From 9bde47f83f49fa127910ed7017c2b1eb54876ed0 Mon Sep 17 00:00:00 2001 From: chenk Date: Wed, 20 Dec 2023 09:16:51 +0200 Subject: [PATCH] fix: update kubelet checks via kubelet config resource (#87) * fix: kubelet checks via config resource Signed-off-by: chenk * fix: kubelet checks via config resource Signed-off-by: chenk * fix: kubelet checks via config resource Signed-off-by: chenk --------- Signed-off-by: chenk --- job.yaml | 1 + pkg/collector/collect.go | 66 +++++++++++++++++++++++++++++++++++++++- pkg/command/root.go | 1 + 3 files changed, 67 insertions(+), 1 deletion(-) diff --git a/job.yaml b/job.yaml index e067d07..49ac09c 100644 --- a/job.yaml +++ b/job.yaml @@ -14,6 +14,7 @@ spec: - name: node-collector image: ghcr.io/aquasecurity/node-collector:0.0.9 command: ["node-collector"] + args: ["k8s", "--node", "minikube"] volumeMounts: - name: var-lib-etcd mountPath: /var/lib/etcd diff --git a/pkg/collector/collect.go b/pkg/collector/collect.go index eb6ff97..02ab241 100644 --- a/pkg/collector/collect.go +++ b/pkg/collector/collect.go @@ -1,13 +1,29 @@ package collector import ( + "context" + "encoding/json" + "errors" "fmt" + "log" "os" "time" "github.com/spf13/cobra" ) +var configMapper = map[string]string{ + "kubeletAnonymousAuthArgumentSet": "authentication.anonymous.enabled", + "kubeletAuthorizationModeArgumentSet": "authorization.mode", + "kubeletClientCaFileArgumentSet": "authentication.x509.clientCAFile", + "kubeletReadOnlyPortArgumentSet": "readOnlyPort", + "kubeletStreamingConnectionIdleTimeoutArgumentSet": "streamingConnectionIdleTimeout", + "kubeletProtectKernelDefaultsArgumentSet": "kernelMemcgNotification", + "kubeletMakeIptablesUtilChainsArgumentSet": "makeIPTablesUtilChains", + "kubeletEventQpsArgumentSet": "eventRecordQPS", + "kubeletRotateKubeletServerCertificateArgumentSet": "featureGates.RotateKubeletServerCertificate", +} + type SpecVersion struct { Name string Version string 
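Review bot: The added `args` line hard-codes the node name as `minikube`, so the same manifest deployed on any other cluster asks configz for a node that does not exist and the collector exits with an error. Since the pod already runs on the node it audits, the Downward API can supply the name: inject `spec.nodeName` as an environment variable and reference it from the argument list, which keeps the manifest cluster-agnostic. The configz call also requires RBAC for `get` on `nodes/proxy`, which this manifest does not show — presumably granted elsewhere, worth confirming.
```yaml
        command: ["node-collector"]
        env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        args: ["k8s", "--node", "$(NODE_NAME)"]
        # … unchanged: volumeMounts …
```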
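Review bot: The entry `"kubeletProtectKernelDefaultsArgumentSet": "kernelMemcgNotification"` in `configMapper` points at the wrong KubeletConfiguration field: `--protect-kernel-defaults` is surfaced in configz as `protectKernelDefaults`, while `kernelMemcgNotification` is an unrelated memcg setting. As written, a node with kernel-default protection disabled is reported with whatever `kernelMemcgNotification` holds, so that CIS check silently evaluates the wrong control; change the line to `"kubeletProtectKernelDefaultsArgumentSet": "protectKernelDefaults",`. The map also deserves a doc comment, e.g. `// configMapper maps a check key to the dotted path of the equivalent field in the kubelet /configz response, which this collector treats as the authoritative (flag-merged) configuration.`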
@@ -22,10 +38,19 @@ var platfromSpec = map[string]SpecVersion{ // CollectData run spec audit command and output it result data func CollectData(cmd *cobra.Command, target string) error { + log.SetFlags(log.LstdFlags | log.Lmicroseconds) cluster, err := GetCluster() if err != nil { return err } + ctx, cancel := context.WithTimeout(cmd.Context(), time.Duration(10)*time.Minute) + defer cancel() + + defer func() { + if errors.Is(err, context.DeadlineExceeded) { + log.Println("Increase --timeout value") + } + }() p, err := cluster.Platfrom() if err != nil { return err @@ -61,6 +86,12 @@ func CollectData(cmd *cobra.Command, target string) error { values := StringToArray(output, ",") nodeInfo[ci.Key] = &Info{Values: values} } + nodeName := cmd.Flag("node").Value.String() + configVal, err := getValuesFromkubeletConfig(ctx, nodeName, *cluster) + if err != nil { + return err + } + mergeConfigValues(nodeInfo, configVal) nodeData := Node{ APIVersion: Version, Kind: Kind, @@ -69,7 +100,7 @@ func CollectData(cmd *cobra.Command, target string) error { Info: nodeInfo, } outputFormat := cmd.Flag("output").Value.String() - err := printOutput(nodeData, outputFormat, os.Stdout) + err = printOutput(nodeData, outputFormat, os.Stdout) if err != nil { return err } 
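Review bot: The deferred hint `log.Println("Increase --timeout value")` refers to a flag that does not exist: the deadline is hard-coded as `time.Duration(10)*time.Minute`, and `root.go` in this patch registers only `output`, `spec`, `version` and `node`. Either add a `--timeout` duration flag and read it here, or reword the message so an operator is not sent looking for a missing option, e.g. `log.Println("kubelet configz request exceeded the 10 minute deadline")`. `log.SetFlags` also changes the process-wide default logger from inside a collector function; if that is intentional it belongs in the command's init, otherwise it can be dropped. The enclosing `CollectData` continues past the end of this hunk.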
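Review bot: `nodeName` from `cmd.Flag("node")` is passed straight to `getValuesFromkubeletConfig` without a check, so an empty value produces a request for `/api/v1/nodes//proxy/configz` and a confusing API error instead of a clear message; add `if nodeName == "" { return fmt.Errorf("--node is required") }` before the call. Note that the new `return err` also turns a failed configz fetch (missing `get` on `nodes/proxy`, wrong node name) into a hard failure of the whole collection, whereas the surrounding code previously still emitted the process-argument checks; that is defensible for an audit tool but deserves a comment such as `// configz reflects the effective kubelet configuration; abort rather than report flag-only values.` `CollectData` continues beyond this hunk.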
@@ -80,3 +111,36 @@ func CollectData(cmd *cobra.Command, target string) error { func specByPlatfromVersion(platfrom string, version string) SpecVersion { return platfromSpec[fmt.Sprintf("%s-%s", platfrom, platfrom)] } + +func getValuesFromkubeletConfig(ctx context.Context, nodeName string, cluster Cluster) (map[string]*Info, error) { + overrideConfig := make(map[string]*Info) + data, err := cluster.clientSet.RESTClient().Get().AbsPath(fmt.Sprintf("/api/v1/nodes/%s/proxy/configz", nodeName)).DoRaw(ctx) + if err != nil { + return nil, err + } + nodeConfig := make(map[string]interface{}) + err = json.Unmarshal(data, &nodeConfig) + if err != nil { + return nil, err + } + values := nodeConfig["kubeletconfig"] + for k, v := range configMapper { + p := values + splittedValues := StringToArray(v, ".") + for _, sv := range splittedValues { + next := p.(map[string]interface{}) + if k, ok := next[sv.(string)]; ok { + p = k + } + } + overrideConfig[k] = &Info{Values: []interface{}{p}} + } + return overrideConfig, nil +} + +func mergeConfigValues(configValues map[string]*Info, overrideConfig map[string]*Info) map[string]*Info { + for k, v := range overrideConfig { + configValues[k] = v + } + return configValues +} diff --git a/pkg/command/root.go b/pkg/command/root.go index db3e4ea..982f1cf 100644 --- a/pkg/command/root.go +++ b/pkg/command/root.go @@ -11,6 +11,7 @@ func init() { rootCmd.PersistentFlags().StringP("output", "o", "json", "Output format. One of table|json") rootCmd.PersistentFlags().StringP("spec", "s", "cis", " spec name. default: cis") rootCmd.PersistentFlags().StringP("version", "v", "1.23", "spec version. default: 1.23") + rootCmd.PersistentFlags().StringP("node", "n", "minikube", "node name. default: minikube") } var rootCmd = &cobra.Command{
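Review bot: The path walk in `getValuesFromkubeletConfig` does not handle a missing key: when `next[sv.(string)]` is absent, `p` keeps pointing at the parent map, so the check is overridden with an entire sub-map (or the whole `kubeletconfig` object) instead of being left alone, and if the response lacks `kubeletconfig` or an intermediate value is not an object, the unchecked `p.(map[string]interface{})` assertion panics on data received from the kubelet. Track whether the full path resolved, use the comma-ok form of the assertion, and skip the override on a miss so the value collected from the process arguments stays in place (presumably the intended fallback). Building the request as `RESTClient().Get().Resource("nodes").Name(nodeName).SubResource("proxy").Suffix("configz")` would additionally avoid interpolating the node name into a URL path with `fmt.Sprintf`.
```go
	values, ok := nodeConfig["kubeletconfig"]
	if !ok {
		return nil, fmt.Errorf("configz for node %q has no kubeletconfig section", nodeName)
	}
	for k, v := range configMapper {
		// Walk the dotted path; give up on the first segment that is missing
		// or that sits under a non-object value.
		p, found := values, true
		for _, sv := range StringToArray(v, ".") {
			next, isMap := p.(map[string]interface{})
			if !isMap {
				found = false
				break
			}
			if p, found = next[sv.(string)]; !found {
				break
			}
		}
		if !found {
			continue // keep the value collected from the kubelet process arguments
		}
		overrideConfig[k] = &Info{Values: []interface{}{p}}
	}
	// … unchanged: return overrideConfig, nil …
```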
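Review bot: Defaulting `--node` to `minikube` means every invocation outside a minikube cluster silently targets a non-existent node unless the operator remembers the flag, and the help text repeats the default that cobra already prints. Prefer an empty default with the Downward API as the fallback so the in-cluster job needs no per-node editing: `rootCmd.PersistentFlags().StringP("node", "n", os.Getenv("NODE_NAME"), "name of the node to audit (defaults to $NODE_NAME)")`, with `os` added to this file's imports, and have the caller reject an empty value. The `init` function continues outside the hunk.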