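// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package deployment

import (
	appsv1 "k8s.io/api/apps/v1"
	v1 "k8s.io/api/core/v1"

	"istio.io/istio/pkg/config"
	"istio.io/istio/pkg/config/analysis"
	"istio.io/istio/pkg/config/analysis/analyzers/util"
	"istio.io/istio/pkg/config/analysis/msg"
	"istio.io/istio/pkg/config/resource"
	"istio.io/istio/pkg/config/schema/gvk"
)

// ApplicationUIDAnalyzer reports Pods and Deployments whose pod-level or
// application-container security context sets RunAsUser to the UID reserved
// for the Istio sidecar proxy (message IST0144).
type ApplicationUIDAnalyzer struct{}

var _ analysis.Analyzer = &ApplicationUIDAnalyzer{}

const (
	// UserID is the UID the Istio sidecar proxy runs as. Istio's traffic
	// capture rules exempt this UID so that the proxy's own traffic is not
	// looped back into it; an application container that also runs as this
	// UID therefore has its traffic bypass the sidecar, and with it any mTLS,
	// authorization and telemetry the mesh is expected to apply.
	UserID = int64(1337)
)

// Metadata implements analysis.Analyzer.
func (appUID *ApplicationUIDAnalyzer) Metadata() analysis.Metadata {
	return analysis.Metadata{
		Name:        "applicationUID.Analyzer",
		Description: "Checks invalid application UID",
		Inputs: []config.GroupVersionKind{
			gvk.Pod,
			gvk.Deployment,
		},
	}
}

// Analyze implements analysis.Analyzer. It visits every Pod and Deployment
// in the context and reports each one whose spec runs the pod or an
// application container as UserID.
func (appUID *ApplicationUIDAnalyzer) Analyze(context analysis.Context) {
	context.ForEach(gvk.Pod, func(r *resource.Instance) bool {
		appUID.analyzeAppUIDForPod(r, context)
		return true
	})
	context.ForEach(gvk.Deployment, func(r *resource.Instance) bool {
		appUID.analyzeAppUIDForDeployment(r, context)
		return true
	})
}

// analyzeAppUIDForPod checks a Pod's spec. Control-plane pods are skipped.
func (appUID *ApplicationUIDAnalyzer) analyzeAppUIDForPod(resource *resource.Instance, context analysis.Context) {
	p := resource.Message.(*v1.PodSpec)
	// Skip analyzing control plane for IST0144
	if util.IsIstioControlPlane(resource) {
		return
	}
	appUID.analyzePodSpec(p, gvk.Pod, resource, context)
}

// analyzeAppUIDForDeployment checks the pod template of a Deployment.
// Control-plane deployments are skipped.
func (appUID *ApplicationUIDAnalyzer) analyzeAppUIDForDeployment(resource *resource.Instance, context analysis.Context) {
	d := resource.Message.(*appsv1.DeploymentSpec)
	// Skip analyzing control plane for IST0144
	if util.IsIstioControlPlane(resource) {
		return
	}
	appUID.analyzePodSpec(&d.Template.Spec, gvk.Deployment, resource, context)
}

// analyzePodSpec is the check shared by the Pod and Deployment paths. It
// reports an IST0144 message against resource (under kind) once if the
// pod-level security context sets RunAsUser to UserID, and once more for
// every container whose own security context does so. Containers named for
// the Istio proxy or operator are exempt (the proxy legitimately runs as
// UserID). Only spec.Containers and only RunAsUser are inspected: init and
// ephemeral containers are not visited.
//
// NOTE(review): if the traffic-capture exemption also covers the proxy's
// group ID, RunAsGroup would warrant the same check — confirm against the
// iptables configuration before extending this.
func (appUID *ApplicationUIDAnalyzer) analyzePodSpec(spec *v1.PodSpec, kind config.GroupVersionKind,
	resource *resource.Instance, context analysis.Context,
) {
	message := msg.NewInvalidApplicationUID(resource)

	if sc := spec.SecurityContext; sc != nil && sc.RunAsUser != nil && *sc.RunAsUser == UserID {
		context.Report(kind, message)
	}
	// Index rather than range-copy: v1.Container is a large struct.
	for i := range spec.Containers {
		c := &spec.Containers[i]
		if c.Name == util.IstioProxyName || c.Name == util.IstioOperator {
			continue
		}
		if sc := c.SecurityContext; sc != nil && sc.RunAsUser != nil && *sc.RunAsUser == UserID {
			context.Report(kind, message)
		}
	}
}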