[Security Hardened Kubernetes Cluster] Rule 2005 implementation #380
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gardener-robot
added
needs/review
gardener-robot-ci-3
added
reviewed/ok-to-test
dimityrmirchev
requested changes
Nov 25, 2024
|
|
||
| type Rule2005 struct { | ||
| Client client.Client | ||
| Options *Options2005 |
There was a problem hiding this comment.
Please ensure that this implements the required Option interface.
| } | ||
|
|
||
| type Options2005 struct { | ||
| AllowedRepositories []AllowedRepository `json:"allowedRepositories" yaml:"allowedRepositories"` |
There was a problem hiding this comment.
Suggested change
| AllowedRepositories []AllowedRepository `json:"allowedRepositories" yaml:"allowedRepositories"` | |
| AllowedRepositories []AllowedRepository `json:"allowedImages" yaml:"allowedImages"` |
| return rule.Result(r, rule.ErroredCheckResult("rule options are missing, but required", nil)), nil | ||
| } | ||
|
|
||
| var checkResults []rule.CheckResult |
There was a problem hiding this comment.
Please move this closer to its use.
| checkResults = append(checkResults, rule.ErroredCheckResult(err.Error(), containerTarget.With("imageRef", imageRef))) | ||
| continue | ||
| } | ||
| imageBase := named.Name() |
There was a problem hiding this comment.
Let's also include the version/hash when comparing to prefixes
| }) { | ||
| checkResults = append(checkResults, rule.PassedCheckResult("Image comes from allowed repository.", containerTarget.With("imageBase", imageBase))) | ||
| } else { | ||
| checkResults = append(checkResults, rule.FailedCheckResult("Image comes from not allowed repository.", containerTarget.With("imageBase", imageBase))) |
There was a problem hiding this comment.
Suggested change
| checkResults = append(checkResults, rule.FailedCheckResult("Image comes from not allowed repository.", containerTarget.With("imageBase", imageBase))) | |
| checkResults = append(checkResults, rule.FailedCheckResult("Image has not allowed prefix.", containerTarget.With("imageRef", imageRef))) |
gardener-robot-ci-3
added
reviewed/ok-to-test
13 tasks
dimityrmirchev
previously approved these changes
Nov 26, 2024
|
|
||
| func (r *Rule2005) Run(ctx context.Context) (rule.RuleResult, error) { | ||
| if r.Options == nil { | ||
| return rule.Result(r, rule.ErroredCheckResult("rule options are missing, but required", nil)), nil |
There was a problem hiding this comment.
I think that we should rather report such error earlier. And/Or return a failed result when allowed images are not configured since all images are disallowed. WDYT?
There was a problem hiding this comment.
I think it would be best if the ruleset can run without requiring any options to be set. The earlier place to report this error would be when we register the rules.
We can change this check result to Failed and change the message to "There are no configured allowed images."
example/config/managedk8s.yaml
Outdated
| # - ruleID: "2005" | ||
| # args: | ||
| # allowedImages: | ||
| # - prefix: "repository.prefix" |
There was a problem hiding this comment.
Suggested change
| # - prefix: "repository.prefix" | |
| # - prefix: "example.foo.repository/organisation/releases/" |
gardener-robot-ci-1
added
the
reviewed/ok-to-test
gardener-robot-ci-2
removed
the
reviewed/ok-to-test
gardener-robot
added
reviewed/lgtm
gardener-robot-ci-2
added
the
reviewed/ok-to-test
gardener-robot
removed
needs/review
gardener-robot-ci-1
removed
the
reviewed/ok-to-test
AleksandarSavchev
force-pushed
the
implement-k8s-rule-2005
branch
from
62d4b37
to
061b390
Compare
gardener-robot
added
needs/changes
gardener-robot-ci-2
added
the
reviewed/ok-to-test
gardener-robot
added
needs/second-opinion
gardener-robot-ci-2
removed
the
reviewed/ok-to-test
gardener-robot
added
reviewed/lgtm
gardener-robot-ci-1
added
the
reviewed/ok-to-test
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
Which issue(s) this PR fixes:
Part of #356
Special notes for your reviewer:
Release note: