
feat: Connect with discovery-engine to recommend Kyverno policies #303

Merged

Conversation

Vyom-Yadav
Contributor

@Vyom-Yadav Vyom-Yadav commented Apr 1, 2023

Signed-off-by: Vyom-Yadav jackhammervyom@gmail.com


Kyverno policy recommendation is spread across 3 PRs including this one:


Explanation:

Unlike other recommended policies, admission controller policies are fetched from Discovery-Engine. The client does not generate any admission controller policies.

Admission controller policy recommendation does not require downloading the images; they can be fetched directly from Discovery Engine.

The CLI is extended with another flag for recommend: (-p, --policy)

$ ./karmor recommend --help          
Recommend policies based on container image, k8s manifest or the actual runtime env

Usage:
  karmor recommend [flags]
  karmor recommend [command]

Available Commands:
  update      Updates policy-template cache

Flags:
  -c, --config string      absolute path to image registry configuration file (default "/home/vyom/.docker/config.json")
  -h, --help               help for recommend
  -i, --image strings      Container image list (comma separated)
  -l, --labels strings     User defined labels for policy (comma separated)
  -n, --namespace string   User defined namespace value for policies
  -o, --outdir string      output folder to write policies (default "out")
  -p, --policy strings     Types of policy that can be recommended: KubeArmorPolicy|KyvernoPolicy (comma separated) (default [KyvernoPolicy,KubeArmorPolicy])
  -r, --report string      report file (default "report.txt")
  -t, --tag strings        tags (comma-separated) to apply. Eg. PCI-DSS, MITRE

Global Flags:
      --context string      Name of the kubeconfig context to use
      --kubeconfig string   Path to the kubeconfig file to use

Use "karmor recommend [command] --help" for more information about a command.

Policies are currently being fetched from my fork of policy-templates; a change will be required after merging kubearmor/policy-templates#1037.


Recommendation Logs: https://gist.github.com/Vyom-Yadav/17d2baf7164c7204a4237b2b3efb88b6

@Vyom-Yadav
Contributor Author

The CI failure is due to a dependency on the updated worker protobuf.

@nyrahul nyrahul requested a review from PrimalPimmy April 1, 2023 18:41
Resolved review threads on:
  recommend/admissionControllerPolicy.go (outdated)
  recommend/admissionControllerPolicy.go
  recommend/policyTemplates.go (outdated)
  recommend/imageHandler.go (outdated)
@Vyom-Yadav Vyom-Yadav force-pushed the recommendAdmissionControllerPolicies branch 5 times, most recently from 5e7714e to 7b13661 Compare April 4, 2023 17:56
@Vyom-Yadav Vyom-Yadav marked this pull request as ready for review April 4, 2023 18:00
@Vyom-Yadav Vyom-Yadav requested a review from nyrahul April 4, 2023 18:01
@Vyom-Yadav Vyom-Yadav force-pushed the recommendAdmissionControllerPolicies branch from 7b13661 to c993ec4 Compare April 13, 2023 06:06
@daemon1024 daemon1024 self-requested a review April 17, 2023 10:06
Resolved review threads on:
  recommend/admissionControllerPolicy.go (outdated)
  recommend/imageHandler.go (outdated)
@Vyom-Yadav Vyom-Yadav force-pushed the recommendAdmissionControllerPolicies branch 2 times, most recently from 6e95397 to f839570 Compare April 19, 2023 08:31
Signed-off-by: Vyom-Yadav <jackhammervyom@gmail.com>
@Vyom-Yadav Vyom-Yadav force-pushed the recommendAdmissionControllerPolicies branch from f839570 to caeba1f Compare April 19, 2023 15:44
Member

@PrimalPimmy PrimalPimmy left a comment


LGTM 👍 tested locally

@Vyom-Yadav
Contributor Author

@nyrahul Can you please LGTM if the changes look good?

Contributor

@nyrahul nyrahul left a comment


Lgtm

@nyrahul nyrahul merged commit da769dd into kubearmor:main Apr 24, 2023