get local running again; minor changes (m9sweeper#342)

* small things

* small change

* get local working agian; ignore vendor node_modules

* move error listing k8s namespaces to the controller

* remove unnecessary comments

* remove post-upgrade in job-init.yaml

dash/.gitignore

@@ -51,6 +51,7 @@ Thumbs.db
 /frontend/ng
 /frontend/node_modules/
 /backend/node_modules/
+/frontend/vendor/**/node_modules
 /backend/vendor/**/node_modules
 /backend/build/
 /frontend/.angular

dash/backend/package.json

@@ -16,7 +16,8 @@
     "start": "nest start",
     "start:watch": "nest start -b swc --watch",
     "start:debug": "nest start -b swc --debug --watch",
-    "start:local": "npm run start:watch",
+    "start:local": "nest start --watch",
+    "start:local:debug": "nest start --debug --watch",
     "start:local:dev-db": "cp dev-db.env .env && npm run start:local",
     "start:dev-config": "cp dev-db.env .env && nest start --watch",
     "start:prod:simulate": "node dist/main",

dash/backend/src/modules/command-line/services/kubernetes-api.service.ts

@@ -34,8 +34,8 @@ export class KubernetesApiService {
             verbs: ['get', 'watch', 'list', 'create']
         }),
 
-        /* WE SHOULD NOT NEED PRIVILEGES FOR SERVICE ACCOUNTS/CLUSTER ROLES AFTER INSTALL, 
-           SO LETS NOT GIVE OURSELVES THESE PRIVILEGES 
+        /* WE SHOULD NOT NEED PRIVILEGES FOR SERVICE ACCOUNTS/CLUSTER ROLES AFTER INSTALL,
+           SO LETS NOT GIVE OURSELVES THESE PRIVILEGES
         Object.assign(new V1PolicyRule(), {
             apiGroups: [''],
             resources: ['serviceaccounts'],
@@ -127,9 +127,6 @@ export class KubernetesApiService {
         return coreV1Config?.listNamespace().then(res => {
             const namespaceList = res.body;
             return namespaceList;
-        }).catch(err => {
-            console.log(err);
-            return null;
         });
     }
 
@@ -274,7 +271,7 @@ export class KubernetesApiService {
 
     /** Retrieves a namespace's token from a cluster & decodes it*/
     async getServiceAccountToken(coreApi: CoreV1Api, serviceAccountName: string, namespaceName: string): Promise<string | null> {
-        try {           
+        try {
             //const secretName = (await coreApi.readNamespacedServiceAccount(serviceAccountName, namespaceName)).body.secrets[0].name;
             const secretName = "m9sweeper"
             const rawToken = (await coreApi.readNamespacedSecret(secretName, namespaceName)).body.data['token'];
@@ -341,7 +338,7 @@ export class KubernetesApiService {
             serviceAccountNamespace = m9sweeperSystemNamespaceName;
         } else if (serviceAccountInM9sweeperSystem.length) {
             // exists in m9sweeper system namespace, so use that one
-            // note: m9sweeper system namespace takes precedence so that you could install m9sweeper multiple times 
+            // note: m9sweeper system namespace takes precedence so that you could install m9sweeper multiple times
             // in same cluster using different releaseNamespace.serviceAccountNamespace
             newServiceAccount = false;
             existingServiceAccount = serviceAccountInM9sweeperSystem[0];
@@ -350,7 +347,7 @@ export class KubernetesApiService {
             // exists in default namespace, so lets use that one
             newServiceAccount = false;
             existingServiceAccount = serviceAccountInDefault[0];
-        } 
+        }
 
         // create/get service account
         let serviceAccount = existingServiceAccount; // defaults to existing one (if it exists)
@@ -387,14 +384,14 @@ export class KubernetesApiService {
         secret.metadata.name = "m9sweeper";
         secret.type = "kubernetes.io/service-account-token"
         secret.metadata.namespace = serviceAccountNamespace;
-        secret.metadata.annotations={'kubernetes.io/service-account.name': "m9sweeper"};     
+        secret.metadata.annotations={'kubernetes.io/service-account.name': "m9sweeper"};
         const secretResponse = await this.applyK8sObject(secret, config)
         if (!secretResponse){
             console.log("secret response", secretResponse);
-            
+
         }
 
-        // Build the clusterRole w/the rules 
+        // Build the clusterRole w/the rules
         console.log(`Creating a cluster role in ${serviceAccountNamespace}`);
         const clusterRole: V1ClusterRole = new V1ClusterRole();
         clusterRole.apiVersion = 'rbac.authorization.k8s.io/v1';

dash/backend/src/modules/kubesec/controllers/kubesec.controller.ts

@@ -1,4 +1,4 @@
-import {Body, Controller, Get, Param, Post, Query, UploadedFile, UseGuards, UseInterceptors} from '@nestjs/common';
+import {Body, Controller, Get, InternalServerErrorException, Param, Post, Query, UploadedFile, UseGuards, UseInterceptors} from '@nestjs/common';
 import {KubesecService} from "../services/kubesec.service";
 import {AllowedAuthorityLevels} from "../../../decorators/allowed-authority-levels.decorator";
 import {Authority} from "../../user/enum/Authority";
@@ -19,7 +19,10 @@ export class KubesecController {
     @AllowedAuthorityLevels(Authority.SUPER_ADMIN, Authority.ADMIN, Authority.READ_ONLY)
     @UseGuards(AuthGuard, AuthorityGuard)
     async listNamespaces(@Query('cluster') clusterId: number): Promise<V1NamespaceList> {
-        return await this.kubesecService.listNamespaces(clusterId);
+        return await this.kubesecService.listNamespaces(clusterId).catch((err) => {
+            console.log(err);
+            throw new InternalServerErrorException();
+        });
     }
 
     @Get('/listpods')

dash/backend/src/modules/security-audit-report/services/security-audit-kube-bench.service.ts

@@ -65,7 +65,7 @@ export class SecurityAuditKubeBenchService implements IAuditReportSectionService
       {
         style: 'body',
         text: [
-          'Kube-Bench compares your cluster’s configuration against the Center for Internet Security’s ',
+          'kube-bench compares your cluster’s configuration against the Center for Internet Security’s ',
           'best practices for running a Kubernetes Cluster. It runs as an application with elevated privileges in your cluster ',
           'and then attempts to see whether the cluster is configured securely.',
         ]
@@ -85,7 +85,7 @@ export class SecurityAuditKubeBenchService implements IAuditReportSectionService
 
       // Outer loop over the high level sections (ex: 3. Worker Node Security Configuration), and appears in Table of Contents
       for (const section of results.Controls) {
-        body.push(this.pdfHelpers.buildSubHeader(`${section.id}. ${section.text} (${section.version} v${section.detected_version})`, {
+        body.push(this.pdfHelpers.buildSubHeader(`Section ${section.id}: ${section.text} (${section.version} v${section.detected_version})`, {
           level: 2,
           style: ['h3', 'bold']
         }));
@@ -144,7 +144,7 @@ export class SecurityAuditKubeBenchService implements IAuditReportSectionService
       {
         style: 'body',
         text: [
-          'Kube-Bench compares your cluster\'s configuration against the Center for Internet Security\'s best practices for running a Kubernetes Cluster. ',
+          'kube-bench compares your cluster\'s configuration against the Center for Internet Security\'s best practices for running a Kubernetes Cluster. ',
           'It runs as an application with elevated privileges in your cluster and then attempts to see whether the cluster is configured correctly. '
         ]
       },
@@ -153,4 +153,4 @@ export class SecurityAuditKubeBenchService implements IAuditReportSectionService
 
     return content;
   }
-}
+}

dash/frontend/src/app/modules/private/pages/cluster/kubesec/kubesec.component.ts

@@ -83,6 +83,8 @@ export class KubesecComponent implements OnInit, OnDestroy {
       } else {
         this.alertService.danger('Could not get namespaces');
       }
+    }, error => {
+      this.alertService.danger('Could not get namespaces');
     });
   }
 

trawler/.gitignore

@@ -40,3 +40,4 @@ hs_err_pid*
 .DS_Store
 
 .env
+local.env