From 3b9bcea7cb29c71886cec04404ccf2ee3e73e53d Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Sun, 25 Jun 2023 15:56:41 +0200
Subject: [PATCH 1/4] feat: add fairwinds polaris

---
 Dockerfile | 5 ++++
 overlay/usr/local/bin/flux-audit | 40 ++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+)
 create mode 100755 overlay/usr/local/bin/flux-audit

diff --git a/Dockerfile b/Dockerfile
index 702d380..00dc4c6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,6 +12,7 @@ ARG YQ_VERSION
 ARG HELM_VERSION
 ARG KUSTOMIZE_VERSION
 ARG KUBECONFORM_VERSION
+ARG POLARIS_VERSION
 
 # renovate: datasource=github-releases depName=kubernetes/kubernetes
 ENV KUBECTL_VERSION="${KUBECTL_VERSION:-v1.27.3}"
@@ -23,6 +24,8 @@ ENV HELM_VERSION="${HELM_VERSION:-v3.12.1}"
 ENV KUSTOMIZE_VERSION="${KUSTOMIZE_VERSION:-v5.1.0}"
 # renovate: datasource=github-releases depName=yannh/kubeconform
 ENV KUBECONFORM_VERSION="${KUBECONFORM_VERSION:-v0.6.2}"
+# renovate: datasource=github-releases depName=FairwindsOps/polaris
+ENV POLARIS_VERSION="${POLARIS_VERSION:-8.2.3}"
 
 RUN apk --update add curl tar bash python3 py3-yaml && \
     curl -SsfL -o /usr/local/bin/kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
@@ -34,6 +37,8 @@ RUN apk --update add curl tar bash python3 py3-yaml && \
     | tar xz -C /usr/local/bin kustomize && \
     curl -SsfL "https://github.com/yannh/kubeconform/releases/download/${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz" \
     | tar xz -C /usr/local/bin kubeconform && \
+    curl -SsfL "https://github.com/FairwindsOps/polaris/releases/download/${POLARIS_VERSION}/polaris_linux_amd64.tar.gz" \
+    | tar xz -C /usr/local/bin polaris && \
     chmod 755 /usr/local/bin/kubectl && \
     chmod 755 /usr/local/bin/kubectl-convert && \
     chmod 755 /usr/local/bin/yq && \
diff --git a/overlay/usr/local/bin/flux-audit b/overlay/usr/local/bin/flux-audit
new file mode 100755
index 0000000..3927ba2
--- /dev/null
+++ b/overlay/usr/local/bin/flux-audit
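Review bot: The new `curl -SsfL ".../polaris_linux_amd64.tar.gz" | tar xz -C /usr/local/bin polaris` installs an executable straight from a GitHub release asset with no integrity check, so a replaced or tampered asset lands in the image unnoticed; the kubeconform line above it has the same gap, but this hunk widens it. Download to a file, verify a pinned sha256 before extracting, and carry the digest as a build arg next to `ARG POLARIS_VERSION` so a version bump and its digest travel together (Polaris appears to ship a checksum file with its releases — confirm its name for 8.2.3 before automating the pin). Extracting only the single member `polaris`, as the hunk already does, should stay; the rest of the RUN chain continues outside the hunk.

```dockerfile
# … unchanged: kubeconform download …
    curl -SsfL -o /tmp/polaris.tar.gz "https://github.com/FairwindsOps/polaris/releases/download/${POLARIS_VERSION}/polaris_linux_amd64.tar.gz" && \
    echo "${POLARIS_SHA256}  /tmp/polaris.tar.gz" | sha256sum -c - && \
    tar xzf /tmp/polaris.tar.gz -C /usr/local/bin polaris && \
    rm -f /tmp/polaris.tar.gz && \
# … unchanged: chmod lines …
```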
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+KUSTOMIZE_FLAGS=("--load-restrictor=LoadRestrictionsNone")
+KUSTOMIZE_CONFIG="kustomization.yaml"
+
+FLUX_PATH="${1:-.}"
+POLARIS_EXCLUDE_PATHS=(
+  "flux/clusters/cloud-infra/flux-system/"
+)
+
+if [ -z "$POLARIS_CONFIG" ]; then
+  POLARIS_CONFIG=(
+    "--format=pretty"
+    "--set-exit-code-on-danger"
+    "--set-exit-code-below-score=80"
+    "--only-show-failed-tests=true"
+    "--audit-path=-"
+  )
+else
+  # shellcheck disable=SC2128
+  IFS=', ' read -r -a POLARIS_CONFIG <<<"$POLARIS_CONFIG"
+fi
+
+printf "\nINFO - Auditing kustomize overlays\n"
+find "${FLUX_PATH%/}" -type f -name $KUSTOMIZE_CONFIG -print0 | while IFS= read -r -d $'\0' file; do
+  printf "INFO - Auditing kustomization %s\n" "${file/%$KUSTOMIZE_CONFIG/}"
+  for EXCLUDE in "${POLARIS_EXCLUDE_PATHS[@]}"; do
+    if [ "$EXCLUDE" == "${file/%$KUSTOMIZE_CONFIG/}" ]; then
+      continue 2
+    fi
+  done
+
+  kustomize build "${file/%$KUSTOMIZE_CONFIG/}" "${KUSTOMIZE_FLAGS[@]}" |
+    polaris audit "${POLARIS_CONFIG[@]}"
+  echo
+  if [[ ${PIPESTATUS[0]} != 0 ]]; then
+    exit 1
+  fi
+done
--
2.24.4

From 265da7d159f1e92921b2c4881fe10757f2774f45 Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Sun, 25 Jun 2023 15:59:01 +0200
Subject: [PATCH 2/4] feat: add fairwinds polaris

---
 overlay/usr/local/bin/flux-audit | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/overlay/usr/local/bin/flux-audit b/overlay/usr/local/bin/flux-audit
index 3927ba2..ccdd3f0 100755
--- a/overlay/usr/local/bin/flux-audit
+++ b/overlay/usr/local/bin/flux-audit
@@ -2,7 +2,7 @@
 set -eo pipefail
 
 KUSTOMIZE_FLAGS=("--load-restrictor=LoadRestrictionsNone")
-KUSTOMIZE_CONFIG="kustomization.yaml"
+KUSTOMIZE_CONFIG="**/overlays/**/kustomization.yaml"
 
 FLUX_PATH="${1:-.}"
 POLARIS_EXCLUDE_PATHS=(
--
2.24.4

From af701c3a1b8f971d434d63219e1a9551c7ec26ff Mon Sep 17 00:00:00 2001
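Review bot: The `if [[ ${PIPESTATUS[0]} != 0 ]]` guard at the bottom of the loop never fires, because `PIPESTATUS` is rewritten by the `echo` that runs between the `kustomize build | polaris audit` pipeline and the test, so it always reads echo's 0. With `set -eo pipefail` a failing build or a non-zero polaris exit already aborts the loop subshell and, via pipefail on the outer `find | while`, the script, so the guard is dead rather than harmful; either drop it or capture the status on the line directly after the pipeline, `status=${PIPESTATUS[0]}`, and test that. `--load-restrictor=LoadRestrictionsNone` switches off kustomize's directory sandbox so any kustomization under FLUX_PATH can pull in files from anywhere on disk, which matters if this ever audits untrusted branches; a why-comment such as `# LoadRestrictionsNone: overlays reference bases outside their own directory — TODO confirm this is still required` would record the trade-off. `-name $KUSTOMIZE_CONFIG` should also be quoted.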
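Review bot: Changing `KUSTOMIZE_CONFIG` to `**/overlays/**/kustomization.yaml` while the loop still runs `find ... -name $KUSTOMIZE_CONFIG` makes the audit silently find nothing: `-name` matches the basename only, which can never contain `/`, and since the expansion is unquoted the shell may glob it first and hand `find` a list of paths instead of a pattern. Either way the script prints its banner and exits 0 without auditing a single overlay, which is the worst failure mode for a security gate; the suffix strip `${file/%$KUSTOMIZE_CONFIG/}` stops working for the same reason. Patch 3/4 of this series moves to `-iwholename "$KUSTOMIZE_CONFIG"` plus a basename strip, which addresses the matching; a guard that fails the run when no kustomization was found, e.g. a counter checked after the loop, would keep the gate honest against future regressions of this kind.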
From: Robert Kaussow
Date: Sun, 25 Jun 2023 16:26:54 +0200
Subject: [PATCH 3/4] add excludes

---
 Dockerfile | 2 +-
 overlay/usr/local/bin/flux-audit | 20 +++++++++++++-------
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 00dc4c6..c3e50f4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -27,7 +27,7 @@ ENV KUBECONFORM_VERSION="${KUBECONFORM_VERSION:-v0.6.2}"
 # renovate: datasource=github-releases depName=FairwindsOps/polaris
 ENV POLARIS_VERSION="${POLARIS_VERSION:-8.2.3}"
 
-RUN apk --update add curl tar bash python3 py3-yaml && \
+RUN apk --update add curl tar bash python3 py3-yaml findutils && \
     curl -SsfL -o /usr/local/bin/kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
     curl -SsfL -o /usr/local/bin/kubectl-convert "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl-convert" && \
     curl -SsfL -o /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" && \
diff --git a/overlay/usr/local/bin/flux-audit b/overlay/usr/local/bin/flux-audit
index ccdd3f0..c8664b9 100755
--- a/overlay/usr/local/bin/flux-audit
+++ b/overlay/usr/local/bin/flux-audit
@@ -5,9 +5,11 @@ KUSTOMIZE_FLAGS=("--load-restrictor=LoadRestrictionsNone")
 KUSTOMIZE_CONFIG="**/overlays/**/kustomization.yaml"
 
 FLUX_PATH="${1:-.}"
-POLARIS_EXCLUDE_PATHS=(
-  "flux/clusters/cloud-infra/flux-system/"
-)
+
+# shellcheck disable=SC2128
+IFS=', ' read -r -a POLARIS_EXCLUDE_PATHS <<<"$POLARIS_EXCLUDE_PATHS"
+
+echo "${POLARIS_EXCLUDE_PATHS[@]}"
 
 if [ -z "$POLARIS_CONFIG" ]; then
   POLARIS_CONFIG=(
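Review bot: The bare `echo "${POLARIS_EXCLUDE_PATHS[@]}"` reads like leftover debug output: it is the only message without the `INFO -` prefix and prints an empty line whenever the variable is unset. The bigger change is that the hard-coded default exclude `flux/clusters/cloud-infra/flux-system/` is gone, so unless every caller now sets `POLARIS_EXCLUDE_PATHS` that path is audited and can fail the score threshold, and the format the variable must have — comma or space separated, compared verbatim against the path `find` prints, trailing slash included — is not written down anywhere in the hunk. Suggest `printf "INFO - Excluding kustomizations: %s\n" "${POLARIS_EXCLUDE_PATHS[*]}"` in place of the echo, plus a header comment such as `# POLARIS_EXCLUDE_PATHS: comma/space-separated kustomization dirs to skip, matched verbatim against the path find prints (trailing slash included)`. The `for EXCLUDE` loop that consumes this list lives outside the hunk.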
@@ -23,15 +25,19 @@ else
 fi
 
 printf "\nINFO - Auditing kustomize overlays\n"
-find "${FLUX_PATH%/}" -type f -name $KUSTOMIZE_CONFIG -print0 | while IFS= read -r -d $'\0' file; do
-  printf "INFO - Auditing kustomization %s\n" "${file/%$KUSTOMIZE_CONFIG/}"
+find "${FLUX_PATH%/}" -type f -iwholename "$KUSTOMIZE_CONFIG" -print0 | while IFS= read -r -d $'\0' file; do
+  KUSTOMIZE_BASENAME=$(basename "$KUSTOMIZE_CONFIG")
+  KUSTOMIZE_BUILD="${file/%$KUSTOMIZE_BASENAME/}"
+
   for EXCLUDE in "${POLARIS_EXCLUDE_PATHS[@]}"; do
-    if [ "$EXCLUDE" == "${file/%$KUSTOMIZE_CONFIG/}" ]; then
+    if [ "$EXCLUDE" == "$KUSTOMIZE_BUILD" ]; then
+      printf "INFO - Skipping kustomization %s\n" "$KUSTOMIZE_BUILD"
       continue 2
     fi
   done
 
-  kustomize build "${file/%$KUSTOMIZE_CONFIG/}" "${KUSTOMIZE_FLAGS[@]}" |
+  printf "INFO - Auditing kustomization %s\n" "$KUSTOMIZE_BUILD"
+  kustomize build "$KUSTOMIZE_BUILD" "${KUSTOMIZE_FLAGS[@]}" |
     polaris audit "${POLARIS_CONFIG[@]}"
   echo
   if [[ ${PIPESTATUS[0]} != 0 ]]; then
--
2.24.4

From b67f51139c6979db2e8b9e293a5e1429fbe5595e Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Sun, 9 Jul 2023 14:08:36 +0200
Subject: [PATCH 4/4] add flux-local to build clusters for better audit results with polaris

---
 Dockerfile | 5 ++++-
 overlay/usr/local/bin/flux-audit | 35 ++++++++++++-----------------
 overlay/usr/local/bin/flux-validate | 2 +-
 3 files changed, 19 insertions(+), 23 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index c3e50f4..14a8d9d 100644
--- a/Dockerfile
+++ b/Dockerfile
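Review bot: `KUSTOMIZE_BASENAME=$(basename "$KUSTOMIZE_CONFIG")` is loop-invariant yet forks a `basename` process for every kustomization found; compute it once before the `find` line, or use the parameter expansion `KUSTOMIZE_BASENAME="${KUSTOMIZE_CONFIG##*/}"`, which needs no fork at all. The exclude test `[ "$EXCLUDE" == "$KUSTOMIZE_BUILD" ]` compares verbatim against what `find` prints, so an entry only matches if it carries the same `${FLUX_PATH%/}/` prefix and trailing slash as the found path; normalising both sides (`"${EXCLUDE%/}"` against `"${KUSTOMIZE_BUILD%/}"`) or documenting the required form would stop excludes from silently not applying, which currently just means the overlay is audited after all. The `if [[ ${PIPESTATUS[0]} != 0 ]]` kept as context at the end of the hunk still runs after `echo`, so it tests echo's status rather than the pipeline's and can never trigger.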
@@ -26,8 +26,11 @@ ENV KUSTOMIZE_VERSION="${KUSTOMIZE_VERSION:-v5.1.0}"
 ENV KUBECONFORM_VERSION="${KUBECONFORM_VERSION:-v0.6.2}"
 # renovate: datasource=github-releases depName=FairwindsOps/polaris
 ENV POLARIS_VERSION="${POLARIS_VERSION:-8.2.3}"
+# renovate: datasource=pypi depName=flux-local
+ENV FLUX_LOCAL_VERSION="${FLUX_LOCAL_VERSION:-3.0.0}"
 
-RUN apk --update add curl tar bash python3 py3-yaml findutils && \
+RUN apk --update add curl tar bash python3 py3-yaml py3-pip findutils git && \
+    pip install -qq --no-cache-dir flux-local=="$FLUX_LOCAL_VERSION" && \
     curl -SsfL -o /usr/local/bin/kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
     curl -SsfL -o /usr/local/bin/kubectl-convert "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl-convert" && \
     curl -SsfL -o /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" && \
diff --git a/overlay/usr/local/bin/flux-audit b/overlay/usr/local/bin/flux-audit
index c8664b9..dc6975f 100755
--- a/overlay/usr/local/bin/flux-audit
+++ b/overlay/usr/local/bin/flux-audit
@@ -1,16 +1,8 @@
 #!/usr/bin/env bash
 set -eo pipefail
 
-KUSTOMIZE_FLAGS=("--load-restrictor=LoadRestrictionsNone")
-KUSTOMIZE_CONFIG="**/overlays/**/kustomization.yaml"
-
 FLUX_PATH="${1:-.}"
 
-# shellcheck disable=SC2128
-IFS=', ' read -r -a POLARIS_EXCLUDE_PATHS <<<"$POLARIS_EXCLUDE_PATHS"
-
-echo "${POLARIS_EXCLUDE_PATHS[@]}"
-
 if [ -z "$POLARIS_CONFIG" ]; then
   POLARIS_CONFIG=(
     "--format=pretty"
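Review bot: `pip install -qq --no-cache-dir flux-local=="$FLUX_LOCAL_VERSION"` pins only flux-local itself; every transitive dependency resolves to whatever PyPI serves at build time and nothing is hash-verified, so the image is neither reproducible nor protected against a hijacked or typosquatted dependency being installed silently. Freeze the full set with hashes (`pip-compile --generate-hashes` or equivalent) and install it with `COPY requirements.txt /tmp/requirements.txt` followed by `pip install -qq --no-cache-dir --require-hashes -r /tmp/requirements.txt`, keeping the renovate marker on the lock file instead of the ENV. The install also writes into the system interpreter as root; if the Alpine python3 in the base image enforces PEP 668 this line will start failing, so a virtualenv or an explicit comment on why the system site-packages is acceptable would be worth adding — confirm against the base image's Python version.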
@@ -24,20 +16,21 @@ else
   IFS=', ' read -r -a POLARIS_CONFIG <<<"$POLARIS_CONFIG"
 fi
 
-printf "\nINFO - Auditing kustomize overlays\n"
-find "${FLUX_PATH%/}" -type f -iwholename "$KUSTOMIZE_CONFIG" -print0 | while IFS= read -r -d $'\0' file; do
-  KUSTOMIZE_BASENAME=$(basename "$KUSTOMIZE_CONFIG")
-  KUSTOMIZE_BUILD="${file/%$KUSTOMIZE_BASENAME/}"
-
-  for EXCLUDE in "${POLARIS_EXCLUDE_PATHS[@]}"; do
-    if [ "$EXCLUDE" == "$KUSTOMIZE_BUILD" ]; then
-      printf "INFO - Skipping kustomization %s\n" "$KUSTOMIZE_BUILD"
-      continue 2
-    fi
-  done
+if [ -z "$FLUX_LOCAL_CONFIG" ]; then
+  FLUX_LOCAL_CONFIG=(
+    "--enable-helm"
+    "--skip-secrets"
+    "--skip-crds"
+  )
+else
+  # shellcheck disable=SC2128
+  IFS=' ' read -r -a FLUX_LOCAL_CONFIG <<<"$FLUX_LOCAL_CONFIG"
+fi
 
-  printf "INFO - Auditing kustomization %s\n" "$KUSTOMIZE_BUILD"
-  kustomize build "$KUSTOMIZE_BUILD" "${KUSTOMIZE_FLAGS[@]}" |
+printf "\nINFO - Auditing clusters\n"
+find "${FLUX_PATH%/}" -mindepth 1 -maxdepth 1 -type d -print0 | while IFS= read -r -d $'\0' cluster; do
+  printf "INFO - Auditing cluster %s\n" "${cluster##*/}"
+  flux-local build "${FLUX_LOCAL_CONFIG[@]}" "${cluster}" |
     polaris audit "${POLARIS_CONFIG[@]}"
   echo
   if [[ ${PIPESTATUS[0]} != 0 ]]; then
diff --git a/overlay/usr/local/bin/flux-validate b/overlay/usr/local/bin/flux-validate
index 4062d9b..9dbface 100755
--- a/overlay/usr/local/bin/flux-validate
+++ b/overlay/usr/local/bin/flux-validate
@@ -46,7 +46,7 @@ if [ -z "$KUBECONFORM_CONFIG" ]; then
   )
 else
   # shellcheck disable=SC2128
-  IFS=', ' read -r -a KUBECONFORM_CONFIG <<<"$KUBECONFORM_CONFIG"
+  IFS=' ' read -r -a KUBECONFORM_CONFIG <<<"$KUBECONFORM_CONFIG"
 fi
 
 printf "\nINFO - Validating clusters\n"
--
2.24.4
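Review bot: The new `IFS=' ' read -r -a FLUX_LOCAL_CONFIG` splits on spaces only, while the `POLARIS_CONFIG` parser two lines above it (visible as context, `IFS=', ' read -r -a POLARIS_CONFIG`) still splits on commas as well, so the two overridable option lists in the same script accept different syntaxes; pick one separator and apply it to both. `find "${FLUX_PATH%/}" -mindepth 1 -maxdepth 1 -type d` treats every immediate subdirectory as a cluster, dot-directories included, so a `.git` or tooling directory under FLUX_PATH would be handed to `flux-local build` and abort the whole run; `-not -name '.*'` on the find line would narrow that. `--enable-helm` renders HelmReleases and, as far as I can tell, fetches charts from their sources at audit time, so the result depends on remote content this script does not pin, and `--skip-secrets` means Secret objects are never seen by polaris; both deserve a comment on the array, e.g. `# --enable-helm pulls charts over the network at audit time; --skip-secrets leaves Secret manifests out of the audit`. The `PIPESTATUS[0]` check at the end of the hunk still runs after `echo` and therefore always reads 0.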
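Review bot: Dropping the comma from `IFS=' '` means a `KUBECONFORM_CONFIG` value such as `--strict,--summary` is no longer split and reaches kubeconform as a single bogus argument, which is a behavioural change for any caller relying on the old separator and is not mentioned in the commit message. A comment on the line, `# space-separated; commas are no longer treated as separators`, or a note in the script's usage text would make the break visible. The `if`/`else` that wraps this line starts before the hunk.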