⭐️ cnspec v9 #873

Merged
merged 16 commits into from
Oct 4, 2023
1 change: 1 addition & 0 deletions .copywrite.hcl
Expand Up @@ -15,5 +15,6 @@ project {
"**/*_string.go",
"charts/mondoo-operator/**",
"config/**/*.yaml",
"controllers/admission/webhook-manifests.yaml",
]
}
14 changes: 13 additions & 1 deletion .vscode/launch.json
Expand Up @@ -22,7 +22,19 @@
"program": "${workspaceRoot}/cmd/mondoo-operator/main.go",
"args": ["operator"],
"env": {
"MONDOO_NAMESPACE_OVERRIDE": "mondoo-operator"
"MONDOO_NAMESPACE_OVERRIDE": "mondoo-operator",
}
},
{
"name": "operator v9",
"type": "go",
"request": "launch",
"mode": "auto",
"program": "${workspaceRoot}/cmd/mondoo-operator/main.go",
"args": ["operator"],
"env": {
"MONDOO_NAMESPACE_OVERRIDE": "mondoo-operator",
"FEATURE_ENABLE_V9": "1"
}
},
{
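Review bot: The env object of the first configuration now ends with a trailing comma after `"MONDOO_NAMESPACE_OVERRIDE": "mondoo-operator",`, which VS Code tolerates because it reads launch.json as JSONC, but any strict JSON tooling (jq, JSON linters, CI validators) will reject the file. Dropping that comma keeps the file valid for both readers; the new "operator v9" entry already omits it after `"FEATURE_ENABLE_V9": "1"`.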
10 changes: 4 additions & 6 deletions Makefile
Expand Up @@ -405,15 +405,13 @@ prep/tools/ranger:

prep/repos:
test -x cnquery || git clone https://github.com/mondoohq/cnquery.git
# workaround for now. Needs to be removed as we move to v9
cd cnquery && git fetch && git checkout v8
cd cnquery && git fetch && git checkout main
test -x cnspec || git clone https://github.com/mondoohq/cnspec.git
cd cnspec && git fetch && git checkout v8
cd cnspec && git fetch && git checkout main

prep/repos/update: prep/repos
# workaround for now. Needs to be removed as we move to v9
cd cnquery; git fetch; git checkout v8 && git pull; cd -;
cd cnspec; git checkout v8 && git pull; cd -;
cd cnquery; git fetch; git checkout main && git pull; cd -;
cd cnspec; git checkout main && git pull; cd -;

prep/ci/protoc:
curl -LO https://github.com/protocolbuffers/protobuf/releases/download/v${PROTO_VERSION}/protoc-${PROTO_VERSION}-linux-x86_64.zip
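Review bot: `prep/repos` and `prep/repos/update` now check out the moving `main` branch of cnquery and cnspec, so each developer or CI run builds against whatever upstream HEAD happens to be at that moment rather than a fixed, auditable revision. Pinning a tag or commit instead (for example a `CNQUERY_REF`/`CNSPEC_REF` variable — constructed names — passed to `git checkout`) makes the toolchain reproducible; the previous `v8` branch had the same weakness, but this switch is the natural moment to fix it. The cnspec line in `prep/repos/update` also still differs from the cnquery line by skipping `git fetch` before `git checkout main && git pull`; `cd cnspec; git fetch; git checkout main && git pull; cd -;` would make the two consistent.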
5 changes: 3 additions & 2 deletions cmd/mondoo-operator/garbage_collect/cmd.go
Expand Up @@ -13,10 +13,10 @@ import (

"github.com/go-logr/logr"
"github.com/spf13/cobra"
"go.mondoo.com/cnquery/motor/providers"
"go.mondoo.com/cnspec/policy/scan"
"go.mondoo.com/mondoo-operator/pkg/client/scanapiclient"
"go.mondoo.com/mondoo-operator/pkg/utils/logger"
"k8s.io/utils/ptr"
"sigs.k8s.io/controller-runtime/pkg/log"
)

Expand Down Expand Up @@ -73,6 +73,7 @@ func init() {
client, err := scanapiclient.NewClient(scanapiclient.ScanApiClientOptions{
ApiEndpoint: *scanApiUrl,
Token: token,
HttpTimeout: ptr.To(time.Duration((*timeout)) * time.Minute),
})
if err != nil {
return err
Expand Down Expand Up @@ -108,7 +109,7 @@ func GarbageCollectCmd(ctx context.Context, client scanapiclient.ScanApiClient,

if platformRuntime != "" {
switch platformRuntime {
case providers.RUNTIME_KUBERNETES_CLUSTER, providers.RUNTIME_DOCKER_IMAGE:
case "k8s", "docker-image":
nit: Should we use "container-image" instead of "docker-image"? It could be any OCI image.

Maybe change this once we enable v9 by default? I don't want to change the current behaviour while we are still working with v8.

gcOpts.PlatformRuntime = platformRuntime
default:
return fmt.Errorf("no matching platform runtime found for (%s)", platformRuntime)
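Review bot: `case "k8s", "docker-image":` now compares against bare string literals that are duplicated in cmd/mondoo-operator/k8s_scan/cmd.go (`platformRuntime := "k8s"` and `platformRuntime = "docker-image"`), so a typo in either file is only caught at runtime by the `default:` branch returning the "no matching platform runtime" error. Declaring them once, e.g. `const (RuntimeK8s = "k8s"; RuntimeDockerImage = "docker-image")` in the garbage_collect package (constructed names) and using the constants in both files keeps them in sync the way the removed `providers.RUNTIME_*` constants did. On the `HttpTimeout: ptr.To(time.Duration((*timeout)) * time.Minute)` line (same line in k8s_scan/cmd.go) the pointer is now always non-nil, so if the `timeout` flag can be 0 the client presumably receives a zero duration, which for a net/http client means no timeout at all — worth confirming in scanapiclient or guarding with `if *timeout > 0`. The double parentheses around `*timeout` can simply be `time.Duration(*timeout) * time.Minute`. GarbageCollectCmd starts and ends outside the hunk.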
7 changes: 4 additions & 3 deletions cmd/mondoo-operator/k8s_scan/cmd.go
Expand Up @@ -12,10 +12,10 @@ import (
"time"

"github.com/spf13/cobra"
"go.mondoo.com/cnquery/motor/providers"
"go.mondoo.com/mondoo-operator/cmd/mondoo-operator/garbage_collect"
"go.mondoo.com/mondoo-operator/pkg/client/scanapiclient"
"go.mondoo.com/mondoo-operator/pkg/utils/logger"
"k8s.io/utils/ptr"
"sigs.k8s.io/controller-runtime/pkg/log"
)

Expand Down Expand Up @@ -59,6 +59,7 @@ func init() {
client, err := scanapiclient.NewClient(scanapiclient.ScanApiClientOptions{
ApiEndpoint: *scanApiUrl,
Token: token,
HttpTimeout: ptr.To(time.Duration((*timeout)) * time.Minute),
})
if err != nil {
return err
Expand Down Expand Up @@ -95,9 +96,9 @@ func init() {

// If scanning successful, now attempt some cleanup of older assets
if *setManagedBy != "" && *cleanupOlderThan != "" {
platformRuntime := providers.RUNTIME_KUBERNETES_CLUSTER
platformRuntime := "k8s"
if *scanContainerImages {
platformRuntime = providers.RUNTIME_DOCKER_IMAGE
platformRuntime = "docker-image"
}

err = garbage_collect.GarbageCollectCmd(ctx, client, platformRuntime, *cleanupOlderThan, *setManagedBy, make(map[string]string), logger)
18 changes: 12 additions & 6 deletions cmd/mondoo-operator/operator/cmd.go
Expand Up @@ -8,6 +8,7 @@ import (

"github.com/go-logr/logr"
"github.com/spf13/cobra"
metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"

// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
// to ensure that exec-entrypoint and run can make use of them.
Expand Down Expand Up @@ -37,6 +38,7 @@ import (
"go.mondoo.com/mondoo-operator/pkg/utils/logger"
"go.mondoo.com/mondoo-operator/pkg/utils/mondoo"
"go.mondoo.com/mondoo-operator/pkg/version"
"sigs.k8s.io/controller-runtime/pkg/webhook"
//+kubebuilder:scaffold:imports
)

Expand Down Expand Up @@ -67,15 +69,19 @@ func init() {

mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
Scheme: scheme,
MetricsBindAddress: *metricsAddr,
Port: 9443,
Metrics: metricsserver.Options{BindAddress: *metricsAddr},
WebhookServer: webhook.NewServer(webhook.Options{Port: 9443}),
HealthProbeBindAddress: *probeAddr,
LeaderElection: *enableLeaderElection,
LeaderElectionID: "60679458.mondoo.com",
ClientDisableCacheFor: []client.Object{
// Don't cache so we can do a Get() on a Secret without a background List()
// trying to cache things we don't have access to
&corev1.Secret{},
Client: client.Options{
Cache: &client.CacheOptions{
DisableFor: []client.Object{
// Don't cache so we can do a Get() on a Secret without a background List()
// trying to cache things we don't have access to
&corev1.Secret{},
},
},
},
})
if err != nil {
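Review bot: `Metrics: metricsserver.Options{BindAddress: *metricsAddr}` carries only the bind address over from the old `MetricsBindAddress` field; in the controller-runtime releases that introduced `metricsserver.Options`, the metrics endpoint is served as plain HTTP without authentication unless `SecureServing: true` (and usually `FilterProvider: filters.WithAuthenticationAndAuthorization`) is set. That is the same exposure as before the migration, so nothing regresses here, but if `*metricsAddr` can be anything other than a loopback address it is worth deciding explicitly and recording the decision with a comment on that line, e.g. `// metrics are served unauthenticated; restrict with a NetworkPolicy or enable SecureServing`. `WebhookServer: webhook.NewServer(webhook.Options{Port: 9443})` likewise takes the defaults for CertDir and TLS settings, which presumably matches what the old `Port: 9443` field did — confirm against the pinned controller-runtime version. The enclosing function starts and ends outside the hunk.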
21 changes: 12 additions & 9 deletions config/crd/bases/k8s.mondoo.com_mondooauditconfigs.yaml
@@ -1,6 +1,3 @@
# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
Expand Down Expand Up @@ -104,7 +101,8 @@ spec:
description: "Claims lists the names of resources, defined
in spec.resourceClaims, that are used by this container.
\n This is an alpha field and requires enabling the DynamicResourceAllocation
feature gate. \n This field is immutable."
feature gate. \n This field is immutable. It can only be
set for containers."
items:
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
properties:
Expand Down Expand Up @@ -141,7 +139,8 @@ spec:
description: 'Requests describes the minimum amount of compute
resources required. If Requests is omitted for a container,
it defaults to Limits if that is explicitly specified, otherwise
to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
to an implementation-defined value. Requests cannot exceed
Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
type: object
type: object
type: object
Expand Down Expand Up @@ -211,7 +210,8 @@ spec:
description: "Claims lists the names of resources, defined
in spec.resourceClaims, that are used by this container.
\n This is an alpha field and requires enabling the DynamicResourceAllocation
feature gate. \n This field is immutable."
feature gate. \n This field is immutable. It can only be
set for containers."
items:
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
properties:
Expand Down Expand Up @@ -248,7 +248,8 @@ spec:
description: 'Requests describes the minimum amount of compute
resources required. If Requests is omitted for a container,
it defaults to Limits if that is explicitly specified, otherwise
to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
to an implementation-defined value. Requests cannot exceed
Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
type: object
type: object
type: object
Expand Down Expand Up @@ -407,7 +408,8 @@ spec:
description: "Claims lists the names of resources, defined
in spec.resourceClaims, that are used by this container.
\n This is an alpha field and requires enabling the DynamicResourceAllocation
feature gate. \n This field is immutable."
feature gate. \n This field is immutable. It can only be
set for containers."
items:
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
properties:
Expand Down Expand Up @@ -444,7 +446,8 @@ spec:
description: 'Requests describes the minimum amount of compute
resources required. If Requests is omitted for a container,
it defaults to Limits if that is explicitly specified, otherwise
to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
to an implementation-defined value. Requests cannot exceed
Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
type: object
type: object
serviceAccountName:
3 changes: 0 additions & 3 deletions config/crd/bases/k8s.mondoo.com_mondoooperatorconfigs.yaml
@@ -1,6 +1,3 @@
# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
13 changes: 10 additions & 3 deletions controllers/admission/cert-manager.go
Expand Up @@ -6,16 +6,18 @@ package admission
import (
"context"
_ "embed"
"errors"
"fmt"
"reflect"

"go.mondoo.com/mondoo-operator/api/v1alpha2"
"go.mondoo.com/mondoo-operator/pkg/utils/k8s"
"k8s.io/apimachinery/pkg/api/errors"
kerrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/client/apiutil"

certmanagerv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
certmanagerrefv1 "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
Expand Down Expand Up @@ -66,6 +68,11 @@ func (c *CertManagerHandler) Cleanup(ctx context.Context) error {
}

if err := k8s.DeleteIfExists(ctx, c.KubeClient, certificate); err != nil {
// If the resource discovery failed, we assume that cert-manager is not installed
var discoveryErr *apiutil.ErrResourceDiscoveryFailed
if errors.As(err, &discoveryErr) {
return nil
}
certManagerLog.Error(err, "Failed to clean up cert-manager Certificate resource")
return err
}
Expand Down Expand Up @@ -106,7 +113,7 @@ func (c *CertManagerHandler) syncCertManagerIssuer(ctx context.Context) error {
}

if err := c.KubeClient.Get(ctx, client.ObjectKeyFromObject(issuer), issuer); err != nil {
if errors.IsNotFound(err) {
if kerrors.IsNotFound(err) {
issuer.Spec = issuerSpec
if err := c.KubeClient.Create(ctx, issuer); err != nil {
webhookLog.Error(err, "Failed to create cert-manager Issuer resource")
Expand Down Expand Up @@ -158,7 +165,7 @@ func (c *CertManagerHandler) syncCertManagerCertificate(ctx context.Context) err
}

if err := c.KubeClient.Get(ctx, client.ObjectKeyFromObject(certificate), certificate); err != nil {
if errors.IsNotFound(err) {
if kerrors.IsNotFound(err) {
certificate.Spec = certificateSpec
if err := c.KubeClient.Create(ctx, certificate); err != nil {
webhookLog.Error(err, "Failed to create cert-manager Certificate resource")
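Review bot: The new early return in `Cleanup` turns every `apiutil.ErrResourceDiscoveryFailed` into success without logging, yet discovery can also fail when cert-manager is installed (API server unreachable, discovery request denied by RBAC), in which case a Certificate is silently left behind and nothing in the logs says why. Logging before returning keeps the best-effort behaviour while leaving a trace, e.g. `certManagerLog.Info("cert-manager resource discovery failed, assuming cert-manager is not installed", "error", err.Error())` ahead of `return nil`. If a tighter check is wanted, the error type is, as far as I can tell, a map keyed by GroupVersion and could be inspected for the cert-manager group specifically, though that may be more than this path needs. The `Cleanup` method ends outside the hunk.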
4 changes: 2 additions & 2 deletions controllers/admission/deployment_handler.go
Expand Up @@ -18,7 +18,7 @@ import (
"k8s.io/apimachinery/pkg/runtime"
yamlutil "k8s.io/apimachinery/pkg/util/yaml"
"k8s.io/client-go/kubernetes/scheme"
"k8s.io/utils/pointer"
"k8s.io/utils/ptr"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"

Expand Down Expand Up @@ -63,7 +63,7 @@ func (n *DeploymentHandler) syncValidatingWebhookConfiguration(ctx context.Conte
vwc.Webhooks[i].ClientConfig.Service.Namespace = n.Mondoo.Namespace

if vwc.Webhooks[i].ClientConfig.Service.Port == nil {
vwc.Webhooks[i].ClientConfig.Service.Port = pointer.Int32(443)
vwc.Webhooks[i].ClientConfig.Service.Port = ptr.To(int32(443))
}
}

23 changes: 13 additions & 10 deletions controllers/admission/deployment_handler_test.go
Expand Up @@ -20,7 +20,7 @@ import (
"k8s.io/apimachinery/pkg/types"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
scheme "k8s.io/client-go/kubernetes/scheme"
"k8s.io/utils/pointer"
"k8s.io/utils/ptr"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/client/fake"

Expand Down Expand Up @@ -96,7 +96,7 @@ func TestReconcile(t *testing.T) {
Spec: mondoov1alpha2.MondooAuditConfigSpec{
Admission: mondoov1alpha2.Admission{
Mode: mondoov1alpha2.Enforcing,
Replicas: pointer.Int32(1),
Replicas: ptr.To(int32(1)),
},
},
}
Expand Down Expand Up @@ -146,7 +146,7 @@ func TestReconcile(t *testing.T) {
err := kubeClient.Get(context.TODO(), deploymentKey, deployment)
require.NoError(t, err, "expected Admission Deployment to exist")

assert.Equal(t, deployment.Spec.Replicas, pointer.Int32(1))
assert.Equal(t, deployment.Spec.Replicas, ptr.To(int32(1)))
assert.Contains(t, deployment.Spec.Template.Spec.Containers[0].Args, string(mondoov1alpha2.Enforcing), "expected Webhook mode to be set to 'enforcing'")

vwcName, err := validatingWebhookName(&mondoov1alpha2.MondooAuditConfig{
Expand All @@ -173,7 +173,7 @@ func TestReconcile(t *testing.T) {
mondooAuditConfigSpec: func() mondoov1alpha2.MondooAuditConfigSpec {
mac := testMondooAuditConfigSpec(true, false)
mac.Admission.Mode = mondoov1alpha2.Enforcing
mac.Admission.Replicas = pointer.Int32(2)
mac.Admission.Replicas = ptr.To(int32(2))
return mac
}(),
validate: func(t *testing.T, kubeClient client.Client) {
Expand All @@ -182,7 +182,7 @@ func TestReconcile(t *testing.T) {
err := kubeClient.Get(context.TODO(), deploymentKey, deployment)
require.NoError(t, err, "expected Admission Deployment to exist")

assert.Equal(t, deployment.Spec.Replicas, pointer.Int32(2))
assert.Equal(t, deployment.Spec.Replicas, ptr.To(int32(2)))
},
},
{
Expand Down Expand Up @@ -298,7 +298,7 @@ func TestReconcile(t *testing.T) {
err := kubeClient.Get(context.TODO(), deploymentKey, deployment)
require.NoError(t, err, "expected Admission Deployment to exist")

assert.Equal(t, deployment.Spec.Replicas, pointer.Int32(1))
assert.Equal(t, deployment.Spec.Replicas, ptr.To(int32(1)))
assert.Contains(t, deployment.Spec.Template.Spec.Containers[0].Args, string(mondoov1alpha2.Permissive), "expected Webhook mode to be set to 'permissive'")
},
},
Expand All @@ -307,7 +307,7 @@ func TestReconcile(t *testing.T) {
mondooAuditConfigSpec: func() mondoov1alpha2.MondooAuditConfigSpec {
mac := testMondooAuditConfigSpec(true, false)
mac.Admission.Mode = mondoov1alpha2.Permissive
mac.Admission.Replicas = pointer.Int32(3)
mac.Admission.Replicas = ptr.To(int32(3))
return mac
}(),
validate: func(t *testing.T, kubeClient client.Client) {
Expand All @@ -316,7 +316,7 @@ func TestReconcile(t *testing.T) {
err := kubeClient.Get(context.TODO(), deploymentKey, deployment)
require.NoError(t, err, "expected Admission Deployment to exist")

assert.Equal(t, deployment.Spec.Replicas, pointer.Int32(3))
assert.Equal(t, ptr.To(int32(3)), deployment.Spec.Replicas)
assert.Contains(t, deployment.Spec.Template.Spec.Containers[0].Args, string(mondoov1alpha2.Permissive), "expected Webhook mode to be set to 'permissive'")
},
},
Expand Down Expand Up @@ -478,7 +478,10 @@ func TestReconcile(t *testing.T) {
if test.existingObjects != nil {
existingObj = append(existingObj, test.existingObjects(*auditConfig)...)
}
fakeClient := fake.NewClientBuilder().WithObjects(existingObj...).Build()
fakeClient := fake.NewClientBuilder().
WithStatusSubresource(existingObj...).
WithObjects(existingObj...).
Build()

webhooks := &DeploymentHandler{
Mondoo: auditConfig,
Expand Down Expand Up @@ -544,7 +547,7 @@ func testMondooAuditConfigSpec(admissionEnabled, integrationEnabled bool) mondoo
return mondoov1alpha2.MondooAuditConfigSpec{
Admission: mondoov1alpha2.Admission{
Enable: admissionEnabled,
Replicas: pointer.Int32(1),
Replicas: ptr.To(int32(1)),
},
ConsoleIntegration: mondoov1alpha2.ConsoleIntegration{
Enable: integrationEnabled,
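Review bot: `assert.Equal(t, ptr.To(int32(3)), deployment.Spec.Replicas)` puts the expected value first, while the other replica assertions in this file (`assert.Equal(t, deployment.Spec.Replicas, ptr.To(int32(1)))` and the `int32(2)` variant) keep the actual value first; testify's convention is expected-then-actual, so on failure the other assertions print their diff with the labels swapped. Since this migration already touches every one of those lines, flipping them all to `assert.Equal(t, ptr.To(int32(n)), deployment.Spec.Replicas)` makes the file consistent. `WithStatusSubresource(existingObj...)` registers every existing object as having a status subresource, which is presumably what the newer fake client needs for status updates, but it also means a plain `Update()` on those objects no longer persists status in the fake client — a one-line comment on that call would help the next reader if any test relies on that. TestReconcile starts and ends outside the hunk.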