Return errors instead of panic
This commit is contained in:
parent
75575b9f98
commit
872b97fc45
@ -42,7 +42,10 @@ var MigrateCmd = &cobra.Command{
|
|||||||
Suggested Pod Security Standard for each namespace. In addition, it also
|
Suggested Pod Security Standard for each namespace. In addition, it also
|
||||||
checks whether a PSP object is mutating pods in every namespace.`,
|
checks whether a PSP object is mutating pods in every namespace.`,
|
||||||
Run: func(cmd *cobra.Command, args []string) {
|
Run: func(cmd *cobra.Command, args []string) {
|
||||||
pods := GetPods()
|
pods, err := GetPods()
|
||||||
|
if err != nil {
|
||||||
|
log.Fatalln("Error getting pods", err.Error())
|
||||||
|
}
|
||||||
fmt.Println("Checking if any pods are being mutated by a PSP object")
|
fmt.Println("Checking if any pods are being mutated by a PSP object")
|
||||||
mutatedPods := make([]v1.Pod, 0)
|
mutatedPods := make([]v1.Pod, 0)
|
||||||
for _, pod := range pods.Items {
|
for _, pod := range pods.Items {
|
||||||
@ -71,7 +74,12 @@ var MigrateCmd = &cobra.Command{
|
|||||||
fmt.Printf("Please re-run the tool again after you've modified your PodSpecs.\n")
|
fmt.Printf("Please re-run the tool again after you've modified your PodSpecs.\n")
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
}
|
}
|
||||||
for _, namespace := range GetNamespaces().Items {
|
|
||||||
|
namespaces, err := GetNamespaces()
|
||||||
|
if err != nil {
|
||||||
|
log.Fatalln("Error getting namespaces:", err.Error())
|
||||||
|
}
|
||||||
|
for _, namespace := range namespaces.Items {
|
||||||
// Check if namespace already has psa labels
|
// Check if namespace already has psa labels
|
||||||
if NamespaceHasPSALabels(&namespace) {
|
if NamespaceHasPSALabels(&namespace) {
|
||||||
log.Printf("The namespace %v already has PSA labels set. So skipping....\n", namespace.Name)
|
log.Printf("The namespace %v already has PSA labels set. So skipping....\n", namespace.Name)
|
||||||
@ -80,7 +88,13 @@ var MigrateCmd = &cobra.Command{
|
|||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
suggestions := make(map[string]bool)
|
suggestions := make(map[string]bool)
|
||||||
pods := GetPodsByNamespace(namespace.Name).Items
|
podList, err := GetPodsByNamespace(namespace.Name)
|
||||||
|
if err != nil {
|
||||||
|
log.Printf("Error getting pods for namespace %v. Error: %v\n", namespace.Name, err.Error())
|
||||||
|
log.Println("Continuing with next namespace")
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
pods := podList.Items
|
||||||
if len(pods) == 0 {
|
if len(pods) == 0 {
|
||||||
fmt.Printf("There are no pods running in namespace %v. Skipping and going to the next one.\n", namespace.Name)
|
fmt.Printf("There are no pods running in namespace %v. Skipping and going to the next one.\n", namespace.Name)
|
||||||
continue
|
continue
|
||||||
@ -121,7 +135,9 @@ var MigrateCmd = &cobra.Command{
|
|||||||
if control == skipStr {
|
if control == skipStr {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
ApplyPSSLevel(&namespace, suggested, control)
|
if err := ApplyPSSLevel(&namespace, suggested, control); err != nil {
|
||||||
|
log.Printf("Error applying %v on namespace %v. Error: %v\n", suggested, namespace.Name, err.Error())
|
||||||
|
}
|
||||||
fmt.Printf("Applied pod security level %v on namespace %v in %v control mode\n", suggested, namespace.Name, control)
|
fmt.Printf("Applied pod security level %v on namespace %v in %v control mode\n", suggested, namespace.Name, control)
|
||||||
fmt.Printf("Review the labels by running `kubectl get ns %v -o yaml`\n", namespace.Name)
|
fmt.Printf("Review the labels by running `kubectl get ns %v -o yaml`\n", namespace.Name)
|
||||||
}
|
}
|
||||||
|
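Review bot: In the last hunk, when `ApplyPSSLevel` returns an error the loop logs it and then falls through to the `fmt.Printf("Applied pod security level …")` and `Review the labels …` lines, so the operator is told a namespace is now under a level it does not actually have; add `continue` after the `log.Printf` inside the `if err != nil` block so the success messages are printed only on success. The surrounding loop and the Run func start outside the hunk. In the first hunk, `log.Fatalln("Error getting pods", err.Error())` (the same line appears in the initMutating hunk below) is formatted differently from `"Error getting namespaces:"` in the second hunk; `log.Fatalln("Error getting pods:", err)` keeps the messages consistent and lets the logger format the error. Consider also collecting the namespaces skipped on `GetPodsByNamespace` errors in the third hunk and printing them once at the end, since a single log line is easy to miss in a long run.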
@ -88,7 +88,10 @@ func initMutating() {
|
|||||||
Run: func(cmd *cobra.Command, args []string) {
|
Run: func(cmd *cobra.Command, args []string) {
|
||||||
table := tablewriter.NewWriter(os.Stdout)
|
table := tablewriter.NewWriter(os.Stdout)
|
||||||
table.SetHeader([]string{"Name", "Namespace", "Mutated", "PSP"})
|
table.SetHeader([]string{"Name", "Namespace", "Mutated", "PSP"})
|
||||||
pods := GetPods()
|
pods, err := GetPods()
|
||||||
|
if err != nil {
|
||||||
|
log.Fatalln("Error getting pods", err.Error())
|
||||||
|
}
|
||||||
fmt.Printf("There are %d pods in the cluster\n", len(pods.Items))
|
fmt.Printf("There are %d pods in the cluster\n", len(pods.Items))
|
||||||
for _, pod := range pods.Items {
|
for _, pod := range pods.Items {
|
||||||
if pspName, ok := pod.ObjectMeta.Annotations["kubernetes.io/psp"]; ok {
|
if pspName, ok := pod.ObjectMeta.Annotations["kubernetes.io/psp"]; ok {
|
||||||
|
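--- a/cmd/utils.go
+++ b/cmd/utils.go
@@ -35,39 +35,28 @@ func IgnoreNamespaceSelector(field string) string {
 return fields.AndSelectors(selectors...).String()
 }
 
-func GetPods() *v1.PodList {
+func GetPods() (*v1.PodList, error) {
 listOptions := metav1.ListOptions{FieldSelector: IgnoreNamespaceSelector("metadata.namespace")}
 pods, err := clientset.CoreV1().Pods("").List(context.TODO(), listOptions)
-if err != nil {
-panic(err.Error())
-}
-return pods
+return pods, err
 }
 
-func GetPodsByNamespace(namespace string) *v1.PodList {
+func GetPodsByNamespace(namespace string) (*v1.PodList, error) {
 listOptions := metav1.ListOptions{}
 pods, err := clientset.CoreV1().Pods(namespace).List(context.TODO(), listOptions)
-if err != nil {
-panic(err.Error())
-}
-return pods
+return pods, err
 }
 
-func GetNamespaces() *v1.NamespaceList {
+func GetNamespaces() (*v1.NamespaceList, error) {
 listOptions := metav1.ListOptions{FieldSelector: IgnoreNamespaceSelector("metadata.name")}
 namespaces, err := clientset.CoreV1().Namespaces().List(context.TODO(), listOptions)
-if err != nil {
-panic(err.Error())
-}
-return namespaces
+return namespaces, err
 }
 
-func ApplyPSSLevel(namespace *v1.Namespace, level psaApi.Level, control string) {
+func ApplyPSSLevel(namespace *v1.Namespace, level psaApi.Level, control string) error {
 namespace.Labels["pod-security.kubernetes.io/"+control] = string(level)
-namespace, err := clientset.CoreV1().Namespaces().Update(context.TODO(), namespace, metav1.UpdateOptions{})
-if err != nil {
-panic(err.Error())
-}
+_, err := clientset.CoreV1().Namespaces().Update(context.TODO(), namespace, metav1.UpdateOptions{})
+return err
 }
 
 func NamespaceHasPSALabels(namespace *v1.Namespace) bool {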
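Review bot: `ApplyPSSLevel` can still panic, because `namespace.Labels["pod-security.kubernetes.io/"+control] = string(level)` writes into a map that is nil for a namespace carrying no labels, and a nil-map write is a runtime panic rather than an error; initialise it first, `if namespace.Labels == nil { namespace.Labels = map[string]string{} }`. In the three list helpers, `return pods, err` (and `return namespaces, err`) hands the caller a result together with the error — the client-go list call may return a non-nil empty list on failure — so `if err != nil { return nil, err }` would keep the usual Go contract that the value is meaningless when err is set. None of the exported functions touched here has a doc comment; each should get one starting with its name, for example `// ApplyPSSLevel sets the pod-security.kubernetes.io/<control> label on namespace to level and updates the object in the cluster, returning any API error.` Since the update can also fail with a conflict when the namespace changed after it was listed, the caller, which only logs the error, may want to retry that case.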