Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Refine CVE check in check script for k8s version policy #779

Open
wants to merge 22 commits into
base: main
Choose a base branch
from
Open
Changes from all commits
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
d96edd7
adding functions for getting more information & debug
piobig2871 Oct 10, 2024
0caf99d
Merge branch 'main' into 526-refine-cve-check-in-scs-0210-v2-test-script
piobig2871 Oct 11, 2024
ebfe951
solving conflicts
piobig2871 Oct 16, 2024
e635411
fixing git inset
piobig2871 Oct 16, 2024
a298678
Merge branch 'main' into 526-refine-cve-check-in-scs-0210-v2-test-script
piobig2871 Oct 16, 2024
cfc3dc6
Merge branch 'main' into 526-refine-cve-check-in-scs-0210-v2-test-script
piobig2871 Oct 16, 2024
54ee694
feat: Add Kubernetes pod image scanning and improve error handling
piobig2871 Oct 18, 2024
cc87097
Merge branch 'main' into 526-refine-cve-check-in-scs-0210-v2-test-script
piobig2871 Oct 21, 2024
38921f1
Merge branch 'main' into 526-refine-cve-check-in-scs-0210-v2-test-script
piobig2871 Oct 22, 2024
12987e5
removing comments
piobig2871 Oct 23, 2024
1d332ae
reseting standard to it's original form
piobig2871 Nov 4, 2024
11daeac
reverting ClusterInfo to its original shape, removing kubeconfig fiel…
piobig2871 Nov 4, 2024
e62b347
removing unused kubeconfig variable
piobig2871 Nov 4, 2024
5ab2bd0
fixing pylint and docstring formatting
piobig2871 Nov 4, 2024
5e2b764
Update Tests/kaas/k8s-version-policy/k8s_version_policy.py
piobig2871 Nov 4, 2024
3348960
fixing pylint and resolving conflict which appeard after review
piobig2871 Nov 4, 2024
4a59878
fixing the script with providing proper images list to check out
piobig2871 Nov 7, 2024
cea9840
femoving unused lines
piobig2871 Nov 7, 2024
c676f5f
Merge branch 'main' into 526-refine-cve-check-in-scs-0210-v2-test-script
piobig2871 Nov 13, 2024
f1674fe
Update Tests/kaas/k8s-version-policy/k8s_version_policy.py
piobig2871 Nov 21, 2024
f51a46c
Merge branch 'main' into 526-refine-cve-check-in-scs-0210-v2-test-script
piobig2871 Nov 21, 2024
48ba4d7
Merge branch 'main' into 526-refine-cve-check-in-scs-0210-v2-test-script
piobig2871 Nov 28, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
97 changes: 96 additions & 1 deletion Tests/kaas/k8s-version-policy/k8s_version_policy.py
Original file line number Diff line number Diff line change
Expand Up @@ -24,9 +24,9 @@
(c) Hannes Baum <[email protected]>, 6/2023
(c) Martin Morgenstern <[email protected]>, 2/2024
(c) Matthias Büchse <[email protected]>, 3/2024
(c) Piotr Bigos <[email protected]>
SPDX-License-Identifier: CC-BY-SA-4.0
"""

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
Expand All @@ -35,11 +35,13 @@
import asyncio
import contextlib
import getopt
import json
import kubernetes_asyncio
import logging
import logging.config
import re
import requests
import subprocess
import sys
import yaml

Expand Down Expand Up @@ -93,6 +95,10 @@ class HelpException(BaseException):
"""Exception raised if the help functionality is called"""


class CriticalException(BaseException):
"""Raise an exception if a critical CVE is found"""


class Config:
kubeconfig = None
context = None
Expand Down Expand Up @@ -381,6 +387,82 @@ async def collect_cve_versions(session: aiohttp.ClientSession) -> set:
return cfvs


async def run_trivy_scan(image: str) -> dict:
"""Run Trivy scan on the specified image and return the results as a dictionary.

Args:
image (str): The Docker image to scan.

Returns:
dict: Parsed JSON results from Trivy.
"""
try:
# Run the Trivy scan command
result = await asyncio.create_subprocess_exec(
'trivy',
'image',
'--format', 'json',
'--no-progress',
image,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE
)

stdout, stderr = await result.communicate()

if result.returncode != 0:
logger.error("Trivy scan failed: %s", stderr.decode().strip())
return {}

# Parse the JSON output from Trivy
return json.loads(stdout.decode())

except Exception as e:
logger.error("Error running Trivy scan: %s", e)
return {}


async def get_k8s_pod_images(kubeconfig, context=None) -> list[str]:
"""Get the list of container images used by all the pods in the Kubernetes cluster."""

async with kubernetes_asyncio.client.ApiClient() as api:
v1 = kubernetes_asyncio.client.CoreV1Api(api)
pods = await v1.list_pod_for_all_namespaces(watch=False)

images = set()
for pod in pods.items:
for container in pod.spec.containers:
images.add(container.image)

if pod.spec.init_containers:
for container in pod.spec.init_containers:
images.add(container.image)

return list(images)


async def scan_k8s_images(images_to_scan) -> None:
"""Scan the images used in the Kubernetes cluster for vulnerabilities."""

for image in images_to_scan:
logger.info(f"Scanning image: {image}")
scan_results = await run_trivy_scan(image)

if scan_results:
for result in scan_results.get('Results', []):
for vulnerability in result.get('Vulnerabilities', []):
logger.warning(
f"""Vulnerability found in image {image}:
{vulnerability['VulnerabilityID']} "
(Severity: {vulnerability['Severity']})"""
)


async def get_images_and_scan(kubeconfig, context=None) -> None:
images_to_scan = await get_k8s_pod_images(kubeconfig, context)
await scan_k8s_images(images_to_scan)


async def get_k8s_cluster_info(kubeconfig, context=None) -> ClusterInfo:
"""Get the k8s version of the cluster under test."""
cluster_config = await kubernetes_asyncio.config.load_kube_config(kubeconfig, context)
Expand Down Expand Up @@ -479,6 +561,19 @@ async def main(argv):
cve_affected_ranges = await collect_cve_versions(session)
releases_data = fetch_k8s_releases_data()

try:
logger.info(
f"""Initiating scan on the Kubernetes cluster specified by kubeconfig at {config.kubeconfig}
with context {config.context if config.context else ''}.
Fetching cluster information and verifying access.""")
await get_k8s_cluster_info(config.kubeconfig, config.context)
await get_images_and_scan(config.kubeconfig, config.context)

except CriticalException as e:
logger.critical(e)
logger.debug("Exception info", exc_info=True)
return 1

try:
context_desc = f"context '{config.context}'" if config.context else "default context"
logger.info("Checking cluster specified by %s in %s.", context_desc, config.kubeconfig)
Expand Down