feat: add DeploymentConfig support for OpenShift

The snyk-monitor will do a best-effort attempt to set up a Watch/Informer for DeploymentConfigs in the apps.openshift.io/v1 API. If this does not succeed, scanning will proceed as normal while printing a warning.

Author: ivanstanev

snyk-monitor/templates/clusterrole.yaml

@@ -53,6 +53,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - apps.openshift.io
+  resources:
+  - deploymentconfigs
+  verbs:
+  - get
+  - list
+  - watch
 {{- if .Values.psp.enabled }}
 - apiGroups:
   - policy

snyk-monitor/templates/role.yaml

@@ -51,6 +51,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - apps.openshift.io
+  resources:
+  - deploymentconfigs
+  verbs:
+  - get
+  - list
+  - watch
 {{- if .Values.psp.enabled }}
 - apiGroups:
   - policy

snyk-operator/deploy/olm-catalog/snyk-operator/0.0.0/snyk-operator.v0.0.0.clusterserviceversion.yaml

@@ -221,6 +221,12 @@ spec:
                 - "*"
               verbs:
                 - "*"
+            - apiGroups:
+                - apps.openshift.io
+              resources:
+                - deploymentconfigs
+              verbs:
+                - "*"
           serviceAccountName: snyk-operator
       deployments:
         - name: snyk-operator

src/index.ts

@@ -47,10 +47,10 @@ function cleanUpTempStorage() {
   }
 };
 
-function monitor(): void {
+async function monitor(): Promise<void> {
   try {
     logger.info({cluster: currentClusterName}, 'starting to monitor');
-    beginWatchingWorkloads();
+    await beginWatchingWorkloads();
   } catch (error) {
     logger.error({error}, 'an error occurred while monitoring the cluster');
     process.exit(1);
@@ -63,5 +63,5 @@ cleanUpTempStorage();
 // Allow running in an async context
 setImmediate(async function setUpAndMonitor(): Promise<void> {
   await loadAndSendWorkloadAutoImportPolicy();
-  monitor();
+  await monitor();
 });

src/supervisor/types.ts

@@ -1,6 +1,15 @@
-import { IncomingMessage }  from 'http';
-import { AppsV1Api, BatchV1Api, BatchV1beta1Api, CoreV1Api, KubeConfig,
-  V1ObjectMeta, V1OwnerReference, V1PodSpec } from '@kubernetes/client-node';
+import { IncomingMessage } from 'http';
+import {
+  AppsV1Api,
+  BatchV1Api,
+  BatchV1beta1Api,
+  CoreV1Api,
+  CustomObjectsApi,
+  KubeConfig,
+  V1ObjectMeta,
+  V1OwnerReference,
+  V1PodSpec,
+} from '@kubernetes/client-node';
 
 export enum WorkloadKind {
   Deployment = 'Deployment',
@@ -11,6 +20,7 @@ export enum WorkloadKind {
   CronJob = 'CronJob',
   ReplicationController = 'ReplicationController',
   Pod = 'Pod',
+  DeploymentConfig = 'DeploymentConfig',
 }
 
 export interface IRequestError {
@@ -32,6 +42,7 @@ export interface IK8sClients {
   readonly coreClient: CoreV1Api;
   readonly batchClient: BatchV1Api;
   readonly batchUnstableClient: BatchV1beta1Api;
+  readonly customObjectsClient: CustomObjectsApi;
 }
 
 export class K8sClients implements IK8sClients {
@@ -41,12 +52,17 @@ export class K8sClients implements IK8sClients {
   // TODO: Keep an eye on this! We need v1beta1 API for CronJobs.
   // https://kubernetes.io/docs/concepts/overview/kubernetes-api/#api-versioning
   // CronJobs will appear in v2 API, but for now there' only v2alpha1, so it's a bad idea to use it.
+  // TODO: https://kubernetes.io/blog/2021/04/09/kubernetes-release-1.21-cronjob-ga/
+  // CronJobs are now GA in Kubernetes 1.21 in the batch/v1 API, we should add support for it!
   public readonly batchUnstableClient: BatchV1beta1Api;
+  /** This client is used to access Custom Resources in the cluster, e.g. DeploymentConfig on OpenShift. */
+  public readonly customObjectsClient: CustomObjectsApi;
 
   constructor(config: KubeConfig) {
     this.appsClient = config.makeApiClient(AppsV1Api);
     this.coreClient = config.makeApiClient(CoreV1Api);
     this.batchClient = config.makeApiClient(BatchV1Api);
     this.batchUnstableClient = config.makeApiClient(BatchV1beta1Api);
+    this.customObjectsClient = config.makeApiClient(CustomObjectsApi);
   }
 }

src/supervisor/watchers/handlers/deployment-config.ts

@@ -0,0 +1,32 @@
+import { deleteWorkload } from './workload';
+import { WorkloadKind } from '../../types';
+import { FALSY_WORKLOAD_NAME_MARKER, V1DeploymentConfig } from './types';
+
+export async function deploymentConfigWatchHandler(
+  deploymentConfig: V1DeploymentConfig,
+): Promise<void> {
+  if (
+    !deploymentConfig.metadata ||
+    !deploymentConfig.spec ||
+    !deploymentConfig.spec.template.metadata ||
+    !deploymentConfig.spec.template.spec ||
+    !deploymentConfig.status
+  ) {
+    return;
+  }
+
+  const workloadName =
+    deploymentConfig.metadata.name || FALSY_WORKLOAD_NAME_MARKER;
+
+  await deleteWorkload(
+    {
+      kind: WorkloadKind.DeploymentConfig,
+      objectMeta: deploymentConfig.metadata,
+      specMeta: deploymentConfig.spec.template.metadata,
+      ownerRefs: deploymentConfig.metadata.ownerReferences,
+      revision: deploymentConfig.status.observedGeneration,
+      podSpec: deploymentConfig.spec.template.spec,
+    },
+    workloadName,
+  );
+}

src/supervisor/watchers/handlers/index.ts

@@ -1,4 +1,5 @@
 import { makeInformer, ADD, DELETE, ERROR, UPDATE, KubernetesObject } from '@kubernetes/client-node';
+
 import { logger } from '../../../common/logger';
 import { WorkloadKind } from '../../types';
 import { podWatchHandler, podDeletedHandler } from './pod';
@@ -9,6 +10,7 @@ import { jobWatchHandler } from './job';
 import { replicaSetWatchHandler } from './replica-set';
 import { replicationControllerWatchHandler } from './replication-controller';
 import { statefulSetWatchHandler } from './stateful-set';
+import { deploymentConfigWatchHandler } from './deployment-config';
 import { k8sApi, kubeConfig } from '../../cluster';
 import * as kubernetesApiWrappers from '../../kuberenetes-api-wrappers';
 import { IWorkloadWatchMetadata, FALSY_WORKLOAD_NAME_MARKER } from './types';
@@ -91,9 +93,74 @@ const workloadWatchMetadata: Readonly<IWorkloadWatchMetadata> = {
     },
     listFactory: (namespace) => () => k8sApi.appsClient.listNamespacedStatefulSet(namespace),
   },
+  [WorkloadKind.DeploymentConfig]: {
+    /** https://docs.openshift.com/container-platform/4.7/rest_api/workloads_apis/deploymentconfig-apps-openshift-io-v1.html */
+    endpoint: '/apis/apps.openshift.io/v1/watch/namespaces/{namespace}/deploymentconfigs',
+    handlers: {
+      [DELETE]: deploymentConfigWatchHandler,
+    },
+    listFactory: (namespace) => () => k8sApi.customObjectsClient.listNamespacedCustomObject('apps.openshift.io', 'v1', namespace, 'deploymentconfigs'),
+  },
 };
 
-export function setupInformer(namespace: string, workloadKind: WorkloadKind) {
+async function isSupportedWorkload(
+  namespace: string,
+  workloadKind: WorkloadKind,
+): Promise<boolean> {
+  if (workloadKind !== WorkloadKind.DeploymentConfig) {
+    return true;
+  }
+
+  try {
+    const pretty = undefined;
+    const continueToken = undefined;
+    const fieldSelector = undefined;
+    const labelSelector = undefined;
+    const limit = 1; // Try to grab only a single object
+    const resourceVersion = undefined; // List anything in the cluster
+    const timeoutSeconds = 10; // Don't block the snyk-monitor indefinitely
+    const attemptedApiCall = await kubernetesApiWrappers.retryKubernetesApiRequest(
+      () =>
+        k8sApi.customObjectsClient.listNamespacedCustomObject(
+          'apps.openshift.io',
+          'v1',
+          namespace,
+          'deploymentconfigs',
+          pretty,
+          continueToken,
+          fieldSelector,
+          labelSelector,
+          limit,
+          resourceVersion,
+          timeoutSeconds,
+        ),
+    );
+    return (
+      attemptedApiCall !== undefined &&
+      attemptedApiCall.response !== undefined &&
+      attemptedApiCall.response.statusCode !== undefined &&
+      attemptedApiCall.response.statusCode >= 200 &&
+      attemptedApiCall.response.statusCode < 300
+    );
+  } catch (error) {
+    logger.info(
+      { error, workloadKind },
+      'Failed on Kubernetes API call to list DeploymentConfig',
+    );
+    return false;
+  }
+}
+
+export async function setupInformer(namespace: string, workloadKind: WorkloadKind): Promise<void> {
+  const isSupported = await isSupportedWorkload(namespace, workloadKind);
+  if (!isSupported) {
+    logger.info(
+      { namespace, workloadKind },
+      'The Kubernetes cluster does not support this workload',
+    );
+    return;
+  }
+
   const workloadMetadata = workloadWatchMetadata[workloadKind];
   const namespacedEndpoint = workloadMetadata.endpoint.replace('{namespace}', namespace);
 
@@ -103,7 +170,10 @@ export function setupInformer(namespace: string, workloadKind: WorkloadKind) {
       return await kubernetesApiWrappers.retryKubernetesApiRequest(
         () => listMethod());
     } catch (err) {
-      logger.error({err, namespace, workloadKind}, 'error while listing entities on namespace');
+      logger.error(
+        { err, namespace, workloadKind },
+        'error while listing entities on namespace',
+      );
       throw err;
     }
   };
@@ -113,11 +183,11 @@ export function setupInformer(namespace: string, workloadKind: WorkloadKind) {
   informer.on(ERROR, (err) => {
     // Types from client library insists that callback is of type KubernetesObject
     if ((err as any).code === ECONNRESET_ERROR_CODE) {
-      logger.debug(`informer ${ECONNRESET_ERROR_CODE} occurred, restarting informer`);
+      logger.debug({}, `informer ${ECONNRESET_ERROR_CODE} occurred, restarting informer`);
 
       // Restart informer after 1sec
-      setTimeout(() => {
-        informer.start();
+      setTimeout(async () => {
+        await informer.start();
       }, 1000);
     } else {
       logger.error({ err }, 'unexpected informer error event occurred');
@@ -135,5 +205,5 @@ export function setupInformer(namespace: string, workloadKind: WorkloadKind) {
     });
   }
 
-  informer.start();
+  await informer.start();
 }

src/supervisor/watchers/handlers/types.ts

@@ -1,3 +1,5 @@
+import { V1ObjectMeta, V1PodTemplateSpec } from "@kubernetes/client-node";
+
 export const FALSY_WORKLOAD_NAME_MARKER = 'falsy workload name';
 
 type WorkloadHandlerFunc = (workload: any) => Promise<void>;
@@ -16,3 +18,19 @@ export interface IWorkloadWatchMetadata {
     listFactory: ListWorkloadFunctionFactory;
   };
 }
+
+export interface V1DeploymentConfig {
+  apiVersion?: string;
+  kind?: string;
+  metadata?: V1ObjectMeta;
+  spec?: V1DeploymentConfigSpec;
+  status?: V1DeploymentConfigStatus;
+}
+
+export interface V1DeploymentConfigSpec {
+  template: V1PodTemplateSpec;
+}
+
+export interface V1DeploymentConfigStatus {
+  observedGeneration?: number;
+}

src/supervisor/watchers/index.ts

@@ -18,7 +18,7 @@ import { kubernetesInternalNamespaces } from './internal-namespaces';
  */
 const watchedNamespaces = new Set<string>();
 
-function setupWatchesForNamespace(namespace: string): void {
+async function setupWatchesForNamespace(namespace: string): Promise<void> {
   if (watchedNamespaces.has(namespace)) {
     logger.info({namespace}, 'already set up namespace watch, skipping');
     return;
@@ -33,7 +33,7 @@ function setupWatchesForNamespace(namespace: string): void {
     }
 
     try {
-      setupInformer(namespace, workloadKind);
+      await setupInformer(namespace, workloadKind);
     } catch (error) {
       logger.warn({namespace, workloadKind}, 'could not setup workload watch, skipping');
     }
@@ -53,7 +53,7 @@ export function isKubernetesInternalNamespace(namespace: string): boolean {
   return kubernetesInternalNamespaces.has(namespace);
 }
 
-function setupWatchesForCluster(): void {
+async function setupWatchesForCluster(): Promise<void> {
   const informer = makeInformer(
     kubeConfig,
     '/api/v1/namespaces',
@@ -74,15 +74,15 @@ function setupWatchesForCluster(): void {
       logger.debug(`namespace informer ${ECONNRESET_ERROR_CODE} occurred, restarting informer`);
 
       // Restart informer after 1sec
-      setTimeout(() => {
-        informer.start();
+      setTimeout(async () => {
+        await informer.start();
       }, 1000);
     } else {
       logger.error({ err }, 'unexpected namespace informer error event occurred');
     }
   });
 
-  informer.on(ADD, (namespace: V1Namespace) => {
+  informer.on(ADD, async (namespace: V1Namespace) => {
     try {
       const namespaceName = extractNamespaceName(namespace);
       if (isKubernetesInternalNamespace(namespaceName)) {
@@ -91,23 +91,23 @@ function setupWatchesForCluster(): void {
         return;
       }
 
-      setupWatchesForNamespace(namespaceName);
+      await setupWatchesForNamespace(namespaceName);
     } catch (err) {
       logger.error({err, namespace}, 'error handling a namespace event');
       return;
     }
   });
 
-  informer.start();
+  await informer.start();
 }
 
-export function beginWatchingWorkloads(): void {
+export async function beginWatchingWorkloads(): Promise<void> {
   if (config.NAMESPACE) {
     logger.info({namespace: config.NAMESPACE}, 'kubernetes-monitor restricted to specific namespace');
-    setupWatchesForNamespace(config.NAMESPACE);
+    await setupWatchesForNamespace(config.NAMESPACE);
     return;
   }
 
-  setupWatchesForCluster();
+  await setupWatchesForCluster();
 }