[tools] Add tools subcommand with falco audit rules converter

Signed-off-by: Maxim Vasilenko <[email protected]>

Author: mvasl

cmd/tools.go

@@ -0,0 +1,23 @@
+/*
+Copyright 2025 Flant JSC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cmd
+
+import "github.com/deckhouse/deckhouse-cli/internal/tools"
+
+func init() {
+	rootCmd.AddCommand(tools.NewCommand())
+}

go.mod

@@ -8,9 +8,11 @@ require (
 	github.com/Masterminds/semver/v3 v3.3.0
 	github.com/deckhouse/virtualization/src/cli v0.0.0-20250617111832-70fdc2799bf3
 	github.com/google/go-containerregistry v0.20.0
+	github.com/gosimple/slug v1.15.0
 	github.com/hashicorp/go-cleanhttp v0.5.2
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/vault v1.14.8
+	github.com/iancoleman/strcase v0.3.0
 	github.com/int128/kubelogin v1.28.0
 	github.com/pkg/errors v0.9.1
 	github.com/samber/lo v1.47.0
@@ -26,13 +28,13 @@ require (
 	go.cypherpunks.ru/gogost/v5 v5.13.0
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
 	golang.org/x/term v0.30.0
+	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.33.0
 	k8s.io/apiextensions-apiserver v0.33.0
 	k8s.io/apimachinery v0.33.0
 	k8s.io/cli-runtime v0.29.3
 	k8s.io/client-go v0.33.0
 	k8s.io/component-base v0.33.0
-	k8s.io/klog v1.0.0
 	k8s.io/kubectl v0.29.3
 	k8s.io/utils v0.0.0-20241210054802-24370beab758
 	sigs.k8s.io/controller-runtime v0.21.0
@@ -252,6 +254,7 @@ require (
 	github.com/gophercloud/gophercloud v0.1.0 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
+	github.com/gosimple/unidecode v1.0.1 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
@@ -575,9 +578,9 @@ require (
 	gopkg.in/resty.v1 v1.12.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiserver v0.33.0 // indirect
 	k8s.io/component-helpers v0.29.3 // indirect
+	k8s.io/klog v1.0.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
 	k8s.io/metrics v0.29.3 // indirect

go.sum

@@ -792,6 +792,10 @@ github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/ad
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
+github.com/gosimple/slug v1.15.0 h1:wRZHsRrRcs6b0XnxMUBM6WK1U1Vg5B0R7VkIf1Xzobo=
+github.com/gosimple/slug v1.15.0/go.mod h1:UiRaFH+GEilHstLUmcBgWcI42viBN7mAb818JrYOeFQ=
+github.com/gosimple/unidecode v1.0.1 h1:hZzFTMMqSswvf0LBJZCZgThIZrpDHFXux9KeGmn6T/o=
+github.com/gosimple/unidecode v1.0.1/go.mod h1:CP0Cr1Y1kogOtx0bJblKzsVWrqYaqfNOnHzpgWw4Awc=
 github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY=
 github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo=
 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA=
@@ -997,6 +1001,8 @@ github.com/huandu/xstrings v1.3.2/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq
 github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/huandu/xstrings v1.4.0 h1:D17IlohoQq4UcpqD7fDk80P7l+lwAmlFaBHgOipl2FU=
 github.com/huandu/xstrings v1.4.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
+github.com/iancoleman/strcase v0.3.0 h1:nTXanmYxhfFAMjZL34Ov6gkzEsSJZ5DbhxWjvSASxEI=
+github.com/iancoleman/strcase v0.3.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=

internal/tools/farconverter/convert.go

@@ -0,0 +1,182 @@
+package farconverter
+
+import (
+	"bytes"
+	"io"
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/gosimple/slug"
+	"github.com/iancoleman/strcase"
+	"github.com/spf13/cobra"
+	"gopkg.in/yaml.v3"
+)
+
+// RawRule represents decoded rules in Falco format.
+type RawRule map[string]any
+
+// FalcoAuditRule is a structure to encode FalcoAuditRules custom resources.
+type FalcoAuditRule struct {
+	ApiVersion string `yaml:"apiVersion"`
+	Kind       string
+	Metadata   Metadata
+	Spec       FalcoAuditRuleSpec
+}
+
+type FalcoAuditRuleSpecRule struct {
+	Rule  Rule  `yaml:"rule,omitempty"`
+	Macro Macro `yaml:"macro,omitempty"`
+	List  List  `yaml:"list,omitempty"`
+}
+
+type FalcoAuditRuleSpec struct {
+	RequiredEngineVersion         int                      `yaml:"requiredEngineVersion,omitempty"`
+	RequiredK8sAuditPluginVersion string                   `yaml:"requiredK8sAuditPluginVersion,omitempty"`
+	Rules                         []FalcoAuditRuleSpecRule `yaml:"rules"`
+}
+
+type Metadata struct {
+	Name string
+}
+
+type Rule struct {
+	Name      string `yaml:"name"`
+	Condition string `yaml:"condition"`
+	Desc      string `yaml:"desc"`
+	Output    string `yaml:"output"`
+	Priority  string `yaml:"priority"`
+	Enabled   bool   `yaml:"enabled,omitempty"`
+	Tags      []any  `yaml:"tags,omitempty"`
+	Source    string `yaml:"source,omitempty"`
+}
+
+type Macro struct {
+	Name      string `yaml:"name"`
+	Condition string `yaml:"condition"`
+}
+
+type List struct {
+	Name  string `yaml:"name"`
+	Items []any  `yaml:"items"`
+}
+
+func Convert(cmd *cobra.Command, args []string) error {
+	input := args[0]
+	var rules []RawRule
+	log.Printf("Convert rules from %q", input)
+
+	data, err := os.ReadFile(input)
+	if err != nil {
+		return err
+	}
+
+	err = yaml.Unmarshal(data, &rules)
+	if err != nil {
+		return err
+	}
+
+	buf := bytes.Buffer{}
+	enc := yaml.NewEncoder(&buf)
+	enc.SetIndent(2)
+
+	if err := enc.Encode(convert(input, rules)); err != nil {
+		return err
+	}
+
+	io.Copy(os.Stdout, &buf)
+	return nil
+}
+
+func convert(path string, rules []RawRule) FalcoAuditRule {
+	result := FalcoAuditRule{
+		ApiVersion: "deckhouse.io/v1alpha1",
+		Kind:       "FalcoAuditRules",
+		Metadata: Metadata{
+			Name: nameFromPath(path),
+		},
+		Spec: FalcoAuditRuleSpec{},
+	}
+
+	for _, r := range rules {
+		if v, ok := r["required_engine_version"]; ok {
+			result.Spec.RequiredEngineVersion = v.(int)
+			continue
+		}
+
+		if v, ok := r["required_plugin_versions"]; ok {
+			for _, p := range v.([]any) {
+				plugin := p.(map[string]any)
+				if plugin["name"].(string) == "k8saudit" {
+					result.Spec.RequiredK8sAuditPluginVersion = plugin["version"].(string)
+				}
+			}
+			continue
+		}
+
+		if _, ok := r["macro"]; ok {
+			result.Spec.Rules = append(result.Spec.Rules, FalcoAuditRuleSpecRule{
+				Macro: Macro{
+					Name:      r["macro"].(string),
+					Condition: r["condition"].(string),
+				},
+			})
+			continue
+		}
+
+		if _, ok := r["list"]; ok {
+			result.Spec.Rules = append(result.Spec.Rules, FalcoAuditRuleSpecRule{
+				List: List{
+					Name:  r["list"].(string),
+					Items: r["items"].([]any),
+				},
+			})
+			continue
+		}
+
+		if _, ok := r["rule"]; ok {
+			ruleToAdd := Rule{
+				Name:      r["rule"].(string),
+				Condition: r["condition"].(string),
+				Desc:      r["desc"].(string),
+				Output:    r["output"].(string),
+				Priority:  strcase.ToCamel(strings.ToLower(r["priority"].(string))),
+			}
+
+			if tags, ok := r["tags"]; ok {
+				ruleToAdd.Tags = tags.([]any)
+			}
+
+			if enabled, ok := r["enabled"]; ok {
+				ruleToAdd.Enabled = enabled.(bool)
+			}
+
+			if source, ok := r["source"]; ok {
+				switch strings.ToLower(source.(string)) {
+				case "k8s_audit":
+					ruleToAdd.Source = "K8sAudit"
+				case "syscall":
+					ruleToAdd.Source = "Syscall"
+				}
+			}
+
+			if _, ok := r["exceptions"]; ok {
+				log.Printf("[WARNING] Exceptions are not supported (found in %q rule)", ruleToAdd.Name)
+			}
+
+			result.Spec.Rules = append(result.Spec.Rules, FalcoAuditRuleSpecRule{Rule: ruleToAdd})
+			continue
+		}
+	}
+
+	return result
+}
+
+func nameFromPath(path string) string {
+	path = filepath.Base(path)
+	path, _, _ = strings.Cut(path, ".")
+	path = slug.Make(path)
+	path = strcase.ToKebab(path)
+	return path
+}

internal/tools/farconverter/far-convert.go

@@ -0,0 +1,57 @@
+/*
+Copyright 2025 Flant JSC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package farconverter
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+	"k8s.io/kubectl/pkg/util/templates"
+)
+
+var convertLong = templates.LongDesc(`
+Converts files with Falco rules to FalcoAuditRules CRD format.
+
+© Flant JSC 2025`)
+
+func NewCommand() *cobra.Command {
+	convertCmd := &cobra.Command{
+		Use:   "far-convert",
+		Short: "Converts files with Falco rules to FalcoAuditRules CRD format",
+		Long:  convertLong,
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) != 1 {
+				return fmt.Errorf("this command requires exactly 1 argument, got %d", len(args))
+			}
+
+			s, err := os.Stat(args[0])
+			if err != nil {
+				return fmt.Errorf("Invalid path to rules file: %w", err)
+			}
+
+			if !s.Mode().IsRegular() {
+				return fmt.Errorf("Argument must point to the rules YAML file")
+			}
+
+			return nil
+		},
+		RunE: Convert,
+	}
+
+	return convertCmd
+}

internal/tools/tools.go

@@ -0,0 +1,43 @@
+/*
+Copyright 2025 Flant JSC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tools
+
+import (
+	"github.com/deckhouse/deckhouse-cli/internal/tools/farconverter"
+	"github.com/spf13/cobra"
+	"k8s.io/kubectl/pkg/util/templates"
+)
+
+var toolsLong = templates.LongDesc(`
+Various useful tools for operating in The Deckhouse Ecosystem.
+
+© Flant JSC 2025`)
+
+func NewCommand() *cobra.Command {
+	toolsCmd := &cobra.Command{
+		Use:   "tools",
+		Short: "Various useful tools for operating in The Deckhouse Ecosystem.",
+		// TODO(mvasl) p and platform are old names of this commands and are left as aliases for backwards compatibility
+		//  with our docs until we update them to use s or system.
+		Aliases: []string{"t"},
+		Long:    toolsLong,
+	}
+
+	toolsCmd.AddCommand(farconverter.NewCommand())
+
+	return toolsCmd
+}