add support for daemonsets

Signed-off-by: Ankur Kothiwal <ankur.kothiwal99@gmail.com>
accuknox · Apr 24, 2023 · 70e362b · 70e362b
1 parent e0a2154
commit 70e362b
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 6 deletions.
diff --git a/deployments/helm/values.yaml b/deployments/helm/values.yaml
@@ -40,7 +40,7 @@ clusterRole:
   name: discovery-engine-role
   rules:
   - apiGroups: ["*"]
-    resources: ["pods", "services", "deployments", "endpoints", "namespaces", "nodes", "replicasets", "statefulsets"]
+    resources: ["pods", "services", "deployments", "endpoints", "namespaces", "nodes", "replicasets", "statefulsets", "daemonsets"]
     verbs: ["get", "list", "watch"]
 
 #clusterroleBinding

diff --git a/deployments/k8s/deployment.yaml b/deployments/k8s/deployment.yaml
@@ -163,7 +163,7 @@ metadata:
   name: discovery-engine-role
 rules:
 - apiGroups: ["*"]
-  resources: ["pods", "services", "deployments", "endpoints", "namespaces", "nodes", "replicasets", "statefulsets"]
+  resources: ["pods", "services", "deployments", "endpoints", "namespaces", "nodes", "replicasets", "statefulsets", "daemonsets"]
   verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/src/recommendpolicy/recommendPolicy.go b/src/recommendpolicy/recommendPolicy.go
@@ -140,8 +140,14 @@ func RecommendPolicyMain() {
 		log.Error().Msg("Error getting statefulsets err=" + err.Error())
 		return
 	}
+	daemonsets, err := client.AppsV1().DaemonSets("").List(context.Background(), metav1.ListOptions{})
+	if err != nil {
+		log.Error().Msg("Error getting daemonsets err=" + err.Error())
+		return
+	}
+
 	systempolicy.InitSysPolicyDiscoveryConfiguration()
-	policies := GetHardenPolicy(deployments, replicaSets, statefulSets, nsNotFilter)
+	policies := GetHardenPolicy(deployments, replicaSets, statefulSets, daemonsets, nsNotFilter)
 	if policies == nil {
 		log.Error().Msg("Error generating hardened policies")
 		return
@@ -214,17 +220,16 @@ func uniqueNsDeploy(deployName, deployNamespace string) *types.Deployment {
 	return &deploy
 }
 
-func GetHardenPolicy(deployments *v1.DeploymentList, replicaSets *v1.ReplicaSetList, statefulSets *v1.StatefulSetList, nsNotFilter []string) []types.KnoxSystemPolicy {
+func GetHardenPolicy(deployments *v1.DeploymentList, replicaSets *v1.ReplicaSetList, statefulSets *v1.StatefulSetList, daemonSets *v1.DaemonSetList, nsNotFilter []string) []types.KnoxSystemPolicy {
 
 	var policies []types.KnoxSystemPolicy
 	if !isLatest() {
 		version, err := DownloadAndUnzipRelease()
 		if err != nil {
 			log.Error().Msgf("Unable to download %v", err.Error())
 			return nil
-		} else {
-			log.Info().Msgf("Downloaded version: %v", version)
 		}
+		log.Info().Msgf("Downloaded version: %v", version)
 	}
 	for _, d := range deployments.Items {
 		deploy := uniqueNsDeploy(d.Name, d.Namespace)
@@ -255,5 +260,13 @@ func GetHardenPolicy(deployments *v1.DeploymentList, replicaSets *v1.ReplicaSetL
 			}
 		}
 	}
+
+	for _, ds := range daemonSets.Items {
+		for _, ns := range nsNotFilter {
+			if ds.Namespace != ns && len(ds.ObjectMeta.OwnerReferences) == 0 {
+				policies = append(policies, generateHardenPolicy(ds.Name, ds.Namespace, ds.Spec.Template.Labels)...)
+			}
+		}
+	}
 	return policies
 }