diff --git a/README.md b/README.md
index 64e4bc9..8e8ae12 100644
--- a/README.md
+++ b/README.md
@@ -44,8 +44,7 @@
 | Name | Default | Description |
 |-----------------------------------------|----------------------|-------------|
 | `OPERATOR_STARBOARD_NAMESPACE` | `starboard` | The default namespace for Starboard |
-| `OPERATOR_NAMESPACE` | `` | The namespace watched by the operator |
-| `OPERATOR_STARBOARD_DEFAULT_RESYNC` | `10m` | The default resync period for shared informers used by the operator |
+| `OPERATOR_NAMESPACE` | `default` | The namespace watched by the operator |
 | `OPERATOR_SCANNER_TRIVY_ENABLED` | `true` | The flag to enable Trivy vulnerability scanner |
 | `OPERATOR_SCANNER_TRIVY_VERSION` | `0.9.1` | The version of Trivy to be used |
 | `OPERATOR_SCANNER_AQUA_CSP_ENABLED` | `false` | The flag to enable Aqua CSP vulnerability scanner |
diff --git a/cmd/manager/main.go b/cmd/manager/main.go
index bc6ab74..0f66fa3 100644
--- a/cmd/manager/main.go
+++ b/cmd/manager/main.go
@@ -4,6 +4,8 @@ import (
 "errors"
 "fmt"
+ appsv1 "k8s.io/api/apps/v1"
+
 "github.com/aquasecurity/starboard-security-operator/pkg/reports"
 "github.com/aquasecurity/starboard-security-operator/pkg/aqua/scanner"
@@ -35,6 +37,7 @@ var (
 func init() {
 _ = corev1.AddToScheme(scheme)
 _ = batchv1.AddToScheme(scheme)
+ _ = appsv1.AddToScheme(scheme)
 _ = starboardv1alpha1.AddToScheme(scheme)
 }
@@ -74,13 +77,13 @@ func run() error {
 return fmt.Errorf("unable to start manager: %w", err)
 }
- reportsStore := reports.NewStore(mgr.GetClient())
+ store := reports.NewStore(mgr.GetClient(), scheme)
 if err = (&controllers.PodReconciler{
 StarboardNamespace: config.Operator.StarboardNamespace,
 Namespace: config.Operator.Namespace,
 Client: mgr.GetClient(),
- Store: reportsStore,
+ Store: store,
 Scanner: scanner,
 Log: ctrl.Log.WithName("controllers").WithName("pod"),
 Scheme: mgr.GetScheme(),
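Review bot: init() now registers apps/v1 but still not batch/v1beta1, while the new getRuntimeObjectFor in pkg/reports/store.go (same change) does a client Get on `&v1beta1.CronJob{}` and then hands that owner to controllerutil.SetOwnerReference, both of which resolve the GVK through this scheme. Unless the CronJob kind is registered somewhere outside this diff, writing reports for a CronJob workload will fail at runtime with an unregistered-kind error instead of at compile time. Add `batchv1beta1 "k8s.io/api/batch/v1beta1"` to the imports and `_ = batchv1beta1.AddToScheme(scheme)` beside the apps/v1 line. The init body is complete within the hunk.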
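Review bot: `store := reports.NewStore(mgr.GetClient(), scheme)` passes the package-level scheme while the reconcilers below receive mgr.GetScheme(); whether those are the same object depends on the ctrl.NewManager options, which sit above this hunk. If the manager was built with `Scheme: scheme` they are identical and this is only a consistency nit; if not, the store resolves owner GVKs against a different scheme from the one its client uses. Passing `mgr.GetScheme()` to NewStore removes the question either way. run() continues outside the hunk.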
@@ -91,7 +94,7 @@ func run() error {
 if err = (&controllers.JobReconciler{
 StarboardNamespace: config.Operator.StarboardNamespace,
 Client: mgr.GetClient(),
- Store: reportsStore,
+ Store: store,
 Scanner: scanner,
 Pods: pods,
 Log: ctrl.Log.WithName("controllers").WithName("job"),
diff --git a/pkg/controllers/job_controller.go b/pkg/controllers/job_controller.go
index 0fa430f..d47cc33 100644
--- a/pkg/controllers/job_controller.go
+++ b/pkg/controllers/job_controller.go
@@ -6,7 +6,6 @@ import (
 "reflect"
 "github.com/aquasecurity/starboard-security-operator/pkg/reports"
- "github.com/aquasecurity/starboard/pkg/find/vulnerabilities"
 "github.com/aquasecurity/starboard/pkg/kube"
 pods "github.com/aquasecurity/starboard/pkg/kube/pod"
diff --git a/pkg/etc/config.go b/pkg/etc/config.go
index 946b7c3..d69f6cf 100644
--- a/pkg/etc/config.go
+++ b/pkg/etc/config.go
@@ -12,7 +12,7 @@ type Config struct {
 type Operator struct {
 StarboardNamespace string `env:"OPERATOR_STARBOARD_NAMESPACE" envDefault:"starboard"`
- Namespace string `env:"OPERATOR_NAMESPACE" envDefault:""`
+ Namespace string `env:"OPERATOR_NAMESPACE" envDefault:"default"`
 }
 type ScannerTrivy struct {
diff --git a/pkg/reports/store.go b/pkg/reports/store.go
index 38aa3fa..dcc14c9 100644
--- a/pkg/reports/store.go
+++ b/pkg/reports/store.go
@@ -4,8 +4,18 @@ import (
 "context"
 "fmt"
+ batchv1 "k8s.io/api/batch/v1"
+ "k8s.io/api/batch/v1beta1"
+ corev1 "k8s.io/api/core/v1"
+
+ appsv1 "k8s.io/api/apps/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/types"
+
 starboardv1alpha1 "github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
 "github.com/aquasecurity/starboard/pkg/find/vulnerabilities"
+ "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+
 "github.com/aquasecurity/starboard/pkg/kube"
 "github.com/google/uuid"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
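Review bot: The default for `Namespace` changes from "" to "default", which narrows the operator's watch to a single namespace without any comment saying what the field means now or what an empty value does. The previous default presumably meant cluster-wide (controller-runtime treats an empty manager Namespace that way), but the manager setup is not in this diff, so confirm that before relying on it. Add a doc comment on the field such as `// Namespace is the single namespace the operator watches; an empty value watches every namespace.`, adjusted to the actual manager behaviour, and mirror it in the README row, which now states the default without explaining the scope.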
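Review bot: `"k8s.io/api/batch/v1beta1"` is the only k8s.io API package in this file imported without an alias, so the code that uses it refers to `v1beta1.CronJob` while the sibling kind is `batchv1.Job`; alias it `batchv1beta1 "k8s.io/api/batch/v1beta1"` for consistency with corev1, appsv1 and batchv1. The added lines also scatter the k8s.io and sigs.k8s.io packages across three groups interleaved with the project's own imports; one stdlib group, one k8s.io/sigs.k8s.io group and one github.com group would read more easily.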
@@ -14,23 +24,30 @@ import (
 )
 type StoreInterface interface {
- Write(ctx context.Context, workload kube.Object, vulnerabilities vulnerabilities.WorkloadVulnerabilities) error
+ Write(ctx context.Context, workload kube.Object, reports vulnerabilities.WorkloadVulnerabilities) error
 Read(ctx context.Context, workload kube.Object) (vulnerabilities.WorkloadVulnerabilities, error)
 }
 type Store struct {
 client client.Client
+ scheme *runtime.Scheme
 }
-func NewStore(client client.Client) *Store {
+func NewStore(client client.Client, scheme *runtime.Scheme) *Store {
 return &Store{
 client: client,
+ scheme: scheme,
 }
 }
 func (s *Store) Write(ctx context.Context, workload kube.Object, reports vulnerabilities.WorkloadVulnerabilities) error {
+ owner, err := s.getRuntimeObjectFor(ctx, workload)
+ if err != nil {
+ return err
+ }
+
 for container, report := range reports {
- err := s.client.Create(ctx, &starboardv1alpha1.Vulnerability{
+ vulnerabilityReport := &starboardv1alpha1.Vulnerability{
 ObjectMeta: metav1.ObjectMeta{
 Name: fmt.Sprintf(uuid.New().String()),
 Namespace: workload.Namespace,
@@ -42,7 +59,13 @@ func (s *Store) Write(ctx context.Context, workload kube.Object, reports vulnera
 },
 },
 Report: report,
- })
+ }
+ err = controllerutil.SetOwnerReference(owner, vulnerabilityReport, s.scheme)
+ if err != nil {
+ return err
+ }
+
+ err := s.client.Create(ctx, vulnerabilityReport)
 if err != nil {
 return err
 }
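Review bot: NewStore and Write are exported and both change contract here, yet neither carries a doc comment: Write now looks the owning workload up first and returns that error before any report is created, and NewStore silently accepts a nil scheme that only fails later inside SetOwnerReference. Suggested comments: `// NewStore returns a Store that persists Vulnerability resources through client; scheme must know every workload kind Write may be asked to look up.` and `// Write creates one Vulnerability per container report in the workload's namespace, owned by the workload so that Kubernetes garbage collection removes the reports with it.` The context line `Name: fmt.Sprintf(uuid.New().String())` is pre-existing but passes a non-constant format string to Sprintf, which go vet flags; `uuid.New().String()` on its own is sufficient. Write's body continues in the next hunk.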
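Review bot: `err := s.client.Create(ctx, vulnerabilityReport)` declares a new loop-scoped err on top of the function-scoped one that `owner, err :=` introduced and that SetOwnerReference assigned two lines above; it compiles, but it is exactly the shadowing go vet's shadow analyzer reports, and a later edit that reads err after the loop would silently see the wrong value. Use plain assignment, `err = s.client.Create(ctx, vulnerabilityReport)`, so a single err flows through the loop body. Write's loop and its final return close outside this hunk.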
@@ -70,3 +93,32 @@ func (s *Store) Read(ctx context.Context, workload kube.Object) (vulnerabilities
 }
 return reports, nil
 }
+
+func (s *Store) getRuntimeObjectFor(ctx context.Context, workload kube.Object) (metav1.Object, error) {
+ var obj runtime.Object
+ switch workload.Kind {
+ case kube.KindPod:
+ obj = &corev1.Pod{}
+ case kube.KindReplicaSet:
+ obj = &appsv1.ReplicaSet{}
+ case kube.KindReplicationController:
+ obj = &corev1.ReplicationController{}
+ case kube.KindDeployment:
+ obj = &appsv1.Deployment{}
+ case kube.KindStatefulSet:
+ obj = &appsv1.StatefulSet{}
+ case kube.KindDaemonSet:
+ obj = &appsv1.DaemonSet{}
+ case kube.KindCronJob:
+ obj = &v1beta1.CronJob{}
+ case kube.KindJob:
+ obj = &batchv1.Job{}
+ default:
+ return nil, fmt.Errorf("unknown workload kind: %s", workload.Kind)
+ }
+ err := s.client.Get(ctx, types.NamespacedName{Name: workload.Name, Namespace: workload.Namespace}, obj)
+ if err != nil {
+ return nil, err
+ }
+ return obj.(metav1.Object), nil
+}
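Review bot: The Get here goes through the client handed in from mgr.GetClient(), which in controller-runtime reads from the informer cache by default, so the first report for a ReplicaSet, Deployment, StatefulSet, DaemonSet, CronJob, Job or ReplicationController starts a list/watch informer for that kind and needs get/list/watch RBAC on the apps and batch resources — a wider grant than pod and job access, and the Role/ClusterRole is not in this diff, so check it is updated alongside. A comment above the switch would keep that visible: `// Owner lookups use the cached client: each kind listed here needs get/list/watch RBAC and starts an informer on first use.` The closing `obj.(metav1.Object)` assertion is unchecked; all eight types satisfy it today, but the two-value form returning an error keeps a future case from panicking the reconciler. The name says runtime object while the function returns metav1.Object; `getOwnerFor` would describe it better.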