#39: add support port range generation (#40)

Signed-off-by: kaizhe <derek0405@gmail.com>

Author: Kaizhe

advisor/types/portrange.go

@@ -0,0 +1,123 @@
+package types
+
+import (
+	"fmt"
+	"sort"
+)
+
+type PortRangeList []*PortRange
+
+type PortRange struct {
+	Min int32
+	Max int32
+}
+
+func NewPortRange(min, max int32) *PortRange {
+	return &PortRange{
+		Min: min,
+		Max: max,
+	}
+}
+
+func (pl PortRangeList) Consolidate() PortRangeList {
+	newPortRangeList := PortRangeList{}
+
+	max := pl.GetMax()
+
+	min := pl.GetMin()
+
+	if min == -1 {
+		return newPortRangeList
+	}
+
+	tmpPl := make(PortRangeList, max+1)
+
+	for _, pr := range pl {
+		tmpPl[pr.Min] = pr
+	}
+
+	pr := tmpPl[min]
+	i := min
+
+	for ; i <= max; i++ {
+		if tmpPl[i] != nil {
+			pr.Max = tmpPl[i].Max
+		} else {
+			// there is a break
+			newPortRangeList = append(newPortRangeList, pr)
+
+			// look for next port range
+			for {
+				i++
+				if i > max {
+					break
+				}
+
+				if tmpPl[i] != nil {
+					pr = tmpPl[i]
+					break
+				}
+			}
+		}
+	}
+
+	newPortRangeList = append(newPortRangeList, pr)
+
+	sort.Sort(newPortRangeList)
+
+	return newPortRangeList
+}
+
+func (pl PortRangeList) GetMin() int32 {
+	min := int32(-1)
+
+	for _, pr := range pl {
+		if pr != nil {
+			if min == int32(-1) {
+				min = pr.Min
+			}
+
+			if pr.Min < min {
+				min = pr.Min
+			}
+		}
+	}
+
+	return min
+}
+
+func (pl PortRangeList) GetMax() int32 {
+	max := int32(-1)
+
+	for _, pr := range pl {
+		if pr != nil {
+			if pr.Max > max {
+				max = pr.Max
+			}
+		}
+	}
+
+	return max
+}
+
+func (pl PortRangeList) String() string {
+	ret := "["
+
+	for idx, pr := range pl {
+		ret += fmt.Sprintf("{%d %d}", pr.Min, pr.Max)
+
+		if idx < len(pl)-1 {
+			ret += ", "
+		}
+	}
+
+	ret += "]"
+
+	return ret
+}
+
+func (pl PortRangeList) Less(i, j int) bool { return pl[i].Min < pl[j].Min }
+
+func (pl PortRangeList) Len() int { return len(pl) }
+
+func (pl PortRangeList) Swap(i, j int) { pl[j], pl[i] = pl[i], pl[j] }

advisor/types/portrange_test.go

@@ -0,0 +1,39 @@
+package types
+
+import (
+	"testing"
+)
+
+var (
+	prList = PortRangeList{
+		&PortRange{Min: 1, Max: 1},
+		&PortRange{Min: 2, Max: 2},
+		&PortRange{Min: 3, Max: 3},
+		&PortRange{Min: 5, Max: 5},
+		&PortRange{Min: 6, Max: 6},
+		&PortRange{Min: 7, Max: 7},
+		&PortRange{Min: 50, Max: 50},
+		&PortRange{Min: 99, Max: 99},
+	}
+
+	expectedPrList = PortRangeList{
+		&PortRange{Min: 1, Max: 3},
+		&PortRange{Min: 5, Max: 7},
+		&PortRange{Min: 50, Max: 50},
+		&PortRange{Min: 99, Max: 99},
+	}
+)
+
+func TestPortRange(t *testing.T) {
+	newPrList := prList.Consolidate()
+
+	if len(newPrList) != 4 {
+		t.Errorf("length is not 3: %+v", newPrList)
+	}
+
+	for i := range expectedPrList {
+		if newPrList[i].Min != expectedPrList[i].Min || newPrList[i].Max != expectedPrList[i].Max {
+			t.Errorf("expected port range: %v; actual port range: %v", *expectedPrList[i], *newPrList[i])
+		}
+	}
+}

advisor/types/securityspec.go

@@ -26,15 +26,15 @@ const (
 //PodSecurityPolicy Recommendation System help in the following attributes:
 //	1. allowPrivilegeEscalation - done
 //	2. allowedCapabilities - done
-//	3. allowedHostPaths - need further investigation
+//	3. allowedHostPaths - done
 //	4. hostIPC - done
 //	5. hostNetwork - done
 //	6. hostPID - done
-//	7. hostPorts - need further investigation
+//	7. hostPorts - done
 //	8. privileged - done
 //	9. readOnlyRootFilesystem - done
 //  10. runAsUser - done
-//  11. runAsGroup - half done
+//  11. runAsGroup - done
 //  12. Volume - done
 //	13. seLinux and others - need further investigation
 

generator/generator.go

@@ -372,6 +372,8 @@ func (pg *Generator) GeneratePSPWithName(
 
 	hostPaths := map[string]bool{}
 
+	hostPorts := map[int32]bool{}
+
 	runAsUserCount := 0
 
 	runAsGroupCount := 0
@@ -447,11 +449,9 @@ func (pg *Generator) GeneratePSPWithName(
 			notAllowPrivilegeEscationCount++
 		}
 
-		// set host ports
-		//TODO: need to integrate with listening port during the runtime, might cause false positive.
-		//for _, port := range sc.HostPorts {
-		//	psp.Spec.HostPorts = append(psp.Spec.HostPorts, policyv1beta1.HostPortRange{Min: port, Max: port})
-		//}
+		for _, port := range sc.HostPorts {
+			hostPorts[port] = true
+		}
 	}
 
 	// set allowedPrivilegeEscalation
@@ -532,6 +532,17 @@ func (pg *Generator) GeneratePSPWithName(
 		}
 	}
 
+	// set host ports
+	portRangeList := types.PortRangeList{}
+	for hostPort := range hostPorts {
+		portRange := types.NewPortRange(hostPort, hostPort)
+		portRangeList = append(portRangeList, portRange)
+	}
+
+	for _, portRange := range portRangeList.Consolidate() {
+		psp.Spec.HostPorts = append(psp.Spec.HostPorts, policyv1beta1.HostPortRange{Min: portRange.Min, Max: portRange.Max})
+	}
+
 	// set to default values
 	if string(psp.Spec.RunAsUser.Rule) == "" {
 		psp.Spec.RunAsUser.Rule = policyv1beta1.RunAsUserStrategyRunAsAny

generator/generator_test.go

@@ -32,6 +32,7 @@ var (
 			Namespace:                namespaceTest,
 			RunAsUser:                &runAsUser,
 			RunAsGroup:               &runAsGroup,
+			HostPorts:                []int32{80, 8080},
 		},
 		{Metadata: types.Metadata{
 			Kind: "Deployment",
@@ -47,6 +48,7 @@ var (
 			Namespace:      namespaceTest,
 			RunAsUser:      &runAsUser,
 			RunAsGroup:     &runAsGroup,
+			HostPorts:      []int32{80, 8081},
 		},
 	}
 
@@ -118,6 +120,18 @@ func TestCSS(t *testing.T) {
 	if psp.Spec.RunAsGroup.Ranges[0].Min != runAsGroup && psp.Spec.RunAsGroup.Ranges[0].Max != runAsGroup {
 		t.Fatal("psp should have set run as group to 1000")
 	}
+
+	if len(psp.Spec.HostPorts) != 2 {
+		t.Fatalf("there should be 2 port ranges, actual: %d", len(psp.Spec.HostPorts))
+	}
+
+	if psp.Spec.HostPorts[0].Min != 80 || psp.Spec.HostPorts[0].Max != 80 {
+		t.Fatalf("Expect port range [80, 80], actual: %v", psp.Spec.HostPorts[0])
+	}
+
+	if psp.Spec.HostPorts[1].Min != 8080 || psp.Spec.HostPorts[1].Max != 8081 {
+		t.Fatalf("Expect port range [8080, 8081], actual: %v", psp.Spec.HostPorts[1])
+	}
 }
 
 func TestPSS(t *testing.T) {

go.mod

@@ -18,12 +18,11 @@ require (
 	github.com/modern-go/reflect2 v1.0.1 // indirect
 	github.com/sirupsen/logrus v1.4.2
 	github.com/spf13/cobra v0.0.5
-	golang.org/x/net v0.0.0-20190812203447-cdfb69ac37fc // indirect
 	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 // indirect
 	golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f // indirect
 	golang.org/x/text v0.3.2 // indirect
 	golang.org/x/time v0.0.0-20190921001708-c4c64cad1fd0 // indirect
-	golang.org/x/tools v0.0.0-20200206204726-37215997d4fb // indirect
+	golang.org/x/tools v0.0.0-20200519205726-57a9e4404bf7
 	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
 	gopkg.in/inf.v0 v0.9.0 // indirect
 	gopkg.in/yaml.v2 v2.2.4 // indirect

go.sum

@@ -92,22 +92,28 @@ github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
 github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.2.0 h1:KU7oHjnv3XNWfa5COkzUifxZmxp1TyI7ImMXqFxLwvQ=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190812203447-cdfb69ac37fc h1:gkKoSkUmnU6bpS/VhkuO27bzQeSA51uaEfbOW5dNb68=
 golang.org/x/net v0.0.0-20190812203447-cdfb69ac37fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b h1:0mm1VjtFUOIlE1SbDlwjYaDxZVDP2S5ou6y0gSgXHu8=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -122,9 +128,17 @@ golang.org/x/time v0.0.0-20190921001708-c4c64cad1fd0 h1:xQwXv67TxFo9nC1GJFyab5eq
 golang.org/x/time v0.0.0-20190921001708-c4c64cad1fd0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200206204726-37215997d4fb h1:EvFvbyipa48qGILQqY8iDrep83Zd1YCssXQFh/6zhpY=
 golang.org/x/tools v0.0.0-20200206204726-37215997d4fb/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200401192744-099440627f01 h1:ysQJ/fU6laLOZJseIeOqXl6Mo+lw5z6b7QHnmUKjW+k=
+golang.org/x/tools v0.0.0-20200401192744-099440627f01/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200519205726-57a9e4404bf7 h1:nm4zDh9WvH4jiuUpMY5RUsvOwrtTVVAsUaCdLW71hfY=
+golang.org/x/tools v0.0.0-20200519205726-57a9e4404bf7/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

kube-psp-advisor_test.go

@@ -9,7 +9,14 @@ import (
 var (
 	workloadDir = "./test-yaml"
 
-	expectedYamls = []string{"test-yaml/base-busybox.yaml", "test-yaml/psp-grant.yaml", "test-yaml/testSrcDir/testdir/busy-box.yaml", "test-yaml/testTargetDir/testdir/busy-box.yaml"}
+	expectedYamls = []string{
+		"test-yaml/base-busybox.yaml",
+		"test-yaml/psp-grant.yaml",
+		"test-yaml/srcYamls/busy-box.yaml",
+		"test-yaml/srcYamls/nginx.yaml",
+		"test-yaml/targetYamls/busy-box.yaml",
+		"test-yaml/targetYamls/nginx.yaml",
+	}
 )
 
 func TestReadYamls(t *testing.T) {

version

@@ -1 +1 @@
-1.7.0
+1.8.0