fix #46,#51,#60,#61,#62

change_logs/release_v0.6.0.md

@@ -0,0 +1,56 @@
+<img src="https://raw.githubusercontent.com/derailed/popeye/master/assets/popeye.png" align="right" width="200" height="auto"/>
+
+# Release v0.6.0
+
+## Notes
+
+Thank you so much for your support and suggestions to make Popeye better!!
+
+If you dig this tool, please make some noise on social! [@kitesurfer](https://twitter.com/kitesurfer)
+
+---
+
+## Change Logs
+
+### Popeye's got your RBAC!
+
+New this release, we've added preliminary sanitizers for the following RBAC resources: clusterrole, clusterrolebinding, role and rolebinding. The sanitizers will now check if these resource are indeed in use on your clusters.
+
+## Excludes are OUT??
+
+We've revamped the way excludes worked. Big thanks and credits goes to [Dirk Jablonski](https://github.com/djablonski-moia) for the push! So you can now excludes some sanitizers based not only on the resource name and type but also based on the sanitization codes. ie exclude all pod freds as long as they have missing probes (Code=102) but flag any other issues. This I think will make Popeye a bit more flexible.
+
+NOTE: You will need to revamp your spinachYAML files as the format changed!!
+
+Here is an example:
+
+```yaml
+popeye:
+  # Excludes define rules to exempt resources from sanitization
+  excludes:
+    # NOTE!! excludes now use the full singular resource kind ie pod and not po or pods.
+    pod:
+      # Excludes all pods named fred unless the sanitizer reports any different codes from 102 or 106
+      - name: rx:fred
+        codes:
+        - 102
+        - 106
+```
+
+Please keep in mind the paint is still fresh here and I could have totally hosed some stuff in the process. If so reach out for your issues/prs button.
+
+Thank you all for your great suggestions, fixes, patience and kindness!!
+
+---
+
+## Resolved Bugs
+
+* [Issue #46](https://github.com/derailed/popeye/issues/46)
+* [Issue #51](https://github.com/derailed/popeye/issues/51)
+* [Issue #60](https://github.com/derailed/popeye/issues/60)
+* [Issue #61](https://github.com/derailed/popeye/issues/61)
+* [Issue #62](https://github.com/derailed/popeye/issues/62)
+
+---
+
+<img src="https://raw.githubusercontent.com/derailed/popeye/master/assets/imhotep_logo.png" width="32" height="auto"/>&nbsp; © 2019 Imhotep Software LLC. All materials licensed under [Apache v2.0](http://www.apache.org/licenses/LICENSE-2.0)

go.sum

@@ -197,6 +197,7 @@ github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnIn
 github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
 github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1 h1:2vfRuCMp5sSVIDSqO8oNnWJq7mPa6KVP3iPIwFBuy8A=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=

internal/alias.go

@@ -0,0 +1,84 @@
+package internal
+
+// BOZO!! Canned for now - make k8s call for these and refine.
+
+// Alias represents a resource alias.
+type Alias struct {
+	ShortNames StringSet
+	Plural     string
+}
+
+// Aliases represents a collection of aliases.
+type Aliases struct {
+	aliases map[string]Alias
+}
+
+// NewAliases returns a new alias glossary.
+func NewAliases() *Aliases {
+	a := Aliases{}
+	a.init()
+
+	return &a
+}
+
+func (a *Aliases) ToResources(ss []string) []string {
+	aa := make([]string, len(ss))
+	for i := 0; i < len(ss); i++ {
+		aa[i] = a.FromAlias(ss[i])
+	}
+	return aa
+}
+
+// Pluralize returns a plural form.
+func (a Aliases) Pluralize(res string) string {
+	if v, ok := a.aliases[res]; ok {
+		if v.Plural != "" {
+			return v.Plural
+		}
+	}
+	return res + "s"
+}
+
+// FromAlias returns the resource name from an alias.
+func (a Aliases) FromAlias(res string) string {
+	if _, ok := a.aliases[res]; ok {
+		return res
+	}
+
+	for k, v := range a.aliases {
+		if _, ok := v.ShortNames[res]; ok {
+			return k
+		}
+	}
+
+	return res
+}
+
+func (a *Aliases) init() {
+	// Glossary stores a collection of resource aliases.
+	a.aliases = map[string]Alias{
+		"cluster":                 Alias{ShortNames: StringSet{"cl": Blank}},
+		"configmap":               Alias{ShortNames: StringSet{"cm": Blank}},
+		"clusterrole":             Alias{ShortNames: StringSet{"cr": Blank}},
+		"clusterrolebinding":      Alias{ShortNames: StringSet{"crb": Blank}},
+		"deployment":              Alias{ShortNames: StringSet{"dp": Blank, "deploy": Blank}, Plural: "deployments"},
+		"daemonset":               Alias{ShortNames: StringSet{"ds": Blank}},
+		"horizontalpodautoscaler": Alias{ShortNames: StringSet{"hpa": Blank}},
+		"ingress":                 Alias{ShortNames: StringSet{"ing": Blank}, Plural: "ingresses"},
+		"node":                    Alias{ShortNames: StringSet{"no": Blank}},
+		"networkpolicy":           Alias{ShortNames: StringSet{"np": Blank}, Plural: "networkpolicies"},
+		"namespace":               Alias{ShortNames: StringSet{"ns": Blank}},
+		"poddisruptionbudget":     Alias{ShortNames: StringSet{"pdb": Blank}},
+		"pod":                     Alias{ShortNames: StringSet{"po": Blank}},
+		"podsecuritypolicy":       Alias{ShortNames: StringSet{"psp": Blank}, Plural: "podsecuritypolicies"},
+		"persistentvolume":        Alias{ShortNames: StringSet{"pv": Blank}},
+		"persistentvolumeclaim":   Alias{ShortNames: StringSet{"pvc": Blank}},
+		"rolebinding":             Alias{ShortNames: StringSet{"rb": Blank}},
+		"role":                    Alias{ShortNames: StringSet{"ro": Blank}},
+		"replicaset":              Alias{ShortNames: StringSet{"rs": Blank}},
+		"serviceaccount":          Alias{ShortNames: StringSet{"sa": Blank}},
+		"secret":                  Alias{ShortNames: StringSet{"sec": Blank}},
+		"statefulset":             Alias{ShortNames: StringSet{"sts": Blank}},
+		"service":                 Alias{ShortNames: StringSet{"svc": Blank}},
+	}
+}

internal/cache/cluster.go

@@ -1,6 +1,6 @@
 package cache
 
-// ClusterKey tracks Cluster ressource references
+// ClusterKey tracks Cluster resource references
 const ClusterKey = "cl"
 
 // Cluster represents Cluster cache.

internal/cache/cluster_test.go

@@ -0,0 +1,16 @@
+package cache_test
+
+import (
+	"testing"
+
+	"github.com/derailed/popeye/internal/cache"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCluster(t *testing.T) {
+	c := cache.NewCluster("1", "9")
+
+	ma, mi := c.ListVersion()
+	assert.Equal(t, "1", ma)
+	assert.Equal(t, "9", mi)
+}

internal/cache/cm.go

@@ -4,7 +4,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 )
 
-// ConfigMapKey tracks ConfigMap ressource references
+// ConfigMapKey tracks ConfigMap resource references
 const ConfigMapKey = "cm"
 
 // ConfigMap represents ConfigMap cache.

internal/cache/cr.go

@@ -0,0 +1,23 @@
+package cache
+
+import (
+	rbacv1 "k8s.io/api/rbac/v1"
+)
+
+// ClusterRoleKey tracks ClusterRole resource references
+const ClusterRoleKey = "clusterrole"
+
+// ClusterRole represents ClusterRole cache.
+type ClusterRole struct {
+	crs map[string]*rbacv1.ClusterRole
+}
+
+// NewClusterRole returns a new ClusterRole cache.
+func NewClusterRole(crs map[string]*rbacv1.ClusterRole) *ClusterRole {
+	return &ClusterRole{crs: crs}
+}
+
+// ListClusterRoles returns all available ClusterRoles on the cluster.
+func (c *ClusterRole) ListClusterRoles() map[string]*rbacv1.ClusterRole {
+	return c.crs
+}

internal/cache/crb.go

@@ -1,6 +1,9 @@
 package cache
 
 import (
+	"strings"
+
+	"github.com/derailed/popeye/internal"
 	rbacv1 "k8s.io/api/rbac/v1"
 )
 
@@ -18,3 +21,16 @@ func NewClusterRoleBinding(crbs map[string]*rbacv1.ClusterRoleBinding) *ClusterR
 func (c *ClusterRoleBinding) ListClusterRoleBindings() map[string]*rbacv1.ClusterRoleBinding {
 	return c.crbs
 }
+
+// ClusterRoleRefs computes all clusterrole external references.
+func (c *ClusterRoleBinding) ClusterRoleRefs(refs ObjReferences) {
+	for fqn, crb := range c.crbs {
+		key := ResFqn(strings.ToLower(crb.RoleRef.Kind), FQN(crb.Namespace, crb.RoleRef.Name))
+		if c, ok := refs[key]; ok {
+			c.Add(fqn)
+		} else {
+			refs[key] = internal.StringSet{fqn: internal.Blank}
+		}
+
+	}
+}

internal/cache/crb_test.go

@@ -0,0 +1,55 @@
+package cache_test
+
+import (
+	"testing"
+
+	"github.com/derailed/popeye/internal/cache"
+	"github.com/stretchr/testify/assert"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestClusterRoleRef(t *testing.T) {
+	cr := cache.NewClusterRoleBinding(makeCRBMap())
+	refs := make(cache.ObjReferences)
+	cr.ClusterRoleRefs(refs)
+
+	assert.Equal(t, 2, len(refs))
+	m, ok := refs["clusterrole:cr1"]
+	assert.True(t, ok)
+	_, ok = m["crb1"]
+	assert.True(t, ok)
+
+	m, ok = refs["role:blee/r1"]
+	assert.True(t, ok)
+	_, ok = m["crb2"]
+	assert.True(t, ok)
+}
+
+// Helpers...
+
+func makeCRBMap() map[string]*rbacv1.ClusterRoleBinding {
+	return map[string]*rbacv1.ClusterRoleBinding{
+		"crb1": makeCRB("", "crb1", "ClusterRole", "cr1"),
+		"crb2": makeCRB("blee", "crb2", "Role", "r1"),
+	}
+}
+
+func makeCRB(ns, name, kind, refName string) *rbacv1.ClusterRoleBinding {
+	return &rbacv1.ClusterRoleBinding{
+		ObjectMeta: makeObjMeta(ns, name),
+		RoleRef: rbacv1.RoleRef{
+			Kind: kind,
+			Name: refName,
+		},
+	}
+}
+
+func makeObjMeta(ns, n string) metav1.ObjectMeta {
+	m := metav1.ObjectMeta{Name: n}
+	if ns != "" {
+		m.Namespace = ns
+	}
+
+	return m
+}

internal/cache/dp.go

@@ -4,7 +4,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 )
 
-// DeploymentKey tracks Deployment ressource references
+// DeploymentKey tracks Deployment resource references
 const DeploymentKey = "dp"
 
 // Deployment represents Deployment cache.

internal/cache/ds.go

@@ -4,7 +4,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 )
 
-// DaemonSetKey tracks DaemonSet ressource references
+// DaemonSetKey tracks DaemonSet resource references
 const DaemonSetKey = "ds"
 
 // DaemonSet represents DaemonSet cache.

internal/cache/ing.go

@@ -1,6 +1,7 @@
 package cache
 
 import (
+	"github.com/derailed/popeye/internal"
 	nv1beta1 "k8s.io/api/extensions/v1beta1"
 )
 
@@ -35,6 +36,6 @@ func (d *Ingress) trackReference(refs ObjReferences, key string) {
 	if set, ok := refs[key]; ok {
 		set.Add(AllKeys)
 	} else {
-		refs[key] = StringSet{AllKeys: Blank}
+		refs[key] = internal.StringSet{AllKeys: internal.Blank}
 	}
 }

internal/cache/no_mx.go

@@ -36,12 +36,15 @@ func (n *NodesMetrics) ListAllocatedMetrics() v1.ResourceList {
 }
 
 // ListAllocatableMetrics return the total cluster available cpu/mem.
-func (mx *NodesMetrics) ListAllocatableMetrics(nn map[string]*v1.Node) v1.ResourceList {
+func (mx *NodesMetrics) ListAvailableMetrics(nn map[string]*v1.Node) v1.ResourceList {
 	cpu, mem := new(resource.Quantity), new(resource.Quantity)
 	for _, n := range nn {
 		cpu.Add(*n.Status.Allocatable.Cpu())
 		mem.Add(*n.Status.Allocatable.Memory())
 	}
+	used := mx.ListAllocatedMetrics()
+	cpu.Sub(*used.Cpu())
+	mem.Sub(*used.Memory())
 
 	return v1.ResourceList{
 		v1.ResourceCPU:    *cpu,

internal/cache/no_mx_test.go

@@ -31,7 +31,7 @@ func TestClusterAllocatableMetrics(t *testing.T) {
 		u := uu[k]
 		t.Run(k, func(t *testing.T) {
 			n := NewNodesMetrics(map[string]*mv1beta1.NodeMetrics{})
-			res := n.ListAllocatableMetrics(u.nn)
+			res := n.ListAvailableMetrics(u.nn)
 			assert.Equal(t, u.e.Cpu().Value(), res.Cpu().Value())
 			assert.Equal(t, u.e.Memory().Value(), res.Memory().Value())
 		})

internal/cache/np.go

@@ -4,7 +4,7 @@ import (
 	nv1 "k8s.io/api/networking/v1"
 )
 
-// NetworkPolicyKey tracks NetworkPolicy ressource references
+// NetworkPolicyKey tracks NetworkPolicy resource references
 const NetworkPolicyKey = "np"
 
 // NetworkPolicy represents NetworkPolicy cache.

internal/cache/pdb.go

@@ -4,7 +4,7 @@ import (
 	v1beta1 "k8s.io/api/policy/v1beta1"
 )
 
-// PodDisruptionBudgetKey tracks PodDisruptionBudget ressource references
+// PodDisruptionBudgetKey tracks PodDisruptionBudget resource references
 const PodDisruptionBudgetKey = "pdb"
 
 // PodDisruptionBudget represents PodDisruptionBudget cache.