Merge pull request #86 from Shopify/refactor-labels

Make labels conform to standards
Shopify · Jan 17, 2018 · 6a22472 · 6a22472
2 parents 14f5e3a + 2f6b230
commit 6a22472
Show file tree

Hide file tree

Showing 18 changed files with 21 additions and 20 deletions.
diff --git a/cmd/allowPrivilegeEscalation.go b/cmd/allowPrivilegeEscalation.go
@@ -6,7 +6,7 @@ import (
 )
 
 func checkAllowPrivilegeEscalation(container Container, result *Result) {
-	if reason := result.Labels["kubeaudit.allow.privilegeEscalation"]; reason == "" {
+	if reason := result.Labels["audit.kubernetes.io/allow-privilege-escalation"]; reason == "" {
 		if container.SecurityContext == nil || container.SecurityContext.AllowPrivilegeEscalation == nil {
 			occ := Occurrence{
 				id:      ErrorAllowPrivilegeEscalationNIL,

diff --git a/cmd/automountServiceAccountToken.go b/cmd/automountServiceAccountToken.go
@@ -17,7 +17,7 @@ func checkAutomountServiceAccountToken(result *Result) {
 		return
 	}
 
-	if reason := result.Labels["kubeaudit.allow.automountServiceAccountToken"]; reason != "" {
+	if reason := result.Labels["audit.kubernetes.io/allow-automount-service-account-token"]; reason != "" {
 		if result.Token != nil && *result.Token {
 			occ := Occurrence{
 				id:       ErrorAutomountServiceAccountTokenTrueAllowed,

diff --git a/cmd/privileged.go b/cmd/privileged.go
@@ -14,7 +14,7 @@ func checkPrivileged(container Container, result *Result) {
 			message: "Privileged defaults to false, which results in non privileged, which is okay.",
 		}
 		result.Occurrences = append(result.Occurrences, occ)
-	} else if reason := result.Labels["kubeaudit.allow.privileged"]; reason != "" {
+	} else if reason := result.Labels["audit.kubernetes.io/allow-privileged"]; reason != "" {
 		if *container.SecurityContext.Privileged == true {
 			occ := Occurrence{
 				id:       ErrorPrivilegedTrueAllowed,

diff --git a/cmd/readOnlyRootFilesystem.go b/cmd/readOnlyRootFilesystem.go
@@ -7,7 +7,7 @@ import (
 )
 
 func checkReadOnlyRootFS(container Container, result *Result) {
-	if reason := result.Labels["kubeaudit.allow.readOnlyRootFilesystemFalse"]; reason != "" {
+	if reason := result.Labels["audit.kubernetes.io/allow-read-only-root-filesystem-false"]; reason != "" {
 		if container.SecurityContext == nil || container.SecurityContext.ReadOnlyRootFilesystem == nil || *container.SecurityContext.ReadOnlyRootFilesystem == false {
 			occ := Occurrence{
 				id:       ErrorReadOnlyRootFilesystemFalseAllowed,

diff --git a/cmd/result.go b/cmd/result.go
@@ -82,8 +82,9 @@ func shouldLog(err int) (members []string) {
 func (r *Result) allowedCaps() (allowed map[Capability]string) {
 	allowed = make(map[Capability]string)
 	for k, v := range r.Labels {
-		if strings.Contains(k, "kubeaudit.allow.capability.") {
-			allowed[Capability(strings.ToUpper(strings.TrimPrefix(k, "kubeaudit.allow.capability.")))] = v
+		if strings.Contains(k, "audit.kubernetes.io/allow-capability-") {
+			capName := strings.Replace(strings.ToUpper(strings.TrimPrefix(k, "audit.kubernetes.io/allow-capability-")), "-", "_", -1)
+			allowed[Capability(capName)] = v
 		}
 	}
 	return

diff --git a/cmd/runAsNonRoot.go b/cmd/runAsNonRoot.go
@@ -7,7 +7,7 @@ import (
 )
 
 func checkRunAsNonRoot(container Container, result *Result) {
-	if reason := result.Labels["kubeaudit.allow.runAsRoot"]; reason != "" {
+	if reason := result.Labels["audit.kubernetes.io/allow-run-as-root"]; reason != "" {
 		if container.SecurityContext == nil || container.SecurityContext.RunAsNonRoot == nil || *container.SecurityContext.RunAsNonRoot == false {
 			occ := Occurrence{
 				id:       ErrorRunAsNonRootFalseAllowed,

diff --git a/fixtures/allow_privilege_escalation_misconfigured_allow.yml b/fixtures/allow_privilege_escalation_misconfigured_allow.yml
@@ -9,7 +9,7 @@ spec:
     metadata:
       labels:
         apps: fakeAllowPrivilegeEscalation
-        kubeaudit.allow.privilegeEscalation: "Superuser privileges needed"
+        audit.kubernetes.io/allow-privilege-escalation: "Superuser privileges needed"
     spec:
       containers:
       - name: fakeContainerAPE

diff --git a/fixtures/allow_privilege_escalation_true_allowed.yml b/fixtures/allow_privilege_escalation_true_allowed.yml
@@ -9,7 +9,7 @@ spec:
     metadata:
       labels:
         apps: fakeAllowPrivilegeEscalation
-        kubeaudit.allow.privilegeEscalation: "Superuser privileges needed"
+        audit.kubernetes.io/allow-privilege-escalation: "Superuser privileges needed"
     spec:
       containers:
       - name: fakeContainerAPE

diff --git a/fixtures/capabilities_misconfigured_allow.yml b/fixtures/capabilities_misconfigured_allow.yml
@@ -9,7 +9,7 @@ spec:
     metadata:
       labels:
         apps: fakeSecurityContext
-        kubeaudit.allow.capability.sys_time: "Time is of the essence"
+        audit.kubernetes.io/allow-capability-sys-time: "Time is of the essence"
     spec:
       containers:
       - name: fakeContainerSC

diff --git a/fixtures/capabilities_some_allowed.yml b/fixtures/capabilities_some_allowed.yml
@@ -9,8 +9,8 @@ spec:
     metadata:
       labels:
         apps: fakeSecurityContext
-        kubeaudit.allow.capability.chown: "True"
-        kubeaudit.allow.capability.sys_time: "Time is of the essence"
+        audit.kubernetes.io/allow-capability-chown: "True"
+        audit.kubernetes.io/allow-capability-sys-time: "Time is of the essence"
     spec:
       containers:
       - name: fakeContainerSC

diff --git a/fixtures/privileged_misconfigured_allow.yml b/fixtures/privileged_misconfigured_allow.yml
@@ -9,7 +9,7 @@ spec:
     metadata:
       labels:
         apps: fakePrivileged
-        kubeaudit.allow.privileged: "Privileged execution required"
+        audit.kubernetes.io/allow-privileged: "Privileged execution required"
     spec:
       containers:
       - name: fakeContainerPrivileged

diff --git a/fixtures/privileged_true_allowed.yml b/fixtures/privileged_true_allowed.yml
@@ -9,7 +9,7 @@ spec:
     metadata:
       labels:
         apps: fakePrivileged
-        kubeaudit.allow.privileged: "Privileged execution required"
+        audit.kubernetes.io/allow-privileged: "Privileged execution required"
     spec:
       containers:
       - name: fakeContainerPrivileged

diff --git a/fixtures/read_only_root_filesystem_false_allowed.yml b/fixtures/read_only_root_filesystem_false_allowed.yml
@@ -9,7 +9,7 @@ spec:
     metadata:
       labels:
         apps: fakeReadOnlyRootFilesystem
-        kubeaudit.allow.readOnlyRootFilesystemFalse: "Write permissions needed"
+        audit.kubernetes.io/allow-read-only-root-filesystem-false: "Write permissions needed"
     spec:
       containers:
       - name: fakeContainerRORF

diff --git a/fixtures/read_only_root_filesystem_misconfigured_allow.yml b/fixtures/read_only_root_filesystem_misconfigured_allow.yml
@@ -9,7 +9,7 @@ spec:
     metadata:
       labels:
         apps: fakeReadOnlyRootFilesystem
-        kubeaudit.allow.readOnlyRootFilesystemFalse: "Write permissions needed"
+        audit.kubernetes.io/allow-read-only-root-filesystem-false: "Write permissions needed"
     spec:
       containers:
       - name: fakeContainerRORF

diff --git a/fixtures/run_as_non_root_false_allowed.yml b/fixtures/run_as_non_root_false_allowed.yml
@@ -9,7 +9,7 @@ spec:
     metadata:
       labels:
         apps: fakeSecurityContext
-        kubeaudit.allow.runAsRoot: "Superuser privileges needed"
+        audit.kubernetes.io/allow-run-as-root: "Superuser privileges needed"
     spec:
       containers:
       - name: fakeContainerRANR

diff --git a/fixtures/run_as_non_root_misconfigured_allow.yml b/fixtures/run_as_non_root_misconfigured_allow.yml
@@ -10,7 +10,7 @@ spec:
       creationTimestamp: null
       labels:
         apps: fakeSecurityContext
-        kubeaudit.allow.runAsRoot: "Superuser privileges needed"
+        audit.kubernetes.io/allow-run-as-root: "Superuser privileges needed"
     spec:
       containers:
       - name: fakeContainerRANR

diff --git a/fixtures/service_account_token_misconfigured_allow.yml b/fixtures/service_account_token_misconfigured_allow.yml
@@ -9,7 +9,7 @@ spec:
     metadata:
       labels:
         apps: fakeAutomountServiceAccountToken
-        kubeaudit.allow.automountServiceAccountToken: "True"
+        audit.kubernetes.io/allow-automount-service-account-token: "True"
     spec:
       automountServiceAccountToken: false
       containers:

diff --git a/fixtures/service_account_token_true_allowed.yml b/fixtures/service_account_token_true_allowed.yml
@@ -9,7 +9,7 @@ spec:
     metadata:
       labels:
         apps: fakeAutomountServiceAccountToken
-        kubeaudit.allow.automountServiceAccountToken: "True"
+        audit.kubernetes.io/allow-automount-service-account-token: "True"
     spec:
       automountServiceAccountToken: true
       containers: