add custom rules and refactoring #102

Open
leonharetd opened this issue Dec 19, 2021 · 8 comments

Comments

@leonharetd
Contributor

User Story

As a user using kubeeye in a production environment, we not only use OPA rule validation, we also use

  1. check node SSH connection
  2. Kubernetes certexpire
  3. check component startup configuration consistency, such as the kubelet command line parameter --root-dir.

and so on.
While meeting the above, we also hope to extend it out of tree.

Detailed Description

Based on the above points, we extend kubeeye and refactor the code.

Feature Description

We have added the following features

custom command

Expand kubeeye's command line

Embed Rules

Embedded rules, package the rules into kubeeye for easy use

  • OPA rules
  • Function rules

Function check rules provide more customized rule checks. For example, by using a shell and calling a third-party interface, you can wrap the function and return the output in the agreed format, so that it can be displayed uniformly in the report.

Why
custom command

On the one hand, kubeeye can be programmed into subcommands of other command-line tools. On the other hand, other command-line tools can also become kubeeye tools.

Embed Rules

Checklists differ between environments and businesses, but they have something in common. If they are maintained only through an external directory, it leads to redundancy of the checklist. Therefore, we can package it as a whole and later control the start and stop of the business checklist through a configuration file, such as:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: kubeeye-<xxxx>-rules
  namespace: kube-system
data:
  version: "v1"
  regorules: |
    enable:
      - name: allowPrivilegeEscalationRule
      - name: canImpersonateUserRoleRule
    disable:
      - name: "*"
  funcrules: |
    enable:
      - name: nodeSSHConnection
    disable:
      - name: xxxxStatus
```

The configuration file feature is still in progress.

How
custom command

A kubeeye command is defined using the builder pattern. You can assemble it with any command, regorule and funcrule; finally, a cobra command line is returned.

Embed Rules
  • The OPA rule uses go1.16 embed, which can package files into the compiled code. Whether default rules or additional rules, you must use a variable to package OPA rules.
  • Function rules are much simpler: because they are Go code themselves, they can be packaged and compiled directly through import.

Refactor Description

In order to better add new features, we have adjusted the code structure.

  • Added directory funcrules, regorules, register

    Funcrules: Storing default function rules

    Regorules: Storing default regorules rules

    Register: rules register

  • Use Go channels in fan-in mode to connect the pipeline in series; the main entrance is audit.Run

  • Use fs.FS to abstract local-file and embedded-file operations

  • Simplified the output function

  • Some channels have been merged

Anything else you would like to add:

https://github.com/leonharetd/kubeeye is the refactored kubeeye code
https://github.com/leonharetd/kubeeye_sample is a kubeeye sample
These are some of my practices. Welcome to communicate. Thank you very much 🙏.
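The post describes three pieces that fit together: function rules compiled in as Go code, OPA rules loaded through an fs.FS (so embedded and out-of-tree rule directories go through the same loader), and a fan-in channel pipeline that collects results. The following is an added example illustrating that design; it is not code from the kubeeye repository or the forks linked above. The Result shape, the rule registry, the rule names and the rego contents are constructed for the example, fstest.MapFS stands in for a real embed.FS so that it compiles without files on disk, and the cobra builder is left out because it needs a third-party module.

```go
package main

import (
	"fmt"
	"io/fs"
	"path"
	"sort"
	"sync"
	"testing/fstest"
)

// Result is the agreed output shape every rule returns (field names assumed).
type Result struct {
	Rule    string
	Passed  bool
	Message string
}

// FuncRule is plain Go code compiled in through import; nothing is read at run time.
type FuncRule struct {
	Name  string
	Check func() Result
}

// registry plays the role of the "register" directory; the checks are constructed stand-ins.
var registry = []FuncRule{
	{"nodeSSHConnection", func() Result { return Result{"nodeSSHConnection", true, "all nodes reachable (constructed)"} }},
	{"certExpire", func() Result { return Result{"certExpire", false, "apiserver.crt expires in 12 days (constructed)"} }},
}

// EnabledRules applies an enable list like the ConfigMap sketch: "*" selects every rule.
func EnabledRules(enable []string) []FuncRule {
	want := map[string]bool{}
	for _, n := range enable { want[n] = true }
	var out []FuncRule
	for _, r := range registry {
		if want["*"] || want[r.Name] {
			out = append(out, r)
		}
	}
	return out
}

// LoadRegoRules collects every .rego file reachable through an fs.FS. It only sees the
// interface, so an embed.FS of bundled rules and an os.DirFS of out-of-tree rules load the same way.
func LoadRegoRules(fsys fs.FS) (map[string]string, error) {
	rules := map[string]string{}
	err := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || path.Ext(p) != ".rego" {
			return err // nil for directories and non-rule files
		}
		src, err := fs.ReadFile(fsys, p)
		if err == nil {
			rules[p] = string(src)
		}
		return err
	})
	return rules, err
}

// RunFuncRules runs each rule in its own goroutine and fans the results into one channel.
func RunFuncRules(rules []FuncRule) <-chan Result {
	out := make(chan Result)
	var wg sync.WaitGroup
	for _, r := range rules {
		wg.Add(1)
		go func(r FuncRule) {
			defer wg.Done()
			out <- r.Check()
		}(r)
	}
	go func() { wg.Wait(); close(out) }() // close once every rule has reported
	return out
}

// Collect drains the fan-in channel and sorts by rule name for a stable report.
func Collect(results <-chan Result) []Result {
	var all []Result
	for r := range results {
		all = append(all, r)
	}
	sort.Slice(all, func(i, j int) bool { return all[i].Rule < all[j].Rule })
	return all
}

// EmbeddedRules stands in for an embed.FS of bundled OPA rules (bodies are placeholders).
var EmbeddedRules = fstest.MapFS{
	"allowPrivilegeEscalationRule.rego": &fstest.MapFile{Data: []byte("package kubeeye\n# constructed placeholder\n")},
	"canImpersonateUserRoleRule.rego":   &fstest.MapFile{Data: []byte("package kubeeye\n# constructed placeholder\n")},
	"README.md":                         &fstest.MapFile{Data: []byte("not a rule\n")},
}

func main() {
	rego, _ := LoadRegoRules(EmbeddedRules)
	fmt.Printf("loaded %d embedded OPA rules\n", len(rego))
	for _, r := range Collect(RunFuncRules(EnabledRules([]string{"*"}))) {
		fmt.Printf("%-18s passed=%-5v %s\n", r.Rule, r.Passed, r.Message)
	}
}
```

Swapping EmbeddedRules for os.DirFS("/path/to/rules") is the only change needed to load an out-of-tree directory, which is the point of going through fs.FS. Sorting in Collect matters because fan-in delivers results in whatever order the goroutines finish; without it the report order would change between runs.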

@FeynmanZhou
Member

Looking good to me. Hi @pixiake @ruiyaoOps , please help to give feedback on this user story and extension.

@ruiyaoOps

Yes, custom rules are a good idea, and we will verify as soon as possible.
And it is necessary to check the environment, whether k8s or Docker or kernel settings, and we will implement it later.
About managing checklist files through a ConfigMap, I don't think so. After the audit, we should reduce the residue on k8s. It may not be the best way now, but we will keep trying to find it.

@leonharetd
Contributor Author

👌, a ConfigMap is not necessary, but I want to have a configuration to control the checklist, or provide a checklist command, such as kubeeye checklist, and then the subcommands kubeeye checklist disable / enable?

@ruiyaoOps

We plan to use the UI to implement the function of the management rules and display the results, but it has not yet been implemented.

@leonharetd
Contributor Author

Good, there is no checklist config in this version. What else can I do? I'm glad to help.

@ruiyaoOps

Need to wait until January; it's busy now.

@ruiyaoOps

Hello @leonharetd,
I reviewed the code, and thanks for your help and support in optimizing the code structure. It was one of the tasks; I will incorporate it into the code as appropriate.
Regarding the check of the expiration time of the certification file, in the code I marked that it will be recorded, because the current check method is wrong, and I will rewrite it next.
About cobra, I found that you have rewritten cmd. Can you tell me why we should do this?

@pixiake
Collaborator

pixiake commented Dec 25, 2021

I think it is a good way to improve the flexibility of KubeEye. I think you can submit a PR.
