From 70446dc8744384a4dc97bd8c8ed23431c3c8ded9 Mon Sep 17 00:00:00 2001 From: georgibaltiev Date: Mon, 23 Dec 2024 11:53:20 +0200 Subject: [PATCH 01/26] Add supported versions metadata for each ruleset instance --- pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go | 5 ++++- pkg/provider/gardener/ruleset/disak8sstig/ruleset.go | 5 ++++- pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go | 5 ++++- .../managedk8s/ruleset/securityhardenedk8s/ruleset.go | 5 ++++- pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go | 5 ++++- 5 files changed, 20 insertions(+), 5 deletions(-) diff --git a/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go b/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go index 07725d2e0..8955add3c 100644 --- a/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go +++ b/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go @@ -23,7 +23,10 @@ const ( RulesetID = "security-hardened-shoot-cluster" ) -var _ ruleset.Ruleset = &Ruleset{} +var ( + _ ruleset.Ruleset = &Ruleset{} + SupportedVersions = []string{"v0.1.0"} +) // Ruleset implements Security Hardened Shoot Cluster. type Ruleset struct { diff --git a/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go b/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go index 017dc2274..ba7230797 100644 --- a/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go @@ -25,7 +25,10 @@ const ( RulesetID = "disa-kubernetes-stig" ) -var _ ruleset.Ruleset = &Ruleset{} +var ( + _ ruleset.Ruleset = &Ruleset{} + SupportedVersions = []string{"v2r1", "v1r11"} +) // Ruleset implements DISA Kubernetes STIG. type Ruleset struct { diff --git a/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go b/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go index 7edff6e77..fd4609092 100644 --- a/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go 
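Review bot: `SupportedVersions` is an exported package-level `var` slice, so any importer can reassign it or overwrite its elements, and the builder accessors added in the next patch of this series return the very same slice to callers; if it is meant to be read-only metadata, keep it unexported behind an accessor that returns a copy, or at least say so in its doc comment. The order `"v2r1", "v1r11"` appears to put the newest release first; if consumers are expected to rely on that, make the contract explicit, e.g. `// SupportedVersions lists the versions of this ruleset the binary supports, newest first; callers must not modify it.` The same applies to the gardener, managedk8s (both rulesets) and virtualgarden hunks of this patch.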
@@ -25,7 +25,10 @@ const ( RulesetID = "disa-kubernetes-stig" ) -var _ ruleset.Ruleset = &Ruleset{} +var ( + _ ruleset.Ruleset = &Ruleset{} + SupportedVersions = []string{"v2r1", "v1r11"} +) // Ruleset implements DISA Kubernetes STIG. type Ruleset struct { diff --git a/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go b/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go index decdaf41e..205f2a0a8 100644 --- a/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go +++ b/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go @@ -22,7 +22,10 @@ const ( RulesetID = "security-hardened-k8s" ) -var _ ruleset.Ruleset = &Ruleset{} +var ( + _ ruleset.Ruleset = &Ruleset{} + SupportedVersions = []string{"v0.1.0"} +) // Ruleset implements Security Hardened Kubernetes Cluster. type Ruleset struct { diff --git a/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go b/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go index 18b2a2237..ba0ba4bd0 100644 --- a/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go @@ -25,7 +25,10 @@ const ( RulesetID = "disa-kubernetes-stig" ) -var _ ruleset.Ruleset = &Ruleset{} +var ( + _ ruleset.Ruleset = &Ruleset{} + SupportedVersions = []string{"v2r1", "v1r11"} +) // Ruleset implements DISA Kubernetes STIG. type Ruleset struct { From 5c608f6c8cfb2cd8773c64497810a2e45a3a1217 Mon Sep 17 00:00:00 2001 From: georgibaltiev Date: Mon, 23 Dec 2024 11:53:45 +0200 Subject: [PATCH 02/26] Add ruleset version resolving methods to the provider definitions --- pkg/provider/builder/garden.go | 9 +++++++++ pkg/provider/builder/gardener.go | 9 +++++++++ pkg/provider/builder/managedk8s.go | 11 +++++++++++ pkg/provider/builder/virtualgarden.go | 9 +++++++++ 4 files changed, 38 insertions(+) diff --git a/pkg/provider/builder/garden.go b/pkg/provider/builder/garden.go index df51f4caf..cc8c04073 100644 --- a/pkg/provider/builder/garden.go 
+++ b/pkg/provider/builder/garden.go @@ -48,3 +48,12 @@ func GardenProviderFromConfig(conf config.ProviderConfig) (provider.Provider, er return p, nil } + +func GardenGetSupportedVersions(ruleset string) []string { + switch ruleset { + case securityhardenedshoot.RulesetID: + return securityhardenedshoot.SupportedVersions + default: + return nil + } +} diff --git a/pkg/provider/builder/gardener.go b/pkg/provider/builder/gardener.go index d16b0e2d8..eff096203 100644 --- a/pkg/provider/builder/gardener.go +++ b/pkg/provider/builder/gardener.go @@ -61,3 +61,12 @@ func setConfigDefaults(config *rest.Config) { config.Burst = 40 } } + +func GardenerGetSupportedVersions(ruleset string) []string { + switch ruleset { + case disak8sstig.RulesetID: + return disak8sstig.SupportedVersions + default: + return nil + } +} diff --git a/pkg/provider/builder/managedk8s.go b/pkg/provider/builder/managedk8s.go index a0eecb845..a1897ab7d 100644 --- a/pkg/provider/builder/managedk8s.go +++ b/pkg/provider/builder/managedk8s.go @@ -57,3 +57,14 @@ func ManagedK8SProviderFromConfig(conf config.ProviderConfig) (provider.Provider return p, nil } + +func ManagedK8SGetSupportedVersions(ruleset string) []string { + switch ruleset { + case securityhardenedk8s.RulesetID: + return securityhardenedk8s.SupportedVersions + case disak8sstig.RulesetID: + return disak8sstig.SupportedVersions + default: + return nil + } +} diff --git a/pkg/provider/builder/virtualgarden.go b/pkg/provider/builder/virtualgarden.go index 37664dba3..130355d49 100644 --- a/pkg/provider/builder/virtualgarden.go +++ b/pkg/provider/builder/virtualgarden.go @@ -48,3 +48,12 @@ func VirtualGardenProviderFromConfig(conf config.ProviderConfig) (provider.Provi return p, nil } + +func VirtualGardenGetSupportedVersions(ruleset string) []string { + switch ruleset { + case disak8sstig.RulesetID: + return disak8sstig.SupportedVersions + default: + return nil + } +} From a69a4d45a0068d5c05089ed5e5cac41cd3685dac Mon Sep 17 00:00:00 2001 
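Review bot: `GardenGetSupportedVersions` and its three siblings in this patch return `nil` for an unknown ruleset and also whenever a registered ruleset happens to have no versions, and they hand out the ruleset package's slice itself, so a caller that appends to or sorts the result mutates shared state. Returning a copy, e.g. `return slices.Clone(securityhardenedshoot.SupportedVersions)` (or a manual `copy` if the module's Go version predates the `slices` package), isolates the package data, and if the "unknown ruleset" case matters to callers a `(versions []string, ok bool)` result is clearer than overloading `nil`.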
From: georgibaltiev Date: Mon, 23 Dec 2024 13:47:53 +0200 Subject: [PATCH 03/26] Add comments --- pkg/provider/builder/garden.go | 1 + pkg/provider/builder/gardener.go | 1 + pkg/provider/builder/managedk8s.go | 1 + pkg/provider/builder/virtualgarden.go | 1 + pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go | 5 +++-- pkg/provider/gardener/ruleset/disak8sstig/ruleset.go | 5 +++-- pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go | 5 +++-- .../managedk8s/ruleset/securityhardenedk8s/ruleset.go | 5 +++-- pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go | 5 +++-- 9 files changed, 19 insertions(+), 10 deletions(-) diff --git a/pkg/provider/builder/garden.go b/pkg/provider/builder/garden.go index cc8c04073..7c2f71447 100644 --- a/pkg/provider/builder/garden.go +++ b/pkg/provider/builder/garden.go @@ -49,6 +49,7 @@ func GardenProviderFromConfig(conf config.ProviderConfig) (provider.Provider, er return p, nil } +// GardenGetSupportedVersions returns the Supported Versions of a specific ruleset that is supported by the Garden provider. func GardenGetSupportedVersions(ruleset string) []string { switch ruleset { case securityhardenedshoot.RulesetID: diff --git a/pkg/provider/builder/gardener.go b/pkg/provider/builder/gardener.go index eff096203..5efc10136 100644 --- a/pkg/provider/builder/gardener.go +++ b/pkg/provider/builder/gardener.go @@ -62,6 +62,7 @@ func setConfigDefaults(config *rest.Config) { } } +// GardenerGetSupportedVersions returns the Supported Versions of a specific ruleset that is supported by the Gardener provider. func GardenerGetSupportedVersions(ruleset string) []string { switch ruleset { case disak8sstig.RulesetID: diff --git a/pkg/provider/builder/managedk8s.go b/pkg/provider/builder/managedk8s.go index a1897ab7d..2ce4a59a3 100644 --- a/pkg/provider/builder/managedk8s.go +++ b/pkg/provider/builder/managedk8s.go 
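Review bot: The four new doc comments disagree in wording: the Garden and Gardener variants say "Supported Versions" while the Managed K8S and Virtual Garden variants say "supported versions", and "of a specific ruleset that is supported by" is redundant. A uniform form such as `// GardenGetSupportedVersions returns the versions of the given ruleset that the Garden provider supports, or nil if the ruleset is unknown.` would also document the `nil` return, which none of the four comments mention.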
@@ -58,6 +58,7 @@ func ManagedK8SProviderFromConfig(conf config.ProviderConfig) (provider.Provider return p, nil } +// ManagedK8SGetSupportedVersions returns the supported versions of a specific ruleset that is supported by the Managed K8S provider. func ManagedK8SGetSupportedVersions(ruleset string) []string { switch ruleset { case securityhardenedk8s.RulesetID: diff --git a/pkg/provider/builder/virtualgarden.go b/pkg/provider/builder/virtualgarden.go index 130355d49..37deb58f0 100644 --- a/pkg/provider/builder/virtualgarden.go +++ b/pkg/provider/builder/virtualgarden.go @@ -49,6 +49,7 @@ func VirtualGardenProviderFromConfig(conf config.ProviderConfig) (provider.Provi return p, nil } +// VirtualGardenGetSupportedVersions returns the supported versions of a specific ruleset that is supported by the Virtual Garden provider. func VirtualGardenGetSupportedVersions(ruleset string) []string { switch ruleset { case disak8sstig.RulesetID: diff --git a/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go b/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go index 8955add3c..13bd08ebb 100644 --- a/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go +++ b/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go @@ -24,8 +24,9 @@ const ( ) var ( - _ ruleset.Ruleset = &Ruleset{} - SupportedVersions = []string{"v0.1.0"} + _ ruleset.Ruleset = &Ruleset{} + // SupportedVersions is a list of available versions for the Security Hardened Shoot Cluster Ruleset. + SupportedVersions = []string{"v0.1.0"} ) // Ruleset implements Security Hardened Shoot Cluster. diff --git a/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go b/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go index ba7230797..36cf8282c 100644 --- a/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go 
@@ -26,8 +26,9 @@ const ( ) var ( - _ ruleset.Ruleset = &Ruleset{} - SupportedVersions = []string{"v2r1", "v1r11"} + _ ruleset.Ruleset = &Ruleset{} + // SupportedVersions is a list of available versions for the DISA Kubernetes STIG Ruleset. + SupportedVersions = []string{"v2r1", "v1r11"} ) // Ruleset implements DISA Kubernetes STIG. diff --git a/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go b/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go index fd4609092..f9535d007 100644 --- a/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go @@ -26,8 +26,9 @@ const ( ) var ( - _ ruleset.Ruleset = &Ruleset{} - SupportedVersions = []string{"v2r1", "v1r11"} + _ ruleset.Ruleset = &Ruleset{} + // SupportedVersions is a list of available versions for the DISA Kubernetes STIG Ruleset. + SupportedVersions = []string{"v2r1", "v1r11"} ) // Ruleset implements DISA Kubernetes STIG. diff --git a/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go b/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go index 205f2a0a8..30d151560 100644 --- a/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go +++ b/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go @@ -23,8 +23,9 @@ const ( ) var ( - _ ruleset.Ruleset = &Ruleset{} - SupportedVersions = []string{"v0.1.0"} + _ ruleset.Ruleset = &Ruleset{} + // SupportedVersions is a list of available versions for the Security Hardened Kubernetes Cluster Ruleset. + SupportedVersions = []string{"v0.1.0"} ) // Ruleset implements Security Hardened Kubernetes Cluster. diff --git a/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go b/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go index ba0ba4bd0..0704e58fb 100644 --- a/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go 
@@ -26,8 +26,9 @@ const ( ) var ( - _ ruleset.Ruleset = &Ruleset{} - SupportedVersions = []string{"v2r1", "v1r11"} + _ ruleset.Ruleset = &Ruleset{} + // SupportedVersions is a list of available versions for the DISA Kubernetes STIG Ruleset. + SupportedVersions = []string{"v2r1", "v1r11"} ) // Ruleset implements DISA Kubernetes STIG. From d8ae1c38ecbbb98fbb5a59c9d15b4a1cb6e37294 Mon Sep 17 00:00:00 2001 From: georgibaltiev Date: Mon, 23 Dec 2024 13:51:11 +0200 Subject: [PATCH 04/26] Add show command implementation --- cmd/diki/app/app.go | 122 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 122 insertions(+) diff --git a/cmd/diki/app/app.go b/cmd/diki/app/app.go index a6546d0dd..4475a56af 100644 --- a/cmd/diki/app/app.go +++ b/cmd/diki/app/app.go @@ -21,6 +21,7 @@ import ( "github.com/gardener/diki/pkg/config" "github.com/gardener/diki/pkg/provider" + "github.com/gardener/diki/pkg/provider/builder" "github.com/gardener/diki/pkg/report" "github.com/gardener/diki/pkg/ruleset" ) @@ -124,6 +125,28 @@ e.g. to check compliance of your hyperscaler accounts.`, addReportGenerateDiffFlags(generateDiffCmd, &generateDiffOpts) generateCmd.AddCommand(generateDiffCmd) + showCmd := &cobra.Command{ + Use: "show", + Short: "Show metadata of the providers that the current diki binary supports.", + Long: "Show metadata of the providers that the current diki binary supports.", + RunE: func(_ *cobra.Command, _ []string) error { + return errors.New("show subcommand not selected") + }, + } + + rootCmd.AddCommand(showCmd) + + showProviderCmd := &cobra.Command{ + Use: "provider", + Short: "", + Long: "", + RunE: func(_ *cobra.Command, args []string) error { + return showProviderCmd(args, providerCreateFuncs) + }, + } + + showCmd.AddCommand(showProviderCmd) + return rootCmd } 
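Review bot: The local `showProviderCmd := &cobra.Command{...}` shares its name with the `showProviderCmd` function its `RunE` calls; this compiles only because a short variable declaration's scope starts after the statement, and any later reference in the enclosing function (which begins outside this hunk) would silently pick up the command value instead of the function. Rename the variable, e.g. `showProviderCommand := &cobra.Command{` and `showCmd.AddCommand(showProviderCommand)`. `Short: ""` and `Long: ""` leave `diki show provider` with no help text; something like `Short: "Show metadata of a supported provider and its rulesets."` is needed, and `show` itself could use `RunE: func(cmd *cobra.Command, _ []string) error { return cmd.Help() }` rather than returning an error when no subcommand is given.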
@@ -156,6 +179,105 @@ func addReportGenerateDiffFlags(cmd *cobra.Command, opts *generateDiffOptions) { cmd.PersistentFlags().Var(cliflag.NewMapStringString(&opts.identityAttributes), "identity-attributes", "The keys are the IDs of the providers that will be present in the generated difference report and the values are metadata attributes to be used as identifiers.") } +func showProviderCmd(args []string, providerCreateFuncs map[string]provider.ProviderFromConfigFunc) error { + type Version struct { + Version string `json:"version"` + Latest bool `json:"latest"` + } + type RulesetMetadata struct { + RulesetID string `json:"rulesetID"` + RulesetName string `json:"rulesetName"` + Versions []Version `json:"versions"` + } + type ProviderMetadata struct { + ID string `json:"id"` + Name string `json:"name"` + } + type Provider struct { + ID string `json:"id"` + Name string `json:"name"` + Rulesets []RulesetMetadata `json:"rulesets"` + } + + if len(args) > 1 { + return fmt.Errorf("show provider accepts at most one provider") + } + + dikiConfigs := map[string]config.DikiConfig{} + for providerName := range providerCreateFuncs { + dikiConfig, err := readConfig(fmt.Sprintf("example/config/%s.yaml", providerName)) + dikiConfigs[providerName] = *dikiConfig + if err != nil { + return err + } + } + + if len(args) == 0 { + var providersMetadata = []ProviderMetadata{} + for provider, config := range dikiConfigs { + providersMetadata = append(providersMetadata, ProviderMetadata{ID: provider, Name: config.Providers[0].Name}) + } + if bytes, err := json.Marshal(providersMetadata); err != nil { + return err + } else { + fmt.Println(string(bytes)) + } + } else { + var ( + providerID = args[0] + providerData = Provider{} + providerFuncMap = map[string]func(string) []string{ + "gardener": builder.GardenerGetSupportedVersions, + "garden": builder.GardenGetSupportedVersions, + "managedk8s": builder.ManagedK8SGetSupportedVersions, + "virtualgarden": builder.VirtualGardenGetSupportedVersions, 
+ } + GetSupportedVersionsByProviderAndRuleset = func(provider, ruleset string) ([]string, error) { + getSupportedVersionsByRuleset, ok := providerFuncMap[provider] + if !ok { + return nil, fmt.Errorf("provider %s is not registered for versioning", provider) + } + var result = getSupportedVersionsByRuleset(ruleset) + if result == nil { + return nil, fmt.Errorf("ruleset %s of provider %s is not registered for versioning", ruleset, provider) + } + return result, nil + } + ) + config, ok := dikiConfigs[providerID] + if !ok { + return fmt.Errorf("provider %s not found", providerID) + } + providerData.ID = providerID + providerData.Name = config.Providers[0].Name + + for _, ruleset := range config.Providers[0].Rulesets { + var ( + rulesetMetadata = RulesetMetadata{RulesetID: ruleset.ID, RulesetName: ruleset.Name} + latestVersion = ruleset.Version + ) + rulesetMetadata.Versions = append(rulesetMetadata.Versions, Version{Version: latestVersion, Latest: true}) + supportedVersions, err := GetSupportedVersionsByProviderAndRuleset(providerID, ruleset.ID) + if err != nil { + return err + } + for _, version := range supportedVersions { + if version != latestVersion { + rulesetMetadata.Versions = append(rulesetMetadata.Versions, Version{Version: version, Latest: false}) + } + } + providerData.Rulesets = append(providerData.Rulesets, rulesetMetadata) + } + + if bytes, err := json.Marshal(providerData); err != nil { + return err + } else { + fmt.Println(string(bytes)) + } + } + return nil +} + func generateDiffCmd(args []string, generateDiffOpts generateDiffOptions, rootOpts reportOptions, logger *slog.Logger) error { if len(args) == 0 { return errors.New("generate diff command requires a minimum of one filepath argument") From 30719f19996549bfc8a915c109c81b694fa35753 Mon Sep 17 00:00:00 2001 
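Review bot: In the config loop the pointer is dereferenced before the error is checked — `dikiConfigs[providerName] = *dikiConfig` runs ahead of `if err != nil`, so a missing or malformed file can panic on a nil pointer (assuming `readConfig` returns nil on error; its body is not in this patch) instead of returning the error; move the assignment below the check: `if err != nil { return err }` then `dikiConfigs[providerName] = *dikiConfig`. The metadata is read from `example/config/<provider>.yaml` relative to the working directory, so `diki show provider` only works from a checkout containing that directory and reports whatever those example files say rather than what the binary supports; provider IDs, ruleset names and versions are compile-time constants and can come from the provider packages directly. `config.Providers[0]` is indexed twice without a length check and panics on a config with no providers. The range variables `provider` and `config` shadow the imported `provider` and `config` packages inside the loop, `GetSupportedVersionsByProviderAndRuleset` is a local with an exported-style name, and `fmt.Errorf("show provider accepts at most one provider")` has no verbs and should be `errors.New`.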
From: georgibaltiev Date: Fri, 27 Dec 2024 15:27:59 +0200 Subject: [PATCH 05/26] Move JSON defined structures into a separate module --- pkg/metadata/metadata.go | 41 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 pkg/metadata/metadata.go diff --git a/pkg/metadata/metadata.go b/pkg/metadata/metadata.go new file mode 100644 index 000000000..6d471f79e --- /dev/null +++ b/pkg/metadata/metadata.go 
@@ -0,0 +1,41 @@
+// SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and Gardener contributors
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package metadata
+
+// Version is used to represent a specific version of a ruleset
+type Version struct {
+ // Version is the human-readable name of the ruleset release
+ Version string `json:"version"`
+ // Latest is a bool tag that showcases if the specific version is the latest one
+ Latest bool `json:"latest"`
+}
+
+// RulesetMetadata is used to represent a specific ruleset and it's metadata
+type RulesetMetadata struct {
+ // RulesetID is the unique identifier of the ruleset
+ RulesetID string `json:"rulesetID"`
+ // RulesetName is the user-friendly name of the ruleset
+ RulesetName string `json:"rulesetName"`
+ // Versions is used to showcase the supported versions of the specific ruleset
+ Versions []Version `json:"versions"`
+}
+
+// Provider is used to represent an available provider by it's name and unique identifier
+type Provider struct {
+ // ProviderID is the unique identifier of the provider
+ ProviderID string `json:"id"`
+ // ProviderName is the user-friendly name of the provider
+ ProviderName string `json:"name"`
+}
+
+// ProviderMetadata is used to represent a specific provider and it's metadata
+type ProviderMetadata struct {
+ // ProviderID is the unique identifier of the provider
+ ProviderID string `json:"providerID"`
+ // ProviderName is the user-friendly name of the provider
+ ProviderName string `json:"providerName"`
+ // ProviderRulesets is a list of rulesets supported by the specific provider
+ ProviderRulesets []RulesetMetadata `json:"rulesets"`
+}
From 686523dafeb219ba0e79e5520553eec9b6f1447f Mon Sep 17 00:00:00 2001
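Review bot: The doc comments on `RulesetMetadata`, `Provider` and `ProviderMetadata` use "it's" where "its" is meant (three occurrences), e.g. `// RulesetMetadata is used to represent a specific ruleset and its metadata`. `Provider` and `ProviderMetadata` carry the same two fields under different JSON keys (`id`/`name` versus `providerID`/`providerName`), so a consumer of the `show` output has to handle two shapes for one concept; using one key set in both, or embedding `Provider` in `ProviderMetadata`, keeps the wire format consistent. The `Latest` comment ("bool tag that showcases") would read better as `// Latest reports whether this is the newest supported version of the ruleset.`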
From: georgibaltiev Date: Fri, 27 Dec 2024 15:44:56 +0200 Subject: [PATCH 06/26] Move ruleset user-friendly names into constant variables for broader access --- pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go | 5 +++-- pkg/provider/gardener/ruleset/disak8sstig/ruleset.go | 5 +++-- pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go | 5 +++-- .../managedk8s/ruleset/securityhardenedk8s/ruleset.go | 5 +++-- pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go | 5 +++-- 5 files changed, 15 insertions(+), 10 deletions(-) diff --git a/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go b/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go index 13bd08ebb..da4ec8ab5 100644 --- a/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go +++ b/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go @@ -20,7 +20,8 @@ import ( const ( // RulesetID is a constant containing the id of the Security Hardened Shoot Cluster Ruleset. - RulesetID = "security-hardened-shoot-cluster" + RulesetID = "security-hardened-shoot-cluster" + RulesetName = "Security Hardened Shoot Cluster" ) var ( @@ -66,7 +67,7 @@ func (r *Ruleset) ID() string { // Name returns the name of the Ruleset. func (r *Ruleset) Name() string { - return "Security Hardened Shoot Cluster" + return RulesetName } // Version returns the version of the Ruleset. diff --git a/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go b/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go index 36cf8282c..df2b59e77 100644 --- a/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go @@ -22,7 +22,8 @@ import ( const ( // RulesetID is a constant containing the id of the DISA Kubernetes STIG Ruleset. - RulesetID = "disa-kubernetes-stig" + RulesetID = "disa-kubernetes-stig" + RulesetName = "DISA Kubernetes Security Technical Implementation Guide" ) var ( 
@@ -75,7 +76,7 @@ func (r *Ruleset) ID() string { // Name returns the name of the Ruleset. func (r *Ruleset) Name() string { - return "DISA Kubernetes Security Technical Implementation Guide" + return RulesetName } // Version returns the version of the Ruleset. diff --git a/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go b/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go index f9535d007..38efc5a15 100644 --- a/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go @@ -22,7 +22,8 @@ import ( const ( // RulesetID is a constant containing the id of the DISA Kubernetes STIG Ruleset. - RulesetID = "disa-kubernetes-stig" + RulesetID = "disa-kubernetes-stig" + RulesetName = "DISA Kubernetes Security Technical Implementation Guide" ) var ( @@ -73,7 +74,7 @@ func (r *Ruleset) ID() string { // Name returns the name of the Ruleset. func (r *Ruleset) Name() string { - return "DISA Kubernetes Security Technical Implementation Guide" + return RulesetName } // Version returns the version of the Ruleset. diff --git a/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go b/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go index 30d151560..c04774eb4 100644 --- a/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go +++ b/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go @@ -19,7 +19,8 @@ import ( const ( // RulesetID is a constant containing the id of the Security Hardened Kubernetes Cluster Ruleset. - RulesetID = "security-hardened-k8s" + RulesetID = "security-hardened-k8s" + RulesetName = "Security Hardened Kubernetes Cluster" ) var ( @@ -58,7 +59,7 @@ func (r *Ruleset) ID() string { // Name returns the name of the Ruleset. func (r *Ruleset) Name() string { - return "Security Hardened Kubernetes Cluster" + return RulesetName } // Version returns the version of the Ruleset. 
diff --git a/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go b/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go index 0704e58fb..e25510307 100644 --- a/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go @@ -22,7 +22,8 @@ import ( const ( // RulesetID is a constant containing the id of the DISA Kubernetes STIG Ruleset. - RulesetID = "disa-kubernetes-stig" + RulesetID = "disa-kubernetes-stig" + RulesetName = "DISA Kubernetes Security Technical Implementation Guide" ) var ( @@ -73,7 +74,7 @@ func (r *Ruleset) ID() string { // Name returns the name of the Ruleset. func (r *Ruleset) Name() string { - return "DISA Kubernetes Security Technical Implementation Guide" + return RulesetName } // Version returns the version of the Ruleset. From 1de2bb06db4b25ddd48ecec69a74f3b4d9fd9f84 Mon Sep 17 00:00:00 2001 From: georgibaltiev Date: Fri, 27 Dec 2024 16:07:48 +0200 Subject: [PATCH 07/26] Add description comments for the new constants --- pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go | 5 +++-- pkg/provider/gardener/ruleset/disak8sstig/ruleset.go | 3 ++- pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go | 3 ++- .../managedk8s/ruleset/securityhardenedk8s/ruleset.go | 3 ++- pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go | 3 ++- 5 files changed, 11 insertions(+), 6 deletions(-) diff --git a/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go b/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go index da4ec8ab5..24918b126 100644 --- a/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go +++ b/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go 
@@ -19,8 +19,9 @@ import ( ) const ( - // RulesetID is a constant containing the id of the Security Hardened Shoot Cluster Ruleset. - RulesetID = "security-hardened-shoot-cluster" + // RulesetID is a constant containing the id of the Security Hardened Shoot Cluster ruleset. + RulesetID = "security-hardened-shoot-cluster" + // RulesetName is a constant containing the user-friendly name of the Security Hardened Shoot Cluster ruleset. RulesetName = "Security Hardened Shoot Cluster" ) diff --git a/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go b/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go index df2b59e77..2bdde2a8c 100644 --- a/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go @@ -22,7 +22,8 @@ import ( const ( // RulesetID is a constant containing the id of the DISA Kubernetes STIG Ruleset. - RulesetID = "disa-kubernetes-stig" + RulesetID = "disa-kubernetes-stig" + // RulesetName is a constant containing the user-friendly name of the DISA Kubernetes STIG ruleset. RulesetName = "DISA Kubernetes Security Technical Implementation Guide" ) diff --git a/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go b/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go index 38efc5a15..48b8cb0e8 100644 --- a/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go @@ -22,7 +22,8 @@ import ( const ( // RulesetID is a constant containing the id of the DISA Kubernetes STIG Ruleset. - RulesetID = "disa-kubernetes-stig" + RulesetID = "disa-kubernetes-stig" + // RulesetName is a constant containing the user-friendly name of the DISA Kubernetes STIG ruleset. RulesetName = "DISA Kubernetes Security Technical Implementation Guide" ) diff --git a/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go b/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go index c04774eb4..2d6a7a894 100644 
--- a/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go +++ b/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go @@ -19,7 +19,8 @@ import ( const ( // RulesetID is a constant containing the id of the Security Hardened Kubernetes Cluster Ruleset. - RulesetID = "security-hardened-k8s" + RulesetID = "security-hardened-k8s" + // RulesetName is a constant containing the user-friendly name of the Security Hardened Kubernetes ruleset. RulesetName = "Security Hardened Kubernetes Cluster" ) diff --git a/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go b/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go index e25510307..917199da3 100644 --- a/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go @@ -22,7 +22,8 @@ import ( const ( // RulesetID is a constant containing the id of the DISA Kubernetes STIG Ruleset. - RulesetID = "disa-kubernetes-stig" + RulesetID = "disa-kubernetes-stig" + // RulesetName is a constant containing the user-friendly name of the DISA Kubernetes STIG ruleset. RulesetName = "DISA Kubernetes Security Technical Implementation Guide" ) From 619ac193d78043a12da6d38aa3f3787388743865 Mon Sep 17 00:00:00 2001 From: georgibaltiev Date: Fri, 27 Dec 2024 16:23:11 +0200 Subject: [PATCH 08/26] Add functions that showcase each provider's metadata --- pkg/provider/builder/garden.go | 33 +++++++++++++++++++++++++-- pkg/provider/builder/gardener.go | 33 +++++++++++++++++++++++++-- pkg/provider/builder/managedk8s.go | 33 +++++++++++++++++++++++++-- pkg/provider/builder/virtualgarden.go | 32 ++++++++++++++++++++++++-- 4 files changed, 123 insertions(+), 8 deletions(-) diff --git a/pkg/provider/builder/garden.go b/pkg/provider/builder/garden.go index 7c2f71447..f56e00719 100644 --- a/pkg/provider/builder/garden.go +++ b/pkg/provider/builder/garden.go 
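Review bot: The new `RulesetName` comment in securityhardenedk8s/ruleset.go says "Security Hardened Kubernetes ruleset" while the constant's value and the `RulesetID` comment directly above say "Security Hardened Kubernetes Cluster"; use the same name, `// RulesetName is a constant containing the user-friendly name of the Security Hardened Kubernetes Cluster ruleset.` The garden hunk also lower-cases "Ruleset" in the existing `RulesetID` comment, but the other four files keep "Ruleset.", so the capitalization now diverges across packages.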
@@ -9,6 +9,7 @@ import ( "log/slog" "github.com/gardener/diki/pkg/config" + "github.com/gardener/diki/pkg/metadata" "github.com/gardener/diki/pkg/provider" "github.com/gardener/diki/pkg/provider/garden" "github.com/gardener/diki/pkg/provider/garden/ruleset/securityhardenedshoot" @@ -49,8 +50,8 @@ func GardenProviderFromConfig(conf config.ProviderConfig) (provider.Provider, er return p, nil } -// GardenGetSupportedVersions returns the Supported Versions of a specific ruleset that is supported by the Garden provider. -func GardenGetSupportedVersions(ruleset string) []string { +// gardenGetSupportedVersions returns the Supported Versions of a specific ruleset that is supported by the Garden provider. +func gardenGetSupportedVersions(ruleset string) []string { switch ruleset { case securityhardenedshoot.RulesetID: return securityhardenedshoot.SupportedVersions 
@@ -58,3 +59,31 @@ func GardenGetSupportedVersions(ruleset string) []string { return nil } } + +// GardenProviderMetadata returns available metadata for the Garden Provider and it's supported rulesets. +func GardenProviderMetadata() metadata.ProviderMetadata { + providerMetadata := metadata.ProviderMetadata{} + providerMetadata.ProviderID = "garden" + providerMetadata.ProviderName = "Garden" + + var availableRulesets = map[string]string{ + securityhardenedshoot.RulesetID: securityhardenedshoot.RulesetName, + } + + for rulesetID, rulesetName := range availableRulesets { + rulesetMetadata := &metadata.RulesetMetadata{} + rulesetMetadata.RulesetID = rulesetID + rulesetMetadata.RulesetName = rulesetName + rulesetSupportedVersions := gardenGetSupportedVersions(rulesetMetadata.RulesetID) + for index, supportedVersion := range rulesetSupportedVersions { + if index == 0 { + rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: true}) + } else { + rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: false}) + } + } + providerMetadata.ProviderRulesets = append(providerMetadata.ProviderRulesets, *rulesetMetadata) + } + + return providerMetadata +} diff --git a/pkg/provider/builder/gardener.go b/pkg/provider/builder/gardener.go index 5efc10136..3d0d0c8b3 100644 --- a/pkg/provider/builder/gardener.go +++ b/pkg/provider/builder/gardener.go @@ -11,6 +11,7 @@ import ( "k8s.io/client-go/rest" "github.com/gardener/diki/pkg/config" + "github.com/gardener/diki/pkg/metadata" "github.com/gardener/diki/pkg/provider" "github.com/gardener/diki/pkg/provider/gardener" "github.com/gardener/diki/pkg/provider/gardener/ruleset/disak8sstig" 
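Review bot: `GardenProviderMetadata` iterates `availableRulesets`, a map, so as soon as a provider registers more than one ruleset (managedk8s already does) the order of `ProviderRulesets` in the emitted JSON changes from run to run; an ordered slice of ID/name pairs keeps the output deterministic. `Latest` is derived from `index == 0`, which silently turns "first element of `SupportedVersions`" into a contract nothing documents, and the `if/else` duplicates the append where `Latest: index == 0` would do; `rulesetMetadata` is also taken by address only to be copied back out with `*rulesetMetadata`. The same body is repeated in the gardener hunk below and in the managedk8s and virtualgarden files, differing only in ID, name, ruleset table and lookup function, so it can be one unexported helper in the builder package as sketched below; the doc comments also need "its" rather than "it's".
```go
// GardenProviderMetadata returns available metadata for the Garden Provider and its supported rulesets.
func GardenProviderMetadata() metadata.ProviderMetadata {
	return buildProviderMetadata("garden", "Garden", []rulesetInfo{
		{id: securityhardenedshoot.RulesetID, name: securityhardenedshoot.RulesetName},
	}, gardenGetSupportedVersions)
}

// rulesetInfo pairs a ruleset ID with its user-friendly name; a slice (not a map) keeps the output order stable.
type rulesetInfo struct {
	id, name string
}

// buildProviderMetadata assembles a provider's metadata from an ordered ruleset list and the provider's version lookup.
// versionsOf is expected to list versions newest first; the first entry is reported as Latest.
func buildProviderMetadata(id, name string, rulesets []rulesetInfo, versionsOf func(string) []string) metadata.ProviderMetadata {
	pm := metadata.ProviderMetadata{ProviderID: id, ProviderName: name}
	for _, rs := range rulesets {
		rm := metadata.RulesetMetadata{RulesetID: rs.id, RulesetName: rs.name}
		for i, v := range versionsOf(rs.id) {
			rm.Versions = append(rm.Versions, metadata.Version{Version: v, Latest: i == 0})
		}
		pm.ProviderRulesets = append(pm.ProviderRulesets, rm)
	}
	return pm
}
```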
@@ -62,8 +63,8 @@ func setConfigDefaults(config *rest.Config) { } } -// GardenerGetSupportedVersions returns the Supported Versions of a specific ruleset that is supported by the Gardener provider. -func GardenerGetSupportedVersions(ruleset string) []string { +// gardenerGetSupportedVersions returns the Supported Versions of a specific ruleset that is supported by the Gardener provider. +func gardenerGetSupportedVersions(ruleset string) []string { switch ruleset { case disak8sstig.RulesetID: return disak8sstig.SupportedVersions @@ -71,3 +72,31 @@ func GardenerGetSupportedVersions(ruleset string) []string { return nil } } + +// GardenerProviderMetadata returns available metadata for the Gardener Provider and it's supported rulesets. +func GardenerProviderMetadata() metadata.ProviderMetadata { + providerMetadata := metadata.ProviderMetadata{} + providerMetadata.ProviderID = "gardener" + providerMetadata.ProviderName = "Gardener" + + var availableRulesets = map[string]string{ + disak8sstig.RulesetID: disak8sstig.RulesetName, + } + + for rulesetID, rulesetName := range availableRulesets { + rulesetMetadata := &metadata.RulesetMetadata{} + rulesetMetadata.RulesetID = rulesetID + rulesetMetadata.RulesetName = rulesetName + rulesetSupportedVersions := gardenerGetSupportedVersions(rulesetMetadata.RulesetID) + for index, supportedVersion := range rulesetSupportedVersions { + if index == 0 { + rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: true}) + } else { + rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: false}) + } + } + providerMetadata.ProviderRulesets = append(providerMetadata.ProviderRulesets, *rulesetMetadata) + } + + return providerMetadata +} diff --git a/pkg/provider/builder/managedk8s.go b/pkg/provider/builder/managedk8s.go index 2ce4a59a3..4db249c1f 100644 --- a/pkg/provider/builder/managedk8s.go 
+++ b/pkg/provider/builder/managedk8s.go @@ -9,6 +9,7 @@ import ( "log/slog" "github.com/gardener/diki/pkg/config" + "github.com/gardener/diki/pkg/metadata" "github.com/gardener/diki/pkg/provider" "github.com/gardener/diki/pkg/provider/managedk8s" "github.com/gardener/diki/pkg/provider/managedk8s/ruleset/disak8sstig" @@ -58,8 +59,8 @@ func ManagedK8SProviderFromConfig(conf config.ProviderConfig) (provider.Provider return p, nil } -// ManagedK8SGetSupportedVersions returns the supported versions of a specific ruleset that is supported by the Managed K8S provider. -func ManagedK8SGetSupportedVersions(ruleset string) []string { +// managedK8SGetSupportedVersions returns the supported versions of a specific ruleset that is supported by the Managed K8S provider. +func managedK8SGetSupportedVersions(ruleset string) []string { switch ruleset { case securityhardenedk8s.RulesetID: return securityhardenedk8s.SupportedVersions 
@@ -69,3 +70,31 @@ func ManagedK8SGetSupportedVersions(ruleset string) []string { return nil } } + +// ManagedK8SProviderMetadata returns available metadata for the Managed Kubernetes Provider and it's supported rulesets. +func ManagedK8SProviderMetadata() metadata.ProviderMetadata { + providerMetadata := metadata.ProviderMetadata{} + providerMetadata.ProviderID = "managedk8s" + providerMetadata.ProviderName = "Managed Kubernetes" + + var availableRulesets = map[string]string{ + securityhardenedk8s.RulesetID: securityhardenedk8s.RulesetName, + disak8sstig.RulesetID: disak8sstig.RulesetName, + } + + for rulesetID, rulesetName := range availableRulesets { + rulesetMetadata := &metadata.RulesetMetadata{} + rulesetMetadata.RulesetID = rulesetID + rulesetMetadata.RulesetName = rulesetName + rulesetSupportedVersions := managedK8SGetSupportedVersions(rulesetMetadata.RulesetID) + for index, supportedVersion := range rulesetSupportedVersions { + if index == 0 { + rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: true}) + } else { + rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: false}) + } + } + providerMetadata.ProviderRulesets = append(providerMetadata.ProviderRulesets, *rulesetMetadata) + } + return providerMetadata +} diff --git a/pkg/provider/builder/virtualgarden.go b/pkg/provider/builder/virtualgarden.go index 37deb58f0..769619839 100644 --- a/pkg/provider/builder/virtualgarden.go +++ b/pkg/provider/builder/virtualgarden.go @@ -9,6 +9,7 @@ import ( "log/slog" "github.com/gardener/diki/pkg/config" + "github.com/gardener/diki/pkg/metadata" "github.com/gardener/diki/pkg/provider" "github.com/gardener/diki/pkg/provider/virtualgarden" "github.com/gardener/diki/pkg/provider/virtualgarden/ruleset/disak8sstig" 
@@ -49,8 +50,8 @@ func VirtualGardenProviderFromConfig(conf config.ProviderConfig) (provider.Provi return p, nil } -// VirtualGardenGetSupportedVersions returns the supported versions of a specific ruleset that is supported by the Virtual Garden provider. -func VirtualGardenGetSupportedVersions(ruleset string) []string { +// virtualGardenGetSupportedVersions returns the supported versions of a specific ruleset that is supported by the Virtual Garden provider. +func virtualGardenGetSupportedVersions(ruleset string) []string { switch ruleset { case disak8sstig.RulesetID: return disak8sstig.SupportedVersions @@ -58,3 +59,30 @@ func VirtualGardenGetSupportedVersions(ruleset string) []string { return nil } } + +// VirtualGardenProviderMetadata returns available metadata for the Virtual Garden Provider and it's supported rulesets. +func VirtualGardenProviderMetadata() metadata.ProviderMetadata { + providerMetadata := metadata.ProviderMetadata{} + providerMetadata.ProviderID = "virtualgarden" + providerMetadata.ProviderName = "Virtual Garden" + + var availableRulesets = map[string]string{ + disak8sstig.RulesetID: disak8sstig.RulesetName, + } + + for rulesetID, rulesetName := range availableRulesets { + rulesetMetadata := &metadata.RulesetMetadata{} + rulesetMetadata.RulesetID = rulesetID + rulesetMetadata.RulesetName = rulesetName + rulesetSupportedVersions := virtualGardenGetSupportedVersions(rulesetMetadata.RulesetID) + for index, supportedVersion := range rulesetSupportedVersions { + if index == 0 { + rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: true}) + } else { + rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: false}) + } + } + providerMetadata.ProviderRulesets = append(providerMetadata.ProviderRulesets, *rulesetMetadata) + } + return providerMetadata +} From 6a31e326b591243f8e2d8f8b864156448449bd61 Mon Sep 17 00:00:00 2001 
From: georgibaltiev Date: Fri, 27 Dec 2024 16:23:55 +0200 Subject: [PATCH 09/26] Refactor showProvider command and additional tabulations --- cmd/diki/app/app.go | 99 +++++++-------------------- pkg/provider/builder/garden.go | 1 + pkg/provider/builder/gardener.go | 1 + pkg/provider/builder/managedk8s.go | 1 + pkg/provider/builder/virtualgarden.go | 1 + 5 files changed, 27 insertions(+), 76 deletions(-) diff --git a/cmd/diki/app/app.go b/cmd/diki/app/app.go index 4475a56af..beb9355a0 100644 --- a/cmd/diki/app/app.go +++ b/cmd/diki/app/app.go @@ -20,6 +20,7 @@ import ( "k8s.io/component-base/version" "github.com/gardener/diki/pkg/config" + "github.com/gardener/diki/pkg/metadata" "github.com/gardener/diki/pkg/provider" "github.com/gardener/diki/pkg/provider/builder" "github.com/gardener/diki/pkg/report" @@ -141,7 +142,7 @@ e.g. to check compliance of your hyperscaler accounts.`, Short: "", Long: "", RunE: func(_ *cobra.Command, args []string) error { - return showProviderCmd(args, providerCreateFuncs) + return showProviderCmd(args) }, } 
@@ -179,97 +180,43 @@ func addReportGenerateDiffFlags(cmd *cobra.Command, opts *generateDiffOptions) { cmd.PersistentFlags().Var(cliflag.NewMapStringString(&opts.identityAttributes), "identity-attributes", "The keys are the IDs of the providers that will be present in the generated difference report and the values are metadata attributes to be used as identifiers.") } -func showProviderCmd(args []string, providerCreateFuncs map[string]provider.ProviderFromConfigFunc) error { - type Version struct { - Version string `json:"version"` - Latest bool `json:"latest"` - } - type RulesetMetadata struct { - RulesetID string `json:"rulesetID"` - RulesetName string `json:"rulesetName"` - Versions []Version `json:"versions"` - } - type ProviderMetadata struct { - ID string `json:"id"` - Name string `json:"name"` - } - type Provider struct { - ID string `json:"id"` - Name string `json:"name"` - Rulesets []RulesetMetadata `json:"rulesets"` - } - +func showProviderCmd(args []string) error { if len(args) > 1 { - return fmt.Errorf("show provider accepts at most one provider") + return errors.New("command `show provider` accepts at most one provider") } - dikiConfigs := map[string]config.DikiConfig{} - for providerName := range providerCreateFuncs { - dikiConfig, err := readConfig(fmt.Sprintf("example/config/%s.yaml", providerName)) - dikiConfigs[providerName] = *dikiConfig - if err != nil { - return err + var ( + providerFuncMap = map[string]func() metadata.ProviderMetadata{ + "gardener": builder.GardenerProviderMetadata, + "garden": builder.GardenProviderMetadata, + "managedk8s": builder.ManagedK8SProviderMetadata, + "virtualgarden": builder.VirtualGardenProviderMetadata, } - } + ) if len(args) == 0 { - var providersMetadata = []ProviderMetadata{} - for provider, config := range dikiConfigs { - providersMetadata = append(providersMetadata, ProviderMetadata{ID: provider, Name: config.Providers[0].Name}) + providersMetadata := []metadata.Provider{} + + for providerID := range 
providerFuncMap { + providersMetadata = append(providersMetadata, metadata.Provider{ProviderID: providerID, ProviderName: providerFuncMap[providerID]().ProviderName}) } + if bytes, err := json.Marshal(providersMetadata); err != nil { return err } else { fmt.Println(string(bytes)) } } else { - var ( - providerID = args[0] - providerData = Provider{} - providerFuncMap = map[string]func(string) []string{ - "gardener": builder.GardenerGetSupportedVersions, - "garden": builder.GardenGetSupportedVersions, - "managedk8s": builder.ManagedK8SGetSupportedVersions, - "virtualgarden": builder.VirtualGardenGetSupportedVersions, - } - GetSupportedVersionsByProviderAndRuleset = func(provider, ruleset string) ([]string, error) { - getSupportedVersionsByRuleset, ok := providerFuncMap[provider] - if !ok { - return nil, fmt.Errorf("provider %s is not registered for versioning", provider) - } - var result = getSupportedVersionsByRuleset(ruleset) - if result == nil { - return nil, fmt.Errorf("ruleset %s of provider %s is not registered for versioning", ruleset, provider) - } - return result, nil - } - ) - config, ok := dikiConfigs[providerID] + var providerArg = args[0] + + metadataFunc, ok := providerFuncMap[providerArg] if !ok { - return fmt.Errorf("provider %s not found", providerID) - } - providerData.ID = providerID - providerData.Name = config.Providers[0].Name - - for _, ruleset := range config.Providers[0].Rulesets { - var ( - rulesetMetadata = RulesetMetadata{RulesetID: ruleset.ID, RulesetName: ruleset.Name} - latestVersion = ruleset.Version - ) - rulesetMetadata.Versions = append(rulesetMetadata.Versions, Version{Version: latestVersion, Latest: true}) - supportedVersions, err := GetSupportedVersionsByProviderAndRuleset(providerID, ruleset.ID) - if err != nil { - return err - } - for _, version := range supportedVersions { - if version != latestVersion { - rulesetMetadata.Versions = append(rulesetMetadata.Versions, Version{Version: version, Latest: false}) - } - } - 
providerData.Rulesets = append(providerData.Rulesets, rulesetMetadata) + return fmt.Errorf("provider %s does not exist in the current Diki binary", providerArg) } - if bytes, err := json.Marshal(providerData); err != nil { + providerMetadata := metadataFunc() + + if bytes, err := json.Marshal(providerMetadata); err != nil { return err } else { fmt.Println(string(bytes)) diff --git a/pkg/provider/builder/garden.go b/pkg/provider/builder/garden.go index f56e00719..3aa2de2cf 100644 --- a/pkg/provider/builder/garden.go +++ b/pkg/provider/builder/garden.go @@ -75,6 +75,7 @@ func GardenProviderMetadata() metadata.ProviderMetadata { rulesetMetadata.RulesetID = rulesetID rulesetMetadata.RulesetName = rulesetName rulesetSupportedVersions := gardenGetSupportedVersions(rulesetMetadata.RulesetID) + for index, supportedVersion := range rulesetSupportedVersions { if index == 0 { rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: true}) diff --git a/pkg/provider/builder/gardener.go b/pkg/provider/builder/gardener.go index 3d0d0c8b3..a32a568fc 100644 --- a/pkg/provider/builder/gardener.go +++ b/pkg/provider/builder/gardener.go @@ -88,6 +88,7 @@ func GardenerProviderMetadata() metadata.ProviderMetadata { rulesetMetadata.RulesetID = rulesetID rulesetMetadata.RulesetName = rulesetName rulesetSupportedVersions := gardenerGetSupportedVersions(rulesetMetadata.RulesetID) + for index, supportedVersion := range rulesetSupportedVersions { if index == 0 { rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: true}) diff --git a/pkg/provider/builder/managedk8s.go b/pkg/provider/builder/managedk8s.go index 4db249c1f..8a5aa4f29 100644 --- a/pkg/provider/builder/managedk8s.go +++ b/pkg/provider/builder/managedk8s.go 
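Review bot: The `len(args) == 0` branch in `showProviderCmd` ranges over `providerFuncMap`, so the provider list is printed in a different order on every run; iterating sorted keys, `for _, providerID := range slices.Sorted(maps.Keys(providerFuncMap)) {` (Go 1.23+, otherwise collect the keys and `sort.Strings` them), gives callers stable output. Calling `providerFuncMap[providerID]()` in that loop builds the full metadata, versions included, only to read `.ProviderName`; it is cheap today, but a static ID-to-name table or a lightweight name accessor would keep the listing independent of the detailed builders. The local named `bytes` in both `json.Marshal` branches shadows the standard `bytes` package if this file imports it; `out` or `encoded` avoids the question. `showProviderCmd`'s closing lines are outside this hunk.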
@@ -87,6 +87,7 @@ func ManagedK8SProviderMetadata() metadata.ProviderMetadata { rulesetMetadata.RulesetID = rulesetID rulesetMetadata.RulesetName = rulesetName rulesetSupportedVersions := managedK8SGetSupportedVersions(rulesetMetadata.RulesetID) + for index, supportedVersion := range rulesetSupportedVersions { if index == 0 { rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: true}) diff --git a/pkg/provider/builder/virtualgarden.go b/pkg/provider/builder/virtualgarden.go index 769619839..c3dfaffd7 100644 --- a/pkg/provider/builder/virtualgarden.go +++ b/pkg/provider/builder/virtualgarden.go @@ -75,6 +75,7 @@ func VirtualGardenProviderMetadata() metadata.ProviderMetadata { rulesetMetadata.RulesetID = rulesetID rulesetMetadata.RulesetName = rulesetName rulesetSupportedVersions := virtualGardenGetSupportedVersions(rulesetMetadata.RulesetID) + for index, supportedVersion := range rulesetSupportedVersions { if index == 0 { rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: true}) From d4a4f1c908fec5721be394be1d5f8b46ebd04326 Mon Sep 17 00:00:00 2001 From: georgibaltiev Date: Fri, 27 Dec 2024 16:24:57 +0200 Subject: [PATCH 10/26] formatting --- cmd/diki/app/app.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/diki/app/app.go b/cmd/diki/app/app.go index beb9355a0..d1f4688b9 100644 --- a/cmd/diki/app/app.go +++ b/cmd/diki/app/app.go @@ -211,7 +211,7 @@ func showProviderCmd(args []string) error { metadataFunc, ok := providerFuncMap[providerArg] if !ok { - return fmt.Errorf("provider %s does not exist in the current Diki binary", providerArg) + return fmt.Errorf("provider %s does not exist in the current diki binary", providerArg) } providerMetadata := metadataFunc() From c5e8f5e516792d82ba022cb921ea37893e745dbe Mon Sep 17 00:00:00 2001 
From: georgibaltiev Date: Fri, 3 Jan 2025 11:33:22 +0200 Subject: [PATCH 11/26] Rename variables and comments in the metadata and builder packages --- pkg/metadata/metadata.go | 44 ++++++++++++--------------- pkg/provider/builder/garden.go | 18 +++++------ pkg/provider/builder/gardener.go | 18 +++++------ pkg/provider/builder/managedk8s.go | 18 +++++------ pkg/provider/builder/virtualgarden.go | 18 +++++------ 5 files changed, 56 insertions(+), 60 deletions(-)
diff --git a/pkg/metadata/metadata.go b/pkg/metadata/metadata.go
index 6d471f79e..1f518a358 100644
--- a/pkg/metadata/metadata.go
+++ b/pkg/metadata/metadata.go
@@ -1,41 +1,37 @@ -// SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and Gardener contributors +// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and Gardener contributors // // SPDX-License-Identifier: Apache-2.0 package metadata -// Version is used to represent a specific version of a ruleset +// Version is used to represent a specific version of a ruleset. type Version struct { - // Version is the human-readable name of the ruleset release + // Version is the name of the ruleset release. Version string `json:"version"` - // Latest is a bool tag that showcases if the specific version is the latest one + // Latest shows if the specific version is the latest one. Latest bool `json:"latest"` } -// RulesetMetadata is used to represent a specific ruleset and it's metadata -type RulesetMetadata struct { - // RulesetID is the unique identifier of the ruleset - RulesetID string `json:"rulesetID"` - // RulesetName is the user-friendly name of the ruleset - RulesetName string `json:"rulesetName"` - // Versions is used to showcase the supported versions of the specific ruleset +// Ruleset is used to represent a specific ruleset and it's metadata. +type Ruleset struct { + // ID is the unique identifier of the ruleset. + ID string `json:"id"` + // Name is the user-friendly name of the ruleset. + Name string `json:"name"` + // Versions is used to showcase the supported versions of the specific ruleset. Versions []Version `json:"versions"` } -// Provider is used to represent an available provider by it's name and unique identifier +// Provider is used to represent an available provider by it's name and unique identifier. type Provider struct { - // ProviderID is the unique identifier of the provider - ProviderID string `json:"id"` - // ProviderName is the user-friendly name of the provider - ProviderName string `json:"name"` + // ID is the unique identifier of the provider. 
+ ID string `json:"id"` + // Name is the user-friendly name of the provider. + Name string `json:"name"` } -// ProviderMetadata is used to represent a specific provider and it's metadata -type ProviderMetadata struct { - // ProviderID is the unique identifier of the provider - ProviderID string `json:"providerID"` - // ProviderName is the user-friendly name of the provider - ProviderName string `json:"providerName"` - // ProviderRulesets is a list of rulesets supported by the specific provider - ProviderRulesets []RulesetMetadata `json:"rulesets"` +// ProviderDetailed is used to represent a specific provider and it's metadata. +type ProviderDetailed struct { + Provider + Rulesets []Ruleset `json:"rulesets"` } diff --git a/pkg/provider/builder/garden.go b/pkg/provider/builder/garden.go index 3aa2de2cf..c827a7593 100644 --- a/pkg/provider/builder/garden.go +++ b/pkg/provider/builder/garden.go 
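Review bot: The doc comments on `Ruleset`, `Provider` and `ProviderDetailed` write "it's" where the possessive "its" is meant (`// Ruleset is used to represent a specific ruleset and its metadata.`, and likewise for the other two types). The embedded `Provider` field in `ProviderDetailed` has no comment; since `encoding/json` flattens an embedded struct, a line such as `// Provider holds the id and name, flattened into the same JSON object.` would make the resulting shape obvious to readers. Note that the detailed view's JSON keys change from `providerID`/`providerName` to `id`/`name` with this rename; that is fine while the command is still being introduced in this series, but it is worth stating in the commit message.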
@@ -61,20 +61,20 @@ func gardenGetSupportedVersions(ruleset string) []string { } // GardenProviderMetadata returns available metadata for the Garden Provider and it's supported rulesets. -func GardenProviderMetadata() metadata.ProviderMetadata { - providerMetadata := metadata.ProviderMetadata{} - providerMetadata.ProviderID = "garden" - providerMetadata.ProviderName = "Garden" +func GardenProviderMetadata() metadata.ProviderDetailed { + providerMetadata := metadata.ProviderDetailed{} + providerMetadata.ID = "garden" + providerMetadata.Name = "Garden" var availableRulesets = map[string]string{ securityhardenedshoot.RulesetID: securityhardenedshoot.RulesetName, } for rulesetID, rulesetName := range availableRulesets { - rulesetMetadata := &metadata.RulesetMetadata{} - rulesetMetadata.RulesetID = rulesetID - rulesetMetadata.RulesetName = rulesetName - rulesetSupportedVersions := gardenGetSupportedVersions(rulesetMetadata.RulesetID) + rulesetMetadata := &metadata.Ruleset{} + rulesetMetadata.ID = rulesetID + rulesetMetadata.Name = rulesetName + rulesetSupportedVersions := gardenGetSupportedVersions(rulesetMetadata.ID) for index, supportedVersion := range rulesetSupportedVersions { if index == 0 { @@ -83,7 +83,7 @@ func GardenProviderMetadata() metadata.ProviderMetadata { rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: false}) } } - providerMetadata.ProviderRulesets = append(providerMetadata.ProviderRulesets, *rulesetMetadata) + providerMetadata.Rulesets = append(providerMetadata.Rulesets, *rulesetMetadata) } return providerMetadata diff --git a/pkg/provider/builder/gardener.go b/pkg/provider/builder/gardener.go index a32a568fc..b65d04338 100644 --- a/pkg/provider/builder/gardener.go +++ b/pkg/provider/builder/gardener.go 
@@ -74,20 +74,20 @@ func gardenerGetSupportedVersions(ruleset string) []string { } // GardenerProviderMetadata returns available metadata for the Gardener Provider and it's supported rulesets. -func GardenerProviderMetadata() metadata.ProviderMetadata { - providerMetadata := metadata.ProviderMetadata{} - providerMetadata.ProviderID = "gardener" - providerMetadata.ProviderName = "Gardener" +func GardenerProviderMetadata() metadata.ProviderDetailed { + providerMetadata := metadata.ProviderDetailed{} + providerMetadata.ID = "gardener" + providerMetadata.Name = "Gardener" var availableRulesets = map[string]string{ disak8sstig.RulesetID: disak8sstig.RulesetName, } for rulesetID, rulesetName := range availableRulesets { - rulesetMetadata := &metadata.RulesetMetadata{} - rulesetMetadata.RulesetID = rulesetID - rulesetMetadata.RulesetName = rulesetName - rulesetSupportedVersions := gardenerGetSupportedVersions(rulesetMetadata.RulesetID) + rulesetMetadata := &metadata.Ruleset{} + rulesetMetadata.ID = rulesetID + rulesetMetadata.Name = rulesetName + rulesetSupportedVersions := gardenerGetSupportedVersions(rulesetMetadata.ID) for index, supportedVersion := range rulesetSupportedVersions { if index == 0 { @@ -96,7 +96,7 @@ func GardenerProviderMetadata() metadata.ProviderMetadata { rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: false}) } } - providerMetadata.ProviderRulesets = append(providerMetadata.ProviderRulesets, *rulesetMetadata) + providerMetadata.Rulesets = append(providerMetadata.Rulesets, *rulesetMetadata) } return providerMetadata diff --git a/pkg/provider/builder/managedk8s.go b/pkg/provider/builder/managedk8s.go index 8a5aa4f29..a621f8081 100644 --- a/pkg/provider/builder/managedk8s.go +++ b/pkg/provider/builder/managedk8s.go 
@@ -72,10 +72,10 @@ func managedK8SGetSupportedVersions(ruleset string) []string { } // ManagedK8SProviderMetadata returns available metadata for the Managed Kubernetes Provider and it's supported rulesets. -func ManagedK8SProviderMetadata() metadata.ProviderMetadata { - providerMetadata := metadata.ProviderMetadata{} - providerMetadata.ProviderID = "managedk8s" - providerMetadata.ProviderName = "Managed Kubernetes" +func ManagedK8SProviderMetadata() metadata.ProviderDetailed { + providerMetadata := metadata.ProviderDetailed{} + providerMetadata.ID = "managedk8s" + providerMetadata.Name = "Managed Kubernetes" var availableRulesets = map[string]string{ securityhardenedk8s.RulesetID: securityhardenedk8s.RulesetName, @@ -83,10 +83,10 @@ func ManagedK8SProviderMetadata() metadata.ProviderMetadata { } for rulesetID, rulesetName := range availableRulesets { - rulesetMetadata := &metadata.RulesetMetadata{} - rulesetMetadata.RulesetID = rulesetID - rulesetMetadata.RulesetName = rulesetName - rulesetSupportedVersions := managedK8SGetSupportedVersions(rulesetMetadata.RulesetID) + rulesetMetadata := &metadata.Ruleset{} + rulesetMetadata.ID = rulesetID + rulesetMetadata.Name = rulesetName + rulesetSupportedVersions := managedK8SGetSupportedVersions(rulesetMetadata.ID) for index, supportedVersion := range rulesetSupportedVersions { if index == 0 { @@ -95,7 +95,7 @@ func ManagedK8SProviderMetadata() metadata.ProviderMetadata { rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: false}) } } - providerMetadata.ProviderRulesets = append(providerMetadata.ProviderRulesets, *rulesetMetadata) + providerMetadata.Rulesets = append(providerMetadata.Rulesets, *rulesetMetadata) } return providerMetadata } diff --git a/pkg/provider/builder/virtualgarden.go b/pkg/provider/builder/virtualgarden.go index c3dfaffd7..69abad58e 100644 --- a/pkg/provider/builder/virtualgarden.go +++ b/pkg/provider/builder/virtualgarden.go 
@@ -61,20 +61,20 @@ func virtualGardenGetSupportedVersions(ruleset string) []string { } // VirtualGardenProviderMetadata returns available metadata for the Virtual Garden Provider and it's supported rulesets. -func VirtualGardenProviderMetadata() metadata.ProviderMetadata { - providerMetadata := metadata.ProviderMetadata{} - providerMetadata.ProviderID = "virtualgarden" - providerMetadata.ProviderName = "Virtual Garden" +func VirtualGardenProviderMetadata() metadata.ProviderDetailed { + providerMetadata := metadata.ProviderDetailed{} + providerMetadata.ID = "virtualgarden" + providerMetadata.Name = "Virtual Garden" var availableRulesets = map[string]string{ disak8sstig.RulesetID: disak8sstig.RulesetName, } for rulesetID, rulesetName := range availableRulesets { - rulesetMetadata := &metadata.RulesetMetadata{} - rulesetMetadata.RulesetID = rulesetID - rulesetMetadata.RulesetName = rulesetName - rulesetSupportedVersions := virtualGardenGetSupportedVersions(rulesetMetadata.RulesetID) + rulesetMetadata := &metadata.Ruleset{} + rulesetMetadata.ID = rulesetID + rulesetMetadata.Name = rulesetName + rulesetSupportedVersions := virtualGardenGetSupportedVersions(rulesetMetadata.ID) for index, supportedVersion := range rulesetSupportedVersions { if index == 0 { @@ -83,7 +83,7 @@ func VirtualGardenProviderMetadata() metadata.ProviderMetadata { rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: false}) } } - providerMetadata.ProviderRulesets = append(providerMetadata.ProviderRulesets, *rulesetMetadata) + providerMetadata.Rulesets = append(providerMetadata.Rulesets, *rulesetMetadata) } return providerMetadata } From 688fadc83e9ddb317b847ea0cc2e18bdde388d07 Mon Sep 17 00:00:00 2001 From: georgibaltiev Date: Fri, 3 Jan 2025 11:33:39 +0200 Subject: [PATCH 12/26] Add comment and reference changes to the app command --- cmd/diki/app/app.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/cmd/diki/app/app.go b/cmd/diki/app/app.go index d1f4688b9..90b00bff7 100644 --- a/cmd/diki/app/app.go +++ b/cmd/diki/app/app.go @@ -139,8 +139,8 @@ e.g. to check compliance of your hyperscaler accounts.`, showProviderCmd := &cobra.Command{ Use: "provider", - Short: "", - Long: "", + Short: "Show detailed information for the given provider.", + Long: "Show detailed information for the given provider.", RunE: func(_ *cobra.Command, args []string) error { return showProviderCmd(args) }, @@ -186,7 +186,7 @@ func showProviderCmd(args []string) error { } var ( - providerFuncMap = map[string]func() metadata.ProviderMetadata{ + providerFuncMap = map[string]func() metadata.ProviderDetailed{ "gardener": builder.GardenerProviderMetadata, "garden": builder.GardenProviderMetadata, "managedk8s": builder.ManagedK8SProviderMetadata, @@ -198,7 +198,7 @@ func showProviderCmd(args []string) error { providersMetadata := []metadata.Provider{} for providerID := range providerFuncMap { - providersMetadata = append(providersMetadata, metadata.Provider{ProviderID: providerID, ProviderName: providerFuncMap[providerID]().ProviderName}) + providersMetadata = append(providersMetadata, metadata.Provider{ID: providerID, Name: providerFuncMap[providerID]().Name}) } if bytes, err := json.Marshal(providersMetadata); err != nil { From 99e3b2e450157182b1093782383214f26edbc562 Mon Sep 17 00:00:00 2001 From: georgibaltiev Date: Fri, 3 Jan 2025 11:42:31 +0200 Subject: [PATCH 13/26] Add additional comments to the ruleset files --- pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go | 1 + pkg/provider/gardener/ruleset/disak8sstig/ruleset.go | 1 + pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go | 1 + pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go | 1 + pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go | 1 + 5 files changed, 5 insertions(+) 
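Review bot: `Short` and `Long` of the `provider` subcommand are now the same sentence, and neither mentions that the command prints JSON or that it lists all built-in providers when no argument is given, which is what `showProviderCmd` does. Cobra convention keeps `Short` without a trailing period, so `Short: "Show detailed information for the given provider"`, and `Long` can carry the behaviour: `Long: "Show detailed information for the given provider as JSON. Without an argument, list the IDs and names of all providers built into this diki binary."`. The `Use` line could also advertise the optional argument, e.g. `Use: "provider [provider-id]"`, so `--help` shows the two modes.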
diff --git a/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go b/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go index 24918b126..299289efb 100644 --- a/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go +++ b/pkg/provider/garden/ruleset/securityhardenedshoot/ruleset.go @@ -28,6 +28,7 @@ const ( var ( _ ruleset.Ruleset = &Ruleset{} // SupportedVersions is a list of available versions for the Security Hardened Shoot Cluster Ruleset. + // Versions are sorted from newest to oldest. SupportedVersions = []string{"v0.1.0"} ) diff --git a/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go b/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go index 2bdde2a8c..f297d5fc9 100644 --- a/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go @@ -30,6 +30,7 @@ const ( var ( _ ruleset.Ruleset = &Ruleset{} // SupportedVersions is a list of available versions for the DISA Kubernetes STIG Ruleset. + // Versions are sorted from newest to oldest. SupportedVersions = []string{"v2r1", "v1r11"} ) diff --git a/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go b/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go index 48b8cb0e8..91ee204e8 100644 --- a/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go @@ -30,6 +30,7 @@ const ( var ( _ ruleset.Ruleset = &Ruleset{} // SupportedVersions is a list of available versions for the DISA Kubernetes STIG Ruleset. + // Versions are sorted from newest to oldest. SupportedVersions = []string{"v2r1", "v1r11"} ) diff --git a/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go b/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go index 2d6a7a894..987acad11 100644 --- a/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go +++ b/pkg/provider/managedk8s/ruleset/securityhardenedk8s/ruleset.go 
@@ -27,6 +27,7 @@ const ( var ( _ ruleset.Ruleset = &Ruleset{} // SupportedVersions is a list of available versions for the Security Hardened Kubernetes Cluster Ruleset. + // Versions are sorted from newest to oldest. SupportedVersions = []string{"v0.1.0"} ) diff --git a/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go b/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go index 917199da3..8f23496ef 100644 --- a/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go @@ -30,6 +30,7 @@ const ( var ( _ ruleset.Ruleset = &Ruleset{} // SupportedVersions is a list of available versions for the DISA Kubernetes STIG Ruleset. + // Versions are sorted from newest to oldest. SupportedVersions = []string{"v2r1", "v1r11"} ) From 683c7b5ebb4b949941b2c856b24e817eb9148bf3 Mon Sep 17 00:00:00 2001 From: georgibaltiev Date: Fri, 3 Jan 2025 13:06:39 +0200 Subject: [PATCH 14/26] Refactor metadata initalizing builder methods --- pkg/provider/builder/garden.go | 40 ++++++++++++----------- pkg/provider/builder/gardener.go | 40 ++++++++++++----------- pkg/provider/builder/managedk8s.go | 46 ++++++++++++++++----------- pkg/provider/builder/virtualgarden.go | 41 +++++++++++++----------- 4 files changed, 94 insertions(+), 73 deletions(-) diff --git a/pkg/provider/builder/garden.go b/pkg/provider/builder/garden.go index c827a7593..7beec0a72 100644 --- a/pkg/provider/builder/garden.go +++ b/pkg/provider/builder/garden.go 
@@ -62,28 +62,32 @@ func gardenGetSupportedVersions(ruleset string) []string { // GardenProviderMetadata returns available metadata for the Garden Provider and it's supported rulesets. func GardenProviderMetadata() metadata.ProviderDetailed { - providerMetadata := metadata.ProviderDetailed{} - providerMetadata.ID = "garden" - providerMetadata.Name = "Garden" - - var availableRulesets = map[string]string{ - securityhardenedshoot.RulesetID: securityhardenedshoot.RulesetName, + providerMetadata := metadata.ProviderDetailed{ + Provider: metadata.Provider{ + ID: "garden", + Name: "Garden", + }, + Rulesets: []metadata.Ruleset{ + { + ID: securityhardenedshoot.RulesetID, + Name: securityhardenedshoot.RulesetName, + }, + }, } - for rulesetID, rulesetName := range availableRulesets { - rulesetMetadata := &metadata.Ruleset{} - rulesetMetadata.ID = rulesetID - rulesetMetadata.Name = rulesetName - rulesetSupportedVersions := gardenGetSupportedVersions(rulesetMetadata.ID) + for i := range providerMetadata.Rulesets { + supportedVersions := gardenGetSupportedVersions(providerMetadata.Rulesets[i].ID) + for _, supportedVersion := range supportedVersions { + providerMetadata.Rulesets[i].Versions = append( + providerMetadata.Rulesets[i].Versions, + metadata.Version{Version: supportedVersion, Latest: false}, + ) + } - for index, supportedVersion := range rulesetSupportedVersions { - if index == 0 { - rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: true}) - } else { - rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: false}) - } + // Mark the first version as latest as the versions are sorted from newest to oldest + if len(providerMetadata.Rulesets[i].Versions) > 0 { + providerMetadata.Rulesets[i].Versions[0].Latest = true } - providerMetadata.Rulesets = append(providerMetadata.Rulesets, *rulesetMetadata) } return providerMetadata 
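Review bot: `GardenProviderMetadata` is now a near-verbatim copy of the three sibling builders in this commit, differing only in the provider ID and name, the ruleset list and the `*GetSupportedVersions` function it calls; the managedk8s and virtualgarden hunks show the cost of that duplication, since both call `gardenerGetSupportedVersions` instead of their own lookup (corrected in the following commit). Extracting the shared loop into one helper that takes the varying parts as arguments keeps the `Latest` logic in a single place and leaves each public builder as a one-line call, sketched below. The doc comment's `it's` (a context line) should also read `its`.
```go
// buildProviderMetadata assembles the detailed metadata of one provider.
// versionsOf must return a ruleset's supported versions ordered from newest
// to oldest; the first entry is flagged as the latest version.
func buildProviderMetadata(id, name string, rulesets []metadata.Ruleset, versionsOf func(rulesetID string) []string) metadata.ProviderDetailed {
	providerMetadata := metadata.ProviderDetailed{
		Provider: metadata.Provider{ID: id, Name: name},
		Rulesets: rulesets,
	}
	for i := range providerMetadata.Rulesets {
		for _, version := range versionsOf(providerMetadata.Rulesets[i].ID) {
			providerMetadata.Rulesets[i].Versions = append(providerMetadata.Rulesets[i].Versions, metadata.Version{Version: version})
		}
		if len(providerMetadata.Rulesets[i].Versions) > 0 {
			providerMetadata.Rulesets[i].Versions[0].Latest = true
		}
	}
	return providerMetadata
}

// GardenProviderMetadata returns available metadata for the Garden Provider and its supported rulesets.
func GardenProviderMetadata() metadata.ProviderDetailed {
	return buildProviderMetadata("garden", "Garden", []metadata.Ruleset{
		{ID: securityhardenedshoot.RulesetID, Name: securityhardenedshoot.RulesetName},
	}, gardenGetSupportedVersions)
}
```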
diff --git a/pkg/provider/builder/gardener.go b/pkg/provider/builder/gardener.go index b65d04338..0dca11c56 100644 --- a/pkg/provider/builder/gardener.go +++ b/pkg/provider/builder/gardener.go 
@@ -75,28 +75,32 @@ func gardenerGetSupportedVersions(ruleset string) []string { // GardenerProviderMetadata returns available metadata for the Gardener Provider and it's supported rulesets. func GardenerProviderMetadata() metadata.ProviderDetailed { - providerMetadata := metadata.ProviderDetailed{} - providerMetadata.ID = "gardener" - providerMetadata.Name = "Gardener" - - var availableRulesets = map[string]string{ - disak8sstig.RulesetID: disak8sstig.RulesetName, + providerMetadata := metadata.ProviderDetailed{ + Provider: metadata.Provider{ + ID: "gardener", + Name: "Gardener", + }, + Rulesets: []metadata.Ruleset{ + { + ID: disak8sstig.RulesetID, + Name: disak8sstig.RulesetName, + }, + }, } - for rulesetID, rulesetName := range availableRulesets { - rulesetMetadata := &metadata.Ruleset{} - rulesetMetadata.ID = rulesetID - rulesetMetadata.Name = rulesetName - rulesetSupportedVersions := gardenerGetSupportedVersions(rulesetMetadata.ID) + for i := range providerMetadata.Rulesets { + supportedVersions := gardenerGetSupportedVersions(providerMetadata.Rulesets[i].ID) + for _, supportedVersion := range supportedVersions { + providerMetadata.Rulesets[i].Versions = append( + providerMetadata.Rulesets[i].Versions, + metadata.Version{Version: supportedVersion, Latest: false}, + ) + } - for index, supportedVersion := range rulesetSupportedVersions { - if index == 0 { - rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: true}) - } else { - rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: false}) - } + // Mark the first version as latest as the versions are sorted from newest to oldest + if len(providerMetadata.Rulesets[i].Versions) > 0 { + providerMetadata.Rulesets[i].Versions[0].Latest = true } - providerMetadata.Rulesets = append(providerMetadata.Rulesets, *rulesetMetadata) } return providerMetadata 
diff --git a/pkg/provider/builder/managedk8s.go b/pkg/provider/builder/managedk8s.go index a621f8081..28b2d6420 100644 --- a/pkg/provider/builder/managedk8s.go +++ b/pkg/provider/builder/managedk8s.go 
@@ -73,29 +73,37 @@ func managedK8SGetSupportedVersions(ruleset string) []string { // ManagedK8SProviderMetadata returns available metadata for the Managed Kubernetes Provider and it's supported rulesets. func ManagedK8SProviderMetadata() metadata.ProviderDetailed { - providerMetadata := metadata.ProviderDetailed{} - providerMetadata.ID = "managedk8s" - providerMetadata.Name = "Managed Kubernetes" - - var availableRulesets = map[string]string{ - securityhardenedk8s.RulesetID: securityhardenedk8s.RulesetName, - disak8sstig.RulesetID: disak8sstig.RulesetName, + providerMetadata := metadata.ProviderDetailed{ + Provider: metadata.Provider{ + ID: "managedk8s", + Name: "Managed Kubernetes", + }, + Rulesets: []metadata.Ruleset{ + { + ID: securityhardenedk8s.RulesetID, + Name: securityhardenedk8s.RulesetName, + }, + { + ID: disak8sstig.RulesetID, + Name: disak8sstig.RulesetName, + }, + }, } - for rulesetID, rulesetName := range availableRulesets { - rulesetMetadata := &metadata.Ruleset{} - rulesetMetadata.ID = rulesetID - rulesetMetadata.Name = rulesetName - rulesetSupportedVersions := managedK8SGetSupportedVersions(rulesetMetadata.ID) + for i := range providerMetadata.Rulesets { + supportedVersions := gardenerGetSupportedVersions(providerMetadata.Rulesets[i].ID) + for _, supportedVersion := range supportedVersions { + providerMetadata.Rulesets[i].Versions = append( + providerMetadata.Rulesets[i].Versions, + metadata.Version{Version: supportedVersion, Latest: false}, + ) + } - for index, supportedVersion := range rulesetSupportedVersions { - if index == 0 { - rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: true}) - } else { - rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: false}) - } + // Mark the first version as latest as the versions are sorted from newest to oldest + if len(providerMetadata.Rulesets[i].Versions) > 0 { + 
providerMetadata.Rulesets[i].Versions[0].Latest = true } - providerMetadata.Rulesets = append(providerMetadata.Rulesets, *rulesetMetadata) } + return providerMetadata } diff --git a/pkg/provider/builder/virtualgarden.go b/pkg/provider/builder/virtualgarden.go index 69abad58e..c4919d672 100644 --- a/pkg/provider/builder/virtualgarden.go +++ b/pkg/provider/builder/virtualgarden.go 
@@ -62,28 +62,33 @@ func virtualGardenGetSupportedVersions(ruleset string) []string { // VirtualGardenProviderMetadata returns available metadata for the Virtual Garden Provider and it's supported rulesets. func VirtualGardenProviderMetadata() metadata.ProviderDetailed { - providerMetadata := metadata.ProviderDetailed{} - providerMetadata.ID = "virtualgarden" - providerMetadata.Name = "Virtual Garden" - - var availableRulesets = map[string]string{ - disak8sstig.RulesetID: disak8sstig.RulesetName, + providerMetadata := metadata.ProviderDetailed{ + Provider: metadata.Provider{ + ID: "virtualgarden", + Name: "Virtual Garden", + }, + Rulesets: []metadata.Ruleset{ + { + ID: disak8sstig.RulesetID, + Name: disak8sstig.RulesetName, + }, + }, } - for rulesetID, rulesetName := range availableRulesets { - rulesetMetadata := &metadata.Ruleset{} - rulesetMetadata.ID = rulesetID - rulesetMetadata.Name = rulesetName - rulesetSupportedVersions := virtualGardenGetSupportedVersions(rulesetMetadata.ID) + for i := range providerMetadata.Rulesets { + supportedVersions := gardenerGetSupportedVersions(providerMetadata.Rulesets[i].ID) + for _, supportedVersion := range supportedVersions { + providerMetadata.Rulesets[i].Versions = append( + providerMetadata.Rulesets[i].Versions, + metadata.Version{Version: supportedVersion, Latest: false}, + ) + } - for index, supportedVersion := range rulesetSupportedVersions { - if index == 0 { - rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: true}) - } else { - rulesetMetadata.Versions = append(rulesetMetadata.Versions, metadata.Version{Version: supportedVersion, Latest: false}) - } + // Mark the first version as latest as the versions are sorted from newest to oldest + if len(providerMetadata.Rulesets[i].Versions) > 0 { + providerMetadata.Rulesets[i].Versions[0].Latest = true } - providerMetadata.Rulesets = append(providerMetadata.Rulesets, *rulesetMetadata) } + return providerMetadata } 
From 98adb5e316784ea2a0a21bc90c8e086ecec837e4 Mon Sep 17 00:00:00 2001 From: georgibaltiev Date: Fri, 3 Jan 2025 13:09:42 +0200 Subject: [PATCH 15/26] Fix typo --- pkg/provider/builder/managedk8s.go | 2 +- pkg/provider/builder/virtualgarden.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/provider/builder/managedk8s.go b/pkg/provider/builder/managedk8s.go index 28b2d6420..e8166c152 100644 --- a/pkg/provider/builder/managedk8s.go +++ b/pkg/provider/builder/managedk8s.go @@ -91,7 +91,7 @@ func ManagedK8SProviderMetadata() metadata.ProviderDetailed { } for i := range providerMetadata.Rulesets { - supportedVersions := gardenerGetSupportedVersions(providerMetadata.Rulesets[i].ID) + supportedVersions := managedK8SGetSupportedVersions(providerMetadata.Rulesets[i].ID) for _, supportedVersion := range supportedVersions { providerMetadata.Rulesets[i].Versions = append( providerMetadata.Rulesets[i].Versions, diff --git a/pkg/provider/builder/virtualgarden.go b/pkg/provider/builder/virtualgarden.go index c4919d672..fcd3860ae 100644 --- a/pkg/provider/builder/virtualgarden.go +++ b/pkg/provider/builder/virtualgarden.go @@ -76,7 +76,7 @@ func VirtualGardenProviderMetadata() metadata.ProviderDetailed { } for i := range providerMetadata.Rulesets { - supportedVersions := gardenerGetSupportedVersions(providerMetadata.Rulesets[i].ID) + supportedVersions := virtualGardenGetSupportedVersions(providerMetadata.Rulesets[i].ID) for _, supportedVersion := range supportedVersions { providerMetadata.Rulesets[i].Versions = append( providerMetadata.Rulesets[i].Versions, From 9011efdac2efc6a0d7575642253014b1338a6656 Mon Sep 17 00:00:00 2001 
From: georgibaltiev Date: Fri, 3 Jan 2025 14:02:42 +0200 Subject: [PATCH 16/26] Add constants to the provider definition files --- pkg/provider/garden/provider.go | 7 +++++++ pkg/provider/gardener/provider.go | 7 +++++++ pkg/provider/managedk8s/provider.go | 7 +++++++ pkg/provider/virtualgarden/provider.go | 7 +++++++ 4 files changed, 28 insertions(+) diff --git a/pkg/provider/garden/provider.go b/pkg/provider/garden/provider.go index c24691aaf..c4ac24acf 100644 --- a/pkg/provider/garden/provider.go +++ b/pkg/provider/garden/provider.go @@ -21,6 +21,13 @@ import ( sharedprovider "github.com/gardener/diki/pkg/shared/provider" ) +const ( + // ProviderID is a constant containing the id of the Garden provider. + ProviderID = "garden" + // ProviderName is a constant containing the user-friendly name of the Garden provider. + ProviderName = "Garden" +) + // Provider is a Garden Cluster Provider that can // be used to implement rules against a garden cluster. type Provider struct { diff --git a/pkg/provider/gardener/provider.go b/pkg/provider/gardener/provider.go index 277cf5017..f44789aa3 100644 --- a/pkg/provider/gardener/provider.go +++ b/pkg/provider/gardener/provider.go @@ -21,6 +21,13 @@ import ( sharedprovider "github.com/gardener/diki/pkg/shared/provider" ) +const ( + // ProviderID is a constant containing the id of the Gardener provider. + ProviderID = "gardener" + // ProviderName is a constant containing the user-friendly name of the Gardener provider. + ProviderName = "Gardener" +) + // Provider is a Gardener Provider that can be used to implement rules // against a shoot cluster and its controlplane (residing in a seed cluster). type Provider struct { diff --git a/pkg/provider/managedk8s/provider.go b/pkg/provider/managedk8s/provider.go index bd4dc411a..53be63d70 100644 --- a/pkg/provider/managedk8s/provider.go +++ b/pkg/provider/managedk8s/provider.go 
@@ -21,6 +21,13 @@ import ( sharedprovider "github.com/gardener/diki/pkg/shared/provider" ) +const ( + // ProviderID is a constant containing the id of the Managed Kubernetes provider. + ProviderID = "managedk8s" + // ProviderName is a constant containing the user-friendly name of the Managed Kubernetes provider. + ProviderName = "Managed Kubernetes" +) + // Provider is a Managed Kubernetes Cluster Provider that can // be used to implement rules against a kubernetes cluster. type Provider struct { diff --git a/pkg/provider/virtualgarden/provider.go b/pkg/provider/virtualgarden/provider.go index 91f11c8e7..66c23d259 100644 --- a/pkg/provider/virtualgarden/provider.go +++ b/pkg/provider/virtualgarden/provider.go @@ -21,6 +21,13 @@ import ( sharedprovider "github.com/gardener/diki/pkg/shared/provider" ) +const ( + // ProviderID is a constant containing the id of the Virtual Garden provider. + ProviderID = "virtualgarden" + // ProviderName is a constant containing the user-friendly name of the Virtual Garden provider. + ProviderName = "Virtual Garden" +) + // Provider is a Garden Cluster Provider that can be used to implement rules // against a virtual garden cluster and its controlplane (residing in a runtime cluster). type Provider struct { From ff6f2e6beb78cc8c1e5b6b1a4d35e00a1b4b468b Mon Sep 17 00:00:00 2001 From: georgibaltiev Date: Fri, 3 Jan 2025 14:12:18 +0200 Subject: [PATCH 17/26] Add constants to the metadata builder methods --- pkg/provider/builder/garden.go | 4 ++-- pkg/provider/builder/gardener.go | 4 ++-- pkg/provider/builder/managedk8s.go | 4 ++-- pkg/provider/builder/virtualgarden.go | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/pkg/provider/builder/garden.go b/pkg/provider/builder/garden.go index 7beec0a72..695adcedd 100644 --- a/pkg/provider/builder/garden.go +++ b/pkg/provider/builder/garden.go 
@@ -64,8 +64,8 @@ func gardenGetSupportedVersions(ruleset string) []string { func GardenProviderMetadata() metadata.ProviderDetailed { providerMetadata := metadata.ProviderDetailed{ Provider: metadata.Provider{ - ID: "garden", - Name: "Garden", + ID: garden.ProviderID, + Name: garden.ProviderName, }, Rulesets: []metadata.Ruleset{ { diff --git a/pkg/provider/builder/gardener.go b/pkg/provider/builder/gardener.go index 0dca11c56..c2a9005e8 100644 --- a/pkg/provider/builder/gardener.go +++ b/pkg/provider/builder/gardener.go @@ -77,8 +77,8 @@ func gardenerGetSupportedVersions(ruleset string) []string { func GardenerProviderMetadata() metadata.ProviderDetailed { providerMetadata := metadata.ProviderDetailed{ Provider: metadata.Provider{ - ID: "gardener", - Name: "Gardener", + ID: gardener.ProviderID, + Name: gardener.ProviderName, }, Rulesets: []metadata.Ruleset{ { diff --git a/pkg/provider/builder/managedk8s.go b/pkg/provider/builder/managedk8s.go index e8166c152..866e348f9 100644 --- a/pkg/provider/builder/managedk8s.go +++ b/pkg/provider/builder/managedk8s.go @@ -75,8 +75,8 @@ func managedK8SGetSupportedVersions(ruleset string) []string { func ManagedK8SProviderMetadata() metadata.ProviderDetailed { providerMetadata := metadata.ProviderDetailed{ Provider: metadata.Provider{ - ID: "managedk8s", - Name: "Managed Kubernetes", + ID: managedk8s.ProviderID, + Name: managedk8s.ProviderName, }, Rulesets: []metadata.Ruleset{ { diff --git a/pkg/provider/builder/virtualgarden.go b/pkg/provider/builder/virtualgarden.go index fcd3860ae..5adbfc105 100644 --- a/pkg/provider/builder/virtualgarden.go +++ b/pkg/provider/builder/virtualgarden.go 
@@ -64,8 +64,8 @@ func virtualGardenGetSupportedVersions(ruleset string) []string { func VirtualGardenProviderMetadata() metadata.ProviderDetailed { providerMetadata := metadata.ProviderDetailed{ Provider: metadata.Provider{ - ID: "virtualgarden", - Name: "Virtual Garden", + ID: virtualgarden.ProviderID, + Name: virtualgarden.ProviderName, }, Rulesets: []metadata.Ruleset{ { From 03bc32a1b41d22ef8c5329722ac9c05c1673e366 Mon Sep 17 00:00:00 2001 From: georgibaltiev Date: Fri, 3 Jan 2025 14:20:43 +0200 Subject: [PATCH 18/26] Declare and utilize a new string to Metadata map in main.go --- cmd/diki/app/app.go | 22 ++++++---------------- cmd/diki/main.go | 9 ++++++++- pkg/metadata/metadata.go | 3 +++ 3 files changed, 17 insertions(+), 17 deletions(-) diff --git a/cmd/diki/app/app.go b/cmd/diki/app/app.go index 90b00bff7..65bfd74ad 100644 --- a/cmd/diki/app/app.go +++ b/cmd/diki/app/app.go @@ -22,13 +22,12 @@ import ( "github.com/gardener/diki/pkg/config" "github.com/gardener/diki/pkg/metadata" "github.com/gardener/diki/pkg/provider" - "github.com/gardener/diki/pkg/provider/builder" "github.com/gardener/diki/pkg/report" "github.com/gardener/diki/pkg/ruleset" ) // NewDikiCommand creates a new command that is used to start Diki. -func NewDikiCommand(providerCreateFuncs map[string]provider.ProviderFromConfigFunc) *cobra.Command { +func NewDikiCommand(providerCreateFuncs map[string]provider.ProviderFromConfigFunc, metadataFuncs map[string]metadata.MetadataFunc) *cobra.Command { handler := slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelInfo}) logger := slog.New(handler) slog.SetDefault(logger) @@ -142,7 +141,7 @@ e.g. to check compliance of your hyperscaler accounts.`, Short: "Show detailed information for the given provider.", Long: "Show detailed information for the given provider.", RunE: func(_ *cobra.Command, args []string) error { - return showProviderCmd(args) + return showProviderCmd(args, metadataFuncs) }, } 
@@ -180,25 +179,16 @@ func addReportGenerateDiffFlags(cmd *cobra.Command, opts *generateDiffOptions) { cmd.PersistentFlags().Var(cliflag.NewMapStringString(&opts.identityAttributes), "identity-attributes", "The keys are the IDs of the providers that will be present in the generated difference report and the values are metadata attributes to be used as identifiers.") } -func showProviderCmd(args []string) error { +func showProviderCmd(args []string, metadataFuncs map[string]metadata.MetadataFunc) error { if len(args) > 1 { return errors.New("command `show provider` accepts at most one provider") } - var ( - providerFuncMap = map[string]func() metadata.ProviderDetailed{ - "gardener": builder.GardenerProviderMetadata, - "garden": builder.GardenProviderMetadata, - "managedk8s": builder.ManagedK8SProviderMetadata, - "virtualgarden": builder.VirtualGardenProviderMetadata, - } - ) - if len(args) == 0 { providersMetadata := []metadata.Provider{} - for providerID := range providerFuncMap { - providersMetadata = append(providersMetadata, metadata.Provider{ID: providerID, Name: providerFuncMap[providerID]().Name}) + for providerID := range metadataFuncs { + providersMetadata = append(providersMetadata, metadata.Provider{ID: providerID, Name: metadataFuncs[providerID]().Name}) } if bytes, err := json.Marshal(providersMetadata); err != nil { @@ -209,7 +199,7 @@ func showProviderCmd(args []string) error { } else { var providerArg = args[0] - metadataFunc, ok := providerFuncMap[providerArg] + metadataFunc, ok := metadataFuncs[providerArg] if !ok { return fmt.Errorf("provider %s does not exist in the current diki binary", providerArg) } diff --git a/cmd/diki/main.go b/cmd/diki/main.go index a57ab59f7..7376d39a5 100644 --- a/cmd/diki/main.go +++ b/cmd/diki/main.go 
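Review bot: The provider list printed for a bare `show provider` is built by ranging over `metadataFuncs`, and Go randomises map iteration order, so the JSON array comes out in a different order on every run and anything diffing or scripting against that output sees spurious changes. Sorting the IDs before building the list makes the output stable and also lets the slice be pre-sized; it needs a `sort` import. `showProviderCmd` continues past this hunk, the single-provider branch is in the next one.
```go
	if len(args) == 0 {
		providerIDs := make([]string, 0, len(metadataFuncs))
		for providerID := range metadataFuncs {
			providerIDs = append(providerIDs, providerID)
		}
		sort.Strings(providerIDs)

		providersMetadata := make([]metadata.Provider, 0, len(providerIDs))
		for _, providerID := range providerIDs {
			providersMetadata = append(providersMetadata, metadata.Provider{ID: providerID, Name: metadataFuncs[providerID]().Name})
		}
		// … unchanged: marshal and print providersMetadata …
```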
@@ -10,6 +10,7 @@ import ( controllerruntime "sigs.k8s.io/controller-runtime" "github.com/gardener/diki/cmd/diki/app" + "github.com/gardener/diki/pkg/metadata" "github.com/gardener/diki/pkg/provider" "github.com/gardener/diki/pkg/provider/builder" ) @@ -20,7 +21,13 @@ func main() { "gardener": builder.GardenerProviderFromConfig, "managedk8s": builder.ManagedK8SProviderFromConfig, "virtualgarden": builder.VirtualGardenProviderFromConfig, - }) + }, + map[string]metadata.MetadataFunc{ + "garden": builder.GardenProviderMetadata, + "gardener": builder.GardenerProviderMetadata, + "managedk8s": builder.ManagedK8SProviderMetadata, + "virtualgarden": builder.VirtualGardenProviderMetadata, + }) if err := cmd.ExecuteContext(controllerruntime.SetupSignalHandler()); err != nil { log.Fatal(err) diff --git a/pkg/metadata/metadata.go b/pkg/metadata/metadata.go index 1f518a358..f73f5bc84 100644 --- a/pkg/metadata/metadata.go +++ b/pkg/metadata/metadata.go @@ -35,3 +35,6 @@ type ProviderDetailed struct { Provider Rulesets []Ruleset `json:"rulesets"` } + +// MetadataFunc constructs a detailed Provider metadata object +type MetadataFunc func() ProviderDetailed From 95bc6bdc7e765e185bcbfc2d7a535fe2a222fe4c Mon Sep 17 00:00:00 2001 From: georgibaltiev Date: Fri, 3 Jan 2025 14:39:47 +0200 Subject: [PATCH 19/26] Simplify some code --- cmd/diki/app/app.go | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/cmd/diki/app/app.go b/cmd/diki/app/app.go index 65bfd74ad..b7ecaebec 100644 --- a/cmd/diki/app/app.go +++ b/cmd/diki/app/app.go @@ -185,7 +185,7 @@ func showProviderCmd(args []string, metadataFuncs map[string]metadata.MetadataFu } if len(args) == 0 { - providersMetadata := []metadata.Provider{} + var providersMetadata []metadata.Provider for providerID := range metadataFuncs { providersMetadata = append(providersMetadata, metadata.Provider{ID: providerID, Name: metadataFuncs[providerID]().Name}) 
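Review bot: A bare `show provider` now prints `null` instead of `[]` when no provider is registered, because the app.go hunk of the "Simplify some code" commit turns `providersMetadata` into a nil slice and `json.Marshal` encodes nil slices as `null`, whereas the previous `[]metadata.Provider{}` encoded as `[]`. The binary in this series always registers providers, so it is latent, but a consumer parsing the output should not have to handle both shapes. `providersMetadata := make([]metadata.Provider, 0, len(metadataFuncs))` keeps the `[]` encoding and pre-sizes the slice in one go.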
@@ -196,21 +196,20 @@ func showProviderCmd(args []string, metadataFuncs map[string]metadata.MetadataFu } else { fmt.Println(string(bytes)) } - } else { - var providerArg = args[0] + return nil + } - metadataFunc, ok := metadataFuncs[providerArg] - if !ok { - return fmt.Errorf("provider %s does not exist in the current diki binary", providerArg) - } + metadataFunc, ok := metadataFuncs[args[0]] + if !ok { + return fmt.Errorf("provider %s does not exist in the current diki binary", args[0]) + } - providerMetadata := metadataFunc() + providerMetadata := metadataFunc() - if bytes, err := json.Marshal(providerMetadata); err != nil { - return err - } else { - fmt.Println(string(bytes)) - } + if bytes, err := json.Marshal(providerMetadata); err != nil { + return err + } else { + fmt.Println(string(bytes)) } return nil } From 98131a60e05ae8c8c53e60eac389ca1f9f267fbc Mon Sep 17 00:00:00 2001 From: georgibaltiev Date: Mon, 6 Jan 2025 08:46:47 +0200 Subject: [PATCH 20/26] Tabulation --- cmd/diki/main.go | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/cmd/diki/main.go b/cmd/diki/main.go index 7376d39a5..9bcddb251 100644 --- a/cmd/diki/main.go +++ b/cmd/diki/main.go 
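Review bot: The marshal-and-print tail keeps an `else` after a returning `if` and names its result `bytes`, which shadows the standard-library package of that name for the rest of the scope; the `len(args) == 0` branch above uses the same shape. The straight-line early-return form is shorter and avoids the shadowing: `out, err := json.Marshal(providerMetadata)`, `if err != nil { return err }`, `fmt.Println(string(out))`. `showProviderCmd` begins before this hunk.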
@@ -16,18 +16,20 @@ import ( ) func main() { - cmd := app.NewDikiCommand(map[string]provider.ProviderFromConfigFunc{ - "garden": builder.GardenProviderFromConfig, - "gardener": builder.GardenerProviderFromConfig, - "managedk8s": builder.ManagedK8SProviderFromConfig, - "virtualgarden": builder.VirtualGardenProviderFromConfig, - }, + cmd := app.NewDikiCommand( + map[string]provider.ProviderFromConfigFunc{ + "garden": builder.GardenProviderFromConfig, + "gardener": builder.GardenerProviderFromConfig, + "managedk8s": builder.ManagedK8SProviderFromConfig, + "virtualgarden": builder.VirtualGardenProviderFromConfig, + }, map[string]metadata.MetadataFunc{ "garden": builder.GardenProviderMetadata, "gardener": builder.GardenerProviderMetadata, "managedk8s": builder.ManagedK8SProviderMetadata, "virtualgarden": builder.VirtualGardenProviderMetadata, - }) + }, + ) if err := cmd.ExecuteContext(controllerruntime.SetupSignalHandler()); err != nil { log.Fatal(err) From afe1993ed9fd701adda24073cd627e93733b4d2e Mon Sep 17 00:00:00 2001 From: georgibaltiev Date: Tue, 7 Jan 2025 17:23:56 +0200 Subject: [PATCH 21/26] Remove support for version v1r11 --- pkg/provider/gardener/ruleset/disak8sstig/ruleset.go | 2 +- pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go | 2 +- pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go b/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go index 9d8b3f1e1..94a7ef3ad 100644 --- a/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go @@ -31,7 +31,7 @@ var ( _ ruleset.Ruleset = &Ruleset{} // SupportedVersions is a list of available versions for the DISA Kubernetes STIG Ruleset. // Versions are sorted from newest to oldest. - SupportedVersions = []string{"v2r1", "v1r11"} + SupportedVersions = []string{"v2r2", "v2r1"} ) // Ruleset implements DISA Kubernetes STIG. 
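Review bot: The commit is titled as removing `v1r11`, but the hunk also places a new `v2r2` at the head of `SupportedVersions`, which the metadata builders will now report as the `Latest` version of this ruleset, and the same edit is repeated for managedk8s and virtualgarden in the following hunks. Nothing in this diff shows the ruleset constructor accepting `v2r2`, so please confirm the rule implementation exists and that the version handling in the ruleset package accepts every entry of this list; a test feeding each entry of `SupportedVersions` through that constructor would catch drift between advertised and actually supported versions. The commit message should name the addition as well as the removal.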
diff --git a/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go b/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go index cc8029266..f8d722b71 100644 --- a/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go @@ -31,7 +31,7 @@ var ( _ ruleset.Ruleset = &Ruleset{} // SupportedVersions is a list of available versions for the DISA Kubernetes STIG Ruleset. // Versions are sorted from newest to oldest. - SupportedVersions = []string{"v2r1", "v1r11"} + SupportedVersions = []string{"v2r2", "v2r1"} ) // Ruleset implements DISA Kubernetes STIG. diff --git a/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go b/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go index ede7357e4..dd0a66145 100644 --- a/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go @@ -31,7 +31,7 @@ var ( _ ruleset.Ruleset = &Ruleset{} // SupportedVersions is a list of available versions for the DISA Kubernetes STIG Ruleset. // Versions are sorted from newest to oldest. - SupportedVersions = []string{"v2r1", "v1r11"} + SupportedVersions = []string{"v2r2", "v2r1"} ) // Ruleset implements DISA Kubernetes STIG. From d5ac7d086f2e3630d36cb1d4518f28f5410f2dbd Mon Sep 17 00:00:00 2001 From: georgibaltiev Date: Tue, 7 Jan 2025 17:59:32 +0200 Subject: [PATCH 22/26] Correct some nits --- cmd/diki/app/app.go | 4 +--- pkg/metadata/metadata.go | 2 +- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/cmd/diki/app/app.go b/cmd/diki/app/app.go index b7ecaebec..d09945d9c 100644 --- a/cmd/diki/app/app.go +++ b/cmd/diki/app/app.go 
@@ -204,9 +204,7 @@ func showProviderCmd(args []string, metadataFuncs map[string]metadata.MetadataFu return fmt.Errorf("provider %s does not exist in the current diki binary", args[0]) } - providerMetadata := metadataFunc() - - if bytes, err := json.Marshal(providerMetadata); err != nil { + if bytes, err := json.Marshal(metadataFunc()); err != nil { return err } else { fmt.Println(string(bytes)) diff --git a/pkg/metadata/metadata.go b/pkg/metadata/metadata.go index f73f5bc84..410786fba 100644 --- a/pkg/metadata/metadata.go +++ b/pkg/metadata/metadata.go @@ -36,5 +36,5 @@ type ProviderDetailed struct { Rulesets []Ruleset `json:"rulesets"` } -// MetadataFunc constructs a detailed Provider metadata object +// MetadataFunc constructs a detailed Provider metadata object. type MetadataFunc func() ProviderDetailed From 94a0128076b49eacb451850e0030c47911dfc075 Mon Sep 17 00:00:00 2001 From: georgibaltiev Date: Tue, 21 Jan 2025 11:25:37 +0200 Subject: [PATCH 23/26] Add suggestions --- cmd/diki/app/app.go | 14 ++++++++++++-- cmd/diki/main.go | 22 ++++++++++------------ pkg/metadata/metadata.go | 3 --- pkg/provider/provider.go | 10 ++++++++++ 4 files changed, 32 insertions(+), 17 deletions(-) diff --git a/cmd/diki/app/app.go b/cmd/diki/app/app.go index d09945d9c..7313bd386 100644 --- a/cmd/diki/app/app.go +++ b/cmd/diki/app/app.go 
@@ -27,11 +27,21 @@ import ( ) // NewDikiCommand creates a new command that is used to start Diki. -func NewDikiCommand(providerCreateFuncs map[string]provider.ProviderFromConfigFunc, metadataFuncs map[string]metadata.MetadataFunc) *cobra.Command { +func NewDikiCommand(providerOptions map[string]provider.ProviderOption) *cobra.Command { handler := slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelInfo}) logger := slog.New(handler) slog.SetDefault(logger) + providerCreateFuncs := map[string]provider.ProviderFromConfigFunc{} + for providerID, providerOption := range providerOptions { + providerCreateFuncs[providerID] = providerOption.ProviderFromConfigFunc + } + + metadataFuncs := map[string]provider.MetadataFunc{} + for providerID, providerOption := range providerOptions { + metadataFuncs[providerID] = providerOption.MetadataFunc + } + rootCmd := &cobra.Command{ Use: "diki", Short: "Diki a \"compliance checker\" or sorts, a detective control framework.", @@ -179,7 +189,7 @@ func addReportGenerateDiffFlags(cmd *cobra.Command, opts *generateDiffOptions) { cmd.PersistentFlags().Var(cliflag.NewMapStringString(&opts.identityAttributes), "identity-attributes", "The keys are the IDs of the providers that will be present in the generated difference report and the values are metadata attributes to be used as identifiers.") } -func showProviderCmd(args []string, metadataFuncs map[string]metadata.MetadataFunc) error { +func showProviderCmd(args []string, metadataFuncs map[string]provider.MetadataFunc) error { if len(args) > 1 { return errors.New("command `show provider` accepts at most one provider") } diff --git a/cmd/diki/main.go b/cmd/diki/main.go index 9bcddb251..0b28bbb38 100644 --- a/cmd/diki/main.go +++ b/cmd/diki/main.go 
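Review bot: The two maps derived from `providerOptions` are filled by two separate loops over the same map, neither pre-sized, which doubles the iteration and makes it easy for the two to drift if another function is added to `ProviderOption` later. One loop filling both keeps them in lockstep and makes it obvious that every ID lands in both maps. A `nil` `MetadataFunc` or `ProviderFromConfigFunc` in an option is presumably only detected when the corresponding command calls it and panics, so this loop is also the natural place to reject such an option at startup. `NewDikiCommand` continues beyond this hunk.
```go
	providerCreateFuncs := make(map[string]provider.ProviderFromConfigFunc, len(providerOptions))
	metadataFuncs := make(map[string]provider.MetadataFunc, len(providerOptions))
	for providerID, providerOption := range providerOptions {
		providerCreateFuncs[providerID] = providerOption.ProviderFromConfigFunc
		metadataFuncs[providerID] = providerOption.MetadataFunc
	}
	// … unchanged: rootCmd construction …
```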
@@ -10,24 +10,22 @@ import ( controllerruntime "sigs.k8s.io/controller-runtime" "github.com/gardener/diki/cmd/diki/app" - "github.com/gardener/diki/pkg/metadata" "github.com/gardener/diki/pkg/provider" "github.com/gardener/diki/pkg/provider/builder" + + "github.com/gardener/diki/pkg/provider/garden" + "github.com/gardener/diki/pkg/provider/gardener" + "github.com/gardener/diki/pkg/provider/managedk8s" + "github.com/gardener/diki/pkg/provider/virtualgarden" ) func main() { cmd := app.NewDikiCommand( - map[string]provider.ProviderFromConfigFunc{ - "garden": builder.GardenProviderFromConfig, - "gardener": builder.GardenerProviderFromConfig, - "managedk8s": builder.ManagedK8SProviderFromConfig, - "virtualgarden": builder.VirtualGardenProviderFromConfig, - }, - map[string]metadata.MetadataFunc{ - "garden": builder.GardenProviderMetadata, - "gardener": builder.GardenerProviderMetadata, - "managedk8s": builder.ManagedK8SProviderMetadata, - "virtualgarden": builder.VirtualGardenProviderMetadata, + map[string]provider.ProviderOption{ + garden.ProviderID: {ProviderFromConfigFunc: builder.GardenProviderFromConfig, MetadataFunc: builder.GardenProviderMetadata}, + gardener.ProviderID: {ProviderFromConfigFunc: builder.GardenerProviderFromConfig, MetadataFunc: builder.GardenerProviderMetadata}, + managedk8s.ProviderID: {ProviderFromConfigFunc: builder.ManagedK8SProviderFromConfig, MetadataFunc: builder.ManagedK8SProviderMetadata}, + virtualgarden.ProviderID: {ProviderFromConfigFunc: builder.VirtualGardenProviderFromConfig, MetadataFunc: builder.VirtualGardenProviderMetadata}, }, ) diff --git a/pkg/metadata/metadata.go b/pkg/metadata/metadata.go index 410786fba..1f518a358 100644 --- a/pkg/metadata/metadata.go +++ b/pkg/metadata/metadata.go @@ -35,6 +35,3 @@ type ProviderDetailed struct { Provider Rulesets []Ruleset `json:"rulesets"` } - -// MetadataFunc constructs a detailed Provider metadata object. -type MetadataFunc func() ProviderDetailed 
diff --git a/pkg/provider/provider.go b/pkg/provider/provider.go index 3e7f95ea1..417a69f50 100644 --- a/pkg/provider/provider.go +++ b/pkg/provider/provider.go @@ -8,6 +8,7 @@ import ( "context" "github.com/gardener/diki/pkg/config" + "github.com/gardener/diki/pkg/metadata" "github.com/gardener/diki/pkg/rule" "github.com/gardener/diki/pkg/ruleset" ) @@ -32,3 +33,12 @@ type ProviderResult struct { // ProviderFromConfigFunc constructs a Provider from ProviderConfig. type ProviderFromConfigFunc func(conf config.ProviderConfig) (Provider, error) + +// MetadataFunc constructs a detailed Provider metadata object. +type MetadataFunc func() metadata.ProviderDetailed + +// ProviderOptions constructs a pair of a configuarion and metadata function for a specific provider. +type ProviderOption struct { + ProviderFromConfigFunc + MetadataFunc +} From 271e5907d0705d84aa621c72f947c239fe9576dc Mon Sep 17 00:00:00 2001 From: georgibaltiev Date: Tue, 21 Jan 2025 12:20:27 +0200 Subject: [PATCH 24/26] Fix typo --- pkg/provider/provider.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/provider/provider.go b/pkg/provider/provider.go index 417a69f50..1194033ac 100644 --- a/pkg/provider/provider.go +++ b/pkg/provider/provider.go @@ -37,7 +37,7 @@ type ProviderFromConfigFunc func(conf config.ProviderConfig) (Provider, error) // MetadataFunc constructs a detailed Provider metadata object. type MetadataFunc func() metadata.ProviderDetailed -// ProviderOptions constructs a pair of a configuarion and metadata function for a specific provider. +// ProviderOption constructs a pair of a configuarion and metadata function for a specific provider. type ProviderOption struct { ProviderFromConfigFunc MetadataFunc From 7ca3599db0943408e2af8e3fdec775553650e84f Mon Sep 17 00:00:00 2001 From: georgibaltiev Date: Tue, 21 Jan 2025 13:15:11 +0200 Subject: [PATCH 25/26] Tabulation --- cmd/diki/main.go | 1 - 1 file changed, 1 deletion(-) 
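Review bot: The doc comment on `ProviderOption` still reads `configuarion` after the typo-fix commit, which only renames `ProviderOptions` to `ProviderOption`, and `constructs` is the wrong verb for a struct that merely bundles two functions; this comment is what `go doc` shows for the type. Suggest `// ProviderOption bundles the constructor and the metadata function of a single provider.`. Embedding the two function types also gives the fields the long names `ProviderFromConfigFunc` and `MetadataFunc` at every use site; named fields such as `FromConfig` and `Metadata` would read better, though that is an API choice for the maintainers.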
diff --git a/cmd/diki/main.go b/cmd/diki/main.go index 0b28bbb38..e4d6b8ee3 100644 --- a/cmd/diki/main.go +++ b/cmd/diki/main.go @@ -12,7 +12,6 @@ import ( "github.com/gardener/diki/cmd/diki/app" "github.com/gardener/diki/pkg/provider" "github.com/gardener/diki/pkg/provider/builder" - "github.com/gardener/diki/pkg/provider/garden" "github.com/gardener/diki/pkg/provider/gardener" "github.com/gardener/diki/pkg/provider/managedk8s" From 8fbdbce0b18e3bd966ed4de53a0cb9a6c65912bc Mon Sep 17 00:00:00 2001 From: georgibaltiev Date: Tue, 21 Jan 2025 13:39:14 +0200 Subject: [PATCH 26/26] Change comments --- cmd/diki/app/app.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/cmd/diki/app/app.go b/cmd/diki/app/app.go index 7313bd386..98fb0c926 100644 --- a/cmd/diki/app/app.go +++ b/cmd/diki/app/app.go @@ -137,8 +137,8 @@ e.g. to check compliance of your hyperscaler accounts.`, showCmd := &cobra.Command{ Use: "show", - Short: "Show metadata of the providers that the current diki binary supports.", - Long: "Show metadata of the providers that the current diki binary supports.", + Short: "Show metadata information for different diki internals, i.e. providers.", + Long: "Show metadata information for different diki internals, i.e. providers.", RunE: func(_ *cobra.Command, _ []string) error { return errors.New("show subcommand not selected") }, @@ -148,8 +148,8 @@ e.g. to check compliance of your hyperscaler accounts.`, showProviderCmd := &cobra.Command{ Use: "provider", - Short: "Show detailed information for the given provider.", - Long: "Show detailed information for the given provider.", + Short: "Show detailed information for providers.", + Long: "Show detailed information for providers.", RunE: func(_ *cobra.Command, args []string) error { return showProviderCmd(args, metadataFuncs) }, 
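Review bot: The new `Short`/`Long` text of the `show` command says `i.e. providers`, but providers are one example of the internals it may list rather than a restatement, so `e.g.` is the intended abbreviation, and the same wording is duplicated into `Long`, which cobra prints verbatim on `--help`. Suggest `Short: "Show metadata information for diki internals, e.g. providers.",` for both fields.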
@@ -191,7 +191,7 @@ func addReportGenerateDiffFlags(cmd *cobra.Command, opts *generateDiffOptions) { func showProviderCmd(args []string, metadataFuncs map[string]provider.MetadataFunc) error { if len(args) > 1 { - return errors.New("command `show provider` accepts at most one provider") + return errors.New("command 'show provider' accepts at most one provider") } if len(args) == 0 { @@ -211,7 +211,7 @@ func showProviderCmd(args []string, metadataFuncs map[string]provider.MetadataFu metadataFunc, ok := metadataFuncs[args[0]] if !ok { - return fmt.Errorf("provider %s does not exist in the current diki binary", args[0]) + return fmt.Errorf("unknown provider: %s", args[0]) } if bytes, err := json.Marshal(metadataFunc()); err != nil {
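Review bot: The rewritten error for an unrecognised provider interpolates the user's argument with `%s`, so an empty or whitespace-only argument prints as `unknown provider: ` with nothing visible to diagnose; `%q` quotes it and escapes control characters: `return fmt.Errorf("unknown provider: %q", args[0])`. `showProviderCmd` starts before this hunk, and its `len(args) > 1` error path is in the preceding hunk on this line.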