

Warnings, code style, convention fixes
ilia1243 committed Mar 4, 2024
1 parent 6f74536 commit c390789
Showing 4 changed files with 30 additions and 36 deletions.
23 changes: 10 additions & 13 deletions kubemarine/admission.py
Expand Up @@ -15,7 +15,7 @@
import io
import os
import re
from typing import Dict, Any, List, Optional, Union
from typing import Dict, List, Optional, Union

import ruamel.yaml
import yaml
Expand Down Expand Up @@ -45,8 +45,6 @@
valid_modes = ['enforce', 'audit', 'warn']
valid_versions_templ = r"^v1\.\d{1,2}$"

loaded_oob_policies = {}

ERROR_INCONSISTENT_INVENTORIES = "Procedure config and cluster config are inconsistent. Please check 'admission' option"
ERROR_CHANGE_OOB_PSP_DISABLED = "OOB policies can not be configured when security is disabled"
ERROR_PSS_BOTH_STATES_DISABLED = ("both 'pod-security' in procedure config and current config are 'disabled'. "
Expand All @@ -67,9 +65,6 @@ def is_pod_security_unconditional(cluster: KubernetesCluster) -> bool:
def enrich_inventory_psp(cluster: KubernetesCluster) -> None:
inventory = cluster.inventory

global loaded_oob_policies
loaded_oob_policies = load_oob_policies_files()

# validate custom
custom_policies = inventory["rbac"]["psp"]["custom-policies"]
verify_custom(custom_policies)
Expand Down Expand Up @@ -165,11 +160,11 @@ def verify_custom(custom_scope: Dict[str, List[dict]]) -> None:
verify_custom_list(bindings_list, "binding")


def verify_custom_list(custom_list: List[dict], type: str) -> None:
def verify_custom_list(custom_list: List[dict], type_: str) -> None:
for item in custom_list:
# forbid using 'oob-' prefix in order to avoid conflicts of our policies and users policies
if item["metadata"]["name"].startswith("oob-"):
raise Exception("Name %s is not allowed for custom %s" % (item["metadata"]["name"], type))
raise Exception("Name %s is not allowed for custom %s" % (item["metadata"]["name"], type_))


def verify_version(owner: str, version: str, kubernetes_version: str) -> None:
Expand Down Expand Up @@ -302,7 +297,9 @@ def reconfigure_oob_policies(cluster: KubernetesCluster) -> None:

cluster.log.debug("Deleting all OOB policies...")
first_control_plane.call(delete_privileged_policy)
first_control_plane.call(manage_policies, manage_type="delete", manage_scope=resolve_oob_scope(loaded_oob_policies, "all"))
first_control_plane.call(manage_policies,
manage_type="delete",
manage_scope=resolve_oob_scope(target_config, "all"))

if target_state == "disabled":
cluster.log.debug("Security disabled, OOB will not be recreated")
Expand Down Expand Up @@ -389,13 +386,15 @@ def manage_privileged_from_file(group: NodeGroup, filename: str, manage_type: st
return group.sudo("kubectl %s -f %s" % (manage_type, remote_path), warn=True)


def resolve_oob_scope(oob_policies_conf: Dict[str, Any], selector: str) -> Dict[str, List[dict]]:
def resolve_oob_scope(oob_policies_conf: Dict[str, str], selector: str) -> Dict[str, List[dict]]:
result: Dict[str, List[dict]] = {
psp_list_option: [],
roles_list_option: [],
bindings_list_option: []
}

loaded_oob_policies = load_oob_policies_files()

for key, value in oob_policies_conf.items():
if value == selector or selector == "all":
policy = loaded_oob_policies[key]
Expand Down Expand Up @@ -440,8 +439,6 @@ def manage_policies(group: NodeGroup, manage_type: str,
def collect_policies_template(psp_list: Optional[List[dict]],
roles_list: Optional[List[dict]],
bindings_list: Optional[List[dict]]) -> str:
yaml = ruamel.yaml.YAML()

buf = io.StringIO()
if psp_list:
for psp in psp_list:
Expand Down Expand Up @@ -614,7 +611,7 @@ def label_namespace_pss(cluster: KubernetesCluster) -> None:
namespaces_defaults = procedure_config.get("namespaces_defaults")
if namespaces_defaults:
for default_mode in namespaces_defaults:
default_modes[default_mode] = namespaces_defaults[default_mode]
default_modes[default_mode] = namespaces_defaults[default_mode]
for namespace in namespaces:
# define name of namespace
if isinstance(namespace, dict):
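Review bot: resolve_oob_scope now indexes loaded_oob_policies with keys taken from the caller-supplied oob_policies_conf (the line `policy = loaded_oob_policies[key]`), and the delete path in reconfigure_oob_policies now passes target_config instead of the dict that was built from the policy files themselves, so a policy name present in the procedure config but absent from the shipped OOB policies would surface as a KeyError partway through the delete/recreate sequence rather than as an up-front validation error. If target_config is not already checked against the loaded policy names elsewhere (its definition is outside this hunk, as are the remainders of both functions), a guard such as `if key not in loaded_oob_policies: raise Exception(f"Unknown OOB policy {key!r}")` before the lookup would fail early with a clear message. Separately, load_oob_policies_files() is now presumably re-read on every call of resolve_oob_scope instead of once per enrichment; that is fine if the function is called once per procedure, but a short docstring stating that oob_policies_conf maps policy name to requested state and that selector "all" matches every entry regardless of state would make the new contract explicit.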
18 changes: 9 additions & 9 deletions kubemarine/apparmor.py
Expand Up @@ -21,14 +21,14 @@


def get_status(group: NodeGroup) -> Dict[str, dict]:
log = group.cluster.log
logger = group.cluster.log
result = group.sudo("apparmor_status --json")
parsed_result = {}
if result:
for host, node_result in result.items():
log.verbose('Parsing status for %s...' % host)
parsed_result[host] = parse_status(log, node_result.stdout)
print_status(log, parsed_result)
logger.verbose('Parsing status for %s...' % host)
parsed_result[host] = parse_status(logger, node_result.stdout)
print_status(logger, parsed_result)
return parsed_result


Expand Down Expand Up @@ -65,9 +65,9 @@ def print_status(logger: log.EnhancedLogger, parsed_result: dict) -> None:


def is_state_valid(group: NodeGroup, expected_profiles: dict) -> bool:
log = group.cluster.log
logger = group.cluster.log

log.verbose('Verifying Apparmor modes...')
logger.verbose('Verifying Apparmor modes...')

parsed_result = get_status(group)
valid = True
Expand All @@ -81,18 +81,18 @@ def is_state_valid(group: NodeGroup, expected_profiles: dict) -> bool:
for remote_profiles in status.values():
if profile in remote_profiles:
valid = False
log.verbose('Mode %s is enabled on remote host %s' % (state, host))
logger.verbose('Mode %s is enabled on remote host %s' % (state, host))
break
else:
if not status.get(state):
valid = False
log.verbose('Mode %s is not presented on remote host %s' % (state, host))
logger.verbose('Mode %s is not presented on remote host %s' % (state, host))
break
# check if all 'cluster.yaml' settings reflect on particular node
for profile in profiles:
if profile not in status[state]:
valid = False
log.verbose('Profile %s is not enabled in %s mode on remote host %s' % (profile, state, host))
logger.verbose('Profile %s is not enabled in %s mode on remote host %s' % (profile, state, host))
break

return valid
9 changes: 3 additions & 6 deletions kubemarine/core/static.py
Expand Up @@ -16,15 +16,12 @@


def reload() -> None:
global GLOBALS
GLOBALS.clear()
GLOBALS.update(_load_globals())

global DEFAULTS
DEFAULTS.clear()
DEFAULTS.update(_load_defaults())

global KUBERNETES_VERSIONS
KUBERNETES_VERSIONS.clear()
KUBERNETES_VERSIONS.update(load_kubernetes_versions())

Expand All @@ -42,20 +39,20 @@ def load_kubernetes_versions() -> dict:


def _load_globals() -> dict:
globals = utils.load_yaml(
globals_ = utils.load_yaml(
utils.get_internal_resource_path('resources/configurations/globals.yaml'))

for config_filename in ('kubernetes_images.yaml', 'packages.yaml', 'plugins.yaml', 'thirdparties.yaml'):
internal_compatibility = load_compatibility_map(config_filename)

globals_compatibility = globals['compatibility_map']['software']
globals_compatibility = globals_['compatibility_map']['software']
duplicates = set(internal_compatibility) & set(globals_compatibility)
if duplicates:
raise Exception(f"Duplicated software {', '.join(repr(s) for s in duplicates)}")

globals_compatibility.update(internal_compatibility)

return globals
return globals_


def _load_defaults() -> dict:
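Review bot: In reload(), `GLOBALS.clear()` executes before `_load_globals()` is evaluated, so if loading raises (for example the "Duplicated software" exception visible in _load_globals) the module is left with an emptied GLOBALS, and the same ordering applies to DEFAULTS and KUBERNETES_VERSIONS. Dropping the `global` statements is correct because the dicts are mutated in place and never rebound, but that same in-place mutation is what makes the half-cleared state visible to every other module holding a reference to these dicts. Computing the new value first, e.g. `new_globals = _load_globals()` followed by `GLOBALS.clear()` / `GLOBALS.update(new_globals)` (and likewise for the other two), keeps the previous contents intact when a reload fails.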
16 changes: 8 additions & 8 deletions kubemarine/coredns.py
Expand Up @@ -52,7 +52,7 @@ def proceed_section_keyvalue(data: Dict[str, Any], tabsize: int) -> str:
return config


def generate_nested_sections(type: str, data: Dict[str, Dict[str, Any]], tabsize: int) -> str:
def generate_nested_sections(type_: str, data: Dict[str, Dict[str, Any]], tabsize: int) -> str:
tab = " "*tabsize
config = ''

Expand All @@ -78,28 +78,28 @@ def generate_nested_sections(type: str, data: Dict[str, Dict[str, Any]], tabsize
for section in sections:
section_name, _ = section
section_value = data[section_name]
if type == 'kubernetes':
config += '\n' + tab + type
if type_ == 'kubernetes':
config += '\n' + tab + type_
if section_value.get('zone'):
if isinstance(section_value['zone'], list):
section_value['zone'] = ' '.join(section_value['zone'])
config += ' ' + section_value['zone']
config += ' {' + proceed_section_keyvalue(section_value['data'], tabsize + 2) + '\n' + tab + '}'

elif type == 'hosts':
config += '\n' + tab + type
elif type_ == 'hosts':
config += '\n' + tab + type_
if section_value.get('file') and isinstance(section_value['file'], str):
config += ' ' + section_value['file']
config += ' {' + proceed_section_keyvalue(section_value['data'], tabsize + 2) + '\n' + tab + '}'

elif type == 'template':
elif type_ == 'template':
zones: Union[str, List[Optional[str]]] = [None]
if section_value.get('zone'):
zones = section_value['zone']
if isinstance(zones, str):
zones = [zones]
for zone in zones:
config += '\n' + tab + type
config += '\n' + tab + type_
if section_value.get('class'):
config += ' ' + section_value['class']
if section_value.get('type'):
Expand All @@ -109,7 +109,7 @@ def generate_nested_sections(type: str, data: Dict[str, Dict[str, Any]], tabsize
config += ' {' + proceed_section_keyvalue(section_value['data'], tabsize + 2) + '\n' + tab + '}'

else:
config += '\n' + tab + type + ' {' + proceed_section_keyvalue(section_value['data'], tabsize + 2)\
config += '\n' + tab + type_ + ' {' + proceed_section_keyvalue(section_value['data'], tabsize + 2) \
+ '\n' + tab + '}'

return config
