Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor(repo): Simplify structure #308

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

refactor(repo): Simplify structure #308

wants to merge 8 commits into from

Conversation

simar7
Copy link
Member

@simar7 simar7 commented Jan 4, 2025

@simar7 simar7 force-pushed the refactor-structure branch from ad52a3f to e281ce0 Compare January 4, 2025 06:44
@simar7 simar7 requested a review from nikpivkin January 7, 2025 01:32
const ComplianceFolder = "compliance"
// Loader access compliance specs
type Loader interface {
GetSpecByName(name string) string
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a need for this interface?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably not but since we already have it, removal of it would be a breaking change that I don't want to make in this PR.

go.mod Outdated Show resolved Hide resolved
@simar7 simar7 marked this pull request as ready for review January 15, 2025 05:15
@simar7
Copy link
Member Author

simar7 commented Jan 15, 2025

@itaysk for your review: do you want to keep node-collector commands in this repo? I don't think that feature was fully implemented and as a result there's most likely no consumer of this. I personally would move them out elsewhere as they're not checks per-se (maybe trivy-operator?)

ARCHITECTURE.md Outdated Show resolved Hide resolved
ARCHITECTURE.md Outdated Show resolved Hide resolved
ARCHITECTURE.md Outdated
@@ -7,10 +7,9 @@ This document aims to answer the question *Where is the code that does X?*
The directory structure is broken down as follows:

- `cmd/` - These CLI tools are primarily used during development for end-to-end testing without needing to pull the library into trivy/tfsec etc.
- `checks` - All of the checks are defined in this directory.
- `checks` - All the checks are defined in this directory.
- `commands` - All Node-collector commands are defined in this directory.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's link to node collector docs to make sure the context is undestood

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to continue developing node-collector and its associated functionality? I asked it here.

If not we should remove it from trivy-checks if this repo is solely for the purposes of keeping checks.

Copy link
Contributor

@itaysk itaysk Jan 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, node collector is needed for k8s cis compliance, isn't it? in any case, "commands" is not very clear without this context. "node-collector" or something similar will give it more context I think

ARCHITECTURE.md Outdated Show resolved Hide resolved
ARCHITECTURE.md Outdated
- `commands` - All Node-collector commands are defined in this directory.
- `pkg/spec` - Logic to handle standardized specs such as CIS.
- `pkg/rules` - This package exposes internal rules, and imports them accordingly (see _rules.go_).
- `pkg/rules` - This package exposes internal checks, and imports them accordingly (see _rules.go_).
- `specs/` - Standaridized compliance specs such as CIS.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think specs is oerloaded term. for a newcomer "specs" probably relate more to bdd specs or to standardidation specs. the feature in trivy is called "compliance" shouldn't the directory be called that way too?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

theres a doc about contributing compliance specs under docs/compliance.md. it's the only doc in the docs dir I thin we should make it a readme in this dir, like kubernetes related info is documented in readme under checks/kubernetes, then we can remove /docs, which should be in trivy anyway

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see that you've addressed the first comment about renaming specs to compliance but not the second about docs

| Target | Description |
|----------------|------------------------------------------------------------------------------------------------------------------------------------|
| Network | Checks primarily targeting the networking stack |
| Dynamic | Checks that evaluate deprecated and removed APIs |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

either the description is not accurate or the dir name is bad. I think the intention was that these checks rely on environmental context for evaluation. for example, the deprecated API checks rely on information of which k8s version the user is running/evaluating against in order to decide if outdated or not.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree the name isn't very meaningful but then again I didn't want to change it in this PR as there maybe users who rely on this structure.

I couldn't come up with a better description, so I'm open to ideas. Would the following work based on what you said?

"Checks whose decision outcome is dynamically determined based on the environmental context."

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do you think the structure of checks could break users? I mean aren't the checks save/loaded from embedded/bundle in their complete hierarchy? is changing the internal hierachy problemattic?

about the description, it's something like:
"Checks that cannot evaluate based on input alone, and depend on environmental or user-provided context"

|----------------|------------------------------------------------------------------------------------------------------------------------------------|
| Network | Checks primarily targeting the networking stack |
| Dynamic | Checks that evaluate deprecated and removed APIs |
| CIS Benchmarks | Checks that are recommended by the CIS Benchmarks. The checks inside are targeted per each subsystem (e.g. apiserver, cni, etc.) |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this dir is serving only CIS, and CIS is using only this dir then fine, but I will challange us abit here: aren't these checks valid k8s checks also outside CIS context? aren't CIS reports include k8s checks besides these checks (i presume something like non privileged pod check).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right in the sense that these checks are ordinary checks even outside of CIS context.

I'm open to re-organizing all k8s checks in general (maybe based on another type) but we just need to confirm first with the stakeholders that this won't cause any breakage as in the past some users did rely on the structure. Can we do this in another PR?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes I think we need to reorganize the checks which is part of the motivation for this PR. sure if you think it needs another pr that's fine

| Network | Checks primarily targeting the networking stack |
| Dynamic | Checks that evaluate deprecated and removed APIs |
| CIS Benchmarks | Checks that are recommended by the CIS Benchmarks. The checks inside are targeted per each subsystem (e.g. apiserver, cni, etc.) |
| Advanced | Checks that are recommended for the advanced uesrs of Kubernetes |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how do we define advanced users

| CIS Benchmarks | Checks that are recommended by the CIS Benchmarks. The checks inside are targeted per each subsystem (e.g. apiserver, cni, etc.) |
| Advanced | Checks that are recommended for the advanced uesrs of Kubernetes |
| GKE | Checks specific to Google Kubernetes Engine |
| PSS | Checks pertaining to Pod Security Standards |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same comment as CIS

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldn't this be in trivy?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not quite because then users will need to import trivy as a library to load compliance specs which isn't ideal as it's a much bigger dependency.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

users needing to load compliance checks will also need to run them, which will require trivy no? is there a use case for loading compliance and not running them?

@@ -1,23 +0,0 @@
package spec
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we should leave this package with public functions, which will be imported from pkg/compliance . Then in Trivy you can change the import spec to compliance and after that completely remove this package? This will get rid of the errors.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants