
feat: Set ownerReferences for vulnerability reports created by the op…
…erator (#20)

Resolves: #19

Signed-off-by: Daniel Pacak <[email protected]>
danielpacak authored Jul 22, 2020
1 parent e9419c6 commit 4d7bceb
Showing 5 changed files with 64 additions and 11 deletions.
3 changes: 1 addition & 2 deletions README.md
Expand Up @@ -44,8 +44,7 @@
| Name | Default | Description |
|-----------------------------------------|----------------------|-------------|
| `OPERATOR_STARBOARD_NAMESPACE` | `starboard` | The default namespace for Starboard |
| `OPERATOR_NAMESPACE` | `` | The namespace watched by the operator |
| `OPERATOR_STARBOARD_DEFAULT_RESYNC` | `10m` | The default resync period for shared informers used by the operator |
| `OPERATOR_NAMESPACE` | `default` | The namespace watched by the operator |
| `OPERATOR_SCANNER_TRIVY_ENABLED` | `true` | The flag to enable Trivy vulnerability scanner |
| `OPERATOR_SCANNER_TRIVY_VERSION` | `0.9.1` | The version of Trivy to be used |
| `OPERATOR_SCANNER_AQUA_CSP_ENABLED` | `false` | The flag to enable Aqua CSP vulnerability scanner |
9 changes: 6 additions & 3 deletions cmd/manager/main.go
Expand Up @@ -4,6 +4,8 @@ import (
"errors"
"fmt"

appsv1 "k8s.io/api/apps/v1"

"github.com/aquasecurity/starboard-security-operator/pkg/reports"

"github.com/aquasecurity/starboard-security-operator/pkg/aqua/scanner"
Expand Down Expand Up @@ -35,6 +37,7 @@ var (
func init() {
_ = corev1.AddToScheme(scheme)
_ = batchv1.AddToScheme(scheme)
_ = appsv1.AddToScheme(scheme)
_ = starboardv1alpha1.AddToScheme(scheme)
}

Expand Down Expand Up @@ -74,13 +77,13 @@ func run() error {
return fmt.Errorf("unable to start manager: %w", err)
}

reportsStore := reports.NewStore(mgr.GetClient())
store := reports.NewStore(mgr.GetClient(), scheme)

if err = (&controllers.PodReconciler{
StarboardNamespace: config.Operator.StarboardNamespace,
Namespace: config.Operator.Namespace,
Client: mgr.GetClient(),
Store: reportsStore,
Store: store,
Scanner: scanner,
Log: ctrl.Log.WithName("controllers").WithName("pod"),
Scheme: mgr.GetScheme(),
Expand All @@ -91,7 +94,7 @@ func run() error {
if err = (&controllers.JobReconciler{
StarboardNamespace: config.Operator.StarboardNamespace,
Client: mgr.GetClient(),
Store: reportsStore,
Store: store,
Scanner: scanner,
Pods: pods,
Log: ctrl.Log.WithName("controllers").WithName("job"),
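Review bot: The new `store := reports.NewStore(mgr.GetClient(), scheme)` hands the store the package-level `scheme`, while the two reconcilers a few lines below receive `mgr.GetScheme()`; the store's scheme is what `controllerutil.SetOwnerReference` uses to resolve the owner's GroupVersionKind, so it must be the one the manager was built with. If the manager options (outside this hunk) pass the same `scheme`, the two are identical today, but the mixed sourcing is fragile and reads as a discrepancy. Prefer `store := reports.NewStore(mgr.GetClient(), mgr.GetScheme())` so every consumer agrees on a single scheme. The enclosing `run` starts and ends outside the hunk.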
1 change: 0 additions & 1 deletion pkg/controllers/job_controller.go
Expand Up @@ -6,7 +6,6 @@ import (
"reflect"

"github.com/aquasecurity/starboard-security-operator/pkg/reports"

"github.com/aquasecurity/starboard/pkg/find/vulnerabilities"
"github.com/aquasecurity/starboard/pkg/kube"
pods "github.com/aquasecurity/starboard/pkg/kube/pod"
2 changes: 1 addition & 1 deletion pkg/etc/config.go
Expand Up @@ -12,7 +12,7 @@ type Config struct {

type Operator struct {
StarboardNamespace string `env:"OPERATOR_STARBOARD_NAMESPACE" envDefault:"starboard"`
Namespace string `env:"OPERATOR_NAMESPACE" envDefault:""`
Namespace string `env:"OPERATOR_NAMESPACE" envDefault:"default"`
}

type ScannerTrivy struct {
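Review bot: Changing `envDefault:""` to `envDefault:"default"` on `Operator.Namespace` alters what the operator scans by default, and the field carries no comment explaining the value. In controller-runtime an empty manager namespace means "watch all namespaces"; if this field feeds that option (its consumer is outside the hunk), a deployment that relied on the empty default now silently watches only `default`, and workloads elsewhere stop receiving vulnerability reports. Document the contract on the field, e.g. `// Namespace is the single namespace watched by the operator (OPERATOR_NAMESPACE, default "default").`, so operators setting the scope of scanning know what the default implies. The enclosing `Operator` struct is fully inside the hunk; `Config` starts outside it.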
60 changes: 56 additions & 4 deletions pkg/reports/store.go
Expand Up @@ -4,8 +4,18 @@ import (
"context"
"fmt"

batchv1 "k8s.io/api/batch/v1"
"k8s.io/api/batch/v1beta1"
corev1 "k8s.io/api/core/v1"

appsv1 "k8s.io/api/apps/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/types"

starboardv1alpha1 "github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
"github.com/aquasecurity/starboard/pkg/find/vulnerabilities"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"

"github.com/aquasecurity/starboard/pkg/kube"
"github.com/google/uuid"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Expand All @@ -14,23 +24,30 @@ import (
)

type StoreInterface interface {
Write(ctx context.Context, workload kube.Object, vulnerabilities vulnerabilities.WorkloadVulnerabilities) error
Write(ctx context.Context, workload kube.Object, reports vulnerabilities.WorkloadVulnerabilities) error
Read(ctx context.Context, workload kube.Object) (vulnerabilities.WorkloadVulnerabilities, error)
}

type Store struct {
client client.Client
scheme *runtime.Scheme
}

func NewStore(client client.Client) *Store {
func NewStore(client client.Client, scheme *runtime.Scheme) *Store {
return &Store{
client: client,
scheme: scheme,
}
}

func (s *Store) Write(ctx context.Context, workload kube.Object, reports vulnerabilities.WorkloadVulnerabilities) error {
owner, err := s.getRuntimeObjectFor(ctx, workload)
if err != nil {
return err
}

for container, report := range reports {
err := s.client.Create(ctx, &starboardv1alpha1.Vulnerability{
vulnerabilityReport := &starboardv1alpha1.Vulnerability{
ObjectMeta: metav1.ObjectMeta{
Name: fmt.Sprintf(uuid.New().String()),
Namespace: workload.Namespace,
Expand All @@ -42,7 +59,13 @@ func (s *Store) Write(ctx context.Context, workload kube.Object, reports vulnera
},
},
Report: report,
})
}
err = controllerutil.SetOwnerReference(owner, vulnerabilityReport, s.scheme)
if err != nil {
return err
}

err := s.client.Create(ctx, vulnerabilityReport)
if err != nil {
return err
}
Expand Down Expand Up @@ -70,3 +93,32 @@ func (s *Store) Read(ctx context.Context, workload kube.Object) (vulnerabilities
}
return reports, nil
}

func (s *Store) getRuntimeObjectFor(ctx context.Context, workload kube.Object) (metav1.Object, error) {
var obj runtime.Object
switch workload.Kind {
case kube.KindPod:
obj = &corev1.Pod{}
case kube.KindReplicaSet:
obj = &appsv1.ReplicaSet{}
case kube.KindReplicationController:
obj = &corev1.ReplicationController{}
case kube.KindDeployment:
obj = &appsv1.Deployment{}
case kube.KindStatefulSet:
obj = &appsv1.StatefulSet{}
case kube.KindDaemonSet:
obj = &appsv1.DaemonSet{}
case kube.KindCronJob:
obj = &v1beta1.CronJob{}
case kube.KindJob:
obj = &batchv1.Job{}
default:
return nil, fmt.Errorf("unknown workload kind: %s", workload.Kind)
}
err := s.client.Get(ctx, types.NamespacedName{Name: workload.Name, Namespace: workload.Namespace}, obj)
if err != nil {
return nil, err
}
return obj.(metav1.Object), nil
}
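Review bot: In `Write`, `err := s.client.Create(ctx, vulnerabilityReport)` declares a new `err` inside the loop body even though the outer `err` from `s.getRuntimeObjectFor` is already assigned with `=` two statements earlier for `SetOwnerReference`; the shadowing compiles but is the pattern that drops errors once the code is refactored, so use `err = s.client.Create(ctx, vulnerabilityReport)` for consistency with the line above. In `getRuntimeObjectFor`, `return nil, err` after `s.client.Get` loses which workload could not be fetched; since a workload deleted between scan and write is a likely cause, wrap it as `return nil, fmt.Errorf("getting %s %s/%s: %w", workload.Kind, workload.Namespace, workload.Name, err)` so callers can still match with `errors.Is` while logs name the object. The import `"k8s.io/api/batch/v1beta1"` is the only k8s.io package without an alias while `batchv1`, `corev1` and `appsv1` all have one; `batchv1beta1 "k8s.io/api/batch/v1beta1"` would keep the block uniform. `Write` ends outside the hunk.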
