Merge pull request #178 from snyk/feat/force-static-analysis

feat: force static analysis

Author: Amir Moualem

Dockerfile

@@ -29,15 +29,6 @@ LABEL maintainer="Snyk Ltd"
 
 ENV NODE_ENV production
 
-# INSTALLING DOCKER, CAN BE REMOVED WHEN WE DON'T TRY TO `DOCKER PULL`
-ENV DOCKERVERSION=18.06.3-ce
-RUN apk --no-cache add --virtual curl-dep curl \
- && curl -fsSLO https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKERVERSION}.tgz \
- && tar xzvf docker-${DOCKERVERSION}.tgz --strip 1 \
-                -C /usr/local/bin docker/docker \
- && rm docker-${DOCKERVERSION}.tgz \
- && apk del curl-dep
-
 COPY --from=skopeo-build /usr/bin/skopeo /usr/bin/skopeo
 COPY --from=skopeo-build /etc/containers/registries.d/default.yaml /etc/containers/registries.d/default.yaml
 COPY --from=skopeo-build /etc/containers/policy.json /etc/containers/policy.json

README.md

@@ -1,12 +1,15 @@
 # snyk/kubernetes-monitor #
 
 ## Summary ##
+
 Container to monitor Kubernetes clusters' security
 
 ## Prerequisites ##
 
-*Note that by default the monitor uses Docker to scan your cluster and requires Docker to be your container runtime.*
-*Alternatively, you can enable static analysis, which allows the use of any container runtime.*
+* 50 GB of storage in the form of [emptyDir](https://kubernetes.io/docs/concepts/storage/volumes/#emptydir).
+* External internet access from the Kubernetes cluster.
+
+## Installing ##
 
 The Snyk monitor (`kubernetes-monitor`) requires some minimal configuration items in order to work correctly.
 
@@ -75,10 +78,3 @@ Finally, to launch the Snyk monitor in your cluster, run the following:
 ```shell
 kubectl apply -f snyk-monitor-deployment.yaml
 ```
-
-## Enabling static analysis ##
-
-Static analysis works with any container runtime and does not rely on Docker to scan the images in your cluster.
-It works by pulling the image, unpacking it and inspecting the files directly. For this process it needs temporary storage, so the Snyk monitor uses 50 GB of storage in the form of [emptyDir](https://kubernetes.io/docs/concepts/storage/volumes/#emptydir).
-
-To enable static analysis, modify one of the permissions files (`snyk-monitor-namespaced-permissions.yaml` for the Namespaced deployment or `snyk-monitor-cluster-permissions.yaml` for the Cluster-scoped deployment) and set the string value of `staticAnalysis` to `"true"`.

package.json

@@ -6,7 +6,7 @@
     "pretest": "./scripts/build-image.sh",
     "test": "npm run lint && npm run build && npm run test:unit && npm run test:integration",
     "test:unit": "./tap test/unit -R spec",
-    "test:integration": "./tap test/integration -Rdot --timeout=600 && STATIC_ANALYSIS=true ./tap test/integration -Rdot --timeout=1200",
+    "test:integration": "./tap test/integration -Rdot --timeout=1200",
     "test:coverage": "npm run test:unit -- --coverage",
     "test:watch": "tsc-watch --onSuccess 'npm run test:unit'",
     "test:apk": "./scripts/build-image.sh && PACKAGE_MANAGER=apk ./tap test/package-manager/regression.test.ts -Rdot --timeout=7200",

snyk-monitor-cluster-permissions.yaml

@@ -83,5 +83,4 @@ data:
   namespace: ""
   integrationApi: ""
   clusterName: ""
-  staticAnalysis: "false"
 ---

snyk-monitor-deployment.yaml

@@ -21,8 +21,6 @@ spec:
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
         volumeMounts:
-        - name: docker-socket-mount
-          mountPath: /var/run/docker.sock
         - name: docker-config
           readOnly: true
           mountPath: "/root/.docker"
@@ -52,12 +50,6 @@ spec:
                 name: snyk-monitor
                 key: clusterName
                 optional: true
-          - name: SNYK_STATIC_ANALYSIS
-            valueFrom:
-              configMapKeyRef:
-                name: snyk-monitor
-                key: staticAnalysis
-                optional: true
         resources:
           requests:
             cpu: '250m'
@@ -67,9 +59,6 @@ spec:
             memory: '2Gi'
       securityContext: {}
       volumes:
-      - name: docker-socket-mount
-        hostPath:
-          path: /var/run/docker.sock
       - name: docker-config
         secret:
           secretName: snyk-monitor

snyk-monitor-namespaced-permissions.yaml

@@ -75,5 +75,4 @@ data:
   namespace: snyk-monitor
   integrationApi: ""
   clusterName: ""
-  staticAnalysis: "false"
 ---

snyk-monitor/README.md

@@ -1,12 +1,10 @@
 # snyk/kubernetes-monitor-chart #
 
 ## Summary ##
-A Helm chart for the Snyk monitor
 
-## Prerequisites ##
+A Helm chart for the Snyk monitor
 
-*Note that by default the monitor uses Docker to scan your cluster and requires Docker to be your container runtime.*
-*Alternatively, you can enable static analysis, which removes the reliance on Docker completely and works with any container runtime.*
+## Installing ##
 
 The Snyk monitor (`kubernetes-monitor`) requires some minimal configuration items in order to work correctly.
 
@@ -70,14 +68,3 @@ For Helm 3, you may run the following:
 ```shell
 helm upgrade --generate-name --install snyk-monitor snyk-charts/snyk-monitor --namespace snyk-monitor --set clusterName="Production cluster"
 ```
-
-## Enabling static analysis ##
-
-Static analysis works with any container runtime and does not rely on Docker to scan the images in your cluster.
-It works by pulling the image, unpacking it and inspecting the files directly. For this process it needs temporary storage, so the Snyk monitor uses 50 GB of storage in the form of [emptyDir](https://kubernetes.io/docs/concepts/storage/volumes/#emptydir).
-The Docker socket is _not_ mounted when static analysis is enabled.
-
-To enable static analysis, set the `featureFlags.staticAnalysis` value to `true`:
-```shell
-helm upgrade --install snyk-monitor snyk-charts/snyk-monitor --namespace snyk-monitor --set clusterName="Production cluster" --set featureFlags.staticAnalysis=true
-```

snyk-monitor/templates/deployment.yaml

@@ -27,17 +27,11 @@ spec:
           terminationMessagePath: /dev/termination-log
           terminationMessagePolicy: File
           volumeMounts:
-          {{- if ne .Values.featureFlags.staticAnalysis true }}
-          - name: docker-socket-mount
-            mountPath: /var/run/docker.sock
-          {{- end }}
           - name: docker-config
             readOnly: true
             mountPath: "/root/.docker"
-          {{- if eq .Values.featureFlags.staticAnalysis true }}
           - name: temporary-storage
             mountPath: "/snyk-monitor"
-          {{- end }}
           env:
           - name: SNYK_INTEGRATION_ID
             valueFrom:
@@ -50,8 +44,6 @@ spec:
             value: {{ .Values.integrationApi }}
           - name: SNYK_CLUSTER_NAME
             value: {{ .Values.clusterName }}
-          - name: SNYK_STATIC_ANALYSIS
-            value: {{ quote .Values.featureFlags.staticAnalysis }}
           resources:
             requests:
               cpu: '250m'
@@ -60,19 +52,12 @@ spec:
               cpu: '1'
               memory: '2Gi'
       volumes:
-        {{- if ne .Values.featureFlags.staticAnalysis true }}
-        - name: docker-socket-mount
-          hostPath:
-            path: {{ .Values.dockerSocketHostPath }}
-        {{- end }}
         - name: docker-config
           secret:
             secretName: {{ .Values.monitorSecrets }}
             items:
               - key: dockercfg.json
                 path: config.json
-        {{- if eq .Values.featureFlags.staticAnalysis true }}
         - name: temporary-storage
           emptyDir:
             sizeLimit: {{ .Values.temporaryStorageSize }}
-        {{- end }}

snyk-monitor/values.yaml

@@ -28,9 +28,6 @@ clusterName: ""
 # The path of the docker socket on the node. For PKS: /var/vcap/data/sys/run/docker/docker.sock
 dockerSocketHostPath: "/var/run/docker.sock"
 
-featureFlags:
-  staticAnalysis: false
-
 # The snyk-monitor requires disk storage to temporarily pull container images and to scan them for vulnerabilities.
 # This value controls how much disk storage _at most_ may be allocated for the snyk-monitor. The snyk-monitor mounts an emptyDir for storage.
 temporaryStorageSize: 50Gi

src/common/config.ts

@@ -8,6 +8,5 @@ config.AGENT_ID = uuidv4();
 config.INTEGRATION_ID = config.INTEGRATION_ID.trim();
 config.CLUSTER_NAME = config.CLUSTER_NAME || 'Default cluster';
 config.IMAGE_STORAGE_ROOT = '/snyk-monitor';
-config.STATIC_ANALYSIS = config.STATIC_ANALYSIS || false;
 
 export = config;

src/common/features.ts

@@ -1,8 +1,6 @@
 import logger = require('../common/logger');
-import { pull as dockerPull } from './docker';
 import { pull as skopeoCopy, getDestinationForImage } from './skopeo';
 import { unlink } from 'fs';
-import { isStaticAnalysisEnabled } from '../common/features';
 import { IPullableImage } from './types';
 
 export async function pullImages(images: IPullableImage[]): Promise<IPullableImage[]> {
@@ -11,14 +9,7 @@ export async function pullImages(images: IPullableImage[]): Promise<IPullableIma
   for (const image of images) {
     const {imageName, fileSystemPath} = image;
     try {
-      if (isStaticAnalysisEnabled()) {
-        if (!fileSystemPath) {
-          throw new Error('Missing required parameter fileSystemPath for static analysis');
-        }
-        await skopeoCopy(imageName, fileSystemPath);
-      } else {
-        await dockerPull(imageName);
-      }
+      await skopeoCopy(imageName, fileSystemPath);
       pulledImages.push(image);
     } catch (error) {
       logger.error({error, image: imageName}, 'failed to pull image');
@@ -28,28 +19,13 @@ export async function pullImages(images: IPullableImage[]): Promise<IPullableIma
   return pulledImages;
 }
 
-/**
- * TODO: For Docker (dynamic scanning) it returns the image but with an empty file system path
- * (because Docker does not pull images to a temporary directory). This will no longer be true
- * when static analysis becomes the only option, but worth nothing it here to avoid confusion!
- * @param images a list of images for which to generate a file system path
- */
 export function getImagesWithFileSystemPath(images: string[]): IPullableImage[] {
-  return isStaticAnalysisEnabled()
-    ? images.map((image) => ({ imageName: image, fileSystemPath: getDestinationForImage(image) }))
-    : images.map((image) => ({ imageName: image }));
+  return images.map((image) => ({ imageName: image, fileSystemPath: getDestinationForImage(image) }));
 }
 
 export async function removePulledImages(images: IPullableImage[]) {
-  if (!isStaticAnalysisEnabled()) {
-    return;
-  }
-
   for (const {imageName, fileSystemPath} of images) {
     try {
-      if (!fileSystemPath) {
-        throw new Error('Missing required parameter fileSystemPath for static analysis');
-      }
       await new Promise((resolve) => unlink(fileSystemPath, resolve));
     } catch (error) {
       logger.warn({error, image: imageName}, 'failed to delete pulled image');

src/images/docker.ts

@@ -1,4 +1,4 @@
 export interface IPullableImage {
   imageName: string;
-  fileSystemPath?: string;
+  fileSystemPath: string;
 }

src/images/index.ts

@@ -1,7 +1,6 @@
 import * as plugin from 'snyk-docker-plugin';
 import logger = require('../common/logger');
 import { IStaticAnalysisOptions, StaticAnalysisImageType } from './types';
-import { isStaticAnalysisEnabled } from '../common/features';
 import { IPullableImage } from '../images/types';
 
 export interface IScanResult {
@@ -45,9 +44,7 @@ export async function scanImages(images: IPullableImage[]): Promise<IScanResult[
 
   for (const {imageName, fileSystemPath} of images) {
     try {
-      const options = isStaticAnalysisEnabled()
-        ? constructStaticAnalysisOptions(fileSystemPath)
-        : undefined;
+      const options = constructStaticAnalysisOptions(fileSystemPath);
 
       const result = await plugin.inspect(imageName, dockerfile, options);
 

src/images/types.ts

@@ -1,7 +1,6 @@
 import { makeInformer, ADD } from '@kubernetes/client-node';
 import { V1Namespace } from '@kubernetes/client-node';
 import config = require('../../common/config');
-import { isStaticAnalysisEnabled } from '../../common/features';
 import logger = require('../../common/logger');
 import { WorkloadKind } from '../types';
 import { setupInformer } from './handlers';
@@ -57,9 +56,6 @@ function setupWatchesForCluster() {
 }
 
 export function beginWatchingWorkloads() {
-  logger.info({isStaticAnalysisEnabled: isStaticAnalysisEnabled()},
-    'static analysis check');
-
   if (config.NAMESPACE) {
     logger.info({namespace: config.NAMESPACE}, 'kubernetes-monitor restricted to specific namespace');
     setupWatchesForNamespace(config.NAMESPACE);

src/kube-scanner/image-scanner.ts

@@ -20,10 +20,6 @@
         {
           "name": "SNYK_CLUSTER_NAME",
           "value": "Production cluster"
-        },
-        {
-          "name": "SNYK_STATIC_ANALYSIS",
-          "value": "true"
         }
       ],
       "image": "snyk/kubernetes-monitor:1.8.5",

src/kube-scanner/watchers/namespaces.ts

@@ -24,8 +24,7 @@ tap.tearDown(tearDown);
 tap.test('deploy snyk-monitor', async (t) => {
   t.plan(1);
 
-  const isStaticAnalysis = process.env.STATIC_ANALYSIS === 'true';
-  integrationId = await setup.deployMonitor(isStaticAnalysis);
+  integrationId = await setup.deployMonitor();
 
   t.pass('successfully deployed the snyk-monitor');
 });

test/fixtures/cluster-config.yaml

@@ -26,8 +26,7 @@ tap.tearDown(tearDown);
 tap.test('deploy snyk-monitor', async (t) => {
   t.plan(1);
 
-  const isStaticAnalysis = true;
-  integrationId = await deployMonitor(isStaticAnalysis);
+  integrationId = await deployMonitor();
 
   t.pass('successfully deployed the snyk-monitor');
 });