Add fields for scanner volume mounts

Signed-off-by: Zhecheng Li <zhechengli@microsoft.com>

api/unversioned/config/config.go

@@ -5,9 +5,11 @@ import (
 	"sync"
 	"time"
 
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+
 	"github.com/eraser-dev/eraser/api/unversioned"
 	"github.com/eraser-dev/eraser/version"
-	"k8s.io/apimachinery/pkg/api/resource"
 )
 
 var defaultScannerConfig = `
@@ -106,7 +108,9 @@ func Default() *unversioned.EraserConfig {
 					"eraser.sh/cleanup.filter",
 				},
 			},
-			AdditionalPodLabels: map[string]string{},
+			AdditionalPodLabels:      map[string]string{},
+			ExtraScannerVolumes:      []v1.Volume{},
+			ExtraScannerVolumeMounts: []v1.VolumeMount{},
 		},
 		Components: unversioned.Components{
 			Collector: unversioned.OptionalContainerConfig{

api/unversioned/eraserconfig_types.go

@@ -22,6 +22,7 @@ import (
 	"net/url"
 	"time"
 
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -156,16 +157,18 @@ type ContainerConfig struct {
 }
 
 type ManagerConfig struct {
-	Runtime             RuntimeSpec       `json:"runtime,omitempty"`
-	OTLPEndpoint        string            `json:"otlpEndpoint,omitempty"`
-	LogLevel            string            `json:"logLevel,omitempty"`
-	Scheduling          ScheduleConfig    `json:"scheduling,omitempty"`
-	Profile             ProfileConfig     `json:"profile,omitempty"`
-	ImageJob            ImageJobConfig    `json:"imageJob,omitempty"`
-	PullSecrets         []string          `json:"pullSecrets,omitempty"`
-	NodeFilter          NodeFilterConfig  `json:"nodeFilter,omitempty"`
-	PriorityClassName   string            `json:"priorityClassName,omitempty"`
-	AdditionalPodLabels map[string]string `json:"additionalPodLabels,omitempty"`
+	Runtime                  RuntimeSpec          `json:"runtime,omitempty"`
+	OTLPEndpoint             string               `json:"otlpEndpoint,omitempty"`
+	LogLevel                 string               `json:"logLevel,omitempty"`
+	Scheduling               ScheduleConfig       `json:"scheduling,omitempty"`
+	Profile                  ProfileConfig        `json:"profile,omitempty"`
+	ImageJob                 ImageJobConfig       `json:"imageJob,omitempty"`
+	PullSecrets              []string             `json:"pullSecrets,omitempty"`
+	NodeFilter               NodeFilterConfig     `json:"nodeFilter,omitempty"`
+	PriorityClassName        string               `json:"priorityClassName,omitempty"`
+	AdditionalPodLabels      map[string]string    `json:"additionalPodLabels,omitempty"`
+	ExtraScannerVolumes      []corev1.Volume      `json:"extraScannerVolumes,omitempty"`
+	ExtraScannerVolumeMounts []corev1.VolumeMount `json:"extraScannerVolumeMounts,omitempty"`
 }
 
 type ScheduleConfig struct {

api/v1alpha3/eraserconfig_types.go

@@ -22,6 +22,7 @@ import (
 	"net/url"
 	"time"
 
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -156,16 +157,18 @@ type ContainerConfig struct {
 }
 
 type ManagerConfig struct {
-	Runtime             RuntimeSpec       `json:"runtime,omitempty"`
-	OTLPEndpoint        string            `json:"otlpEndpoint,omitempty"`
-	LogLevel            string            `json:"logLevel,omitempty"`
-	Scheduling          ScheduleConfig    `json:"scheduling,omitempty"`
-	Profile             ProfileConfig     `json:"profile,omitempty"`
-	ImageJob            ImageJobConfig    `json:"imageJob,omitempty"`
-	PullSecrets         []string          `json:"pullSecrets,omitempty"`
-	NodeFilter          NodeFilterConfig  `json:"nodeFilter,omitempty"`
-	PriorityClassName   string            `json:"priorityClassName,omitempty"`
-	AdditionalPodLabels map[string]string `json:"additionalPodLabels,omitempty"`
+	Runtime                  RuntimeSpec          `json:"runtime,omitempty"`
+	OTLPEndpoint             string               `json:"otlpEndpoint,omitempty"`
+	LogLevel                 string               `json:"logLevel,omitempty"`
+	Scheduling               ScheduleConfig       `json:"scheduling,omitempty"`
+	Profile                  ProfileConfig        `json:"profile,omitempty"`
+	ImageJob                 ImageJobConfig       `json:"imageJob,omitempty"`
+	PullSecrets              []string             `json:"pullSecrets,omitempty"`
+	NodeFilter               NodeFilterConfig     `json:"nodeFilter,omitempty"`
+	PriorityClassName        string               `json:"priorityClassName,omitempty"`
+	AdditionalPodLabels      map[string]string    `json:"additionalPodLabels,omitempty"`
+	ExtraScannerVolumes      []corev1.Volume      `json:"extraScannerVolumes,omitempty"`
+	ExtraScannerVolumeMounts []corev1.VolumeMount `json:"extraScannerVolumeMounts,omitempty"`
 }
 
 type ScheduleConfig struct {

config/manager/controller_manager_config.yaml

@@ -20,6 +20,8 @@ manager:
   pullSecrets: [] # image pull secrets for collector/scanner/eraser
   priorityClassName: "" # priority class name for collector/scanner/eraser
   additionalPodLabels: {}
+  extraScannerVolumes: {}
+  extraScannerVolumeMounts: {}
   nodeFilter:
     type: exclude # must be either exclude|include
     selectors:

controllers/imagecollector/imagecollector_controller.go

@@ -448,6 +448,11 @@ func (r *Reconciler) createImageJob(ctx context.Context) (ctrl.Result, error) {
 				},
 			},
 		}
+
+		log.Info("extra mount for scanner starts")
+		jobTemplate.Spec.Volumes = append(jobTemplate.Spec.Volumes, mgrCfg.ExtraScannerVolumes...)
+		scannerContainer.VolumeMounts = append(scannerContainer.VolumeMounts, mgrCfg.ExtraScannerVolumeMounts...)
+
 		jobTemplate.Spec.Containers = append(jobTemplate.Spec.Containers, scannerContainer)
 	}
 

docs/docs/customization.md

@@ -105,6 +105,8 @@ manager:
   pullSecrets: [] # image pull secrets for collector/scanner/remover
   priorityClassName: "" # priority class name for collector/scanner/remover
   additionalPodLabels: {}
+  extraScannerVolumes: {}
+  extraScannerVolumeMounts: {}
   nodeFilter:
     type: exclude # must be either exclude|include
     selectors:
@@ -211,6 +213,8 @@ timeout:
 | manager.pullSecrets | The image pull secrets to use for collector, scanner, and remover containers. | [] |
 | manager.priorityClassName | The priority class to use for collector, scanner, and remover containers. | "" |
 | manager.additionalPodLabels | Additional labels for all pods that the controller creates at runtime. | `{}` |
+| manager.extraScannerVolumes | Extra volumes for scanner. | `{}` |
+| manager.extraScannerVolumeMounts | Extra volume mounts for scanner. | `{}` |
 | manager.nodeFilter.type | The type of node filter to use. Must be either "exclude" or "include". | exclude |
 | manager.nodeFilter.selectors | A list of selectors used to filter nodes. | [] |
 | components.collector.enabled | Whether to enable the collector component. | true |

go.mod

@@ -6,8 +6,8 @@ require (
 	github.com/aquasecurity/trivy v0.35.0
 	github.com/aquasecurity/trivy-db v0.0.0-20220627104749-930461748b63 // indirect
 	github.com/go-logr/logr v1.2.3
-	github.com/onsi/ginkgo/v2 v2.6.0
-	github.com/onsi/gomega v1.24.1
+	github.com/onsi/ginkgo/v2 v2.9.1
+	github.com/onsi/gomega v1.27.4
 	github.com/stretchr/testify v1.8.4
 	go.opentelemetry.io/otel v1.14.0
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v0.34.0
@@ -18,14 +18,14 @@ require (
 	golang.org/x/exp v0.0.0-20230321023759-10a507213a29
 	golang.org/x/sys v0.18.0
 	google.golang.org/grpc v1.58.3
-	k8s.io/api v0.26.11
-	k8s.io/apimachinery v0.26.11
-	k8s.io/client-go v0.26.11
+	k8s.io/api v0.27.16
+	k8s.io/apimachinery v0.27.16
+	k8s.io/client-go v0.27.16
 	// keeping this on 0.25 as updating to 0.26 will remove CRI v1alpha2 version
 	k8s.io/cri-api v0.25.5
 	k8s.io/klog/v2 v2.100.1
-	k8s.io/kubernetes v1.26.11
-	k8s.io/utils v0.0.0-20230115233650-391b47cb4029
+	k8s.io/kubernetes v1.27.16
+	k8s.io/utils v0.0.0-20230209194617-a36077c30491
 	oras.land/oras-go v1.2.2
 	sigs.k8s.io/controller-runtime v0.14.1
 	sigs.k8s.io/e2e-framework v0.0.8
@@ -60,16 +60,18 @@ require (
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.2.3 // indirect
-	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.20.0 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.1 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/go-containerregistry v0.14.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3 // indirect
@@ -108,14 +110,14 @@ require (
 	go.opentelemetry.io/otel/trace v1.14.0 // indirect
 	go.opentelemetry.io/proto/otlp v0.19.0 // indirect
 	go.uber.org/atomic v1.10.0 // indirect
-	go.uber.org/goleak v1.2.1 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
 	golang.org/x/net v0.23.0 // indirect
 	golang.org/x/oauth2 v0.10.0 // indirect
-	golang.org/x/sync v0.3.0 // indirect
+	golang.org/x/sync v0.5.0 // indirect
 	golang.org/x/term v0.18.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
+	golang.org/x/tools v0.16.1 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
@@ -126,46 +128,46 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.26.11 // indirect
-	k8s.io/apiserver v0.26.11 // indirect
-	k8s.io/component-base v0.26.11 // indirect
-	k8s.io/component-helpers v0.26.11 // indirect
-	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
+	k8s.io/apiextensions-apiserver v0.27.16 // indirect
+	k8s.io/apiserver v0.27.16 // indirect
+	k8s.io/component-base v0.27.16 // indirect
+	k8s.io/component-helpers v0.27.16 // indirect
+	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
 	k8s.io/kube-scheduler v0.0.0 // indirect
-	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )
 
 replace (
 	// v0.3.1-0.20230104082527-d6f58551be3f is taken from github.com/moby/buildkit v0.11.0
 	// spdx logic write on v0.3.0 and incompatible with v0.3.1-0.20230104082527-d6f58551be3f
 	github.com/spdx/tools-golang => github.com/spdx/tools-golang v0.3.0
-	k8s.io/api => k8s.io/api v0.26.11
-	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.26.11
-	k8s.io/apimachinery => k8s.io/apimachinery v0.26.11
-	k8s.io/apiserver => k8s.io/apiserver v0.26.11
-	k8s.io/cli-runtime => k8s.io/cli-runtime v0.26.11
-	k8s.io/client-go => k8s.io/client-go v0.26.11
-	k8s.io/cloud-provider => k8s.io/cloud-provider v0.26.11
-	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.26.11
-	k8s.io/code-generator => k8s.io/code-generator v0.26.11
-	k8s.io/component-base => k8s.io/component-base v0.26.11
-	k8s.io/component-helpers => k8s.io/component-helpers v0.26.11
-	k8s.io/controller-manager => k8s.io/controller-manager v0.26.11
-	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.26.11
-	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.26.11
-	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.26.11
-	k8s.io/kube-proxy => k8s.io/kube-proxy v0.26.11
-	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.26.11
-	k8s.io/kubectl => k8s.io/kubectl v0.26.11
-	k8s.io/kubelet => k8s.io/kubelet v0.26.11
-	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.26.11
-	k8s.io/metrics => k8s.io/metrics v0.26.11
-	k8s.io/mount-utils => k8s.io/mount-utils v0.26.11
-	k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.26.11
-	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.26.11
-	k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.26.11
-	k8s.io/sample-controller => k8s.io/sample-controller v0.26.11
+	k8s.io/api => k8s.io/api v0.27.16
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.27.16
+	k8s.io/apimachinery => k8s.io/apimachinery v0.27.16
+	k8s.io/apiserver => k8s.io/apiserver v0.27.16
+	k8s.io/cli-runtime => k8s.io/cli-runtime v0.27.16
+	k8s.io/client-go => k8s.io/client-go v0.27.16
+	k8s.io/cloud-provider => k8s.io/cloud-provider v0.27.16
+	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.27.16
+	k8s.io/code-generator => k8s.io/code-generator v0.27.16
+	k8s.io/component-base => k8s.io/component-base v0.27.16
+	k8s.io/component-helpers => k8s.io/component-helpers v0.27.16
+	k8s.io/controller-manager => k8s.io/controller-manager v0.27.16
+	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.27.16
+	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.27.16
+	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.27.16
+	k8s.io/kube-proxy => k8s.io/kube-proxy v0.27.16
+	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.27.16
+	k8s.io/kubectl => k8s.io/kubectl v0.27.16
+	k8s.io/kubelet => k8s.io/kubelet v0.27.16
+	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.27.16
+	k8s.io/metrics => k8s.io/metrics v0.27.16
+	k8s.io/mount-utils => k8s.io/mount-utils v0.27.16
+	k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.27.16
+	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.27.16
+	k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.27.16
+	k8s.io/sample-controller => k8s.io/sample-controller v0.27.16
 	// v1.2.0 is taken from github.com/open-policy-agent/opa v0.42.0
 	// v1.2.0 incompatible with github.com/docker/docker v23.0.0-rc.1+incompatible
 	oras.land/oras-go => oras.land/oras-go v1.1.1