, err = kubeaudit.New(allAuditors, kubeaudit.WithLogger(formatter)) assert.NoError(err) assert.Equal(formatter, logrus.StandardLogger().Formatter) } 07070100000143000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000001500000000kubeaudit-0.22.2/pkg07070100000144000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000001900000000kubeaudit-0.22.2/pkg/fix07070100000145000081A400000000000000000000000166C635DC00000794000000000000000000000000000000000000002800000000kubeaudit-0.22.2/pkg/fix/annotations.gopackage fix import ( "fmt" "github.com/Shopify/kubeaudit/pkg/k8s" ) // FixBySettingPodAnnotation implements PendingFix type BySettingPodAnnotation struct { Key string Value string } // Apply sets the pod annotation to the specified value func (pending *BySettingPodAnnotation) Apply(resource k8s.Resource) []k8s.Resource { objectMeta := k8s.GetPodObjectMeta(resource) if objectMeta.GetAnnotations() == nil { objectMeta.SetAnnotations(map[string]string{}) } objectMeta.GetAnnotations()[pending.Key] = pending.Value return nil } // Plan is a description of what apply will do func (pending *BySettingPodAnnotation) Plan() string { return fmt.Sprintf("Set pod-level annotation '%v' to '%v'", pending.Key, pending.Value) } // FixByAddingPodAnnotation implements PendingFix type ByAddingPodAnnotation struct { Key string Value string } // Apply adds the pod annotation func (pending *ByAddingPodAnnotation) Apply(resource k8s.Resource) []k8s.Resource { objectMeta := k8s.GetPodObjectMeta(resource) if objectMeta.GetAnnotations() == nil { objectMeta.SetAnnotations(map[string]string{}) } objectMeta.GetAnnotations()[pending.Key] = pending.Value return nil } // Plan is a description of what apply will do func (pending *ByAddingPodAnnotation) Plan() string { return fmt.Sprintf("Add pod-level annotation '%v: %v'", pending.Key, pending.Value) } type ByRemovingPodAnnotations struct { Keys []string } // Apply removes the pod annotation func (pending *ByRemovingPodAnnotations) Apply(resource k8s.Resource) []k8s.Resource { objectMeta := k8s.GetPodObjectMeta(resource) if objectMeta.GetAnnotations() == nil { return nil } for _, key := range pending.Keys { delete(objectMeta.GetAnnotations(), key) } return nil } // Plan is a description of what apply will do func (pending *ByRemovingPodAnnotations) Plan() string { return fmt.Sprintf("Remove pod-level annotations '%v'", pending.Keys) } 07070100000146000081A400000000000000000000000166C635DC000007BF000000000000000000000000000000000000002D00000000kubeaudit-0.22.2/pkg/fix/annotations_test.gopackage fix import ( "testing" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/pkg/k8s" "github.com/stretchr/testify/assert" v1 "k8s.io/api/core/v1" ) func TestFix(t *testing.T) { cases := []struct { testName string pendingFix kubeaudit.PendingFix preFix func(resource k8s.Resource) assertFixed func(t *testing.T, resource k8s.Resource) }{ { testName: "BySettingPodAnnotation", pendingFix: &BySettingPodAnnotation{Key: "mykey", Value: "myvalue"}, preFix: func(resource k8s.Resource) {}, assertFixed: func(t *testing.T, resource k8s.Resource) { annotations := k8s.GetAnnotations(resource) assert.NotNil(t, annotations) val, ok := annotations["mykey"] assert.True(t, ok) assert.Equal(t, "myvalue", val) }, }, { testName: "ByAddingPodAnnotation", pendingFix: &ByAddingPodAnnotation{Key: "mykey", Value: "myvalue"}, preFix: func(resource k8s.Resource) {}, assertFixed: func(t *testing.T, resource k8s.Resource) { annotations := k8s.GetAnnotations(resource) assert.NotNil(t, annotations) val, ok := annotations["mykey"] assert.True(t, ok) assert.Equal(t, "myvalue", val) }, }, { testName: "ByRemovingPodAnnotations", pendingFix: &ByRemovingPodAnnotations{Keys: []string{"mykey", "mykey2"}}, preFix: func(resource k8s.Resource) { k8s.GetPodObjectMeta(resource).SetAnnotations(map[string]string{"mykey": "myvalue", "mykey2": "myvalue2"}) }, assertFixed: func(t *testing.T, resource k8s.Resource) { annotations := k8s.GetAnnotations(resource) _, ok := annotations["mykey"] assert.False(t, ok) _, ok2 := annotations["mykey2"] assert.False(t, ok2) }, }, } for _, tc := range cases { t.Run(tc.testName, func(t *testing.T) { resource := &k8s.PodV1{Spec: v1.PodSpec{}} tc.preFix(resource) assert.NotEmpty(t, tc.pendingFix.Plan()) tc.pendingFix.Apply(resource) tc.assertFixed(t, resource) }) } } 07070100000147000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000001900000000kubeaudit-0.22.2/pkg/k8s07070100000148000081A400000000000000000000000166C635DC00000D80000000000000000000000000000000000000002400000000kubeaudit-0.22.2/pkg/k8s/helpers.gopackage k8s import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) // NewTrue returns a pointer to a boolean variable set to true func NewTrue() *bool { b := true return &b } // NewFalse returns a pointer to a boolean variable set to false func NewFalse() *bool { return new(bool) } func GetContainers(resource Resource) []*ContainerV1 { podSpec := GetPodSpec(resource) if podSpec == nil { return nil } var containers []*ContainerV1 for i := range podSpec.Containers { containers = append(containers, &podSpec.Containers[i]) } if len(podSpec.InitContainers) > 0 { containers = append(containers, GetInitContainers(resource)...) } return containers } func GetInitContainers(resource Resource) []*ContainerV1 { podSpec := GetPodSpec(resource) if podSpec == nil { return nil } containers := make([]*ContainerV1, len(podSpec.InitContainers)) for i := range podSpec.InitContainers { containers[i] = &podSpec.InitContainers[i] } return containers } // GetAnnotations returns the annotations at the pod level. If the resource does not have pods, then it returns // the least-nested annotations func GetAnnotations(resource Resource) map[string]string { objectMeta := GetPodObjectMeta(resource) if objectMeta != nil { return objectMeta.GetAnnotations() } return nil } // GetLabels returns the labels at the pod level. If the resource does not have pods, then it returns the // least-nested labels func GetLabels(resource Resource) map[string]string { objectMeta := GetPodObjectMeta(resource) if objectMeta != nil { return objectMeta.GetLabels() } return nil } // GetObjectMeta returns the highest-level ObjectMeta func GetObjectMeta(resource Resource) metav1.Object { obj, _ := resource.(metav1.ObjectMetaAccessor) if obj != nil { return obj.GetObjectMeta() } return nil } // GetPodObjectMeta returns the ObjectMeta at the pod level. If the resource does not have pods, then it returns // the highest-level ObjectMeta func GetPodObjectMeta(resource Resource) metav1.Object { podTemplateSpec := GetPodTemplateSpec(resource) if podTemplateSpec != nil { return &podTemplateSpec.ObjectMeta } return GetObjectMeta(resource) } // GetPodSpec gets the PodSpec for a resource. Avoid using this function if you need support for Namespace or // ServiceAccount resources, and write a helper functions in this package instead func GetPodSpec(resource Resource) *PodSpecV1 { podTemplateSpec := GetPodTemplateSpec(resource) if podTemplateSpec != nil { return &podTemplateSpec.Spec } switch kubeType := resource.(type) { case *PodV1: return &kubeType.Spec case *NamespaceV1, *ServiceAccountV1: return nil } return nil } // GetPodTemplateSpec gets the PodTemplateSpec for a resource. Avoid using this function if you need support for // Pod, Namespace, or ServiceAccount resources, and write a helper functions in this package instead func GetPodTemplateSpec(resource Resource) *PodTemplateSpecV1 { switch kubeType := resource.(type) { case *CronJobV1Beta1: return &kubeType.Spec.JobTemplate.Spec.Template case *DaemonSetV1: return &kubeType.Spec.Template case *DeploymentV1: return &kubeType.Spec.Template case *JobV1: return &kubeType.Spec.Template case *PodTemplateV1: return &kubeType.Template case *ReplicationControllerV1: return kubeType.Spec.Template case *StatefulSetV1: return &kubeType.Spec.Template case *PodV1, *NamespaceV1: return nil } return nil } 07070100000149000081A400000000000000000000000166C635DC00000D82000000000000000000000000000000000000002600000000kubeaudit-0.22.2/pkg/k8s/resources.gopackage k8s var podTemplateSpec = PodTemplateSpecV1{ ObjectMeta: ObjectMetaV1{}, Spec: PodSpecV1{}, } // NewDeployment creates a new Deployment resource func NewDeployment() *DeploymentV1 { return &DeploymentV1{ TypeMeta: TypeMetaV1{ Kind: "Deployment", APIVersion: "apps/v1", }, ObjectMeta: ObjectMetaV1{}, Spec: DeploymentSpecV1{ Template: podTemplateSpec, }, } } // NewPod creates a new Pod resource func NewPod() *PodV1 { return &PodV1{ TypeMeta: TypeMetaV1{ Kind: "Pod", APIVersion: "v1", }, ObjectMeta: ObjectMetaV1{}, Spec: PodSpecV1{}, } } // NewNamespace creates a new Namespace resource func NewNamespace() *NamespaceV1 { return &NamespaceV1{ TypeMeta: TypeMetaV1{ Kind: "Namespace", APIVersion: "v1", }, ObjectMeta: ObjectMetaV1{}, Spec: NamespaceSpecV1{}, } } // NewDaemonSet creates a new DaemonSet resource func NewDaemonSet() *DaemonSetV1 { return &DaemonSetV1{ TypeMeta: TypeMetaV1{ Kind: "DaemonSet", APIVersion: "apps/v1", }, ObjectMeta: ObjectMetaV1{}, Spec: DaemonSetSpecV1{ Template: podTemplateSpec, }, } } // NewReplicationController creates a new ReplicationController resource func NewReplicationController() *ReplicationControllerV1 { return &ReplicationControllerV1{ TypeMeta: TypeMetaV1{ Kind: "ReplicationController", APIVersion: "v1", }, ObjectMeta: ObjectMetaV1{}, Spec: ReplicationControllerSpecV1{ Template: podTemplateSpec.DeepCopy(), }, } } // NewStatefulSet creates a new StatefulSet resource func NewStatefulSet() *StatefulSetV1 { return &StatefulSetV1{ TypeMeta: TypeMetaV1{ Kind: "StatefulSet", APIVersion: "apps/v1", }, ObjectMeta: ObjectMetaV1{}, Spec: StatefulSetSpecV1{ Template: podTemplateSpec, }, } } // NewNetworkPolicy creates a new NetworkPolicy resource func NewNetworkPolicy() *NetworkPolicyV1 { return &NetworkPolicyV1{ TypeMeta: TypeMetaV1{ Kind: "NetworkPolicy", APIVersion: "networking.k8s.io/v1", }, ObjectMeta: ObjectMetaV1{}, Spec: NetworkPolicySpecV1{}, } } // NewPodTemplate creates a new PodTemplate resource func NewPodTemplate() *PodTemplateV1 { return &PodTemplateV1{ TypeMeta: TypeMetaV1{ Kind: "PodTemplate", APIVersion: "v1", }, ObjectMeta: ObjectMetaV1{}, Template: podTemplateSpec, } } // NewCronJob creates a new CronJob resource func NewCronJob() *CronJobV1Beta1 { return &CronJobV1Beta1{ TypeMeta: TypeMetaV1{ Kind: "CronJob", APIVersion: "batch/v1beta1", }, ObjectMeta: ObjectMetaV1{}, Spec: CronJobSpecV1Beta1{ JobTemplate: JobTemplateSpecV1Beta1{ Spec: JobSpecV1{ Template: podTemplateSpec, }, }, }, } } // NewServiceAccount creates a new ServiceAccount resource func NewServiceAccount() *ServiceAccountV1 { return &ServiceAccountV1{ TypeMeta: TypeMetaV1{ Kind: "ServiceAccount", APIVersion: "v1", }, ObjectMeta: ObjectMetaV1{}, } } // NewService creates a new Service resource func NewService() *ServiceV1 { return &ServiceV1{ TypeMeta: TypeMetaV1{ Kind: "Service", APIVersion: "v1", }, ObjectMeta: ObjectMetaV1{}, } } // NewJob creates a new Job resource func NewJob() *JobV1 { return &JobV1{ TypeMeta: TypeMetaV1{ Kind: "Job", APIVersion: "batch/v1", }, ObjectMeta: ObjectMetaV1{}, Spec: JobSpecV1{ Template: podTemplateSpec, }, } } 0707010000014A000081A400000000000000000000000166C635DC000000BA000000000000000000000000000000000000002800000000kubeaudit-0.22.2/pkg/k8s/type_checks.gopackage k8s func IsNamespaceV1(resource Resource) bool { _, ok := resource.(*NamespaceV1) return ok } func IsPodV1(resource Resource) bool { _, ok := resource.(*PodV1) return ok } 0707010000014B000081A400000000000000000000000166C635DC0000106D000000000000000000000000000000000000002200000000kubeaudit-0.22.2/pkg/k8s/types.gopackage k8s import ( appsv1 "k8s.io/api/apps/v1" batchv1 "k8s.io/api/batch/v1" batchv1beta1 "k8s.io/api/batch/v1beta1" apiv1 "k8s.io/api/core/v1" networkingv1 "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" k8sRuntime "k8s.io/apimachinery/pkg/runtime" ) // CapabilitiesV1 is a type alias for the v1 version of the k8s API. type CapabilitiesV1 = apiv1.Capabilities // CapabilityV1 is a type alias for the v1 version of the k8s API. type CapabilityV1 = apiv1.Capability // ContainerV1 is a type alias for the v1 version of the k8s API. type ContainerV1 = apiv1.Container // CronJobV1Beta1 is a type alias for the v1beta1 version of the k8s batch API. type CronJobV1Beta1 = batchv1beta1.CronJob // CronJobSpecV1Beta1 is a type alias for the v1beta1 version of the k8s batch API. type CronJobSpecV1Beta1 = batchv1beta1.CronJobSpec // DaemonSetSpecV1 is a type alias for the v1 version of the k8s apps API. type DaemonSetSpecV1 = appsv1.DaemonSetSpec // DaemonSetV1 is a type alias for the v1 version of the k8s API. type DaemonSetV1 = appsv1.DaemonSet // DeploymentSpecV1 is a type alias for the v1 version of the k8s apps API. type DeploymentSpecV1 = appsv1.DeploymentSpec // DeploymentV1 is a type alias for the v1 version of the k8s apps API. type DeploymentV1 = appsv1.Deployment // JobTemplateSpecV1Beta1 is a type alias for the v1beta1 version of the k8s batch API. type JobTemplateSpecV1Beta1 = batchv1beta1.JobTemplateSpec // JobSpecV1 is a type alias for the v1 version of the k8s batch API. type JobSpecV1 = batchv1.JobSpec // JobV1 is a type alias for the v1 version of the k8s batch API. type JobV1 = batchv1.Job // ListOptionsV1 is a type alias for the v1 version of the k8s meta API. type ListOptionsV1 = metav1.ListOptions // NamespaceV1 is a type alias for the v1 version of the k8s API. type NamespaceV1 = apiv1.Namespace // NamespaceSpecV1 is a type alias for the v1 version of the k8s API. type NamespaceSpecV1 = apiv1.NamespaceSpec // NetworkPolicySpecV1 is a type alias for the v1 version of the k8s networking API. type NetworkPolicySpecV1 = networkingv1.NetworkPolicySpec // NetworkPolicyV1 is a type alias for the v1 version of the k8s networking API. type NetworkPolicyV1 = networkingv1.NetworkPolicy // ObjectMetaV1 is a type alias for the v1 version of the k8s meta API. type ObjectMetaV1 = metav1.ObjectMeta // PodSpecV1 is a type alias for the v1 version of the k8s API. type PodSpecV1 = apiv1.PodSpec // PodTemplateSpecV1 is a type alias for the v1 version of the k8s API. type PodTemplateSpecV1 = apiv1.PodTemplateSpec // PodTemplateV1 is a type alias for the v1 version of the k8s API. type PodTemplateV1 = apiv1.PodTemplate // PodV1 is a type alias for the v1 version of the k8s API. type PodV1 = apiv1.Pod // PolicyTypeV1 is a type alias for the v1 version of the k8s networking API. type PolicyTypeV1 = networkingv1.PolicyType // ReplicationControllerSpecV1 is a type alias for the v1 version of the k8s API. type ReplicationControllerSpecV1 = apiv1.ReplicationControllerSpec // ReplicationControllerV1 is a type alias for the v1 version of the k8s API. type ReplicationControllerV1 = apiv1.ReplicationController // Resource is a type alias for a runtime.Object type Resource k8sRuntime.Object // SecurityContextV1 is a type alias for the v1 version of the k8s API. type SecurityContextV1 = apiv1.SecurityContext // ServiceAccountV1 is a type alias for the v1 version of the k8s API. type ServiceAccountV1 = apiv1.ServiceAccount // ServiceV1 is a type alias for the v1 version of the k8s API. type ServiceV1 = apiv1.Service // ServiceV1Spec is a type alias for the v1 version of the k8s API. type ServiceV1Spec = apiv1.ServiceSpec // StatefulSetSpecV1 is a type alias for the v1 version of the k8s apps API. type StatefulSetSpecV1 = appsv1.StatefulSetSpec // StatefulSetV1 is a type alias for the v1 version of the k8s apps API. type StatefulSetV1 = appsv1.StatefulSet // TypeMetaV1 is a type alias for the v1 version of the k8s meta API. type TypeMetaV1 = metav1.TypeMeta // UnsupportedType is a type alias for v1 version of the k8s apps API, this is meant for testing type UnsupportedType = apiv1.Binding 0707010000014C000041ED00000000000000000000000266C635DC00000000000000000000000000000000000000000000001E00000000kubeaudit-0.22.2/pkg/override0707010000014D000081A400000000000000000000000166C635DC00001630000000000000000000000000000000000000002A00000000kubeaudit-0.22.2/pkg/override/override.gopackage override import ( "strings" "github.com/Shopify/kubeaudit" "github.com/Shopify/kubeaudit/pkg/k8s" ) const ( // TODO: remove deprecated unregistered labels after warning users about the breaking change // DeprecatedContainerOverrideLabelPrefix is used to disable an auditor for a specific container DeprecatedContainerOverrideLabelPrefix = "container.audit.kubernetes.io/" // DeprecatedPodOverrideLabelPrefix is used to disable an auditor for a specific pod DeprecatedPodOverrideLabelPrefix = "audit.kubernetes.io/pod." // DeprecatedNamespaceOverrideLabelPrefix is used to disable an auditor for a specific namespace resource DeprecatedNamespaceOverrideLabelPrefix = "audit.kubernetes.io/namespace." // ContainerOverrideLabelPrefix is used to disable an auditor for a specific container ContainerOverrideLabelPrefix = "container.kubeaudit.io/" // OverrideLabelPrefix is used to disable an auditor for either a pod or namespace OverrideLabelPrefix = "kubeaudit.io/" ) // GetOverriddenResultName takes an audit result name and modifies it to indicate that the security issue was // ignored by an override label func GetOverriddenResultName(resultName string) string { return resultName + "Allowed" } // NewRedundantOverrideResult creates a new AuditResult at warning level telling the user to remove the override // label because there are no security issues found, so the label is redundant func NewRedundantOverrideResult(auditorName, containerName, overrideReason, overrideLabel string) *kubeaudit.AuditResult { return &kubeaudit.AuditResult{ Auditor: auditorName, Rule: kubeaudit.RedundantAuditorOverride, Severity: kubeaudit.Warn, Message: "Auditor is disabled via label but there were no security issues found by the auditor. The label should be removed.", Metadata: kubeaudit.Metadata{ "Container": containerName, "OverrideLabel": overrideLabel, }, } } // ApplyOverride checks if hasOverride is true. If it is, it changes the severity of the audit result from error to // info, adds the override reason to the metadata and removes the pending fix func ApplyOverride(auditResult *kubeaudit.AuditResult, auditorName, containerName string, resource k8s.Resource, overrideLabel string) *kubeaudit.AuditResult { hasOverride, overrideReason := GetContainerOverrideReason(containerName, resource, overrideLabel) if !hasOverride { return auditResult } if auditResult == nil { return NewRedundantOverrideResult(auditorName, containerName, overrideReason, overrideLabel) } auditResult.Rule = GetOverriddenResultName(auditResult.Rule) auditResult.PendingFix = nil auditResult.Severity = kubeaudit.Info auditResult.Message = "Audit result overridden: " + auditResult.Message if overrideReason != "" && strings.ToLower(overrideReason) != "true" { if auditResult.Metadata == nil { auditResult.Metadata = make(kubeaudit.Metadata) } auditResult.Metadata["OverrideReason"] = overrideReason } return auditResult } // GetContainerOverrideReason returns true if the resource has a pod-level label disabling a given auditor and the // value of the label which is meant to represent the reason for overriding the auditor // // Container override labels disable the auditor for that specific container and have the following format: // // container.kubeaudit.io/[container name].[auditor override label] // // If there is no container override label, it calls GetResourceOverrideReason() func GetContainerOverrideReason(containerName string, resource k8s.Resource, overrideLabel string) (hasOverride bool, reason string) { labels := k8s.GetLabels(resource) if containerName != "" { if reason, hasOverride = labels[GetDeprecatedContainerOverrideLabel(containerName, overrideLabel)]; hasOverride { return } if reason, hasOverride = labels[GetContainerOverrideLabel(containerName, overrideLabel)]; hasOverride { return } } return GetResourceOverrideReason(resource, overrideLabel) } // GetResourceOverrideReason returns true if the resource has a label disabling a given auditor and the value of the // label which is meant to represent the reason for overriding the auditor // // Pod override labels disable the auditor for the pod and all containers within the pod and have the following format: // // kubeaudit.io/[auditor override label] // // Namespace override labels disable the auditor for the namespace resource and have the following format: // // kubeaudit.io/[auditor override label] func GetResourceOverrideReason(resource k8s.Resource, auditorOverrideLabel string) (hasOverride bool, reason string) { labelFuncs := []func(overrideLabel string) string{ GetOverrideLabel, GetDeprecatedPodOverrideLabel, GetDeprecatedNamespaceOverrideLabel, } labels := k8s.GetLabels(resource) for _, getLabel := range labelFuncs { if reason, hasOverride = labels[getLabel(auditorOverrideLabel)]; hasOverride { return } } return false, "" } // TODO: remove deprecated getters func GetDeprecatedPodOverrideLabel(overrideLabel string) string { return DeprecatedPodOverrideLabelPrefix + overrideLabel } func GetDeprecatedNamespaceOverrideLabel(overrideLabel string) string { return DeprecatedNamespaceOverrideLabelPrefix + overrideLabel } func GetDeprecatedContainerOverrideLabel(containerName, overrideLabel string) string { return DeprecatedContainerOverrideLabelPrefix + containerName + "." + overrideLabel } func GetOverrideLabel(overrideLabel string) string { return OverrideLabelPrefix + overrideLabel } func GetContainerOverrideLabel(containerName, overrideLabel string) string { return ContainerOverrideLabelPrefix + containerName + "." + overrideLabel } 0707010000014E000081A400000000000000000000000166C635DC000013E4000000000000000000000000000000000000001C00000000kubeaudit-0.22.2/printer.gopackage kubeaudit import ( "fmt" "io" "os" "github.com/Shopify/kubeaudit/internal/color" "github.com/Shopify/kubeaudit/pkg/k8s" log "github.com/sirupsen/logrus" ) type Printer struct { writer io.Writer minSeverity SeverityLevel formatter log.Formatter color bool } type PrintOption func(p *Printer) // WithMinSeverity sets the minimum severity of results that will be printed. func WithMinSeverity(minSeverity SeverityLevel) PrintOption { return func(p *Printer) { p.minSeverity = minSeverity } } // WithWriter sets the writer where results will be written to. func WithWriter(writer io.Writer) PrintOption { return func(p *Printer) { p.writer = writer } } // WithFormatter sets a logrus formatter to use to format results. func WithFormatter(formatter log.Formatter) PrintOption { return func(p *Printer) { p.formatter = formatter } } // WithColor specifies whether or not to colorize output. You will likely want to set this to false if // not writing to standard out. func WithColor(color bool) PrintOption { return func(p *Printer) { p.color = color } } func (p *Printer) parseOptions(opts ...PrintOption) { for _, opt := range opts { opt(p) } } func NewPrinter(opts ...PrintOption) Printer { p := Printer{ writer: os.Stdout, minSeverity: Info, color: true, } p.parseOptions(opts...) return p } func (p *Printer) PrintReport(report *Report) { if p.formatter == nil { p.prettyPrintReport(report) } else { p.logReport(report) } } func (p *Printer) prettyPrintReport(report *Report) { if len(report.ResultsWithMinSeverity(p.minSeverity)) < 1 { p.printColor(color.GreenColor, "All checks completed. 0 high-risk vulnerabilities found\n") return } for _, workloadResult := range report.ResultsWithMinSeverity(p.minSeverity) { resource := workloadResult.GetResource().Object() objectMeta := k8s.GetObjectMeta(resource) resouceApiVersion, resourceKind := resource.GetObjectKind().GroupVersionKind().ToAPIVersionAndKind() p.printColor(color.CyanColor, "\n---------------- Results for ---------------\n\n") p.printColor(color.CyanColor, " apiVersion: "+resouceApiVersion+"\n") p.printColor(color.CyanColor, " kind: "+resourceKind+"\n") if objectMeta != nil && (objectMeta.GetName() != "" || objectMeta.GetNamespace() != "") { p.printColor(color.CyanColor, " metadata:\n") if objectMeta.GetName() != "" { p.printColor(color.CyanColor, " name: "+objectMeta.GetName()+"\n") } if objectMeta.GetNamespace() != "" { p.printColor(color.CyanColor, " namespace: "+objectMeta.GetNamespace()+"\n") } } p.printColor(color.CyanColor, "\n--------------------------------------------\n\n") for _, auditResult := range workloadResult.GetAuditResults() { severityColor := color.YellowColor switch auditResult.Severity { case Info: severityColor = color.CyanColor case Warn: severityColor = color.YellowColor case Error: severityColor = color.RedColor } p.print("-- ") p.printColor(severityColor, "["+auditResult.Severity.String()+"] ") p.print(auditResult.Rule + "\n") p.print(" Message: " + auditResult.Message + "\n") if len(auditResult.Metadata) > 0 { p.print(" Metadata:\n") } for k, v := range auditResult.Metadata { p.print(fmt.Sprintf(" %s: %s\n", k, v)) } p.print("\n") } } } func (p *Printer) print(s string) { fmt.Fprint(p.writer, s) } func (p *Printer) printColor(c string, s string) { if p.color { fmt.Fprint(p.writer, color.Colored(c, s)) } else { p.print(s) } } func (p *Printer) logReport(report *Report) { resultLogger := log.New() resultLogger.SetOutput(p.writer) resultLogger.SetFormatter(p.formatter) // We manually manage what severity levels to log, logrus should let everything through resultLogger.SetLevel(log.DebugLevel) for _, workloadResult := range report.ResultsWithMinSeverity(p.minSeverity) { for _, auditResult := range workloadResult.GetAuditResults() { p.logAuditResult(workloadResult.GetResource().Object(), auditResult, resultLogger) } } } func (p *Printer) logAuditResult(resource k8s.Resource, result *AuditResult, baseLogger *log.Logger) { logger := baseLogger.WithFields(p.getLogFieldsForResult(resource, result)) switch result.Severity { case Info: logger.Info(result.Message) case Warn: logger.Warn(result.Message) case Error: logger.Error(result.Message) } } func (p *Printer) getLogFieldsForResult(resource k8s.Resource, result *AuditResult) log.Fields { apiVersion, kind := resource.GetObjectKind().GroupVersionKind().ToAPIVersionAndKind() objectMeta := k8s.GetObjectMeta(resource) fields := log.Fields{ "AuditResultName": result.Rule, "ResourceKind": kind, "ResourceApiVersion": apiVersion, } if objectMeta != nil { if objectMeta.GetNamespace() != "" { fields["ResourceNamespace"] = objectMeta.GetNamespace() } if objectMeta.GetName() != "" { fields["ResourceName"] = objectMeta.GetName() } } for k, v := range result.Metadata { fields[k] = v } return fields } 0707010000014F000081A400000000000000000000000166C635DC00000ADF000000000000000000000000000000000000001B00000000kubeaudit-0.22.2/result.gopackage kubeaudit import "github.com/Shopify/kubeaudit/pkg/k8s" // AuditResult severity levels. They also correspond to log levels const ( // Info is used for informational audit results where no action is required Info SeverityLevel = 0 // Warn is used for audit results where there may be security concerns. If an auditor is disabled for a resource // using an override label, the audit results will be warnings instead of errors. Kubeaudit will NOT attempt to // fix these Warn SeverityLevel = 1 // Error is used for audit results where action is required. Kubeaudit will attempt to fix these Error SeverityLevel = 2 ) // Result contains the audit results for a single Kubernetes resource type Result interface { GetResource() KubeResource GetAuditResults() []*AuditResult } type SeverityLevel int func (s SeverityLevel) String() string { switch s { case Info: return "info" case Warn: return "warning" case Error: return "error" default: return "unknown" } } // AuditResult represents a potential security issue. There may be multiple AuditResults per resource and audit type AuditResult struct { Auditor string // Auditor name Rule string // Rule uniquely identifies a type of violation Severity SeverityLevel // Severity is one of Error, Warn, or Info Message string // Message is a human-readable description of the audit result PendingFix PendingFix // PendingFix is the fix that will be applied to automatically fix the security issue Metadata Metadata // Metadata includes additional context for an audit result FilePath string // Manifest file path } func (result *AuditResult) Fix(resource k8s.Resource) (newResources []k8s.Resource) { if result.PendingFix == nil { return nil } return result.PendingFix.Apply(resource) } func (result *AuditResult) FixPlan() (ok bool, plan string) { if result.PendingFix == nil { return false, "" } return true, result.PendingFix.Plan() } // PendingFix includes the logic to automatically fix the issues caught by auditing type PendingFix interface { // Plan returns a human-readable description of what Apply() will do Plan() string // Apply applies the proposed fix to the resource and returns any new resources that were created. Note that // Apply is expected to modify the passed in resource Apply(k8s.Resource) []k8s.Resource } // Metadata holds metadata for a potential security issue type Metadata = map[string]string // Implements Result type WorkloadResult struct { Resource KubeResource AuditResults []*AuditResult } func (wlResult *WorkloadResult) GetResource() KubeResource { return wlResult.Resource } func (wlResult *WorkloadResult) GetAuditResults() []*AuditResult { return wlResult.AuditResults } 07070100000150000081ED00000000000000000000000166C635DC000001DC000000000000000000000000000000000000001900000000kubeaudit-0.22.2/test.sh#!/usr/bin/env bash set -e echo "Starting tests. This may take a while..." function finish { if [ "$USE_KIND" == "true" ] ; then make test-teardown fi } trap finish EXIT if [ "$USE_KIND" == "true" ] ; then make test-setup fi touch coverage.txt for d in $(go list ./...); do go test -race -coverprofile=profile.out -covermode=atomic $d if [ -f profile.out ]; then cat profile.out >> coverage.txt rm profile.out fi done 07070100000151000081A400000000000000000000000166C635DC000008B1000000000000000000000000000000000000001900000000kubeaudit-0.22.2/util.gopackage kubeaudit import ( "bytes" "fmt" "github.com/Shopify/kubeaudit/internal/k8sinternal" "github.com/Shopify/kubeaudit/pkg/k8s" "gopkg.in/yaml.v3" ) func getResourcesFromClient(client k8sinternal.KubeClient, options k8sinternal.ClientOptions) ([]KubeResource, error) { var resources []KubeResource k8sresources, err := client.GetAllResources(options) if err != nil { return nil, err } for _, resource := range k8sresources { resources = append(resources, &kubeResource{object: resource}) } return resources, nil } func getResourcesFromManifest(data []byte) ([]KubeResource, error) { var resources []KubeResource bufSlice := bytes.Split(data, []byte("---")) for _, b := range bufSlice { obj, err := k8sinternal.DecodeResource(b) if err == nil && obj != nil { source := &kubeResource{ object: obj, bytes: b, } resources = append(resources, source) } else if err := yaml.Unmarshal(data, &yaml.Node{}); err != nil { return nil, fmt.Errorf("Invalid yaml: %w", err) } else { resources = append(resources, &kubeResource{bytes: b}) } } return resources, nil } func auditResources(resources []KubeResource, auditable []Auditable) ([]Result, error) { var results []Result for _, resource := range resources { result, err := auditResource(resource, resources, auditable) if err != nil { return nil, err } results = append(results, result) } return results, nil } func auditResource(resource KubeResource, resources []KubeResource, auditables []Auditable) (Result, error) { result := &WorkloadResult{ Resource: resource, AuditResults: []*AuditResult{}, } if resource.Object() == nil { return result, nil } for _, auditable := range auditables { auditResults, err := auditable.Audit(resource.Object(), unwrapResources(resources)) if err != nil { return nil, err } result.AuditResults = append(result.AuditResults, auditResults...) } return result, nil } func unwrapResources(resources []KubeResource) []k8s.Resource { unwrappedResources := make([]k8s.Resource, 0, len(resources)) for _, resource := range resources { unwrappedResources = append(unwrappedResources, resource.Object()) } return unwrappedResources } 07070100000152000081A400000000000000000000000166C635DC00000B3E000000000000000000000000000000000000001E00000000kubeaudit-0.22.2/util_test.gopackage kubeaudit import ( "bytes" "encoding/json" "testing" "github.com/Shopify/kubeaudit/pkg/k8s" log "github.com/sirupsen/logrus" "github.com/stretchr/testify/assert" ) type logEntry struct { AuditResultName string Foo string Level string `json:"level"` ResourceKind string ResourceApiVersion string ResourceName string ResourceNamespace string } func TestPrintResults(t *testing.T) { report := Report{ results: []Result{ &WorkloadResult{ AuditResults: []*AuditResult{ newTestAuditResult(Error), newTestAuditResult(Warn), newTestAuditResult(Info), }, Resource: &kubeResource{ object: k8s.NewPod(), }, }, }, } out := bytes.NewBuffer(nil) writerOption := WithWriter(out) formatterOption := WithFormatter(&log.JSONFormatter{}) // Error results only report.PrintResults(writerOption, WithMinSeverity(Error), formatterOption) assert.Equal(t, 1, bytes.Count(out.Bytes(), []byte{'\n'})) out.Reset() // Error and warn results report.PrintResults(writerOption, WithMinSeverity(Warn), formatterOption) assert.Equal(t, 2, bytes.Count(out.Bytes(), []byte{'\n'})) out.Reset() // Error, warn, and info results report.PrintResults(writerOption, WithMinSeverity(Info), formatterOption) assert.Equal(t, 3, bytes.Count(out.Bytes(), []byte{'\n'})) } func newTestAuditResult(severity SeverityLevel) *AuditResult { return &AuditResult{ Rule: "MyAuditResult", Severity: severity, Metadata: Metadata{"Foo": "bar"}, } } func TestLogAuditResult(t *testing.T) { for _, severity := range []SeverityLevel{Error, Warn, Info} { // Send all log output as JSON to this byte buffer out := bytes.NewBuffer(nil) resource := k8s.NewDeployment() resource.Name = "mydeployment" resource.Namespace = "mynamespace" auditResult := newTestAuditResult(severity) report := &Report{ results: []Result{ &WorkloadResult{ AuditResults: []*AuditResult{ auditResult, }, Resource: &kubeResource{ object: resource, }, }, }, } expectedApiVersion, expectedKind := resource.GetObjectKind().GroupVersionKind().ToAPIVersionAndKind() expected := logEntry{ AuditResultName: "MyAuditResult", Level: severity.String(), Foo: auditResult.Metadata["Foo"], ResourceKind: expectedKind, ResourceApiVersion: expectedApiVersion, ResourceName: resource.GetName(), ResourceNamespace: resource.GetNamespace(), } // This writes the log to the variable out, parses the JSON into the logEntry struct, and checks the struct printer := NewPrinter(WithWriter(out), WithFormatter(&log.JSONFormatter{})) printer.PrintReport(report) got := logEntry{} err := json.Unmarshal(out.Bytes(), &got) assert.NoError(t, err) assert.Equal(t, expected, got) out.Reset() } } 07070100000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000B00000000TRAILER!!!1261 blocks
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
