update observer (#358)

* add image verification to observer Signed-off-by: ruriko <[email protected]> * add param to change provenance option, update observer result detail for web ui Signed-off-by: ruriko <[email protected]> * fix operator Signed-off-by: ruriko <[email protected]> * update csv Signed-off-by: ruriko <[email protected]> * remove vulnerable pacakge Signed-off-by: ruriko <[email protected]>
IBM · Sep 27, 2021 · eeb0b4b · eeb0b4b
1 parent 304ad24
commit eeb0b4b
Show file tree

Hide file tree

Showing 11 changed files with 167 additions and 105 deletions.
diff --git a/integrity-shield-operator/api/v1/integrityshield_types.go b/integrity-shield-operator/api/v1/integrityshield_types.go
@@ -123,6 +123,7 @@ type Observer struct {
  LogLevel string `json:"logLevel,omitempty"`
  Interval string `json:"interval,omitempty"`
  ExportDetailResult bool `json:"exportDetailResult,omitempty"`
+ Provenanece bool `json:"provenanece,omitempty"`
  ResultDetailConfigName string `json:"resultDetailConfigName,omitempty"`
  ResultDetailConfigKey string `json:"resultDetailConfigKey,omitempty"`
 }

diff --git a/integrity-shield-operator/bundle/manifests/apis.integrityshield.io_integrityshields.yaml b/integrity-shield-operator/bundle/manifests/apis.integrityshield.io_integrityshields.yaml
@@ -1103,6 +1103,8 @@ spec:
  type: string
  name:
  type: string
+ provenanece:
+ type: boolean
  resultDetailConfigKey:
  type: string
  resultDetailConfigName:

diff --git a/...ity-shield-operator/bundle/manifests/integrity-shield-operator.clusterserviceversion.yaml b/...ity-shield-operator/bundle/manifests/integrity-shield-operator.clusterserviceversion.yaml
@@ -16,7 +16,7 @@ metadata:
  "spec": {
  "affinity": {},
  "labels": {
- "app": "ishield-server"
+ "app": "ishield-api"
  },
  "observer": {
  "enabled": true,
@@ -26,6 +26,7 @@ metadata:
  "interval": "5",
  "logLevel": "info",
  "name": "integrity-shield-observer",
+ "provenanece": true,
  "resultDetailConfigKey": "config.yaml",
  "resultDetailConfigName": "verify-resource-result",
  "selector": {

diff --git a/integrity-shield-operator/config/crd/bases/apis.integrityshield.io_integrityshields.yaml b/integrity-shield-operator/config/crd/bases/apis.integrityshield.io_integrityshields.yaml
@@ -666,6 +666,8 @@ spec:
  type: string
  name:
  type: string
+ provenanece:
+ type: boolean
  resultDetailConfigKey:
  type: string
  resultDetailConfigName:

diff --git a/integrity-shield-operator/config/samples/apis_v1_integrityshield.yaml b/integrity-shield-operator/config/samples/apis_v1_integrityshield.yaml
@@ -418,6 +418,7 @@ spec:
  logLevel: info
  interval: "5"
  exportDetailResult: true
+ provenanece: true
  resultDetailConfigName: verify-resource-result
  resultDetailConfigKey: "config.yaml"
 
diff --git a/integrity-shield-operator/controllers/integrityshield_controller.go b/integrity-shield-operator/controllers/integrityshield_controller.go
@@ -284,9 +284,11 @@ func (r *IntegrityShieldReconciler) deleteClusterScopedChildrenResources(instanc
  }
 
  if instance.Spec.UseGatekeeper {
- _, err = r.deleteConstraintTemplate(instance)
- if err != nil {
- return err
+ if r.isGatekeeperAvailable(instance) {
+ _, err = r.deleteConstraintTemplate(instance)
+ if err != nil {
+ return err
+ }
  }
  } else {
  _, err = r.deleteWebhook(instance)

diff --git a/integrity-shield-operator/resources/deploy.go b/integrity-shield-operator/resources/deploy.go
@@ -309,9 +309,13 @@ func BuildDeploymentForObserver(cr *apiv1.IntegrityShield) *appsv1.Deployment {
  Value: cr.Spec.RequestHandlerConfigName,
  },
  {
- Name: "OBSERVER_RESULT_ENABLED",
+ Name: "ENABLE_DETAIL_RESULT",
  Value: strconv.FormatBool(cr.Spec.Observer.ExportDetailResult),
  },
+ {
+ Name: "ENABLE_PROVENANCE_RESULT",
+ Value: strconv.FormatBool(cr.Spec.Observer.Provenanece),
+ },
  {
  Name: "OBSERVER_RESULT_CONFIG_NAME",
  Value: cr.Spec.Observer.ResultDetailConfigName,

diff --git a/observer/go.mod b/observer/go.mod
@@ -21,4 +21,4 @@ replace (
 
 )
 
-replace github.com/docker/docker => github.com/moby/moby v0.7.3-0.20190826074503-38ab9da00309 // Required by Helm
+// replace github.com/docker/docker => github.com/moby/moby v0.7.3-0.20190826074503-38ab9da00309 // Required by Helm
diff --git a/observer/go.sum b/observer/go.sum
@@ -173,15 +173,13 @@ github.com/Microsoft/go-winio v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugX
 github.com/Microsoft/go-winio v0.4.17-0.20210211115548-6eac466e5fa3/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
 github.com/Microsoft/go-winio v0.4.17-0.20210324224401-5516f17a5958/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
 github.com/Microsoft/go-winio v0.4.17/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
-github.com/Microsoft/go-winio v0.5.0 h1:Elr9Wn+sGKPlkaBvwu4mTrxtmOp3F3yV9qhaHbXGjwU=
 github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
 github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
 github.com/Microsoft/hcsshim v0.8.7-0.20190325164909-8abdbb8205e4/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
 github.com/Microsoft/hcsshim v0.8.7/go.mod h1:OHd7sQqRFrYd3RmSgbgji+ctCwkbq2wbEYNSzOYtcBQ=
 github.com/Microsoft/hcsshim v0.8.9/go.mod h1:5692vkUqntj1idxauYlpoINNKeqCiG6Sg38RRsjT5y8=
 github.com/Microsoft/hcsshim v0.8.14/go.mod h1:NtVKoYxQuTLx6gEq0L96c9Ju4JbRJ4nY2ow3VK6a9Lg=
 github.com/Microsoft/hcsshim v0.8.15/go.mod h1:x38A4YbHbdxJtc0sF6oIz+RG0npwSCAvn69iY6URG00=
-github.com/Microsoft/hcsshim v0.8.16 h1:8/auA4LFIZFTGrqfKhGBSXwM6/4X1fHa/xniyEHu8ac=
 github.com/Microsoft/hcsshim v0.8.16/go.mod h1:o5/SZqmR7x9JNKsW3pu+nqHm0MF8vbA+VxGOoXdC600=
 github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5hlzMzRKMLyo42nCZ9oml8AdTlq/0cvIaBv6tK1RehU=
 github.com/Microsoft/hcsshim/test v0.0.0-20210227013316-43a75bb4edd3/go.mod h1:mw7qgWloBUl75W/gVH3cQszUg1+gUITj7D6NY7ywVnY=
@@ -394,7 +392,6 @@ github.com/containerd/continuity v0.0.0-20200709052629-daa8e1ccc0bc/go.mod h1:cE
 github.com/containerd/continuity v0.0.0-20200710164510-efbc4488d8fe/go.mod h1:cECdGN1O8G9bgKTlLhuPJimka6Xb/Gg7vYzCTNVxhvo=
 github.com/containerd/continuity v0.0.0-20201208142359-180525291bb7/go.mod h1:kR3BEg7bDFaEddKm54WSmrol1fKWDU1nKYkgrcgZT7Y=
 github.com/containerd/continuity v0.0.0-20210208174643-50096c924a4e/go.mod h1:EXlVlkqNba9rJe3j7w3Xa924itAMLgZH4UD/Q4PExuQ=
-github.com/containerd/continuity v0.1.0 h1:UFRRY5JemiAhPZrr/uE0n8fMTLcZsUvySPr1+D7pgr8=
 github.com/containerd/continuity v0.1.0/go.mod h1:ICJu0PwR54nI0yPEnJ6jcS+J7CZAUXrLh8lPo2knzsM=
 github.com/containerd/fifo v0.0.0-20180307165137-3d5202aec260/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
 github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
@@ -509,6 +506,11 @@ github.com/docker/distribution v0.0.0-20190905152932-14b96e55d84c/go.mod h1:0+TT
 github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BUmsJpcB+cRlLU7cSug=
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v1.4.2-0.20200319182547-c7ad2b866182/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v20.10.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v20.10.7+incompatible h1:Z6O9Nhsjv+ayUEeI1IojKbYcsGdgYSNqxe1s2MYzUhQ=
+github.com/docker/docker v20.10.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.6.3 h1:zI2p9+1NQYdnG6sMU26EX4aVGlqbInSQxQXLvzJ4RPQ=
 github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
@@ -517,7 +519,6 @@ github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6Uezg
 github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI=
 github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw=
 github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
 github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
@@ -1311,8 +1312,6 @@ github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQ
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/mitchellh/reflectwalk v1.0.1/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
-github.com/moby/moby v0.7.3-0.20190826074503-38ab9da00309 h1:cvy4lBOYN3gKfKj8Lzz5Q9TfviP+L7koMHY7SvkyTKs=
-github.com/moby/moby v0.7.3-0.20190826074503-38ab9da00309/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc=
 github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
 github.com/moby/sys/mountinfo v0.4.0/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
 github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
@@ -1422,7 +1421,6 @@ github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5X
 github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
 github.com/opencontainers/runc v1.0.0-rc8.0.20190926000215-3e425f80a8c9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
 github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
-github.com/opencontainers/runc v1.0.0-rc93 h1:x2UMpOOVf3kQ8arv/EsDGwim8PTNqzL1/EYDr/+scOM=
 github.com/opencontainers/runc v1.0.0-rc93/go.mod h1:3NOsor4w32B2tC0Zbl8Knk4Wg84SM2ImC1fxBuqJ/H0=
 github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=

diff --git a/observer/pkg/observer/observer.go b/observer/pkg/observer/observer.go
@@ -48,7 +48,7 @@ import (
 
 const timeFormat = "2006-01-02 15:04:05"
 
-const exportDetailResult = "OBSERVER_RESULT_ENABLED"
+const exportDetailResult = "ENABLE_DETAIL_RESULT"
 const detailResultConfigName = "OBSERVER_RESULT_CONFIG_NAME"
 const detailResultConfigKey = "OBSERVER_RESULT_CONFIG_KEY"
 
@@ -87,13 +87,15 @@ type VerifyResultDetail struct {
  VerifyResourceResult *k8smanifest.VerifyResourceResult `json:"verifyResourceResult"`
 }
 type ConstraintResult struct {
- ConstraintName string `json:"constraintName"`
- Violation bool `json:"violation"`
- TotalViolations int `json:"totalViolations"`
- Results []VerifyResultDetail `json:"results"`
+ ConstraintName string `json:"constraintName"`
+ Violation bool `json:"violation"`
+ TotalViolations int `json:"totalViolations"`
+ Results []VerifyResultDetail `json:"results"`
+ Constraint k8smnfconfig.ParameterObject `json:"constraint"`
 }
 
 type ObservationDetailResults struct {
+ Time string `json:"time"`
  ConstraintResults []ConstraintResult `json:"constraintResults"`
 }
 
@@ -214,7 +216,24 @@ func (self *Observer) Run() {
  ignoreFields := constraint.Parameters.IgnoreFields
  secrets := constraint.Parameters.KeyConfigs
  ignoreFields = append(ignoreFields, rhconfig.RequestFilterProfile.IgnoreFields...)
- results := ObserveResources(resources, constraint.Parameters.SignatureRef, ignoreFields, secrets)
+ results := []VerifyResultDetail{}
+ for _, resource := range resources {
+ result := ObserveResource(resource, constraint.Parameters.SignatureRef, ignoreFields, secrets)
+ imgAllow, imgMsg := ObserveImage(resource, constraint.Parameters.ImageProfile)
+ if !imgAllow {
+ if !result.Violation {
+ result.Violation = true
+ result.Message = imgMsg
+ } else {
+ result.Message = fmt.Sprintf("%s, [Image]%s", result.Message, imgMsg)
+ }
+ }
+
+ log.Debug("VerifyResultDetail", result)
+ results = append(results, result)
+ }
+
+ // prepare for manifest integrity state
  for _, res := range results {
  // simple result
  if res.Violation {
@@ -284,13 +303,15 @@ func (self *Observer) Run() {
  Results: results,
  Violation: violated,
  TotalViolations: count,
+ Constraint: constraint.Parameters,
  }
  constraintResults = append(constraintResults, cres)
  }
 
  // export ConstraintResult
  res := ObservationDetailResults{
  ConstraintResults: constraintResults,
+ Time: time.Now().Format(timeFormat),
  }
  _ = exportResultDetail(res)
  return