
Commit 0186148

darryk10Kaizhe
authored andcommitted
introduced opa policy generation
1 parent feb1b53 commit 0186148


10 files changed

+937
-103
lines changed


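--- a/advisor/advisor.go
+++ b/advisor/advisor.go
@@ -3,6 +3,7 @@ package advisor
 import (
 "encoding/json"
 "fmt"
+"github.com/open-policy-agent/opa/ast"
 "os"
 
 "github.com/sysdiglabs/kube-psp-advisor/advisor/types"
@@ -18,6 +19,7 @@ import (
 
 type Advisor struct {
 podSecurityPolicy *v1beta1.PodSecurityPolicy
+OPAModulePolicy *ast.Module
 k8sClient *kubernetes.Clientset
 processor *processor.Processor
 report *report.Report
@@ -41,7 +43,7 @@ func NewAdvisor(kubeconfig string) (*Advisor, error) {
 }, nil
 }
 
-func (advisor *Advisor) Process(namespace string, excludeNamespaces []string) error {
+func (advisor *Advisor) Process(namespace string, excludeNamespaces []string, OPAformat bool, OPAdefaultRule bool) error {
 advisor.processor.SetNamespace(namespace)
 advisor.processor.SetExcludeNamespaces(excludeNamespaces)
 
@@ -51,7 +53,11 @@ func (advisor *Advisor) Process(namespace string, excludeNamespaces []string) er
 return err
 }
 
-advisor.podSecurityPolicy = advisor.processor.GeneratePSP(cssList, pssList)
+if OPAformat {
+advisor.OPAModulePolicy = advisor.processor.GenerateOPA(cssList, pssList, OPAdefaultRule)
+} else {
+advisor.podSecurityPolicy = advisor.processor.GeneratePSP(cssList, pssList)
+}
 
 advisor.report = advisor.processor.GenerateReport(cssList, pssList)
 
@@ -77,6 +83,15 @@ func (advisor *Advisor) PrintPodSecurityPolicy() error {
 return err
 }
 
+func (advisor *Advisor) PrintOPAPolicy() string {
+if advisor.OPAModulePolicy != nil {
+err := advisor.OPAModulePolicy.String()
+fmt.Printf(err)
+return err
+} else {
+return ""
+}
+}
 func (advisor *Advisor) GetPodSecurityPolicy() *v1beta1.PodSecurityPolicy {
 return advisor.podSecurityPolicy
 }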
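Review bot: `fmt.Printf(err)` in PrintOPAPolicy passes the rendered Rego module as the format string, so any `%` in the generated policy text is read as a formatting verb and the printed output is corrupted (and `go vet` flags the non-constant format string). Print the string as data and name the local for what it holds, since `err` is a string here, not an error: `policy := advisor.OPAModulePolicy.String()` / `fmt.Print(policy)` / `return policy`. The `else` branch after `return` can be flattened into an early `return ""` guard, and the exported method has no doc comment; suggested: `// PrintOPAPolicy writes the generated OPA module to stdout and returns its text, or "" when no OPA policy has been generated.` The same import-grouping nit applies here and in advisor/processor/generate.go: the opa/ast import is inserted between the stdlib "fmt" and "os"/"sort" entries, which goimports would move into the third-party group.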

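--- a/advisor/processor/generate.go
+++ b/advisor/processor/generate.go
@@ -2,6 +2,7 @@ package processor
 
 import (
 "fmt"
+"github.com/open-policy-agent/opa/ast"
 "sort"
 "strings"
 
@@ -79,6 +80,10 @@ func (p *Processor) GeneratePSP(cssList []types.ContainerSecuritySpec, pssList [
 return p.gen.GeneratePSP(cssList, pssList, p.namespace, p.serverGitVersion)
 }
 
+func (p *Processor) GenerateOPA(cssList []types.ContainerSecuritySpec, pssList []types.PodSecuritySpec, OPAdefaultRule bool) *ast.Module {
+return p.gen.GenerateOPA(cssList, pssList, p.namespace, p.serverGitVersion, OPAdefaultRule)
+}
+
 // GeneratePSPGrant generates Pod Security Policies, Roles, RoleBindings for service accounts to use PSP
 func (p *Processor) GeneratePSPGrant(cssList []types.ContainerSecuritySpec, pssList []types.PodSecuritySpec) (types.PSPGrantList, string) {
 saSecuritySpecMap := map[string]*types.SASecuritySpec{}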
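Review bot: The new exported method GenerateOPA has no doc comment, while its neighbour GeneratePSPGrant does; suggested: `// GenerateOPA builds an OPA policy module from the collected container and pod security specs; OPAdefaultRule is passed through to the underlying generator.` What OPAdefaultRule actually changes in the emitted module is not visible in this hunk, so the comment should say only what can be confirmed from the generator. The parameter name would read more conventionally as `opaDefaultRule` (and `opaFormat` for the matching flag in advisor.go), keeping the initialism's case consistent.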

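--- a/advisor/types/securityspec.go
+++ b/advisor/types/securityspec.go
@@ -89,6 +89,7 @@ type PodSecuritySpec struct {
 HostNetwork bool `json:"hostNetwork,omitempty"`
 HostIPC bool `json:"hostIPC,omitempty"`
 VolumeTypes []string `json:"volumeTypes,omitempty"`
+VolumeMounts map[string]bool `json:"volumeMounts,omitempty"` //--> NEW
 MountHostPaths map[string]bool `json:"mountedHostPath,omitempty"`
 ServiceAccount string `json:"serviceAccount,omitempty"`
 Sysctls []string `json:"sysctls,omitempty"`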
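Review bot: The trailing `//--> NEW` on the added VolumeMounts field is a work-in-progress marker rather than documentation and should not land as-is. Replace it with a comment stating what the map keys and values represent; the hunk does not show how the field is populated, so the wording needs confirming against the collector, e.g. `// VolumeMounts records the volume mounts seen on the pod's containers (keyed by mount path — confirm against the collector).` The enclosing PodSecuritySpec struct begins outside this hunk.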
