From bcaad13616cb6a40dc2c153796c011b1f9a92d03 Mon Sep 17 00:00:00 2001 From: chenk Date: Sun, 14 Jan 2024 13:09:37 +0200 Subject: [PATCH] fix: ignore no init containers (#275) * fix: ignore no init containers Signed-off-by: chenk * fix: ignore no init containers Signed-off-by: chenk * fix: ignore no init containers Signed-off-by: chenk * fix: ignore no init containers Signed-off-by: chenk * fix: ignore no init containers Signed-off-by: chenk --------- Signed-off-by: chenk --- go.mod | 2 +- go.sum | 10 ++++++ pkg/artifacts/artifacts.go | 2 +- pkg/jobs/collector.go | 69 +++++++++++++++++++++++--------------- pkg/trivyk8s/trivyk8s.go | 8 +++++ 5 files changed, 62 insertions(+), 29 deletions(-) diff --git a/go.mod b/go.mod index 32d21fd..8f4cfc7 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/aquasecurity/trivy-kubernetes -go 1.20 +go 1.21 require ( github.com/aws/aws-sdk-go v1.49.16 diff --git a/go.sum b/go.sum index 451336e..060ee9b 100644 --- a/go.sum +++ b/go.sum @@ -12,6 +12,7 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= +github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -32,6 +33,7 @@ github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= @@ -68,6 +70,7 @@ github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= @@ -86,6 +89,7 @@ github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= @@ -108,7 +112,9 @@ github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= +github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg= +github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= @@ -119,8 +125,10 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= +github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= @@ -143,6 +151,7 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec go.starlark.net v0.0.0-20230525235612-a134d8f9ddca h1:VdD38733bfYv5tUZwEIskMM93VanwNIi5bIKnDrJdEY= go.starlark.net v0.0.0-20230525235612-a134d8f9ddca/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds= go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk= +go.uber.org/goleak v1.2.0/go.mod h1:XJYK+MuIchqpmGmUSAzotztawfKvYLUIgg7guXrwVUo= go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ= go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= @@ -205,6 +214,7 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.12.0 h1:YW6HUoUmYBpwSgyaGaZq1fHjrBjX1rlpZ54T6mu2kss= +golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/pkg/artifacts/artifacts.go b/pkg/artifacts/artifacts.go index 6200226..48b2245 100644 --- a/pkg/artifacts/artifacts.go +++ b/pkg/artifacts/artifacts.go @@ -27,7 +27,7 @@ func FromResource(resource unstructured.Unstructured, serverAuths map[string]doc for _, t := range cTypes { cTypeImages, err := extractImages(resource, append(nestedKeys, t)) if err != nil { - return nil, err + continue } images = append(images, cTypeImages...) for _, im := range cTypeImages { diff --git a/pkg/jobs/collector.go b/pkg/jobs/collector.go index 513146c..dfe37f9 100644 --- a/pkg/jobs/collector.go +++ b/pkg/jobs/collector.go @@ -51,6 +51,7 @@ type jobCollector struct { imagePullSecrets []corev1.LocalObjectReference collectorTimeout time.Duration resourceRequirements *corev1.ResourceRequirements + nodeConfig bool } type CollectorOption func(*jobCollector) @@ -102,6 +103,12 @@ func WithName(name string) CollectorOption { } } +func WithNodeConfig(nodeConfig bool) CollectorOption { + return func(jc *jobCollector) { + jc.nodeConfig = nodeConfig + } +} + func WithImageRef(imageRef string) CollectorOption { return func(jc *jobCollector) { jc.imageRef = imageRef @@ -203,29 +210,30 @@ func (jb *jobCollector) ApplyAndCollect(ctx context.Context, nodeName string) (s } } } - cr, rb, sa, err := GetAuth(WithServiceAccountNamespace(jb.namespace)) - if err != nil { - return "", fmt.Errorf("running node-collector job: %w", err) - } - _, err = jb.cluster.GetK8sClientSet().RbacV1().ClusterRoles().Create(ctx, cr, metav1.CreateOptions{}) - if err != nil { - return "", fmt.Errorf("creating cluster role: %w", err) - } - _, err = jb.cluster.GetK8sClientSet().CoreV1().ServiceAccounts(jb.namespace).Create(ctx, sa, metav1.CreateOptions{}) - if err != nil { - return "", fmt.Errorf("creating service account: %w", err) - } - _, err = jb.cluster.GetK8sClientSet().RbacV1().ClusterRoleBindings().Create(ctx, rb, metav1.CreateOptions{}) - if err != nil { - return "", fmt.Errorf("creating role binding: %w", err) + if jb.nodeConfig { + cr, rb, sa, err := GetAuth(WithServiceAccountNamespace(jb.namespace)) + if err != nil { + return "", fmt.Errorf("running node-collector job: %w", err) + } + _, err = jb.cluster.GetK8sClientSet().RbacV1().ClusterRoles().Create(ctx, cr, metav1.CreateOptions{}) + if err != nil { + return "", fmt.Errorf("creating cluster role: %w", err) + } + _, err = jb.cluster.GetK8sClientSet().CoreV1().ServiceAccounts(jb.namespace).Create(ctx, sa, metav1.CreateOptions{}) + if err != nil { + return "", fmt.Errorf("creating service account: %w", err) + } + _, err = jb.cluster.GetK8sClientSet().RbacV1().ClusterRoleBindings().Create(ctx, rb, metav1.CreateOptions{}) + if err != nil { + return "", fmt.Errorf("creating role binding: %w", err) + } } - job, err := GetJob( + JobOptions := []JobOption{ WithTemplate(jb.templateName), WithNamespace(jb.namespace), WithNodeSelector(nodeName), WithAnnotation(jb.annotation), - WithJobServiceAccount(serviceAccount), WithLabels(jb.labels), WithJobTimeout(jb.collectorTimeout), withSecurityContext(jb.securityContext), @@ -242,7 +250,12 @@ func (jb *jobCollector) ApplyAndCollect(ctx context.Context, nodeName string) (s Kind: "Node-Info", Name: nodeName, Namespace: jb.namespace, - })))) + }))), + } + if jb.nodeConfig { + JobOptions = append(JobOptions, WithJobServiceAccount(serviceAccount)) + } + job, err := GetJob(JobOptions...) if err != nil { return "", fmt.Errorf("running node-collector job: %w", err) } @@ -253,15 +266,17 @@ func (jb *jobCollector) ApplyAndCollect(ctx context.Context, nodeName string) (s } defer func() { background := metav1.DeletePropagationBackground - _ = jb.cluster.GetK8sClientSet().RbacV1().ClusterRoleBindings().Delete(ctx, roleBinding, metav1.DeleteOptions{ - PropagationPolicy: &background, - }) - _ = jb.cluster.GetK8sClientSet().RbacV1().ClusterRoles().Delete(ctx, clusterRole, metav1.DeleteOptions{ - PropagationPolicy: &background, - }) - _ = jb.cluster.GetK8sClientSet().CoreV1().ServiceAccounts(job.Namespace).Delete(ctx, serviceAccount, metav1.DeleteOptions{ - PropagationPolicy: &background, - }) + if jb.nodeConfig { + _ = jb.cluster.GetK8sClientSet().RbacV1().ClusterRoleBindings().Delete(ctx, roleBinding, metav1.DeleteOptions{ + PropagationPolicy: &background, + }) + _ = jb.cluster.GetK8sClientSet().RbacV1().ClusterRoles().Delete(ctx, clusterRole, metav1.DeleteOptions{ + PropagationPolicy: &background, + }) + _ = jb.cluster.GetK8sClientSet().CoreV1().ServiceAccounts(job.Namespace).Delete(ctx, serviceAccount, metav1.DeleteOptions{ + PropagationPolicy: &background, + }) + } _ = jb.cluster.GetK8sClientSet().BatchV1().Jobs(job.Namespace).Delete(ctx, job.Name, metav1.DeleteOptions{ PropagationPolicy: &background, }) diff --git a/pkg/trivyk8s/trivyk8s.go b/pkg/trivyk8s/trivyk8s.go index c63212a..fd77efa 100644 --- a/pkg/trivyk8s/trivyk8s.go +++ b/pkg/trivyk8s/trivyk8s.go @@ -53,6 +53,7 @@ type client struct { logger *zap.SugaredLogger excludeOwned bool scanJobParams scanJobParams + nodeConfig bool // feature flag to enable/disable node config collection } type K8sOption func(*client) @@ -200,6 +201,12 @@ func WithScanJobImageRef(imageRef string) NodeCollectorOption { } } +func WithNodeConfig(nodeConfig bool) NodeCollectorOption { + return func(c *client) { + c.nodeConfig = nodeConfig + } +} + // ListArtifacts returns kubernetes scannable artifacs. func (c *client) ListArtifactAndNodeInfo(ctx context.Context, opts ...NodeCollectorOption) ([]*artifacts.Artifact, error) { @@ -223,6 +230,7 @@ func (c *client) ListArtifactAndNodeInfo(ctx context.Context, jobs.WithJobLabels(labels), jobs.WithImageRef(c.scanJobParams.imageRef), jobs.WithJobTolerations(c.scanJobParams.toleration), + jobs.WithNodeConfig(c.nodeConfig), ) // delete trivy namespace defer jc.Cleanup(ctx)