Merge pull request #646 from vishnusomank/fix-recommend

Show recommended policy using DE

deployments/helm/configmapfiles/discovery-engine/conf.yaml

@@ -74,4 +74,9 @@ feed-consumer:
     enable: false
     cert: /kafka-ssl/user.cert.pem
     key: /kafka-ssl/user.key.pem
-
+
+# Recommended policies configuration
+recommend:
+  operation-mode: 1                       # 1: cronjob | 2: one-time-job
+  cron-job-time-interval: "1h0m00s"       # format: XhYmZs
+

deployments/helm/values.yaml

@@ -32,7 +32,7 @@ clusterRole:
   create: true
   name: discovery-engine-role
   rules:
-  - apiGroups: [""]
+  - apiGroups: ["*"]
     resources: ["pods", "services", "deployments", "endpoints", "namespaces"]
     verbs: ["get", "list", "watch"]
 

deployments/k8s/deployment.yaml

@@ -122,6 +122,11 @@ data:
     kubearmor:
       url: kubearmor.kube-system.svc.cluster.local
       port: 32767
+
+    # Recommended policies configuration
+    recommend:
+      operation-mode: 1                       # 1: cronjob | 2: one-time-job
+      cron-job-time-interval: "1h0m00s"       # format: XhYmZs
 ---
 apiVersion: v1
 kind: Service

src/recommendpolicy/downloadTemplates.go

@@ -113,6 +113,7 @@ func DownloadAndUnzipRelease() (string, error) {
 	}
 	_ = updatePolicyRules(strings.TrimSuffix(resp.Filename, ".zip"))
 	CurrentVersion = CurrentRelease()
+	log.Info().Msgf("Latest recommendation downloaded and updated")
 	return LatestVersion, nil
 }
 

src/recommendpolicy/helperFunctions.go

@@ -8,7 +8,6 @@ import (
 	"github.com/clarketm/json"
 
 	"github.com/accuknox/auto-policy-discovery/src/types"
-	v1 "k8s.io/api/apps/v1"
 	"sigs.k8s.io/yaml"
 )
 
@@ -54,7 +53,7 @@ func genericPolicy(precondition []string) bool {
 	return false
 }
 
-func generatePolicy(dp v1.Deployment) ([]types.KnoxSystemPolicy, error) {
+func generatePolicy(name, namespace string, labels LabelMap) ([]types.KnoxSystemPolicy, error) {
 
 	var ms types.MatchSpec
 	var err error
@@ -63,7 +62,7 @@ func generatePolicy(dp v1.Deployment) ([]types.KnoxSystemPolicy, error) {
 	ms, err = getNextRule(&idx)
 	for ; err == nil; ms, err = getNextRule(&idx) {
 		if genericPolicy(ms.Precondition) {
-			policy, err := createPolicy(ms, dp)
+			policy, err := createPolicy(ms, name, namespace, labels)
 			if err != nil {
 				log.Error().Msg(err.Error())
 			}
@@ -75,7 +74,7 @@ func generatePolicy(dp v1.Deployment) ([]types.KnoxSystemPolicy, error) {
 
 }
 
-func createPolicy(ms types.MatchSpec, dp v1.Deployment) (types.KnoxSystemPolicy, error) {
+func createPolicy(ms types.MatchSpec, name, namespace string, labels LabelMap) (types.KnoxSystemPolicy, error) {
 	policy := types.KnoxSystemPolicy{
 		Spec: types.KnoxSystemSpec{
 			Severity: 1, // by default
@@ -87,8 +86,8 @@ func createPolicy(ms types.MatchSpec, dp v1.Deployment) (types.KnoxSystemPolicy,
 	policy.Kind = "KubeArmorPolicy"
 
 	policy.Metadata = map[string]string{
-		"name":      fmt.Sprintf("%v-%v-%v", types.HardeningPolicy, dp.Name, ms.Name),
-		"namespace": dp.Namespace,
+		"name":      fmt.Sprintf("%v-%v-%v", types.HardeningPolicy, name, ms.Name),
+		"namespace": namespace,
 	}
 
 	policy.Spec.Action = ms.Spec.Action
@@ -100,7 +99,7 @@ func createPolicy(ms types.MatchSpec, dp v1.Deployment) (types.KnoxSystemPolicy,
 		policy.Spec.Tags = ms.Spec.Tags
 	}
 
-	policy.Spec.Selector.MatchLabels = dp.Spec.Template.Labels
+	policy.Spec.Selector.MatchLabels = labels
 
 	addPolicyRule(&policy, &ms.Spec)
 	return policy, nil

src/recommendpolicy/recommendPolicy.go

@@ -45,6 +45,9 @@ var CurrentVersion string
 // LatestVersion stores the latest version of policy-template
 var LatestVersion string
 
+// LabelMap is an alias for map[string]string
+type LabelMap = map[string]string
+
 // init Function
 func init() {
 	log = logger.GetInstance()
@@ -62,6 +65,7 @@ func StartRecommendWorker() {
 	if cfg.GetCfgRecOperationMode() == OP_MODE_NOOP { // Do not run the operation
 		log.Info().Msg("Recommendation operation mode is NOOP ... NO RECOMMENDED POLICY")
 	} else if cfg.GetCfgRecOperationMode() == OP_MODE_CRONJOB { // every time intervals
+		log.Info().Msg("Recommended policy cron job started")
 		RecommendPolicyMain()
 		StartRecommendCronJob()
 	} else { // one-time generation
@@ -94,8 +98,6 @@ func StartRecommendCronJob() {
 	}
 	RecommendCronJob.Start()
 
-	log.Info().Msg("Recommended policy cron job started")
-
 }
 
 // StopRecommendCronJob stops the recommendation cronjob
@@ -114,6 +116,8 @@ func StopRecommendCronJob() {
 // RecommendPolicyMain generates recommended policies from policy-template GH
 func RecommendPolicyMain() {
 
+	nsNotFilter := cfg.CurrentCfg.ConfigSysPolicy.NsNotFilter
+
 	if !isLatest() {
 		if _, err := DownloadAndUnzipRelease(); err != nil {
 			log.Error().Msgf("Unable to download %v", err.Error())
@@ -123,17 +127,20 @@ func RecommendPolicyMain() {
 	deployments, err := client.AppsV1().Deployments("").List(context.Background(), metav1.ListOptions{})
 	if err != nil {
 		log.Error().Msg(err.Error())
+		return
 	}
 	systempolicy.InitSysPolicyDiscoveryConfiguration()
 	for _, d := range deployments.Items {
-		if d.Namespace == "kube-system" {
-			continue
+		for _, ns := range nsNotFilter {
+			if d.Namespace != ns {
+				log.Info().Msgf("Generating hardening policy for deployment: %v in namespace: %v", d.Name, d.Namespace)
+				policies, err := generatePolicy(d.Name, d.Namespace, d.Spec.Template.Labels)
+				if err != nil {
+					log.Error().Msg(err.Error())
+				}
+				systempolicy.UpdateSysPolicies(policies)
+			}
 		}
-		policies, err := generatePolicy(d)
-		if err != nil {
-			log.Error().Msg(err.Error())
-		}
-
-		systempolicy.UpdateSysPolicies(policies)
 	}
+
 }