Merge pull request #49 from fjogeleit/apply-labels

Apply labels from source report

charts/trivy-operator-polr-adapter/Chart.yaml

@@ -3,5 +3,5 @@ name: trivy-operator-polr-adapter
 description: Helm Chart to install the trivy-operator PolicyReport adapter
 
 type: application
-version: "0.1.5"
-appVersion: "0.1.5"
+version: "0.2.0"
+appVersion: "0.2.0"

charts/trivy-operator-polr-adapter/files/config.yaml

@@ -0,0 +1,36 @@
+vulnerabilityReports:
+  enabled: {{ .Values.adapters.vulnerabilityReports.enabled }}
+  {{- with .Values.adapters.vulnerabilityReports.applyLabels }}
+  applyLabels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+configAuditReports:
+  enabled: {{ .Values.adapters.configAuditReports.enabled }}
+  {{- with .Values.adapters.configAuditReports.applyLabels }}
+  applyLabels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+cisKubeBenchReports:
+  enabled: {{ .Values.adapters.cisKubeBenchReports.enabled }}
+  {{- with .Values.adapters.cisKubeBenchReports.applyLabels }}
+  applyLabels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+complianceReports:
+  enabled: {{ .Values.adapters.complianceReports.enabled }}
+  {{- with .Values.adapters.complianceReports.applyLabels }}
+  applyLabels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rbacAssessmentReports:
+  enabled: {{ .Values.adapters.rbacAssessmentReports.enabled }}
+  {{- with .Values.adapters.rbacAssessmentReports.applyLabels }}
+  applyLabels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+exposedSecretReports:
+  enabled: {{ .Values.adapters.exposedSecretReports.enabled }}
+  {{- with .Values.adapters.exposedSecretReports.applyLabels }}
+  applyLabels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}

charts/trivy-operator-polr-adapter/templates/config.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "trivy-operator-polr-adapter.fullname" . }}-config
+  labels:
+    {{- include "trivy-operator-polr-adapter.labels" . | nindent 4 }}
+data:
+  config.yaml: |
+    {{- tpl (.Files.Get "files/config.yaml") . | nindent 4 }}

charts/trivy-operator-polr-adapter/templates/deployment.yaml

@@ -13,6 +13,7 @@ spec:
     metadata:
       {{- with .Values.podAnnotations }}
       annotations:
+        checksum/secret: {{ include (print .Template.BasePath "/config.yaml") . | sha256sum | quote }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
@@ -31,20 +32,23 @@ spec:
           {{- end }}
           image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          args:
-            - --enable-vulnerability={{ .Values.adapters.vulnerabilityReports.enabled }}
-            - --enable-config-audit={{ .Values.adapters.configAuditReports.enabled }}
-            - --enable-kube-bench={{ .Values.adapters.cisKubeBenchReports.enabled }}
-            - --enable-compliance={{ .Values.adapters.complianceReports.enabled }}
-            - --enable-rbac-assessment={{ .Values.adapters.rbacAssessmentReports.enabled }}
-            - --enable-exposed-secrets={{ .Values.adapters.exposedSecretReports.enabled }}
           readinessProbe:
             exec:
               command:
               - /app/trivy-operator-polr-adapter
               - version
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+          - name: config-file
+            mountPath: /app/config.yaml
+            subPath: config.yaml
+            readOnly: true
+      volumes:
+      - name: config-file
+        configMap:
+          name: {{ include "trivy-operator-polr-adapter.fullname" . }}-config
+          optional: false
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/trivy-operator-polr-adapter/values.yaml

@@ -4,7 +4,7 @@ image:
   registry: ghcr.io
   repository: fjogeleit/trivy-operator-polr-adapter
   pullPolicy: IfNotPresent
-  tag: 0.1.5
+  tag: 0.2.0
 
 imagePullSecrets: []
 nameOverride: ""
@@ -13,16 +13,23 @@ fullnameOverride: ""
 adapters:
   vulnerabilityReports:
     enabled: true
+    # apply labels from the source report
+    applyLabels: []
   configAuditReports:
     enabled: true
+    applyLabels: []
   cisKubeBenchReports:
     enabled: false
+    applyLabels: []
   complianceReports:
     enabled: false
+    applyLabels: []
   rbacAssessmentReports:
     enabled: false
+    applyLabels: []
   exposedSecretReports:
     enabled: false
+    applyLabels: []
 
 rbac:
   enabled: true
@@ -60,4 +67,4 @@ tolerations: []
 affinity: {}
 
 serviceAccount:
-  create: true
+  create: true

cmd/run.go

@@ -2,6 +2,7 @@ package cmd
 
 import (
 	"flag"
+	"fmt"
 
 	"github.com/fjogeleit/trivy-operator-polr-adapter/pkg/config"
 	"github.com/spf13/cobra"
@@ -32,6 +33,7 @@ func newRunCMD() *cobra.Command {
 			resolver := config.NewResolver(c, k8sConfig)
 
 			if c.ConfigAuditReports.Enabled {
+				fmt.Println("[INFO] ConfigAuditReports enabled")
 				auditrClient, err := resolver.ConfigAuditReportClient()
 				if err != nil {
 					return err
@@ -44,6 +46,7 @@ func newRunCMD() *cobra.Command {
 			}
 
 			if c.VulnerabilityReports.Enabled {
+				fmt.Println("[INFO] VulnerabilityReports enabled")
 				vulnrClient, err := resolver.VulnerabilityReportClient()
 				if err != nil {
 					return err
@@ -56,6 +59,7 @@ func newRunCMD() *cobra.Command {
 			}
 
 			if c.ComplianceReports.Enabled {
+				fmt.Println("[INFO] ComplianceReports enabled")
 				complianceClient, err := resolver.ComplianceReportClient()
 				if err != nil {
 					return err
@@ -68,6 +72,7 @@ func newRunCMD() *cobra.Command {
 			}
 
 			if c.RbacAssessmentReports.Enabled {
+				fmt.Println("[INFO] RbacAssessmentReports enabled")
 				rbacClient, err := resolver.RbacAssessmentReportClient()
 				if err != nil {
 					return err
@@ -90,6 +95,7 @@ func newRunCMD() *cobra.Command {
 			}
 
 			if c.ExposedSecretReports.Enabled {
+				fmt.Println("[INFO] ExposedSecretReports enabled")
 				secretClient, err := resolver.ExposedSecretReportClient()
 				if err != nil {
 					return err
@@ -102,6 +108,7 @@ func newRunCMD() *cobra.Command {
 			}
 
 			if c.CISKubeBenchReports.Enabled {
+				fmt.Println("[INFO] CISKubeBenchReports enabled")
 				kubeBenchClient, err := resolver.CISKubeBenchReportClient()
 				if err != nil {
 					return err

pkg/adapters/auditr/client.go

@@ -54,9 +54,9 @@ func (e *Client) StartWatching(ctx context.Context) error {
 	})
 }
 
-func NewClient(client controller.Controller, polrClient v1alpha2.Wgpolicyk8sV1alpha2Interface) *Client {
+func NewClient(client controller.Controller, polrClient v1alpha2.Wgpolicyk8sV1alpha2Interface, applyLabels []string) *Client {
 	return &Client{
 		client:     client,
-		polrClient: NewPolicyReportClient(polrClient),
+		polrClient: NewPolicyReportClient(polrClient, applyLabels),
 	}
 }

pkg/adapters/auditr/mapper.go

@@ -2,23 +2,15 @@ package auditr
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/aquasecurity/trivy-operator/pkg/apis/aquasecurity/v1alpha1"
+	"github.com/fjogeleit/trivy-operator-polr-adapter/pkg/adapters/shared"
 	"github.com/kyverno/kyverno/api/policyreport/v1alpha2"
 	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-type Severity = int
-
-const (
-	unknown Severity = iota
-	low
-	medium
-	high
-	critical
-)
-
 const (
 	resultSource = "Trivy ConfigAudit"
 	reportPrefix = "trivy-audit-polr"
@@ -36,16 +28,21 @@ var (
 	}
 )
 
-func Map(report *v1alpha1.ConfigAuditReport, polr *v1alpha2.PolicyReport) (*v1alpha2.PolicyReport, bool) {
+type mapper struct {
+	shared.LabelMapper
+}
+
+func (m *mapper) Map(report *v1alpha1.ConfigAuditReport, polr *v1alpha2.PolicyReport) (*v1alpha2.PolicyReport, bool) {
 	if len(report.Report.Checks) == 0 {
 		return nil, false
 	}
 
 	var updated bool
 
 	if polr == nil {
-		polr = CreatePolicyReport(report)
+		polr = m.CreatePolicyReport(report)
 	} else {
+		polr.Labels = m.CreateLabels(report.Labels, reportLabels)
 		polr.Summary = v1alpha2.PolicyReportSummary{}
 		polr.Results = []v1alpha2.PolicyReportResult{}
 		updated = true
@@ -89,7 +86,7 @@ func Map(report *v1alpha1.ConfigAuditReport, polr *v1alpha2.PolicyReport) (*v1al
 			Properties: props,
 			Resources:  []corev1.ObjectReference{res},
 			Result:     MapResult(check.Success),
-			Severity:   MapServerity(check.Severity),
+			Severity:   shared.MapServerity(check.Severity),
 			Category:   check.Category,
 			Timestamp:  *report.CreationTimestamp.ProtoTime(),
 			Source:     resultSource,
@@ -107,22 +104,6 @@ func MapResult(success bool) v1alpha2.PolicyResult {
 	return v1alpha2.StatusFail
 }
 
-func MapServerity(severity v1alpha1.Severity) v1alpha2.PolicySeverity {
-	if severity == v1alpha1.SeverityUnknown {
-		return ""
-	} else if severity == v1alpha1.SeverityLow {
-		return v1alpha2.SeverityLow
-	} else if severity == v1alpha1.SeverityMedium {
-		return v1alpha2.SeverityMedium
-	} else if severity == v1alpha1.SeverityHigh {
-		return v1alpha2.SeverityHigh
-	} else if severity == v1alpha1.SeverityCritical {
-		return v1alpha2.SeverityCritical
-	}
-
-	return v1alpha2.SeverityInfo
-}
-
 func CreateObjectReference(report *v1alpha1.ConfigAuditReport) corev1.ObjectReference {
 	if len(report.OwnerReferences) == 1 {
 		ref := report.OwnerReferences[0].DeepCopy()
@@ -142,12 +123,12 @@ func CreateObjectReference(report *v1alpha1.ConfigAuditReport) corev1.ObjectRefe
 	}
 }
 
-func CreatePolicyReport(report *v1alpha1.ConfigAuditReport) *v1alpha2.PolicyReport {
+func (m *mapper) CreatePolicyReport(report *v1alpha1.ConfigAuditReport) *v1alpha2.PolicyReport {
 	return &v1alpha2.PolicyReport{
 		ObjectMeta: v1.ObjectMeta{
 			Name:            GeneratePolicyReportName(report),
 			Namespace:       report.Namespace,
-			Labels:          reportLabels,
+			Labels:          m.CreateLabels(report.Labels, reportLabels),
 			OwnerReferences: report.OwnerReferences,
 		},
 		Summary: v1alpha2.PolicyReportSummary{},
@@ -158,7 +139,7 @@ func CreatePolicyReport(report *v1alpha1.ConfigAuditReport) *v1alpha2.PolicyRepo
 func GeneratePolicyReportName(report *v1alpha1.ConfigAuditReport) string {
 	name := report.Name
 	if len(report.OwnerReferences) == 1 {
-		name = report.OwnerReferences[0].Name
+		name = fmt.Sprintf("%s-%s", strings.ToLower(report.OwnerReferences[0].Kind), report.OwnerReferences[0].Name)
 	}
 
 	return fmt.Sprintf("%s-%s", reportPrefix, name)

pkg/adapters/auditr/polr_client.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 
 	"github.com/aquasecurity/trivy-operator/pkg/apis/aquasecurity/v1alpha1"
+	"github.com/fjogeleit/trivy-operator-polr-adapter/pkg/adapters/shared"
 	pr "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/policyreport/v1alpha2"
 	"golang.org/x/net/context"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -13,6 +14,7 @@ import (
 
 type PolicyReportClient struct {
 	k8sClient pr.Wgpolicyk8sV1alpha2Interface
+	mapper    *mapper
 }
 
 func (p *PolicyReportClient) GenerateReport(ctx context.Context, report *v1alpha1.ConfigAuditReport) error {
@@ -24,7 +26,7 @@ func (p *PolicyReportClient) GenerateReport(ctx context.Context, report *v1alpha
 			polr = nil
 		}
 
-		polr, updated := Map(report, polr)
+		polr, updated := p.mapper.Map(report, polr)
 		if polr == nil {
 			return nil
 		} else if updated {
@@ -52,8 +54,9 @@ func (p *PolicyReportClient) DeleteReport(ctx context.Context, report *v1alpha1.
 	})
 }
 
-func NewPolicyReportClient(client pr.Wgpolicyk8sV1alpha2Interface) *PolicyReportClient {
+func NewPolicyReportClient(client pr.Wgpolicyk8sV1alpha2Interface, applyLabels []string) *PolicyReportClient {
 	return &PolicyReportClient{
 		k8sClient: client,
+		mapper:    &mapper{shared.NewLabelMapper(applyLabels)},
 	}
 }

pkg/adapters/clusterrbac/client.go

@@ -53,9 +53,9 @@ func (e *Client) StartWatching(ctx context.Context) error {
 	})
 }
 
-func NewClient(client controller.Controller, polrClient v1alpha2.Wgpolicyk8sV1alpha2Interface) *Client {
+func NewClient(client controller.Controller, polrClient v1alpha2.Wgpolicyk8sV1alpha2Interface, applyLabels []string) *Client {
 	return &Client{
 		client:     client,
-		polrClient: NewPolicyReportClient(polrClient),
+		polrClient: NewPolicyReportClient(polrClient, applyLabels),
 	}
 }