Upgrade to opa v1.0.0
romulets committed Dec 23, 2024
1 parent 9d09f6c commit b94ab14
Showing 41 changed files with 57 additions and 63 deletions.
File renamed without changes.
2 changes: 1 addition & 1 deletion bin/opa
8 changes: 3 additions & 5 deletions go.mod
Expand Up @@ -68,7 +68,7 @@ require (
github.com/mikefarah/yq/v4 v4.44.6
github.com/mitchellh/gox v1.0.1
github.com/mitchellh/mapstructure v1.5.0
github.com/open-policy-agent/opa v0.70.0
github.com/open-policy-agent/opa v1.0.0
github.com/pierrre/gotestcover v0.0.0-20160517101806-924dca7d15f0
github.com/samber/lo v1.47.0
github.com/spf13/viper v1.19.0
Expand Down Expand Up @@ -187,8 +187,6 @@ require (
go.opentelemetry.io/collector/pdata v1.15.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.56.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 // indirect
golang.org/x/exp v0.0.0-20241215155358-4a5509556b9e // indirect
golang.org/x/tools v0.28.0 // indirect
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
Expand Down Expand Up @@ -521,7 +519,7 @@ require (
go.uber.org/multierr v1.11.0 // indirect
golang.org/x/crypto v0.31.0 // indirect
golang.org/x/mod v0.22.0 // indirect
golang.org/x/net v0.32.0 // indirect
golang.org/x/net v0.33.0 // indirect
golang.org/x/sync v0.10.0 // indirect
golang.org/x/sys v0.28.0 // indirect
golang.org/x/term v0.27.0 // indirect
Expand All @@ -531,7 +529,7 @@ require (
google.golang.org/genproto v0.0.0-20241209162323-e6fa225c2576 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect
google.golang.org/grpc v1.69.0
google.golang.org/grpc v1.69.2
google.golang.org/protobuf v1.35.2
gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
12 changes: 6 additions & 6 deletions go.sum
Expand Up @@ -1384,8 +1384,8 @@ github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAl
github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=
github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
github.com/open-policy-agent/opa v0.70.0 h1:B3cqCN2iQAyKxK6+GI+N40uqkin+wzIrM7YA60t9x1U=
github.com/open-policy-agent/opa v0.70.0/go.mod h1:Y/nm5NY0BX0BqjBriKUiV81sCl8XOjjvqQG7dXrggtI=
github.com/open-policy-agent/opa v1.0.0 h1:fZsEwxg1knpPvUn0YDJuJZBcbVg4G3zKpWa3+CnYK+I=
github.com/open-policy-agent/opa v1.0.0/go.mod h1:+JyoH12I0+zqyC1iX7a2tmoQlipwAEGvOhVJMhmy+rM=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
Expand Down Expand Up @@ -1905,8 +1905,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190130055435-99b60b757ec1/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
Expand Down Expand Up @@ -2359,8 +2359,8 @@ google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACu
google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
google.golang.org/grpc v1.50.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
google.golang.org/grpc v1.69.0 h1:quSiOM1GJPmPH5XtU+BCoVXcDVJJAzNcoyfC2cCjGkI=
google.golang.org/grpc v1.69.0/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4=
google.golang.org/grpc v1.69.2 h1:U3S9QEtbXC0bYNvRtcoklF3xGtLViumSYxWykJS+7AU=
google.golang.org/grpc v1.69.2/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4=
google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
4 changes: 2 additions & 2 deletions internal/evaluator/debug_logger/factory.go
Expand Up @@ -20,8 +20,8 @@ package dlogger
import (
"sync"

"github.com/open-policy-agent/opa/plugins"
"github.com/open-policy-agent/opa/util"
"github.com/open-policy-agent/opa/v1/plugins"
"github.com/open-policy-agent/opa/v1/util"
)

type Factory struct{}
4 changes: 2 additions & 2 deletions internal/evaluator/debug_logger/factory_test.go
Expand Up @@ -20,8 +20,8 @@ package dlogger
import (
"testing"

"github.com/open-policy-agent/opa/plugins"
"github.com/open-policy-agent/opa/storage/inmem"
"github.com/open-policy-agent/opa/v1/plugins"
"github.com/open-policy-agent/opa/v1/storage/inmem"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
9 changes: 4 additions & 5 deletions internal/evaluator/debug_logger/plugin.go
Expand Up @@ -22,15 +22,14 @@ import (
"encoding/json"
"sync"

"github.com/open-policy-agent/opa/plugins"
"github.com/open-policy-agent/opa/plugins/logs"
"github.com/open-policy-agent/opa/util"
"github.com/open-policy-agent/opa/v1/plugins"
"github.com/open-policy-agent/opa/v1/plugins/logs"
"github.com/open-policy-agent/opa/v1/util"
)

const PluginName = "debug_decision_logs"

type config struct {
}
type config struct{}

type plugin struct {
manager *plugins.Manager
2 changes: 1 addition & 1 deletion internal/evaluator/logger.go
Expand Up @@ -19,7 +19,7 @@ package evaluator

import (
"github.com/elastic/elastic-agent-libs/logp"
"github.com/open-policy-agent/opa/logging"
"github.com/open-policy-agent/opa/v1/logging"
"go.uber.org/zap"
"go.uber.org/zap/zapcore"
)
2 changes: 1 addition & 1 deletion internal/evaluator/logger_test.go
Expand Up @@ -21,7 +21,7 @@ import (
"testing"

"github.com/elastic/elastic-agent-libs/logp"
"github.com/open-policy-agent/opa/logging"
"github.com/open-policy-agent/opa/v1/logging"
"github.com/stretchr/testify/suite"
"go.uber.org/zap"
"go.uber.org/zap/zapcore"
6 changes: 2 additions & 4 deletions internal/evaluator/opa.go
Expand Up @@ -25,8 +25,8 @@ import (

"github.com/elastic/elastic-agent-libs/logp"
"github.com/mitchellh/mapstructure"
"github.com/open-policy-agent/opa/plugins"
"github.com/open-policy-agent/opa/sdk"
"github.com/open-policy-agent/opa/v1/plugins"
"github.com/open-policy-agent/opa/v1/sdk"

"github.com/elastic/cloudbeat/internal/config"
dlogger "github.com/elastic/cloudbeat/internal/evaluator/debug_logger"
Expand Down Expand Up @@ -84,7 +84,6 @@ func NewOpaEvaluator(ctx context.Context, log *logp.Logger, cfg *config.Config)
dlogger.PluginName: &dlogger.Factory{},
},
})

if err != nil {
return nil, fmt.Errorf("fail to init opa: %s", err.Error())
}
Expand Down Expand Up @@ -123,7 +122,6 @@ func (o *OpaEvaluator) Eval(ctx context.Context, resourceInfo fetching.ResourceI
Result: fetcherResult,
Benchmark: o.benchmark,
})

if err != nil {
return EventData{}, fmt.Errorf("error running the policy: %v", err)
}
Expand Up @@ -2,4 +2,4 @@ package compliance.cis_k8s.rules.cis_1_2_10

import data.compliance.policy.process.ensure_arguments_contain_value as audit

finding := audit.finding(audit.contains("--enable-admission-plugins", "EventRateLimit"))
finding := audit.finding(audit.arg_contains("--enable-admission-plugins", "EventRateLimit"))
Expand Up @@ -2,4 +2,4 @@ package compliance.cis_k8s.rules.cis_1_2_11

import data.compliance.policy.process.ensure_arguments_contain_value as audit

finding := audit.finding(audit.not_contains("--enable-admission-plugins", "AlwaysAdmit"))
finding := audit.finding(audit.arg_not_contains("--enable-admission-plugins", "AlwaysAdmit"))
Expand Up @@ -2,4 +2,4 @@ package compliance.cis_k8s.rules.cis_1_2_12

import data.compliance.policy.process.ensure_arguments_contain_value as audit

finding := audit.finding(audit.contains("--enable-admission-plugins", "AlwaysPullImages"))
finding := audit.finding(audit.arg_contains("--enable-admission-plugins", "AlwaysPullImages"))
Expand Up @@ -2,4 +2,4 @@ package compliance.cis_k8s.rules.cis_1_2_16

import data.compliance.policy.process.ensure_arguments_contain_value as audit

finding := audit.finding(audit.contains("--enable-admission-plugins", "NodeRestriction"))
finding := audit.finding(audit.arg_contains("--enable-admission-plugins", "NodeRestriction"))
Expand Up @@ -5,5 +5,5 @@ import future.keywords.if

finding = result if {
audit.apiserver_filter
result := audit.finding(audit.not_contains("--secure-port", "0"))
result := audit.finding(audit.arg_not_contains("--secure-port", "0"))
}
Expand Up @@ -5,5 +5,5 @@ import future.keywords.if

finding = result if {
audit.apiserver_filter
result := audit.finding(audit.contains("--profiling", "false"))
result := audit.finding(audit.arg_contains("--profiling", "false"))
}
Expand Up @@ -5,5 +5,5 @@ import future.keywords.if

finding = result if {
audit.apiserver_filter
result := audit.finding(audit.contains("--audit-log-path"))
result := audit.finding(audit.arg_contains("--audit-log-path"))
}
Expand Up @@ -5,5 +5,5 @@ import future.keywords.if

finding = result if {
audit.apiserver_filter
result := audit.finding(audit.not_contains("--token-auth-file"))
result := audit.finding(audit.arg_not_contains("--token-auth-file"))
}
Expand Up @@ -5,5 +5,5 @@ import future.keywords.if

finding = result if {
audit.apiserver_filter
result := audit.finding(audit.contains("--service-account-key-file"))
result := audit.finding(audit.arg_contains("--service-account-key-file"))
}
Expand Up @@ -5,5 +5,5 @@ import future.keywords.if

finding = result if {
audit.apiserver_filter
result := audit.finding(audit.contains("--client-ca-file"))
result := audit.finding(audit.arg_contains("--client-ca-file"))
}
Expand Up @@ -5,5 +5,5 @@ import future.keywords.if

finding = result if {
audit.apiserver_filter
result := audit.finding(audit.contains("--etcd-cafile"))
result := audit.finding(audit.arg_contains("--etcd-cafile"))
}
Expand Up @@ -5,5 +5,5 @@ import future.keywords.if

finding = result if {
audit.apiserver_filter
result := audit.finding(audit.not_contains("--kubelet-https", "false"))
result := audit.finding(audit.arg_not_contains("--kubelet-https", "false"))
}
Expand Up @@ -5,5 +5,5 @@ import future.keywords.if

finding = result if {
audit.apiserver_filter
result := audit.finding(audit.contains("--kubelet-certificate-authority"))
result := audit.finding(audit.arg_contains("--kubelet-certificate-authority"))
}
Expand Up @@ -2,4 +2,4 @@ package compliance.cis_k8s.rules.cis_1_2_7

import data.compliance.policy.process.ensure_arguments_contain_value as audit

finding := audit.finding(audit.not_contains("--authorization-mode", "AlwaysAllow"))
finding := audit.finding(audit.arg_not_contains("--authorization-mode", "AlwaysAllow"))
Expand Up @@ -2,4 +2,4 @@ package compliance.cis_k8s.rules.cis_1_2_8

import data.compliance.policy.process.ensure_arguments_contain_value as audit

finding := audit.finding(audit.contains("--authorization-mode", "Node"))
finding := audit.finding(audit.arg_contains("--authorization-mode", "Node"))
Expand Up @@ -2,4 +2,4 @@ package compliance.cis_k8s.rules.cis_1_2_9

import data.compliance.policy.process.ensure_arguments_contain_value as audit

finding := audit.finding(audit.contains("--authorization-mode", "RBAC"))
finding := audit.finding(audit.arg_contains("--authorization-mode", "RBAC"))
Expand Up @@ -5,5 +5,5 @@ import future.keywords.if

finding = result if {
audit.controller_manager_filter
result := audit.finding(audit.contains("--profiling", "false"))
result := audit.finding(audit.arg_contains("--profiling", "false"))
}
Expand Up @@ -5,5 +5,5 @@ import future.keywords.if

finding = result if {
audit.controller_manager_filter
result := audit.finding(audit.contains("--use-service-account-credentials", "true"))
result := audit.finding(audit.arg_contains("--use-service-account-credentials", "true"))
}
Expand Up @@ -5,5 +5,5 @@ import future.keywords.if

finding = result if {
audit.controller_manager_filter
result := audit.finding(audit.contains("--service-account-private-key-file"))
result := audit.finding(audit.arg_contains("--service-account-private-key-file"))
}
Expand Up @@ -5,5 +5,5 @@ import future.keywords.if

finding = result if {
audit.controller_manager_filter
result := audit.finding(audit.contains("--root-ca-file"))
result := audit.finding(audit.arg_contains("--root-ca-file"))
}
Expand Up @@ -5,5 +5,5 @@ import future.keywords.if

finding = result if {
audit.controller_manager_filter
result := audit.finding(audit.contains("--feature-gates", "RotateKubeletServerCertificate=true"))
result := audit.finding(audit.arg_contains("--feature-gates", "RotateKubeletServerCertificate=true"))
}
Expand Up @@ -5,5 +5,5 @@ import future.keywords.if

finding = result if {
audit.controller_manager_filter
result := audit.finding(audit.contains("--bind-address", "127.0.0.1"))
result := audit.finding(audit.arg_contains("--bind-address", "127.0.0.1"))
}
Expand Up @@ -5,5 +5,5 @@ import future.keywords.if

finding = result if {
audit.scheduler_filter
result := audit.finding(audit.contains("--profiling", "false"))
result := audit.finding(audit.arg_contains("--profiling", "false"))
}
Expand Up @@ -5,5 +5,5 @@ import future.keywords.if

finding = result if {
audit.scheduler_filter
result := audit.finding(audit.contains("--bind-address", "127.0.0.1"))
result := audit.finding(audit.arg_contains("--bind-address", "127.0.0.1"))
}
Expand Up @@ -5,5 +5,5 @@ import future.keywords.if

finding = result if {
audit.etcd_filter
result := audit.finding(audit.contains("--client-cert-auth", "true"))
result := audit.finding(audit.arg_contains("--client-cert-auth", "true"))
}
Expand Up @@ -5,5 +5,5 @@ import future.keywords.if

finding = result if {
audit.etcd_filter
result := audit.finding(audit.not_contains("--auto-tls", "true"))
result := audit.finding(audit.arg_not_contains("--auto-tls", "true"))
}
Expand Up @@ -5,5 +5,5 @@ import future.keywords.if

finding = result if {
audit.etcd_filter
result := audit.finding(audit.contains("--peer-client-cert-auth", "true"))
result := audit.finding(audit.arg_contains("--peer-client-cert-auth", "true"))
}
Expand Up @@ -5,5 +5,5 @@ import future.keywords.if

finding = result if {
audit.etcd_filter
result := audit.finding(audit.not_contains("--peer-auto-tls", "true"))
result := audit.finding(audit.arg_not_contains("--peer-auto-tls", "true"))
}
Expand Up @@ -14,10 +14,9 @@ finding(rule_evaluation) := lib_common.generate_result_without_expected(
{"process_args": process_args},
)

not_contains(entity) := assert.is_false(lib_common.contains_key(process_args, entity))
arg_not_contains(entity) := assert.is_false(lib_common.contains_key(process_args, entity))

# regal ignore:rule-shadows-builtin
contains(entity) := entity in object.keys(process_args)
arg_contains(entity) := entity in object.keys(process_args)

apiserver_filter := data_adapter.is_kube_apiserver

Expand Up @@ -12,10 +12,10 @@ finding(rule_evaluation) := lib_common.generate_result_without_expected(
{"process_args": process_args},
)

not_contains(entity, value) := assert.is_false(lib_common.contains_key_with_value(process_args, entity, value))
arg_not_contains(entity, value) := assert.is_false(lib_common.contains_key_with_value(process_args, entity, value))

# regal ignore:rule-shadows-builtin
contains(entity, value) := lib_common.contains_key_with_value(process_args, entity, value)
arg_contains(entity, value) := lib_common.contains_key_with_value(process_args, entity, value)

apiserver_filter := data_adapter.is_kube_apiserver

Expand Up @@ -19,7 +19,7 @@ finding(rule_evaluation) = result if {
)
}

not_contains(entity, value) := assert.is_false(process_common.arg_values_contains(process_args, entity, value))
arg_not_contains(entity, value) := assert.is_false(process_common.arg_values_contains(process_args, entity, value))

# regal ignore:rule-shadows-builtin
contains(entity, value) := process_common.arg_values_contains(process_args, entity, value)

arg_contains(entity, value) := process_common.arg_values_contains(process_args, entity, value)
