
k8s scan compare results #1867

Closed
vjeffrey opened this issue Sep 23, 2023 · 7 comments · Fixed by #1937
Comments

vjeffrey (Contributor) opened the issue:

FTL failed to resolve policies error="failed to compile bundle: failed to compile //local.cnspec.io/run/local-execution/queries/mondoo-kubernetes-best-practices-ingress-cert-expiration: failed to compile query 'k8s.ingress.tls.all(\n  certificates.all(\n    expiresIn.days > 15\n  )\n)\n': cannot find resource that is called by '>' of type core.certificate\nfailed to compile //local.cnspec.io/run/local-execution/queries/mondoo-kubernetes-best-practices-ingress-cert-expiration: failed to compile query 'k8s.ingress.tls.all(\n  certificates.all(\n    expiresIn.days > 15\n  )\n)\n': cannot find resource that is called by '>' of type core.certificate\n"
exit status 1
vjeffrey added the v9 label Sep 23, 2023

vjeffrey (Contributor, Author) commented Sep 23, 2023

Some assets are missing platform ids.

Edit: I should have mentioned that this test was against minikube.

czunker added the bug ("Something isn't working") label Sep 25, 2023
czunker added this to the v9 milestone Sep 25, 2023
czunker self-assigned this Sep 25, 2023

czunker (Contributor) commented Sep 25, 2023

I couldn't really pin this down to a query. I get a panic, because the cluster doesn't have certificates:

cnquery run k8s --discover ingresses -c "k8s.ingress.tls{ certificates{ * }}" 
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x48 pc=0xc4ecbf]

goroutine 1 [running]:
go.mondoo.com/cnquery/mqlc.publicFieldsInfo(0xc000757a70, 0x0)
	/home/christian/workspace/mondoo/github.com/cnquery/mqlc/builtin.go:192 +0x3f
go.mondoo.com/cnquery/mqlc.availableGlobFields(0xc000757a70, {0xc000774de1?, 0x0?}, 0x0)
	/home/christian/workspace/mondoo/github.com/cnquery/mqlc/builtin.go:257 +0xc7
go.mondoo.com/cnquery/mqlc.(*compiler).compileBlock(0xc000757a70, {0xc00007ea28?, 0x1?, 0x1?}, {0xc000774de0, 0x12}, 0x0?)
	/home/christian/workspace/mondoo/github.com/cnquery/mqlc/mqlc.go:292 +0x15c
go.mondoo.com/cnquery/mqlc.(*compiler).compileOperand(0xc000757a70, 0xc00075d3b0)
	/home/christian/workspace/mondoo/github.com/cnquery/mqlc/mqlc.go:1580 +0xdcc
go.mondoo.com/cnquery/mqlc.(*compiler).compileExpression(...)
	/home/christian/workspace/mondoo/github.com/cnquery/mqlc/mqlc.go:1596
go.mondoo.com/cnquery/mqlc.(*compiler).compileAndAddExpression(0xc000757a70, 0xcc67bdf3862d5bdf?)
	/home/christian/workspace/mondoo/github.com/cnquery/mqlc/mqlc.go:1600 +0x2b
go.mondoo.com/cnquery/mqlc.(*compiler).compileExpressions(0xc000757a70, {0xc00007ea30, 0x1, 0x1?})
	/home/christian/workspace/mondoo/github.com/cnquery/mqlc/mqlc.go:1676 +0x2ad
go.mondoo.com/cnquery/mqlc.(*compiler).blockOnResource(0xc0007579e0, {0xc00007ea30, 0x1, 0x1}, {0xc00072fcc1, 0xf}, 0x100000002)
	/home/christian/workspace/mondoo/github.com/cnquery/mqlc/mqlc.go:590 +0x333
go.mondoo.com/cnquery/mqlc.(*compiler).blockExpressions(0xc0007579e0, {0xc00007ea30, 0x1, 0x1}, {0xc00072fcc0?, 0xc000856e50?}, 0x100000002)
	/home/christian/workspace/mondoo/github.com/cnquery/mqlc/mqlc.go:662 +0x30a
go.mondoo.com/cnquery/mqlc.(*compiler).compileBlock(0xc0007579e0, {0xc00007ea30?, 0x1?, 0x1?}, {0xc00072fcc0, 0x10}, 0x2?)
	/home/christian/workspace/mondoo/github.com/cnquery/mqlc/mqlc.go:310 +0x197
go.mondoo.com/cnquery/mqlc.(*compiler).compileOperand(0xc0007579e0, 0xc00075d310)
	/home/christian/workspace/mondoo/github.com/cnquery/mqlc/mqlc.go:1580 +0xdcc
go.mondoo.com/cnquery/mqlc.(*compiler).compileExpression(...)
	/home/christian/workspace/mondoo/github.com/cnquery/mqlc/mqlc.go:1596

One level higher all is fine:

cnquery run k8s --discover ingresses -c "k8s.ingress.tls{ * }" 
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
k8s.ingress.tls: []
k8s.ingress.tls: []

czunker (Contributor) commented Sep 26, 2023

I can reproduce it with a single run against a cluster where Ingress objects are present, but they do not have a tls entry:

cnquery run k8s --discover ingresses -c "k8s.ingress.tls.all( certificates.all( expiresIn.days > 15 ) )" --verbose
! CLI pre-processing encountered an issue error="unknown flag: --verbose"
DBG using provider k8s with connector k8s
DBG no need to update provider last-refresh=16m48.086318061s provider=k8s
DBG running provider plugin path=/home/christian/.config/mondoo/providers/k8s/k8s
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
DBG resolved 2 assets
failed to compile: cannot find resource that is called by '>' of type core.certificate
FTL failed to run query error="failed to run: cannot find resource that is called by '>' of type core.certificate"

czunker (Contributor) commented Sep 26, 2023

In contrast, the v8 output:

cnquery run k8s --discover ingresses -c "k8s.ingress.tls.all( certificates.all( expiresIn.days > 15 ) )"     INT ✘ │ 09:29:03 
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=2
[ok] value: true

[ok] value: true

czunker (Contributor) commented Sep 26, 2023

os.rootCertificates works:

./cnquery run local -c "os.rootCertificates.all( expiresIn.days > 15 )" 
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
x found a mandatory argument for list, which is not supported: files for list of os.rootCertificates
[failed] os.rootCertificates.all()
  actual:   [
    0: certificate {
      subject.commonName: "E-Tugra Certification Authority"

czunker (Contributor) commented Sep 26, 2023

It's getting weird. In a cluster with an ingress including a tls section, I get a panic:

cnquery run k8s --discover ingresses -c "k8s.ingress.tls" 
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x40 pc=0xe26ea7]

goroutine 73 [running]:
go.mondoo.com/cnquery/providers.(*Runtime).lookupResourceProvider(0xc0005269c0, {0xc000659c60, 0xc})
	/home/christian/workspace/mondoo/github.com/cnquery/providers/runtime.go:537 +0x187
go.mondoo.com/cnquery/providers.(*Runtime).CreateResource(0xc0005269c0, {0xc000659c60, 0xc}, 0xc000c01860)
	/home/christian/workspace/mondoo/github.com/cnquery/providers/runtime.go:228 +0x3f
go.mondoo.com/cnquery/providers.(*providerCallbacks).GetData(0x128d600?, 0x412600?)
	/home/christian/workspace/mondoo/github.com/cnquery/providers/runtime.go:402 +0x45
go.mondoo.com/cnquery/providers-sdk/v1/plugin.(*GRPCProviderCallbackServer).GetData(0x1363ac0?, {0xc0001fcd90?, 0x49ea26?}, 0x0?)
	/home/christian/workspace/mondoo/github.com/cnquery/providers-sdk/v1/plugin/grpc.go:154 +0x1e
go.mondoo.com/cnquery/providers-sdk/v1/plugin._ProviderCallback_GetData_Handler({0x128d600?, 0xc000a32600}, {0x1607830, 0xc000c01470}, 0xc0001fccb0, 0x0)
	/home/christian/workspace/mondoo/github.com/cnquery/providers-sdk/v1/plugin/plugin_grpc.pb.go:427 +0x169
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0006b0000, {0x160dc60, 0xc0006a2680}, 0xc000391680, 0xc000968de0, 0x1fd6250, 0x0)
	/home/christian/go/pkg/mod/google.golang.org/[email protected]/server.go:1376 +0xde7
google.golang.org/grpc.(*Server).handleStream(0xc0006b0000, {0x160dc60, 0xc0006a2680}, 0xc000391680, 0x0)
	/home/christian/go/pkg/mod/google.golang.org/[email protected]/server.go:1753 +0x9e7
google.golang.org/grpc.(*Server).serveStreams.func1.1()
	/home/christian/go/pkg/mod/google.golang.org/[email protected]/server.go:998 +0x8d
created by google.golang.org/grpc.(*Server).serveStreams.func1 in goroutine 101
	/home/christian/go/pkg/mod/google.golang.org/[email protected]/server.go:996 +0x165

 ~/workspace/mondoo/github.com/cnquery │ main *8 ?4  k get ingress 
NAME                CLASS   HOSTS              ADDRESS   PORTS     AGE
hello-app-ingress   nginx   demo.cz-test.com             80, 443   3m19s

czunker (Contributor) commented Sep 26, 2023

I assume we are missing a provider to create the certificate resource. The resource is not part of the k8s provider, but we didn't create one, so the lookup fails when we try to create it.

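The failure mode described in the comment above (a resource whose owning provider was never loaded, so the lookup dereferences nil), modelled as an added Go example. This is a hypothetical sketch, not cnquery's runtime code; the `Runtime`, `Provider` and `lookup*` names are invented for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model of a runtime that maps resource names to the
// provider plugin able to create them (constructed for this example).
type Provider struct{ Name string }

type Runtime struct {
	providers map[string]*Provider // providers actually loaded, e.g. "k8s"
	schema    map[string]string    // resource name -> owning provider name
}

var ErrNoProvider = errors.New("no provider loaded for resource")

// lookupUnchecked mirrors the panic in the trace: the schema says
// "certificate" belongs to "core", but "core" was never loaded, so the
// map yields a nil *Provider and the field access faults.
func (r *Runtime) lookupUnchecked(resource string) string {
	return r.providers[r.schema[resource]].Name // nil deref when not loaded
}

// lookupChecked validates both lookups and returns a descriptive error
// instead of crashing the whole query run.
func (r *Runtime) lookupChecked(resource string) (*Provider, error) {
	owner, ok := r.schema[resource]
	if !ok {
		return nil, fmt.Errorf("unknown resource %q", resource)
	}
	p, ok := r.providers[owner]
	if !ok || p == nil {
		return nil, fmt.Errorf("%w: %q needs provider %q", ErrNoProvider, resource, owner)
	}
	return p, nil
}

// newRuntime builds the constructed scenario: only k8s is loaded, while
// the schema still routes "certificate" to the (absent) core provider.
func newRuntime() *Runtime {
	return &Runtime{
		providers: map[string]*Provider{"k8s": {Name: "k8s"}},
		schema:    map[string]string{"k8s.ingress": "k8s", "certificate": "core"},
	}
}

func main() {
	rt := newRuntime()
	if _, err := rt.lookupChecked("certificate"); err != nil {
		fmt.Println("error:", err)
	}
}
```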
czunker added a commit that referenced this issue Sep 26, 2023
Fixes #1867

Signed-off-by: Christian Zunker <[email protected]>
czunker added a commit that referenced this issue Sep 27, 2023
* 🐛 Fix k8s.ingress certificates

Fixes #1867

Signed-off-by: Christian Zunker <[email protected]>