validator-labs / validator-plugin-kubescape

validator-plugin-kubescape provides configurable CVE alerting on top of Kubescape and creates ValidationResults for validator to consume.
https://validator-labs.github.io/docs
Apache License 2.0

🌱 Allow multiple rules per validator #61

Open mattwelke opened 1 month ago

mattwelke commented 1 month ago

Summary

Plugins should support defining more than one rule of the same rule type per validator. For example, in the AWS plugin:

type AwsValidatorSpec struct {
...
    AmiRules []AmiRule `json:"amiRules,omitempty" yaml:"amiRules,omitempty"`
...
}

The Kubescape plugin should be changed to allow this too. Right now, its spec only allows one rule of each type per validator:

type KubescapeValidatorSpec struct {
...
    SeverityLimitRule SeverityLimitRule `json:"severityLimitRule,omitempty" yaml:"severityLimitRule,omitempty"`
...
    IgnoredCVERule []string `json:"ignoredCVERule,omitempty" yaml:"ignoredCVERule,omitempty"`
...
    FlaggedCVERule []FlaggedCVE `json:"flaggedCVERule,omitempty" yaml:"flaggedCVERule,omitempty"`
}

For example, SeverityLimitRule can be changed to []SeverityLimitRule to accomplish this.

After the spec is changed, the controller logic should be changed to iterate through each rule, processing them one at a time.
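An added illustration of the proposed change (example code, not from the plugin or the issue author): the spec holds a slice of rules and the evaluation loops over them one at a time, producing one result per rule. The fields of SeverityLimitRule, the Finding type and the RuleResult type are assumptions made for this example.

```go
package main

// SeverityLimitRule stands in for the plugin's rule type; its fields (a severity
// name and the maximum number of CVEs tolerated at that severity) are an
// assumption for this example, not the plugin's real definition.
type SeverityLimitRule struct {
	Severity string `json:"severity" yaml:"severity"`
	Limit    int    `json:"limit" yaml:"limit"`
}

// KubescapeValidatorSpec in the slice form the issue proposes.
type KubescapeValidatorSpec struct {
	SeverityLimitRules []SeverityLimitRule `json:"severityLimitRules,omitempty" yaml:"severityLimitRules,omitempty"`
}

// Finding is a minimal stand-in for one CVE reported by a Kubescape scan.
type Finding struct {
	CVE      string
	Severity string
}

// RuleResult is the per-rule outcome a ValidationResult condition would carry.
type RuleResult struct {
	Rule   SeverityLimitRule
	Count  int
	Passed bool
}

// EvaluateSeverityLimits iterates the rules one at a time, so each rule yields
// its own result instead of only the single rule the current spec allows.
func EvaluateSeverityLimits(spec KubescapeValidatorSpec, findings []Finding) []RuleResult {
	counts := map[string]int{}
	for _, f := range findings {
		counts[f.Severity]++
	}
	results := make([]RuleResult, 0, len(spec.SeverityLimitRules))
	for _, r := range spec.SeverityLimitRules {
		n := counts[r.Severity]
		results = append(results, RuleResult{Rule: r, Count: n, Passed: n <= r.Limit})
	}
	return results
}
```

With two rules in the spec, a single scan now yields two independently reportable outcomes, which is what the per-rule loop in the controller would surface.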

TylerGillson commented 1 month ago

@wcrum was working on a refactor to the plugin that I believe would address this. @wcrum can you please chime in?