feat: Connect with discovery-engine to recommend Kyverno policies
Signed-off-by: Vyom-Yadav <jackhammervyom@gmail.com>
1 parent
8f3e118
commit 23b3a90
Showing
12 changed files
with
304 additions
and
37 deletions.
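--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,84 @@
+package recommend
+
+import (
+"context"
+"errors"
+"github.com/accuknox/auto-policy-discovery/src/libs"
+"github.com/accuknox/auto-policy-discovery/src/protobuf/v1/worker"
+"github.com/clarketm/json"
+"github.com/fatih/color"
+"github.com/kubearmor/kubearmor-client/k8s"
+"github.com/kubearmor/kubearmor-client/utils"
+kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+log "github.com/sirupsen/logrus"
+"golang.org/x/exp/slices"
+"google.golang.org/grpc"
+"google.golang.org/grpc/credentials/insecure"
+"os"
+"strconv"
+"strings"
+)
+
+func recommendAdmissionControllerPolicies(img ImageInfo, c *k8s.Client) error {
+labels := libs.LabelMapToString(img.Labels)
+gRPC := ""
+targetSvc := "discovery-engine"
+var port int64 = 9089
+mtchLabels := map[string]string{"app": "discovery-engine"}
+if val, ok := os.LookupEnv("DISCOVERY_SERVICE"); ok {
+gRPC = val
+} else {
+pf, err := utils.InitiatePortForward(c, port, port, mtchLabels, targetSvc)
+if err != nil {
+return err
+}
+gRPC = "localhost:" + strconv.FormatInt(pf.LocalPort, 10)
+}
+// create a client
+conn, err := grpc.Dial(gRPC, grpc.WithTransportCredentials(insecure.NewCredentials()))
+if err != nil {
+return errors.New("could not connect to the server. Possible troubleshooting:\n- Check if discovery engine is running\n- Create a portforward to discovery engine service using\n\t\033[1mkubectl port-forward -n explorer service/knoxautopolicy --address 0.0.0.0 --address :: 9089:9089\033[0m\n[0m")
+}
+defer func(conn *grpc.ClientConn) {
+err := conn.Close()
+if err != nil {
+log.Println("Error while closing connection")
+}
+}(conn)
+client := worker.NewWorkerClient(conn)
+resp, err := client.Convert(context.Background(), &worker.WorkerRequest{
+Labels: labels,
+Namespace: img.Namespace,
+Policytype: "AdmissionControllerPolicy",
+})
+if err != nil {
+color.Red(err.Error())
+return err
+}
+if resp.AdmissionControllerPolicy != nil {
+for _, policy := range resp.AdmissionControllerPolicy {
+var kyvernoPolicy kyvernov1.Policy
+err := json.Unmarshal(policy.Data, &kyvernoPolicy)
+if err != nil {
+return err
+}
+if matchAdmissionControllerPolicyTags(&kyvernoPolicy) {
+img.writeAdmissionControllerPolicy(kyvernoPolicy)
+}
+}
+}
+return nil
+}
+
+func matchAdmissionControllerPolicyTags(policy *kyvernov1.Policy) bool {
+policyTags := strings.Split(policy.Annotations["recommended-policies.kubearmor.io/tags"], ",")
+if len(options.Tags) <= 0 {
+return true
+}
+for _, t := range options.Tags {
+if slices.Contains(policyTags, t) {
+return true
+}
+}
+return false
+}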
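Review bot: The error returned when `grpc.Dial` fails in `recommendAdmissionControllerPolicies` replaces the underlying `err` with a fixed `errors.New` string, so the user never learns why the dial failed, and that literal ends with a stray `[0m` after the closing `\033[0m\n`, which is printed as garbage; wrap instead, e.g. `return fmt.Errorf("connecting to discovery engine at %q: %w\n%s", gRPC, err, troubleshootHint)` with the hint text in a constant (this needs `fmt` in the import block). With the default dial options `grpc.Dial` does not block on connectivity, so a missing or unreachable engine more likely surfaces from `client.Convert`, where it is only printed with `color.Red` and returned without the hint — worth verifying and attaching the hint there instead. The transport is plaintext (`insecure.NewCredentials()`) to whatever address `DISCOVERY_SERVICE` names, and every returned policy is unmarshaled and written out via `img.writeAdmissionControllerPolicy` without any integrity check, so state that trust assumption with a comment such as `// Policies are trusted as received: DISCOVERY_SERVICE must point at a trusted discovery-engine (plaintext gRPC, no authentication).` The port-forward `pf` from `utils.InitiatePortForward` is never stopped, which may leak the forwarder if that helper expects cleanup — confirm against its implementation. In `matchAdmissionControllerPolicyTags`, `len(options.Tags) <= 0` should read `len(options.Tags) == 0` (`len` is never negative), and `options` is a package-level variable declared outside this file.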