make cis mode known throughout the code (#307)

* make cis mode known throughout the code
rancher · Sep 11, 2020 · 5947916 · 5947916
1 parent 7c82ee7
commit 5947916
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 13 deletions.
diff --git a/pkg/cli/cmds/agent.go b/pkg/cli/cmds/agent.go
@@ -54,7 +54,7 @@ func NewAgentCommand() cli.Command {
 }
 
 func AgentRun(clx *cli.Context) error {
-	if clx.String("profile") == "" {
+	if profile == "" {
 		logrus.Warn("not running in CIS 1.5 mode")
 	}
 	return rke2.Agent(clx, config)

diff --git a/pkg/cli/cmds/server.go b/pkg/cli/cmds/server.go
@@ -101,7 +101,7 @@ func NewServerCommand() cli.Command {
 }
 
 func ServerRun(clx *cli.Context) error {
-	if clx.String("profile") == "" {
+	if profile == "" {
 		logrus.Warn("not running in CIS 1.5 mode")
 	}
 	return rke2.Server(clx, config)

diff --git a/pkg/cli/defaults/defaults.go b/pkg/cli/defaults/defaults.go
@@ -12,7 +12,7 @@ import (
 	"google.golang.org/grpc/grpclog"
 )
 
-func Set(clx *cli.Context, images images.Images, dataDir string) error {
+func Set(clx *cli.Context, images images.Images, dataDir string, cisMode bool) error {
 	logsDir := filepath.Join(dataDir, "agent", "logs")
 	if err := os.MkdirAll(logsDir, 0755); err != nil {
 		return errors.Wrapf(err, "failed to create directory %s", logsDir)
@@ -38,7 +38,7 @@ func Set(clx *cli.Context, images images.Images, dataDir string) error {
 		"alsologtostderr=false",
 		"logtostderr=false",
 		"log-file="+filepath.Join(logsDir, "kubelet.log"))
-	if clx.String("profile") != "" {
+	if cisMode {
 		cmds.AgentConfig.ExtraKubeletArgs = append(cmds.AgentConfig.ExtraKubeletArgs,
 			"protect-kernel-defaults=true")
 	}

diff --git a/pkg/rke2/np.go b/pkg/rke2/np.go
@@ -5,7 +5,6 @@ import (
 	"fmt"
 
 	"github.com/sirupsen/logrus"
-	"github.com/urfave/cli"
 	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/api/networking/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -172,11 +171,11 @@ func setNetworkDNSPolicy(ctx context.Context, cs *kubernetes.Clientset) error {
 }
 
 // setNetworkPolicies applies a default network policy across the 3 primary namespaces.
-func setNetworkPolicies(clx *cli.Context) func(context.Context, <-chan struct{}, string) error {
+func setNetworkPolicies() func(context.Context, <-chan struct{}, string) error {
 	return func(ctx context.Context, apiServerReady <-chan struct{}, kubeConfigAdmin string) error {
 		// check if we're running in CIS mode and if so,
 		// apply the network policy.
-		if clx.String("profile") != "" {
+		if cisMode {
 			logrus.Info("Applying network policies...")
 			go func() {
 				<-apiServerReady

diff --git a/pkg/rke2/psp.go b/pkg/rke2/psp.go
@@ -7,7 +7,6 @@ import (
 	"time"
 
 	"github.com/sirupsen/logrus"
-	"github.com/urfave/cli"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/api/policy/v1beta1"
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -152,7 +151,7 @@ func setSystemUnrestricted(ctx context.Context, cs *kubernetes.Clientset, ns *v1
 // - If the globalRestricted annotation does not exist, then check if the PSP exists and
 //   if it doesn't, create it. Check if the associated role and bindings exist and
 //   if they do, delete them.
-func setPSPs(clx *cli.Context) func(context.Context, <-chan struct{}, string) error {
+func setPSPs() func(context.Context, <-chan struct{}, string) error {
 	return func(ctx context.Context, apiServerReady <-chan struct{}, kubeConfigAdmin string) error {
 		logrus.Info("Applying PSP's...")
 		go func() {
@@ -171,7 +170,7 @@ func setPSPs(clx *cli.Context) func(context.Context, <-chan struct{}, string) er
 				ns.Annotations = make(map[string]string)
 			}
 
-			if clx.String("profile") == "" { // non-CIS mode
+			if !cisMode { // non-CIS mode
 				if err := setGlobalUnrestricted(ctx, cs, ns); err != nil {
 					logrus.Fatalf("psp: set globalUnrestricted: %s", err.Error())
 				}

diff --git a/pkg/rke2/rke2.go b/pkg/rke2/rke2.go
@@ -26,6 +26,8 @@ type Config struct {
 	CloudProviderConfig   string
 }
 
+var cisMode bool
+
 func Server(clx *cli.Context, cfg Config) error {
 	if err := setup(clx, cfg); err != nil {
 		return err
@@ -38,8 +40,8 @@ func Server(clx *cli.Context, cfg Config) error {
 	}
 
 	cmds.ServerConfig.StartupHooks = append(cmds.ServerConfig.StartupHooks,
-		setPSPs(clx),
-		setNetworkPolicies(clx),
+		setPSPs(),
+		setNetworkPolicies(),
 	)
 
 	return server.Run(clx)
@@ -63,8 +65,19 @@ func setup(clx *cli.Context, cfg Config) error {
 		}
 	}
 
+	for _, f := range clx.App.Flags {
+		switch t := f.(type) {
+		case cli.StringFlag:
+			if t.Name == "profile" && t.Destination != nil && *t.Destination != "" {
+				cisMode = true
+			}
+		default:
+			// nothing to do. Keep moving.
+		}
+	}
+
 	images := images.New(cfg.SystemDefaultRegistry)
-	if err := defaults.Set(clx, images, dataDir); err != nil {
+	if err := defaults.Set(clx, images, dataDir, cisMode); err != nil {
 		return err
 	}