Merge pull request #403 from derailed/rel/v0.21.6

Rel v0.21.6

Makefile

@@ -1,6 +1,6 @@
 NAME     := popeye
 PACKAGE  := github.com/derailed/$(NAME)
-VERSION  := v0.21.5
+VERSION  := v0.21.6
 GIT      := $(shell git rev-parse --short HEAD)
 DATE     := $(shell date +%FT%T%Z)
 IMG_NAME := derailed/popeye

README.md

@@ -125,10 +125,14 @@ popeye
 popeye -n fred
 # Run Popeye in all namespaces
 popeye -A
-# Popeye uses a spinach config file of course! aka spinachyaml!
+# Run Popeye uses a spinach config file of course! aka spinachyaml!
 popeye -f spinach.yaml
-# Popeye a cluster using a kubeconfig context.
+# Run Popeye a cluster using a kubeconfig context.
 popeye --context olive
+# Run Popeye with specific linters and log to the console
+popeye -n ns1 -s pod,svc --logs none
+# Run Popeye for a given namespace in a given log file and debug logs
+popeye -n ns1 --logs /tmp/fred.log -v4
 # Stuck?
 popeye help
 ```

change_logs/release_v0.21.6.md

@@ -0,0 +1,32 @@
+<img src="https://raw.githubusercontent.com/derailed/popeye/master/assets/popeye_logo.png" align="right" width="200" height="auto"/>
+
+# Release v0.21.6
+
+## Notes
+
+Thank you to all that contributed with flushing out issues and enhancements for Popeye! I'll try to mark some of these issues as fixed. But if you don't mind grab the latest rev and see if we're happier with some of the fixes! If you've filed an issue please help me verify and close. Your support, kindness and awesome suggestions to make Popeye better is as ever very much noticed and appreciated!
+
+This project offers a GitHub Sponsor button (over here 👆). As you well know this is not pimped out by big corps with deep pockets. If you feel `Popeye` is saving you cycles diagnosing potential cluster issues please consider sponsoring this project!! It does go a long way in keeping our servers lights on and beers in our fridge.
+
+Also if you dig this tool, please make some noise on social! [@kitesurfer](https://twitter.com/kitesurfer)
+
+---
+
+## Maintenance Release
+
+---
+
+## Resolved Issues
+
+* [#370](https://github.com/derailed/popeye/issues/370) default service account check
+* [#356](https://github.com/derailed/popeye/issues/356) Allow foreground execution, with output to STDOUT/STDERR and disabling output to popeye.log file
+* [#341](https://github.com/derailed/popeye/issues/341) Linter Node : no linters matched query
+* [#337](https://github.com/derailed/popeye/issues/337) Output logs in stdout instead of file
+* [#301](https://github.com/derailed/popeye/issues/301) Allow Popeye to be used by more than one user on a host (/tmp/popeye.log permission problem)
+* [#267](https://github.com/derailed/popeye/issues/267) Allow container exclusions based on regex
+* [#200](https://github.com/derailed/popeye/issues/200) Can't filter containers in spinach.yaml for deployments
+* [#168](https://github.com/derailed/popeye/issues/168) Skip checks at container level
+
+---
+
+<img src="https://raw.githubusercontent.com/derailed/popeye/master/assets/imhotep_logo.png" width="32" height="auto"/>&nbsp; © 2024 Imhotep Software LLC. All materials licensed under [Apache v2.0](http://www.apache.org/licenses/LICENSE-2.0)

cmd/root.go

@@ -52,13 +52,14 @@ func Execute() {
 
 // Doit runs the scans and lints pass over the specified cluster.
 func doIt(cmd *cobra.Command, args []string) {
+	bomb(initLogs())
+
 	defer func() {
 		if err := recover(); err != nil {
 			pkg.BailOut(err.(error))
 		}
 	}()
 
-	zerolog.SetGlobalLevel(zerolog.DebugLevel)
 	clearScreen()
 	bomb(flags.Validate())
 	flags.StandAlone = true
@@ -84,7 +85,7 @@ func bomb(err error) {
 	if err == nil {
 		return
 	}
-	panic(fmt.Errorf("💥 %s\n", report.Colorize(err.Error(), report.ColorRed)))
+	panic(fmt.Errorf("💥 %s", report.Colorize(err.Error(), report.ColorRed)))
 }
 
 func initPopeyeFlags() {
@@ -166,6 +167,15 @@ func initPopeyeFlags() {
 		[]string{},
 		"Specify which resources to include in the scan ie -s po,svc",
 	)
+
+	rootCmd.Flags().IntVarP(flags.LogLevel, "log-level", "v",
+		1,
+		"Specify log level. Use 0|1|2|3|4 for disable|info|warn|error|debug",
+	)
+	rootCmd.Flags().StringVarP(flags.LogFile, "logs", "",
+		pkg.LogFile,
+		"Specify log file location. Use `none` for stdout",
+	)
 }
 
 func initKubeConfigFlags() {
@@ -212,6 +222,49 @@ func initKubeConfigFlags() {
 	)
 }
 
+func initLogs() error {
+	var logs string
+	if *flags.LogFile != "none" {
+		logs = *flags.LogFile
+	}
+
+	var file = os.Stdout
+	if logs != "" {
+		mod := os.O_CREATE | os.O_APPEND | os.O_WRONLY
+		var err error
+		file, err = os.OpenFile(logs, mod, 0644)
+		if err != nil {
+			return fmt.Errorf("unable to create Popeye log file: %w", err)
+		}
+	}
+	log.Logger = log.Output(zerolog.ConsoleWriter{Out: file})
+
+	if flags.LogLevel == nil {
+		zerolog.SetGlobalLevel(zerolog.InfoLevel)
+	} else {
+		zerolog.SetGlobalLevel(toLogLevel(*flags.LogLevel))
+	}
+
+	return nil
+}
+
+func toLogLevel(level int) zerolog.Level {
+	switch level {
+	case -1:
+		return zerolog.TraceLevel
+	case 0:
+		return zerolog.Disabled
+	case 1:
+		return zerolog.InfoLevel
+	case 2:
+		return zerolog.WarnLevel
+	case 3:
+		return zerolog.ErrorLevel
+	default:
+		return zerolog.DebugLevel
+	}
+}
+
 func initFlags() {
 	initPopeyeFlags()
 	initKubeConfigFlags()

go.mod

@@ -15,6 +15,7 @@ require (
 	github.com/stretchr/testify v1.10.0
 	github.com/xeipuuv/gojsonschema v1.2.0
 	golang.org/x/net v0.31.0
+	golang.org/x/text v0.21.0
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.32.0
@@ -122,7 +123,6 @@ require (
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/term v0.27.0 // indirect
-	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
 	google.golang.org/protobuf v1.35.2 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect

internal/cilium/cache/cep.go

@@ -27,7 +27,7 @@ func NewCiliumEndpoint(dba *db.DB) *CiliumEndpoint {
 	return &CiliumEndpoint{db: dba}
 }
 
-// CiliumEndpointRefs computes all CiliumEndpoints external references.
+// CEPRefs computes all CiliumEndpoints external references.
 func (p *CiliumEndpoint) CEPRefs(refs *sync.Map) error {
 	txn, it := p.db.MustITFor(internal.Glossary[cilium.CEP])
 	defer txn.Abort()

internal/cilium/lint/ccnp.go

@@ -57,20 +57,18 @@ func (s *CiliumClusterwideNetworkPolicy) Lint(ctx context.Context) error {
 }
 
 func (s *CiliumClusterwideNetworkPolicy) checkRule(ctx context.Context, r *api.Rule) error {
-	if r.EndpointSelector.Size() > 0 {
-		if ok, err := s.checkEPSel(r.EndpointSelector); err != nil {
-			return err
-		} else if !ok {
-			s.AddCode(ctx, 1700, "endpoint")
-		}
+	if ok, err := s.checkEPSel(r.EndpointSelector); err != nil {
+		return err
+	} else if !ok {
+		s.AddCode(ctx, 1700, "endpoint")
 	}
-	if r.NodeSelector.Size() > 0 {
-		if ok, err := s.checkNodeSel(r.NodeSelector); err != nil {
-			return err
-		} else if !ok {
-			s.AddCode(ctx, 1701)
-		}
+
+	if ok, err := s.checkNodeSel(r.NodeSelector); err != nil {
+		return err
+	} else if !ok {
+		s.AddCode(ctx, 1701)
 	}
+
 	for _, ing := range r.Ingress {
 		for _, sel := range ing.FromEndpoints {
 			if ok, err := s.checkEPSel(sel); err != nil {
@@ -94,6 +92,10 @@ func (s *CiliumClusterwideNetworkPolicy) checkRule(ctx context.Context, r *api.R
 }
 
 func (s *CiliumClusterwideNetworkPolicy) checkEPSel(sel api.EndpointSelector) (bool, error) {
+	if sel.Size() == 0 {
+		return true, nil
+	}
+
 	mm, err := s.matchCEPsBySel(sel)
 	if err != nil {
 		return false, err
@@ -103,6 +105,10 @@ func (s *CiliumClusterwideNetworkPolicy) checkEPSel(sel api.EndpointSelector) (b
 }
 
 func (s *CiliumClusterwideNetworkPolicy) checkNodeSel(sel api.EndpointSelector) (bool, error) {
+	if sel.Size() == 0 {
+		return true, nil
+	}
+
 	mm, err := s.matchNodesBySel(sel)
 	if err != nil {
 		return false, err

internal/cilium/lint/cep.go

@@ -100,9 +100,9 @@ func (s *CiliumEndpoint) checkNode(ctx context.Context, cep *v2.CiliumEndpoint)
 	if err != nil {
 		return err
 	}
+	nodeIP := cep.Status.Networking.NodeIP
 	for _, n := range nn {
-		ip, _ := getIPs(n.Status.Addresses)
-		if ip != "" && ip == cep.Status.Networking.NodeIP {
+		if matchIP(n.Status.Addresses, nodeIP) {
 			return nil
 		}
 	}
@@ -113,15 +113,15 @@ func (s *CiliumEndpoint) checkNode(ctx context.Context, cep *v2.CiliumEndpoint)
 
 // Helpers...
 
-func getIPs(addrs []v1.NodeAddress) (iIP, eIP string) {
+func matchIP(addrs []v1.NodeAddress, ip string) bool {
 	for _, a := range addrs {
-		switch a.Type {
-		case v1.NodeExternalIP:
-			eIP = a.Address
-		case v1.NodeInternalIP:
-			iIP = a.Address
+		if a.Type != v1.NodeInternalIP {
+			continue
+		}
+		if a.Address == ip {
+			return true
 		}
 	}
 
-	return
+	return false
 }

internal/cilium/lint/cid.go

@@ -61,8 +61,7 @@ func (s *CiliumIdentity) Lint(ctx context.Context) error {
 }
 
 func (s *CiliumIdentity) checkStale(ctx context.Context, fqn string, refs *sync.Map) error {
-	_, ok := refs.Load(icache.ResFqn(cache.CIDKey, fqn))
-	if !ok {
+	if _, ok := refs.Load(icache.ResFqn(cache.CIDKey, fqn)); !ok {
 		s.AddCode(ctx, 1600)
 	}
 

internal/cilium/lint/cnp.go

@@ -88,6 +88,10 @@ func (s *CiliumNetworkPolicy) checkRule(ctx context.Context, ns string, r *api.R
 }
 
 func (s *CiliumNetworkPolicy) checkEPSel(ns string, sel api.EndpointSelector) (bool, error) {
+	if sel.Size() == 0 {
+		return true, nil
+	}
+
 	mm, err := s.matchCEPsBySel(ns, sel)
 	if err != nil {
 		return false, err

internal/client/config.go

@@ -249,7 +249,7 @@ func (c *Config) CurrentNamespaceName() (string, error) {
 		return ct.Namespace, nil
 	}
 
-	return DefaultNamespace, nil
+	return DefaultNamespace, fmt.Errorf("invalid context specified: %q", cfg.CurrentContext)
 }
 
 // NamespaceNames fetch all available namespaces on current cluster.

internal/dao/generic.go

@@ -5,6 +5,7 @@ package dao
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/derailed/popeye/internal"
 	"github.com/derailed/popeye/internal/client"
@@ -22,7 +23,10 @@ type Generic struct {
 // List returns a collection of resources.
 func (g *Generic) List(ctx context.Context) ([]runtime.Object, error) {
 	labelSel, _ := ctx.Value(internal.KeyLabels).(string)
-	ns, _ := ctx.Value(internal.KeyNamespace).(string)
+	ns, ok := ctx.Value(internal.KeyNamespace).(string)
+	if !ok {
+		return nil, fmt.Errorf("BOOM!! no namespace found in context %s", g.gvr)
+	}
 	if client.IsAllNamespace(ns) {
 		ns = client.AllNamespaces
 	}

internal/dao/resource.go

@@ -29,7 +29,7 @@ func (r *Resource) List(ctx context.Context) ([]runtime.Object, error) {
 	}
 	ns, ok := ctx.Value(internal.KeyNamespace).(string)
 	if !ok {
-		panic(fmt.Sprintf("BOOM no namespace in context %s", r.gvr))
+		return nil, fmt.Errorf("BOOM!! no namespace found in context %s", r.gvr)
 	}
 	if r.gvr == internal.Glossary[internal.NS] {
 		ns = client.AllNamespaces

internal/issues/assets/codes.yaml

@@ -100,6 +100,9 @@ codes:
   307:
     message: "%s references a non existing ServiceAccount: %q"
     severity: 2
+  308:
+    message: Uses "default" bound ServiceAccount. Could be a security risk
+    severity: 3
 
   # General
   400:

internal/issues/codes_test.go

@@ -15,7 +15,7 @@ func TestCodesLoad(t *testing.T) {
 	cc, err := issues.LoadCodes()
 
 	assert.Nil(t, err)
-	assert.Equal(t, 116, len(cc.Glossary))
+	assert.Equal(t, 117, len(cc.Glossary))
 	assert.Equal(t, "No liveness probe", cc.Glossary[103].Message)
 	assert.Equal(t, rules.WarnLevel, cc.Glossary[103].Severity)
 }

internal/lint/cronjob.go

@@ -40,7 +40,7 @@ func (s *CronJob) Lint(ctx context.Context) error {
 		cj := o.(*batchv1.CronJob)
 		fqn := client.FQN(cj.Namespace, cj.Name)
 		s.InitOutcome(fqn)
-		ctx = internal.WithSpec(ctx, SpecFor(fqn, cj))
+		ctx = internal.WithSpec(ctx, coSpecFor(fqn, cj, cj.Spec.JobTemplate.Spec.Template.Spec))
 		s.checkCronJob(ctx, fqn, cj)
 		s.checkContainers(ctx, fqn, cj.Spec.JobTemplate.Spec.Template.Spec)
 		s.checkUtilization(ctx, over, fqn)

internal/lint/dp.go

@@ -39,7 +39,7 @@ func (s *Deployment) Lint(ctx context.Context) error {
 		dp := o.(*appsv1.Deployment)
 		fqn := client.FQN(dp.Namespace, dp.Name)
 		s.InitOutcome(fqn)
-		ctx = internal.WithSpec(ctx, SpecFor(fqn, dp))
+		ctx = internal.WithSpec(ctx, coSpecFor(fqn, dp, dp.Spec.Template.Spec))
 		s.checkDeployment(ctx, dp)
 		s.checkContainers(ctx, fqn, dp.Spec.Template.Spec)
 		s.checkUtilization(ctx, over, dp)

internal/lint/ds.go

@@ -38,7 +38,7 @@ func (s *DaemonSet) Lint(ctx context.Context) error {
 		ds := o.(*appsv1.DaemonSet)
 		fqn := client.FQN(ds.Namespace, ds.Name)
 		s.InitOutcome(fqn)
-		ctx = internal.WithSpec(ctx, SpecFor(fqn, ds))
+		ctx = internal.WithSpec(ctx, coSpecFor(fqn, ds, ds.Spec.Template.Spec))
 
 		s.checkDaemonSet(ctx, ds)
 		s.checkContainers(ctx, fqn, ds.Spec.Template.Spec)