accuknox · nyrahul · Apr 25, 2023 · Mar 8, 2023 · Apr 18, 2023 · Apr 20, 2023
diff --git a/deployments/helm/values.yaml b/deployments/helm/values.yaml
@@ -40,7 +40,7 @@ clusterRole:
   name: discovery-engine-role
   rules:
   - apiGroups: ["*"]
-    resources: ["pods", "services", "deployments", "endpoints", "namespaces", "nodes"]
+    resources: ["pods", "services", "deployments", "endpoints", "namespaces", "nodes", "replicasets", "statefulsets"]
     verbs: ["get", "list", "watch"]
 
 #clusterroleBinding

diff --git a/deployments/k8s/deployment.yaml b/deployments/k8s/deployment.yaml
@@ -163,7 +163,7 @@ metadata:
   name: discovery-engine-role
 rules:
 - apiGroups: ["*"]
-  resources: ["pods", "services", "deployments", "endpoints", "namespaces", "nodes"]
+  resources: ["pods", "services", "deployments", "endpoints", "namespaces", "nodes", "replicasets", "statefulsets"]
   verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/src/recommendpolicy/recommendPolicy.go b/src/recommendpolicy/recommendPolicy.go
@@ -2,6 +2,7 @@ package recommendpolicy
 
 import (
 	"context"
+
 	"github.com/accuknox/auto-policy-discovery/src/admissioncontrollerpolicy"
 	"github.com/accuknox/auto-policy-discovery/src/cluster"
 	cfg "github.com/accuknox/auto-policy-discovery/src/config"
@@ -10,6 +11,7 @@ import (
 	"github.com/accuknox/auto-policy-discovery/src/types"
 	"github.com/robfig/cron"
 	"github.com/rs/zerolog"
+	v1 "k8s.io/api/apps/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -31,13 +33,12 @@ var RecommendStopChan chan struct{}
 // const values
 const (
 	// operation mode
-	OP_MODE_NOOP    = 0
-	OP_MODE_CRONJOB = 1
-	OP_MODE_ONETIME = 2
+	opModeNoop    = 0
+	opModeCronjob = 1
 
 	// status
-	STATUS_RUNNING = "running"
-	STATUS_IDLE    = "idle"
+	statusRunning = "running"
+	statusIdle    = "idle"
 )
 
 // CurrentVersion stores the current version of policy-template
@@ -55,20 +56,20 @@ var DeployNsName []types.Deployment
 // init Function
 func init() {
 	log = logger.GetInstance()
-	RecommendWorkerStatus = STATUS_IDLE
+	RecommendWorkerStatus = statusIdle
 	RecommendStopChan = make(chan struct{})
 }
 
 // StartRecommendWorker starts the recommended worker
 func StartRecommendWorker() {
-	if RecommendWorkerStatus != STATUS_IDLE {
+	if RecommendWorkerStatus != statusIdle {
 		log.Info().Msg("There is no idle recommend policy worker")
 
 		return
 	}
-	if cfg.GetCfgRecOperationMode() == OP_MODE_NOOP { // Do not run the operation
+	if cfg.GetCfgRecOperationMode() == opModeNoop { // Do not run the operation
 		log.Info().Msg("Recommendation operation mode is NOOP ... NO RECOMMENDED POLICY")
-	} else if cfg.GetCfgRecOperationMode() == OP_MODE_CRONJOB { // every time intervals
+	} else if cfg.GetCfgRecOperationMode() == opModeCronjob { // every time intervals
 		DeployNsName = []types.Deployment{}
 		log.Info().Msg("Recommended policy cron job started")
 		RecommendPolicyMain()
@@ -81,10 +82,10 @@ func StartRecommendWorker() {
 
 // StopRecommendWorker stops the recommendation worker
 func StopRecommendWorker() {
-	if cfg.GetCfgRecOperationMode() == OP_MODE_CRONJOB { // every time intervals
+	if cfg.GetCfgRecOperationMode() == opModeCronjob { // every time intervals
 		StopRecommendCronJob()
 	} else {
-		if RecommendWorkerStatus != STATUS_RUNNING {
+		if RecommendWorkerStatus != statusRunning {
 			log.Info().Msg("There is no running policy recommendation worker")
 			return
 		}
@@ -122,20 +123,31 @@ func StopRecommendCronJob() {
 // RecommendPolicyMain generates recommended policies from policy-template GH
 func RecommendPolicyMain() {
 
-	nsNotFilterSysPolicy := cfg.CurrentCfg.ConfigSysPolicy.NsNotFilter
-
-	if !isLatest() {
-		if _, err := DownloadAndUnzipRelease(); err != nil {
-			log.Error().Msgf("Unable to download %v", err.Error())
-		}
-	}
+	nsNotFilter := cfg.CurrentCfg.ConfigSysPolicy.NsNotFilter
 	client := cluster.ConnectK8sClient()
 	deployments, err := client.AppsV1().Deployments("").List(context.Background(), metav1.ListOptions{})
 	if err != nil {
 		log.Error().Msg(err.Error())
 		return
 	}
+	replicaSets, err := client.AppsV1().ReplicaSets("").List(context.Background(), metav1.ListOptions{})
+	if err != nil {
+		log.Error().Msg("Error getting replicasets err=" + err.Error())
+		return
+	}
+	statefulSets, err := client.AppsV1().StatefulSets("").List(context.Background(), metav1.ListOptions{})
+	if err != nil {
+		log.Error().Msg("Error getting statefulsets err=" + err.Error())
+		return
+	}
 	systempolicy.InitSysPolicyDiscoveryConfiguration()
+	policies := GetHardenPolicy(deployments, replicaSets, statefulSets, nsNotFilter)
+	if policies == nil {
+		log.Error().Msg("Error generating hardened policies")
+		return
+	}
+	systempolicy.UpdateSysPolicies(policies)
+
 	admissioncontrollerpolicy.InitAdmissionControllerPolicyDiscoveryConfiguration()
 	for _, d := range deployments.Items {
 		deploy := uniqueNsDeploy(d.Name, d.Namespace)
@@ -144,7 +156,7 @@ func RecommendPolicyMain() {
 			DeployNsName = append(DeployNsName, *deploy)
 		}
 
-		for _, ns := range nsNotFilterSysPolicy {
+		for _, ns := range nsNotFilter {
 			if d.Namespace != ns {
 				generateHardenPolicy(d.Name, d.Namespace, d.Spec.Template.Labels)
 			}
@@ -159,16 +171,18 @@ func RecommendPolicyMain() {
 			generateAdmissionControllerPolicy(d.Name, d.Namespace, d.Spec.Template.Labels)
 		}
 	}
+
 }
 
-func generateHardenPolicy(name, namespace string, labels LabelMap) {
-	log.Info().Msgf("Generating hardening policy for deployment: %v in namespace: %v", name, namespace)
+func generateHardenPolicy(name, namespace string, labels LabelMap) []types.KnoxSystemPolicy {
+	log.Info().Msgf("Generating hardening policy for: %v in namespace: %v", name, namespace)
 	policies, err := generateKnoxSystemPolicy(name, namespace, labels)
+
 	if err != nil {
 		log.Error().Msg(err.Error())
-		return
+		return nil
 	}
-	systempolicy.UpdateSysPolicies(policies)
+	return policies
 }
 
 func generateAdmissionControllerPolicy(name, namespace string, labels LabelMap) {
@@ -199,3 +213,47 @@ func uniqueNsDeploy(deployName, deployNamespace string) *types.Deployment {
 
 	return &deploy
 }
+
+func GetHardenPolicy(deployments *v1.DeploymentList, replicaSets *v1.ReplicaSetList, statefulSets *v1.StatefulSetList, nsNotFilter []string) []types.KnoxSystemPolicy {
+
+	var policies []types.KnoxSystemPolicy
+	if !isLatest() {
+		version, err := DownloadAndUnzipRelease()
+		if err != nil {
+			log.Error().Msgf("Unable to download %v", err.Error())
+			return nil
+		} else {
+			log.Info().Msgf("Downloaded version: %v", version)
+		}
+	}
+	for _, d := range deployments.Items {
+		deploy := uniqueNsDeploy(d.Name, d.Namespace)
+
+		if deploy != nil {
+			DeployNsName = append(DeployNsName, *deploy)
+		}
+
+		for _, ns := range nsNotFilter {
+			if d.Namespace != ns && len(d.ObjectMeta.OwnerReferences) == 0 {
+				policies = append(policies, generateHardenPolicy(d.Name, d.Namespace, d.Spec.Template.Labels)...)
+			}
+		}
+	}
+
+	for _, r := range replicaSets.Items {
+		for _, ns := range nsNotFilter {
+			if r.Namespace != ns && len(r.ObjectMeta.OwnerReferences) == 0 {
+				policies = append(policies, generateHardenPolicy(r.Name, r.Namespace, r.Spec.Template.Labels)...)
+			}
+		}
+	}
+
+	for _, s := range statefulSets.Items {
+		for _, ns := range nsNotFilter {
+			if s.Namespace != ns && len(s.ObjectMeta.OwnerReferences) == 0 {
+				policies = append(policies, generateHardenPolicy(s.Name, s.Namespace, s.Spec.Template.Labels)...)
+			}
+		}
+	}
+	return policies
+}
diff --git a/tests/go.mod b/tests/go.mod
@@ -3,7 +3,6 @@ module github.com/kubearmor/discovery-engine/tests
 go 1.19
 
 require (
-	github.com/accuknox/auto-policy-discovery/src v0.0.0-20230207142942-3e2adb51594b
 	github.com/kubearmor/KubeArmor/tests v0.0.0-20230110035627-26adfb0a0f18
 	github.com/onsi/ginkgo/v2 v2.7.0
 	github.com/onsi/gomega v1.24.2
@@ -12,24 +11,43 @@ require (
 	sigs.k8s.io/yaml v1.3.0
 )
 
+require (
+	github.com/accuknox/auto-policy-discovery/src v0.0.0-20230320081550-86bcb8b555bd
+	k8s.io/apimachinery v0.24.3
+)
+
+replace github.com/accuknox/auto-policy-discovery/src v0.0.0-20230320081550-86bcb8b555bd => ../src
+
 require (
 	cloud.google.com/go/compute v1.14.0 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
+	github.com/99designs/keyring v1.1.6 // indirect
+	github.com/AthenZ/athenz v1.10.39 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.22 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.17 // indirect
+	github.com/Azure/go-autorest/autorest v0.11.24 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.18 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/DATA-DOG/go-sqlmock v1.5.0 // indirect
+	github.com/DataDog/zstd v1.5.0 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/StackExchange/wmi v1.2.1 // indirect
+	github.com/apache/pulsar-client-go v0.8.1 // indirect
+	github.com/apache/pulsar-client-go/oauth2 v0.0.0-20220120090717-25e59572242e // indirect
+	github.com/ardielle/ardielle-go v1.5.2 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/cavaliergopher/grab/v3 v3.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/cilium/cilium v1.10.14 // indirect
+	github.com/clarketm/json v1.17.1 // indirect
+	github.com/confluentinc/confluent-kafka-go v1.6.1 // indirect
+	github.com/danieljoos/wincred v1.0.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/dvsekhvalnov/jose2go v0.0.0-20200901110807-248326c1351b // indirect
 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
@@ -40,58 +58,76 @@ require (
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.19.6 // indirect
 	github.com/go-openapi/loads v0.21.0 // indirect
-	github.com/go-openapi/runtime v0.21.0 // indirect
+	github.com/go-openapi/runtime v0.21.1 // indirect
 	github.com/go-openapi/spec v0.20.4 // indirect
-	github.com/go-openapi/strfmt v0.21.0 // indirect
+	github.com/go-openapi/strfmt v0.21.1 // indirect
 	github.com/go-openapi/swag v0.19.15 // indirect
 	github.com/go-openapi/validate v0.20.3 // indirect
+	github.com/go-sql-driver/mysql v1.5.0 // indirect
 	github.com/go-stack/stack v1.8.1 // indirect
+	github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v4 v4.1.0 // indirect
+	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
+	github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/btree v1.0.1 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/go-github v17.0.0+incompatible // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/googleapis/gnostic v0.5.5 // indirect
-	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
+	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
+	github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/keybase/go-keychain v0.0.0-20190712205309-48d3d31d256d // indirect
+	github.com/klauspost/compress v1.13.6 // indirect
+	github.com/kubearmor/KVMService/src/types v0.0.0-20220714130113-b0eba8c9ff34 // indirect
 	github.com/kubearmor/KubeArmor/pkg/KubeArmorHostPolicy v0.0.0-20220823050108-4455a183e9ef // indirect
 	github.com/kubearmor/KubeArmor/pkg/KubeArmorPolicy v0.0.0-20220823050108-4455a183e9ef // indirect
 	github.com/kubearmor/KubeArmor/protobuf v0.0.0-20220815044951-425f333210e1 // indirect
 	github.com/kubearmor/kubearmor-client v0.8.3 // indirect
+	github.com/kyverno/kyverno v1.6.10 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
+	github.com/linkedin/goavro/v2 v2.9.8 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/magiconair/properties v1.8.6 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/mattn/go-sqlite3 v1.14.12 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
+	github.com/mtibben/percent v0.2.1 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.2 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 // indirect
+	github.com/pierrec/lz4 v2.6.1+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_golang v1.12.2 // indirect
 	github.com/prometheus/client_model v0.2.1-0.20210607210712-147c58e9608a // indirect
 	github.com/prometheus/common v0.32.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/robfig/cron v1.2.0 // indirect
 	github.com/sasha-s/go-deadlock v0.3.1 // indirect
 	github.com/shirou/gopsutil/v3 v3.21.10 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
+	github.com/spaolacci/murmur3 v1.1.0 // indirect
 	github.com/spf13/afero v1.9.2 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/cobra v1.4.0 // indirect
@@ -103,6 +139,7 @@ require (
 	github.com/xlab/treeprint v1.0.0 // indirect
 	go.mongodb.org/mongo-driver v1.8.4 // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
+	go.uber.org/atomic v1.9.0 // indirect
 	golang.org/x/crypto v0.1.0 // indirect
 	golang.org/x/exp v0.0.0-20221114191408-850992195362 // indirect
 	golang.org/x/net v0.5.0 // indirect
@@ -118,10 +155,10 @@ require (
 	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.22.3 // indirect
-	k8s.io/apimachinery v0.24.3 // indirect
+	k8s.io/apiextensions-apiserver v0.23.2 // indirect
 	k8s.io/cli-runtime v0.24.3 // indirect
 	k8s.io/client-go v11.0.0+incompatible // indirect
 	k8s.io/klog/v2 v2.70.1 // indirect