When testing the extension with Lens 4.1.0-alpha.1 release I've figured out that the list views are loading endless in case the starboard k8s resources are not yet installed.

OS: Mac OS 10.14.6 (Mojave)

I've excluded containers named config-reloader and init-config-reloader as follows:

config:
  exemptions:
  - containerNames:
    - config-reloader
    - init-config-reloader

The when I click on the ReplicaSet's ConfigAuditReport, I get the following error:

TypeError: Cannot read property 'length' of null
    at s.render (/path/to/.k8slens/extensions/aquasecurity--starboard-lens-extension/dist/renderer.js:21:5882)

My {Java,Type}Script is pretty rusty, but I suspect the issue is around here: https://github.com/aquasecurity/starboard-lens-extension/blob/v0.4.0/src/configauditreports/checks-list.tsx#L28-L31 Since checks is probably null, based on the YAML manifest of the ConfigAuditReport:

apiVersion: aquasecurity.github.io/v1alpha1
kind: ConfigAuditReport
metadata:
  name: failing-example
report:
  containerChecks:
    config-reloader: null
    init-config-reloader: null

I assume !checks.length is the source of the crash.

Lens 6 is showing the latest build 0.12.0 as Incompatible

We display config audit summary for pod and each container of the given workload. However, the icon is always red. We should take into account the actual number of warnings or dangers and use appropriate colour, i.e. green, orange, red.

In workload details we display one to many VulnerabilityReports. Each report corresponds to the container defined in the pod template.
There's also a red box, which indicates if there are any vulnerabilities that can be fixed by upgrading the container image or uninstalling unnecessary packages.

Currently the status icon is alway red and the CSS class name is hardcoded. Instead, we should take into account vulnerability summary, and display green if there're no critical and high vulnerabilities.

It would be very useful to see the Age of each report on the list pages, just like kubectl output:

> k get vulnerabilityreport -A
NAMESPACE   NAME                                                              REPOSITORY                                       TAG       SCANNER   AGE
default     pod-insecure-nginx-nginx                                          library/nginx                                    1.16      Trivy     7d11h
telemetry   daemonset-mon-prometheus-node-exporter-node-exporter              prometheus/node-exporter                         v1.3.1    Trivy     28d
telemetry   replicaset-mon-grafana-5d574b47b7-grafana                         grafana/grafana                                  8.3.4     Trivy     28d

This should be added to the 3 current report pages:

• Vulnerability Reports
• Config Audit Reports
• CIS Kube Bench Reports

It would be much easier to scan the list of report results visually if the counts used the same color badges that are used on details pages. If a count is 0 we can skip the color badge, to make it more obvious where there are findings.

Here's an example I've implemented for the Vulnerability Reports page:

This works in both the Light and Dark themes, same as the other color badges.

This should be done on the following pages (I believe the others are not implemented yet):

• Vulnerability Reports
• Config Audit Reports
• CIS Kube Bench Reports

When testing the extension with Lens 4.1.0-alpha.1 release I've figured out that editing VulnerabilityReports sometimes causes app crash due to an uncaught error.

Issue can be reproduced with the following versions of Lens:

• Lens 4.0.8
• Lens 4.0.1-alpha.1
• Lens 4.0.1-alpha.2

Steps to reproduce

1. Install and Enable Starboard extension + Starboard Operator
2. Open a Starboard Vulnerability Report
3. App Crash (see screenshot)
4. Disable Starboard Extension
5. Close Lens
6. Open Lens From Menu Icon
7. Enable Starboard Extension
8. App Crash (see screenshot)
9. Goto step 4)

OS: Mac OS 10.14.6 (Mojave)

Starboard can perform pen tests by running kube-hunter. The scan report is saved or updated as a single instance of the kubebenchreport.aquasecurity.github.io named cluster.

You can generate a sample report by running kube-hunter via Starboard CLI:

$ starboard kube-hunter -v 3

And then display it with the kubectl get command:

$ kubectl get kubehunterreport.aquasecurity.github.io cluster -o yaml

Tasks

• Think about UX and where we should display such pen test reports
• Create TypeScript objects to represent and access instances of kubehunterreports.aqusecurity.github.io
• Create React components to render a kube-hunter report

https://docs.k8slens.dev/v4.0.5/extensions/testing-and-publishing/testing/

The Report List pages for Vulns, Config Audits and Kube Bench could make better use of the available space. Some columns always have long values that are truncated, while others just have a count but take up a large amount of space.

I'd like to propose a few changes:

• Use flex-grow styles to make some nicer default percentages for the columns
• Shorten the report names and image references to just the most necessary info for users to see (usually at the end of the long strings)
• Collapse the severity counts into a single column, with the names in tooltips instead
• Change sorting for counts to cascade from Crit > High > ... > Low (because that's what users would likely do anyway)

Here's a demo of the Vulnerabilities page with the solution I'm proposing:

This would make the Report List pages much easier to read and use, even on smaller monitors.

Doc says:

Lens 5 says:

Lens version info:

It it possible to add Lens features programmatically via extensions API. The currently added feature of Starboard, which is essentially doing the same thing as the Starboard CLI's init command probably doesn't make too much sense. Mainly because the extension works in the read-only mode. It does not run or control scan jobs.

Having that said, I think it would be great to allow users to deploy Starboard Operator and let them configure the target namespaces. This can be done with Helm chart or with templated static YAML descriptors. On the other hand, Lens integrates with Helm charts so theoretically we could install the operator by installing the Starboard Helm chart.

Hi guys !

When I try to see the config audit reports, I get this :

App crash at http://1585f8d9-a6de-4999-88b3-ed350c4cb30d.localhost:64917/extension/aquasecurity--starboard-lens-extension/configauditreports?lens-kube-details=%2Fapis%2Faquasecurity.github.io%2Fv1alpha1%2Fnamespaces%2Fdefault%2Fconfigauditreports%2Fdeployment-my-deployment

Component stack:
at s (/Users//.k8slens/extensions/aquasecurity--starboard-lens-extension/dist/renderer.js:17:3563)
at div
at i (/Users//.k8slens/extensions/aquasecurity--starboard-lens-extension/dist/renderer.js:1:5155)
at Details
at div
at div
at div
at Bp (http://1585f8d9-a6de-4999-88b3-ed350c4cb30d.localhost:64917/build/Lens.js:2:7730252)
at Qd (http://1585f8d9-a6de-4999-88b3-ed350c4cb30d.localhost:64917/build/Lens.js:2:7755712)
at sy (http://1585f8d9-a6de-4999-88b3-ed350c4cb30d.localhost:64917/build/Lens.js:2:7876672)
at pa (http://1585f8d9-a6de-4999-88b3-ed350c4cb30d.localhost:64917/build/Lens.js:2:7562375)
at t (http://1585f8d9-a6de-4999-88b3-ed350c4cb30d.localhost:64917/build/Lens.js:2:193296)
at eT (http://1585f8d9-a6de-4999-88b3-ed350c4cb30d.localhost:64917/build/Lens.js:2:8264227)

Error stack:
TypeError: Cannot convert undefined or null to object
at Function.keys ()
at s.render (/Users//.k8slens/extensions/aquasecurity--starboard-lens-extension/dist/renderer.js:17:3763)
at _s (http://1585f8d9-a6de-4999-88b3-ed350c4cb30d.localhost:64917/build/Lens.js:2:4545334)
at Os (http://1585f8d9-a6de-4999-88b3-ed350c4cb30d.localhost:64917/build/Lens.js:2:4545133)
at zo (http://1585f8d9-a6de-4999-88b3-ed350c4cb30d.localhost:64917/build/Lens.js:2:4586275)
at Cc (http://1585f8d9-a6de-4999-88b3-ed350c4cb30d.localhost:64917/build/Lens.js:2:4572231)
at wc (http://1585f8d9-a6de-4999-88b3-ed350c4cb30d.localhost:64917/build/Lens.js:2:4572159)
at yc (http://1585f8d9-a6de-4999-88b3-ed350c4cb30d.localhost:64917/build/Lens.js:2:4572022)
at hc (http://1585f8d9-a6de-4999-88b3-ed350c4cb30d.localhost:64917/build/Lens.js:2:4569009)
at http://1585f8d9-a6de-4999-88b3-ed350c4cb30d.localhost:64917/build/Lens.js:2:4518678

Please tell me if you need anything more !

In the logs, I can quickly see things like this :

I0317 23:02:29.566448 1 request.go:621] Throttling request took 1.027018703s, request: GET:https://10.32.0.1:443/apis/admissionregistration.k8s.io/v1beta1?timeout=32s
{
"PolarisOutputVersion": "1.0",
"AuditTime": "2021-03-17T23:02:28Z",
"SourceType": "Workload",
"SourceName": "default/Deployment.apps/v1/<>",
"DisplayName": "default/Deployment.apps/v1/<>",
"ClusterInfo": {
"Version": "1.16",
"Nodes": 0,
"Pods": 1,
"Namespaces": 0,
"Controllers": 1
},
"Results": [
{
"Name": "<>",
"Namespace": "default",
"Kind": "Deployment.apps",
"Results": {},
"PodResult": {
"Name": "",
"Results": {
"hostIPCSet": {
"ID": "hostIPCSet",
"Message": "Host IPC is not configured",
"Success": true,
"Severity": "danger",
"Category": "Security"
},
"hostNetworkSet": {
"ID": "hostNetworkSet",
"Message": "Host network is not configured",
"Success": true,
"Severity": "warning",
"Category": "Security"
},
"hostPIDSet": {
"ID": "hostPIDSet",
"Message": "Host PID is not configured",
"Success": true,
"Severity": "danger",
"Category": "Security"
}
},
"ContainerResults": [
{
"Name": "<>",
"Results": {
"cpuLimitsMissing": {
"ID": "cpuLimitsMissing",
"Message": "CPU limits should be set",
"Success": false,
"Severity": "warning",
"Category": "Efficiency"
},
"cpuRequestsMissing": {
"ID": "cpuRequestsMissing",
"Message": "CPU requests are set",
"Success": true,
"Severity": "warning",
"Category": "Efficiency"
},
"dangerousCapabilities": {
"ID": "dangerousCapabilities",
"Message": "Container does not have any dangerous capabilities",
"Success": true,
"Severity": "danger",
"Category": "Security"
},
"hostPortSet": {
"ID": "hostPortSet",
"Message": "Host port is not configured",
"Success": true,
"Severity": "warning",
"Category": "Security"
},
"insecureCapabilities": {
"ID": "insecureCapabilities",
"Message": "Container does not have any insecure capabilities",
"Success": true,
"Severity": "warning",
"Category": "Security"
},
"livenessProbeMissing": {
"ID": "livenessProbeMissing",
"Message": "Liveness probe should be configured",
"Success": false,
"Severity": "warning",
"Category": "Reliability"
},
"memoryLimitsMissing": {
"ID": "memoryLimitsMissing",
"Message": "Memory limits are set",
"Success": true,
"Severity": "warning",
"Category": "Efficiency"
},
"memoryRequestsMissing": {
"ID": "memoryRequestsMissing",
"Message": "Memory requests are set",
"Success": true,
"Severity": "warning",
"Category": "Efficiency"
},
"notReadOnlyRootFilesystem": {
"ID": "notReadOnlyRootFilesystem",
"Message": "Filesystem should be read only",
"Success": false,
"Severity": "warning",
"Category": "Security"
},
"privilegeEscalationAllowed": {
"ID": "privilegeEscalationAllowed",
"Message": "Privilege escalation not allowed",
"Success": true,
"Severity": "danger",
"Category": "Security"
},
"readinessProbeMissing": {
"ID": "readinessProbeMissing",
"Message": "Readiness probe should be configured",
"Success": false,
"Severity": "warning",
"Category": "Reliability"
},
"runAsPrivileged": {
"ID": "runAsPrivileged",
"Message": "Not running as privileged",
"Success": true,
"Severity": "danger",
"Category": "Security"
},
"runAsRootAllowed": {
"ID": "runAsRootAllowed",
"Message": "Should not be allowed to run as root",
"Success": false,
"Severity": "warning",
"Category": "Security"
},
"tagNotSpecified": {
"ID": "tagNotSpecified",
"Message": "Image tag is specified",
"Success": true,
"Severity": "danger",
"Category": "Reliability"
}
}
}
]
},
"CreatedTime": "0001-01-01T00:00:00Z"
}
]

The Starboard Operator associates VulnerabilityReports with ReplicaSets controlled by the corresponding Deployment.
Currently the extension displays only VulnerabilityReports owned by the selected workload. However, we could lookup an active ReplicaSet and display it in the Deployment details.

Lens will allows users to install extensions from tarballs or by specifying the URL. In order to support this install mode we have to pack and release the Starboard extension.

Ideally we should perform each release on GitHub Actions runner whenever we create an annotated Git tag.

Whenever we display CVE identifier as plain text we could replace it with the link to Aqua vulnerability Database. For example, https://avd.aquasec.com/nvd/cve-2020-5766/

We started experimenting with the API by listing security reports stored as custom resources. After selecting a report we could navigate to the owning workload.

However, we should be able to select a workload and see if there're any security issue, i.e. use Kubernetes API and leverage Starboard labels to lookup corresponding reports.

When we display vulnerabilities in the vulnerability details pane or workload details pane they show up in random order. We should order them by severity.