chore: fix issue caused by ownerIsBuiltIn being true by default #216

merged 2 commits into from
Aug 30, 2023
25 changes: 13 additions & 12 deletions examples/trivy.go
Expand Up @@ -30,33 +30,34 @@ func main() {

fmt.Println("Current namespace:", cluster.GetCurrentNamespace())

trivyk8sCopy := trivyk8s.New(cluster, logger.Sugar(), trivyk8s.WithExcludeOwned(true))
trivyk8s := trivyk8s.New(cluster, logger.Sugar(), trivyk8s.WithExcludeOwned(true))

fmt.Println("Scanning kind 'pods' with exclude-owned=true")
artifacts, err := trivyk8s.Resources("pod").AllNamespaces().ListArtifacts(ctx)
fmt.Println("Scanning cluster")

//trivy k8s #cluster
artifacts, err := trivyk8s.ListArtifacts(ctx)
if err != nil {
log.Fatal(err)
}
printArtifacts(artifacts)

fmt.Println("Scanning cluster")

//trivy k8s #cluster
artifacts, err = trivyk8s.ListArtifacts(ctx)
fmt.Println("Scanning kind 'pods' with exclude-owned=true")
artifacts, err = trivyk8s.Resources("pod").AllNamespaces().ListArtifacts(ctx)
if err != nil {
log.Fatal(err)
}
printArtifacts(artifacts)

fmt.Println("Scanning namespace 'default'")
//trivy k8s --namespace default
artifacts, err = trivyk8s.Namespace("default").ListArtifacts(ctx)
artifacts, err = trivyk8sCopy.Namespace("default").ListArtifacts(ctx)
if err != nil {
log.Fatal(err)
}
printArtifacts(artifacts)
fmt.Println("Scanning all namespaces ")
artifacts, err = trivyk8s.AllNamespaces().ListArtifacts(ctx)
artifacts, err = trivyk8sCopy.AllNamespaces().ListArtifacts(ctx)
if err != nil {
log.Fatal(err)
}
Expand All @@ -65,7 +66,7 @@ func main() {
fmt.Println("Scanning namespace 'default', resource 'deployment/orion'")

//trivy k8s --namespace default deployment/orion
artifact, err := trivyk8s.Namespace("default").GetArtifact(ctx, "deploy", "orion")
artifact, err := trivyk8sCopy.Namespace("default").GetArtifact(ctx, "deploy", "orion")
if err != nil {
log.Fatal(err)
}
Expand All @@ -74,15 +75,15 @@ func main() {
fmt.Println("Scanning 'deployments'")

//trivy k8s deployment
artifacts, err = trivyk8s.Namespace("default").Resources("deployment").ListArtifacts(ctx)
artifacts, err = trivyk8sCopy.Namespace("default").Resources("deployment").ListArtifacts(ctx)
if err != nil {
log.Fatal(err)
}
printArtifacts(artifacts)

fmt.Println("Scanning 'cm,pods'")
//trivy k8s clusterroles,pods
artifacts, err = trivyk8s.Namespace("default").Resources("cm,pods").ListArtifacts(ctx)
artifacts, err = trivyk8sCopy.Namespace("default").Resources("cm,pods").ListArtifacts(ctx)
if err != nil {
log.Fatal(err)
}
Expand Down Expand Up @@ -112,7 +113,7 @@ func main() {
}

// collect node info
ar, err := trivyk8s.ListArtifactAndNodeInfo(ctx, "trivy-temp", map[string]string{"chen": "test"}, tolerations...)
ar, err := trivyk8sCopy.ListArtifactAndNodeInfo(ctx, "trivy-temp", map[string]string{"chen": "test"}, tolerations...)
if err != nil {
log.Fatal(err)
}
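Review bot: After this change the file uses two different receivers for the same kind of scan: the cluster and pod scans at `artifacts, err := trivyk8s.ListArtifacts(ctx)` and `artifacts, err = trivyk8s.Resources("pod").AllNamespaces().ListArtifacts(ctx)` still go through `trivyk8s`, while every later call goes through `trivyk8sCopy`. If `trivyk8s` at those lines is the local value returned by `trivyk8s.New(...)`, it shadows the imported package name, which appears to be what the rename to `trivyk8sCopy` was meant to avoid, so those two calls should be switched to `trivyk8sCopy` as well. If the two values are intentionally distinct, a one-line comment above the declarations saying how they differ would help, since both are built with `trivyk8s.WithExcludeOwned(true)`. The body of main starts before the first hunk and continues past the last one.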
8 changes: 5 additions & 3 deletions pkg/trivyk8s/trivyk8s.go
Expand Up @@ -138,10 +138,12 @@ func (c *client) ListArtifacts(ctx context.Context) ([]*artifacts.Artifact, erro
if c.ignoreResource(resource) {
continue
}

// assume that the owner doesn't exists by default
ownerExists := false
// assume that the owner is a built-in workload by default
ownerIsBuiltIn := true
if len(resource.GetOwnerReferences()) > 0 {
ownerExists = true
// if the resource has an owner, we check if it is a built-in workload
// this ensures that we don't skip resources that are owned by custom resources
for _, owner := range resource.GetOwnerReferences() {
Expand All @@ -152,8 +154,8 @@ func (c *client) ListArtifacts(ctx context.Context) ([]*artifacts.Artifact, erro
}
}

// if excludeOwned is enabled and workload is a built-in workload, we skip it
if c.excludeOwned && ownerIsBuiltIn {
// if excludeOwned is enabled and workload is a built-in workload and if ownerExists, we skip it
if c.excludeOwned && ownerIsBuiltIn && ownerExists {
continue
}

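Review bot: `ownerExists` at `ownerExists := false` only records that the resource carries owner references, not that the referenced owner object actually exists, so the name and the comment `// assume that the owner doesn't exists by default` overstate what is checked. Since the flag is set in exactly the branch guarded by `len(resource.GetOwnerReferences()) > 0`, the extra variable can be dropped by seeding the built-in flag from that condition, `ownerIsBuiltIn := len(resource.GetOwnerReferences()) > 0`, and keeping the skip as `if c.excludeOwned && ownerIsBuiltIn {` — this assumes the loop body hidden between the hunks only ever clears the flag for non-built-in owners, which is how the surrounding comments describe it. If the variable is kept, `hasOwnerRefs` describes it more accurately, and the comment `// if excludeOwned is enabled and workload is a built-in workload and if ownerExists, we skip it` should say that the resource has at least one owner reference. ListArtifacts starts before the hunk and continues after it.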