cmd

package


Constants

This section is empty.

Variables

// DryRun, when true, makes MigrateCmd print the suggested level for each
// namespace without applying any labels (presumably bound to a --dry-run flag
// elsewhere in the package; the flag binding is not shown here).
var DryRun bool
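// MigrateCmd walks every namespace, suggests a Pod Security Standard level for
// it from the pods currently running there, and, unless DryRun is set,
// interactively applies that level through ApplyPSSLevel.
//
// The command refuses to go further while any pod is still being mutated by a
// PSP object: a mutated PodSpec does not reflect what the workload itself
// declares, so a level derived from it would be misleading.
var MigrateCmd = &cobra.Command{
	Use:   "migrate",
	Short: "Interactive command to migrate from PSP to PSA ",
	Long: `The interactive command will help with setting a suggested a
	Suggested Pod Security Standard for each namespace. In addition, it also
	checks whether a PSP object is mutating pods in every namespace.`,
	Run: func(cmd *cobra.Command, args []string) {
		pods, err := GetPods()
		if err != nil {
			log.Fatalln("Error getting pods", err.Error())
		}
		fmt.Println("Checking if any pods are being mutated by a PSP object")
		mutatedPods := make([]v1.Pod, 0)
		// Index instead of ranging by value so the pointer handed to the
		// checker refers to the element itself, not a per-iteration copy.
		for i := range pods.Items {
			mutated, _, err := pspmigrator.IsPodBeingMutatedByPSP(&pods.Items[i], clientset)
			if err != nil {
				log.Fatalln(err)
			}
			if mutated {
				mutatedPods = append(mutatedPods, pods.Items[i])
			}
		}
		if len(mutatedPods) > 0 {
			migrateReportMutatedPods(mutatedPods)
			os.Exit(1)
		}

		namespaces, err := GetNamespaces()
		if err != nil {
			log.Fatalln("Error getting namespaces:", err.Error())
		}
		for i := range namespaces.Items {
			namespace := &namespaces.Items[i]

			if NamespaceHasPSALabels(namespace) {
				log.Printf("The namespace %v already has PSA labels set. So skipping....\n", namespace.Name)
				log.Printf("The following labels are currently set on the %v namespace.\n Labels: %#v\n",
					namespace.Name, namespace.Labels)
				continue
			}
			podList, err := GetPodsByNamespace(namespace.Name)
			if err != nil {
				log.Printf("Error getting pods for namespace %v. Error: %v\n", namespace.Name, err.Error())
				log.Println("Continuing with next namespace")
				continue
			}
			pods := podList.Items
			if len(pods) == 0 {
				fmt.Printf("There are no pods running in namespace %v. Skipping and going to the next one.\n", namespace.Name)
				continue
			}
			suggested := migrateSuggestedLevel(pods, namespace.Name)
			fmt.Printf("Suggest using %v in namespace %v\n", suggested, namespace.Name)
			if DryRun {
				fmt.Printf("In dry-run mode so not applying any changes. You can run this ")
				fmt.Printf("command again with --dry-run=false to apply %v on namespace %v\n", suggested, namespace.Name)
				continue
			}

			skipStr := "skip, continue with next namespace"
			prompt := promptui.Select{
				Label: fmt.Sprintf("Select control mode for %v on namespace %v", suggested, namespace.Name),
				Items: []string{"enforce", "audit", skipStr},
			}
			_, control, err := prompt.Run()
			if err != nil {
				fmt.Println("error occured getting enforcement mode", err)
				// A failed prompt leaves control empty; never hand an empty
				// control mode to ApplyPSSLevel, treat it as a skip instead.
				continue
			}
			if control == skipStr {
				continue
			}
			if err := ApplyPSSLevel(namespace, suggested, control); err != nil {
				log.Printf("Error applying %v on namespace %v. Error: %v\n", suggested, namespace.Name, err.Error())
				// Do not report success for a namespace that was not labelled.
				continue
			}
			fmt.Printf("Applied pod security level %v on namespace %v in %v control mode\n", suggested, namespace.Name, control)
			fmt.Printf("Review the labels by running `kubectl get ns %v -o yaml`\n", namespace.Name)
		}
		fmt.Println("Done with migrating namespaces with pods to PSA")

	},
}

// migrateReportMutatedPods prints a table of the pods still mutated by a PSP
// object (name, namespace and the PSP recorded in the kubernetes.io/psp
// annotation) followed by instructions on how to investigate one of them.
// Pods without the annotation are counted but not listed.
func migrateReportMutatedPods(mutatedPods []v1.Pod) {
	fmt.Println("The table below shows the pods that were mutated by a PSP object")

	table := tablewriter.NewWriter(os.Stdout)
	table.SetHeader([]string{"Pod Name", "Namespace", "PSP"})
	for i := range mutatedPods {
		pod := &mutatedPods[i]
		if pspName, ok := pod.ObjectMeta.Annotations["kubernetes.io/psp"]; ok {
			table.Append([]string{pod.Name, pod.Namespace, pspName})
		}
	}
	table.Render()
	pod := mutatedPods[0]
	fmt.Printf("There were %v pods mutated. Please modify the PodSpec such that PSP no longer needs to mutate your pod.\n", len(mutatedPods))
	fmt.Printf("You can run `pspmigrator mutating pod %v -n %v` to learn more why and how your pod is being mutated. ", pod.Name, pod.Namespace)
	fmt.Printf("Please re-run the tool again after you've modified your PodSpecs.\n")
}

// migrateSuggestedLevel returns the most permissive level any pod in pods
// needs: privileged if any pod needs it, else baseline if any pod needs it,
// else restricted. nsName is only used in messages.
//
// A pod whose level cannot be determined is reported and left out of the
// result, so the suggestion may be stricter than that pod requires; the
// zero Level is returned when no pod could be evaluated.
func migrateSuggestedLevel(pods []v1.Pod, nsName string) psaapi.Level {
	suggestions := make(map[psaapi.Level]bool)
	for i := range pods {
		level, err := pspmigrator.SuggestedPodSecurityStandard(&pods[i])
		if err != nil {
			fmt.Println("error occured checking the suggested pod security standard", err)
			fmt.Println("Continuing with the next namespace due to error with ", nsName)
			continue
		}
		suggestions[level] = true
	}
	var suggested psaapi.Level
	switch {
	case suggestions["privileged"]:
		suggested = psaapi.LevelPrivileged
	case suggestions["baseline"]:
		suggested = psaapi.LevelBaseline
	case suggestions["restricted"]:
		suggested = psaapi.LevelRestricted
	}
	return suggested
}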
// MutatingCmd is the parent command for the mutation checks; it carries no Run
// of its own here, so the actual work lives in subcommands registered elsewhere
// (the "mutating pod" invocation referenced by MigrateCmd is one of them).
var MutatingCmd = &cobra.Command{
	Use:   "mutating",
	Short: "Check if pods or PSP objects are mutating",
}
// Namespace holds a namespace name shared across the package's commands;
// presumably bound to a flag elsewhere in the package — confirm against the
// command setup, which is not shown in this listing.
var Namespace string
// RootCmd is the top-level pspmigrator command; MigrateCmd and MutatingCmd are
// expected to be attached to it as subcommands (the wiring is not shown here).
var RootCmd = &cobra.Command{
	Use:   "pspmigrator",
	Short: "pspmigrator is a tool to help migrate from PSP to PSA",
}

Functions

func ApplyPSSLevel

func ApplyPSSLevel(namespace *v1.Namespace, level psaapi.Level, control string) error

func GetNamespaces

func GetNamespaces() (*v1.NamespaceList, error)

func GetPods

func GetPods() (*v1.PodList, error)

func GetPodsByNamespace

func GetPodsByNamespace(namespace string) (*v1.PodList, error)

func IgnoreNamespaceSelector

func IgnoreNamespaceSelector(field string) string

func NamespaceHasPSALabels

func NamespaceHasPSALabels(namespace *v1.Namespace) bool

Types

This section is empty.
