modify test and create sample psp grant yaml

Signed-off-by: kaizhe <[email protected]>

Author: Kaizhe

advisor/types/pspgrant.go

@@ -2,6 +2,7 @@ package types
 
 import (
 	"fmt"
+	"strings"
 
 	"k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -75,20 +76,29 @@ func (s *SASecuritySpec) GenerateComment() string {
 	decision := "will be"
 
 	if s.IsDefaultServiceAccount() {
-		decision = "will not be"
+		decision = "will NOT be"
 	}
 
-	return fmt.Sprintf("# Pod security policies %s created for service account: %s in namespace %s for images: %s", decision, s.ServiceAccount, s.Namespace, s.GetImages())
+	commentsForWorkloads := []string{}
+	comment := fmt.Sprintf("# Pod security policies %s created for service account '%s' in namespace '%s' with following workdloads:\n", decision, s.ServiceAccount, s.Namespace)
+	for _, wlImg := range s.GetWorkloadImages() {
+		commentsForWorkloads = append(commentsForWorkloads, fmt.Sprintf("#\t%s", wlImg))
+	}
+
+	comment += strings.Join(commentsForWorkloads, "\n")
+	return comment
 }
 
-func (s *SASecuritySpec) GetImages() []string {
-	imageList := []string{}
+// GetWorkloadImages returns a list of workload images in the format of "kind, Name, Image Name"
+func (s *SASecuritySpec) GetWorkloadImages() []string {
+	workLoadImageList := []string{}
 
 	for _, css := range s.ContainerSecuritySpecList {
-		imageList = append(imageList, css.ImageName)
+		workLoadImage := fmt.Sprintf("Kind: %s, Name: %s, Image: %s", css.Metadata.Kind, css.Metadata.Name, css.ImageName)
+		workLoadImageList = append(workLoadImageList, workLoadImage)
 	}
 
-	return imageList
+	return workLoadImageList
 }
 
 func (s *SASecuritySpec) GenerateRole() *v1rbac.Role {

scripts/test

@@ -7,4 +7,4 @@ kubectl apply -f test-yaml/base-busybox.yaml
 
 sleep 5
 
-./kube-psp-advisor inpsect
+./kube-psp-advisor inspect 

test-yaml/base-busybox.yaml

@@ -4,6 +4,24 @@ metadata:
   name: psp-test
 ---
 apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: sa-1
+  namespace: psp-test
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: sa-2
+  namespace: psp-test
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: sa-3
+  namespace: psp-test
+---
+apiVersion: v1
 kind: Pod 
 metadata:
   name: busy-pod
@@ -27,6 +45,7 @@ spec:
   hostPID: false 
   hostIPC: false
   hostNetwork: true
+  serviceAccount: sa-1
   volumes:
   - name: test-volume
     hostPath:
@@ -43,6 +62,7 @@ metadata:
 spec:
   template:
     spec:
+      serviceAccount: sa-2
       restartPolicy: Never
       containers:
       - name: my-busybox
@@ -88,6 +108,7 @@ spec:
       labels:
         app: busy-deploy
     spec:
+      serviceAccount: sa-2
       containers:
       - name: my-busybox
         image: busybox 
@@ -179,6 +200,7 @@ spec:
       labels:
         app: busy-ds
     spec:
+      serviceAccount: sa-2
       containers:
       - name: my-busybox
         image: busybox 
@@ -245,6 +267,7 @@ spec:
       hostPID: true
       hostIPC: true
       hostNetwork: true
+      serviceAccount: sa-1
       volumes:
       - name: config-vol
         configMap:

test-yaml/psp-grant.yaml

@@ -0,0 +1,132 @@
+# Pod security policies will NOT be created for service account 'default' in namespace 'psp-test' with following workdloads:
+#	Kind: ReplicationController, Name: busy-rc, Image: busybox
+---
+# Pod security policies will be created for service account 'sa-1' in namespace 'psp-test' with following workdloads:
+#	Kind: ReplicaSet, Name: busy-rs, Image: busybox
+#	Kind: Pod, Name: busy-pod, Image: busybox
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  creationTimestamp: null
+  name: psp-for-psp-test-sa-1
+spec:
+  allowedCapabilities:
+  - SYS_ADMIN
+  allowedHostPaths:
+  - pathPrefix: /usr/bin
+    readOnly: true
+  fsGroup:
+    rule: RunAsAny
+  hostIPC: true
+  hostNetwork: true
+  hostPID: true
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+  - configMap
+  - secret
+  - hostPath
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  creationTimestamp: null
+  name: use-psp-by-psp-test:sa-1
+  namespace: psp-test
+rules:
+- apiGroups:
+  - policy
+  resourceNames:
+  - psp-for-psp-test-sa-1
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  creationTimestamp: null
+  name: use-psp-by-psp-test:sa-1-binding
+  namespace: psp-test
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: use-psp-by-psp-test:sa-1
+subjects:
+- kind: ServiceAccount
+  name: sa-1
+  namespace: psp-test
+---
+# Pod security policies will be created for service account 'sa-2' in namespace 'psp-test' with following workdloads:
+#	Kind: DaemonSet, Name: busy-ds, Image: busybox
+#	Kind: Deployment, Name: busy-deploy, Image: busybox
+#	Kind: Job, Name: busy-job, Image: busybox
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  creationTimestamp: null
+  name: psp-for-psp-test-sa-2
+spec:
+  allowedCapabilities:
+  - SYS_ADMIN
+  - NET_ADMIN
+  allowedHostPaths:
+  - pathPrefix: /bin
+    readOnly: true
+  - pathPrefix: /tmp
+    readOnly: true
+  - pathPrefix: /usr/bin
+    readOnly: true
+  fsGroup:
+    rule: RunAsAny
+  hostIPC: true
+  hostPID: true
+  runAsUser:
+    ranges:
+    - max: 10001
+      min: 10001
+    rule: MustRunAs
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+  - hostPath
+  - secret
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  creationTimestamp: null
+  name: use-psp-by-psp-test:sa-2
+  namespace: psp-test
+rules:
+- apiGroups:
+  - policy
+  resourceNames:
+  - psp-for-psp-test-sa-2
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  creationTimestamp: null
+  name: use-psp-by-psp-test:sa-2-binding
+  namespace: psp-test
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: use-psp-by-psp-test:sa-2
+subjects:
+- kind: ServiceAccount
+  name: sa-2
+  namespace: psp-test
+---