feat: load user-defined Rego rules for workload auto-import

ivanstanev · ivanstanev · commit 423d23d52db2 · 2021-02-23T18:40:27.000Z
The Rego rules are loaded by snyk-monitor at the start of the application.
We want the rules to be provided client-side but any choice whether workloads should be imported or deleted happens in the upstream. This allows us to swap implementations, fix bugs, etc. in the back end without requiring any new versions to be deployed by users.

Test coverage provided in system tests to ensure the policy is being transmitted first thing on start up of the application.
diff --git a/package.json b/package.json
@@ -20,7 +20,7 @@
     "prepare": "npm run build",
     "build": "tsc",
     "dev": "tsc-watch --project tsconfig.json --onSuccess 'node --inspect .'",
-    "debug": "tsc-watch --project tsconfig.json --onSuccess 'node --inspect --debug-brk .'",
+    "debug": "tsc-watch --project tsconfig.json --onSuccess 'node --inspect-brk .'",
     "lint": "eslint \"src/**/*.ts\" && (cd test && eslint \"**/*.ts\")"
   },
   "author": "snyk.io",
diff --git a/snyk-monitor-deployment.yaml b/snyk-monitor-deployment.yaml
@@ -34,6 +34,8 @@ spec:
           mountPath: "/srv/app/certs"
         - name: registries-conf
           mountPath: "/srv/app/.config/containers"
+        - name: workload-policies
+          mountPath: "/var/tmp/policies"
         env:
           - name: SNYK_INTEGRATION_ID
             valueFrom:
@@ -115,4 +117,8 @@ spec:
         configMap:
           name: snyk-monitor-registries-conf
           optional: true
+      - name: workload-policies
+        configMap:
+          name: snyk-monitor-workload-policies
+          optional: true
       serviceAccountName: snyk-monitor
diff --git a/snyk-monitor/templates/deployment.yaml b/snyk-monitor/templates/deployment.yaml
@@ -49,6 +49,9 @@ spec:
             mountPath: "/var/tmp"
           - name: ssl-certs
             mountPath: "/srv/app/certs"
+          - name: workload-policies
+            mountPath: "/var/tmp/policies"
+            readOnly: true
           - name: registries-conf
             mountPath: "/srv/app/.config/containers"
           env:
@@ -114,6 +117,10 @@ spec:
           configMap:
             name: {{ .Values.certsConfigMap }}
             optional: true
+        - name: workload-policies
+          configMap:
+            name: {{ .Values.workloadPoliciesMap }}
+            optional: true
         - name: registries-conf
           configMap:
             name: {{ .Values.registriesConfConfigMap }}
diff --git a/snyk-monitor/values.yaml b/snyk-monitor/values.yaml
@@ -7,6 +7,7 @@
 monitorSecrets: snyk-monitor
 certsConfigMap: snyk-monitor-certs
 registriesConfConfigMap: snyk-monitor-registries-conf
+workloadPoliciesMap: snyk-monitor-workload-policies
 
 # One of: Cluster, Namespaced
 # Cluster - creates a ClusterRole and ClusterRoleBinding with the ServiceAccount
diff --git a/src/common/policy.ts b/src/common/policy.ts
@@ -0,0 +1,31 @@
+import { existsSync, readFile } from 'fs';
+import { resolve as resolvePath } from 'path';
+import { promisify } from 'util';
+
+import { logger } from './logger';
+import { constructWorkloadAutoImportPolicy } from '../transmitter/payload';
+import { sendWorkloadAutoImportPolicy } from '../transmitter';
+import { config } from './config';
+
+const readFileAsync = promisify(readFile);
+
+export async function loadAndSendWorkloadAutoImportPolicy(): Promise<void> {
+  try {
+    /** This path is set in snyk-monitor during installation/deployment and is defined in the Helm chart. */
+    const userProvidedRegoPolicyPath = resolvePath(
+      config.IMAGE_STORAGE_ROOT,
+      'policies',
+      'workload-auto-import.rego',
+    );
+    if (!existsSync(userProvidedRegoPolicyPath)) {
+      logger.info({}, 'Rego policy file does not exist, skipping loading');
+      return;
+    }
+
+    const regoPolicy = await readFileAsync(userProvidedRegoPolicyPath, 'utf8');
+    const payload = constructWorkloadAutoImportPolicy(regoPolicy);
+    await sendWorkloadAutoImportPolicy(payload);
+  } catch (err) {
+    logger.error({ err }, 'Unexpected error occurred while loading workload auto-import policy');
+  }
+}
diff --git a/src/index.ts b/src/index.ts
@@ -7,6 +7,7 @@ import { config } from './common/config';
 import { logger } from './common/logger';
 import { currentClusterName } from './supervisor/cluster';
 import { beginWatchingWorkloads } from './supervisor/watchers';
+import { loadAndSendWorkloadAutoImportPolicy } from './common/policy';
 
 process.on('uncaughtException', (err) => {
   if (state.shutdownInProgress) {
@@ -58,4 +59,9 @@ function monitor(): void {
 
 SourceMapSupport.install();
 cleanUpTempStorage();
-monitor();
+
+// Allow running in an async context
+setImmediate(async function setUpAndMonitor(): Promise<void> {
+  await loadAndSendWorkloadAutoImportPolicy();
+  monitor();
+});
diff --git a/src/transmitter/index.ts b/src/transmitter/index.ts
@@ -10,6 +10,7 @@ import {
   IRequestError,
   ScanResultsPayload,
   IDependencyGraphPayload,
+  WorkloadAutoImportPolicyPayload,
 } from './types';
 import { getProxyAgent } from './proxy';
 
@@ -69,6 +70,30 @@ export async function sendWorkloadMetadata(payload: IWorkloadMetadataPayload): P
     }
 }
 
+export async function sendWorkloadAutoImportPolicy(payload: WorkloadAutoImportPolicyPayload): Promise<void> {
+  try {
+    logger.info(
+      { userLocator: payload.userLocator, cluster: payload.cluster, agentId: payload.agentId },
+      'attempting to send workload auto-import policy',
+    );
+
+    const { response, attempt } = await retryRequest('post', `${upstreamUrl}/api/v1/policy`, payload);
+    if (!isSuccessStatusCode(response.statusCode)) {
+      throw new Error(`${response.statusCode} ${response.statusMessage}`);
+    }
+
+    logger.info(
+      { userLocator: payload.userLocator, cluster: payload.cluster, agentId: payload.agentId, attempt },
+      'workload auto-import policy sent upstream successfully',
+    );
+  } catch (error) {
+    logger.error(
+      { error, userLocator: payload.userLocator, cluster: payload.cluster, agentId: payload.agentId },
+      'could not send workload auto-import policy',
+    );
+  }
+}
+
 export async function deleteWorkload(payload: IDeleteWorkloadPayload): Promise<void> {
   try {
     const {response, attempt} = await retryRequest('delete', `${upstreamUrl}/api/v1/workload`, payload);
diff --git a/src/transmitter/payload.ts b/src/transmitter/payload.ts
@@ -12,6 +12,7 @@ import {
   IKubernetesMonitorMetadata,
   ScanResultsPayload,
   IDependencyGraphPayload,
+  WorkloadAutoImportPolicyPayload,
 } from './types';
 
 export function constructDepGraph(
@@ -125,3 +126,14 @@ export function constructDeleteWorkload(
     agentId: config.AGENT_ID,
   };
 }
+
+export function constructWorkloadAutoImportPolicy(
+  policy: string,
+): WorkloadAutoImportPolicyPayload {
+  return {
+    policy,
+    userLocator: config.INTEGRATION_ID,
+    cluster: currentClusterName,
+    agentId: config.AGENT_ID,
+  };
+}
diff --git a/src/transmitter/types.ts b/src/transmitter/types.ts
@@ -61,6 +61,13 @@ export interface IDeleteWorkloadPayload {
   agentId: string;
 }
 
+export interface WorkloadAutoImportPolicyPayload {
+  userLocator: string;
+  cluster: string;
+  agentId: string;
+  policy: string;
+}
+
 export interface IWorkload {
   type: string;
   name: string;
diff --git a/test/fixtures/workload-auto-import.rego b/test/fixtures/workload-auto-import.rego
@@ -0,0 +1,3 @@
+package snyk
+
+default workload_auto_import = false
diff --git a/test/system/kind.spec.ts b/test/system/kind.spec.ts
@@ -1,11 +1,19 @@
 import * as fsExtra from 'fs-extra';
 import * as nock from 'nock';
+import { copyFile, readFile, mkdir, exists } from 'fs';
+import { promisify } from 'util';
+import { resolve as resolvePath } from 'path';
 
 import * as kubectl from '../helpers/kubectl';
 import * as kind from '../setup/platforms/kind';
 import * as transmitterTypes from '../../src/transmitter/types';
 import { execWrapper as exec } from '../helpers/exec';
 
+const copyFileAsync = promisify(copyFile);
+const readFileAsync = promisify(readFile);
+const mkdirAsync = promisify(mkdir);
+const existsAsync = promisify(exists);
+
 /**
  * TODO graceful shutdown
  * We abruptly close the connection to the K8s API server during shutdown, which can result in exceptions.
@@ -61,10 +69,38 @@ test('Kubernetes-Monitor with KinD', async (jestDoneCallback) => {
 
   // Services
   await Promise.all([
-    kubectl.applyK8sYaml('./test/fixtures/java-deployment.yaml'),
+    kubectl.applyK8sYaml(resolvePath('./test/fixtures/java-deployment.yaml')),
     kubectl.waitForDeployment('java', 'services'),
   ]);
 
+  // Create a copy of the policy file fixture in the location that snyk-monitor is expecting to load it from.
+  const regoPolicyFixturePath = resolvePath('./test/fixtures/workload-auto-import.rego');
+  const expectedPoliciesPath = resolvePath('/var/tmp/policies');
+  if (!(await existsAsync(expectedPoliciesPath))) {
+    await mkdirAsync(expectedPoliciesPath);
+  }
+  await copyFileAsync(
+    regoPolicyFixturePath,
+    resolvePath(expectedPoliciesPath, 'workload-auto-import.rego'),
+  );
+
+  const regoPolicyContents = await readFileAsync(regoPolicyFixturePath, 'utf8');
+  nock('https://kubernetes-upstream.snyk.io')
+    .post('/api/v1/policy')
+    .times(1)
+    .reply(200, (uri, requestBody: transmitterTypes.WorkloadAutoImportPolicyPayload) => {
+      try {
+        expect(requestBody).toEqual<transmitterTypes.WorkloadAutoImportPolicyPayload>({
+          agentId: expect.any(String),
+          cluster: expect.any(String),
+          userLocator: expect.any(String),
+          policy: regoPolicyContents,
+        });
+      } catch (error) {
+        jestDoneCallback(error);
+      }
+    });
+
   // Setup nocks
   nock(/https\:\/\/127\.0\.0\.1\:\d+/, { allowUnmocked: true })
     .get('/api/v1/namespaces')

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+package snyk`
	`2`	`+`
	`3`	`+default workload_auto_import = false`