feat: Define ClusterConfigAuditReport (#622)

We could not associate ConfigAuditReports with cluster-scoped
resources such as ClusterRole or CustomResourceDefinition.
Therefore, this commit defines cluster-scoped equivalent to
ConfigAuditReport called ClusterConfigAuditReport.

Signed-off-by: Daniel Pacak <[email protected]>

build/mkdocs-material/Dockerfile

@@ -1,4 +1,4 @@
-FROM squidfunk/mkdocs-material
+FROM squidfunk/mkdocs-material:7.0.6
 
 ## If you want to see exactly the same version as is published to GitHub pages
 ## use a private image for insiders, which requires authentication.

deploy/crd/clusterconfigauditreports.crd.yaml

@@ -0,0 +1,50 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterconfigauditreports.aquasecurity.github.io
+  labels:
+    app.kubernetes.io/managed-by: starboard
+spec:
+  group: aquasecurity.github.io
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+      additionalPrinterColumns:
+        - jsonPath: .report.scanner.name
+          type: string
+          name: Scanner
+          description: The name of the config audit scanner
+        - jsonPath: .metadata.creationTimestamp
+          type: date
+          name: Age
+          description: The age of the report
+        - jsonPath: .report.summary.dangerCount
+          type: integer
+          name: Danger
+          priority: 1
+          description: The number of checks that failed with Danger status
+        - jsonPath: .report.summary.warningCount
+          type: integer
+          name: Warning
+          priority: 1
+          description: The number of checks that failed with Warning status
+        - jsonPath: .report.summary.passCount
+          type: integer
+          name: Pass
+          priority: 1
+          description: The number of checks that passed
+      schema:
+        openAPIV3Schema:
+          x-kubernetes-preserve-unknown-fields: true
+          type: object
+  scope: Cluster
+  names:
+    singular: clusterconfigauditreport
+    plural: clusterconfigauditreports
+    kind: ClusterConfigAuditReport
+    listKind: ClusterConfigAuditReportList
+    categories:
+      - all
+    shortNames:
+      - clusterconfigaudit

docs/crds.md

@@ -3,12 +3,13 @@
 This project houses CustomResourceDefinitions (CRDs) related to security and compliance checks along with the code
 generated by Kubernetes [code generators][k8s-code-generator] to write such custom resources in a natural way.
 
-| NAME                                             | SHORTNAMES   | APIGROUP               | NAMESPACED |  KIND               |
-| ------------------------------------------------ | ------------ | ---------------------- | ---------- | ------------------- |
-| [vulnerabilityreports][vulnerabilityreports-crd] | vulns,vuln   | aquasecurity.github.io | true       | [VulnerabilityReport](#vulnerabilityreport) |
-| [configauditreports][configauditreports-crd]     | configaudit  | aquasecurity.github.io | true       | [ConfigAuditReport](#configauditreport)     |
-| [ciskubebenchreports][ciskubebenchreports-crd]   | kubebench    | aquasecurity.github.io | false      | [CISKubeBenchReport](#ciskubebenchreport)   |
-| [kubehunterreports][kubehunterreports-crd]       | kubehunter   | aquasecurity.github.io | false      | [KubeHunterReport](#kubehunterreport)       |
+| NAME                        | SHORTNAMES         | APIGROUP               | NAMESPACED |  KIND |
+| --------------------------- | ------------------ | ---------------------- | ---------- | ----- |
+| [vulnerabilityreports]      | vulns,vuln         | aquasecurity.github.io | true       | [VulnerabilityReport](#vulnerabilityreport) |
+| [configauditreports]        | configaudit        | aquasecurity.github.io | true       | [ConfigAuditReport](#configauditreport)     |
+| [clusterconfigauditreports] | clusterconfigaudit | aquasecurity.github.io | false      | [ClusterConfigAuditReport](#clusterconfigauditreport) |
+| [ciskubebenchreports]       | kubebench          | aquasecurity.github.io | false      | [CISKubeBenchReport](#ciskubebenchreport)   |
+| [kubehunterreports]         | kubehunter         | aquasecurity.github.io | false      | [KubeHunterReport](#kubehunterreport)       |
 
 !!! note
     We are open to suggestions for adding new or changes to the existing CRDs in the case that would enable
@@ -87,12 +88,12 @@ You can find the list of available integrations [here](./integrations/vulnerabil
 
 ## ConfigAuditReport
 
-An instance of the ConfigAuditReport represents checks performed by configuration auditing tools, such as [Polaris][polaris],
-against a Kubernetes workload's configuration. For example, check that a given container image runs as non root user
-or that a container has resource requests and limits set. Currently checks only relate to Kubernetes workloads, but most
-likely we'll extend this model to cater for other Kubernetes objects such as Services, ConfigMaps, etc (see [#300][discussion-300]).
+An instance of the ConfigAuditReport represents checks performed by configuration auditing tools, such as [Polaris]
+and [Conftest], against a Kubernetes object's configuration. For example, check that a given container image runs as
+non-root user or that a container has resource requests and limits set. Checks might relate to Kubernetes workloads
+and other namespaced Kubernetes objects such as Services, ConfigMaps, Roles, and RoleBindings.
 
-Each report owned by the underlying Kubernetes workload and is stored in the same namespace, following the
+Each report is owned by the underlying Kubernetes object and is stored in the same namespace, following the
 `<workload-kind>-<workload-name>` naming convention.
 
 ```yaml
@@ -163,6 +164,11 @@ schema can be integrated with Starboard.
     to perform scans and vary in output formats for a relatively common goal, which is inspecting deployment descriptors
     for known configuration pitfalls.
 
+## ClusterConfigAuditReport
+
+ClusterConfigAuditReport is equivalent to ConfigAuditReport for cluster-scoped objects such as ClusterRoles,
+ClusterRoleBindings, and CustomResourceDefinitions.
+
 ## CISKubeBenchReport
 
 The CISKubeBenchReport is a cluster scoped resource owned by a Kubernetes node, which represents the latest result
@@ -287,13 +293,15 @@ report:
 
 [k8s-code-generator]: https://github.com/kubernetes/code-generator
 
-[vulnerabilityreports-crd]: https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/crd/vulnerabilityreports.crd.yaml
-[ciskubebenchreports-crd]: https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/crd/ciskubebenchreports.crd.yaml
-[kubehunterreports-crd]: https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/crd/kubehunterreports.crd.yaml
-[configauditreports-crd]: https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/crd/configauditreports.crd.yaml
+[vulnerabilityreports]: https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/crd/vulnerabilityreports.crd.yaml
+[ciskubebenchreports]: https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/crd/ciskubebenchreports.crd.yaml
+[kubehunterreports]: https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/crd/kubehunterreports.crd.yaml
+[configauditreports]: https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/crd/configauditreports.crd.yaml
+[clusterconfigauditreports]: https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/crd/clusterconfigauditreports.crd.yaml
 
 [issue-288]: https://github.com/aquasecurity/starboard/issues/288
 [discussion-300]: https://github.com/aquasecurity/starboard/discussions/300
-[polaris]: https://github.com/FairwindsOps/polaris
+[Polaris]: ./integrations/config-checkers/polaris.md
+[Conftest]: ./integrations/config-checkers/conftest.md
 [kube-bench]: https://github.com/aquasecurity/kube-bench
 [kube-hunter]: https://github.com/aquasecurity/kube-hunter

pkg/apis/aquasecurity/v1alpha1/config_audit_types.go

@@ -43,6 +43,29 @@ type ConfigAuditReportList struct {
 	Items []ConfigAuditReport `json:"items"`
 }
 
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterConfigAuditReport is a specification for the ClusterConfigAuditReport resource.
+type ClusterConfigAuditReport struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Report ConfigAuditResult `json:"report"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterConfigAuditReportList is a list of ClusterConfigAuditReport resources.
+type ClusterConfigAuditReportList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+
+	Items []ClusterConfigAuditReport `json:"items"`
+}
+
+// TODO Rename to ConfigAuditReportData
 type ConfigAuditResult struct {
 	UpdateTimestamp metav1.Time        `json:"updateTimestamp"`
 	Scanner         Scanner            `json:"scanner"`

pkg/apis/aquasecurity/v1alpha1/register.go

@@ -39,6 +39,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&KubeHunterReportList{},
 		&ConfigAuditReport{},
 		&ConfigAuditReportList{},
+		&ClusterConfigAuditReport{},
+		&ClusterConfigAuditReportList{},
 	)
 	meta.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil