Gather installed PSP names (openshift#489)

tremes · web-flow · commit 22f7d362b390 · 2021-09-04T17:51:28.000+02:00
diff --git a/docs/gathered-data.md b/docs/gathered-data.md
@@ -585,6 +585,19 @@ Response see https://docs.okd.io/latest/rest_api/policy_apis/poddisruptionbudget
   * 4.6+
 
 
+## PodSecurityPolicies
+
+gathers the names of installed PodSecurityPolicies
+
+The Kubernetes API https://github.com/kubernetes/client-go/blob/v12.0.0/kubernetes/typed/policy/v1beta1/podsecuritypolicy.go#L76
+
+* Location in archive: config/psp_names.json
+* See: docs/insights-archive-sample/config/psp_names.json
+* Id in config: psps
+* Since versions:
+  * 4.10+
+
+
 ## SAPConfig
 
 collects selected security context constraints
diff --git a/docs/insights-archive-sample/config/psp_names.json b/docs/insights-archive-sample/config/psp_names.json
@@ -0,0 +1,4 @@
+[
+    "100-psp",
+    "next-psp-name"
+]
diff --git a/pkg/gatherers/clusterconfig/clusterconfig_gatherer.go b/pkg/gatherers/clusterconfig/clusterconfig_gatherer.go
@@ -86,6 +86,7 @@ var gatheringFunctions = map[string]gatheringFunction{
 	"pod_network_connectivity_checks":   failableFunc((*Gatherer).GatherPNCC),
 	"machine_autoscalers":               failableFunc((*Gatherer).GatherMachineAutoscalers),
 	"openshift_logging":                 failableFunc((*Gatherer).GatherOpenshiftLogging),
+	"psps":                              failableFunc((*Gatherer).GatherPodSecurityPolicies),
 }
 
 func New(
diff --git a/pkg/gatherers/clusterconfig/pod_security_policies.go b/pkg/gatherers/clusterconfig/pod_security_policies.go
@@ -0,0 +1,43 @@
+package clusterconfig
+
+import (
+	"context"
+
+	"github.com/openshift/insights-operator/pkg/record"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	policyclient "k8s.io/client-go/kubernetes/typed/policy/v1beta1"
+)
+
+// GatherPodSecurityPolicies gathers the names of installed PodSecurityPolicies
+//
+// The Kubernetes API https://github.com/kubernetes/client-go/blob/v12.0.0/kubernetes/typed/policy/v1beta1/podsecuritypolicy.go#L76
+//
+// * Location in archive: config/psp_names.json
+// * See: docs/insights-archive-sample/config/psp_names.json
+// * Id in config: psps
+// * Since versions:
+//   * 4.10+
+func (g *Gatherer) GatherPodSecurityPolicies(ctx context.Context) ([]record.Record, []error) {
+	gatherPolicyClient, err := policyclient.NewForConfig(g.gatherKubeConfig)
+	if err != nil {
+		return nil, []error{err}
+	}
+
+	return gatherPodSecurityPolicies(ctx, gatherPolicyClient)
+}
+
+func gatherPodSecurityPolicies(ctx context.Context, policyClient policyclient.PolicyV1beta1Interface) ([]record.Record, []error) {
+	psps, err := policyClient.PodSecurityPolicies().List(ctx, metav1.ListOptions{})
+	if err != nil {
+		return nil, []error{err}
+	}
+	pspNames := make([]string, 0, len(psps.Items))
+	for i := range psps.Items {
+		psp := psps.Items[i]
+		pspNames = append(pspNames, psp.Name)
+	}
+	return []record.Record{{
+		Name: "config/psp_names",
+		Item: record.JSONMarshaller{Object: pspNames},
+	}}, nil
+}
diff --git a/pkg/gatherers/clusterconfig/pod_security_policies_test.go b/pkg/gatherers/clusterconfig/pod_security_policies_test.go
@@ -0,0 +1,47 @@
+package clusterconfig
+
+import (
+	"context"
+	"testing"
+
+	"github.com/openshift/insights-operator/pkg/record"
+	"github.com/stretchr/testify/assert"
+	policyv1beta1 "k8s.io/api/policy/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	kubefake "k8s.io/client-go/kubernetes/fake"
+)
+
+var (
+	psp1 *policyv1beta1.PodSecurityPolicy = &policyv1beta1.PodSecurityPolicy{
+		ObjectMeta: v1.ObjectMeta{Name: "psp-1"},
+	}
+	psp2 *policyv1beta1.PodSecurityPolicy = &policyv1beta1.PodSecurityPolicy{
+		ObjectMeta: v1.ObjectMeta{Name: "psp-2"},
+	}
+)
+
+func Test_PodSecurityPolicies_Gather(t *testing.T) {
+	coreClient := kubefake.NewSimpleClientset()
+	ctx := context.Background()
+	records, errs := gatherPodSecurityPolicies(ctx, coreClient.PolicyV1beta1())
+	assert.Empty(t, errs, "Unexpected errors: %#v", errs)
+	assert.Len(t, records, 1)
+	s, ok := records[0].Item.(record.JSONMarshaller).Object.([]string)
+	assert.True(t, ok, "Unexpected data format. Expecting an array of strings")
+	assert.Equal(t, s, []string{}, "Expecting an empty array")
+
+	// create some psps
+	_, err := coreClient.PolicyV1beta1().PodSecurityPolicies().Create(ctx, psp1, v1.CreateOptions{})
+	assert.NoError(t, err, "Unexpected error when creating test PodSecurityPolicy")
+	_, err = coreClient.PolicyV1beta1().PodSecurityPolicies().Create(ctx, psp2, v1.CreateOptions{})
+	assert.NoError(t, err, "Unexpected error when creating test PodSecurityPolicy")
+
+	// check that the created PSPs are actually gathered
+	records, errs = gatherPodSecurityPolicies(ctx, coreClient.PolicyV1beta1())
+	assert.Empty(t, errs, "Unexpected errors: %#v", errs)
+	assert.Len(t, records, 1)
+
+	s, ok = records[0].Item.(record.JSONMarshaller).Object.([]string)
+	assert.True(t, ok, "Unexpected data format. Expecting an array of strings")
+	assert.Equal(t, s, []string{"psp-1", "psp-2"}, "Expecting an empty array")
+}

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +[
 +    "100-psp",
 +    "next-psp-name"
 +]
Original file line number	Diff line number	Diff line change
`@@ -86,6 +86,7 @@ var gatheringFunctions = map[string]gatheringFunction{`
`86`	`86`	`"pod_network_connectivity_checks": failableFunc((*Gatherer).GatherPNCC),`
`87`	`87`	`"machine_autoscalers": failableFunc((*Gatherer).GatherMachineAutoscalers),`
`88`	`88`	`"openshift_logging": failableFunc((*Gatherer).GatherOpenshiftLogging),`
	`89`	`+ "psps": failableFunc((*Gatherer).GatherPodSecurityPolicies),`
`89`	`90`	`}`
`90`	`91`
`91`	`92`	`func New(`