add custom configuration

2020-11-25 20:45:05 +08:00 · 2020-11-25 20:45:05 +08:00 · bb17b5aaa4
parent 38a8162442
commit bb17b5aaa4
9 changed files with 143 additions and 26 deletions
--- a/README.md
+++ b/README.md
@ -73,3 +73,44 @@ TIME                            NAME                                     NAMESPA
 ```

 ## Custom check
+
+* Add custom npd rule methods
+```
+1. Deploy npd, ./ke add npd --kubeconfig ***
+2. Ddit node-problem-detector-config configMap, such as: kubectl edit cm -n kube-system node-problem-detector-config
+3. Add exception log information under the rule of configMap, rules follow regular expressions.
+```
+* Add custom best practice configuration
+```
+1. Use the -f parameter and file name config.yaml.
+./ke audit -f /home/ubuntu/go/src/kubeye/examples/tmp/config.yaml --kubeconfig ***
+
+--kubeconfig string
+      Path to a kubeconfig. Only required if out-of-cluster.
+2. config.yaml example, follow the JSON syntax.
+ubuntu@node1:~/go/src/kubeye/examples/tmp$ cat config.yaml
+checks:
+  imageRegistry: warning
+
+customChecks:
+  imageRegistry:
+    successMessage: Image comes from allowed registries
+    failureMessage: Image should not be from disallowed registry
+    category: Images
+    target: Container
+    schema:
+      '$schema': http://json-schema.org/draft-07/schema
+      type: object
+      properties:
+        image:
+          type: string
+          not:
+            pattern: ^quay.io
+
+
+ubuntu@node1:~/go/src/kubeye/examples/tmp$./ke audit -f /home/ubuntu/go/src/kubeye/examples/tmp/config.yaml
+TIME                        NAME                      NAMESPACE     KIND         MESSAGE
+2020-11-25T20:41:59+08:00   nginx                     default       Deployment   [{map[imageRegistry:{imageRegistry Image should not be from disallowed registry false    warning  Images  }]}]
+2020-11-25T20:41:59+08:00   coredns                   kube-system   Deployment   [{map[cpuLimitsMissing:{cpuLimitsMissing CPU limits should be set false    warning  Resources}]}]
+
+```
--- a/checks/hostIPCSet.yaml
+++ b/checks/hostIPCSet.yaml
--- a/checks/runningAsPrivileged.yaml
+++ b/checks/runningAsPrivileged.yaml
--- a/cmd/audit.go
+++ b/cmd/audit.go
@ -1,24 +1,25 @@
 package cmd

 import (
-	"flag"
 	"fmt"
 	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
 	"kubeye/pkg/validator"
 )

+var config string
+
 func init() {
 	rootCmd.AddCommand(auditCmd)
-	flag.Parse()
-	pflag.CommandLine.AddGoFlagSet(flag.CommandLine)
+	//flag.Parse()
+	//pflag.CommandLine.AddGoFlagSet(flag.CommandLine)
+	auditCmd.Flags().StringVarP(&config, "filename", "f", "", "Customize best practice configuration")
 }

 var auditCmd = &cobra.Command{
 	Use:   "audit",
 	Short: "audit the result",
 	Run: func(cmd *cobra.Command, args []string) {
-		err := validator.Cluster(cmd.Context())
+		err := validator.Cluster(config, cmd.Context())
 		if err != nil {
 			fmt.Println(err)
 		}
--- a/examples/config.yaml
+++ b/examples/config.yaml
@ -3,28 +3,28 @@ checks:
  cpuLimitsMissing: warning
  #image
  tagNotSpecified: danger
-  imageRegistry: warning
+  #imageRegistry: warning
  #healthChecks
  livenessProbeMissing: warning
  #network
-  hostPortSet: warning
+  #hostPortSet: warning
  #security
-  runningAsPrivileged: warning
+  runAsPrivileged: warning

 customChecks:
-  imageRegistry:
-    successMessage: Image comes from allowed registries
-    failureMessage: Image should not be from disallowed registry
-    category: Images
-    target: Container
-    schema:
-      '$schema': http://json-schema.org/draft-07/schema
-      type: object
-      properties:
-        image:
-          type: string
-          not:
-            pattern: ^quay.io
+#  imageRegistry:
+#    successMessage: Image comes from allowed registries
+#    failureMessage: Image should not be from disallowed registry
+#    category: Images
+#    target: Container
+#    schema:
+#      '$schema': http://json-schema.org/draft-07/schema
+#      type: object
+#      properties:
+#        image:
+#          type: string
+#          not:
+#            pattern: ^quay.io



--- a/examples/tmp/config.yaml
+++ b/examples/tmp/config.yaml
@ -0,0 +1,40 @@
+checks:
+  #resource
+  #cpuLimitsMissing: warning
+  #image
+  # tagNotSpecified: danger
+  imageRegistry: warning
+  #healthChecks
+  #livenessProbeMissing: warning
+  #network
+  # hostPortSet: warning
+  #security
+  #  runningAsPrivileged: warning
+
+customChecks:
+  imageRegistry:
+    successMessage: Image comes from allowed registries
+    failureMessage: Image should not be from disallowed registry
+    category: Images
+    target: Container
+    schema:
+      '$schema': http://json-schema.org/draft-07/schema
+      type: object
+      properties:
+        image:
+          type: string
+          not:
+            pattern: ^quay.io
+
+
+
+
+
+
+
+
+
+
+
+
+
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@ -7,6 +7,7 @@ import (
 	packr "github.com/gobuffalo/packr/v2"
 	"io"
 	"k8s.io/apimachinery/pkg/util/yaml"
+	"path"
 )

 type Configuration struct {
@ -22,13 +23,24 @@ type Exemption struct {
 }

 var configBox = (*packr.Box)(nil)
+var configBox1 = (*packr.Box)(nil)

 func getConfigBox() *packr.Box {
 	if configBox == (*packr.Box)(nil) {
 		configBox = packr.New("Config", "../../examples")
+
 	}
 	return configBox
 }
+
+func getConfigBox1(fp string) *packr.Box {
+	var dir, _ = path.Split(fp)
+	if configBox1 == (*packr.Box)(nil) {
+		configBox1 = packr.New("CustomConfig", fmt.Sprintf("%s", dir))
+	}
+	return configBox1
+}
+
 func ParseFile() (Configuration, error) {
 	var rawBytes []byte
 	var err error
@ -39,6 +51,16 @@ func ParseFile() (Configuration, error) {
 	}
 	return Parse(rawBytes)
 }
+func ParseFile1(fp string) (Configuration, error) {
+	var rawBytes []byte
+	var err error
+
+	rawBytes, err = getConfigBox1(fp).Find("config.yaml")
+	if err != nil {
+		return Configuration{}, err
+	}
+	return Parse(rawBytes)
+}
 func Parse(rawBytes []byte) (Configuration, error) {
 	reader := bytes.NewReader(rawBytes)
 	conf := Configuration{}
--- a/pkg/validator/audit.go
+++ b/pkg/validator/audit.go
@ -8,12 +8,13 @@ import (
 	conf "kubeye/pkg/config"
 	"kubeye/pkg/kube"
 	"os"
+	"path/filepath"
 	"strings"
 	"text/tabwriter"
 	"time"
 )

-func Cluster(ctx context.Context) error {
+func Cluster(configuration string, ctx context.Context) error {
 	k, err := kube.CreateResourceProvider(ctx)
 	if err != nil {
 		return errors.Wrap(err, "Failed to get cluster information")
@ -35,8 +36,20 @@ func Cluster(ctx context.Context) error {
 	}

 	var config conf.Configuration
+	var goodPractice []PodResult
+	if len(configuration) != 0 {
+		fp, err := filepath.Abs(configuration)
+		if err != nil {
+			return errors.Wrap(err, "Failed to look up current directory")
+		}
+		config1, err := conf.ParseFile1(fp)
+		goodPractice1, err := ValidatePods(ctx, &config1, k)
+		goodPractice = append(goodPractice, goodPractice1...)
+
+	}
 	config, err = conf.ParseFile()
-	goodPractice, err := ValidatePods(ctx, &config, k)
+	goodPractice2, err := ValidatePods(ctx, &config, k)
+	goodPractice = append(goodPractice, goodPractice2...)
 	if err != nil {
 		errors.Wrap(err, "Failed to get goodPractice information")
 	}
--- a/pkg/validator/schema.go
+++ b/pkg/validator/schema.go
@ -29,12 +29,12 @@ var (
 		"cpuLimitsMissing",
 		//"cpuRequestsMissing",
 		//"readinessProbeMissing",
-		//"livenessProbeMissing",
+		"livenessProbeMissing",
 		//"pullPolicyNotAlways",
-		//"tagNotSpecified",
+		"tagNotSpecified",
 		//"hostPortSet",
 		//"runAsRootAllowed",
-		//"runAsPrivileged",
+		"runAsPrivileged",
 		//"notReadOnlyRootFilesystem",
 		//"privilegeEscalationAllowed",
 		//"dangerousCapabilities",