kubeaudit helps you audit your Kubernetes clusters against common security controls


Kubeaudit can now be used as both a command line tool (CLI) and as a Go package!

kubeaudit ☁️ 🔒 💪

kubeaudit is a command line tool and a Go package to audit Kubernetes clusters for various different security concerns, such as:

  • run as non-root
  • use a read-only root filesystem
  • drop scary capabilities, don't add new ones
  • don't run privileged
  • and more!

tldr. kubeaudit makes sure you deploy secure containers!

Package

To use kubeaudit as a Go package, see the package docs.

The rest of this README will focus on how to use kubeaudit as a command line tool.

Command Line Interface (CLI)

Installation

Brew

brew install kubeaudit

Download a binary

Kubeaudit has official releases that are blessed and stable: Official releases

DIY build

Master may have newer features than the stable releases. If you need a newer feature not yet included in a release, make sure you're using Go 1.16+ and run the following:

go get -v github.com/Shopify/kubeaudit

Start using kubeaudit with the Quick Start or view all the supported commands.

Kubectl Plugin

Prerequisite: kubectl v1.12.0 or later

With kubectl v1.12.0 introducing easy pluggability of external functions, kubeaudit can be invoked as kubectl audit by

  • running make plugin and having $GOPATH/bin available in your path.

or

  • renaming the binary to kubectl-audit and having it available in your path.

Docker

We also release a Docker image: shopify/kubeaudit. To run kubeaudit as a job in your cluster see Running kubeaudit in a cluster.

Quick Start

kubeaudit has three modes:

  1. Manifest mode
  2. Local mode
  3. Cluster mode

Manifest Mode

If a Kubernetes manifest file is provided using the -f/--manifest flag, kubeaudit will audit the manifest file.

Example command:

kubeaudit all -f "/path/to/manifest.yml"

Example output:

$ kubeaudit all -f "internal/test/fixtures/all_resources/deployment-apps-v1.yml"

---------------- Results for ---------------

  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: deployment
    namespace: deployment-apps-v1

--------------------------------------------

-- [error] AppArmorAnnotationMissing
   Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/container' should be added.
   Metadata:
      Container: container
      MissingAnnotation: container.apparmor.security.beta.kubernetes.io/container

-- [error] AutomountServiceAccountTokenTrueAndDefaultSA
   Message: Default service account with token mounted. automountServiceAccountToken should be set to 'false' or a non-default service account should be used.

-- [error] CapabilityShouldDropAll
   Message: Capability not set to ALL. Ideally, you should drop ALL capabilities and add the specific ones you need to the add list.
   Metadata:
      Container: container
      Capability: AUDIT_WRITE
...

If no errors with a given minimum severity are found, the following is returned:

All checks completed. 0 high-risk vulnerabilities found

Autofix

Manifest mode also supports autofixing all security issues using the autofix command:

kubeaudit autofix -f "/path/to/manifest.yml"

To write the fixed manifest to a new file instead of modifying the source file, use the -o/--output flag.

kubeaudit autofix -f "/path/to/manifest.yml" -o "/path/to/fixed"

To fix a manifest based on custom rules specified on a kubeaudit config file, use the -k/--kconfig flag.

kubeaudit autofix -k "/path/to/kubeaudit-config.yml" -f "/path/to/manifest.yml" -o "/path/to/fixed"

Cluster Mode

Kubeaudit can detect if it is running within a container in a cluster. If so, it will try to audit all Kubernetes resources in that cluster:

kubeaudit all

Local Mode

Kubeaudit will try to connect to a cluster using the local kubeconfig file ($HOME/.kube/config). A different kubeconfig location can be specified using the -c/--kubeconfig flag.

kubeaudit all -c "/path/to/config"

For more information on kubernetes config files, see https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/

Audit Results

Kubeaudit produces results with three levels of severity:

  • Error: A security issue or invalid kubernetes configuration
  • Warning: A best practice recommendation
  • Info: Informational, no action required. This includes results that are overridden

The minimum severity level can be set using the --minSeverity/-m flag.

By default kubeaudit will output results in a human-readable way. If the output is intended to be further processed, it can be set to output JSON using the --format json flag. To output results as logs (the previous default) use --format logrus.

If there are results of severity level error, kubeaudit will exit with exit code 2. This can be changed using the --exitcode/-e flag.

For all the ways kubeaudit can be customized, see Global Flags.

Commands

Command | Description | Documentation
all | Runs all available auditors, or those specified using a kubeaudit config. | docs
autofix | Automatically fixes security issues. | docs
version | Prints the current kubeaudit version. |

Auditors

Auditors can also be run individually.

Command | Description | Documentation
apparmor | Finds containers running without AppArmor. | docs
asat | Finds pods using an automatically mounted default service account. | docs
capabilities | Finds containers that do not drop the recommended capabilities or add new ones. | docs
hostns | Finds containers that have HostPID, HostIPC or HostNetwork enabled. | docs
image | Finds containers which do not use the desired version of an image (via the tag) or use an image without a tag. | docs
limits | Finds containers which exceed the specified CPU and memory limits or do not specify any. | docs
mounts | Finds containers that have sensitive host paths mounted. | docs
netpols | Finds namespaces that do not have a default-deny network policy. | docs
nonroot | Finds containers running as root. | docs
privesc | Finds containers that allow privilege escalation. | docs
privileged | Finds containers running as privileged. | docs
rootfs | Finds containers which do not have a read-only filesystem. | docs
seccomp | Finds containers running without Seccomp. | docs

Global Flags

Short | Long | Description
 | --format | The output format to use (one of "pretty", "logrus", "json") (default is "pretty")
-c | --kubeconfig | Path to local Kubernetes config file. Only used in local mode (default is $HOME/.kube/config)
-f | --manifest | Path to the yaml configuration to audit. Only used in manifest mode.
-n | --namespace | Only audit resources in the specified namespace. Not currently supported in manifest mode.
-m | --minseverity | Set the lowest severity level to report (one of "error", "warning", "info") (default "info")
-e | --exitcode | Exit code to use if there are results with severity of "error". Conventionally, 0 is used for success and all non-zero codes for an error. (default 2)

Configuration File

The kubeaudit config can be used for two things:

  1. Enabling only some auditors
  2. Specifying configuration for auditors

Any configuration that can be specified using flags for the individual auditors can be represented using the config.

The config has the following format:

enabledAuditors:
  # Auditors are enabled by default if they are not explicitly set to "false"
  apparmor: false
  asat: false
  capabilities: true
  hostns: true
  image: true
  limits: true
  mounts: true
  netpols: true
  nonroot: true
  privesc: true
  privileged: true
  rootfs: true
  seccomp: true
auditors:
  capabilities:
    # add capabilities needed to the add list, so kubeaudit won't report errors
    allowAddList: ['AUDIT_WRITE', 'CHOWN']
  image:
    # If no image is specified and the 'image' auditor is enabled, WARN results
    # will be generated for containers which use an image without a tag
    image: 'myimage:mytag'
  limits:
    # If no limits are specified and the 'limits' auditor is enabled, WARN results
    # will be generated for containers which have no cpu or memory limits specified
    cpu: '750m'
    memory: '500m'

For more details about each auditor, including a description of the auditor-specific configuration in the config, see the Auditor Docs.

Note: The kubeaudit config is not the same as the kubeconfig file specified with the -c/--kubeconfig flag, which refers to the Kubernetes config file (see Local Mode). Also note that only the all and autofix commands support using a kubeaudit config. It will not work with other commands.

Note: If flags are used in combination with the config file, flags will take precedence.

Override Errors

Security issues can be ignored for specific containers or pods by adding override labels. This means the auditor will produce info results instead of error results and the audit result name will have Allowed appended to it. The labels are documented in each auditor's documentation, but the general format for auditors that support overrides is as follows:

An override label consists of a key and a value.

The key is a combination of the override type (container or pod) and an override identifier which is unique to each auditor (see the docs for the specific auditor). The key can take one of two forms depending on the override type:

  1. Container overrides, which override the auditor for that specific container, are formatted as follows:
     container.audit.kubernetes.io/[container name].[override identifier]
  2. Pod overrides, which override the auditor for all containers within the pod, are formatted as follows:
     audit.kubernetes.io/pod.[override identifier]

If the value is set to a non-empty string, it will be displayed in the info result as the OverrideReason:

$ kubeaudit asat -f "auditors/asat/fixtures/service-account-token-true-allowed.yml"

---------------- Results for ---------------

  apiVersion: v1
  kind: ReplicationController
  metadata:
    name: replicationcontroller
    namespace: service-account-token-true-allowed

--------------------------------------------

-- [info] AutomountServiceAccountTokenTrueAndDefaultSAAllowed
   Message: Audit result overridden: Default service account with token mounted. automountServiceAccountToken should be set to 'false' or a non-default service account should be used.
   Metadata:
      OverrideReason: SomeReason

As per Kubernetes spec, value must be 63 characters or less and must be empty or begin and end with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between.

Multiple override labels (for multiple auditors) can be added to the same resource.

See the specific auditor docs for the auditor you wish to override for examples.

To learn more about labels, see https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
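The override rules above, worked through in Go as an added example (this is not kubeaudit's own code): it builds the two key forms, resolves which override applies to a given container (a container-scoped label takes priority over a pod-scoped one), appends Allowed to the result name, and checks override values against the label-value rule quoted above so a manifest is not rejected by the API server. The override identifiers used (allow-example-check, allow-other-check, allow-x, allow-y) are constructed placeholders; the real identifiers are listed in each auditor's docs.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Key forms described in the README for auditors that support overrides.
const (
	containerKeyPrefix = "container.audit.kubernetes.io/" // + "<container name>.<override identifier>"
	podKeyPrefix       = "audit.kubernetes.io/pod."        // + "<override identifier>"
)

// labelValueRE encodes the Kubernetes label value rule quoted in the README:
// empty, or alphanumeric at both ends with dashes, underscores, dots and
// alphanumerics in between. The 63-character limit is checked separately.
var labelValueRE = regexp.MustCompile(`^([a-zA-Z0-9]([-_.a-zA-Z0-9]*[a-zA-Z0-9])?)?$`)

// ValidLabelValue reports whether v is an acceptable override label value.
func ValidLabelValue(v string) bool {
	return len(v) <= 63 && labelValueRE.MatchString(v)
}

// ContainerOverrideKey builds the key that overrides one auditor for one container.
func ContainerOverrideKey(container, identifier string) string {
	return containerKeyPrefix + container + "." + identifier
}

// PodOverrideKey builds the key that overrides one auditor for every container in the pod.
func PodOverrideKey(identifier string) string {
	return podKeyPrefix + identifier
}

// Override records where an override came from and the value that kubeaudit
// would surface as OverrideReason (only when non-empty).
type Override struct {
	Scope  string // "container" or "pod"
	Reason string
}

// FindOverride resolves the override for identifier that applies to container,
// given the labels of the pod (or pod template). Container scope wins over pod scope.
func FindOverride(labels map[string]string, container, identifier string) (Override, bool) {
	if v, ok := labels[ContainerOverrideKey(container, identifier)]; ok {
		return Override{Scope: "container", Reason: v}, true
	}
	if v, ok := labels[PodOverrideKey(identifier)]; ok {
		return Override{Scope: "pod", Reason: v}, true
	}
	return Override{}, false
}

// ResultName mirrors the README's naming: an overridden result gets "Allowed" appended.
func ResultName(base string, overridden bool) string {
	if overridden {
		return base + "Allowed"
	}
	return base
}

// LintOverrideLabels returns the override label keys whose values break the
// label-value rule; such a manifest would be rejected on apply, so the
// override would never take effect in a live cluster.
func LintOverrideLabels(labels map[string]string) []string {
	var bad []string
	for k, v := range labels {
		isOverride := strings.HasPrefix(k, containerKeyPrefix) || strings.HasPrefix(k, podKeyPrefix)
		if isOverride && !ValidLabelValue(v) {
			bad = append(bad, k)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	// Constructed labels, as they would sit under metadata.labels of a pod template.
	labels := map[string]string{
		ContainerOverrideKey("container", "allow-example-check"): "SomeReason",
		PodOverrideKey("allow-other-check"):                      "",
	}
	for _, c := range []string{"container", "sidecar"} {
		for _, id := range []string{"allow-example-check", "allow-other-check"} {
			o, ok := FindOverride(labels, c, id)
			fmt.Printf("%-9s %-20s overridden=%-5t scope=%-9q reason=%q\n", c, id, ok, o.Scope, o.Reason)
		}
	}
	fmt.Println("invalid override values:", LintOverrideLabels(map[string]string{
		PodOverrideKey("allow-x"): "-starts-with-dash",
		PodOverrideKey("allow-y"): "fine",
	}))
}
```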

Contributing

If you'd like to fix a bug, contribute a feature or just correct a typo, please feel free to do so as long as you follow our Code of Conduct.

  1. Create your own fork!
  2. Get the source: go get github.com/Shopify/kubeaudit
  3. Go to the source: cd $GOPATH/src/github.com/Shopify/kubeaudit
  4. Add your forked repo as a fork: git remote add fork https://github.com/you-are-awesome/kubeaudit
  5. Create your feature branch: git checkout -b awesome-new-feature
  6. Install Kind
  7. Run the tests to see everything is working as expected: make test (to run tests without Kind: USE_KIND=false make test)
  8. Commit your changes: git commit -am 'Adds awesome feature'
  9. Push to the branch: git push fork
  10. Sign the Contributor License Agreement
  11. Submit a PR (all PRs must be labeled with 🐛 (Bug fix), ✨ (New feature), 📖 (Documentation update), or ⚠️ (Breaking changes))
  12. ???
  13. Profit

Note that if you didn't sign the CLA before opening your PR, you can re-run the check by adding a comment to the PR that says "I've signed the CLA!".

Comments
  • Add a new command to audit runAsUser fields

    Add a new command to audit runAsUser fields

    Description

    Add a new command to audit runAsUser fields. The audit will trigger an alert when the container user ID is not overridden with a non-root user using the runAsUser either in the Pod Security Context or the container Security Context. The check will fail if no runAsUser is specified or if it uses the 0 UID. This is useful to enforce non-root user in container at runtime.

    Here's a sample result:

    kubeaudit runasuser -f "auditors/runasuser/fixtures/run-as-user-0.yml" 
    
    ---------------- Results for ---------------
    
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: deployment
        namespace: run-as-user-0
    
    --------------------------------------------
    
    -- [error] RunAsUserCSCRoot
       Message: container user ID not overridden to non-root user using runAsUser SecurityContext. It should be set to > 0.
       Metadata:
          Container: container
    

    I've also modified the nonroot command's description from This command determines which containers are running as root (uid=0) to This command determines which containers are allowed to run as root (uid=0). because even when runAsNonRoot is set to true or is missing, this doesn't mean that the container will effectively run as root, only that it will be permitted to use the root user if it's the one specified in the image.

    Type of change
    • [x] New feature :sparkles:
    • [x] This change requires a documentation update 📖
    How Has This Been Tested?
    • [x] Automated tests
    • [x] Manual tests (cluster - local mode, manifest files)
    Checklist:
    • [x] I have 🎩 my changes (A 🎩 specifically includes pulling down changes, setting them up, and manually testing the changed features and potential side effects to make sure nothing is broken)
    • [x] I have performed a self-review of my own code
    • [x] I have made corresponding changes to the documentation
    • [x] I have added tests that prove my fix is effective or that my feature works
    • [x] New and existing unit tests pass locally with my changes
    • [ ] The test coverage did not decrease
    • [x] I have signed the appropriate Contributor License Agreement
  • Quota cmd

    Quota cmd

    Hi,

    Setting CPU and memory limits is a good security practice. (see http://blog.kubernetes.io/2016/08/security-best-practices-kubernetes-deployment.html) Why not test this with a kubeaudit command?

    What do you think of this notion and my implementation? Your feedback is very welcome.

    Regards, Jeremie.

  • Bugfixes: Allow any of the deployment types to be used, fix spurious errors on services

    Bugfixes: Allow any of the deployment types to be used, fix spurious errors on services

    This PR fixes two issues I encountered while trying out kubeaudit:

    1. When using another deployment type than the one specified in types.go, checks would silently fail.
    2. When running kubeaudit on a type not known to it (Such as, for example, running kubeaudit -f <service yaml>), you'd get an incorrect error that automountServiceAccountToken: false needed to be set.
  • runAsNonRoot False Positive

    runAsNonRoot False Positive

    ISSUE TYPE
    • [x] Bug Report

    BUG REPORT

    SUMMARY

    Kubeaudit currently returns False positives for "runAsNonRoot". It shows that the Security Context does not have this set ('RunAsNonRoot is not set in ContainerSecurityContext, which results in root user being allowed!'). Is this because it's looking for "RunAsNonRoot" whereas Security Context has "runAsNonRoot" set on it (Caps on 'r')?

    ENVIRONMENT
    • Kubeaudit version: 0.0.0
    • Kubeaudit install method: DIY-BUILD
    STEPS TO REPRODUCE

    General Run of kubeaudit

    EXPECTED RESULTS

    Not see 'RunAsNonRoot is not set in ContainerSecurityContext, which results in root user being allowed!' flagged up as an error

    ACTUAL RESULTS
    'RunAsNonRoot is not set in ContainerSecurityContext, which results in root user being allowed!' as the Error output
    
    ADDITIONAL INFORMATION

    Security Context:

            securityContext:
              fsGroup: 64999
              runAsGroup: 2000
              runAsNonRoot: true
              runAsUser: 2000
    

    Kubeaudit Report:

    {'Container': <Redacted>, 'KubeType': 'daemonSet', 'Name': <Redacted>, 'Namespace': <Redacted>, 'level': 'error', 'msg': 'RunAsNonRoot is not set in ContainerSecurityContext, which results in root user being allowed!', 'time': '2020-04-20T14:30:15-07:00'}
    
  • Initial support for networkPolicy audit

    Initial support for networkPolicy audit

    Signed-off-by: Johannes M. Scheuermann [email protected]

    This PR implements: https://github.com/Shopify/kubeaudit/issues/117

    ToDo

    • [x] Implement check for default-deny
    • [x] Add unit test for NetworkPolicy audit
  • Kubeaudit throws errors instead of warning for unsupported types

    Kubeaudit throws errors instead of warning for unsupported types

    ISSUE TYPE
    • [x] Bug Report
    • [ ] Feature Idea

    BUG REPORT

    SUMMARY

    Kubeaudit returns an error instead of a warning for k8s Jobs because they're unsupported.

    ENVIRONMENT
    • Kubeaudit version: latest
    • Kubeaudit install method: DIY-BUILD/Github app
    STEPS TO REPRODUCE

    Run kubeaudit all -f validJobTemplate.yml

    EXPECTED RESULTS

    Receive a warning that Jobs are not supported by kubeaudit

    ACTUAL RESULTS

    Kubeaudit threw an error that caused my CI to fail

    ADDITIONAL INFORMATION


  • Support dash as short for stdin

    Support dash as short for stdin

    Description

    Simple addition to support a dash as alias for /dev/stdin.

    I would expect a cli tool to accept a simple - in order to read from the stdin stream. For example currently I have to write:

    kustomize build . | kubeaudit all -f /dev/stdin.

    This pr makes it more straightforward: kustomize build . | kubeaudit all -f -

    Type of change
    • [ ] Bug fix :bug:
    • [x] New feature :sparkles:
    • [ ] This change requires a documentation update :book:
    • [ ] Breaking changes :warning:
    How Has This Been Tested?

    Just manually, did not find any preexisting place where cli args are tested, maybe you can point to that if a test is needed.

    • [ ] Test A
    • [ ] Test B
    Checklist:
    • [x] I have :tophat: my changes (A 🎩 specifically includes pulling down changes, setting them up, and manually testing the changed features and potential side effects to make sure nothing is broken)
    • [x] I have performed a self-review of my own code
    • [ ] I have made corresponding changes to the documentation
    • [ ] I have added tests that prove my fix is effective or that my feature works
    • [ ] New and existing unit tests pass locally with my changes
    • [ ] The test coverage did not decrease
    • [x] I have signed the appropriate Contributor License Agreement
  • 🐛 Fix dead link in seccomp auditor docs

    ๐Ÿ› Fix deadlink in seccomp auditor docs

    Description

    Replace dead link to gardener.cloud seccomp tutorial with official kubernetes seccomp tutorial.

    Type of change
    • [x] Bug fix :bug:
    • [ ] New feature :sparkles:
    • [ ] This change requires a documentation update :book:
    • [ ] Breaking changes :warning:
  • support for CRDs that extend common types

    support for CRDs that extend common types

    ISSUE TYPE
    • [ ] Bug Report
    • [X] Feature Idea
    SUMMARY

    I've noticed that Kubeaudit doesn't catch CRDs that are extending typical k8s resources, like apps/v1. It looks like either with finagling the data out with kubectl and scanning you can still get to the original source of truth.

    STEPS TO REPRODUCE

    create a custom CRD based off apps scan k8s don't find anything wrong with deploy applications

    EXPECTED RESULTS

    It should find them

    other stuff

    if you guys want to point me in the direction of where in the code one can specify a custom CRD, that'll work for me and I'll add a flag to support it.

  • Running Kubeaudit as a Cronjob and Kubeaudit's Container image

    Running Kubeaudit as a Cronjob and Kubeaudit's Container image

    ISSUE TYPE
    • [x] Bug Report

    BUG REPORT

    SUMMARY

    I don't seem to find a kubernetes manifest file over here. I would like to run Kubeaudit as a Cronjob for example. Is this documented somewhere?

  • Print INFO message for matching image:tag

    Print INFO message for matching image:tag

    As per the documentation string:

    An INFO log is given when a container has a matching image:tag
    An ERROR log is generated when a container does not match the image:tag
    

    This is not what is happening. Currently, it only prints the ERROR log. This pull request updates the kubectl image command to also print an INFO log when the image:tag matches.

  • Bump k8s.io/apimachinery from 0.24.4 to 0.25.2

    Bump k8s.io/apimachinery from 0.24.4 to 0.25.2

    Bumps k8s.io/apimachinery from 0.24.4 to 0.25.2.

    Commits
    • 478dd6e Merge pull request #112527 from liggitt/automated-cherry-pick-of-#112526
    • 14bc1be Limit redirect proxy handling to redirected responses
    • 8252641 Merge pull request #112330 from enj/automated-cherry-pick-of-#112193
    • 10b456c Merge pull request #112161 from pohly/automated-cherry-pick-of-#112129
    • 4759a80 Add an option for aggregator
    • 3296217 dependencies: update to ginkgo v2.1.6 and gomega v1.20.1
    • 117bd9b Merge pull request #111113 from mimowo/retriable-pod-failures-job-controller
    • 74deb3d Merge pull request #111696 from liggitt/go119mod
    • fef5499 Update go.mod to go1.19
    • 41606c6 Merge pull request #111677 from dims/stop-panic-in-govet-levee
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • Bump k8s.io/apiextensions-apiserver from 0.23.5 to 0.25.2

    Bump k8s.io/apiextensions-apiserver from 0.23.5 to 0.25.2

    Bumps k8s.io/apiextensions-apiserver from 0.23.5 to 0.25.2.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


  • Bump k8s.io/api from 0.24.3 to 0.25.2

    Bump k8s.io/api from 0.24.3 to 0.25.2

    Bumps k8s.io/api from 0.24.3 to 0.25.2.

    Commits
    • 4b838ea Update dependencies to v0.25.2 tag
    • fce3016 Merge pull request #112161 from pohly/automated-cherry-pick-of-#112129
    • 29513a2 dependencies: update to ginkgo v2.1.6 and gomega v1.20.1
    • 5c4a1b1 Merge remote-tracking branch 'origin/master' into release-1.25
    • 714e431 Merge pull request #111657 from aojea/hc_nodeport
    • 8608211 Merge pull request #109090 from sarveshr7/multicidr-rangeallocator
    • b88698c Merge pull request #111258 from dobsonj/kep-596-ga-feature-flag
    • 2f9e588 Merge pull request #111113 from mimowo/retriable-pod-failures-job-controller
    • 3be517c Merge pull request #111696 from liggitt/go119mod
    • 991b481 Merge pull request #108692 from jsafrane/selinux
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


  • Bump k8s.io/client-go from 0.24.3 to 0.25.2

    Bump k8s.io/client-go from 0.24.3 to 0.25.2

    Bumps k8s.io/client-go from 0.24.3 to 0.25.2.

    Commits
    • 593f096 Update dependencies to v0.25.2 tag
    • 1904631 Merge pull request #112161 from pohly/automated-cherry-pick-of-#112129
    • 8f4eb75 Merge pull request #112336 from enj/automated-cherry-pick-of-#112017
    • e278668 dependencies: update to ginkgo v2.1.6 and gomega v1.20.1
    • 1874bc6 exec auth: support TLS config caching
    • db7e2d8 Merge pull request #112055 from aanm/automated-cherry-pick-of-#111752
    • c9008f3 client-go/rest: check if url is nil to prevent nil pointer dereference
    • 1a46dfd Revert "client-go: remove no longer used finalURLTemplate"
    • b3e4a40 Merge remote-tracking branch 'origin/master' into release-1.25
    • c2f61ae Update removal warnings to 1.26
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


  • Migrate to Seccomp profile in security Context :warning:

    Migrate to Seccomp profile in security Context :warning:

    Description

    This PR changes seccomp auditor to scan seccompProfile instead of annotations as requested in https://github.com/Shopify/kubeaudit/issues/343 The following changes were done:

    • seccomp auditor changed to scan securityContext in pod and containers to find seccompProfile. :warning:
    • New fix created in seccomp auditor to create seccomp profile in a pod and containers and to remove profile in containers. The auditor updated to use the new fix.
    • SeccompAnnotationMissing rule renamed to SeccompProfileMissing. :warning:
    • SeccompDeprecatedContainer rule dropped. :warning:
    • Tests updated to cover changes in auditor and fix.
    • Documentation updated.

    Fixes #343

    Type of change
    • [X] This change requires a documentation update :book:
    • [X] Breaking changes :warning:
    How Has This Been Tested?
    • Mostly by automated tests.
    • I've also executed kubeaudit for examples from documentation to update them.
    Checklist:
    • [ ] I have :tophat: my changes (A 🎩 specifically includes pulling down changes, setting them up, and manually testing the changed features and potential side effects to make sure nothing is broken)
    • [X] I have performed a self-review of my own code
    • [X] I have made corresponding changes to the documentation
    • [X] I have added tests that prove my fix is effective or that my feature works
    • [X] New and existing unit tests pass locally with my changes
    • [X] The test coverage did not decrease
    • [X] I have signed the appropriate Contributor License Agreement
  • github action for kubeaudit to generate sarif results

    github action for kubeaudit to generate sarif results

    ISSUE TYPE
    • [ ] Bug Report
    • [x] Feature Idea
    SUMMARY

    the idea here is to offer open source users the convenience of uploading a sarif result as a step in their github action Some ideas for this suggested by @thepwagner:

    Make Shopify/kubeaudit an action

    We add a action.yml file to the Shopify/kubeaudit, turning it into either a Docker container action or composite action.

    This would mean users enable it like:

    - uses: actions/[email protected]
    
    - uses: Shopify/[email protected]
    - uses: Shopify/[email protected] # or a different version
    
    - uses: github/codeql-action/[email protected]
    

    Depending on the implementation, it can result in compiling the kubeaudit binary each run (and be slow).

    Make a Shopify/kubeaudit-action action

    This is a common pattern when an action is wrapping a tool with its own release process, that doesn't want to pollute the original tool by Actions-izing it. https://github.com/golangci/golangci-lint-action is a good example.

    TypeScript is pretty dope for building actions that do this:

    • https://github.com/actions/typescript-action is handy for getting started (I used it for oncall-action)
    • https://github.com/actions/toolkit/tree/main/packages/tool-cache is a good chunk of the tool's functionality (downloading the appropriate version of kubeaudit).

    This would mean users enable it like:

    - uses: actions/[email protected]
    
    - uses: Shopify/[email protected]
      with:
        version: v0.19.0
    - uses: Shopify/[email protected]
      with:
        version: v0.20.0
    
    - uses: github/codeql-action/[email protected]
    

    Since TypeScript runs without container overhead, and this pattern downloads pre-compiled binaries, I think this would have the fastest runtimes.

    FEATURE IDEA

    • [x] If the maintainers agree with the feature as described here, I intend to submit a Pull Request myself. [1]

    Proposal:

    [1] This is the quickest way to get a new feature! We reserve the right to close feature requests, even ones we like, if the proposer does not intend to contribute to the feature and it doesn't fit in our current roadmap.
