Merge pull request #72 from prachidamle/fix_custom

CIS v2 Alerting and Custom Benchmark fixes

Author: prachidamle

crds/clusterscan.yaml

@@ -28,7 +28,7 @@ spec:
   - JSONPath: .status.lastRunTimestamp
     name: LastRunTimestamp
     type: string
-  - JSONPath: .spec.cronSchedule
+  - JSONPath: .spec.scheduledScanConfig.cronSchedule
     name: CronSchedule
     type: string
   group: cis.cattle.io

crds/clusterscanbenchmark.yaml

@@ -13,6 +13,12 @@ spec:
   - JSONPath: .spec.maxKubernetesVersion
     name: MaxKubernetesVersion
     type: string
+  - JSONPath: .spec.customBenchmarkConfigMapName
+    name: customBenchmarkConfigMapName
+    type: string
+  - JSONPath: .spec.customBenchmarkConfigMapNamespace
+    name: customBenchmarkConfigMapNamespace
+    type: string
   group: cis.cattle.io
   names:
     kind: ClusterScanBenchmark
@@ -31,7 +37,7 @@ spec:
             customBenchmarkConfigMapName:
               nullable: true
               type: string
-            customBenchmarkConfigMapNameSpace:
+            customBenchmarkConfigMapNamespace:
               nullable: true
               type: string
             maxKubernetesVersion:

examples/clusterscanrke.yml

@@ -2,6 +2,11 @@
 apiVersion: cis.cattle.io/v1
 kind: ClusterScan
 metadata:
-  name: rke-cis
+  name: can-you-alert
 spec:
   scanProfileName: rke-profile-hardened
+  scheduledScanConfig:
+    cronSchedule: "*/2 * * * *"
+    scanAlertRule:
+      alertOnComplete: true
+      alertOnFailure: true

examples/custombenchmarkscan.yml

@@ -0,0 +1,7 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScan
+metadata:
+  name: rke-cis-1.6-perm-custom
+spec:
+  scanProfileName: "rke-cis-1.6-permissive"

main.go

@@ -38,6 +38,7 @@ var (
 	securityScanImageTag = "v0.2.1"
 	sonobuoyImage        = "rancher/sonobuoy-sonobuoy"
 	sonobuoyImageTag     = "v0.16.3"
+	clusterName          string
 )
 
 func main() {
@@ -104,6 +105,12 @@ func main() {
 			Value:       "warning",
 			Destination: &alertSeverity,
 		},
+		cli.StringFlag{
+			Name:        "clusterName",
+			EnvVar:      "CLUSTER_NAME",
+			Value:       "",
+			Destination: &clusterName,
+		},
 	}
 	app.Action = run
 
@@ -137,6 +144,7 @@ func run(c *cli.Context) {
 		SonobuoyImage:        sonobuoyImage,
 		SonobuoyImageTag:     sonobuoyImageTag,
 		AlertSeverity:        alertSeverity,
+		ClusterName:          clusterName,
 	}
 
 	if err := validateConfig(imgConfig); err != nil {

pkg/apis/cis.cattle.io/v1/types.go

@@ -117,7 +117,7 @@ type ClusterScanBenchmarkSpec struct {
 	MaxKubernetesVersion string `json:"maxKubernetesVersion,omitempty"`
 
 	CustomBenchmarkConfigMapName      string `json:"customBenchmarkConfigMapName,omitempty"`
-	CustomBenchmarkConfigMapNameSpace string `json:"customBenchmarkConfigMapNameSpace,omitempty"`
+	CustomBenchmarkConfigMapNamespace string `json:"customBenchmarkConfigMapNamespace,omitempty"`
 }
 
 // +genclient
@@ -159,4 +159,5 @@ type ScanImageConfig struct {
 	SonobuoyImage        string
 	SonobuoyImageTag     string
 	AlertSeverity        string
+	ClusterName          string
 }

pkg/crds/crd.go

@@ -49,7 +49,7 @@ func List() []crd.CRD {
 				WithColumn("Warn", ".status.summary.warn").
 				WithColumn("Not Applicable", ".status.summary.notApplicable").
 				WithColumn("LastRunTimestamp", ".status.lastRunTimestamp").
-				WithColumn("CronSchedule", ".spec.cronSchedule")
+				WithColumn("CronSchedule", ".spec.scheduledScanConfig.cronSchedule")
 		}),
 		newCRD(&cisoperator.ClusterScanProfile{}, func(c crd.CRD) crd.CRD {
 			return c.
@@ -64,7 +64,9 @@ func List() []crd.CRD {
 			return c.
 				WithColumn("ClusterProvider", ".spec.clusterProvider").
 				WithColumn("MinKubernetesVersion", ".spec.minKubernetesVersion").
-				WithColumn("MaxKubernetesVersion", ".spec.maxKubernetesVersion")
+				WithColumn("MaxKubernetesVersion", ".spec.maxKubernetesVersion").
+				WithColumn("customBenchmarkConfigMapName", ".spec.customBenchmarkConfigMapName").
+				WithColumn("customBenchmarkConfigMapNamespace", ".spec.customBenchmarkConfigMapNamespace")
 		}),
 	}
 }

pkg/securityscan/alert/prometheusrule.go

@@ -26,6 +26,7 @@ func NewPrometheusRule(clusterscan *cisoperatorapiv1.ClusterScan, clusterscanpro
 		"scanProfileName": clusterscanprofile.Name,
 		"alertOnFailure":  clusterscan.Spec.ScheduledScanConfig.ScanAlertRule.AlertOnFailure,
 		"alertOnComplete": clusterscan.Spec.ScheduledScanConfig.ScanAlertRule.AlertOnComplete,
+		"failOnWarn":      clusterscan.Spec.ScoreWarning == cisoperatorapiv1.ClusterScanFailOnWarning,
 	}
 	scanAlertRule, err := generatePrometheusRule(clusterscan, templateName, templatePath, configdata)
 	if err != nil {

pkg/securityscan/alert/templates/prometheusrule.template

@@ -12,9 +12,13 @@ spec:
 {{- if .alertOnFailure }}
     - alert: CISScanHasFailures
       annotations:
-        description: CIS ClusterScan "{{ .scanName }}" has {{ "{{ $value }}" }} test failures
+        description: CIS ClusterScan "{{ .scanName }}" has {{ "{{ $value }}" }} test failures or warnings
         summary: CIS ClusterScan has tests failures
+      {{- if .failOnWarn }}
+      expr: cis_scan_num_tests_fail{scan_name="{{ .scanName }}"} > 0 or ON(scan_name) cis_scan_num_tests_warn{scan_name="{{ .scanName }}"} > 0
+      {{- else }}
       expr: cis_scan_num_tests_fail{scan_name="{{ .scanName }}"} > 0
+      {{- end }}
       for: 1m
       labels:
         severity: {{ .severity }}

pkg/securityscan/controller.go

@@ -50,6 +50,7 @@ type Controller struct {
 	numTestsTotal    *prometheus.GaugeVec
 	numTestsNA       *prometheus.GaugeVec
 	numTestsPassed   *prometheus.GaugeVec
+	numTestsWarn     *prometheus.GaugeVec
 }
 
 func NewController(ctx context.Context, cfg *rest.Config, namespace, name string, imgConfig *cisoperatorapiv1.ScanImageConfig) (ctl *Controller, err error) {
@@ -186,6 +187,7 @@ func initializeMetrics(ctl *Controller) error {
 			"scan_name",
 			// name of the clusterScanProfile used for scanning
 			"scan_profile_name",
+			"cluster_name",
 		},
 	)
 	if err := prometheus.Register(ctl.numTestsFailed); err != nil {
@@ -202,6 +204,7 @@ func initializeMetrics(ctl *Controller) error {
 			"scan_name",
 			// name of the clusterScanProfile used for scanning
 			"scan_profile_name",
+			"cluster_name",
 		},
 	)
 	if err := prometheus.Register(ctl.numScansComplete); err != nil {
@@ -218,6 +221,7 @@ func initializeMetrics(ctl *Controller) error {
 			"scan_name",
 			// name of the clusterScanProfile used for scanning
 			"scan_profile_name",
+			"cluster_name",
 		},
 	)
 	if err := prometheus.Register(ctl.numTestsTotal); err != nil {
@@ -234,6 +238,7 @@ func initializeMetrics(ctl *Controller) error {
 			"scan_name",
 			// name of the clusterScanProfile used for scanning
 			"scan_profile_name",
+			"cluster_name",
 		},
 	)
 	if err := prometheus.Register(ctl.numTestsPassed); err != nil {
@@ -250,6 +255,7 @@ func initializeMetrics(ctl *Controller) error {
 			"scan_name",
 			// name of the clusterScanProfile used for scanning
 			"scan_profile_name",
+			"cluster_name",
 		},
 	)
 	if err := prometheus.Register(ctl.numTestsSkipped); err != nil {
@@ -266,11 +272,29 @@ func initializeMetrics(ctl *Controller) error {
 			"scan_name",
 			// name of the clusterScanProfile used for scanning
 			"scan_profile_name",
+			"cluster_name",
 		},
 	)
 	if err := prometheus.Register(ctl.numTestsNA); err != nil {
 		return err
 	}
 
+	ctl.numTestsWarn = prometheus.NewGaugeVec(
+		prometheus.GaugeOpts{
+			Name: "cis_scan_num_tests_warn",
+			Help: "Number of tests having warn status in the CIS scans, partioned by scan_name, scan_profile_name",
+		},
+		[]string{
+			// scan_name will be set to "manual" for on-demand manual scans and the actual name set for the scheduled scans
+			"scan_name",
+			// name of the clusterScanProfile used for scanning
+			"scan_profile_name",
+			"cluster_name",
+		},
+	)
+	if err := prometheus.Register(ctl.numTestsWarn); err != nil {
+		return err
+	}
+
 	return nil
 }