refactor: Do not use client-go (#30)

Signed-off-by: Daniel Pacak <[email protected]>

.github/workflows/build.yaml

@@ -20,7 +20,6 @@ jobs:
       - name: Upload code coverage
         uses: codecov/codecov-action@v1
         with:
-          token: ${{ secrets.CODECOV_TOKEN }}
           file: ./coverage.txt
       - name: Release snapshot
         uses: goreleaser/goreleaser-action@v2

README.md

@@ -8,43 +8,52 @@ This operator for Starboard automatically updates security report resources in r
 a Kubernetes cluster - for example, initiating a vulnerability scan when a new pod is started. Please see the main
 [Starboard](https://github.com/aquasecurity/starboard) repo for more info about the Starboard project.
 
-## Getting Started
+## Getting started
 
-1. Define custom security resources used by Starboard:
+1. Run `make` to build operator binaries into Docker containers:
+   ```
+   $ make docker-build
+   ```
+1. Define Custom Security Resources used by Starboard:
    ```
    $ kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/master/kube/crd/vulnerabilities-crd.yaml \
      -f https://raw.githubusercontent.com/aquasecurity/starboard/master/kube/crd/configauditreports-crd.yaml \
      -f https://raw.githubusercontent.com/aquasecurity/starboard/master/kube/crd/ciskubebenchreports-crd.yaml \
      -f https://raw.githubusercontent.com/aquasecurity/starboard/master/kube/crd/kubehunterreports-crd.yaml
    ```
-2. Create the starboard namespace:
+2. Create the `starboard-operator` Namespace:
    ```
-   $ kubectl create ns starboard
+   $ kubectl create ns starboard-operator
    ```
 3. Create a Secret that holds configuration of the Aqua CSP scanner:
    ```
-   $ kubectl create secret generic starboard-scanner-aqua \
-     --namespace starboard \
-     --from-literal OPERATOR_SCANNER_AQUA_CSP_USER=$AQUA_CONSOLE_USERNAME \
+   $ kubectl create secret generic starboard-operator \
+     --namespace starboard-operator \
+     --from-literal OPERATOR_SCANNER_AQUA_CSP_USERNAME=$AQUA_CONSOLE_USERNAME \
      --from-literal OPERATOR_SCANNER_AQUA_CSP_PASSWORD=$AQUA_CONSOLE_PASSWORD \
      --from-literal OPERATOR_SCANNER_AQUA_CSP_VERSION=$AQUA_VERSION \
      --from-literal OPERATOR_SCANNER_AQUA_CSP_HOST=http://csp-console-svc.aqua:8080
    ```
-5. Create a Deployment for the Starboard Security Operator:
+5. Create a Deployment for the Starboard Operator:
    ```
-   $ kubectl apply -f deploy/starboard-security-operator.yaml
+   $ kubectl apply -f deploy/starboard-operator.yaml
    ```
 
 ## Configuration
 
 | Name                                    | Default              | Description |
 |-----------------------------------------|----------------------|-------------|
-| `OPERATOR_STARBOARD_NAMESPACE`          | `starboard`          | The default namespace for Starboard |
-| `OPERATOR_NAMESPACE`                    | `default`            | The namespace watched by the operator |
+| `OPERATOR_STARBOARD_NAMESPACE`          | `starboard-operator` | The default namespace for Starboard |
+| `OPERATOR_SUPERVISED_NAMESPACE`         | `default`            | The namespace watched by the operator |
+| `OPERATOR_SCAN_JOB_TIMEOUT`             | `5m`                 | The length of time to wait before giving up on a scan job |
 | `OPERATOR_SCANNER_TRIVY_ENABLED`        | `true`               | The flag to enable Trivy vulnerability scanner |
-| `OPERATOR_SCANNER_TRIVY_VERSION`        | `0.9.1`              | The version of Trivy to be used |
+| `OPERATOR_SCANNER_TRIVY_VERSION`        | `0.11.0`              | The version of Trivy to be used |
 | `OPERATOR_SCANNER_AQUA_CSP_ENABLED`     | `false`              | The flag to enable Aqua CSP vulnerability scanner |
-| `OPERATOR_SCANNER_AQUA_CSP_VERSION`     | `4.6`                | The version of Aqua CSP scannercli container image to be used |
+| `OPERATOR_SCANNER_AQUA_CSP_VERSION`     | `5.0`                | The version of Aqua CSP scannercli container image to be used |
+
+## How does it work?
+
+![](docs/starboard-operator.png)
 
 [release-img]: https://img.shields.io/github/release/aquasecurity/starboard-security-operator.svg?logo=github
 [release]: https://github.com/aquasecurity/starboard-security-operator/releases

cmd/operator/main.go

@@ -4,20 +4,20 @@ import (
 	"errors"
 	"fmt"
 
+	"github.com/aquasecurity/starboard-security-operator/pkg/logs"
+	"k8s.io/client-go/kubernetes"
+
+	"github.com/aquasecurity/starboard-security-operator/pkg/aqua"
+
+	"github.com/aquasecurity/starboard-security-operator/pkg/scanner"
+	"github.com/aquasecurity/starboard-security-operator/pkg/trivy"
+
 	appsv1 "k8s.io/api/apps/v1"
 
 	"github.com/aquasecurity/starboard-security-operator/pkg/reports"
 
-	"github.com/aquasecurity/starboard-security-operator/pkg/aqua/scanner"
-
 	"github.com/aquasecurity/starboard-security-operator/pkg/controllers"
 	"github.com/aquasecurity/starboard-security-operator/pkg/etc"
-	"github.com/aquasecurity/starboard/pkg/find/vulnerabilities"
-	"github.com/aquasecurity/starboard/pkg/find/vulnerabilities/trivy"
-	"github.com/aquasecurity/starboard/pkg/kube"
-	pods "github.com/aquasecurity/starboard/pkg/kube/pod"
-	"k8s.io/client-go/kubernetes"
-
 	starboardv1alpha1 "github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
 	batchv1 "k8s.io/api/batch/v1"
 
@@ -77,9 +77,8 @@ func run() error {
 	if err != nil {
 		return err
 	}
-	pods := pods.NewPodManager(kubernetesClientset)
 
-	scanner, err := getEnabledScanner(config, kubernetesClientset, pods)
+	scanner, err := getEnabledScanner(config)
 	if err != nil {
 		return err
 	}
@@ -95,25 +94,24 @@ func run() error {
 	store := reports.NewStore(mgr.GetClient(), scheme)
 
 	if err = (&controllers.PodReconciler{
-		StarboardNamespace: config.Operator.StarboardNamespace,
-		Namespace:          config.Operator.Namespace,
-		Client:             mgr.GetClient(),
-		Store:              store,
-		Scanner:            scanner,
-		Log:                ctrl.Log.WithName("controllers").WithName("pod"),
-		Scheme:             mgr.GetScheme(),
+		Config:  config.Operator,
+		Client:  mgr.GetClient(),
+		Store:   store,
+		Scanner: scanner,
+		Log:     ctrl.Log.WithName("controllers").WithName("pod"),
+		Scheme:  mgr.GetScheme(),
 	}).SetupWithManager(mgr); err != nil {
 		return fmt.Errorf("unable to create pod controller: %w", err)
 	}
 
 	if err = (&controllers.JobReconciler{
-		StarboardNamespace: config.Operator.StarboardNamespace,
-		Client:             mgr.GetClient(),
-		Store:              store,
-		Scanner:            scanner,
-		Pods:               pods,
-		Log:                ctrl.Log.WithName("controllers").WithName("job"),
-		Scheme:             mgr.GetScheme(),
+		Config:     config.Operator,
+		LogsReader: logs.NewReader(kubernetesClientset),
+		Client:     mgr.GetClient(),
+		Store:      store,
+		Scanner:    scanner,
+		Log:        ctrl.Log.WithName("controllers").WithName("job"),
+		Scheme:     mgr.GetScheme(),
 	}).SetupWithManager(mgr); err != nil {
 		return fmt.Errorf("unable to create job controller: %w", err)
 	}
@@ -126,7 +124,7 @@ func run() error {
 	return nil
 }
 
-func getEnabledScanner(config etc.Config, kubeClientset kubernetes.Interface, pods *pods.Manager) (vulnerabilities.ScannerAsync, error) {
+func getEnabledScanner(config etc.Config) (scanner.VulnerabilityScanner, error) {
 	if config.ScannerTrivy.Enabled && config.ScannerAquaCSP.Enabled {
 		return nil, fmt.Errorf("invalid configuration: multiple vulnerability scanners enabled")
 	}
@@ -135,11 +133,11 @@ func getEnabledScanner(config etc.Config, kubeClientset kubernetes.Interface, po
 	}
 	if config.ScannerTrivy.Enabled {
 		setupLog.Info("Using Trivy as vulnerability scanner", "version", config.ScannerTrivy.Version)
-		return trivy.NewScanner(kube.ScannerOpts{}, kubeClientset), nil
+		return trivy.NewScanner(), nil
 	}
 	if config.ScannerAquaCSP.Enabled {
 		setupLog.Info("Using Aqua CSP as vulnerability scanner", "version", config.ScannerAquaCSP.Version)
-		return scanner.NewScanner(versionInfo, config, &scanner.RandomNamesGenerator{}, pods), nil
+		return aqua.NewScanner(versionInfo, config.ScannerAquaCSP), nil
 	}
 	return nil, errors.New("invalid configuration: unhandled vulnerability scanners config")
 }

deploy/examples/aqua-scan-job.yaml

@@ -6,11 +6,11 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: scan-job
-  namespace: starboard
+  namespace: starboard-operator
 spec:
   template:
     spec:
-      serviceAccountName: starboard-scanner-aqua
+      serviceAccountName: starboard-operator
       volumes:
         - name: scannercli
           emptyDir: {}
@@ -20,7 +20,7 @@ spec:
             path: "/var/run/docker.sock"
       initContainers:
         - name: download
-          image: aquasec/scanner:4.6
+          image: aquasec/scanner:5.0
           command:
             - cp
             - "/opt/aquasec/scannercli"
@@ -38,21 +38,21 @@ spec:
             - "/usr/local/bin/scanner --host $(OPERATOR_SCANNER_AQUA_CSP_HOST) --user $(OPERATOR_SCANNER_AQUA_CSP_USER) --password $(OPERATOR_SCANNER_AQUA_CSP_PASSWORD) $(IMAGE_REF) 2> /dev/termination-log"
           env:
             - name: IMAGE_REF
-              value: core.harbor.domain/library/nginx:1.17
+              value: nginx:1.16
             - name: OPERATOR_SCANNER_AQUA_CSP_HOST
               valueFrom:
                 secretKeyRef:
-                  name: starboard-scanner-aqua
+                  name: starboard-operator
                   key: OPERATOR_SCANNER_AQUA_CSP_HOST
             - name: OPERATOR_SCANNER_AQUA_CSP_USER
               valueFrom:
                 secretKeyRef:
-                  name: starboard-scanner-aqua
+                  name: starboard-operator
                   key: OPERATOR_SCANNER_AQUA_CSP_USER
             - name: OPERATOR_SCANNER_AQUA_CSP_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: starboard-scanner-aqua
+                  name: starboard-operator
                   key: OPERATOR_SCANNER_AQUA_CSP_PASSWORD
           volumeMounts:
             - name: scannercli

deploy/starboard-security-operator.yaml → deploy/starboard-operator.yaml

@@ -2,13 +2,13 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: starboard-security-operator
-  namespace: starboard
+  name: starboard-operator
+  namespace: starboard-operator
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: starboard-security-operator
+  name: starboard-operator
 rules:
   - apiGroups:
       - ""
@@ -19,6 +19,13 @@ rules:
       - get
       - list
       - watch
+  - apiGroups:
+      - apps
+    resources:
+      - replicasets
+    verbs:
+      - get
+      - list
   - apiGroups:
       - batch
     resources:
@@ -42,34 +49,34 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: starboard-security-operator
+  name: starboard-operator
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: starboard-security-operator
+  name: starboard-operator
 subjects:
   - kind: ServiceAccount
-    name: starboard-security-operator
-    namespace: starboard
+    name: starboard-operator
+    namespace: starboard-operator
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: starboard-security-operator
-  namespace: starboard
+  name: starboard-operator
+  namespace: starboard-operator
   labels:
-    app: starboard-security-operator
+    app: starboard-operator
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: starboard-security-operator
+      app: starboard-operator
   template:
     metadata:
       labels:
-        app: starboard-security-operator
+        app: starboard-operator
     spec:
-      serviceAccountName: starboard-security-operator
+      serviceAccountName: starboard-operator
       securityContext:
         runAsNonRoot: true
         runAsUser: 10000
@@ -85,11 +92,26 @@ spec:
             - name: OPERATOR_SCANNER_TRIVY_ENABLED
               value: "true"
             - name: OPERATOR_SCANNER_TRIVY_VERSION
-              value: "0.9.1"
+              value: "0.11.0"
             - name: OPERATOR_SCANNER_AQUA_CSP_ENABLED
               value: "false"
             - name: OPERATOR_SCANNER_AQUA_CSP_VERSION
               valueFrom:
                 secretKeyRef:
-                  name: starboard-scanner-aqua
+                  name: starboard-operator
                   key: OPERATOR_SCANNER_AQUA_CSP_VERSION
+            - name: OPERATOR_SCANNER_AQUA_CSP_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: starboard-operator
+                  key: OPERATOR_SCANNER_AQUA_CSP_HOST
+            - name: OPERATOR_SCANNER_AQUA_CSP_USER
+              valueFrom:
+                secretKeyRef:
+                  name: starboard-operator
+                  key: OPERATOR_SCANNER_AQUA_CSP_USERNAME
+            - name: OPERATOR_SCANNER_AQUA_CSP_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: starboard-operator
+                  key: OPERATOR_SCANNER_AQUA_CSP_PASSWORD