From 32e7a6664732c9dbc7937d75f8d396e473a6d639 Mon Sep 17 00:00:00 2001 From: chenk Date: Wed, 20 Dec 2023 13:16:12 +0200 Subject: [PATCH] fix: kubelet checks via config resource (#88) * fix: kubelet checks via config resource Signed-off-by: chenk * fix: kubelet checks via config resource Signed-off-by: chenk * fix: kubelet checks via config resource Signed-off-by: chenk * fix: kubelet checks via config resource Signed-off-by: chenk * fix: kubelet checks via config resource Signed-off-by: chenk * fix: kubelet checks via config resource Signed-off-by: chenk * fix: kubelet checks via config resource Signed-off-by: chenk --------- Signed-off-by: chenk --- go.mod | 2 +- go.sum | 10 ++++ job.yaml | 104 +++++++++++++++++++++++++++------------ pkg/collector/cluster.go | 11 +++-- pkg/collector/collect.go | 8 ++- 5 files changed, 98 insertions(+), 37 deletions(-) diff --git a/go.mod b/go.mod index ab6eb56..e39f9cb 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/aquasecurity/k8s-node-collector -go 1.19 +go 1.21 require ( github.com/olekukonko/tablewriter v0.0.5 diff --git a/go.sum b/go.sum index 3ab77c4..8ab9d36 100644 --- a/go.sum +++ b/go.sum @@ -10,6 +10,7 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= +github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -30,6 +31,7 @@ github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En
 github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g=
 github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@@ -59,10 +61,12 @@ github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
+github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
@@ -81,6 +85,7 @@ github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -105,7 +110,9 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8m
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
 github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4=
+github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
 github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg=
+github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
 github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -114,8 +121,10 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
+github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
 github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
@@ -195,6 +204,7 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.12.0 h1:YW6HUoUmYBpwSgyaGaZq1fHjrBjX1rlpZ54T6mu2kss=
+golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/job.yaml b/job.yaml
index 49ac09c..cdd257c 100644
--- a/job.yaml
+++ b/job.yaml
@@ -1,3 +1,41 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: node-collector
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/proxy
+ verbs:
+ - get
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: node-collector
+ labels:
+ app.kubernetes.io/managed-by: kubectl
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: node-collector
+ labels:
+ app.kubernetes.io/version: 0.17.1
+ app.kubernetes.io/managed-by: kubectl
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: node-collector
+subjects:
+ - kind: ServiceAccount
+ name: node-collector
+ namespace: default
+
 ---
 apiVersion: batch/v1
 kind: Job
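Review bot: The ClusterRoleBinding subject pins `namespace: default` while neither the ServiceAccount nor the Job carries a `metadata.namespace`, so applying this manifest into any other namespace (`kubectl apply -n …`) creates a ServiceAccount there that the binding never matches, and the in-cluster client then runs without the `nodes/proxy` permission. Add `namespace: default` to the ServiceAccount (and Job) metadata, or state the single-namespace assumption next to the subject. `get` on `nodes/proxy` is also the broadest grant in the file — it lets this ServiceAccount issue GET requests through the apiserver to the kubelet of every node, not only the config endpoint the collector presumably reads — so the rule deserves a comment such as `# nodes/proxy get: read-only kubelet API access through the apiserver proxy, needed for the kubelet config checks; delete together with the Job`. The `app.kubernetes.io/version: 0.17.1` label does not match the `0.1.1` image tag in the next hunk and looks copied from elsewhere.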
@@ -9,12 +47,31 @@ spec:
 labels:
 app: node-collector
 spec:
+ dnsPolicy: ClusterFirst
 hostPID: true
+ automountServiceAccountToken: true
+ serviceAccountName: node-collector
 containers:
 - name: node-collector
- image: ghcr.io/aquasecurity/node-collector:0.0.9
- command: ["node-collector"]
- args: ["k8s", "--node", "minikube"]
+ image: ghcr.io/aquasecurity/node-collector:0.1.1
+ command:
+ - node-collector
+ args:
+ - k8s
+ resources:
+ limits:
+ cpu: 100m
+ memory: 100M
+ requests:
+ cpu: 50m
+ memory: 50M
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ privileged: false
+ readOnlyRootFilesystem: true
 volumeMounts:
 - name: var-lib-etcd
 mountPath: /var/lib/etcd
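Review bot: `drop: - all` should use the upper-case `ALL`: that is the literal the Pod Security admission `restricted` profile checks for, and runtimes are not guaranteed to case-fold the special value, so as written the container may keep its default capability set while reading as hardened — `drop: ["ALL"]`. The rest of the container securityContext (`allowPrivilegeEscalation: false`, `privileged: false`, `readOnlyRootFilesystem: true`) is consistent with that intent. `automountServiceAccountToken: true` together with `serviceAccountName` is what the switch to `rest.InClusterConfig()` in pkg/collector/cluster.go depends on; a comment saying so would stop the token mount from being removed in a later hardening pass.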
@@ -34,55 +91,40 @@ spec:
 - name: lib-systemd
 mountPath: /lib/systemd/
 readOnly: true
- - name: srv-kubernetes
- mountPath: /srv/kubernetes/
- readOnly: true
 - name: etc-kubernetes
 mountPath: /etc/kubernetes
 readOnly: true
- # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
- # You can omit this mount if you specify --version as part of the command.
- - name: usr-bin
- mountPath: /usr/local/mount-from-host/bin
- readOnly: true
 - name: etc-cni-netd
 mountPath: /etc/cni/net.d/
 readOnly: true
- - name: opt-cni-bin
- mountPath: /opt/cni/bin/
- readOnly: true
 restartPolicy: Never
+ securityContext:
+ runAsGroup: 0
+ runAsUser: 0
+ seccompProfile:
+ type: RuntimeDefault
 volumes:
 - name: var-lib-etcd
 hostPath:
- path: "/var/lib/etcd"
+ path: /var/lib/etcd
 - name: var-lib-kubelet
 hostPath:
- path: "/var/lib/kubelet"
+ path: /var/lib/kubelet
 - name: var-lib-kube-scheduler
 hostPath:
- path: "/var/lib/kube-scheduler"
+ path: /var/lib/kube-scheduler
 - name: var-lib-kube-controller-manager
 hostPath:
- path: "/var/lib/kube-controller-manager"
+ path: /var/lib/kube-controller-manager
 - name: etc-systemd
 hostPath:
- path: "/etc/systemd"
+ path: /etc/systemd
 - name: lib-systemd
 hostPath:
- path: "/lib/systemd"
- - name: srv-kubernetes
- hostPath:
- path: "/srv/kubernetes"
+ path: /lib/systemd
 - name: etc-kubernetes
 hostPath:
- path: "/etc/kubernetes"
- - name: usr-bin
- hostPath:
- path: "/usr/bin"
+ path: /etc/kubernetes
 - name: etc-cni-netd
 hostPath:
- path: "/etc/cni/net.d/"
- - name: opt-cni-bin
- hostPath:
- path: "/opt/cni/bin/"
+ path: /etc/cni/net.d/
diff --git a/pkg/collector/cluster.go b/pkg/collector/cluster.go
index 9d53dba..a7fd080 100644
--- a/pkg/collector/cluster.go
+++ b/pkg/collector/cluster.go
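Review bot: The new pod-level securityContext makes the collector run as uid/gid 0 explicitly, and together with the retained `hostPID: true` and the hostPath volumes this is the most sensitive setting in the manifest, yet nothing records why. A comment such as `# root is needed to read root-owned host config (/etc/kubernetes, /var/lib/kubelet, …); every hostPath mount must stay readOnly: true` would capture both the reason and the compensating control. The lib-systemd, etc-kubernetes and etc-cni-netd mounts visible in this hunk carry `readOnly: true`; the var-lib-* mounts sit outside the hunk and should be checked for the same flag before this merges.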
@@ -37,19 +37,22 @@ func GetCluster() (*Cluster, error) {
 cf := genericclioptions.NewConfigFlags(true)
 rest.SetDefaultWarningHandler(rest.NoWarnings{})
 clientConfig := cf.ToRawKubeConfigLoader()
- rc, err := clientConfig.ClientConfig()
+ restMapper, err := cf.ToRESTMapper()
 if err != nil {
 return nil, err
 }
- restMapper, err := cf.ToRESTMapper()
+ // creates the in-cluster config
+ config, err := rest.InClusterConfig()
 if err != nil {
 return nil, err
 }
- clientset, err := kubernetes.NewForConfig(rc)
+ // creates the clientset
+ clientset, err := kubernetes.NewForConfig(config)
 if err != nil {
 return nil, err
 }
- k8sDynamicClient, err := dynamic.NewForConfig(rc)
+
+ k8sDynamicClient, err := dynamic.NewForConfig(config)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/collector/collect.go b/pkg/collector/collect.go
index 02ab241..afdf619 100644
--- a/pkg/collector/collect.go
+++ b/pkg/collector/collect.go
@@ -126,14 +126,20 @@ func getValuesFromkubeletConfig(ctx context.Context, nodeName string, cluster Cl
 values := nodeConfig["kubeletconfig"]
 for k, v := range configMapper {
 p := values
+ var found bool
 splittedValues := StringToArray(v, ".")
 for _, sv := range splittedValues {
 next := p.(map[string]interface{})
 if k, ok := next[sv.(string)]; ok {
+ found = true
 p = k
+ } else {
+ found = false
 }
 }
- overrideConfig[k] = &Info{Values: []interface{}{p}}
+ if found {
+ overrideConfig[k] = &Info{Values: []interface{}{p}}
+ }
 }
 return overrideConfig, nil
 }
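Review bot: `rest.InClusterConfig()` replaces the kubeconfig-based `clientConfig.ClientConfig()` with no fallback, so GetCluster now only works inside a pod with a mounted ServiceAccount token and fails outright when the binary is run from a workstation against a kubeconfig. The `clientConfig := cf.ToRawKubeConfigLoader()` context line still builds that loader; unless it is used further down GetCluster (the function continues past the hunk) it is now dead. I would try the in-cluster config first and fall back only on `rest.ErrNotInCluster`, so a broken token mount inside the cluster still surfaces as an error instead of silently switching to whatever kubeconfig is reachable; this needs the standard-library `errors` package in the import block. The `// creates the in-cluster config` and `// creates the clientset` comments restate the call on the next line and could carry that reasoning instead.
```go
	// … unchanged: restMapper, err := cf.ToRESTMapper() and its error check …
	// Prefer the in-cluster config (the Job runs under the node-collector
	// ServiceAccount); outside a cluster fall back to the kubeconfig loader
	// built above so local runs keep working. Any other in-cluster error is
	// reported rather than masked by the fallback.
	config, err := rest.InClusterConfig()
	if errors.Is(err, rest.ErrNotInCluster) {
		config, err = clientConfig.ClientConfig()
	}
	if err != nil {
		return nil, err
	}
	// … unchanged: clientset and k8sDynamicClient construction …
```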
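Review bot: The `found` flag is reset in the new `else` branch but the loop keeps walking, so after a miss on one segment the remaining segments are looked up in the same map; if a later segment happens to exist at that level, `found` flips back to true and `p` holds a value from the wrong depth, which is then recorded as the kubelet setting for `k` — for a compliance check that is a false reading rather than a missing one. A `break` on the miss fixes it, and while touching the loop the unchecked `p.(map[string]interface{})` assertion on the context line above (it panics when an intermediate value is a scalar or list) can become a comma-ok check that also ends the walk. The inner `k, ok := next[...]` additionally shadows the outer loop's `k`, which makes the `overrideConfig[k]` write easy to misread. getValuesFromkubeletConfig starts before the hunk.
```go
		for _, sv := range splittedValues {
			next, ok := p.(map[string]interface{})
			if !ok {
				// an intermediate value is not a map: the path does not exist
				found = false
				break
			}
			child, ok := next[sv.(string)]
			if !ok {
				found = false
				break
			}
			found = true
			p = child
		}
		// … unchanged: if found { overrideConfig[k] = … } …
```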