feat(k8s): add filter for ignoring TLS secrets without client certificates

- Introduce IgnoreTLSSecretsContainingNonClientCertificates filter
- Update dynamic gatherer config to support resource filters via YAML
- Apply filters when adding resources to cache to exclude non-client TLS secrets

Signed-off-by: Richard Wall <richard.wall@cyberark.com>

Author: wallrj-cyberark

deploy/charts/cyberark-disco-agent/templates/configmap.yaml

@@ -30,6 +30,8 @@ data:
         - type!=kubernetes.io/dockerconfigjson
         - type!=bootstrap.kubernetes.io/token
         - type!=helm.sh/release.v1
+        filters:
+        - IgnoreTLSSecretsContainingNonClientCertificates
     - kind: k8s-dynamic
       name: ark/serviceaccounts
       config:

examples/machinehub.yaml

@@ -28,6 +28,8 @@ data-gatherers:
     - type!=kubernetes.io/dockerconfigjson
     - type!=bootstrap.kubernetes.io/token
     - type!=helm.sh/release.v1
+    filters:
+    - IgnoreTLSSecretsContainingNonClientCertificates
 
 # Gather Kubernetes service accounts
 - name: ark/serviceaccounts

pkg/datagatherer/k8s/cache.go

@@ -1,11 +1,16 @@
 package k8s
 
 import (
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"time"
 
 	"github.com/go-logr/logr"
 	"github.com/pmylund/go-cache"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 
 	"github.com/jetstack/preflight/api"
@@ -39,9 +44,141 @@ func logCacheUpdateFailure(log logr.Logger, obj interface{}, operation string) {
 	log.Error(err, "Cache update failure", "operation", operation)
 }
 
+// cacheFilterFunction is a function that takes an object and returns true if the
+// object should not be added to the cache, false otherwise.
+// This can be used to filter out objects that are not relevant for the data gatherer.
+type cacheFilterFunction func(logr.Logger, interface{}) bool
+
+// IgnoreTLSSecretsContainingNonClientCertificates filters out all TLS secrets that do not
+// contain a client certificate in the `tls.crt` key.
+// Secrets are obtained by a DynamicClient, so they have type
+// *unstructured.Unstructured.
+func IgnoreTLSSecretsContainingNonClientCertificates(log logr.Logger, obj interface{}) bool {
+	_, ok := obj.(cacheResource)
+	if !ok {
+		log.V(4).Info("Object is not a cacheResource", "type", fmt.Sprintf("%T", obj))
+		return false
+	}
+	// Check if the object is a Unstructured
+	unstructuredObj, ok := obj.(*unstructured.Unstructured)
+	if !ok {
+		log.V(4).Info("Object is not a Unstructured", "type", fmt.Sprintf("%T", obj))
+		return false
+	}
+
+	// Check if the object is a Secret
+	if unstructuredObj.GetKind() != "Secret" {
+		log.V(4).Info("Object is not a Secret", "kind", unstructuredObj.GetKind())
+		return false
+	}
+	if unstructuredObj.GetAPIVersion() != "v1" {
+		log.V(4).Info("Object is not a v1 Secret", "apiVersion", unstructuredObj.GetAPIVersion())
+		return false
+	}
+	secretType, found, err := unstructured.NestedString(unstructuredObj.Object, "type")
+	if err != nil || !found || secretType != string(corev1.SecretTypeTLS) {
+		log.V(4).Info("Object is not a TLS Secret", "type", secretType)
+		return false
+	}
+
+	// Get the Secret data
+	var secret corev1.Secret
+	err = runtime.DefaultUnstructuredConverter.FromUnstructured(unstructuredObj.Object, &secret)
+	if err != nil {
+		log.V(4).Info("failed to convert Unstructured to Secret", "error", err.Error())
+		return true
+	}
+
+	// Check if the secret contains the `tls.crt` key
+	data, found := secret.Data[corev1.TLSCertKey]
+	if !found || len(data) == 0 {
+		log.V(4).Info("TLS Secret does not contain tls.crt key")
+		return true
+	}
+
+	// Try to parse the data as a PEM encoded X.509 certificate chain
+	certs, err := parsePEMCertificateChain(data)
+	if err != nil {
+		log.V(4).Info("Failed to parse tls.crt as PEM encoded X.509 certificate chain", "error", err.Error())
+		return true
+	}
+
+	if len(certs) == 0 {
+		log.V(4).Info("No certificates found in tls.crt")
+		return true
+	}
+
+	// Check if the leaf certificate is a client certificate
+	if isClientCertificate(certs[0]) {
+		log.V(4).Info("TLS Secret contains a client certificate", "name", secret.Name, "namespace", secret.Namespace)
+		return false
+	}
+
+	log.V(4).Info("TLS Secret does not contain a client certificate", "name", secret.Name, "namespace", secret.Namespace)
+	return true
+}
+
+// isClientCertificate checks if the given certificate is a client certificate
+// by checking if it has the ClientAuth EKU.
+func isClientCertificate(cert *x509.Certificate) bool {
+	if cert == nil {
+		return false
+	}
+	// Check if the certificate has the ClientAuth EKU
+	for _, eku := range cert.ExtKeyUsage {
+		if eku == x509.ExtKeyUsageClientAuth {
+			return true
+		}
+	}
+	return false
+}
+
+// parsePEMCertificateChain parses a PEM encoded certificate chain and returns
+// a slice of x509.Certificate pointers. It returns an error if the data cannot
+// be parsed as a certificate chain.
+// The supplied data can contain multiple PEM blocks, the function will parse
+// all of them and return a slice of certificates.
+func parsePEMCertificateChain(data []byte) ([]*x509.Certificate, error) {
+	// Parse the PEM encoded certificate chain
+	var certs []*x509.Certificate
+	var block *pem.Block
+	rest := data
+	for {
+		block, rest = pem.Decode(rest)
+		if block == nil {
+			break
+		}
+		if block.Type != "CERTIFICATE" || len(block.Bytes) == 0 {
+			continue
+		}
+		cert, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse certificate: %w", err)
+		}
+		certs = append(certs, cert)
+	}
+	if len(certs) == 0 {
+		return nil, fmt.Errorf("no certificates found")
+	}
+	return certs, nil
+}
+
 // onAdd handles the informer creation events, adding the created runtime.Object
 // to the data gatherer's cache. The cache key is the uid of the object
-func onAdd(log logr.Logger, obj interface{}, dgCache *cache.Cache) {
+// The object is wrapped in a GatheredResource struct.
+// If the object is already present in the cache, it gets replaced.
+// The cache key is the uid of the object
+// The supplied filter functions can be used to filter out objects that
+// should not be added to the cache.
+// If multiple filter functions are supplied, the object is filtered out
+// if any of the filter functions returns true.
+func onAdd(log logr.Logger, obj interface{}, dgCache *cache.Cache, filters ...cacheFilterFunction) {
+	for _, filter := range filters {
+		if filter != nil && filter(log, obj) {
+			return
+		}
+	}
+
 	item, ok := obj.(cacheResource)
 	if ok {
 		cacheObject := &api.GatheredResource{

pkg/datagatherer/k8s/dynamic.go

@@ -43,6 +43,12 @@ type ConfigDynamic struct {
 	IncludeNamespaces []string `yaml:"include-namespaces"`
 	// FieldSelectors is a list of field selectors to use when listing this resource
 	FieldSelectors []string `yaml:"field-selectors"`
+	// Filters is a list of filter functions to apply to the resources before adding them to the cache.
+	// Each filter function should return true if the resource should be excluded, false otherwise.
+	// Available filter functions:
+	// - IgnoreTLSSecretsContainingNonClientCertificates: ignores all TLS
+	//   secrets that do not contain client certificates
+	Filters []cacheFilterFunction `yaml:"filters"`
 }
 
 // UnmarshalYAML unmarshals the ConfigDynamic resolving GroupVersionResource.
@@ -57,6 +63,7 @@ func (c *ConfigDynamic) UnmarshalYAML(unmarshal func(interface{}) error) error {
 		ExcludeNamespaces []string `yaml:"exclude-namespaces"`
 		IncludeNamespaces []string `yaml:"include-namespaces"`
 		FieldSelectors    []string `yaml:"field-selectors"`
+		Filters           []string `yaml:"filters"`
 	}{}
 	err := unmarshal(&aux)
 	if err != nil {
@@ -71,6 +78,15 @@ func (c *ConfigDynamic) UnmarshalYAML(unmarshal func(interface{}) error) error {
 	c.IncludeNamespaces = aux.IncludeNamespaces
 	c.FieldSelectors = aux.FieldSelectors
 
+	for _, filterName := range aux.Filters {
+		switch filterName {
+		case "IgnoreTLSSecretsContainingNonClientCertificates":
+			c.Filters = append(c.Filters, IgnoreTLSSecretsContainingNonClientCertificates)
+		default:
+			return fmt.Errorf("filters contains an unknown filter function: %s. Must be one of: IgnoreTLSSecretsContainingNonClientCertificates", filterName)
+		}
+	}
+
 	return nil
 }
 
@@ -107,6 +123,9 @@ type sharedInformerFunc func(informers.SharedInformerFactory) k8scache.SharedInd
 
 // kubernetesNativeResources map of the native kubernetes resources, linking each resource to a sharedInformerFunc for that resource.
 // secrets are still treated as unstructured rather than corev1.Secret, for a faster unmarshaling
+//
+// TODO(wallrj): What does "faster unmarshaling" mean in this context? Is it
+// actually faster? If so, how much faster? Is it worth the loss of type safety?
 var kubernetesNativeResources = map[schema.GroupVersionResource]sharedInformerFunc{
 	corev1.SchemeGroupVersion.WithResource("pods"): func(sharedFactory informers.SharedInformerFactory) k8scache.SharedIndexInformer {
 		return sharedFactory.Core().V1().Pods().Informer()
@@ -144,6 +163,16 @@ var kubernetesNativeResources = map[schema.GroupVersionResource]sharedInformerFu
 }
 
 // NewDataGatherer constructs a new instance of the generic K8s data-gatherer for the provided
+// configuration. Returns an error if the configuration is invalid or
+// the data-gatherer cannot be constructed.
+// If the GroupVersionResource is a native Kubernetes resource, the data gatherer will use
+// a typed clientset and SharedInformerFactory, otherwise it will use a dynamic client and
+// dynamic informer factory.
+// Secret is a special case, it is a native resource but it will be treated as unstructured
+// rather than corev1.Secret, for a faster unmarshaling.
+//
+// TODO(wallrj): What does "faster unmarshaling" mean in this context? Is it
+// actually faster? If so, how much faster? Is it worth the loss of type safety?
 func (c *ConfigDynamic) NewDataGatherer(ctx context.Context) (datagatherer.DataGatherer, error) {
 	if isNativeResource(c.GroupVersionResource) {
 		clientset, err := NewClientSet(c.KubeConfigPath)
@@ -167,6 +196,7 @@ func (c *ConfigDynamic) newDataGathererWithClient(ctx context.Context, cl dynami
 	if err := c.validate(); err != nil {
 		return nil, err
 	}
+
 	// init shared informer for selected namespaces
 	fieldSelector := generateExcludedNamespacesFieldSelector(c.ExcludeNamespaces)
 
@@ -218,7 +248,7 @@ func (c *ConfigDynamic) newDataGathererWithClient(ctx context.Context, cl dynami
 
 	registration, err := newDataGatherer.informer.AddEventHandlerWithOptions(k8scache.ResourceEventHandlerFuncs{
 		AddFunc: func(obj interface{}) {
-			onAdd(log, obj, dgCache)
+			onAdd(log, obj, dgCache, c.Filters...)
 		},
 		UpdateFunc: func(oldObj, newObj interface{}) {
 			onUpdate(log, oldObj, newObj, dgCache)

pkg/datagatherer/k8s/dynamic_test.go

@@ -24,6 +24,8 @@ import (
 	"k8s.io/client-go/informers"
 	fakeclientset "k8s.io/client-go/kubernetes/fake"
 	k8scache "k8s.io/client-go/tools/cache"
+	"k8s.io/klog/v2"
+	"k8s.io/klog/v2/ktesting"
 
 	"github.com/jetstack/preflight/api"
 )
@@ -217,6 +219,8 @@ include-namespaces:
 - default
 field-selectors:
 - type!=kubernetes.io/service-account-token
+filters:
+- IgnoreTLSSecretsContainingNonClientCertificates
 `
 
 	expectedGVR := schema.GroupVersionResource{
@@ -259,6 +263,9 @@ field-selectors:
 	if got, want := cfg.FieldSelectors, expectedFieldSelectors; !reflect.DeepEqual(got, want) {
 		t.Errorf("FieldSelectors does not match: got=%+v want=%+v", got, want)
 	}
+	// Can't compare functions, so just check that one filter was loaded.
+	// See https://go.dev/ref/spec#Comparison_operators
+	assert.Equal(t, 1, len(cfg.Filters), "unexpected number of filters")
 }
 
 func TestConfigDynamicValidate(t *testing.T) {
@@ -588,6 +595,25 @@ func TestDynamicGatherer_Fetch(t *testing.T) {
 				},
 			},
 		},
+		"Secret of type kubernetes.io/tls should be filterable": {
+			config: ConfigDynamic{
+				IncludeNamespaces:    []string{""},
+				GroupVersionResource: schema.GroupVersionResource{Group: "", Version: "v1", Resource: "secrets"},
+				Filters:              []cacheFilterFunction{IgnoreTLSSecretsContainingNonClientCertificates},
+			},
+			addObjects: []runtime.Object{
+				getSecret("testsecret", "testns1", map[string]interface{}{
+					"tls.key": "secretValue",
+					"tls.crt": "value",
+					"ca.crt":  "value",
+				}, true, true),
+				getSecret("anothertestsecret", "testns2", map[string]interface{}{
+					"example.key": "secretValue",
+					"example.crt": "value",
+				}, true, true),
+			},
+			expected: []*api.GatheredResource{},
+		},
 		"excluded annotations are removed for unstructured-based gatherers such as secrets": {
 			config: ConfigDynamic{GroupVersionResource: schema.GroupVersionResource{Group: "", Version: "v1", Resource: "secrets"}},
 
@@ -636,8 +662,9 @@ func TestDynamicGatherer_Fetch(t *testing.T) {
 
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
+			log := ktesting.NewLogger(t, ktesting.DefaultConfig)
+			ctx := klog.NewContext(t.Context(), log)
 			var wg sync.WaitGroup
-			ctx := t.Context()
 			gvrToListKind := map[schema.GroupVersionResource]string{
 				{Group: "foobar", Version: "v1", Resource: "foos"}:      "UnstructuredList",
 				{Group: "apps", Version: "v1", Resource: "deployments"}: "UnstructuredList",