feat(polaris_scanner): initial version of polaris scanner app

Author: v1r7u

.gitignore

@@ -41,3 +41,5 @@ bld/
 # MSTest test Results
 [Tt]est[Rr]esult*/
 [Bb]uild[Ll]og.*
+
+/src/scanners/polaris/polaris.exe

src/scanners/polaris/TECH_DESIGN.md

@@ -23,7 +23,7 @@ The scanner adjusts to the underlying Polaris app - it's written in golang and a
 
 - Polaris config should be located at path specified in `POLARIS_CONFIG_PATH` environment variable path;
 - exact Blob Storage service implementation is constructed based on `BLOB_STORAGE_SERVICE_TYPE` environment variable;
-- if is running out of the target cluster, `KUBECONFIG_PATH` environment variable should point to kubeconfig file;
+- if is running out of the target cluster, `KUBECONFIG` environment variable should point to kubeconfig file;
 - `SCANNER_IDENTIFIER` and `SCANNER_PERIODICITY` is deployment-time scanner identifier and periodicity;
 - `LOG_FORMAT` - `plain-text` or `json`.
 
@@ -70,7 +70,7 @@ After each audit iteration is completed, the scanner should update general metad
 {
   "scanner-type": "polaris",
   "scanner-id": "{UUID}",
-  "scanner-periodicity": "on-cron-{cron-expression}",
+  "scanner-periodicity": "{cron-expression}",
   "heartbeat-periodicity": "int",
   "heartbeat": 1579619671
 }

src/scanners/polaris/examples/polaris-config.yaml

@@ -0,0 +1,151 @@
+checks:
+  # resources
+  cpuRequestsMissing: warning
+  cpuLimitsMissing: warning
+  memoryRequestsMissing: warning
+  memoryLimitsMissing: warning
+  # images
+  tagNotSpecified: error
+  pullPolicyNotAlways: ignore
+  imageRegistry: warning
+  # healthChecks
+  readinessProbeMissing: warning
+  livenessProbeMissing: warning
+  # networking
+  hostNetworkSet: warning
+  hostPortSet: warning
+  # security
+  hostIPCSet: error
+  hostPIDSet: error
+  notReadOnlyRootFileSystem: warning
+  privilegeEscalationAllowed: error
+  runAsRootAllowed: warning
+  runAsPrivileged: error
+  dangerousCapabilities: error
+  insecureCapabilities: warning
+
+customChecks:
+  resourceLimits:
+    containers:
+      exclude:
+        - initContainer
+    successMessage: Resource limits are within the required range
+    failureMessage: Resource limits should be within the required range
+    category: Resources
+    target: Container
+    schema:
+      '$schema': http://json-schema.org/draft-07/schema
+      type: object
+      required:
+        - resources
+      properties:
+        resources:
+          type: object
+          required:
+            - limits
+          properties:
+            limits:
+              type: object
+              required:
+                - memory
+                - cpu
+              properties:
+                memory:
+                  type: string
+                  resourceMinimum: 100M
+                  resourceMaximum: 6G
+                cpu:
+                  type: string
+                  resourceMinimum: 100m
+                  resourceMaximum: "2"
+  imageRegistry:
+    successMessage: Image comes from allowed registries
+    failureMessage: Image should not be from disallowed registry
+    category: Images
+    target: Container
+    schema:
+      '$schema': http://json-schema.org/draft-07/schema
+      type: object
+      properties:
+        image:
+          type: string
+          not:
+            pattern: ^quay.io
+
+controllersToScan:
+  - Deployments
+  - StatefulSets
+  - DaemonSets
+  - CronJobs
+  - Jobs
+  - ReplicationControllers
+exemptions:
+  - controllerNames:
+      - dns-controller
+      - datadog-datadog
+      - kube-flannel-ds
+      - kube2iam
+      - aws-iam-authenticator
+      - datadog
+      - kube2iam
+    rules:
+      - hostNetworkSet
+  - controllerNames:
+      - aws-iam-authenticator
+      - aws-cluster-autoscaler
+      - kube-state-metrics
+      - dns-controller
+      - external-dns
+      - dnsmasq
+      - autoscaler
+      - kubernetes-dashboard
+      - install-cni
+      - kube2iam
+    rules:
+      - readinessProbeMissing
+      - livenessProbeMissing
+  - controllerNames:
+      - aws-iam-authenticator
+      - nginx-ingress-controller
+      - nginx-ingress-default-backend
+      - aws-cluster-autoscaler
+      - kube-state-metrics
+      - dns-controller
+      - external-dns
+      - kubedns
+      - dnsmasq
+      - autoscaler
+      - tiller
+      - kube2iam
+    rules:
+      - runAsRootAllowed
+  - controllerNames:
+      - aws-iam-authenticator
+      - nginx-ingress-controller
+      - nginx-ingress-default-backend
+      - aws-cluster-autoscaler
+      - kube-state-metrics
+      - dns-controller
+      - external-dns
+      - kubedns
+      - dnsmasq
+      - autoscaler
+      - tiller
+      - kube2iam
+    rules:
+      - notReadOnlyRootFileSystem
+  - controllerNames:
+      - cert-manager
+      - dns-controller
+      - kubedns
+      - dnsmasq
+      - autoscaler
+    rules:
+      - cpuRequestsMissing
+      - cpuLimitsMissing
+      - memoryRequestsMissing
+      - memoryLimitsMissing
+  - controllerNames:
+      - kube2iam
+    rules:
+      - runAsPrivileged

src/scanners/polaris/examples/scanner-config.yaml

@@ -0,0 +1,13 @@
+scanner:
+  id: 8fc1b601-d5a2-466d-8236-c747c1dc02a2
+  periodicity: "0 2 * * *"
+  heartbeat-periodicity: 7200
+  version: 0.1.0
+polaris:
+  configPath: ./examples/polaris-config.yaml
+  version: 0.6.0
+blobStorageType: azure-blob-storage
+azureBlobConfig:
+  storageBaseUrl: https://BLOB_NAME.blob.core.windows.net/CONTAINER_NAME
+  sasToken: insert-sas-token-here
+logFormat: plain-text

src/scanners/polaris/go.mod

@@ -0,0 +1,9 @@
+module github.com/deepnetworkgmbh/joseki/src/scanners/polaris
+
+go 1.13
+
+require (
+	github.com/Azure/azure-storage-blob-go v0.8.0
+	github.com/fairwindsops/polaris v0.0.0-20200129175304-73c492333435
+	k8s.io/apimachinery v0.0.0-20181127025237-2b1284ed4c93
+)