[operator] Cannot create vulnerability report because name is too long #288

Closed
pcheliniy opened this issue Dec 22, 2020 · 4 comments · Fixed by #773
Labels
🚀 enhancement New feature or request

Comments

@pcheliniy

What steps did you take and what happened:
We widely use various public helm charts and sometimes helpers in charts can generate very long resource names :)
Unfortunately, it leads to the following problem:

2020-12-21T09:47:39.168Z        DEBUG   controller.pod  Resolving workload properties   {"pod": "core/core-competency-matrix-production-prometheus-redis-exportejdkgp", "owner": {"Kind":"ReplicaSet","Name":"core-competency-matrix-production-prometheus-redis-exporter-5f9d846544","Namespace":"core"}, "hash": "5c4f744665", "containerImages": {"prometheus-redis-exporter":"oliver006/redis_exporter:v1.3.4"}}
2020-12-21T09:47:39.169Z        INFO    controller.pod  Checking scan jobs limit        {"pod": "core/core-competency-matrix-production-prometheus-redis-exportejdkgp", "count": 2, "limit": 3}
2020-12-21T09:47:39.172Z        ERROR   controller      Reconciler error        {"reconcilerGroup": "", "reconcilerKind": "Pod", "controller": "pod", "name": "core-competency-matrix-production-prometheus-redis-exportejdkgp", "namespace": "core", "error": "creating job: Job.batch \"cceaa8f9-8f8b-42e9-a5b3-673c7c62f2e4\" is invalid: [metadata.labels: Invalid value: \"core-competency-matrix-production-prometheus-redis-exporter-5f9d846544\": must be no more than 63 characters, spec.template.labels: Invalid value: \"core-competency-matrix-production-prometheus-redis-exporter-5f9d846544\": must be no more than 63 characters]"}

github.com/go-logr/zapr.(*zapLogger).Error
  /go/pkg/mod/github.com/go-logr/zapr@v0.1.0/zapr.go:128
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
  /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.6.3/pkg/internal/controller/controller.go:246
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
  /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.6.3/pkg/internal/controller/controller.go:218
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker
  /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.6.3/pkg/internal/controller/controller.go:197
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1
k8s.io/apimachinery/pkg/util/wait.BackoffUntil
  /go/pkg/mod/k8s.io/apimachinery@v0.18.6/pkg/util/wait/wait.go:156
k8s.io/apimachinery/pkg/util/wait.JitterUntil
  /go/pkg/mod/k8s.io/apimachinery@v0.18.6/pkg/util/wait/wait.go:133
k8s.io/apimachinery/pkg/util/wait.Until
  /go/pkg/mod/k8s.io/apimachinery@v0.18.6/pkg/util/wait/wait.go:90

Environment:

  • Starboard operator version: 0.7.1
  • Kubernetes version: 1.18.9
@danielpacak danielpacak added the 🚀 enhancement New feature or request label Dec 22, 2020
@danielpacak
Contributor

danielpacak commented Dec 22, 2020

👋 @pcheliniy We're aware of this limitation and actually we plan to change the way we name and store VulnerabilityReports.

TL;DR: We're thinking about naming VulnerabilityReports by image digest. By doing that we'll eliminate the problem that you encountered. What's more, we'll store reports in a more efficient way in case multiple workloads in the same namespace use the same image digest:

(image: starboard-scan-by-image-digest)

@pcheliniy
Author

That's a really good idea.
I've checked our installation, and if you realize your proposal we would halve the number of our reports.

@danielpacak
Contributor

Related to #280

@danielpacak danielpacak self-assigned this Oct 22, 2021
@danielpacak danielpacak added this to the Release v0.13.0 milestone Oct 22, 2021
@danielpacak danielpacak changed the title [operator] Cannot create report because name too long [operator] Cannot create vulnerability report because name is too long Oct 25, 2021
@danielpacak
Contributor

danielpacak commented Oct 26, 2021

We do have scan by image digest on our roadmap. However, we can provide a short term solution, which is similar to what we did for configuration auditing.

The idea was to fall back to the starboard.resource.name-hash label instead of using starboard.resource.name, which might have a value that is too long or otherwise invalid.

In the reported case the vulnerability report will look as follows:

apiVersion: aquasecurity.github.io/v1alpha1
kind: VulnerabilityReport
metadata:
  annotations:
    starboard.resource.name: core-competency-matrix-production-prometheus-redis-exporter-6c4765756
  creationTimestamp: "2021-10-26T08:22:52Z"
  generation: 1
  labels:
    resource-spec-hash: 55cc76fd7f
    starboard.container.name: redis-exporter-dbc86
    starboard.resource.kind: ReplicaSet
    starboard.resource.name-hash: 7d4f75bb65
    starboard.resource.namespace: default
  name: replicaset-5f4f96cd55
  namespace: default
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: false
    controller: true
    kind: ReplicaSet
    name: core-competency-matrix-production-prometheus-redis-exporter-6c4765756
    uid: 933f84ad-d14c-4c84-a1fd-1f4dace4d0e7
  resourceVersion: "16301"
  uid: 8d066286-f53b-431a-a3db-6a05b638b510
report:
  artifact:
    repository: oliver006/redis_exporter
    tag: v1.29.0
  registry:
    server: index.docker.io
  scanner:
    name: Trivy
    vendor: Aqua Security
    version: 0.20.0
  summary:
    criticalCount: 0
    highCount: 0
    lowCount: 0
    mediumCount: 0
    noneCount: 0
    unknownCount: 0
  updateTimestamp: "2021-10-26T08:22:52Z"
  vulnerabilities: []
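As an added illustration of the fallback described in the comment above (example code, not Starboard's own implementation): the Kubernetes label-value rule that produced the "must be no more than 63 characters" error, a pre-create check over a label set, and the switch to a starboard.resource.name-hash label plus a starboard.resource.name annotation when the workload name cannot be a label value. The hash encoding (FNV-32a as hex) is an assumption; Starboard's actual hash may differ.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"regexp"
)

// Kubernetes label values: at most 63 chars, empty or alphanumeric at both
// ends with [-_.] allowed in between. Exceeding this is the error in the issue.
const maxLabelValueLen = 63

var labelValueRe = regexp.MustCompile(`^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$`)

// IsValidLabelValue reports whether v would be accepted as a label value.
func IsValidLabelValue(v string) bool {
	return len(v) <= maxLabelValueLen && labelValueRe.MatchString(v)
}

// InvalidLabelValues returns keys whose values the API server would reject (pre-create check).
func InvalidLabelValues(labels map[string]string) []string {
	var bad []string
	for k, v := range labels {
		if !IsValidLabelValue(v) {
			bad = append(bad, k)
		}
	}
	return bad
}

// NameHash is a label-safe stand-in for a workload name. Assumption: FNV-32a as hex.
func NameHash(name string) string {
	h := fnv.New32a()
	_, _ = h.Write([]byte(name))
	return fmt.Sprintf("%08x", h.Sum32())
}

// WorkloadMetadata builds report labels/annotations. The name is a label only when it
// is valid; otherwise it moves to an annotation and its hash becomes the name-hash label.
func WorkloadMetadata(kind, ns, name, container string) (labels, annotations map[string]string) {
	labels = map[string]string{"starboard.resource.kind": kind,
		"starboard.resource.namespace": ns, "starboard.container.name": container}
	annotations = map[string]string{}
	if IsValidLabelValue(name) {
		labels["starboard.resource.name"] = name
	} else {
		labels["starboard.resource.name-hash"] = NameHash(name)
		annotations["starboard.resource.name"] = name
	}
	return labels, annotations
}
```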

danielpacak added a commit that referenced this issue Oct 26, 2021
Resolves: #288

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>