package main
import (
"flag"
"fmt"
"os"
"strings"
_ "github.com/golang/glog"
"github.com/in-toto/kubectl-in-toto/pkg/in_toto"
"k8s.io/client-go/kubernetes"
_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
"k8s.io/kubectl/pkg/pluginutils"
)
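// unknown is the error text for a target whose resource type is not "pod",
// the only type this plugin can resolve.
const unknown = "unknown type, must be pod"

// parseTarget reads the first positional argument, expected as
// "<type>/<name>", and returns its resource type and name.
//
// It returns an error when no argument is given, when the argument has no
// "/" separator or an empty name part, or when the type is not "pod". A
// missing separator no longer panics with an index-out-of-range.
func parseTarget(target []string) (string, string, error) {
	if len(target) < 1 {
		return "", "", fmt.Errorf("missing target argument, expected pod/<name>")
	}
	// Only the first "/" is a separator; anything after it belongs to the name.
	parts := strings.SplitN(target[0], "/", 2)
	if len(parts) != 2 || parts[1] == "" {
		return "", "", fmt.Errorf("malformed target %q, expected pod/<name>", target[0])
	}
	targetType, targetName := parts[0], parts[1]
	if targetType != "pod" {
		return "", "", fmt.Errorf("%s, got %q", unknown, targetType)
	}
	return targetType, targetName, nil
}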
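// parseArgs registers the command-line flags, parses os.Args and builds the
// in-toto verification setup from them.
//
// -key/-k set the root public key path and -layout/-l the root layout path;
// each pair writes the same field, so when both forms are given the last one
// on the command line wins. The single positional argument names the target
// as pod/<name>; an error from parseTarget is returned unchanged so main can
// print it together with the usage text.
//
// The flags are registered on the global flag set, so calling parseArgs a
// second time in one process would panic with "flag redefined".
func parseArgs() (*in_toto.VerificationSetup, error) {
	const (
		keyUsage    = "the pathname to the root pubkey (root.pub)"
		layoutUsage = "the name of the root layout (root.layout)"
	)
	setup := new(in_toto.VerificationSetup)
	flag.StringVar(&setup.KeyPath, "key", "root.pub", keyUsage)
	flag.StringVar(&setup.KeyPath, "k", "root.pub", keyUsage)
	flag.StringVar(&setup.LayoutPath, "layout", "root.layout", layoutUsage)
	flag.StringVar(&setup.LayoutPath, "l", "root.layout", layoutUsage)
	flag.Parse()

	targetType, targetName, err := parseTarget(flag.Args())
	if err != nil {
		return nil, err
	}
	setup.TargetType = targetType
	setup.Name = targetName
	return setup, nil
}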
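// loadConfig builds a Kubernetes clientset from the kubectl plugin
// environment and returns it together with the namespace selected by the
// current kubeconfig.
//
// Any failure to load the client config or to resolve the namespace aborts
// the program with a panic; this is a CLI entry path with no caller that
// could recover, and the error is wrapped so the panic says which step
// failed.
func loadConfig() (*kubernetes.Clientset, string) {
	restConfig, kubeConfig, err := pluginutils.InitClientAndConfig()
	if err != nil {
		panic(fmt.Errorf("initialising kubectl client config: %v", err))
	}
	client := kubernetes.NewForConfigOrDie(restConfig)
	// Namespace() also reports whether the namespace was overridden; only the
	// name is needed here, but an error must not be silently turned into "",
	// which would make the later pod lookup target the wrong place.
	ns, _, err := kubeConfig.Namespace()
	if err != nil {
		panic(fmt.Errorf("resolving kubeconfig namespace: %v", err))
	}
	return client, ns
}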
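// main resolves the containers of the target pod and runs in-toto
// verification against each container image in turn.
//
// Exit status 1 is used for usage errors (bad arguments, unsupported resource
// type), for a pod that resolves to no containers, and for a failed
// verification. Diagnostics are written to stderr so the scan output on
// stdout stays separate.
func main() {
	inTotoConfig, err := parseArgs()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		flag.Usage()
		os.Exit(1)
	}
	client, ns := loadConfig()
	fmt.Printf("[resolve] scanning pod: %s\n", inTotoConfig.Name)
	handler := in_toto.ResolveResourceTypeHandler(inTotoConfig.TargetType)
	if handler == nil {
		// parseArgs only admits "pod"; this guards against a type the
		// in_toto package has no handler for.
		fmt.Fprintf(os.Stderr, "no handler for resource type %q\n", inTotoConfig.TargetType)
		flag.Usage()
		os.Exit(1)
	}
	containers := handler(client, inTotoConfig.Name, ns)
	// A running pod always has at least one container, so an empty result
	// means resolution failed; exiting 0 here would report success for a
	// pod nothing was verified against.
	if len(containers) == 0 {
		fmt.Fprintf(os.Stderr, "Error: no containers resolved for pod %q in namespace %q\n",
			inTotoConfig.Name, ns)
		os.Exit(1)
	}
	for _, container := range containers {
		fmt.Printf("[scan] resolved pod container as: %v (%v). \n\tIn-toto output follows:\n",
			container.ImageID, container.Imagename)
		// The first container that fails verification ends the run; later
		// containers are not scanned.
		if verr := in_toto.ScanContainer(inTotoConfig, container.ImageID); verr != nil {
			fmt.Fprintf(os.Stderr, "Error: %v\n", verr)
			os.Exit(1)
		}
		fmt.Println("[result]: Verification successful!")
	}
}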