Skip to content

Commit

Permalink
Merge pull request #2 from deggja/add_scoring
Browse files Browse the repository at this point in the history
Add scoring
  • Loading branch information
deggja authored Nov 24, 2023
2 parents d5f28bd + db99105 commit 4863ab0
Show file tree
Hide file tree
Showing 4 changed files with 82 additions and 7 deletions.
21 changes: 21 additions & 0 deletions LICENSE
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
MIT License

Copyright (c) 2023 Daniel Dagfinrud

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
20 changes: 16 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ You are welcome to contribute!

Open an issue or create a pull request if there is some functionality missing that you would like.

## Installation via Homebrew
## Installation via Homebrew for Mac

You can install `netfetch` using our Homebrew tap:

Expand All @@ -20,6 +20,8 @@ brew tap deggja/netfetch https://github.com/deggja/netfetch
brew install netfetch
```

For specific Linux distros, Windows etc. Check the latest release for a downloadable binary.

### Prerequisites

Before you begin, ensure you have the following:
Expand All @@ -28,11 +30,11 @@ Before you begin, ensure you have the following:
- Access to a Kubernetes cluster with configured `kubectl`.
- Sufficient permissions to list namespaces and network policies in the cluster.

### Basic Usage
### Basic usage

The primary command provided by `netfetch` is `scan`. This command scans all non-system Kubernetes namespaces for network policies.

#### Command Structure
#### Command structure

```sh
netfetch scan
Expand All @@ -42,4 +44,14 @@ You can also specifiy namespaces when running netfetch.

```sh
netfetch scan default
```
```

## Netfetch score

The `netfetch` tool provides a score at the end of each scan. The score ranges from 1 to 42, with 1 being the lowest and 42 being the highest possible score.

This score reflects the security posture of your Kubernetes namespaces based on network policies and pod coverage. If changes are made based on recommendations from the initial scan, rerunning `netfetch` will likely result in an improved score.

## License

[MIT License], see [LICENSE](LICENSE).
Binary file modified netfetch
Binary file not shown.
48 changes: 45 additions & 3 deletions pkg/k8s/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,9 +28,10 @@ func printToBoth(writer *bufio.Writer, s string) {
// ScanNetworkPolicies scans namespaces for network policies
func ScanNetworkPolicies(specificNamespace string) {
var output bytes.Buffer
writer := bufio.NewWriter(&output)

var namespacesToScan []string
var kubeconfig string

writer := bufio.NewWriter(&output)
if home := homedir.HomeDir(); home != "" {
kubeconfig = filepath.Join(home, ".kube", "config")
}
Expand All @@ -47,7 +48,6 @@ func ScanNetworkPolicies(specificNamespace string) {
return
}

var namespacesToScan []string
if specificNamespace != "" {
namespacesToScan = append(namespacesToScan, specificNamespace)
} else {
Expand All @@ -65,7 +65,11 @@ func ScanNetworkPolicies(specificNamespace string) {

missingPoliciesOrUncoveredPods := false
userDeniedPolicyApplication := false
policyChangesMade := false
confirm := false

deniedNamespaces := []string{}
unprotectedPodDetails := []string{}

for _, nsName := range namespacesToScan {
policies, err := clientset.NetworkingV1().NetworkPolicies(nsName).List(context.TODO(), metav1.ListOptions{})
Expand Down Expand Up @@ -107,6 +111,13 @@ func ScanNetworkPolicies(specificNamespace string) {
printToBoth(writer, errorMsg)
continue
}
unprotectedPodsCount := len(unprotectedPodDetails)
if unprotectedPodsCount > 0 || !hasDenyAll || !hasPolicies {
missingPoliciesOrUncoveredPods = true
}
if confirm {
policyChangesMade = true
}

unprotectedPods := false
var unprotectedPodDetails []string
Expand Down Expand Up @@ -174,6 +185,14 @@ func ScanNetworkPolicies(specificNamespace string) {
}
}

// Calculate the final score after scanning all namespaces
finalScore := calculateScore(!missingPoliciesOrUncoveredPods, !userDeniedPolicyApplication, len(deniedNamespaces))
fmt.Printf("\nYour Netfetch security score is: %d/42\n", finalScore)

if policyChangesMade {
fmt.Println("\nChanges were made during this scan. It's recommended to re-run the scan for an updated score.")
}

if missingPoliciesOrUncoveredPods {
if userDeniedPolicyApplication {
printToBoth(writer, "\nFor the following namespaces, you should assess the need of implementing network policies:\n")
Expand Down Expand Up @@ -234,3 +253,26 @@ func isSystemNamespace(namespace string) bool {
return false
}
}

// Scoring logic
func calculateScore(hasPolicies bool, hasDenyAll bool, unprotectedPodsCount int) int {
// Simple scoring logic - can be more complex based on requirements
score := 42 // Start with the highest score

if !hasPolicies {
score -= 20
}

if !hasDenyAll {
score -= 15
}

// Deduct score based on the number of unprotected pods
score -= unprotectedPodsCount

if score < 1 {
score = 1 // Minimum score
}

return score
}

0 comments on commit 4863ab0

Please sign in to comment.