feat(k8s): add filter for ignoring TLS secrets without client certificates

- Introduce IgnoreTLSSecretsContainingNonClientCertificates filter
- Update dynamic gatherer config to support resource filters via YAML
- Apply filters when adding resources to cache to exclude non-client TLS secrets

Signed-off-by: Richard Wall <[email protected]>

Author: wallrj-cyberark

deploy/charts/cyberark-disco-agent/templates/configmap.yaml

@@ -30,6 +30,8 @@ data:
         - type!=kubernetes.io/dockerconfigjson
         - type!=bootstrap.kubernetes.io/token
         - type!=helm.sh/release.v1
+        filters:
+        - IgnoreTLSSecretsContainingNonClientCertificates
     - kind: k8s-dynamic
       name: ark/serviceaccounts
       config:

examples/machinehub.yaml

@@ -28,6 +28,8 @@ data-gatherers:
     - type!=kubernetes.io/dockerconfigjson
     - type!=bootstrap.kubernetes.io/token
     - type!=helm.sh/release.v1
+    filters:
+    - IgnoreTLSSecretsContainingNonClientCertificates
 
 # Gather Kubernetes service accounts
 - name: ark/serviceaccounts

pkg/datagatherer/k8s/cache.go

@@ -1,11 +1,14 @@
 package k8s
 
 import (
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"time"
 
 	"github.com/go-logr/logr"
 	"github.com/pmylund/go-cache"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 
 	"github.com/jetstack/preflight/api"
@@ -39,9 +42,113 @@ func logCacheUpdateFailure(log logr.Logger, obj interface{}, operation string) {
 	log.Error(err, "Cache update failure", "operation", operation)
 }
 
+// cacheFilterFunction is a function that takes an object and returns true if the
+// object should not be added to the cache, false otherwise.
+// This can be used to filter out objects that are not relevant for the data gatherer.
+type cacheFilterFunction func(interface{}) bool
+
+// IgnoreTLSSecretsContainingNonClientCertificates filters out all TLS secrets that do not
+// contain a client certificate in the `tls.crt` key.
+func IgnoreTLSSecretsContainingNonClientCertificates(obj interface{}) bool {
+	_, ok := obj.(cacheResource)
+	if !ok {
+		// Not a cacheResource, skip it
+		// Programming error if this happens
+		return false
+	}
+	secret, ok := obj.(*corev1.Secret)
+	if !ok {
+		// Not a Secret, skip it
+		return false
+	}
+	// Check if the secret contains the `tls.crt` key
+	data, found := secret.Data[corev1.TLSCertKey]
+	// If the key is not found or the data is empty, skip it
+
+	if !found || len(data) == 0 {
+		return false
+	}
+
+	// Try to parse the data as a PEM encoded X.509 certificate chain
+	certs, err := parsePEMCertificateChain(data)
+	if err != nil {
+		return false
+	}
+
+	if len(certs) == 0 {
+		return false
+	}
+
+	// Check if the leaf certificate is a client certificate
+	if isClientCertificate(certs[0]) {
+		return false
+	}
+
+	// Not a client certificate, drop it
+	return true
+}
+
+// isClientCertificate checks if the given certificate is a client certificate
+// by checking if it has the ClientAuth EKU.
+func isClientCertificate(cert *x509.Certificate) bool {
+	if cert == nil {
+		return false
+	}
+	// Check if the certificate has the ClientAuth EKU
+	for _, eku := range cert.ExtKeyUsage {
+		if eku == x509.ExtKeyUsageClientAuth {
+			return true
+		}
+	}
+	return false
+}
+
+// parsePEMCertificateChain parses a PEM encoded certificate chain and returns
+// a slice of x509.Certificate pointers. It returns an error if the data cannot
+// be parsed as a certificate chain.
+// The supplied data can contain multiple PEM blocks, the function will parse
+// all of them and return a slice of certificates.
+func parsePEMCertificateChain(data []byte) ([]*x509.Certificate, error) {
+	// Parse the PEM encoded certificate chain
+	var certs []*x509.Certificate
+	var block *pem.Block
+	rest := data
+	for {
+		block, rest = pem.Decode(rest)
+		if block == nil {
+			break
+		}
+		if block.Type != "CERTIFICATE" || len(block.Bytes) == 0 {
+			continue
+		}
+		cert, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse certificate: %w", err)
+		}
+		certs = append(certs, cert)
+	}
+	if len(certs) == 0 {
+		return nil, fmt.Errorf("no certificates found")
+	}
+	return certs, nil
+}
+
 // onAdd handles the informer creation events, adding the created runtime.Object
 // to the data gatherer's cache. The cache key is the uid of the object
-func onAdd(log logr.Logger, obj interface{}, dgCache *cache.Cache) {
+// The object is wrapped in a GatheredResource struct.
+// If the object is already present in the cache, it gets replaced.
+// The cache key is the uid of the object
+// The supplied filter functions can be used to filter out objects that
+// should not be added to the cache.
+// If multiple filter functions are supplied, the object is filtered out
+// if any of the filter functions returns true.
+func onAdd(log logr.Logger, obj interface{}, dgCache *cache.Cache, filters ...cacheFilterFunction) {
+	for _, filter := range filters {
+		if filter != nil && filter(obj) {
+			return
+		}
+	}
+
 	item, ok := obj.(cacheResource)
 	if ok {
 		cacheObject := &api.GatheredResource{

pkg/datagatherer/k8s/dynamic.go

@@ -43,6 +43,12 @@ type ConfigDynamic struct {
 	IncludeNamespaces []string `yaml:"include-namespaces"`
 	// FieldSelectors is a list of field selectors to use when listing this resource
 	FieldSelectors []string `yaml:"field-selectors"`
+	// Filters is a list of filter functions to apply to the resources before adding them to the cache.
+	// Each filter function should return true if the resource should be excluded, false otherwise.
+	// Available filter functions:
+	// - IgnoreTLSSecretsContainingNonClientCertificates: ignores all TLS
+	//   secrets that do not contain client certificates
+	Filters []cacheFilterFunction `yaml:"filters"`
 }
 
 // UnmarshalYAML unmarshals the ConfigDynamic resolving GroupVersionResource.
@@ -57,6 +63,7 @@ func (c *ConfigDynamic) UnmarshalYAML(unmarshal func(interface{}) error) error {
 		ExcludeNamespaces []string `yaml:"exclude-namespaces"`
 		IncludeNamespaces []string `yaml:"include-namespaces"`
 		FieldSelectors    []string `yaml:"field-selectors"`
+		Filters           []string `yaml:"filters"`
 	}{}
 	err := unmarshal(&aux)
 	if err != nil {
@@ -71,6 +78,15 @@ func (c *ConfigDynamic) UnmarshalYAML(unmarshal func(interface{}) error) error {
 	c.IncludeNamespaces = aux.IncludeNamespaces
 	c.FieldSelectors = aux.FieldSelectors
 
+	for _, filterName := range aux.Filters {
+		switch filterName {
+		case "IgnoreTLSSecretsContainingNonClientCertificates":
+			c.Filters = append(c.Filters, IgnoreTLSSecretsContainingNonClientCertificates)
+		default:
+			return fmt.Errorf("filters contains an unknown filter function: %s. Must be one of: IgnoreTLSSecretsContainingNonClientCertificates", filterName)
+		}
+	}
+
 	return nil
 }
 
@@ -218,7 +234,7 @@ func (c *ConfigDynamic) newDataGathererWithClient(ctx context.Context, cl dynami
 
 	registration, err := newDataGatherer.informer.AddEventHandlerWithOptions(k8scache.ResourceEventHandlerFuncs{
 		AddFunc: func(obj interface{}) {
-			onAdd(log, obj, dgCache)
+			onAdd(log, obj, dgCache, c.Filters...)
 		},
 		UpdateFunc: func(oldObj, newObj interface{}) {
 			onUpdate(log, oldObj, newObj, dgCache)

pkg/datagatherer/k8s/dynamic_test.go

@@ -217,6 +217,8 @@ include-namespaces:
 - default
 field-selectors:
 - type!=kubernetes.io/service-account-token
+filters:
+- IgnoreTLSSecretsContainingNonClientCertificates
 `
 
 	expectedGVR := schema.GroupVersionResource{
@@ -259,6 +261,7 @@ field-selectors:
 	if got, want := cfg.FieldSelectors, expectedFieldSelectors; !reflect.DeepEqual(got, want) {
 		t.Errorf("FieldSelectors does not match: got=%+v want=%+v", got, want)
 	}
+	assert.Equal(t, []cacheFilterFunction{IgnoreTLSSecretsContainingNonClientCertificates}, cfg.Filters)
 }
 
 func TestConfigDynamicValidate(t *testing.T) {