Merge pull request aws-samples#10 from aws-samples/report-output

Report output
joshkurz · Jan 2, 2023 · a8a3a3e · a8a3a3e
2 parents 2ce2488 + 9fda7be
commit a8a3a3e
Show file tree

Hide file tree

Showing 19 changed files with 247 additions and 253 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -43,7 +43,7 @@ jobs:
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
-        python -m pip install tox tox-gh-actions
+        python -m pip install tox-gh-actions
    
     - name: Test with tox
       run: tox

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,9 @@
+## v0.7.0 (2023-01-02)
+
+### Feat
+
+- Add option to export the report as html or txt
+
 ## v0.6.0 (2022-12-15)
 
 ### Feat

diff --git a/README.md b/README.md
@@ -32,6 +32,8 @@ hardeneks [OPTIONS]
 * `--cluster TEXT`: EKS Cluster name
 * `--namespace TEXT`: Namespace to be checked (default is all namespaces)
 * `--config TEXT`: Path to a hardeneks config file
+* `--export-txt TEXT`: Export the report in txt format
+* `--export-html TEXT`: Export the report in html format
 * `--insecure-skip-tls-verify`: Skip TLS verification
 * `--help`: Show this message and exit.
 

diff --git a/hardeneks/__init__.py b/hardeneks/__init__.py
@@ -19,6 +19,7 @@
 
 
 app = typer.Typer()
+console = Console(record=True)
 
 
 def _config_callback(value: str):
@@ -101,6 +102,14 @@ def run_hardeneks(
         callback=_config_callback,
         help="Path to a hardeneks config file.",
     ),
+    export_txt: str = typer.Option(
+        default=None,
+        help="Export the report in txt format",
+    ),
+    export_html: str = typer.Option(
+        default=None,
+        help="Export the report in html format",
+    ),
     insecure_skip_tls_verify: bool = typer.Option(
         False,
         "--insecure-skip-tls-verify",
@@ -115,6 +124,8 @@ def run_hardeneks(
         cluster (str): Cluster name
         namespace (str): Specific namespace to be checked
         config (str): Path to hardeneks config file
+        export-txt (str): Export the report in txt format
+        export-html (str): Export the report in html format
         insecure-skip-tls-verify (str): Skip tls verification
 
     Returns:
@@ -134,7 +145,6 @@ def run_hardeneks(
     if not region:
         region = _get_region()
 
-    console = Console()
     console.rule("[b]HARDENEKS", characters="*  ")
     console.print(f"You are operating at {region}")
     console.print(f"You context is {context}")
@@ -153,7 +163,7 @@ def run_hardeneks(
     rules = config["rules"]
 
     console.rule("[b]Checking cluster wide rules", characters="- ")
-    print()
+    console.print()
 
     resources = Resources(region, context, cluster, namespaces)
     resources.set_resources()
@@ -168,3 +178,8 @@ def run_hardeneks(
         resources.set_resources()
         harden(resources, rules, "namespace_based")
         console.print()
+
+    if export_txt:
+        console.save_text(export_txt)
+    if export_html:
+        console.save_html(export_html)
diff --git a/hardeneks/cluster_wide/reliability/applications.py b/hardeneks/cluster_wide/reliability/applications.py
@@ -1,8 +1,7 @@
 from kubernetes import client
-from rich import print
 from rich.panel import Panel
-from rich.console import Console
 
+from hardeneks import console
 from ...resources import Resources
 
 
@@ -12,12 +11,10 @@ def check_metrics_server_is_running(resources: Resources):
         for i in client.CoreV1Api().list_service_for_all_namespaces().items
     ]
 
-    console = Console()
-
     if "metrics-server" in services:
         return True
     else:
-        print(
+        console.print(
             Panel(
                 "[red]Deploy metrics server.",
                 subtitle="[link=https://aws.github.io/aws-eks-best-practices/reliability/docs/application/#run-kubernetes-metrics-server]Click to see the guide[/link]",
@@ -33,12 +30,10 @@ def check_vertical_pod_autoscaler_exists(resources: Resources):
         for i in client.AppsV1Api().list_deployment_for_all_namespaces().items
     ]
 
-    console = Console()
-
     if "vpa-recommender" in deployments:
         return True
     else:
-        print(
+        console.print(
             Panel(
                 "[red]Deploy vertical pod autoscaler if needed.",
                 subtitle="[link=https://aws.github.io/aws-eks-best-practices/reliability/docs/application/#vertical-pod-autoscaler-vpa]Click to see the guide[/link]",

diff --git a/hardeneks/cluster_wide/security/detective_controls.py b/hardeneks/cluster_wide/security/detective_controls.py
@@ -1,13 +1,9 @@
 import boto3
-from rich import print
 from rich.panel import Panel
-from rich.console import Console
-
 
+from hardeneks import console
 from ...resources import Resources
 
-console = Console()
-
 
 def check_logs_are_enabled(resources: Resources):
     client = boto3.client("eks", region_name=resources.region)
@@ -16,7 +12,7 @@ def check_logs_are_enabled(resources: Resources):
         "enabled"
     ]
     if not logs:
-        print(
+        console.print(
             Panel(
                 "[red]Enable control plane logs for auditing",
                 subtitle="[link=https://aws.github.io/aws-eks-best-practices/security/docs/detective/#enable-audit-logs]Click to see the guide[/link]",

diff --git a/hardeneks/cluster_wide/security/iam.py b/hardeneks/cluster_wide/security/iam.py
@@ -1,14 +1,11 @@
 import boto3
 from kubernetes import client
-from rich import print
 from rich.panel import Panel
-from rich.console import Console
 
+from hardeneks import console
 from ...resources import Resources
 from ...report import print_role_table, print_instance_metadata_table
 
-console = Console()
-
 
 def restrict_wildcard_for_cluster_roles(resources: Resources):
     offenders = []
@@ -37,7 +34,7 @@ def check_endpoint_public_access(resources: Resources):
         "endpointPublicAccess"
     ]
     if endpoint_access:
-        print(
+        console.print(
             Panel(
                 "[red]EKS Cluster Endpoint is not Private",
                 subtitle="[link=https://aws.github.io/aws-eks-best-practices/security/docs/iam/#make-the-eks-cluster-endpoint-private]Click to see the guide[/link]",
@@ -55,7 +52,7 @@ def check_aws_node_daemonset_service_account(resources: Resources):
     )
 
     if daemonset.spec.template.spec.service_account_name == "aws-node":
-        print(
+        console.print(
             Panel(
                 "[red]Update the aws-node daemonset to use IRSA",
                 subtitle="[link=https://aws.github.io/aws-eks-best-practices/security/docs/iam/#update-the-aws-node-daemonset-to-use-irsa]Click to see the guide[/link]",

diff --git a/hardeneks/cluster_wide/security/infrastructure_security.py b/hardeneks/cluster_wide/security/infrastructure_security.py
@@ -1,15 +1,11 @@
 import boto3
-from rich.console import Console
 from rich.panel import Panel
-from rich import print
 
+from hardeneks import console
 from ...resources import Resources
 from ...report import print_instance_public_table
 
 
-console = Console()
-
-
 def deploy_workers_onto_private_subnets(resources: Resources):
     client = boto3.client("ec2", region_name=resources.region)
 
@@ -56,7 +52,7 @@ def make_sure_inspector_is_enabled(resources: Resources):
     ecr_status = resource_state["ecr"]["status"]
 
     if ec2_status != "ENABLED" and ecr_status != "ENABLED":
-        print(
+        console.print(
             Panel(
                 "[red]Enable Amazon Inspector for ec2 and ecr",
                 subtitle="[link=https://aws.github.io/aws-eks-best-practices/security/docs/hosts/#run-amazon-inspector-to-assess-hosts-for-exposure-vulnerabilities-and-deviations-from-best-practices]Click to see the guide[/link]",

diff --git a/hardeneks/cluster_wide/security/multi_tenancy.py b/hardeneks/cluster_wide/security/multi_tenancy.py
@@ -1,13 +1,9 @@
-from rich.console import Console
-
 from ...resources import Resources
 
 from ...report import (
     print_namespace_table,
 )
 
-console = Console()
-
 
 def ensure_namespace_quotas_exist(resources: Resources):
 

diff --git a/hardeneks/cluster_wide/security/network_security.py b/hardeneks/cluster_wide/security/network_security.py
@@ -1,17 +1,12 @@
 import boto3
 from kubernetes import client
-from rich.console import Console
 from rich.panel import Panel
-from rich import print
-
 
+from hardeneks import console
 from ...resources import Resources
 from ...report import print_namespace_table
 
 
-console = Console()
-
-
 def check_vpc_flow_logs(resources: Resources):
     client = boto3.client("eks", region_name=resources.region)
     cluster_metadata = client.describe_cluster(name=resources.cluster)
@@ -24,7 +19,7 @@ def check_vpc_flow_logs(resources: Resources):
     )["FlowLogs"]
 
     if not flow_logs:
-        print(
+        console.print(
             Panel(
                 "[red]Enable flow logs for your VPC.",
                 subtitle="[link=https://aws.github.io/aws-eks-best-practices/security/docs/network/#log-network-traffic-metadata]Click to see the guide[/link]",
@@ -40,7 +35,7 @@ def check_awspca_exists(resources: Resources):
         if service.metadata.name.startswith("aws-privateca-issuer"):
             return True
 
-    print(
+    console.print(
         Panel(
             "[red]Install aws privateca issuer for your certificates.",
             subtitle="[link=https://aws.github.io/aws-eks-best-practices/security/docs/network/#acm-private-ca-with-cert-manager]Click to see the guide[/link]",

diff --git a/hardeneks/harden.py b/hardeneks/harden.py
@@ -1,7 +1,5 @@
 from importlib import import_module
 
-from rich import print
-
 
 def harden(resources, config, _type):
     config = config[_type]

diff --git a/hardeneks/namespace_based/security/iam.py b/hardeneks/namespace_based/security/iam.py
@@ -1,7 +1,5 @@
 from collections import Counter
 
-from rich.console import Console
-
 from ...resources import NamespacedResources
 from ...report import (
     print_role_table,
@@ -10,9 +8,6 @@
 )
 
 
-console = Console()
-
-
 def restrict_wildcard_for_roles(resources: NamespacedResources):
     offenders = []
 

diff --git a/hardeneks/namespace_based/security/network_security.py b/hardeneks/namespace_based/security/network_security.py
@@ -1,14 +1,9 @@
-from rich.console import Console
-
 from ...report import (
     print_service_table,
 )
 from hardeneks.resources import NamespacedResources
 
 
-console = Console()
-
-
 def use_encryption_with_aws_load_balancers(
     namespaced_resources: NamespacedResources,
 ):

diff --git a/hardeneks/namespace_based/security/pod_security.py b/hardeneks/namespace_based/security/pod_security.py
@@ -1,14 +1,9 @@
-from rich.console import Console
-
 from ...report import (
     print_pod_table,
 )
 from ...resources import NamespacedResources
 
 
-console = Console()
-
-
 def disallow_container_socket_mount(namespaced_resources: NamespacedResources):
     offenders = []
 

diff --git a/hardeneks/namespace_based/security/runtime_security.py b/hardeneks/namespace_based/security/runtime_security.py
@@ -1,5 +1,4 @@
-from rich import print
-
+from hardeneks import console
 from ...resources import NamespacedResources
 from ...report import print_pod_table
 
@@ -33,8 +32,8 @@ def disallow_linux_capabilities(namespaced_resources: NamespacedResources):
                     offenders.append(pod)
 
     if offenders:
-        print()
-        print(allowed_list)
+        console.print()
+        console.print(allowed_list)
         print_pod_table(
             offenders,
             """