feat: Support AllNamespaces install mode (#37)

Signed-off-by: Daniel Pacak <[email protected]>
aquasecurity · Sep 24, 2020 · c28cfe1 · c28cfe1
1 parent fec3474
commit c28cfe1
Show file tree

Hide file tree

Showing 10 changed files with 357 additions and 67 deletions.
diff --git a/NOTICE b/NOTICE
@@ -0,0 +1,4 @@
+starboard-operator
+Copyright 2019-2020 Aqua Security Software Ltd.
+
+This product includes software developed by Aqua Security (https://aquasec.com).
diff --git a/README.md b/README.md
@@ -3,31 +3,71 @@
 [![GitHub Release][release-img]][release]
 [![GitHub Build Actions][build-action-img]][actions]
 [![Coverage Status][cov-img]][cov]
+[![Go Report Card][report-card-img]][report-card]
+[![License][license-img]][license]
 ![Docker Pulls][docker-pulls]
 
 This operator for Starboard automatically updates security report resources in response to workload and other changes on
 a Kubernetes cluster - for example, initiating a vulnerability scan when a new pod is started. Please see the main
 [Starboard][starboard] repo for more info about the Starboard project.
 
+## Table of Contents
+
+- [Configuration](#configuration)
+- [Install modes](#install-modes)
+- [Vulnerability scanners](#vulnerability-scanners)
+- [Contributing](#configuration)
+- [How does it work?](#how-does-it-work)
+
+## Configuration
+
+Configuration of the operator is done via environment variables at startup.
+
+| NAME                                    | DEFAULT  | DESCRIPTION |
+| --------------------------------------- | -------- | ----------- |
+| `OPERATOR_NAMESPACE`                    | N/A      | See [Install modes](#install-modes) |
+| `OPERATOR_TARGET_NAMESPACES`            | N/A      | See [Install modes](#install-modes) |
+| `OPERATOR_SCAN_JOB_TIMEOUT`             | `5m`     | The length of time to wait before giving up on a scan job |
+| `OPERATOR_SCANNER_TRIVY_ENABLED`        | `true`   | The flag to enable Trivy vulnerability scanner |
+| `OPERATOR_SCANNER_TRIVY_VERSION`        | `0.11.0` | The version of Trivy to be used |
+| `OPERATOR_SCANNER_AQUA_CSP_ENABLED`     | `false`  | The flag to enable Aqua CSP vulnerability scanner |
+| `OPERATOR_SCANNER_AQUA_CSP_VERSION`     | `5.0`    | The version of Aqua CSP scannercli container image to be used |
+
+## Install modes
+
+The values of the `OPERATOR_NAMESPACE` and `OPERATOR_TARGET_NAMESPACES` determine the install mode,
+which in turn determines the multitenancy support of the operator.
+
+| MODE            | OPERATOR_NAMESPACE | OPERATOR_TARGET_NAMESPACES | DESCRIPTION |
+| --------------- | ------------------ | -------------------------- | ----------- |
+| OwnNamespace    | `operators`        | `operators`                | The operator can be configured to watch events in the namespace it is deployed in. |
+| SingleNamespace | `operators`        | `foo`                      | The operator can be configured to watch for events in a single namespace that the operator is not deployed in. |
+| MultiNamespace  | `operators`        | `foo,bar,baz`              | The operator can be configured to watch for events in more than one namespace. |
+| AllNamespaces   | `operators`        |                            | The operator can be configured to watch for events in all namespaces. |
+
+## Vulnerability scanners
+
+To enable Aqua CSP as vulnerability scanner set the value of the `OPERATOR_SCANNER_AQUA_CSP_ENABLED` to `true` and
+disable the default Trivy scanner by setting `OPERATOR_SCANNER_TRIVY_ENABLED` to `false`.
+
+To configure the Aqua CSP scanner create the `starboard-operator` secret in the `operators` namespace:
+
+```
+$ kubectl create secret generic starboard-operator \
+ --namespace operators \
+ --from-literal OPERATOR_SCANNER_AQUA_CSP_USERNAME=$AQUA_CONSOLE_USERNAME \
+ --from-literal OPERATOR_SCANNER_AQUA_CSP_PASSWORD=$AQUA_CONSOLE_PASSWORD \
+ --from-literal OPERATOR_SCANNER_AQUA_CSP_VERSION=$AQUA_VERSION \
+ --from-literal OPERATOR_SCANNER_AQUA_CSP_HOST=http://csp-console-svc.aqua:8080
+```
+
 ## Contributing
 
 Thanks for taking the time to join our community and start contributing!
 
 - See [CONTRIBUTING.md](CONTRIBUTING.md) for information about setting up your development environment and deploying the operator.
 - Check out the [open issues](https://github.com/aquasecurity/starboard-operator/issues).
 
-## Configuration
-
-| Name                                    | Default              | Description |
-|-----------------------------------------|----------------------|-------------|
-| `OPERATOR_NAMESPACE`                    | N/A                  | The namespace the operator is running in. |
-| `OPERATOR_TARGET_NAMESPACES`            | N/A                  | The namespace the operator should be watching for changes. This can be a comma separated list of names to watch multiple namespaces (e.g. `ns1,ns2`). |
-| `OPERATOR_SCAN_JOB_TIMEOUT`             | `5m`                 | The length of time to wait before giving up on a scan job |
-| `OPERATOR_SCANNER_TRIVY_ENABLED`        | `true`               | The flag to enable Trivy vulnerability scanner |
-| `OPERATOR_SCANNER_TRIVY_VERSION`        | `0.11.0`             | The version of Trivy to be used |
-| `OPERATOR_SCANNER_AQUA_CSP_ENABLED`     | `false`              | The flag to enable Aqua CSP vulnerability scanner |
-| `OPERATOR_SCANNER_AQUA_CSP_VERSION`     | `5.0`                | The version of Aqua CSP scannercli container image to be used |
-
 ## How does it work?
 
 ![](docs/starboard-operator.png)
@@ -38,6 +78,10 @@ Thanks for taking the time to join our community and start contributing!
 [actions]: https://github.com/aquasecurity/starboard-operator/actions
 [cov-img]: https://codecov.io/github/aquasecurity/starboard-operator/branch/master/graph/badge.svg
 [cov]: https://codecov.io/github/aquasecurity/starboard-operator
+[report-card-img]: https://goreportcard.com/badge/github.com/aquasecurity/starboard-operator
+[report-card]: https://goreportcard.com/report/github.com/aquasecurity/starboard-operator
+[license-img]: https://img.shields.io/github/license/aquasecurity/starboard-operator.svg
+[license]: https://github.com/aquasecurity/starboard-operator/blob/master/LICENSE
 [docker-pulls]: https://img.shields.io/docker/pulls/aquasec/starboard-operator?logo=docker
 
 [starboard]: https://github.com/aquasecurity/starboard
diff --git a/cmd/operator/main.go b/cmd/operator/main.go
@@ -74,25 +74,22 @@ func run() error {
 	}
 
 	// Validate configured namespaces
-	operatorNamespace, err := config.GetOperatorNamespace()
+	operatorNamespace, err := config.Operator.GetOperatorNamespace()
 	if err != nil {
 		return fmt.Errorf("getting operator namespace: %w", err)
 	}
 
-	targetNamespaces, err := config.GetTargetNamespaces()
-	if err != nil {
-		return fmt.Errorf("getting target namespaces: %w", err)
-	}
+	targetNamespaces := config.Operator.GetTargetNamespaces()
 
 	setupLog.Info("Resolving multitenancy support",
 		"operatorNamespace", operatorNamespace,
 		"targetNamespaces", targetNamespaces)
 
-	mode, err := etc.ResolveInstallMode(operatorNamespace, targetNamespaces)
+	installMode, err := etc.ResolveInstallMode(operatorNamespace, targetNamespaces)
 	if err != nil {
 		return fmt.Errorf("resolving install mode: %w", err)
 	}
-	setupLog.Info("Resolving install mode", "mode", mode)
+	setupLog.Info("Resolving install mode", "mode", installMode)
 
 	// Set the default manager options.
 	options := manager.Options{
@@ -103,14 +100,17 @@ func run() error {
 		// Add support for OwnNamespace set in STARBOARD_TARGET_NAMESPACES (e.g. ns1).
 		setupLog.Info("Constructing single-namespaced cache", "namespace", targetNamespaces[0])
 		options.Namespace = targetNamespaces[0]
-	} else {
+	} else if len(targetNamespaces) > 0 {
 		// Add support for SingleNamespace and MultiNamespace set in STARBOARD_TARGET_NAMESPACES (e.g. ns1,ns2).
 		// Note that we may face performance issues when using this with a high number of namespaces.
 		// More: https://godoc.org/github.com/kubernetes-sigs/controller-runtime/pkg/cache#MultiNamespacedCacheBuilder
 		cachedNamespaces := append(targetNamespaces, operatorNamespace)
 		setupLog.Info("Constructing multi-namespaced cache", "namespaces", cachedNamespaces)
 		options.Namespace = ""
 		options.NewCache = cache.MultiNamespacedCacheBuilder(cachedNamespaces)
+	} else if len(targetNamespaces) == 0 {
+		setupLog.Info("Disabling cache and watching all namespaces")
+		options.Namespace = ""
 	}
 
 	kubernetesConfig, err := ctrl.GetConfig()

diff --git a/deploy/examples/aqua-scan-job.yaml b/deploy/examples/aqua-scan-job.yaml
@@ -1,7 +1,7 @@
 ## This is an example scan Job that is scheduled to scan the specified image with Aqua CSP scanner.
 ## It attempts to fetch the vulnerability report with the Aqua API. If the vulnerability reports
 ## is not found, it runs the `scannercli scan` command.
-## Finally, it outputs the vulnerability reports as JSON to the stdout.
+## Finally, it outputs the vulnerability report as JSON to the stdout.
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -30,7 +30,7 @@ spec:
               mountPath: /downloads
       containers:
         - name: scanner
-          image: docker.io/aquasec/starboard-scanner-aqua:0.0.1-alpha.4
+          image: docker.io/aquasec/starboard-scanner-aqua:0.0.1
           imagePullPolicy: IfNotPresent
           command:
             - "/bin/sh"