feat(k8s-docker): polaris scanner dockerfile and k8s objects

v1r7u · v1r7u · commit 7e8b115beecb · 2020-02-04T09:14:30.000+01:00
DISCLAIMER: I haven't found a way to run the service in bare-bone alpine container. polaris keeps a part of runtime needed configuration in yaml files. These files are embedded into polaris binaries with gobuffalo/packr The problem is, packr is not able to embed files from referenced modules gobuffalo/packr#236 To overcome the issue, polaris-scanner is built and is running from the same golang container golang:1.13.7-alpine3.11 using CGO_ENABLED=1 If produced binary is copied to bare-bone alpine container - it's not visible, due the problem described in SO question https://stackoverflow.com/q/34729748/1952990 I tried both options from SO question: nor symlink, neither CGO_ENABLED=0 helps, because of the initial packr issue
diff --git a/examples/k8s/scanner-polaris.yaml b/examples/k8s/scanner-polaris.yaml
@@ -0,0 +1,254 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: scanner-polaris-cfg
+  namespace: joseki
+  labels:
+    app: scanner-polaris
+    module: scanners
+    version: 0.1.1
+data:
+  scanner-polaris-config.yaml:  |
+    scanner:
+      id: SCANNER_ID
+      periodicity: "0 2 * * *"
+      heartbeat-periodicity: 86400
+      version: 0.1.1
+    polaris:
+      configPath: /app/polaris-config.yaml
+      version: 0.6.0
+    blobStorageType: azure-blob-storage
+    azureBlobConfig:
+      storageBaseUrl: https://STORAGE__ACCOUNT_NAME.blob.core.windows.net/CONTAINER_NAME
+      sasToken: INSERT_SAS_TOKEN_HERE
+    logFormat: plain-text
+  polaris-config.yaml:  |
+    checks:
+      # resources
+      cpuRequestsMissing: warning
+      cpuLimitsMissing: warning
+      memoryRequestsMissing: warning
+      memoryLimitsMissing: warning
+      # images
+      tagNotSpecified: error
+      pullPolicyNotAlways: ignore
+      # healthChecks
+      readinessProbeMissing: warning
+      livenessProbeMissing: warning
+      # networking
+      hostNetworkSet: warning
+      hostPortSet: warning
+      # security
+      hostIPCSet: error
+      hostPIDSet: error
+      notReadOnlyRootFileSystem: warning
+      privilegeEscalationAllowed: error
+      runAsRootAllowed: warning
+      runAsPrivileged: error
+      dangerousCapabilities: error
+      insecureCapabilities: warning
+    controllersToScan:
+      - Deployments
+      - StatefulSets
+      - DaemonSets
+      - CronJobs
+      - Jobs
+      - ReplicationControllers
+    exemptions:
+      - controllerNames:
+          - dns-controller
+          - datadog-datadog
+          - kube-flannel-ds
+          - kube2iam
+          - aws-iam-authenticator
+          - datadog
+          - kube2iam
+        rules:
+          - hostNetworkSet
+      - controllerNames:
+          - aws-iam-authenticator
+          - aws-cluster-autoscaler
+          - kube-state-metrics
+          - dns-controller
+          - external-dns
+          - dnsmasq
+          - autoscaler
+          - kubernetes-dashboard
+          - install-cni
+          - kube2iam
+        rules:
+          - readinessProbeMissing
+          - livenessProbeMissing
+      - controllerNames:
+          - aws-iam-authenticator
+          - nginx-ingress-controller
+          - nginx-ingress-default-backend
+          - aws-cluster-autoscaler
+          - kube-state-metrics
+          - dns-controller
+          - external-dns
+          - kubedns
+          - dnsmasq
+          - autoscaler
+          - tiller
+          - kube2iam
+        rules:
+          - runAsRootAllowed
+      - controllerNames:
+          - aws-iam-authenticator
+          - nginx-ingress-controller
+          - nginx-ingress-default-backend
+          - aws-cluster-autoscaler
+          - kube-state-metrics
+          - dns-controller
+          - external-dns
+          - kubedns
+          - dnsmasq
+          - autoscaler
+          - tiller
+          - kube2iam
+        rules:
+          - notReadOnlyRootFileSystem
+      - controllerNames:
+          - cert-manager
+          - dns-controller
+          - kubedns
+          - dnsmasq
+          - autoscaler
+          - insights-agent-goldilocks-vpa-install
+        rules:
+          - cpuRequestsMissing
+          - cpuLimitsMissing
+          - memoryRequestsMissing
+          - memoryLimitsMissing
+      - controllerNames:
+          - kube2iam
+          - kube-flannel-ds
+        rules:
+          - runAsPrivileged
+      - controllerNames:
+          - kube-hunter
+        rules:
+          - hostPIDSet
+      - controllerNames:
+          - polaris
+          - kube-hunter
+          - goldilocks
+          - insights-agent-goldilocks-vpa-install
+        rules:
+          - notReadOnlyRootFileSystem
+      - controllerNames:
+          - insights-agent-goldilocks-controller
+        rules:
+          - livenessProbeMissing
+          - readinessProbeMissing
+      - controllerNames:
+          - insights-agent-goldilocks-vpa-install
+          - kube-hunter
+        rules:
+          - runAsRootAllowed
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: scanner-polaris
+  namespace: joseki
+  labels:
+    app: scanner-polaris
+    module: scanners
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: scanner-polaris
+  labels:
+    app: scanner-polaris
+    module: scanners
+rules:
+  - apiGroups:
+      - 'apps'
+      - 'extensions'
+    resources:
+      - 'deployments'
+      - 'statefulsets'
+      - 'daemonsets'
+    verbs:
+      - 'get'
+      - 'list'
+  - apiGroups:
+      - 'batch'
+    resources:
+      - 'jobs'
+      - 'cronjobs'
+    verbs:
+      - 'get'
+      - 'list'
+  - apiGroups:
+      - ''
+    resources:
+      - 'nodes'
+      - 'namespaces'
+      - 'pods'
+      - 'replicationcontrollers'
+    verbs:
+      - 'get'
+      - 'list'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: scanner-polaris
+  labels:
+    app: scanner-polaris
+    module: scanners
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: scanner-polaris
+subjects:
+  - kind: ServiceAccount
+    name: scanner-polaris
+    namespace: joseki
+
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: scanner-polaris
+  namespace: joseki
+  labels:
+    app: scanner-polaris
+    module: scanners
+    version: 0.1.1
+spec:
+  schedule: "0 2 * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: scanner-polaris
+            image: deepnetwork/joseki-scanner-polaris:0.1.1-alpine
+            imagePullPolicy: Always
+            args:
+            - --config
+            - /app/scanner-polaris-config.yaml
+            volumeMounts:
+            - name: config
+              mountPath: /app/scanner-polaris-config.yaml
+              subPath: scanner-polaris-config.yaml
+              readOnly: true
+            - name: config
+              mountPath: /app/polaris-config.yaml
+              subPath: polaris-config.yaml
+              readOnly: true
+          volumes:
+            - name: config
+              configMap:
+                name: scanner-polaris-cfg
+          restartPolicy: Never
+          serviceAccountName: scanner-polaris
diff --git a/src/scanners/polaris/dockerfile b/src/scanners/polaris/dockerfile
@@ -0,0 +1,13 @@
+FROM golang:1.13.7-alpine3.11 AS build-env
+WORKDIR /go/src/github.com/deepnetworkgmbh/joseki/src/scanners/polaris
+
+COPY go.mod go.sum ./
+ENV GOMOD=/go/src/github.com/deepnetworkgmbh/joseki/src/scanners/polaris/go.mod
+RUN go mod download
+
+COPY . .
+RUN go build -o scanner-polaris .
+
+RUN apk --no-cache add ca-certificates
+
+ENTRYPOINT ["./scanner-polaris"]
diff --git a/src/scanners/polaris/examples/scanner-config.yaml b/src/scanners/polaris/examples/scanner-config.yaml
@@ -1,7 +1,7 @@
 scanner:
   id: 8fc1b601-d5a2-466d-8236-c747c1dc02a2
   periodicity: "0 2 * * *"
-  heartbeat-periodicity: 7200
+  heartbeat-periodicity: 86400
   version: 0.1.0
 polaris:
   configPath: ./examples/polaris-config.yaml
diff --git a/src/scanners/polaris/main.go b/src/scanners/polaris/main.go
@@ -3,10 +3,11 @@ package main
 import (
 	"flag"
 	"fmt"
-	"github.com/deepnetworkgmbh/joseki/src/scanners/polaris/pkg/azureblob"
-	"github.com/deepnetworkgmbh/joseki/src/scanners/polaris/pkg/scanner"
 	"log"
 	"os"
+
+	"github.com/deepnetworkgmbh/joseki/src/scanners/polaris/pkg/azureblob"
+	"github.com/deepnetworkgmbh/joseki/src/scanners/polaris/pkg/scanner"
 )
 
 const (
@@ -20,14 +21,17 @@ func main() {
 		"./examples/scanner-config.yaml",
 		"Location of Polaris scanner configuration file")
 
+	flag.Parse()
+
 	if *version {
 		fmt.Printf("Polaris version %s\n", Version)
 		os.Exit(0)
 	}
 
+	log.Printf("Parsing config from %v", *configPath)
 	config, err := scanner.ParseConfig(*configPath)
 	if err != nil {
-		log.Fatalf("Failed to parse configuration at %s %v", configPath, err)
+		log.Fatalf("Failed to parse configuration at %s %v", *configPath, err)
 		os.Exit(1)
 	}
 
