introduced opa policy generation

darryk10 · Kaizhe · commit a35a4e4b393b · 2021-09-20T22:54:37.000-07:00
diff --git a/advisor/advisor.go b/advisor/advisor.go
@@ -43,7 +43,7 @@ func NewAdvisor(kubeconfig string) (*Advisor, error) {
 	}, nil
 }
 
-func (advisor *Advisor) Process(namespace string, excludeNamespaces []string, OPAformat bool, OPAdefaultRule bool) error {
+func (advisor *Advisor) Process(namespace string, excludeNamespaces []string, OPAformat string, OPAdefaultRule bool) error {
 	advisor.processor.SetNamespace(namespace)
 	advisor.processor.SetExcludeNamespaces(excludeNamespaces)
 
@@ -53,9 +53,9 @@ func (advisor *Advisor) Process(namespace string, excludeNamespaces []string, OP
 		return err
 	}
 
-	if OPAformat {
+	if OPAformat == "opa" {
 		advisor.OPAModulePolicy = advisor.processor.GenerateOPA(cssList, pssList, OPAdefaultRule)
-	} else {
+	} else if OPAformat == "psp" {
 		advisor.podSecurityPolicy = advisor.processor.GeneratePSP(cssList, pssList)
 	}
 
diff --git a/generator/generator.go b/generator/generator.go
@@ -938,7 +938,7 @@ func addOPARule(nameRuleHead string, arg string) *ast.Rule {
 	return &Rule
 }
 
-func (pg *Generator) fromPodObj(metadata types.Metadata, spec corev1.PodSpec, OPAformat bool, OPAdefaultRule bool) (string, error) {
+func (pg *Generator) fromPodObj(metadata types.Metadata, spec corev1.PodSpec, OPAformat string, OPAdefaultRule bool) (string, error) {
 
 	cssList, pss := pg.GetSecuritySpecFromPodSpec(metadata, "default", spec, nil)
 
@@ -951,7 +951,7 @@ func (pg *Generator) fromPodObj(metadata types.Metadata, spec corev1.PodSpec, OP
 	var mod *ast.Module
 	var out string
 
-	if !OPAformat {
+	if OPAformat == "psp" {
 		psp = pg.GeneratePSP(cssList, pssList, "default", types.Version1_11)
 		pspJson, err := json.Marshal(psp)
 		if err != nil {
@@ -962,71 +962,71 @@ func (pg *Generator) fromPodObj(metadata types.Metadata, spec corev1.PodSpec, OP
 			return "", fmt.Errorf("Could not convert resulting PSP to Json: %v", err)
 		}
 		out = string(pspYaml)
-	} else {
+	} else if OPAformat == "opa" {
 		mod = pg.GenerateOPAPod(cssList, pssList, "default", types.Version1_11, OPAdefaultRule)
 		out = mod.String()
 	}
 
 	return string(out), nil
 }
 
-func (pg *Generator) fromDaemonSet(ds *appsv1.DaemonSet, OPAformat bool, OPAdefaultRule bool) (string, error) {
+func (pg *Generator) fromDaemonSet(ds *appsv1.DaemonSet, OPAformat string, OPAdefaultRule bool) (string, error) {
 	return pg.fromPodObj(types.Metadata{
 		Name: ds.Name,
 		Kind: ds.Kind,
 	}, ds.Spec.Template.Spec, OPAformat, OPAdefaultRule)
 }
 
-func (pg *Generator) fromDeployment(dep *appsv1.Deployment, OPAformat bool, OPAdefaultRule bool) (string, error) {
+func (pg *Generator) fromDeployment(dep *appsv1.Deployment, OPAformat string, OPAdefaultRule bool) (string, error) {
 	return pg.fromPodObj(types.Metadata{
 		Name: dep.Name,
 		Kind: dep.Kind,
 	}, dep.Spec.Template.Spec, OPAformat, OPAdefaultRule)
 }
 
-func (pg *Generator) fromReplicaSet(rs *appsv1.ReplicaSet, OPAformat bool, OPAdefaultRule bool) (string, error) {
+func (pg *Generator) fromReplicaSet(rs *appsv1.ReplicaSet, OPAformat string, OPAdefaultRule bool) (string, error) {
 	return pg.fromPodObj(types.Metadata{
 		Name: rs.Name,
 		Kind: rs.Kind,
 	}, rs.Spec.Template.Spec, OPAformat, OPAdefaultRule)
 }
 
-func (pg *Generator) fromStatefulSet(ss *appsv1.StatefulSet, OPAformat bool, OPAdefaultRule bool) (string, error) {
+func (pg *Generator) fromStatefulSet(ss *appsv1.StatefulSet, OPAformat string, OPAdefaultRule bool) (string, error) {
 	return pg.fromPodObj(types.Metadata{
 		Name: ss.Name,
 		Kind: ss.Kind,
 	}, ss.Spec.Template.Spec, OPAformat, OPAdefaultRule)
 }
 
-func (pg *Generator) fromReplicationController(rc *corev1.ReplicationController, OPAformat bool, OPAdefaultRule bool) (string, error) {
+func (pg *Generator) fromReplicationController(rc *corev1.ReplicationController, OPAformat string, OPAdefaultRule bool) (string, error) {
 	return pg.fromPodObj(types.Metadata{
 		Name: rc.Name,
 		Kind: rc.Kind,
 	}, rc.Spec.Template.Spec, OPAformat, OPAdefaultRule)
 }
 
-func (pg *Generator) fromCronJob(cj *batchv1beta1.CronJob, OPAformat bool, OPAdefaultRule bool) (string, error) {
+func (pg *Generator) fromCronJob(cj *batchv1beta1.CronJob, OPAformat string, OPAdefaultRule bool) (string, error) {
 	return pg.fromPodObj(types.Metadata{
 		Name: cj.Name,
 		Kind: cj.Kind,
 	}, cj.Spec.JobTemplate.Spec.Template.Spec, OPAformat, OPAdefaultRule)
 }
 
-func (pg *Generator) fromJob(job *batch.Job, OPAformat bool, OPAdefaultRule bool) (string, error) {
+func (pg *Generator) fromJob(job *batch.Job, OPAformat string, OPAdefaultRule bool) (string, error) {
 	return pg.fromPodObj(types.Metadata{
 		Name: job.Name,
 		Kind: job.Kind,
 	}, job.Spec.Template.Spec, OPAformat, OPAdefaultRule)
 }
 
-func (pg *Generator) fromPod(pod *corev1.Pod, OPAformat bool, OPAdefaultRule bool) (string, error) {
+func (pg *Generator) fromPod(pod *corev1.Pod, OPAformat string, OPAdefaultRule bool) (string, error) {
 	return pg.fromPodObj(types.Metadata{
 		Name: pod.Name,
 		Kind: pod.Kind,
 	}, pod.Spec, OPAformat, OPAdefaultRule)
 }
 
-func (pg *Generator) FromPodObjString(podObjString string, OPAformat bool, OPAdefaultRule bool) (string, error) {
+func (pg *Generator) FromPodObjString(podObjString string, OPAformat string, OPAdefaultRule bool) (string, error) {
 
 	podObjJson, err := yaml.YAMLToJSON([]byte(podObjString))
 	if err != nil {
diff --git a/kube-psp-advisor.go b/kube-psp-advisor.go
@@ -23,7 +23,7 @@ import (
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 )
 
-func inspect(kubeconfig string, namespace string, excludeNamespaces []string, withReport, withGrant bool, OPAformat bool, OPAdefaultRule bool) error {
+func inspect(kubeconfig string, namespace string, excludeNamespaces []string, withReport, withGrant bool, OPAformat string, OPAdefaultRule bool) error {
 	advisor, err := advisor.NewAdvisor(kubeconfig)
 
 	if err != nil {
@@ -45,12 +45,12 @@ func inspect(kubeconfig string, namespace string, excludeNamespaces []string, wi
 		return advisor.PrintPodSecurityPolicyWithGrants()
 	}
 
-	if !OPAformat {
+	if OPAformat == "psp" {
 		err = advisor.PrintPodSecurityPolicy()
 		if err != nil {
 			return fmt.Errorf("Could not print PSP: %v", err)
 		}
-	} else {
+	} else if OPAformat == "opa" {
 		opaRuleOutput := advisor.PrintOPAPolicy()
 		if opaRuleOutput == "" {
 			return fmt.Errorf("Could not print OPA rule: %v", err)
@@ -59,7 +59,7 @@ func inspect(kubeconfig string, namespace string, excludeNamespaces []string, wi
 	return nil
 }
 
-func convert(podObjFilename string, pspFilename string, OPAformat bool, OPAdefaultRule bool) error {
+func convert(podObjFilename string, pspFilename string, OPAformat string, OPAdefaultRule bool) error {
 	podObjFile, err := os.Open(podObjFilename)
 	if err != nil {
 		return fmt.Errorf("Could not open pod object file %s for reading: %v", podObjFilename, err)
@@ -140,7 +140,7 @@ func main() {
 	var excludeNamespaces []string
 	var podObjFilename string
 	var pspFilename string
-	var OPAformat bool
+	var OPAformat string
 	var OPAdefaultRule bool
 	var logLevel string
 	var srcYamlDir string
@@ -234,12 +234,12 @@ func main() {
 	inspectCmd.Flags().BoolVarP(&withGrant, "grant", "g", false, "(optional) return with pod security policies, roles and rolebindings")
 	inspectCmd.Flags().StringVarP(&namespace, "namespace", "n", "", "(optional) namespace")
 	inspectCmd.Flags().StringSliceVarP(&excludeNamespaces, "exclude-namespaces", "e", []string{}, "(optional) comma separated list of namespaces to exclude")
-	inspectCmd.Flags().BoolVarP(&OPAformat, "opa", "", false, "(optional) OPA option for output in OPA format")
+	inspectCmd.Flags().StringVarP(&OPAformat, "policy", "p", "", "set policy type. Default psp")
 	inspectCmd.Flags().BoolVarP(&OPAdefaultRule, "OPADefaultRule", "", false, "(optional) OPA Default Rule: use this option iF OPA Default Rule is Deny ALL")
 
 	convertCmd.Flags().StringVar(&podObjFilename, "podFile", "", "Path to a yaml file containing an object with a pod Spec")
 	convertCmd.Flags().StringVar(&pspFilename, "pspFile", "", "Write the resulting output to this file")
-	convertCmd.Flags().BoolVarP(&OPAformat, "opa", "", false, "(optional) OPA option for output in OPA format")
+	convertCmd.Flags().StringVarP(&OPAformat, "policy", "p", "psp", "set policy type. Default psp")
 	convertCmd.Flags().BoolVarP(&OPAdefaultRule, "deny-by-default", "", false, "(optional) OPA Default Rule: use this option if OPA Default Rule is Deny ALL")
 
 	compareCmd.Flags().StringVar(&srcYamlDir, "sourceDir", "", "Source YAML directory to load YAMLs")

Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ func NewAdvisor(kubeconfig string) (*Advisor, error) {`
`43`	`43`	`}, nil`
`44`	`44`	`}`
`45`	`45`
`46`		`-func (advisor *Advisor) Process(namespace string, excludeNamespaces []string, OPAformat bool, OPAdefaultRule bool) error {`
	`46`	`+func (advisor *Advisor) Process(namespace string, excludeNamespaces []string, OPAformat string, OPAdefaultRule bool) error {`
`47`	`47`	`advisor.processor.SetNamespace(namespace)`
`48`	`48`	`advisor.processor.SetExcludeNamespaces(excludeNamespaces)`
`49`	`49`
`@@ -53,9 +53,9 @@ func (advisor *Advisor) Process(namespace string, excludeNamespaces []string, OP`
`53`	`53`	`return err`
`54`	`54`	`}`
`55`	`55`
`56`		`- if OPAformat {`
	`56`	`+ if OPAformat == "opa" {`
`57`	`57`	`advisor.OPAModulePolicy = advisor.processor.GenerateOPA(cssList, pssList, OPAdefaultRule)`
`58`		`- } else {`
	`58`	`+ } else if OPAformat == "psp" {`
`59`	`59`	`advisor.podSecurityPolicy = advisor.processor.GeneratePSP(cssList, pssList)`
`60`	`60`	`}`
`61`	`61`