package org.eclipse.jkube.enricher.generic;

import io.fabric8.kubernetes.api.builder.TypedVisitor;
import io.fabric8.kubernetes.api.builder.Visitor;
import io.fabric8.kubernetes.api.model.Container;
import io.fabric8.kubernetes.api.model.ContainerBuilder;
import io.fabric8.kubernetes.api.model.ContainerFluent;
import io.fabric8.kubernetes.api.model.KubernetesListBuilder;
import io.fabric8.kubernetes.api.model.PodSpecBuilder;
import org.eclipse.jkube.kit.config.resource.PlatformMode;
import org.eclipse.jkube.kit.enricher.api.BaseEnricher;
import org.eclipse.jkube.kit.enricher.api.EnricherContext;

/* loaded from: input_file:org/eclipse/jkube/enricher/generic/SecurityHardeningEnricher.class */
public class SecurityHardeningEnricher extends BaseEnricher {

    /* loaded from: input_file:org/eclipse/jkube/enricher/generic/SecurityHardeningEnricher$ContainerSecurityHardeningVisitor.class */
    private static final class ContainerSecurityHardeningVisitor extends TypedVisitor<ContainerBuilder> {
        private ContainerSecurityHardeningVisitor() {
        }

        public void visit(ContainerBuilder containerBuilder) {
            ((ContainerFluent.SecurityContextNested) ((ContainerFluent.SecurityContextNested) containerBuilder.editOrNewSecurityContext().withPrivileged(false).withAllowPrivilegeEscalation(false).withRunAsUser(10000L).withRunAsNonRoot(true).editOrNewSeccompProfile().withType("RuntimeDefault").endSeccompProfile()).editOrNewCapabilities().addToDrop(new String[]{"NET_RAW"}).addToDrop(new String[]{"ALL"}).endCapabilities()).endSecurityContext();
        }
    }

    /* loaded from: input_file:org/eclipse/jkube/enricher/generic/SecurityHardeningEnricher$ContainerSecurityWarningVisitor.class */
    private static final class ContainerSecurityWarningVisitor extends TypedVisitor<ContainerBuilder> {
        private final EnricherContext enricherContext;

        public ContainerSecurityWarningVisitor(EnricherContext enricherContext) {
            this.enricherContext = enricherContext;
        }

        public void visit(ContainerBuilder containerBuilder) {
            Container build = containerBuilder.build();
            if (this.enricherContext.getProject().isSnapshot() || build.getImage() == null || !build.getImage().endsWith(":latest")) {
                return;
            }
            this.enricherContext.getLog().warn("Container %s has an image with tag 'latest', it's recommended to use a fixed tag or a digest instead", new Object[]{build.getName()});
        }
    }

    /* loaded from: input_file:org/eclipse/jkube/enricher/generic/SecurityHardeningEnricher$PodSpecBuilderSecurityHardeningVisitor.class */
    private static final class PodSpecBuilderSecurityHardeningVisitor extends TypedVisitor<PodSpecBuilder> {
        private PodSpecBuilderSecurityHardeningVisitor() {
        }

        public void visit(PodSpecBuilder podSpecBuilder) {
            podSpecBuilder.withAutomountServiceAccountToken(false);
        }
    }

    public SecurityHardeningEnricher(EnricherContext enricherContext) {
        super(enricherContext, "jkube-security-hardening");
    }

    public void enrich(PlatformMode platformMode, KubernetesListBuilder kubernetesListBuilder) {
        kubernetesListBuilder.accept(new Visitor[]{new PodSpecBuilderSecurityHardeningVisitor(), new ContainerSecurityHardeningVisitor(), new ContainerSecurityWarningVisitor(getContext())});
    }
}
