feat(cli): make regexp for included namespace configurable (#157)

statnett · Jan 30, 2023 · 4b145ca · 4b145ca
1 parent 9a50838
commit 4b145ca
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 0 deletions.
diff --git a/config/e2e-test/kustomization.yaml b/config/e2e-test/kustomization.yaml
@@ -3,6 +3,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../default
+configMapGenerator:
+  - name: config
+    behavior: merge
+    literals:
+      # Only include kuttl namespace pattern to reduce resource waste running e2e tests
+      - SCAN_NAMESPACE_INCLUDE_REGEXP=^kuttl-.*
 patches:
   # FIXME: Somehow sessionAffinity does not work when running e2e tests in some environments
   # Disable trivy server sessionAffinity; not really needed when running a single replica

diff --git a/internal/config/config.go b/internal/config/config.go
@@ -16,6 +16,7 @@ type Config struct {
 	ScanJobServiceAccount      string         `mapstructure:"scan-job-service-account"`
 	ScanNamespaces             []string       `mapstructure:"namespaces"`
 	ScanNamespaceExcludeRegexp *regexp.Regexp `mapstructure:"scan-namespace-exclude-regexp"`
+	ScanNamespaceIncludeRegexp *regexp.Regexp `mapstructure:"scan-namespace-include-regexp"`
 	ScanWorkloadResources      []string       `mapstructure:"scan-workload-resources"`
 	TrivyImage                 string         `mapstructure:"trivy-image"`
 	Zap                        zap.Options    `mapstructure:"-"`

diff --git a/internal/controller/stas/containerimagescan_controller.go b/internal/controller/stas/containerimagescan_controller.go
@@ -67,6 +67,10 @@ func (r *ContainerImageScanReconciler) SetupWithManager(mgr ctrl.Manager) error
 		predicates = append(predicates, predicate.Not(namespaceMatchRegexp(r.ScanNamespaceExcludeRegexp)))
 	}
 
+	if r.ScanNamespaceIncludeRegexp != nil {
+		predicates = append(predicates, namespaceMatchRegexp(r.ScanNamespaceIncludeRegexp))
+	}
+
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&stasv1alpha1.ContainerImageScan{},
 			builder.WithPredicates(

diff --git a/internal/controller/stas/workload_controller.go b/internal/controller/stas/workload_controller.go
@@ -69,6 +69,10 @@ func (r *PodReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		predicates = append(predicates, predicate.Not(namespaceMatchRegexp(r.ScanNamespaceExcludeRegexp)))
 	}
 
+	if r.ScanNamespaceIncludeRegexp != nil {
+		predicates = append(predicates, namespaceMatchRegexp(r.ScanNamespaceIncludeRegexp))
+	}
+
 	bldr := ctrl.NewControllerManagedBy(mgr).
 		For(&corev1.Pod{},
 			builder.WithPredicates(

diff --git a/internal/operator/operator.go b/internal/operator/operator.go
@@ -61,6 +61,7 @@ func (o Operator) BindFlags(cfg *config.Config, fs *flag.FlagSet) error {
 	fs.String("scan-job-service-account", "default", "The service account used to run scan jobs.")
 	fs.String("scan-workload-resources", "", "comma-separated list of workload resources to scan")
 	fs.String("scan-namespace-exclude-regexp", "^(kube-|openshift-).*", "regexp for namespace to exclude from scanning")
+	fs.String("scan-namespace-include-regexp", "", "regexp for namespace to include for scanning")
 	fs.String("trivy-image", "", "The image used for obtaining the trivy binary.")
 	fs.Bool("help", false, "print out usage and a summary of options")