example_test.go
package kubeaudit_test
import (
"fmt"
"os"
"strings"
"github.com/Shopify/kubeaudit"
"github.com/Shopify/kubeaudit/auditors/all"
"github.com/Shopify/kubeaudit/auditors/apparmor"
"github.com/Shopify/kubeaudit/auditors/image"
"github.com/Shopify/kubeaudit/config"
"github.com/Shopify/kubeaudit/internal/k8s"
"github.com/sirupsen/logrus"
log "github.com/sirupsen/logrus"
)
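// Example shows how to audit and fix a Kubernetes manifest file.
func Example() {
	// A sample Kubernetes manifest file. YAML nesting is significant: without
	// the indentation below, "name", "template" and "containers" would become
	// top-level keys and "spec" would be duplicated, so the document would no
	// longer describe a Deployment with one container.
	manifest := `
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myAuditor
spec:
  template:
    spec:
      containers:
      - name: myContainer
`

	// Initialize all the security auditors using default configuration.
	allAuditors, err := all.Auditors(config.KubeauditConfig{})
	if err != nil {
		log.Fatal(err)
	}

	// Initialize kubeaudit.
	auditor, err := kubeaudit.New(allAuditors)
	if err != nil {
		log.Fatal(err)
	}

	// Run the audit in manifest mode: the input is the in-memory manifest
	// above, read through an io.Reader.
	report, err := auditor.AuditManifest(strings.NewReader(manifest))
	if err != nil {
		log.Fatal(err)
	}

	// Print the audit results to screen.
	report.PrintResults()

	// Print the plan to screen. These are the steps that will be taken by
	// calling "report.Fix()". Reviewing the plan first shows which changes
	// the fix would make before any fixed manifest is produced.
	fmt.Println("\nPlan:")
	report.PrintPlan(os.Stdout)

	// Print the fixed manifest to screen. Note that this leaves the original
	// manifest unmodified.
	fmt.Println("\nFixed manifest:")
	if err := report.Fix(os.Stdout); err != nil {
		log.Fatal(err)
	}
}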
// Example_auditLocal shows how to run kubeaudit in local mode.
func Example_auditLocal() {
	// Build every security auditor from an empty (default) configuration.
	auditors, initErr := all.Auditors(config.KubeauditConfig{})
	if initErr != nil {
		log.WithError(initErr).Fatal("Error initializing all auditors")
	}

	// Wrap the auditors in a kubeaudit instance.
	ka, newErr := kubeaudit.New(auditors)
	if newErr != nil {
		log.Fatal(newErr)
	}

	// Run the audit in local mode with an empty config path and default
	// client options.
	// NOTE(review): the empty path presumably selects the default kubeconfig
	// location, and the audit then reads the cluster with that context's
	// credentials; confirm against AuditLocal's documentation.
	results, auditErr := ka.AuditLocal("", k8s.ClientOptions{})
	if auditErr != nil {
		log.Fatal(auditErr)
	}

	// Print the audit results to screen.
	results.PrintResults()
}
// Example_auditCluster shows how to run kubeaudit in cluster mode. This only
// works if kubeaudit is being run from a container inside of a cluster.
func Example_auditCluster() {
	// Build every security auditor from an empty (default) configuration.
	auditors, initErr := all.Auditors(config.KubeauditConfig{})
	if initErr != nil {
		log.Fatal(initErr)
	}

	// Wrap the auditors in a kubeaudit instance.
	ka, newErr := kubeaudit.New(auditors)
	if newErr != nil {
		log.Fatal(newErr)
	}

	// Cluster mode fails when kubeaudit is not running within a cluster.
	// NOTE(review): presumably the audit uses the pod's in-cluster
	// credentials, so its coverage depends on what that identity may read;
	// confirm against AuditCluster's documentation.
	results, auditErr := ka.AuditCluster(k8s.ClientOptions{})
	if auditErr != nil {
		log.Fatal(auditErr)
	}

	// Print the audit results to screen.
	results.PrintResults()
}
// Example_auditorSubset shows how to run kubeaudit with a subset of auditors.
func Example_auditorSubset() {
	// Only the auditors listed here run; checks from auditors that are not
	// listed are not performed, so an empty result does not mean the manifest
	// passes the full set of checks.
	selected := []kubeaudit.Auditable{
		apparmor.New(),
		image.New(image.Config{Image: "myimage:mytag"}),
	}

	ka, newErr := kubeaudit.New(selected)
	if newErr != nil {
		log.Fatal(newErr)
	}

	// Run the audit in the mode of your choosing. Here we use manifest mode.
	// NOTE(review): manifest is not declared in this function; presumably it
	// is a package-level value in the test package. Confirm.
	input := strings.NewReader(manifest)
	results, auditErr := ka.AuditManifest(input)
	if auditErr != nil {
		log.Fatal(auditErr)
	}

	// Print the audit results to screen.
	results.PrintResults()
}
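// Example_config shows how to use kubeaudit with a config file.
// A kubeaudit config can be used to specify which security auditors to run,
// and to specify configuration for those auditors. Because the file decides
// which checks run at all, load it from a location you trust.
func Example_config() {
	configFile := "config/config.yaml"

	// Open the configuration file.
	reader, err := os.Open(configFile)
	if err != nil {
		log.WithError(err).Fatal("Unable to open config file ", configFile)
	}
	// Release the file handle when the example returns. The log.Fatal calls
	// below exit the process without running deferred calls; in that case the
	// operating system reclaims the handle.
	defer reader.Close()

	// Load the config.
	conf, err := config.New(reader)
	if err != nil {
		log.WithError(err).Fatal("Error parsing config file ", configFile)
	}

	// Initialize security auditors using the configuration.
	auditors, err := all.Auditors(conf)
	if err != nil {
		log.Fatal(err)
	}

	// Initialize kubeaudit.
	auditor, err := kubeaudit.New(auditors)
	if err != nil {
		log.Fatal(err)
	}

	// Run the audit in the mode of your choosing. Here we use manifest mode.
	// NOTE(review): manifest is not declared in this function; presumably it
	// is a package-level value in the test package. Confirm.
	report, err := auditor.AuditManifest(strings.NewReader(manifest))
	if err != nil {
		log.Fatal(err)
	}

	// Print the audit results to screen.
	report.PrintResults()
}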
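// Example_printOptions shows how to use different print options for printing
// audit results.
func Example_printOptions() {
	auditor, err := kubeaudit.New([]kubeaudit.Auditable{apparmor.New()})
	if err != nil {
		log.Fatal(err)
	}

	report, err := auditor.AuditLocal("", k8s.ClientOptions{})
	if err != nil {
		log.Fatal(err)
	}

	// Print the audit results to a file. The results describe security
	// findings, so a newly created file is made readable and writable by its
	// owner only (os.Create would request mode 0666 before the umask). The
	// mode is not applied if the file already exists.
	const outputPath = "output.txt"
	f, err := os.OpenFile(outputPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
	if err != nil {
		log.Fatal(err)
	}
	// Close the file before removing it. Two separate defers would run in
	// last-in-first-out order and remove the file while it is still open,
	// which fails on platforms that do not allow deleting open files.
	defer func() {
		if err := f.Close(); err != nil {
			log.WithError(err).Warn("Unable to close ", outputPath)
		}
		if err := os.Remove(outputPath); err != nil {
			log.WithError(err).Warn("Unable to remove ", outputPath)
		}
	}()
	report.PrintResults(kubeaudit.WithWriter(f))

	// Only print audit results with severity of Error (ignore info and warning).
	report.PrintResults(kubeaudit.WithMinSeverity(kubeaudit.Error))

	// Print results as JSON.
	report.PrintResults(kubeaudit.WithFormatter(&logrus.JSONFormatter{}))
}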