fix: scanning control plane resources

Signed-off-by: Jose Donizetti <jdbjunior@gmail.com>
aquasecurity · Jul 25, 2022 · 3e0a883 · 3e0a883
1 parent 79488fb
commit 3e0a883
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 8 deletions.
diff --git a/pkg/k8s/k8s.go b/pkg/k8s/k8s.go
@@ -2,6 +2,7 @@ package k8s
 
 import (
 	"k8s.io/apimachinery/pkg/api/meta"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 	"k8s.io/client-go/dynamic"
@@ -10,10 +11,14 @@ import (
 )
 
 const (
-	KindPod        = "Pod"
-	KindJob        = "Job"
-	KindCronJob    = "CronJob"
-	KindReplicaSet = "ReplicaSet"
+	KindPod                   = "Pod"
+	KindJob                   = "Job"
+	KindCronJob               = "CronJob"
+	KindReplicaSet            = "ReplicaSet"
+	KindReplicationController = "ReplicationController"
+	KindStatefulSet           = "StatefulSet"
+	KindDaemonSet             = "DaemonSet"
+	KindDeployment            = "Deployment"
 
 	Deployments            = "deployments"
 	ReplicaSets            = "replicasets"
@@ -165,6 +170,19 @@ func IsClusterResource(gvr schema.GroupVersionResource) bool {
 	return false
 }
 
+// IsBuiltInWorkload returns true if the specified v1.OwnerReference
+// is a built-in Kubernetes workload, false otherwise.
+func IsBuiltInWorkload(resource *v1.OwnerReference) bool {
+	return resource != nil &&
+		(resource.Kind == string(KindReplicaSet) ||
+			resource.Kind == string(KindReplicationController) ||
+			resource.Kind == string(KindStatefulSet) ||
+			resource.Kind == string(KindDeployment) ||
+			resource.Kind == string(KindCronJob) ||
+			resource.Kind == string(KindDaemonSet) ||
+			resource.Kind == string(KindJob))
+}
+
 func getClusterResources() []string {
 	return []string{
 		ClusterRoles,

diff --git a/pkg/trivyk8s/trivyk8s.go b/pkg/trivyk8s/trivyk8s.go
@@ -12,6 +12,7 @@ import (
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+
 	"k8s.io/client-go/dynamic"
 
 	// import auth plugins
@@ -145,10 +146,8 @@ func (c *client) ignoreResource(resource unstructured.Unstructured) bool {
 		return false
 	}
 
-	switch resource.GetKind() {
-	case k8s.KindPod, k8s.KindJob, k8s.KindReplicaSet:
-		metadata := resource.GetOwnerReferences()
-		if metadata != nil {
+	for _, owner := range resource.GetOwnerReferences() {
+		if k8s.IsBuiltInWorkload(&owner) {
 			return true
 		}
 	}