introduced opa policy generation

Author: darryk10

README.MD

@@ -1,8 +1,8 @@
 # Kube PodSecurityPolicy Advisor
 
-kube-psp-advisor is a tool that makes it easier to create K8s Pod Security Policies (PSPs) from either a live K8s environment or from a single .yaml file containing a pod specification (Deployment, DaemonSet, Pod, etc).
+kube-psp-advisor is a tool that makes it easier to create K8s Pod Security Policies (PSPs) or OPA Policy from either a live K8s environment or from a single .yaml file containing a pod specification (Deployment, DaemonSet, Pod, etc).
 
-It has 2 subcommands, `kube-psp-advisor inspect` and `kube-psp-advisor convert`. `inspect` connects to a K8s API server, scans the security context of workloads in a given namespace or the entire cluster, and generates a PSP based on the security context. `convert` works without connecting to an API Server, reading a single .yaml file containing a object with a pod spec and generating a PSP based on the file.
+It has 2 subcommands, `kube-psp-advisor inspect` and `kube-psp-advisor convert`. `inspect` connects to a K8s API server, scans the security context of workloads in a given namespace or the entire cluster, and generates a PSP or an OPA Policy based on the security context. `convert` works without connecting to an API Server, reading a single .yaml file containing a object with a pod spec and generating a PSP or OPA Policy based on the file.
 
 ## Installation as a Krew Plugin
 
@@ -20,15 +20,20 @@ The plugin will be available as `kubectl advise-psp`.
    - 2.1 ```./kube-psp-advisor inspect --report``` to print the details reports (why this PSP is recommended for the cluster)
    - 2.2 ```./kube-psp-advisor inspect --grant``` to print PSPs, roles and rolebindings for service accounts (refer to [psp-grant.yaml](./test-yaml/psp-grant.yaml))
    - 2.3 ```./kube-psp-advisor inspect --namespace=<ns>``` to print report or PSP(s) within a given namespace (default to all) 
+   - 2.4 ```./kube-psp-advisor inspect --opa``` to generate OPA Policy based on running cluster configuration
+   - 2.5 ```./kube-psp-advisor inspect --opa --deny-by-default``` to generate an OPA Policy, where OPA Default Rule is Deny ALL
 4. ```./kube-psp-advisor convert --podFile <path> --pspFile <path>``` to generate a PSP from a single .yaml file.
-
+   - 4.1 ```./kube-psp-advisor convert --podFile <path> --pspFile <path> --opa``` to generate an OPA Policy from a single .yaml file.
+   - 4.2 ```./kube-psp-advisor convert --podFile <path> --pspFile <path> --opa --deny-by-default``` to generate an OPA Policy from a single .yaml file, where OPA Default Rule is Deny ALL.
+    
 ## Build and Run as Container
 1. ```docker build -t <Image Name> -f container/Dockerfile .```
 2. ```docker run -v ~/.kube:/root/.kube -v ~/.aws:/root/.aws <Image Name>``` (the `.aws` folder mount is optional and totally depends on your clould provider)
 
 ## Use Cases
 1. Help verify the deployment, daemonset settings in cluster and plan to reduce unnecessary privileges/resources
 2. Apply Pod Security Policy to the target cluster
+3. Apply OPA Policy to the target cluster
 3. flag `--namespace=<namespace>` is introduced to debug and narrow down the security context per namespace
 
 ## Attributes Aggregated for Pod Security Policy

generator/generator.go

@@ -380,14 +380,14 @@ func (pg *Generator) GenerateOPA(cssList []types.ContainerSecuritySpec,
 	pssList []types.PodSecuritySpec,
 	namespace, serverGitVersion string, OPAdefaultRule bool) *ast.Module {
 
-	return pg.GenerateOPAPodWithName(cssList, pssList, namespace, serverGitVersion, "", OPAdefaultRule)
+	return pg.GenerateOPAWithName(cssList, pssList, namespace, serverGitVersion, "", OPAdefaultRule)
 }
 
 func (pg *Generator) GenerateOPAPod(cssList []types.ContainerSecuritySpec,
 	pssList []types.PodSecuritySpec,
 	namespace, serverGitVersion string, OPAdefaultRule bool) *ast.Module {
 
-	return pg.GenerateOPAPodWithName(cssList, pssList, namespace, serverGitVersion, "", OPAdefaultRule)
+	return pg.GenerateOPAWithName(cssList, pssList, namespace, serverGitVersion, "", OPAdefaultRule)
 }
 
 // GeneratePSP generate Pod Security Policy
@@ -626,7 +626,8 @@ func (pg *Generator) GeneratePSPWithName(
 	return psp
 }
 
-func (pg *Generator) GenerateOPAPodWithName(
+// GenerateOPA generate OPA Policy
+func (pg *Generator) GenerateOPAWithName(
 	cssList []types.ContainerSecuritySpec,
 	pssList []types.PodSecuritySpec,
 	namespace, serverGitVersion, pspName string, OPAdefaultRule bool) *ast.Module {
@@ -685,7 +686,7 @@ func (pg *Generator) GenerateOPAPodWithName(
 		ns = "all"
 	}
 	rule.Body.Append(ast.MustParseExpr("workload := input.request.object"))
-	rule.Body.Append(ast.NewExpr(ast.VarTerm("valueWorkLoadSecContext(workload)")))
+	rule.Body.Append(ast.NewExpr(ast.VarTerm(checkOPADefault(OPAdefaultRule) + "valueWorkLoadSecContext(workload)")))
 	valueWorkLoadSecContext := addOPARule("valueWorkLoadSecContext", "workload")
 
 	for _, wsc := range pssList {
@@ -709,10 +710,12 @@ func (pg *Generator) GenerateOPAPodWithName(
 			}
 		}
 
+		// Sysctls is set
 		for _, s := range wsc.Sysctls {
 			sysctls = append(sysctls, "\""+s+"\"")
 		}
 
+		// Check if workload or pod
 		if wsc.Metadata.Kind == "Deployment" || wsc.Metadata.Kind == "Job" || wsc.Metadata.Kind == "ReplicaSet" || wsc.Metadata.Kind == "DaemonSet" || wsc.Metadata.Kind == "ReplicationController" {
 			basepath = "input.request.object.spec.template.spec"
 		} else {
@@ -723,6 +726,7 @@ func (pg *Generator) GenerateOPAPodWithName(
 
 	valueWorkLoadSecContext.Body.Append(ast.MustParseExpr("container := " + basepath + ".containers[_]"))
 
+	// Add rule hostPaths
 	if len(hostPaths) > 0 {
 		valueWorkLoadSecContext.Body.Append(ast.MustParseExpr("volumeHostPaths(workload)"))
 		valueHostPathRule := addOPARule("volumeHostPaths", "workload")
@@ -744,6 +748,7 @@ func (pg *Generator) GenerateOPAPodWithName(
 		mod.Rules = append(mod.Rules, valueHostPathRule)
 	}
 
+	// Add rule sysctls
 	if len(sysctls) > 0 {
 		valueWorkLoadSecContext.Body.Append(ast.MustParseExpr("valueSysctls(workload)"))
 		valueSysctlsRule := addOPARule("valueSysctls", "sysctls")
@@ -755,12 +760,17 @@ func (pg *Generator) GenerateOPAPodWithName(
 		mod.Rules = append(mod.Rules, valueSysctlsRule)
 	}
 
+	// Add rule hostPid
 	if hostPid {
 		valueWorkLoadSecContext.Body.Append(ast.MustParseExpr(basepath + ".hostPID"))
 	}
+
+	// Add rule HostIPC
 	if HostIPC {
 		valueWorkLoadSecContext.Body.Append(ast.MustParseExpr(basepath + ".hostIPC"))
 	}
+
+	// Add rule HostNet
 	if HostNet {
 		valueWorkLoadSecContext.Body.Append(ast.MustParseExpr(basepath + ".hostNetwork"))
 	}
@@ -795,6 +805,7 @@ func (pg *Generator) GenerateOPAPodWithName(
 			runAsGroupCount++
 		}
 
+		// port is set
 		for _, port := range sc.HostPorts {
 			hostPorts = append(hostPorts, fmt.Sprint(port))
 		}
@@ -814,6 +825,7 @@ func (pg *Generator) GenerateOPAPodWithName(
 
 	valueSecContextRule := addOPARule("valueSecContext", "container")
 
+	// Add rule addedCap
 	if len(addedCap) > 0 {
 		valueSecContextRule.Body.Append(ast.NewExpr(ast.VarTerm("valueAddedCap(container)")))
 		valueAddedCapRule := addOPARule("valueAddedCap", "addedCap")
@@ -823,6 +835,7 @@ func (pg *Generator) GenerateOPAPodWithName(
 		mod.Rules = append(mod.Rules, valueAddedCapRule)
 	}
 
+	// Add rule droppedCap
 	if len(droppedCap) > 0 {
 		valueSecContextRule.Body.Append(ast.NewExpr(ast.VarTerm("valueDroppedCap(container)")))
 		valueDroppedCapRule := addOPARule("valueDroppedCap", "droppedCap")
@@ -832,6 +845,7 @@ func (pg *Generator) GenerateOPAPodWithName(
 		mod.Rules = append(mod.Rules, valueDroppedCapRule)
 	}
 
+	// Add rule runAsUser
 	if len(runAsUser) > 0 {
 		valueSecContextRule.Body.Append(ast.NewExpr(ast.VarTerm("valueRunAsUserID(container)")))
 		valueHostRunAsUserRule := addOPARule("valueRunAsUserID", "uid")
@@ -843,7 +857,7 @@ func (pg *Generator) GenerateOPAPodWithName(
 		mod.Rules = append(mod.Rules, valueHostRunAsUserRule)
 	}
 
-	// runAsGroup is set
+	// Add rule runAsGroup
 	if len(runAsGroup) > 0 {
 		valueSecContextRule.Body.Append(ast.NewExpr(ast.VarTerm("valueRunAsGroupID(container)")))
 		valueHostRunAsGroupRule := addOPARule("valueRunAsGroupID", "gid")
@@ -855,6 +869,7 @@ func (pg *Generator) GenerateOPAPodWithName(
 		mod.Rules = append(mod.Rules, valueHostRunAsGroupRule)
 	}
 
+	// Add rule hostPorts
 	if len(hostPorts) > 0 {
 		valueSecContextRule.Body.Append(ast.NewExpr(ast.VarTerm("valueHostPort(container)")))
 		valueHostPortRule := addOPARule("valueHostPort", "container")
@@ -866,33 +881,37 @@ func (pg *Generator) GenerateOPAPodWithName(
 		mod.Rules = append(mod.Rules, valueHostPortRule)
 	}
 
-	// set allowed host path
-
+	// Add rule Privileged
 	if Privileged {
 		valueSecContextRule.Body.Append(ast.MustParseExpr("container.securityContext.privileged"))
 	}
 
+	// Add rule ReadOnlyRootFS
 	if ReadOnlyRootFS == len(cssList) {
 		valueSecContextRule.Body.Append(ast.MustParseExpr("container.securityContext.readOnlyRootFilesystem"))
 	}
 
+	// Add rule RunAsNonRoot
 	if RunAsNonRoot == len(cssList) {
 		valueSecContextRule.Body.Append(ast.MustParseExpr("container.securityContext.runAsNonRoot"))
 	}
 
+	// Add rule AllowPrivilegeEscalation
 	if AllowPrivilegeEscalation == len(cssList) {
 		valueSecContextRule.Body.Append(ast.MustParseExpr("container.securityContext.allowPrivilegeEscalation == false"))
 	}
+
 	mod.Rules = append(mod.Rules, valueSecContextRule)
 
-	rule.Body.Append(ast.MustParseExpr("message := sprintf(\"Container runs in privileged mode.\", [workload.metadata.name])"))
+	rule.Body.Append(ast.MustParseExpr("message := sprintf(\"Workflow or pod compliant with the policy.\", [workload.metadata.name])"))
 	mod.Package = pack
 	mod.Rules = append(mod.Rules, &rule)
 
 	return &mod
 
 }
 
+// deny-by-default option check
 func checkOPADefault(OPAdefaultRule bool) string {
 	if !OPAdefaultRule {
 		return "not "

kube-psp-advisor.go

@@ -240,7 +240,7 @@ func main() {
 	convertCmd.Flags().StringVar(&podObjFilename, "podFile", "", "Path to a yaml file containing an object with a pod Spec")
 	convertCmd.Flags().StringVar(&pspFilename, "pspFile", "", "Write the resulting output to this file")
 	convertCmd.Flags().BoolVarP(&OPAformat, "opa", "", false, "(optional) OPA option for output in OPA format")
-	convertCmd.Flags().BoolVarP(&OPAdefaultRule, "OPADefaultRule", "", false, "(optional) OPA Default Rule: use this option iF OPA Default Rule is Deny ALL")
+	convertCmd.Flags().BoolVarP(&OPAdefaultRule, "deny-by-default", "", false, "(optional) OPA Default Rule: use this option if OPA Default Rule is Deny ALL")
 
 	compareCmd.Flags().StringVar(&srcYamlDir, "sourceDir", "", "Source YAML directory to load YAMLs")
 	compareCmd.Flags().StringVar(&targetYamlDir, "targetDir", "", "Target YAML directory to load YAMLs")

kube-psp-advisor_test.go

@@ -12,11 +12,12 @@ var (
 	expectedYamls = []string{
 		"test-yaml/base-busybox.yaml",
 		"test-yaml/psp-grant.yaml",
-		"test-yaml/test-opa.yaml",
 		"test-yaml/srcYamls/busy-box.yaml",
 		"test-yaml/srcYamls/nginx.yaml",
 		"test-yaml/targetYamls/busy-box.yaml",
 		"test-yaml/targetYamls/nginx.yaml",
+		"test-yaml/targetYamls/web-deployment.yaml",
+		"test-yaml/test-opa.yaml",
 	}
 )
 
@@ -33,16 +34,3 @@ func TestReadYamls(t *testing.T) {
 		t.Fatalf("expected: %s\nactual: %s\n", expectedYamls, yamls)
 	}
 }
-
-func TestReadOPAYAmls(t *testing.T) {
-	testYaml := "test-yaml/test-opa.yaml"
-	yamls, err := getWorkLoadYamls(testYaml)
-
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if len(yamls) != 1 && yamls[0] != "test-yaml/base-busybox.yaml" {
-		t.Fatalf("expected: %s\nactual: %s\n", testYaml, yamls[0])
-	}
-}