Merge pull request #21 from armosec/fix-labels-extraction

fix labels extraction
armosec · Feb 19, 2025 · 7b49b14 · 7b49b14
2 parents 0f29e39 + 5e4cd72
commit 7b49b14
Show file tree

Hide file tree

Showing 4 changed files with 103 additions and 3 deletions.
diff --git a/armometadata/k8sutils.go b/armometadata/k8sutils.go
@@ -115,6 +115,7 @@ type Metadata struct {
 	Kind                   string
 	ApiVersion             string
 	PodSelectorMatchLabels map[string]string
+	PodSpecLabels          map[string]string
 }
 
 // ExtractMetadataFromBytes extracts metadata from the JSON bytes of a Kubernetes object
@@ -124,6 +125,7 @@ func ExtractMetadataFromJsonBytes(input []byte) (Metadata, error) {
 		Annotations:            map[string]string{},
 		Labels:                 map[string]string{},
 		OwnerReferences:        map[string]string{},
+		PodSpecLabels:          map[string]string{},
 		PodSelectorMatchLabels: map[string]string{},
 	}
 	// ujson parsing
@@ -144,10 +146,14 @@ func ExtractMetadataFromJsonBytes(input []byte) (Metadata, error) {
 			m.ResourceVersion = unquote(value)
 		case strings.HasPrefix(jsonPath, "metadata.annotations."):
 			m.Annotations[unquote(key)] = unquote(value)
-		case strings.Contains(jsonPath, "metadata.labels."):
+		case strings.HasPrefix(jsonPath, "metadata.labels."):
 			m.Labels[unquote(key)] = unquote(value)
 		case strings.HasPrefix(jsonPath, "metadata.ownerReferences.."):
 			m.OwnerReferences[unquote(key)] = unquote(value)
+		case strings.HasPrefix(jsonPath, "spec.template.metadata.labels."):
+			m.PodSpecLabels[unquote(key)] = unquote(value)
+		case strings.HasPrefix(jsonPath, "spec.jobTemplate.spec.template.metadata.labels."):
+			m.PodSpecLabels[unquote(key)] = unquote(value)
 		case m.ApiVersion == "cilium.io/v2" && strings.HasPrefix(jsonPath, "spec.endpointSelector.matchLabels."):
 			addCiliumMatchLabels(m.PodSelectorMatchLabels, key, value)
 		case m.ApiVersion == "networking.k8s.io/v1" && strings.HasPrefix(jsonPath, "spec.podSelector.matchLabels."):

diff --git a/armometadata/k8sutils_test.go b/armometadata/k8sutils_test.go
@@ -134,21 +134,48 @@ func TestExtractMetadataFromJsonBytes(t *testing.T) {
 		kind                   string
 		apiVersion             string
 		podSelectorMatchLabels map[string]string
+		podSpecLabels          map[string]string
 	}{
+		{
+			name:        "testcronjob",
+			annotations: map[string]string{},
+			labels: map[string]string{
+				"app":         "backup-system",
+				"team":        "platform",
+				"cost-center": "platform-123",
+			},
+			ownerReferences:        map[string]string{},
+			creationTs:             "",
+			resourceVersion:        "",
+			kind:                   "CronJob",
+			apiVersion:             "batch/v1",
+			podSelectorMatchLabels: map[string]string{},
+			podSpecLabels: map[string]string{
+				"app":         "backup-job",
+				"type":        "scheduled-backup",
+				"environment": "prod",
+				"component":   "database",
+				"version":     "v1.2",
+			},
+		},
 		{
 			name: "testdeployment",
 			annotations: map[string]string{
 				"deployment.kubernetes.io/revision": "1",
 			},
 			labels: map[string]string{
-				"app": "emailservice",
+				"label-key-1": "label-value-1",
 			},
 			ownerReferences:        map[string]string{},
 			creationTs:             "2024-07-18T19:58:44Z",
 			resourceVersion:        "6486",
 			kind:                   "Deployment",
 			apiVersion:             "apps/v1",
 			podSelectorMatchLabels: map[string]string{},
+			podSpecLabels: map[string]string{
+				"app":           "emailservice",
+				"pod_label_key": "pod_label_value",
+			},
 		},
 		{
 			name:                   "networkpolicy_withoutmatching_labels",
@@ -160,6 +187,7 @@ func TestExtractMetadataFromJsonBytes(t *testing.T) {
 			kind:                   "NetworkPolicy",
 			apiVersion:             "networking.k8s.io/v1",
 			podSelectorMatchLabels: map[string]string{},
+			podSpecLabels:          map[string]string{},
 		},
 		{
 			name:            "networkpolicy_withmatching_labels",
@@ -174,6 +202,7 @@ func TestExtractMetadataFromJsonBytes(t *testing.T) {
 				"role": "frontend",
 				"tier": "tier1",
 			},
+			podSpecLabels: map[string]string{},
 		},
 		{
 			name: "applicationactivity",
@@ -194,6 +223,7 @@ func TestExtractMetadataFromJsonBytes(t *testing.T) {
 			kind:                   "ApplicationActivity",
 			apiVersion:             "spdx.softwarecomposition.kubescape.io/v1beta1",
 			podSelectorMatchLabels: map[string]string{},
+			podSpecLabels:          map[string]string{},
 		},
 		{
 			name: "pod",
@@ -225,6 +255,7 @@ func TestExtractMetadataFromJsonBytes(t *testing.T) {
 			kind:                   "Pod",
 			apiVersion:             "v1",
 			podSelectorMatchLabels: map[string]string{},
+			podSpecLabels:          map[string]string{},
 		},
 		{
 			name: "sbom",
@@ -242,6 +273,7 @@ func TestExtractMetadataFromJsonBytes(t *testing.T) {
 			kind:                   "SBOMSPDXv2p3",
 			apiVersion:             "spdx.softwarecomposition.kubescape.io/v1beta1",
 			podSelectorMatchLabels: map[string]string{},
+			podSpecLabels:          map[string]string{},
 		},
 		{
 			name:                   "caliconetworkpolicy",
@@ -251,6 +283,7 @@ func TestExtractMetadataFromJsonBytes(t *testing.T) {
 			kind:                   "NetworkPolicy",
 			apiVersion:             "projectcalico.org/v3",
 			podSelectorMatchLabels: map[string]string{"role": "database"},
+			podSpecLabels:          map[string]string{},
 		},
 		{
 			name:                   "ciliumnetworkpolicy",
@@ -260,6 +293,7 @@ func TestExtractMetadataFromJsonBytes(t *testing.T) {
 			kind:                   "CiliumNetworkPolicy",
 			apiVersion:             "cilium.io/v2",
 			podSelectorMatchLabels: map[string]string{"any:app": "frontend", "app": "frontend"},
+			podSpecLabels:          map[string]string{},
 		},
 		{
 			name:                   "istionetworkpolicy",
@@ -269,6 +303,7 @@ func TestExtractMetadataFromJsonBytes(t *testing.T) {
 			kind:                   "AuthorizationPolicy",
 			apiVersion:             "security.istio.io/v1",
 			podSelectorMatchLabels: map[string]string{"app": "myapi"},
+			podSpecLabels:          map[string]string{},
 		},
 	}
 	for _, tt := range tests {
@@ -285,6 +320,7 @@ func TestExtractMetadataFromJsonBytes(t *testing.T) {
 			assert.Equal(t, tt.kind, m.Kind)
 			assert.Equal(t, tt.apiVersion, m.ApiVersion)
 			assert.Equal(t, tt.podSelectorMatchLabels, m.PodSelectorMatchLabels)
+			assert.Equal(t, tt.podSpecLabels, m.PodSpecLabels)
 		})
 	}
 }

diff --git a/armometadata/testdata/testcronjob.json b/armometadata/testdata/testcronjob.json
@@ -0,0 +1,54 @@
+{
+    "apiVersion": "batch/v1",
+    "kind": "CronJob",
+    "metadata": {
+      "name": "data-backup",
+      "labels": {
+        "app": "backup-system",
+        "team": "platform",
+        "cost-center": "platform-123"
+      }
+    },
+    "spec": {
+      "schedule": "0 * * * *",
+      "concurrencyPolicy": "Forbid",
+      "successfulJobsHistoryLimit": 3,
+      "failedJobsHistoryLimit": 1,
+      "jobTemplate": {
+        "metadata": {
+          "labels": {
+            "generated-by": "cronjob",
+            "type": "backup-job",
+            "criticality": "high"
+          }
+        },
+        "spec": {
+          "template": {
+            "metadata": {
+              "labels": {
+                "app": "backup-job",
+                "type": "scheduled-backup",
+                "environment": "prod",
+                "component": "database",
+                "version": "v1.2"
+              }
+            },
+            "spec": {
+              "containers": [
+                {
+                  "name": "backup-container",
+                  "image": "backup-image:v1",
+                  "command": [
+                    "/bin/sh",
+                    "-c",
+                    "echo performing backup"
+                  ]
+                }
+              ],
+              "restartPolicy": "OnFailure"
+            }
+          }
+        }
+      }
+    }
+  }
diff --git a/armometadata/testdata/testdeployment.json b/armometadata/testdata/testdeployment.json
@@ -5,6 +5,9 @@
         "annotations": {
             "deployment.kubernetes.io/revision": "1"
         },
+        "labels": {
+            "label-key-1": "label-value-1"
+        },
         "creationTimestamp": "2024-07-18T19:58:44Z",
         "generation": 1,
         "name": "emailservice",
@@ -32,7 +35,8 @@
             "metadata": {
                 "creationTimestamp": null,
                 "labels": {
-                    "app": "emailservice"
+                    "app": "emailservice",
+                    "pod_label_key": "pod_label_value"
                 }
             },
             "spec": {