* chore: rebased chore: removed trivy Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore: updated deps Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * fix: missing error Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * fix: missing error Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * feat: switching old sonnet to message API Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * feat: added three new analyzers Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore(main): release 0.4.2 (#1400) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * docs: remove extra dollar sign in README.md (#1410) Signed-off-by: Qian_Xiao <heyheyco@gmail.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * test: add tests for `k8sgpt/pkg/analyzer/events.go` (#913) * test: add tests for events_test.go Signed-off-by: Eshaan Aggarwal <96648934+EshaanAgg@users.noreply.github.com> * feat: fixed event tests Signed-off-by: Alex Jones <alexsimonjones@gmail.com> --------- Signed-off-by: Eshaan Aggarwal <96648934+EshaanAgg@users.noreply.github.com> Signed-off-by: Alex Jones <alexsimonjones@gmail.com> Co-authored-by: Alex Jones <alexsimonjones@gmail.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * docs: add table of contents and cleanup (#1413) Signed-off-by: hadi2f244 <m.h.azaddel@gmail.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore: linter (#1414) * chore: changing linter Signed-off-by: Alex Jones <alexsimonjones@gmail.com> * chore: changing linter Signed-off-by: Alex Jones <alexsimonjones@gmail.com> * chore: changing linter Signed-off-by: Alex Jones <alexsimonjones@gmail.com> --------- Signed-off-by: Alex Jones <alexsimonjones@gmail.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore(deps): pin golangci/golangci-lint-action action to 1481404 (#1415) Signed-off-by: renovate[bot] 
<29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore(deps): update goreleaser/goreleaser-action digest to 9c156ee (#1411) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * fix: prometheus UTF8Validation (#1404) Signed-off-by: Kay Yan <kay.yan@daocloud.io> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * fix(deps): update module gopkg.in/yaml.v2 to v3 (#1363) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore: added new AmazonBedrock model (#1390) * Update AI Bedrock region - Added mumbai region Signed-off-by: Sakshi Singh <66963254+sakshirajput02@users.noreply.github.com> * Update amazonbedrock.go Signed-off-by: Sakshi Singh <66963254+sakshirajput02@users.noreply.github.com> * Added new AI model to work for ap-south-1 region[that does not uses inference profile] Signed-off-by: Sakshi Singh <66963254+sakshirajput02@users.noreply.github.com> --------- Signed-off-by: Sakshi Singh <66963254+sakshirajput02@users.noreply.github.com> Co-authored-by: Alex Jones <alexsimonjones@gmail.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore(main): release 0.4.3 (#1412) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore(deps): update module github.com/docker/docker to v28 (#1376) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore: 
updating deps (#1422) Signed-off-by: Alex Jones <alexsimonjones@gmail.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore(deps): update docker/setup-buildx-action digest to b5ca514 (#1371) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore(main): release 0.4.4 (#1421) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore: fix workflows (#1423) Signed-off-by: Alex Jones <alexsimonjones@gmail.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore(main): release 0.4.5 (#1424) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore: fixing docker build push action (#1426) Signed-off-by: Alex Jones <alexsimonjones@gmail.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore: updated actor for login (#1430) Signed-off-by: Alex Jones <alexsimonjones@gmail.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore(deps): pin docker/build-push-action action to 471d1dc (#1428) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore(main): release 0.4.6 (#1427) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore: fixing build (#1431) Signed-off-by: Alex Jones <alexsimonjones@gmail.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore(deps): update actions/upload-artifact digest to ea165f8 (#1425) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] 
<29139614+renovate[bot]@users.noreply.github.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore(main): release 0.4.7 (#1432) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore: removed krew release (#1434) Signed-off-by: Alex Jones <alexsimonjones@gmail.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore(main): release 0.4.8 (#1435) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore: fixing (#1437) Signed-off-by: Alex Jones <alexsimonjones@gmail.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore(deps): pin dependencies (#1440) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore(main): release 0.4.9 (#1439) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * fix: pod analyzer catches errors when containers are in Terminated state (#1438) Signed-off-by: Guoxun Wei <guwe@microsoft.com> Co-authored-by: Alex Jones <alexsimonjones@gmail.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * feat: add a naive support of bedrock inference profile (#1446) * feat: add a naive support of bedrock inference profile Signed-off-by: Tony Chen <tony_chen@discovery.com> * feat: improving the tests Signed-off-by: Alex Jones <alexsimonjones@gmail.com> --------- Signed-off-by: Tony Chen <tony_chen@discovery.com> Signed-off-by: Alex Jones <alexsimonjones@gmail.com> Co-authored-by: Alex Jones <alexsimonjones@gmail.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * fix(deps): update module gopkg.in/yaml.v2 to v3 (#1417) Signed-off-by: renovate[bot] 
<29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * fix(deps): update module helm.sh/helm/v3 to v3.17.3 [security] (#1448) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore(main): release 0.4.10 (#1441) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * feat: call bedrock with inference profile (#1449) * call bedrock with inference profile Signed-off-by: Tony Chen <tony_chen@discovery.com> * add validation and test Signed-off-by: Tony Chen <tony_chen@discovery.com> * update test Signed-off-by: Tony Chen <tony_chen@discovery.com> --------- Signed-off-by: Tony Chen <tony_chen@discovery.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * fix(deps): update module gopkg.in/yaml.v2 to v3 (#1447) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * docs: fix the slack invite link (#1450) Signed-off-by: Pengfei Ni <feiskyer@gmail.com> Co-authored-by: Alex Jones <alexsimonjones@gmail.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * feat: add verbose flag to enable detailed output (#1420) * feat: add verbose flag to enable detailed output Signed-off-by: Yicheng <36285652+zyc140345@users.noreply.github.com> * test: add verbose output tests for analysis.go and root.go Signed-off-by: Yicheng <36285652+zyc140345@users.noreply.github.com> --------- Signed-off-by: Yicheng <36285652+zyc140345@users.noreply.github.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * fix(deps): update module gopkg.in/yaml.v2 
to v3 (#1453) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * feat: improved test coverage (#1455) Signed-off-by: Alex Jones <alexsimonjones@gmail.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * fix: config ai provider in query (#1457) Signed-off-by: Guoxun Wei <guwe@microsoft.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore(main): release 0.4.11 (#1451) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore: fixed test Signed-off-by: AlexsJones <alexsimonjones@gmail.com> * chore: fixed test --------- Signed-off-by: AlexsJones <alexsimonjones@gmail.com> Signed-off-by: Qian_Xiao <heyheyco@gmail.com> Signed-off-by: Eshaan Aggarwal <96648934+EshaanAgg@users.noreply.github.com> Signed-off-by: Alex Jones <alexsimonjones@gmail.com> Signed-off-by: hadi2f244 <m.h.azaddel@gmail.com> Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Signed-off-by: Kay Yan <kay.yan@daocloud.io> Signed-off-by: Sakshi Singh <66963254+sakshirajput02@users.noreply.github.com> Signed-off-by: Guoxun Wei <guwe@microsoft.com> Signed-off-by: Tony Chen <tony_chen@discovery.com> Signed-off-by: Pengfei Ni <feiskyer@gmail.com> Signed-off-by: Yicheng <36285652+zyc140345@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Qian_Xiao <heyheyco@gmail.com> Co-authored-by: Eshaan Aggarwal <96648934+EshaanAgg@users.noreply.github.com> Co-authored-by: Hadi Azaddel <m.h.azaddel@gmail.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Kay Yan <kay.yan@daocloud.io> Co-authored-by: Sakshi Singh <66963254+sakshirajput02@users.noreply.github.com> Co-authored-by: gossion 
<guwe@microsoft.com> Co-authored-by: ju187 <tony_chen@discovery.com> Co-authored-by: Pengfei Ni <feiskyer@users.noreply.github.com> Co-authored-by: Yicheng <36285652+zyc140345@users.noreply.github.com>
/*
Copyright 2024 The K8sGPT Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package analyzer
import (
"fmt"
"github.com/k8sgpt-ai/k8sgpt/pkg/common"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// SecurityAnalyzer checks ServiceAccounts, RoleBindings and Pod security
// contexts in the selected namespace for common misconfigurations; see Analyze.
type SecurityAnalyzer struct{}
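// Analyze runs the security checks (ServiceAccounts, RoleBindings, Pod
// security contexts) for the namespace and label selector in a and returns
// the combined findings. The first error from any sub-check aborts the run
// and is returned unchanged.
//
// Before analysing, gauges left over from a previous run are cleared so that
// a resource that has since been fixed does not keep reporting errors. The
// sub-checks write AnalyzerErrorsMetric under their own kind labels
// ("Security/ServiceAccount", "Security/RoleBinding", "Security/Pod"), and
// DeletePartialMatch compares label values exactly, so each of those labels
// has to be deleted by name — deleting a bare "Security" label matches
// nothing and leaves the stale values in place.
func (SecurityAnalyzer) Analyze(a common.Analyzer) ([]common.Result, error) {
	// Must match the Kind values emitted by the sub-checks below.
	for _, kind := range []string{"Security/ServiceAccount", "Security/RoleBinding", "Security/Pod"} {
		AnalyzerErrorsMetric.DeletePartialMatch(map[string]string{
			"analyzer_name": kind,
		})
	}

	var results []common.Result

	// Each check returns only the resources it found fault with; the
	// order here is the order findings appear in the output.
	checks := []func(common.Analyzer) ([]common.Result, error){
		analyzeServiceAccounts,
		analyzeRoleBindings,
		analyzePodSecurityContexts,
	}
	for _, check := range checks {
		found, err := check(a)
		if err != nil {
			return nil, err
		}
		results = append(results, found...)
	}

	return results, nil
}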
// analyzeServiceAccounts reports, for every "default" ServiceAccount in
// scope, the pods of that namespace that run under it. The pod listing is
// best-effort: if it fails, that ServiceAccount is skipped without error.
//
// Returns one common.Result per affected ServiceAccount (Kind
// "Security/ServiceAccount") and records the failure count in
// AnalyzerErrorsMetric. An error listing ServiceAccounts is returned as-is.
func analyzeServiceAccounts(a common.Analyzer) ([]common.Result, error) {
	core := a.Client.GetClient().CoreV1()

	sas, err := core.ServiceAccounts(a.Namespace).List(a.Context, metav1.ListOptions{
		LabelSelector: a.LabelSelector,
	})
	if err != nil {
		return nil, err
	}

	var results []common.Result
	for _, sa := range sas.Items {
		// Only the default ServiceAccount is inspected; any other account
		// yields no failures and therefore no result.
		if sa.Name != "default" {
			continue
		}

		// NOTE: the pod listing deliberately ignores a.LabelSelector so that
		// every pod using the default account in this namespace is seen.
		pods, listErr := core.Pods(sa.Namespace).List(a.Context, metav1.ListOptions{})
		if listErr != nil {
			continue // best-effort: cannot inspect the pods of this namespace
		}

		defaultSAUsers := []string{}
		for _, pod := range pods.Items {
			if pod.Spec.ServiceAccountName == "default" {
				defaultSAUsers = append(defaultSAUsers, pod.Name)
			}
		}
		if len(defaultSAUsers) == 0 {
			continue
		}

		failures := []common.Failure{{
			Text:      fmt.Sprintf("Default service account is being used by pods: %v", defaultSAUsers),
			Sensitive: []common.Sensitive{},
		}}
		results = append(results, common.Result{
			Kind:  "Security/ServiceAccount",
			Name:  fmt.Sprintf("%s/%s", sa.Namespace, sa.Name),
			Error: failures,
		})
		AnalyzerErrorsMetric.WithLabelValues("Security/ServiceAccount", sa.Name, sa.Namespace).Set(float64(len(failures)))
	}

	return results, nil
}
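// analyzeRoleBindings flags RoleBindings whose referenced role grants
// wildcard ("*") verbs or resources. RoleRef.Kind is either "Role"
// (namespaced, looked up in the binding's namespace) or "ClusterRole"
// (cluster-scoped); both are resolved, because a wildcard ClusterRole bound
// into a namespace is just as permissive there as a wildcard Role. A
// reference that cannot be fetched is skipped without error.
//
// Returns one common.Result per offending RoleBinding (Kind
// "Security/RoleBinding") with one failure per wildcard rule, and records
// the failure count in AnalyzerErrorsMetric. An error listing RoleBindings
// is returned as-is.
func analyzeRoleBindings(a common.Analyzer) ([]common.Result, error) {
	rbac := a.Client.GetClient().RbacV1()

	rbs, err := rbac.RoleBindings(a.Namespace).List(a.Context, metav1.ListOptions{
		LabelSelector: a.LabelSelector,
	})
	if err != nil {
		return nil, err
	}

	var results []common.Result
	for _, rb := range rbs.Items {
		var failures []common.Failure

		// One failure per wildcard rule, naming the kind of role holding it.
		addFailure := func(refKind, refName string) {
			failures = append(failures, common.Failure{
				Text:      fmt.Sprintf("RoleBinding %s references %s %s which contains wildcard permissions - this is not recommended for security best practices", rb.Name, refKind, refName),
				Sensitive: []common.Sensitive{},
			})
		}

		// Resolve the referenced role by its kind. Looking a ClusterRole
		// name up as a namespaced Role fails and would silently skip the
		// binding, hiding exactly the bindings most worth reporting.
		switch rb.RoleRef.Kind {
		case "ClusterRole":
			cr, getErr := rbac.ClusterRoles().Get(a.Context, rb.RoleRef.Name, metav1.GetOptions{})
			if getErr != nil {
				continue // best-effort: missing or unreadable reference
			}
			for _, rule := range cr.Rules {
				if containsWildcard(rule.Verbs) || containsWildcard(rule.Resources) {
					addFailure("ClusterRole", cr.Name)
				}
			}
		default:
			role, getErr := rbac.Roles(rb.Namespace).Get(a.Context, rb.RoleRef.Name, metav1.GetOptions{})
			if getErr != nil {
				continue // best-effort: missing or unreadable reference
			}
			for _, rule := range role.Rules {
				if containsWildcard(rule.Verbs) || containsWildcard(rule.Resources) {
					addFailure("Role", role.Name)
				}
			}
		}

		if len(failures) == 0 {
			continue
		}
		results = append(results, common.Result{
			Kind:  "Security/RoleBinding",
			Name:  fmt.Sprintf("%s/%s", rb.Namespace, rb.Name),
			Error: failures,
		})
		AnalyzerErrorsMetric.WithLabelValues("Security/RoleBinding", rb.Name, rb.Namespace).Set(float64(len(failures)))
	}

	return results, nil
}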
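// analyzePodSecurityContexts reports pods that either run a privileged
// container or define no pod-level security context. Init containers are
// inspected as well as app containers: a privileged init container gets the
// same node-level access as a privileged app container, so skipping them
// would leave a gap in the check.
//
// At most one failure is reported per pod — a privileged container takes
// precedence over a missing security context — and AnalyzerErrorsMetric is
// set to 1 for each reported pod. Kind is "Security/Pod". An error listing
// pods is returned as-is.
func analyzePodSecurityContexts(a common.Analyzer) ([]common.Result, error) {
	pods, err := a.Client.GetClient().CoreV1().Pods(a.Namespace).List(a.Context, metav1.ListOptions{
		LabelSelector: a.LabelSelector,
	})
	if err != nil {
		return nil, err
	}

	var results []common.Result
	for _, pod := range pods.Items {
		// Find the first privileged container (most critical finding).
		// Init containers run before the app containers, so they are
		// checked first.
		privileged, label := "", ""
		for _, c := range pod.Spec.InitContainers {
			if c.SecurityContext != nil && c.SecurityContext.Privileged != nil && *c.SecurityContext.Privileged {
				privileged, label = c.Name, "Init container"
				break
			}
		}
		if privileged == "" {
			for _, c := range pod.Spec.Containers {
				if c.SecurityContext != nil && c.SecurityContext.Privileged != nil && *c.SecurityContext.Privileged {
					privileged, label = c.Name, "Container"
					break
				}
			}
		}

		var failures []common.Failure
		switch {
		case privileged != "":
			failures = append(failures, common.Failure{
				Text:      fmt.Sprintf("%s %s in pod %s is running as privileged which poses security risks", label, privileged, pod.Name),
				Sensitive: []common.Sensitive{},
			})
		case pod.Spec.SecurityContext == nil:
			// Only reported when no privileged container was found, so a
			// pod never carries more than one failure.
			failures = append(failures, common.Failure{
				Text:      fmt.Sprintf("Pod %s does not have a security context defined which may pose security risks", pod.Name),
				Sensitive: []common.Sensitive{},
			})
		}

		if len(failures) == 0 {
			continue
		}
		results = append(results, common.Result{
			Kind:  "Security/Pod",
			Name:  fmt.Sprintf("%s/%s", pod.Namespace, pod.Name),
			Error: failures,
		})
		AnalyzerErrorsMetric.WithLabelValues("Security/Pod", pod.Name, pod.Namespace).Set(1)
	}

	return results, nil
}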
// containsWildcard reports whether slice holds the RBAC wildcard entry "*".
// A nil or empty slice never contains one.
func containsWildcard(slice []string) bool {
	for i := range slice {
		if slice[i] == "*" {
			return true
		}
	}
	return false
}