Merge pull request #46 from darryk10/opa-generate

Introduced OPA Policy Support

Author: darryk10

README.MD

@@ -1,8 +1,8 @@
 # Kube PodSecurityPolicy Advisor
 
-kube-psp-advisor is a tool that makes it easier to create K8s Pod Security Policies (PSPs) from either a live K8s environment or from a single .yaml file containing a pod specification (Deployment, DaemonSet, Pod, etc).
+kube-psp-advisor is a tool that makes it easier to create K8s Pod Security Policies (PSPs) or OPA Policy from either a live K8s environment or from a single .yaml file containing a pod specification (Deployment, DaemonSet, Pod, etc).
 
-It has 2 subcommands, `kube-psp-advisor inspect` and `kube-psp-advisor convert`. `inspect` connects to a K8s API server, scans the security context of workloads in a given namespace or the entire cluster, and generates a PSP based on the security context. `convert` works without connecting to an API Server, reading a single .yaml file containing a object with a pod spec and generating a PSP based on the file.
+It has 2 subcommands, `kube-psp-advisor inspect` and `kube-psp-advisor convert`. `inspect` connects to a K8s API server, scans the security context of workloads in a given namespace or the entire cluster, and generates a PSP or an OPA Policy based on the security context. `convert` works without connecting to an API Server, reading a single .yaml file containing a object with a pod spec and generating a PSP or OPA Policy based on the file.
 
 ## Installation as a Krew Plugin
 
@@ -20,15 +20,20 @@ The plugin will be available as `kubectl advise-psp`.
    - 2.1 ```./kube-psp-advisor inspect --report``` to print the details reports (why this PSP is recommended for the cluster)
    - 2.2 ```./kube-psp-advisor inspect --grant``` to print PSPs, roles and rolebindings for service accounts (refer to [psp-grant.yaml](./test-yaml/psp-grant.yaml))
    - 2.3 ```./kube-psp-advisor inspect --namespace=<ns>``` to print report or PSP(s) within a given namespace (default to all) 
+   - 2.4 ```./kube-psp-advisor inspect --opa``` to generate OPA Policy based on running cluster configuration
+   - 2.5 ```./kube-psp-advisor inspect --opa --deny-by-default``` to generate an OPA Policy, where OPA Default Rule is Deny ALL
 4. ```./kube-psp-advisor convert --podFile <path> --pspFile <path>``` to generate a PSP from a single .yaml file.
-
+   - 4.1 ```./kube-psp-advisor convert --podFile <path> --pspFile <path> --opa``` to generate an OPA Policy from a single .yaml file.
+   - 4.2 ```./kube-psp-advisor convert --podFile <path> --pspFile <path> --opa --deny-by-default``` to generate an OPA Policy from a single .yaml file, where OPA Default Rule is Deny ALL.
+    
 ## Build and Run as Container
 1. ```docker build -t <Image Name> -f container/Dockerfile .```
 2. ```docker run -v ~/.kube:/root/.kube -v ~/.aws:/root/.aws <Image Name>``` (the `.aws` folder mount is optional and totally depends on your clould provider)
 
 ## Use Cases
 1. Help verify the deployment, daemonset settings in cluster and plan to reduce unnecessary privileges/resources
 2. Apply Pod Security Policy to the target cluster
+3. Apply OPA Policy to the target cluster
 3. flag `--namespace=<namespace>` is introduced to debug and narrow down the security context per namespace
 
 ## Attributes Aggregated for Pod Security Policy

advisor/advisor.go

@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"os"
 
+	"github.com/open-policy-agent/opa/ast"
+
 	"github.com/sysdiglabs/kube-psp-advisor/advisor/types"
 
 	"github.com/sysdiglabs/kube-psp-advisor/advisor/processor"
@@ -18,6 +20,7 @@ import (
 
 type Advisor struct {
 	podSecurityPolicy *v1beta1.PodSecurityPolicy
+	OPAModulePolicy   *ast.Module
 	k8sClient         *kubernetes.Clientset
 	processor         *processor.Processor
 	report            *report.Report
@@ -41,7 +44,7 @@ func NewAdvisor(kubeconfig string) (*Advisor, error) {
 	}, nil
 }
 
-func (advisor *Advisor) Process(namespace string, excludeNamespaces []string) error {
+func (advisor *Advisor) Process(namespace string, excludeNamespaces []string, OPAformat string, OPAdefaultRule bool) error {
 	advisor.processor.SetNamespace(namespace)
 	advisor.processor.SetExcludeNamespaces(excludeNamespaces)
 
@@ -51,7 +54,11 @@ func (advisor *Advisor) Process(namespace string, excludeNamespaces []string) er
 		return err
 	}
 
-	advisor.podSecurityPolicy = advisor.processor.GeneratePSP(cssList, pssList)
+	if OPAformat == "opa" {
+		advisor.OPAModulePolicy = advisor.processor.GenerateOPA(cssList, pssList, OPAdefaultRule)
+	} else if OPAformat == "psp" {
+		advisor.podSecurityPolicy = advisor.processor.GeneratePSP(cssList, pssList)
+	}
 
 	advisor.report = advisor.processor.GenerateReport(cssList, pssList)
 
@@ -77,6 +84,15 @@ func (advisor *Advisor) PrintPodSecurityPolicy() error {
 	return err
 }
 
+func (advisor *Advisor) PrintOPAPolicy() string {
+	if advisor.OPAModulePolicy != nil {
+		err := advisor.OPAModulePolicy.String()
+		fmt.Printf(err)
+		return err
+	} else {
+		return ""
+	}
+}
 func (advisor *Advisor) GetPodSecurityPolicy() *v1beta1.PodSecurityPolicy {
 	return advisor.podSecurityPolicy
 }

advisor/processor/generate.go

@@ -5,6 +5,8 @@ import (
 	"sort"
 	"strings"
 
+	"github.com/open-policy-agent/opa/ast"
+
 	"github.com/sysdiglabs/kube-psp-advisor/advisor/report"
 	"github.com/sysdiglabs/kube-psp-advisor/advisor/types"
 	"github.com/sysdiglabs/kube-psp-advisor/generator"
@@ -79,6 +81,10 @@ func (p *Processor) GeneratePSP(cssList []types.ContainerSecuritySpec, pssList [
 	return p.gen.GeneratePSP(cssList, pssList, p.namespace, p.serverGitVersion)
 }
 
+func (p *Processor) GenerateOPA(cssList []types.ContainerSecuritySpec, pssList []types.PodSecuritySpec, OPAdefaultRule bool) *ast.Module {
+	return p.gen.GenerateOPA(cssList, pssList, p.namespace, p.serverGitVersion, OPAdefaultRule)
+}
+
 // GeneratePSPGrant generates Pod Security Policies, Roles, RoleBindings for service accounts to use PSP
 func (p *Processor) GeneratePSPGrant(cssList []types.ContainerSecuritySpec, pssList []types.PodSecuritySpec) (types.PSPGrantList, string) {
 	saSecuritySpecMap := map[string]*types.SASecuritySpec{}

advisor/types/securityspec.go

@@ -89,6 +89,7 @@ type PodSecuritySpec struct {
 	HostNetwork    bool            `json:"hostNetwork,omitempty"`
 	HostIPC        bool            `json:"hostIPC,omitempty"`
 	VolumeTypes    []string        `json:"volumeTypes,omitempty"`
+	VolumeMounts   map[string]bool `json:"volumeMounts,omitempty"` //--> NEW
 	MountHostPaths map[string]bool `json:"mountedHostPath,omitempty"`
 	ServiceAccount string          `json:"serviceAccount,omitempty"`
 	Sysctls        []string        `json:"sysctls,omitempty"`