adding feature for apparmor annotation #160

wants to merge 1 commit into
base: master
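--- a/score/apparmor/apparmor.go
+++ b/score/apparmor/apparmor.go
@@ -0,0 +1,31 @@
+package apparmor
+
+import (
+"strings"
+
+"github.com/zegl/kube-score/score/checks"
+"github.com/zegl/kube-score/scorecard"
+appsv1 "k8s.io/api/apps/v1"
+)
+
+func Register( allChecks *checks.Checks ) {
+allChecks.RegisterDeploymentCheck( "Deployment sets apparmor annotation", `Makes sure that all Deployments set apparmor annotation`, deploymentHas() )
+}
+
+func deploymentHas() func( appsv1.Deployment ) ( scorecard.TestScore, error ) {
+return func( deployment appsv1.Deployment ) ( score scorecard.TestScore, err error ) {
+if armor, found := deployment.Spec.Template.GetObjectMeta().GetAnnotations()[ "container.apparmor.security.beta.kubernetes.io" ]; found {
+if strings.Index( armor, "localhost/docker-default" ) != -1 {
+score.Grade = scorecard.GradeAlmostOK
+score.AddComment( "", "apparmor annotation is set:", "It is recommended to not use docker-default and instead customize a profile" )
+return
+}
+score.Grade = scorecard.GradeAllOK
+score.AddComment( "", "apparmor annotation is set:", armor )
+return
+}
+score.Grade = scorecard.GradeCritical
+score.AddComment( "", "apparmor annotation is not set", "It is recommended to set apparmor annotation and customize a profile" )
+return
+}
+}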
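Review bot: The lookup `GetAnnotations()[ "container.apparmor.security.beta.kubernetes.io" ]` uses the bare prefix as the key, but the Kubernetes AppArmor annotation is per container (`container.apparmor.security.beta.kubernetes.io/<container-name>`), so a correctly annotated Deployment scores GradeCritical here, and the fixtures in score/testdata/deployment-sets-apparmor.yaml and deployment-sets-default-apparmor.yaml only pass because they repeat the same bare key. The function should iterate `deployment.Spec.Template.Spec.Containers`, look up the prefix plus `container.Name` for each, and grade on the worst container, as sketched below. `strings.Index( armor, "localhost/docker-default" ) != -1` is a substring test that also flags a custom profile whose name merely contains that text; compare with `==`, and consider whether `unconfined`, which turns confinement off, should grade as Critical rather than AllOK. The spacing inside parentheses is not gofmt-clean, so run gofmt on the file; the first AddComment argument is kept `""` below because its meaning is not visible here — if it names the container, pass `container.Name`.

```go
// apparmorAnnotationPrefix is completed with the container name; one annotation per container.
const apparmorAnnotationPrefix = "container.apparmor.security.beta.kubernetes.io/"

func deploymentHas() func(appsv1.Deployment) (scorecard.TestScore, error) {
	return func(deployment appsv1.Deployment) (score scorecard.TestScore, err error) {
		annotations := deployment.Spec.Template.GetObjectMeta().GetAnnotations()

		missing, dockerDefault := false, false
		for _, container := range deployment.Spec.Template.Spec.Containers {
			profile, found := annotations[apparmorAnnotationPrefix+container.Name]
			switch {
			case !found:
				missing = true
				score.AddComment("", "apparmor annotation is not set", "It is recommended to set apparmor annotation and customize a profile")
			case profile == "localhost/docker-default":
				dockerDefault = true
				score.AddComment("", "apparmor annotation is set:", "It is recommended to not use docker-default and instead customize a profile")
			default:
				score.AddComment("", "apparmor annotation is set:", profile)
			}
		}

		// The worst container decides the grade.
		switch {
		case missing:
			score.Grade = scorecard.GradeCritical
		case dockerDefault:
			score.Grade = scorecard.GradeAlmostOK
		default:
			score.Grade = scorecard.GradeAllOK
		}
		return
	}
}
```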
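--- a/score/apparmor_test.go
+++ b/score/apparmor_test.go
@@ -0,0 +1,13 @@
+package score
+
+import "testing"
+
+func TestApparmorAnnotation(t *testing.T) {
+testExpectedScore(t, "deployment-sets-apparmor.yaml", "Deployment sets apparmor annotation", 10)
+}
+func TestNoApparmorAnnotation(t *testing.T) {
+testExpectedScore(t, "deployment-sets-no-apparmor.yaml", "Deployment sets apparmor annotation", 1)
+}
+func TestDefaultApparmorAnnotation(t *testing.T) {
+testExpectedScore(t, "deployment-sets-default-apparmor.yaml", "Deployment sets apparmor annotation", 7)
+}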
2 changes: 2 additions & 0 deletions score/score.go
Expand Up @@ -4,6 +4,7 @@ import (
"github.com/zegl/kube-score/config"
ks "github.com/zegl/kube-score/domain"
"github.com/zegl/kube-score/score/apps"
"github.com/zegl/kube-score/score/apparmor"
"github.com/zegl/kube-score/score/checks"
"github.com/zegl/kube-score/score/container"
"github.com/zegl/kube-score/score/cronjob"
Expand Down Expand Up @@ -33,6 +34,7 @@ func RegisterAllChecks(allObjects ks.AllTypes, cnf config.Configuration) *checks
service.Register(allChecks, allObjects, allObjects)
stable.Register(allChecks)
apps.Register(allChecks)
apparmor.Register(allChecks)
meta.Register(allChecks)

return allChecks
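--- a/score/testdata/deployment-sets-apparmor.yaml
+++ b/score/testdata/deployment-sets-apparmor.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: my-service
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: my-service
+template:
+metadata:
+annotations:
+container.apparmor.security.beta.kubernetes.io: localhost/docker-custom
+labels:
+app: my-service
+spec:
+containers:
+- name: my-service
+image: "alpine:latest"
+imagePullPolicy: Always
+ports:
+- containerPort: 8080
+protocol: TCP
+name: "http-node"
+resources:
+limits:
+cpu: 50m
+memory: 128Mi
+requests:
+cpu: 50m
+memory: 128Mi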
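--- a/score/testdata/deployment-sets-default-apparmor.yaml
+++ b/score/testdata/deployment-sets-default-apparmor.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: my-service
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: my-service
+template:
+metadata:
+annotations:
+container.apparmor.security.beta.kubernetes.io: localhost/docker-default
+labels:
+app: my-service
+spec:
+containers:
+- name: my-service
+image: "alpine:latest"
+imagePullPolicy: Always
+ports:
+- containerPort: 8080
+protocol: TCP
+name: "http-node"
+resources:
+limits:
+cpu: 50m
+memory: 128Mi
+requests:
+cpu: 50m
+memory: 128Mi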
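--- a/score/testdata/deployment-sets-no-apparmor.yaml
+++ b/score/testdata/deployment-sets-no-apparmor.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: my-service
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: my-service
+template:
+metadata:
+labels:
+app: my-service
+spec:
+containers:
+- name: my-service
+image: "alpine:latest"
+imagePullPolicy: Always
+ports:
+- containerPort: 8080
+protocol: TCP
+name: "http-node"
+resources:
+limits:
+cpu: 50m
+memory: 128Mi
+requests:
+cpu: 50m
+memory: 128Mi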