Squashed commit of the following:

commit 02c7d25 Author: Kugamoorthy Gajananan <[email protected]> Date: Thu Jan 21 15:39:59 2021 +0900 Added make target and script to update version in nessary files after building bundle based on new version (IBM#261) commit 6546dc1 Author: hirokuni-kitahara <[email protected]> Date: Thu Jan 21 15:37:29 2021 +0900 fix integrity shield roles/cert config and add event type annotation to IntegrityShieldEvent (IBM#262) * update role & cert duration and fix e2e test issue * add event type annotation and fix e2e test commit 121e937 Author: hirokuni-kitahara <[email protected]> Date: Wed Jan 20 22:29:17 2021 +0900 fix patch functions and add troubleshooting doc (IBM#259) * fix patch functions and add troubleshooting doc * fix scripts and some parts in doc commit 0ef8683 Author: Yuji Watanabe <[email protected]> Date: Wed Jan 20 22:18:16 2021 +0900 change from K8s to k8s (IBM#260) * change from K8s to k8s * fix tested cluster version
stolostron · Jan 21, 2021 · 385bce0 · 385bce0
1 parent 020e973
commit 385bce0
Show file tree

Hide file tree

Showing 11 changed files with 69 additions and 62 deletions.
diff --git a/Makefile b/Makefile
@@ -298,6 +298,7 @@ delete-test-env:
  @echo
  @echo deleting test namespace
  kubectl delete ns $(TEST_NS)
+ kubectl delete ns $(TEST_NS_NEW)
  kubectl delete ns $(TEST_UNPROTECTED_NS)
 
 setup-test-resources:
@@ -392,6 +393,7 @@ setup-tmp-cr:
  yq write -i $(TMP_CR_FILE) spec.keyConfig[1].secretName $(TEST_SECRET2)
  @echo setup signer config
  yq write -i $(TMP_CR_FILE) spec.signerConfig.policies[2].namespaces[0] $(TEST_NS)
+ yq write -i $(TMP_CR_FILE) spec.signerConfig.policies[2].namespaces[1] $(TEST_NS_NEW)
  yq write -i $(TMP_CR_FILE) spec.signerConfig.policies[2].signers[0] $(TEST_SIGNERS)
  yq write -i $(TMP_CR_FILE) spec.signerConfig.signers[1].name $(TEST_SIGNERS)
  yq write -i $(TMP_CR_FILE) spec.signerConfig.signers[1].keyConfig $(TEST_KEYCONFIG)
@@ -524,3 +526,9 @@ create-private-registry:
 
 delete-private-registry:
  $(ISHIELD_REPO_ROOT)/build/delete-private-registry.sh
+
+.PHONY: update-version
+
+# use this command to update VERSION after doing 'make build-bundle'
+update-version:
+ $(ISHIELD_REPO_ROOT)/build/update-version.sh
diff --git a/build/update-version.sh b/build/update-version.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Copyright 2020 IBM Corporation.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+sed -i "s|$PREV_VERSION|$VERSION|" ${ISHIELD_REPO_ROOT}/docs/ACM/README_DISABLE_ISHIELD_PROTECTION_ACM_ENV.md
+sed -i "s|$PREV_VERSION|$VERSION|" ${ISHIELD_REPO_ROOT}/scripts/install_shield.sh
+sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_OP_DIR}Makefile
+sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_OP_DIR}resources/testdata/deploymentForIShield.yaml
+sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_OP_DIR}resources/testdata/integrityShieldCRForTest.yaml
+sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_OP_DIR}resources/testdata/integrityShieldCR.yaml
+sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_OP_DIR}resources/default-ishield-cr.yaml
+sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_DIR}version/version.go
+sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_DIR}pkg/util/mapnode/node_test.go
diff --git a/integrity-shield-operator/cert/cert.go b/integrity-shield-operator/cert/cert.go
@@ -45,7 +45,7 @@ func GenerateCert(svcName, NS string) ([]byte, []byte, []byte, error) {
  KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
  BasicConstraintsValid: true,
  NotBefore: time.Now(),
- NotAfter: time.Now().AddDate(10, 0, 0),
+ NotAfter: time.Now().AddDate(2, 0, 0),
  }
 
  caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
@@ -92,7 +92,7 @@ func GenerateCert(svcName, NS string) ([]byte, []byte, []byte, error) {
  CommonName: cn,
  },
  NotBefore: time.Now(),
- NotAfter: time.Now().AddDate(10, 0, 0),
+ NotAfter: time.Now().AddDate(2, 0, 0),
  ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
  KeyUsage: x509.KeyUsageDigitalSignature,
  DNSNames: []string{cn},

diff --git a/integrity-shield-operator/config/rbac/role.yaml b/integrity-shield-operator/config/rbac/role.yaml
@@ -39,10 +39,7 @@ rules:
 - apiGroups:
  - apps
  resources:
- - daemonsets
  - deployments
- - replicasets
- - statefulsets
  verbs:
  - create
  - delete
@@ -51,33 +48,14 @@ rules:
  - patch
  - update
  - watch
-- apiGroups:
- - apps
- resources:
- - deployments
- - replicasets
- verbs:
- - get
-- apiGroups:
- - apps
- resourceNames:
- - integrity-shield-operator
- resources:
- - deployments/finalizers
- verbs:
- - update
 - apiGroups:
  - ""
  resources:
  - configmaps
- - endpoints
  - events
- - persistentvolumeclaims
- - pods
  - secrets
  - serviceaccounts
  - services
- - services/finalizers
  verbs:
  - create
  - delete
@@ -86,29 +64,6 @@ rules:
  - patch
  - update
  - watch
-- apiGroups:
- - ""
- resources:
- - namespaces
- verbs:
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - get
-- apiGroups:
- - monitoring.coreos.com
- resources:
- - servicemonitors
- verbs:
- - create
- - get
 - apiGroups:
  - policy
  resources:

diff --git a/integrity-shield-operator/controllers/integrityshield.go b/integrity-shield-operator/controllers/integrityshield.go
@@ -27,6 +27,7 @@ import (
  apiv1alpha1 "github.com/IBM/integrity-enforcer/integrity-shield-operator/api/v1alpha1"
  res "github.com/IBM/integrity-enforcer/integrity-shield-operator/resources"
  rsp "github.com/IBM/integrity-enforcer/shield/pkg/apis/resourcesigningprofile/v1alpha1"
+ common "github.com/IBM/integrity-enforcer/shield/pkg/common"
  admv1 "k8s.io/api/admissionregistration/v1beta1"
  appsv1 "k8s.io/api/apps/v1"
  corev1 "k8s.io/api/core/v1"
@@ -1022,6 +1023,9 @@ func (r *IntegrityShieldReconciler) createOrUpdateWebhookEvent(instance *apiv1al
  ObjectMeta: metav1.ObjectMeta{
  Name: evtName,
  Namespace: evtNamespace,
+ Annotations: map[string]string{
+ common.EventTypeAnnotationKey: common.EventTypeValueReconcileReport,
+ },
  },
  InvolvedObject: involvedObject,
  Type: evtSourceName,

diff --git a/integrity-shield-operator/controllers/integrityshield_controller.go b/integrity-shield-operator/controllers/integrityshield_controller.go
@@ -41,13 +41,8 @@ type IntegrityShieldReconciler struct {
  Scheme *runtime.Scheme
 }
 
-// +kubebuilder:rbac:groups=core,resources=pods;services;serviceaccounts;services/finalizers;endpoints;persistentvolumeclaims;events;configmaps;secrets,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch;update;patch
-// +kubebuilder:rbac:groups=apps,resources=deployments;daemonsets;replicasets;statefulsets,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors,verbs=get;create
-// +kubebuilder:rbac:groups=apps,resources=deployments/finalizers,resourceNames=integrity-shield-operator,verbs=update
-// +kubebuilder:rbac:groups=core,resources=pods,verbs=get
-// +kubebuilder:rbac:groups=apps,resources=deployments;replicasets,verbs=get
+// +kubebuilder:rbac:groups=core,resources=services;serviceaccounts;events;configmaps;secrets,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=apis.integrityshield.io,resources=integrityshields;integrityshields/finalizers;shieldconfigs;signerconfigs;resourcesigningprofiles;resourcesignatures;helmreleasemetadatas,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=*
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;roles;rolebindings,verbs=*

diff --git a/integrity-shield-operator/test/e2e/e2e_test.go b/integrity-shield-operator/test/e2e/e2e_test.go
@@ -418,25 +418,25 @@ var _ = Describe("Test integrity shield", func() {
  framework := initFrameWork()
  var timeout int = 120
  expected := "test-configmap"
- By("Creating new namespace: " + test_namespace)
- cmd_err := Kubectl("create", "ns", test_namespace)
+ By("Creating new namespace: " + test_namespace_new)
+ cmd_err := Kubectl("create", "ns", test_namespace_new)
  Expect(cmd_err).To(BeNil())
- By("Creating test configmap in ns: " + test_namespace)
- cmd_err = Kubectl("apply", "-f", test_configmap, "-n", test_namespace)
+ By("Creating test configmap in ns: " + test_namespace_new)
+ cmd_err = Kubectl("apply", "-f", test_configmap, "-n", test_namespace_new)
  Expect(cmd_err).NotTo(BeNil())
  Eventually(func() error {
- return CheckBlockEvent(framework, "no-signature", test_namespace, expected)
+ return CheckBlockEvent(framework, "no-signature", test_namespace_new, expected)
  }, timeout, 1).Should(BeNil())
  })
  It("Signed resource should be allowed in new namespace", func() {
  framework := initFrameWork()
  var timeout int = 120
  expected := "test-configmap-annotation"
- By("Creating test configmap in ns: " + test_namespace)
- cmd_err := Kubectl("apply", "-f", test_configmap_annotation, "-n", test_namespace)
+ By("Creating test configmap in ns: " + test_namespace_new)
+ cmd_err := Kubectl("apply", "-f", test_configmap_annotation, "-n", test_namespace_new)
  Expect(cmd_err).To(BeNil())
  Eventually(func() error {
- return CheckConfigMap(framework, test_namespace, expected)
+ return CheckConfigMap(framework, test_namespace_new, expected)
  }, timeout, 1).Should(BeNil())
  })
  It("Resources in unmonitored ns can be created without signature", func() {

diff --git a/integrity-shield-operator/test/e2e/framework.go b/integrity-shield-operator/test/e2e/framework.go
@@ -48,6 +48,7 @@ var (
  kubeconfig_user = os.Getenv("KUBE_CONTEXT_USERNAME")
  ishield_namespace = os.Getenv("ISHIELD_OP_NS")
  test_namespace = os.Getenv("TEST_NS")
+ test_namespace_new = os.Getenv("TEST_NS_NEW")
  test_unprotected_namespace = os.Getenv("TEST_UNPROTECTED_NS")
  shield_dir = os.Getenv("SHIELD_OP_DIR")
  deploy_dir = shield_dir + "test/deploy/"

diff --git a/ishield-build.conf b/ishield-build.conf
@@ -30,6 +30,7 @@ WATCH_NAMESPACE=integrity-shield-operator-system
 SHIELD_DIR=${ISHIELD_REPO_ROOT}/shield/
 SHIELD_OP_DIR=${ISHIELD_REPO_ROOT}/integrity-shield-operator/
 TEST_NS=test-ns
+TEST_NS_NEW=test-ns-new
 TEST_UNPROTECTED_NS=unprotected-test-ns
 ENVTEST_ASSETS_DIR=${ISHIELD_REPO_ROOT}/integrity-shield-operator/testbin
 TEST_ASSET_ETCD=${ISHIELD_REPO_ROOT}/integrity-shield-operator/testbin/bin/etcd

diff --git a/shield/pkg/common/common.go b/shield/pkg/common/common.go
@@ -67,6 +67,16 @@ const (
  LabelValueUnverified = "unverified"
 )
 
+const (
+ EventTypeAnnotationKey = "integrityshield.io/eventType"
+ EventResultAnnotationKey = "integrityshield.io/eventResult"
+
+ EventTypeValueReconcileReport = "reconcile-report"
+ EventTypeValueVerifyResult = "verify-result"
+ EventResultValueAllow = "allow"
+ EventResultValueDeny = "deny"
+)
+
 type SignatureType string
 
 const (

diff --git a/shield/pkg/shield/checkUtils.go b/shield/pkg/shield/checkUtils.go
@@ -59,8 +59,10 @@ func createOrUpdateEvent(reqc *common.ReqContext, ctx *CheckContext, sconfig *co
  }
 
  resultStr := "deny"
+ eventResult := common.EventResultValueDeny
  if ctx.Allow {
  resultStr = "allow"
+ eventResult = common.EventResultValueAllow
  }
 
  sourceName := "IntegrityShield"
@@ -87,6 +89,10 @@ func createOrUpdateEvent(reqc *common.ReqContext, ctx *CheckContext, sconfig *co
  evt := &v1.Event{
  ObjectMeta: metav1.ObjectMeta{
  Name: evtName,
+ Annotations: map[string]string{
+ common.EventTypeAnnotationKey: common.EventTypeValueVerifyResult,
+ common.EventResultAnnotationKey: eventResult,
+ },
  },
  InvolvedObject: involvedObject,
  Type: sourceName,