Skip to content

Commit

Permalink
fix: update kubelet checks via kubelet config resource (#87)
Browse files Browse the repository at this point in the history
* fix: kubelet checks via config resource

Signed-off-by: chenk <hen.keinan@gmail.com>

* fix: kubelet checks via config resource

Signed-off-by: chenk <hen.keinan@gmail.com>

* fix: kubelet checks via config resource

Signed-off-by: chenk <hen.keinan@gmail.com>

---------

Signed-off-by: chenk <hen.keinan@gmail.com>
  • Loading branch information
chen-keinan authored Dec 20, 2023
1 parent 46290db commit 9bde47f
Show file tree
Hide file tree
Showing 3 changed files with 67 additions and 1 deletion.
1 change: 1 addition & 0 deletions job.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ spec:
- name: node-collector
image: ghcr.io/aquasecurity/node-collector:0.0.9
command: ["node-collector"]
args: ["k8s", "--node", "minikube"]
volumeMounts:
- name: var-lib-etcd
mountPath: /var/lib/etcd
Expand Down
66 changes: 65 additions & 1 deletion pkg/collector/collect.go
Original file line number Diff line number Diff line change
@@ -1,13 +1,29 @@
package collector

import (
"context"
"encoding/json"
"errors"
"fmt"
"log"
"os"
"time"

"github.com/spf13/cobra"
)

var configMapper = map[string]string{
"kubeletAnonymousAuthArgumentSet": "authentication.anonymous.enabled",
"kubeletAuthorizationModeArgumentSet": "authorization.mode",
"kubeletClientCaFileArgumentSet": "authentication.x509.clientCAFile",
"kubeletReadOnlyPortArgumentSet": "readOnlyPort",
"kubeletStreamingConnectionIdleTimeoutArgumentSet": "streamingConnectionIdleTimeout",
"kubeletProtectKernelDefaultsArgumentSet": "kernelMemcgNotification",
"kubeletMakeIptablesUtilChainsArgumentSet": "makeIPTablesUtilChains",
"kubeletEventQpsArgumentSet": "eventRecordQPS",
"kubeletRotateKubeletServerCertificateArgumentSet": "featureGates.RotateKubeletServerCertificate",
}

type SpecVersion struct {
Name string
Version string
Expand All @@ -22,10 +38,19 @@ var platfromSpec = map[string]SpecVersion{

// CollectData run spec audit command and output it result data
func CollectData(cmd *cobra.Command, target string) error {
log.SetFlags(log.LstdFlags | log.Lmicroseconds)
cluster, err := GetCluster()
if err != nil {
return err
}
ctx, cancel := context.WithTimeout(cmd.Context(), time.Duration(10)*time.Minute)
defer cancel()

defer func() {
if errors.Is(err, context.DeadlineExceeded) {
log.Println("Increase --timeout value")
}
}()
p, err := cluster.Platfrom()
if err != nil {
return err
Expand Down Expand Up @@ -61,6 +86,12 @@ func CollectData(cmd *cobra.Command, target string) error {
values := StringToArray(output, ",")
nodeInfo[ci.Key] = &Info{Values: values}
}
nodeName := cmd.Flag("node").Value.String()
configVal, err := getValuesFromkubeletConfig(ctx, nodeName, *cluster)
if err != nil {
return err
}
mergeConfigValues(nodeInfo, configVal)
nodeData := Node{
APIVersion: Version,
Kind: Kind,
Expand All @@ -69,7 +100,7 @@ func CollectData(cmd *cobra.Command, target string) error {
Info: nodeInfo,
}
outputFormat := cmd.Flag("output").Value.String()
err := printOutput(nodeData, outputFormat, os.Stdout)
err = printOutput(nodeData, outputFormat, os.Stdout)
if err != nil {
return err
}
Expand All @@ -80,3 +111,36 @@ func CollectData(cmd *cobra.Command, target string) error {
func specByPlatfromVersion(platfrom string, version string) SpecVersion {
return platfromSpec[fmt.Sprintf("%s-%s", platfrom, platfrom)]
}

func getValuesFromkubeletConfig(ctx context.Context, nodeName string, cluster Cluster) (map[string]*Info, error) {
overrideConfig := make(map[string]*Info)
data, err := cluster.clientSet.RESTClient().Get().AbsPath(fmt.Sprintf("/api/v1/nodes/%s/proxy/configz", nodeName)).DoRaw(ctx)
if err != nil {
return nil, err
}
nodeConfig := make(map[string]interface{})
err = json.Unmarshal(data, &nodeConfig)
if err != nil {
return nil, err
}
values := nodeConfig["kubeletconfig"]
for k, v := range configMapper {
p := values
splittedValues := StringToArray(v, ".")
for _, sv := range splittedValues {
next := p.(map[string]interface{})
if k, ok := next[sv.(string)]; ok {
p = k
}
}
overrideConfig[k] = &Info{Values: []interface{}{p}}
}
return overrideConfig, nil
}

func mergeConfigValues(configValues map[string]*Info, overrideConfig map[string]*Info) map[string]*Info {
for k, v := range overrideConfig {
configValues[k] = v
}
return configValues
}
1 change: 1 addition & 0 deletions pkg/command/root.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ func init() {
rootCmd.PersistentFlags().StringP("output", "o", "json", "Output format. One of table|json")
rootCmd.PersistentFlags().StringP("spec", "s", "cis", " spec name. default: cis")
rootCmd.PersistentFlags().StringP("version", "v", "1.23", "spec version. default: 1.23")
rootCmd.PersistentFlags().StringP("node", "n", "minikube", "node name. default: minikube")
}

var rootCmd = &cobra.Command{
Expand Down

0 comments on commit 9bde47f

Please sign in to comment.