Merge pull request #34 from sysdiglabs/kh_improvement

Kaizhe · web-flow · commit 49d3faadf461 · 2020-01-07T15:10:45.000-08:00
fix test and minor changes
diff --git a/advisor/processor/generate.go b/advisor/processor/generate.go
@@ -14,12 +14,11 @@ import (
 )
 
 type Processor struct {
-	k8sClient          *kubernetes.Clientset
-	resourceNamePrefix map[string]bool
-	namespace          string
-	serviceAccountMap  map[string]v1.ServiceAccount
-	serverGitVersion   string
-	gen                *generator.Generator
+	k8sClient         *kubernetes.Clientset
+	namespace         string
+	serviceAccountMap map[string]v1.ServiceAccount
+	serverGitVersion  string
+	gen               *generator.Generator
 }
 
 // NewProcessor returns a new processor
@@ -46,10 +45,9 @@ func NewProcessor(kubeconfig string) (*Processor, error) {
 	}
 
 	return &Processor{
-		k8sClient:          clientset,
-		resourceNamePrefix: map[string]bool{},
-		serverGitVersion:   info.GitVersion,
-		gen:                gen,
+		k8sClient:        clientset,
+		serverGitVersion: info.GitVersion,
+		gen:              gen,
 	}, nil
 }
 
diff --git a/advisor/processor/get.go b/advisor/processor/get.go
@@ -1,8 +1,6 @@
 package processor
 
 import (
-	"strings"
-
 	"github.com/sysdiglabs/kube-psp-advisor/advisor/types"
 
 	"k8s.io/api/core/v1"
@@ -32,7 +30,6 @@ func (p *Processor) getSecuritySpecFromDaemonSets() ([]types.ContainerSecuritySp
 	}
 
 	for _, ds := range daemonSetList.Items {
-		p.resourceNamePrefix[ds.Name] = true
 		sa := p.serviceAccountMap[ds.Spec.Template.Spec.ServiceAccountName]
 		cspList2, podSecurityPosture := p.gen.GetSecuritySpecFromPodSpec(types.Metadata{
 			Name: ds.Name,
@@ -58,11 +55,10 @@ func (p *Processor) getSecuritySpecFromReplicaSets() ([]types.ContainerSecurityS
 	}
 
 	for _, rs := range replicaSetList.Items {
-		if p.hasSpecRecorded(rs.Name) {
+		if len(rs.OwnerReferences) > 0 {
 			continue
 		}
 
-		p.resourceNamePrefix[rs.Name] = true
 		sa := p.serviceAccountMap[rs.Spec.Template.Spec.ServiceAccountName]
 		cspList2, psc := p.gen.GetSecuritySpecFromPodSpec(types.Metadata{
 			Name: rs.Name,
@@ -88,7 +84,6 @@ func (p *Processor) getSecuritySpecFromStatefulSets() ([]types.ContainerSecurity
 	}
 
 	for _, sts := range statefulSetList.Items {
-		p.resourceNamePrefix[sts.Name] = true
 		sa := p.serviceAccountMap[sts.Spec.Template.Spec.ServiceAccountName]
 		cspList2, pss := p.gen.GetSecuritySpecFromPodSpec(types.Metadata{
 			Name: sts.Name,
@@ -114,7 +109,6 @@ func (p *Processor) getSecuritySpecFromReplicationController() ([]types.Containe
 	}
 
 	for _, rc := range replicationControllerList.Items {
-		p.resourceNamePrefix[rc.Name] = true
 		sa := p.serviceAccountMap[rc.Spec.Template.Spec.ServiceAccountName]
 		cspList2, pss := p.gen.GetSecuritySpecFromPodSpec(types.Metadata{
 			Name: rc.Name,
@@ -140,7 +134,6 @@ func (p *Processor) getSecuritySpecFromCronJobs() ([]types.ContainerSecuritySpec
 	}
 
 	for _, cronJob := range jobList.Items {
-		p.resourceNamePrefix[cronJob.Name] = true
 		sa := p.serviceAccountMap[cronJob.Spec.JobTemplate.Spec.Template.Spec.ServiceAccountName]
 		cspList2, pss := p.gen.GetSecuritySpecFromPodSpec(types.Metadata{
 			Name: cronJob.Name,
@@ -166,11 +159,9 @@ func (p *Processor) getSecuritySpecFromJobs() ([]types.ContainerSecuritySpec, []
 	}
 
 	for _, job := range jobList.Items {
-		if p.hasSpecRecorded(job.Name) {
+		if len(job.OwnerReferences) > 0 {
 			continue
 		}
-
-		p.resourceNamePrefix[job.Name] = true
 		sa := p.serviceAccountMap[job.Spec.Template.Spec.ServiceAccountName]
 		cspList2, pss := p.gen.GetSecuritySpecFromPodSpec(types.Metadata{
 			Name: job.Name,
@@ -196,7 +187,6 @@ func (p *Processor) getSecuritySpecFromDeployments() ([]types.ContainerSecurityS
 	}
 
 	for _, deploy := range deployments.Items {
-		p.resourceNamePrefix[deploy.Name] = true
 		sa := p.serviceAccountMap[deploy.Spec.Template.Spec.ServiceAccountName]
 		cspList2, pss := p.gen.GetSecuritySpecFromPodSpec(types.Metadata{
 			Name: deploy.Name,
@@ -210,15 +200,6 @@ func (p *Processor) getSecuritySpecFromDeployments() ([]types.ContainerSecurityS
 	return cssList, pssList, nil
 }
 
-func (p *Processor) hasSpecRecorded(resourceName string) bool {
-	for prefix := range p.resourceNamePrefix {
-		if strings.HasPrefix(resourceName, prefix) {
-			return true
-		}
-	}
-	return false
-}
-
 func (p *Processor) getSecuritySpecFromPods() ([]types.ContainerSecuritySpec, []types.PodSecuritySpec, error) {
 	clientset := p.k8sClient
 	cssList := []types.ContainerSecuritySpec{}
@@ -231,7 +212,7 @@ func (p *Processor) getSecuritySpecFromPods() ([]types.ContainerSecuritySpec, []
 	}
 
 	for _, pod := range pods.Items {
-		if p.hasSpecRecorded(pod.Name) {
+		if len(pod.OwnerReferences) > 0 {
 			continue
 		}
 
diff --git a/scripts/test b/scripts/test
@@ -7,4 +7,4 @@ kubectl apply -f test-yaml/base-busybox.yaml
 
 sleep 5
 
-./kube-psp-advisor
+./kube-psp-advisor inpsect

Original file line number	Diff line number	Diff line change
`@@ -7,4 +7,4 @@ kubectl apply -f test-yaml/base-busybox.yaml`
`7`	`7`
`8`	`8`	`sleep 5`
`9`	`9`
`10`		`-./kube-psp-advisor`
	`10`	`+./kube-psp-advisor inpsect`