
feat: refining resource exclusion logic based on built-in or custom ownership #215

Merged
merged 1 commit into from
Aug 30, 2023

Conversation

thapabishwa
Contributor

@thapabishwa thapabishwa commented Aug 29, 2023

Description

This pull request centers around an enhancement to the exclusion logic based on resource ownership. If the resource is owned by built-in workloads, then the resource should be excluded.

This change ensures that resources owned by custom owners (like CRDs) are not mistakenly excluded, while ensuring that resources owned by built-in workloads are excluded.

For example, consider the scenario where there are two pods: one named my-pod, which doesn't have any owners, and another named pod-with-crd-owner, which is created and managed by a custom owner (acid.postgres.com/v1/postgresql), and other regular pods owned by built-in workload kinds.

kubectl get pods -o custom-columns="NAME:.metadata.name,OWNER:.metadata.ownerReferences[*].kind"
NAME                                  OWNER
my-pod                                <none>
aws-for-fluent-bit-m46xg              DaemonSet
coredns-655c69d4f4-fg82d              ReplicaSet
coredns-655c69d4f4-kmx6c              ReplicaSet
ebs-csi-controller-846b7ddddb-nj6ks   ReplicaSet
ebs-csi-controller-846b7ddddb-tbl88   ReplicaSet
pod-with-crd-owner                    acid.postgres.com/v1

Before

Since we currently do not verify whether the owner of the resource is a built-in workload, the pod with a custom owner is not listed when calling the ListArtifact function, as per PR #214.

go run example/trivy.go
Name: my-pod, Kind: Pod, Namespace: default, Images: [nginx:latest]

After

Once we start validating the resource's owner, the pod with a custom owner becomes visible in the listing when calling the ListArtifact function.

go run example/trivy.go
Name: my-pod, Kind: Pod, Namespace: default, Images: [nginx:latest]
Name: pod-with-crd-owner, Kind: Pod, Namespace: kube-system, Images: [nginx:latest]
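The rule described above, as an added Go example that is not the project's code: a resource is excluded only when one of its owner references is a built-in workload kind, so my-pod (no owner) and pod-with-crd-owner (CRD owner) stay in the listing while the DaemonSet- and ReplicaSet-owned pods drop out. It goes one step beyond the description by matching the owner's API group as well as its kind; the OwnerRef type, the builtInOwners table and the Listed helper are assumptions of this example.

```go
package main
import (
	"sort"
	"strings"
)
// OwnerRef holds the metadata.ownerReferences fields the rule needs (a stand-in
// for the Kubernetes API type, assumed for this example).
type OwnerRef struct {
	APIVersion string
	Kind       string
}
// builtInOwners maps each built-in workload kind to its API group. Matching the group
// too keeps a CRD that happens to be named "Deployment" classified as a custom owner.
var builtInOwners = map[string]string{
	"ReplicaSet": "apps", "Deployment": "apps", "DaemonSet": "apps", "StatefulSet": "apps",
	"Job": "batch", "CronJob": "batch",
	"ReplicationController": "", // the core group has the empty name
}

// apiGroup extracts the group from apiVersion ("apps/v1" -> "apps", "v1" -> "").
func apiGroup(apiVersion string) string {
	if i := strings.Index(apiVersion, "/"); i >= 0 {
		return apiVersion[:i]
	}
	return ""
}

// OwnedByBuiltIn reports whether any owner reference points at a built-in workload;
// such resources are excluded because they are already scanned through the parent.
func OwnedByBuiltIn(owners []OwnerRef) bool {
	for _, o := range owners {
		if group, ok := builtInOwners[o.Kind]; ok && apiGroup(o.APIVersion) == group {
			return true
		}
	}
	return false
}

// Listed returns, sorted, the names that survive the exclusion rule: resources with
// no owner at all or with only custom (CRD) owners.
func Listed(pods map[string][]OwnerRef) []string {
	var out []string
	for name, owners := range pods {
		if !OwnedByBuiltIn(owners) {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}
```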

@thapabishwa thapabishwa force-pushed the custom-resource-check branch from b53b403 to 594c51c Compare August 29, 2023 18:10
@thapabishwa thapabishwa changed the title feat: refining resource exclusion logic based on ownership feat: refining resource exclusion logic based on built-in or custom ownership Aug 29, 2023
@chen-keinan
Contributor

lgtm 🚀

@chen-keinan chen-keinan merged commit 95e88d5 into aquasecurity:main Aug 30, 2023
@thapabishwa thapabishwa deleted the custom-resource-check branch August 30, 2023 05:53