Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: add using include/exclude kinds and namespaces #395

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

fix: add using include/exclude kinds and namespaces #395

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
ea611f5
fix: add using include/exclude kinds and namespaces
afdesk Aug 26, 2024
638827c
feat: add excluding namespaces
afdesk Nov 27, 2024
3cee92f
test: add struct field names
afdesk Nov 28, 2024
f318548
chore: add an error message about perms for list namespaces
afdesk Dec 3, 2024
065e723
fix: typo
afdesk Dec 3, 2024
eed731d
chore: update the comment
afdesk Dec 4, 2024
75fd906
chore: add unit test for getNamespaces
afdesk Dec 4, 2024
812bbfc
Merge branch 'main' of github.com:afdesk/trivy-kubernetes into fix/perms
afdesk Dec 4, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions pkg/k8s/k8s.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -403,6 +403,10 @@ func IsBuiltInWorkload(resource *metav1.OwnerReference) bool {
resource.Kind == string(KindJob))
}

func GetAllResources() []string {
return append(getClusterResources(), getNamespaceResources()...)
}

func getClusterResources() []string {
return []string{
ClusterRoles,
Expand Down
93 changes: 83 additions & 10 deletions pkg/trivyk8s/trivyk8s.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -161,8 +161,90 @@ func (c client) GetIncludeKinds() []string {
return c.includeKinds
}

// initResourceList collects scannable resources.
func (c *client) initResourceList() {
// skip if resources are already created
if len(c.resources) > 0 {
return
}

// collect only included kinds
if len(c.includeKinds) != 0 {
// a customer can input resources in different cases: Pods, deployments etc.
// `includeKinds` are already low cased, so we can just assign the values
c.resources = c.includeKinds
return
}
// if there are no included and excluded kinds - don't collect resources
if len(c.excludeKinds) == 0 {
return
}
// skip excluded resources
for _, kind := range k8s.GetAllResources() {
if slices.Contains(c.excludeKinds, kind) {
continue
}
c.resources = append(c.resources, kind)
}
}

// getNamespaces collects scannable namespaces
func (c *client) getNamespaces() ([]string, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This function seems untested, can we add some tests?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done 75fd906

if len(c.includeNamespaces) > 0 {
return c.includeNamespaces, nil
}

result := []string{}
if len(c.excludeNamespaces) == 0 {
return result, nil
}
namespaceGVR := schema.GroupVersionResource{
Group: "",
Version: "v1",
Resource: "namespaces",
}
dClient := c.getDynamicClient(namespaceGVR)
namespaces, err := dClient.List(context.TODO(), v1.ListOptions{})
if err != nil {
if errors.IsForbidden(err) {
return result, fmt.Errorf("'exclude namespaces' option requires a cluster role with permissions to list namespaces")
}
Comment on lines +209 to +211
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can occur if a user passes in --include-namespaces and they don't have cluster level permissions as well right?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can occur if a user passes in --include-namespaces and they don't have cluster level permissions as well right?

no, it can occur only if len(c.excludeNamespaces) != 0
also a cluster role isn't required for --include-namespaces

return result, fmt.Errorf("unable to list namespaces: %w", err)
}
for _, ns := range namespaces.Items {
if slices.Contains(c.excludeNamespaces, ns.GetName()) {
continue
}
result = append(result, ns.GetName())
}
return result, nil
}

// ListArtifacts returns kubernetes scannable artifacs.
func (c *client) ListArtifacts(ctx context.Context) ([]*artifacts.Artifact, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add some tests for this too?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought about it.
ListArtifacts consists from several functions, which already tested: c.initResourceList() and c.getNamespaces().

c.ListSpecificArtifacts(ctx) had no tests, and I suggest to do it in a separated PR. wdyt?

c.initResourceList()
namespaces, err := c.getNamespaces()
if err != nil {
return nil, err
}
if len(namespaces) == 0 {
return c.ListSpecificArtifacts(ctx)
}
artifactList := make([]*artifacts.Artifact, 0)

for _, namespace := range namespaces {
c.namespace = namespace
arts, err := c.ListSpecificArtifacts(ctx)
if err != nil {
return nil, err
}
artifactList = append(artifactList, arts...)
}
return artifactList, nil
}

// ListSpecificArtifacts returns kubernetes scannable artifacs for a specific namespace or a cluster
func (c *client) ListSpecificArtifacts(ctx context.Context) ([]*artifacts.Artifact, error) {
artifactList := make([]*artifacts.Artifact, 0)

namespaced := isNamespaced(c.namespace, c.allNamespaces)
Expand Down Expand Up @@ -195,15 +277,6 @@ func (c *client) ListArtifacts(ctx context.Context) ([]*artifacts.Artifact, erro
if c.excludeOwned && c.hasOwner(resource) {
continue
}
// filter resources by kind
if FilterResources(c.includeKinds, c.excludeKinds, resource.GetKind()) {
continue
}

// filter resources by namespace
if FilterResources(c.includeNamespaces, c.excludeNamespaces, resource.GetNamespace()) {
continue
}

lastAppliedResource := resource
if jsonManifest, ok := resource.GetAnnotations()["kubectl.kubernetes.io/last-applied-configuration"]; ok { // required for outdated-api when k8s convert resources
Expand Down Expand Up @@ -470,7 +543,7 @@ func rawResource(resource interface{}) (map[string]interface{}, error) {
func (c *client) getDynamicClient(gvr schema.GroupVersionResource) dynamic.ResourceInterface {
dclient := c.cluster.GetDynamicClient()

// don't use namespace if it is a cluster levle resource,
// don't use namespace if it is a cluster level resource,
// or namespace is empty
if k8s.IsClusterResource(gvr) || len(c.namespace) == 0 {
return dclient.Resource(gvr)
Expand Down
Loading
Loading