fix: add new OpenShift internal namespaces

ivanstanev · ivanstanev · commit 287cb5b2ebe7 · 2021-04-15T09:56:02.000+01:00
Exclude several new OpenShift internal namespaces from container scanning.

Additionally changed the following:
- using a Set instead of Array to check the internal namespaces, getting O(1) instead of O(n) performance
- switch the related test to Jest instead of Tap
diff --git a/src/supervisor/watchers/index.ts b/src/supervisor/watchers/index.ts
@@ -50,7 +50,7 @@ export function extractNamespaceName(namespace: V1Namespace): string {
 }
 
 export function isKubernetesInternalNamespace(namespace: string): boolean {
-  return kubernetesInternalNamespaces.includes(namespace);
+  return kubernetesInternalNamespaces.has(namespace);
 }
 
 function setupWatchesForCluster(): void {
diff --git a/src/supervisor/watchers/internal-namespaces.ts b/src/supervisor/watchers/internal-namespaces.ts
@@ -1,33 +1,45 @@
-export const kubernetesInternalNamespaces = [
+export const kubernetesInternalNamespaces = new Set([
   'kube-node-lease',
   'kube-public',
   'kube-system',
   'local-path-storage',
   'openshift',
   'openshift-apiserver',
   'openshift-apiserver-operator',
+  'openshift-aqua',
   'openshift-authentication',
   'openshift-authentication-operator',
+  'openshift-backplane',
+  'openshift-backplane-cee',
+  'openshift-backplane-srep',
+  'openshift-build-test',
   'openshift-cloud-credential-operator',
+  'openshift-cloud-ingress-operator',
+  'openshift-cluster-csi-drivers',
   'openshift-cluster-machine-approver',
   'openshift-cluster-node-tuning-operator',
   'openshift-cluster-samples-operator',
   'openshift-cluster-storage-operator',
   'openshift-cluster-version',
+  'openshift-codeready-workspaces',
   'openshift-config',
   'openshift-config-managed',
   'openshift-config-operator',
   'openshift-console',
   'openshift-console-operator',
+  'openshift-console-user-settings',
   'openshift-controller-manager',
   'openshift-controller-manager-operator',
+  'openshift-custom-domains-operator',
+  'openshift-customer-monitoring',
   'openshift-dns',
   'openshift-dns-operator',
   'openshift-etcd',
   'openshift-etcd-operator',
   'openshift-image-registry',
   'openshift-infra',
   'openshift-ingress',
+  'openshift-ingress-canary',
   'openshift-ingress-operator',
   'openshift-insights',
   'openshift-kni-infra',
@@ -39,23 +51,40 @@ export const kubernetesInternalNamespaces = [
   'openshift-kube-scheduler-operator',
   'openshift-kube-storage-version-migrator',
   'openshift-kube-storage-version-migrator-operator',
+  'openshift-kubevirt-infra',
+  'openshift-logging',
   'openshift-machine-api',
   'openshift-machine-config-operator',
+  'openshift-managed-upgrade-operator',
   'openshift-marketplace',
   'openshift-monitoring',
   'openshift-multus',
+  'openshift-must-gather-operator',
+  'openshift-network-diagnostics',
   'openshift-network-operator',
   'openshift-node',
+  'openshift-oauth-apiserver',
   'openshift-openstack-infra',
   'openshift-operator-lifecycle-manager',
   'openshift-operators',
+  'openshift-operators-redhat',
+  'openshift-osd-metrics',
   'openshift-ovirt-infra',
+  'openshift-rbac-permissions',
+  'openshift-route-monitor-operator',
   'openshift-sdn',
+  'openshift-security',
   'openshift-service-ca',
   'openshift-service-ca-operator',
   'openshift-service-catalog-apiserver-operator',
   'openshift-service-catalog-controller-manager-operator',
   'openshift-service-catalog-removed',
+  'openshift-splunk-forwarder-operator',
+  'openshift-sre-pruning',
+  'openshift-sre-sshd',
+  'openshift-strimzi',
   'openshift-user-workload-monitoring',
+  'openshift-validation-webhook',
+  'openshift-velero',
   'openshift-vsphere-infra',
-];
+]);
diff --git a/test/unit/supervisor/__snapshots__/watchers.spec.ts.snap b/test/unit/supervisor/__snapshots__/watchers.spec.ts.snap
@@ -0,0 +1,94 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`internal Kubernetes namespaces tests internal namespaces list against snapshot 1`] = `
+Set {
+  "kube-node-lease",
+  "kube-public",
+  "kube-system",
+  "local-path-storage",
+  "openshift",
+  "openshift-apiserver",
+  "openshift-apiserver-operator",
+  "openshift-aqua",
+  "openshift-authentication",
+  "openshift-authentication-operator",
+  "openshift-backplane",
+  "openshift-backplane-cee",
+  "openshift-backplane-srep",
+  "openshift-build-test",
+  "openshift-cloud-credential-operator",
+  "openshift-cloud-ingress-operator",
+  "openshift-cluster-csi-drivers",
+  "openshift-cluster-machine-approver",
+  "openshift-cluster-node-tuning-operator",
+  "openshift-cluster-samples-operator",
+  "openshift-cluster-storage-operator",
+  "openshift-cluster-version",
+  "openshift-codeready-workspaces",
+  "openshift-config",
+  "openshift-config-managed",
+  "openshift-config-operator",
+  "openshift-console",
+  "openshift-console-operator",
+  "openshift-console-user-settings",
+  "openshift-controller-manager",
+  "openshift-controller-manager-operator",
+  "openshift-custom-domains-operator",
+  "openshift-customer-monitoring",
+  "openshift-dns",
+  "openshift-dns-operator",
+  "openshift-etcd",
+  "openshift-etcd-operator",
+  "openshift-image-registry",
+  "openshift-infra",
+  "openshift-ingress",
+  "openshift-ingress-canary",
+  "openshift-ingress-operator",
+  "openshift-insights",
+  "openshift-kni-infra",
+  "openshift-kube-apiserver",
+  "openshift-kube-apiserver-operator",
+  "openshift-kube-controller-manager",
+  "openshift-kube-controller-manager-operator",
+  "openshift-kube-scheduler",
+  "openshift-kube-scheduler-operator",
+  "openshift-kube-storage-version-migrator",
+  "openshift-kube-storage-version-migrator-operator",
+  "openshift-kubevirt-infra",
+  "openshift-logging",
+  "openshift-machine-api",
+  "openshift-machine-config-operator",
+  "openshift-managed-upgrade-operator",
+  "openshift-marketplace",
+  "openshift-monitoring",
+  "openshift-multus",
+  "openshift-must-gather-operator",
+  "openshift-network-diagnostics",
+  "openshift-network-operator",
+  "openshift-node",
+  "openshift-oauth-apiserver",
+  "openshift-openstack-infra",
+  "openshift-operator-lifecycle-manager",
+  "openshift-operators",
+  "openshift-operators-redhat",
+  "openshift-osd-metrics",
+  "openshift-ovirt-infra",
+  "openshift-rbac-permissions",
+  "openshift-route-monitor-operator",
+  "openshift-sdn",
+  "openshift-security",
+  "openshift-service-ca",
+  "openshift-service-ca-operator",
+  "openshift-service-catalog-apiserver-operator",
+  "openshift-service-catalog-controller-manager-operator",
+  "openshift-service-catalog-removed",
+  "openshift-splunk-forwarder-operator",
+  "openshift-sre-pruning",
+  "openshift-sre-sshd",
+  "openshift-strimzi",
+  "openshift-user-workload-monitoring",
+  "openshift-validation-webhook",
+  "openshift-velero",
+  "openshift-vsphere-infra",
+}
+`;
diff --git a/test/unit/supervisor/watchers.spec.ts b/test/unit/supervisor/watchers.spec.ts
@@ -0,0 +1,59 @@
+import { V1Namespace } from '@kubernetes/client-node';
+
+import * as watchers from '../../../src/supervisor/watchers';
+import { kubernetesInternalNamespaces } from '../../../src/supervisor/watchers/internal-namespaces';
+
+describe('extractNamespaceName() tests', () => {
+  test.each([
+    ['extractNamespaceName() throws on empty input', {} as V1Namespace],
+    [
+      'extractNamespaceName() throws on empty metadata',
+      { metadata: {} } as V1Namespace,
+    ],
+    [
+      'extractNamespaceName() throws on undefined name',
+      { metadata: { name: undefined } } as V1Namespace,
+    ],
+    [
+      'extractNamespaceName() throws on empty name',
+      { metadata: { name: '' } } as V1Namespace,
+    ],
+  ])('%s', (_testCaseName, input) => {
+    expect(() => watchers.extractNamespaceName(input)).toThrowError(
+      'Namespace missing metadata.name',
+    );
+  });
+
+  test('extractNamespaceName() returns namespace.metadata.name', () => {
+    expect(
+      watchers.extractNamespaceName({
+        metadata: { name: 'literally anything else' },
+      }),
+    ).toEqual('literally anything else');
+  });
+});
+
+describe('internal Kubernetes namespaces tests', () => {
+  test('internal namespaces list against snapshot', () => {
+    expect(kubernetesInternalNamespaces).toMatchSnapshot();
+  });
+
+  test('isKubernetesInternalNamespace(): internal Kubernetes namespaces are used', () => {
+    for (const internalNamespace of kubernetesInternalNamespaces) {
+      expect(watchers.isKubernetesInternalNamespace(internalNamespace)).toEqual(
+        true,
+      );
+    }
+  });
+
+  test.each([
+    ['kube-node-lease-'],
+    ['node-lease'],
+    ['snyk-monitor'],
+    ['egg'],
+    [''],
+    [(undefined as unknown) as string],
+  ])('isKubernetesInternalNamespace(%s) -> false', (input) => {
+    expect(watchers.isKubernetesInternalNamespace(input)).toEqual(false);
+  });
+});
diff --git a/test/unit/supervisor/watchers.test.ts b/test/unit/supervisor/watchers.test.ts

Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ export function extractNamespaceName(namespace: V1Namespace): string {`
`50`	`50`	`}`
`51`	`51`
`52`	`52`	`export function isKubernetesInternalNamespace(namespace: string): boolean {`
`53`		`- return kubernetesInternalNamespaces.includes(namespace);`
	`53`	`+ return kubernetesInternalNamespaces.has(namespace);`
`54`	`54`	`}`
`55`	`55`
`56`	`56`	`function setupWatchesForCluster(): void {`