generating policy for replica-set & statefulset

Signed-off-by: Prateeknandle <prateeknandle@gmail.com>

deployments/helm/values.yaml

@@ -40,7 +40,7 @@ clusterRole:
   name: discovery-engine-role
   rules:
   - apiGroups: ["*"]
-    resources: ["pods", "services", "deployments", "endpoints", "namespaces", "nodes"]
+    resources: ["pods", "services", "deployments", "endpoints", "namespaces", "nodes", "replicasets", "statefulsets"]
     verbs: ["get", "list", "watch"]
 
 #clusterroleBinding

deployments/k8s/deployment.yaml

@@ -163,7 +163,7 @@ metadata:
   name: discovery-engine-role
 rules:
 - apiGroups: ["*"]
-  resources: ["pods", "services", "deployments", "endpoints", "namespaces", "nodes"]
+  resources: ["pods", "services", "deployments", "endpoints", "namespaces", "nodes", "replicasets", "statefulsets"]
   verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1

src/recommendpolicy/recommendPolicy.go

@@ -52,6 +52,11 @@ type LabelMap = map[string]string
 // DeployNsName stores the identified deployments in a namespace
 var DeployNsName []types.Deployment
 
+// NsNotFilter stores the namespace which needs to be filtered out
+var NsNotFilter = cfg.CurrentCfg.ConfigSysPolicy.NsNotFilter
+
+var policies []types.KnoxSystemPolicy
+
 // init Function
 func init() {
 	log = logger.GetInstance()
@@ -71,9 +76,11 @@ func StartRecommendWorker() {
 	} else if cfg.GetCfgRecOperationMode() == OP_MODE_CRONJOB { // every time intervals
 		DeployNsName = []types.Deployment{}
 		log.Info().Msg("Recommended policy cron job started")
+		NsNotFilter = cfg.CurrentCfg.ConfigSysPolicy.NsNotFilter
 		RecommendPolicyMain()
 		StartRecommendCronJob()
 	} else { // one-time generation
+		NsNotFilter = cfg.CurrentCfg.ConfigSysPolicy.NsNotFilter
 		RecommendPolicyMain()
 		log.Info().Msgf("Policy Recommendation onetime job done")
 	}
@@ -95,6 +102,7 @@ func StopRecommendWorker() {
 func StartRecommendCronJob() {
 	// init cron job
 	RecommendCronJob = cron.New()
+	NsNotFilter = cfg.CurrentCfg.ConfigSysPolicy.NsNotFilter
 	err := RecommendCronJob.AddFunc(cfg.GetCfgRecCronJobTime(), RecommendPolicyMain) // time interval
 	if err != nil {
 		log.Error().Msg(err.Error())
@@ -122,8 +130,6 @@ func StopRecommendCronJob() {
 // RecommendPolicyMain generates recommended policies from policy-template GH
 func RecommendPolicyMain() {
 
-	nsNotFilter := cfg.CurrentCfg.ConfigSysPolicy.NsNotFilter
-
 	if !isLatest() {
 		if _, err := DownloadAndUnzipRelease(); err != nil {
 			log.Error().Msgf("Unable to download %v", err.Error())
@@ -135,6 +141,16 @@ func RecommendPolicyMain() {
 		log.Error().Msg(err.Error())
 		return
 	}
+	replicaSets, err := client.AppsV1().ReplicaSets("").List(context.Background(), metav1.ListOptions{})
+	if err != nil {
+		log.Error().Msg("error getting replicasets err=" + err.Error())
+		return
+	}
+	statefulSets, err := client.AppsV1().StatefulSets("").List(context.Background(), metav1.ListOptions{})
+	if err != nil {
+		log.Error().Msg("error getting statefulsets err=" + err.Error())
+		return
+	}
 	systempolicy.InitSysPolicyDiscoveryConfiguration()
 	for _, d := range deployments.Items {
 		deploy := uniqueNsDeploy(d.Name, d.Namespace)
@@ -143,22 +159,39 @@ func RecommendPolicyMain() {
 			DeployNsName = append(DeployNsName, *deploy)
 		}
 
-		for _, ns := range nsNotFilter {
+		for _, ns := range NsNotFilter {
 			if d.Namespace != ns {
-				generateHardenPolicy(d.Name, d.Namespace, d.Spec.Template.Labels)
+				policies = append(policies, generateHardenPolicy(d.Name, d.Namespace, d.Spec.Template.Labels)...)
+			}
+		}
+	}
+
+	for _, r := range replicaSets.Items {
+		for _, ns := range NsNotFilter {
+			if r.Namespace != ns && len(r.ObjectMeta.OwnerReferences) == 0 {
+				policies = append(policies, generateHardenPolicy(r.Name, r.Namespace, r.Spec.Template.Labels)...)
+			}
+		}
+	}
+
+	for _, s := range statefulSets.Items {
+		for _, ns := range NsNotFilter {
+			if s.Namespace != ns {
+				policies = append(policies, generateHardenPolicy(s.Name, s.Namespace, s.Spec.Template.Labels)...)
 			}
 		}
 	}
+	systempolicy.UpdateSysPolicies(policies)
 }
 
-func generateHardenPolicy(name, namespace string, labels LabelMap) {
-	log.Info().Msgf("Generating hardening policy for deployment: %v in namespace: %v", name, namespace)
+func generateHardenPolicy(name, namespace string, labels LabelMap) []types.KnoxSystemPolicy {
+	log.Info().Msgf("Generating hardening policy for: %v in namespace: %v", name, namespace)
 	policies, err := generatePolicy(name, namespace, labels)
 	if err != nil {
 		log.Error().Msg(err.Error())
-		return
+		return nil
 	}
-	systempolicy.UpdateSysPolicies(policies)
+	return policies
 }
 
 func uniqueNsDeploy(deployName, deployNamespace string) *types.Deployment {
@@ -180,3 +213,8 @@ func uniqueNsDeploy(deployName, deployNamespace string) *types.Deployment {
 
 	return &deploy
 }
+
+func GetHardenPolicy() []types.KnoxSystemPolicy {
+	RecommendPolicyMain()
+	return policies
+}

tests/go.mod

@@ -3,7 +3,6 @@ module github.com/kubearmor/discovery-engine/tests
 go 1.19
 
 require (
-	github.com/accuknox/auto-policy-discovery/src v0.0.0-20230207142942-3e2adb51594b
 	github.com/kubearmor/KubeArmor/tests v0.0.0-20230110035627-26adfb0a0f18
 	github.com/onsi/ginkgo/v2 v2.7.0
 	github.com/onsi/gomega v1.24.2
@@ -12,24 +11,40 @@ require (
 	sigs.k8s.io/yaml v1.3.0
 )
 
+require github.com/accuknox/auto-policy-discovery/src v0.0.0-20230320081550-86bcb8b555bd
+
+replace github.com/accuknox/auto-policy-discovery/src v0.0.0-20230320081550-86bcb8b555bd => ../src
+
 require (
 	cloud.google.com/go/compute v1.14.0 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
+	github.com/99designs/keyring v1.1.6 // indirect
+	github.com/AthenZ/athenz v1.10.39 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 	github.com/Azure/go-autorest/autorest v0.11.22 // indirect
 	github.com/Azure/go-autorest/autorest/adal v0.9.17 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/DATA-DOG/go-sqlmock v1.5.0 // indirect
+	github.com/DataDog/zstd v1.5.0 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/StackExchange/wmi v1.2.1 // indirect
+	github.com/apache/pulsar-client-go v0.8.1 // indirect
+	github.com/apache/pulsar-client-go/oauth2 v0.0.0-20220120090717-25e59572242e // indirect
+	github.com/ardielle/ardielle-go v1.5.2 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/cavaliergopher/grab/v3 v3.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/cilium/cilium v1.10.14 // indirect
+	github.com/clarketm/json v1.17.1 // indirect
+	github.com/confluentinc/confluent-kafka-go v1.6.1 // indirect
+	github.com/danieljoos/wincred v1.0.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/dvsekhvalnov/jose2go v0.0.0-20200901110807-248326c1351b // indirect
 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
@@ -45,53 +60,70 @@ require (
 	github.com/go-openapi/strfmt v0.21.0 // indirect
 	github.com/go-openapi/swag v0.19.15 // indirect
 	github.com/go-openapi/validate v0.20.3 // indirect
+	github.com/go-sql-driver/mysql v1.5.0 // indirect
 	github.com/go-stack/stack v1.8.1 // indirect
+	github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/golang-jwt/jwt/v4 v4.1.0 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/btree v1.0.1 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/go-github v17.0.0+incompatible // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/googleapis/gnostic v0.5.5 // indirect
 	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
+	github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/keybase/go-keychain v0.0.0-20190712205309-48d3d31d256d // indirect
+	github.com/klauspost/compress v1.13.6 // indirect
+	github.com/kubearmor/KVMService/src/types v0.0.0-20220714130113-b0eba8c9ff34 // indirect
 	github.com/kubearmor/KubeArmor/pkg/KubeArmorHostPolicy v0.0.0-20220823050108-4455a183e9ef // indirect
 	github.com/kubearmor/KubeArmor/pkg/KubeArmorPolicy v0.0.0-20220823050108-4455a183e9ef // indirect
 	github.com/kubearmor/KubeArmor/protobuf v0.0.0-20220815044951-425f333210e1 // indirect
 	github.com/kubearmor/kubearmor-client v0.8.3 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
+	github.com/linkedin/goavro/v2 v2.9.8 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/magiconair/properties v1.8.6 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/mattn/go-sqlite3 v1.14.12 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
+	github.com/mtibben/percent v0.2.1 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.2 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 // indirect
+	github.com/pierrec/lz4 v2.0.5+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_golang v1.12.2 // indirect
 	github.com/prometheus/client_model v0.2.1-0.20210607210712-147c58e9608a // indirect
 	github.com/prometheus/common v0.32.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/robfig/cron v1.2.0 // indirect
 	github.com/sasha-s/go-deadlock v0.3.1 // indirect
 	github.com/shirou/gopsutil/v3 v3.21.10 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
+	github.com/spaolacci/murmur3 v1.1.0 // indirect
 	github.com/spf13/afero v1.9.2 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/cobra v1.4.0 // indirect
@@ -103,6 +135,7 @@ require (
 	github.com/xlab/treeprint v1.0.0 // indirect
 	go.mongodb.org/mongo-driver v1.8.4 // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
+	go.uber.org/atomic v1.7.0 // indirect
 	golang.org/x/crypto v0.1.0 // indirect
 	golang.org/x/exp v0.0.0-20221114191408-850992195362 // indirect
 	golang.org/x/net v0.5.0 // indirect
@@ -118,6 +151,7 @@ require (
 	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.22.3 // indirect