cmd/violations: update command
General MR
Summary
Update the violations command with additional logging and fix any broken logic.
Relevant logs/screenshots
violations was not detecting Kyverno CRDs. The existing code was searching for a label that was not present in my fresh, unmodified Big Bang cluster.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.12.0
    meta.helm.sh/release-name: kyverno-kyverno
    meta.helm.sh/release-namespace: kyverno
  creationTimestamp: "2024-05-23T20:47:36Z"
  generation: 1
  labels:
    app.kubernetes.io/component: crds
    app.kubernetes.io/instance: kyverno-kyverno
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: kyverno-kyverno-crds
    app.kubernetes.io/version: 3.1.4
    helm.sh/chart: crds-3.1.4
    helm.toolkit.fluxcd.io/name: kyverno
    helm.toolkit.fluxcd.io/namespace: bigbang
  name: clusterpolicies.kyverno.io
Also added debug logging to the violations command to detect the existence of Gatekeeper and Kyverno and report which it notices.
Example:
danieldides@BPH-MAC14 ~/P/b/p/bbctl (dd/violations)> bbctl violations --audit
time=2024-06-06T16:17:05.282-05:00 level=DEBUG msg="Logger setup complete"
time=2024-06-06T16:17:05.282-05:00 level=DEBUG msg="Command line settings: {...}"
time=2024-06-06T16:17:06.249-05:00 level=DEBUG msg="Gatekeeper exists in cluster. Checking for Gatekeeper violations."
k8spspseccomp.constraints.gatekeeper.sh
Time: 2024-06-06T21:16:55Z, Resource: tempo-tempo-0, Kind: Pod, Namespace: tempo
Seccomp profile 'not configured' is not allowed for container 'tempo-query'. Found at: no explicit profile found. Allowed profiles: {"RuntimeDefault", "runtime/default"}
Time: 2024-06-06T21:16:55Z, Resource: tempo-tempo-0, Kind: Pod, Namespace: tempo
Seccomp profile 'not configured' is not allowed for container 'tempo'. Found at: no explicit profile found. Allowed profiles: {"RuntimeDefault", "runtime/default"}
Time: 2024-06-06T21:16:55Z, Resource: tempo-tempo-0, Kind: Pod, Namespace: tempo
Seccomp profile 'not configured' is not allowed for container 'istio-proxy'. Found at: no explicit profile found. Allowed profiles: {"RuntimeDefault", "runtime/default"}
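To make the label problem concrete, here is an added example in Go (bbctl's language) that is not code from this MR or from bbctl. It runs two detection strategies over the CRD metadata quoted above: a label lookup, which misses the Helm-installed Kyverno CRD, and a check on the CRD API group, which does not depend on how the chart was packaged. It assumes a hypothetical crdMeta struct in place of client-go's CRD object, uses app.kubernetes.io/name as an assumed example of a label the CRD lacks (the MR does not say which label the old code searched for), and leaves the Gatekeeper constraint CRD's labels empty because the MR does not show them.

```go
package main

import (
	"fmt"
	"strings"
)

// crdMeta is a minimal stand-in for the metadata of an apiextensions.k8s.io/v1
// CustomResourceDefinition. It is a hypothetical type for this example; bbctl's
// real code reads CRDs through client-go, not this struct.
type crdMeta struct {
	Name   string            // e.g. "clusterpolicies.kyverno.io"
	Labels map[string]string // metadata.labels as installed
}

// groupOf extracts the API group from a CRD name, which is always
// "<plural>.<group>": "clusterpolicies.kyverno.io" -> "kyverno.io".
func groupOf(crdName string) string {
	if i := strings.IndexByte(crdName, '.'); i >= 0 {
		return crdName[i+1:]
	}
	return ""
}

// detectByLabel reports whether any CRD carries the label key=value.
// A check like this is fragile: which labels a CRD carries depends on how the
// chart was rendered, so a fresh Helm/Flux install can legitimately lack the
// label the code expects. The key "app.kubernetes.io/name" used by the caller
// below is an assumed example, not the label the old bbctl code looked for.
func detectByLabel(crds []crdMeta, key, value string) bool {
	for _, c := range crds {
		if c.Labels[key] == value {
			return true
		}
	}
	return false
}

// detectEngines decides which policy engines are installed from the CRD API
// groups, which are fixed by the projects themselves rather than by packaging:
// Kyverno's policy types live in kyverno.io (plus *.kyverno.io sub-groups), and
// Gatekeeper registers ConstraintTemplate in templates.gatekeeper.sh and
// generates one CRD per template in constraints.gatekeeper.sh.
func detectEngines(crds []crdMeta) (kyverno, gatekeeper bool) {
	for _, c := range crds {
		g := groupOf(c.Name)
		switch {
		case g == "kyverno.io" || strings.HasSuffix(g, ".kyverno.io"):
			kyverno = true
		case g == "templates.gatekeeper.sh" || g == "constraints.gatekeeper.sh":
			gatekeeper = true
		}
	}
	return kyverno, gatekeeper
}

// sampleCRDs is constructed input: the Kyverno CRD labels quoted in this MR and
// a Gatekeeper constraint CRD named like the one in the audit output above.
var sampleCRDs = []crdMeta{
	{
		Name: "clusterpolicies.kyverno.io",
		Labels: map[string]string{
			"app.kubernetes.io/component":      "crds",
			"app.kubernetes.io/instance":       "kyverno-kyverno",
			"app.kubernetes.io/managed-by":     "Helm",
			"app.kubernetes.io/part-of":        "kyverno-kyverno-crds",
			"app.kubernetes.io/version":        "3.1.4",
			"helm.sh/chart":                    "crds-3.1.4",
			"helm.toolkit.fluxcd.io/name":      "kyverno",
			"helm.toolkit.fluxcd.io/namespace": "bigbang",
		},
	},
	{
		// Labels on generated constraint CRDs are not shown in the MR; left empty.
		Name:   "k8spspseccomp.constraints.gatekeeper.sh",
		Labels: map[string]string{},
	},
}

func main() {
	// Label-based check: reports false even though Kyverno is installed.
	fmt.Printf("label check app.kubernetes.io/name=kyverno: %v\n",
		detectByLabel(sampleCRDs, "app.kubernetes.io/name", "kyverno"))

	// Group-based check: finds both engines and reports them the way the
	// updated command's debug logging does.
	kyverno, gatekeeper := detectEngines(sampleCRDs)
	if gatekeeper {
		fmt.Println("Gatekeeper exists in cluster. Checking for Gatekeeper violations.")
	}
	if kyverno {
		fmt.Println("Kyverno exists in cluster. Checking for Kyverno violations.")
	}
	if !kyverno && !gatekeeper {
		fmt.Println("No policy engine CRDs found.")
	}
}
```

Running it prints the label check as false and then the two "exists in cluster" lines. Against a real cluster the CRD list would come from an apiextensions clientset, but the group check stays valid when Kyverno or Gatekeeper is installed by something other than the Big Bang Helm chart, which is the property a label check cannot give.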
Linked Issue
Closes #59
Upgrade Notices
N/A
Edited by Daniel Dides