Merge pull request #96 from snyk/feat/informer-api

Feat/informer api

Author: ivanstanev

package.json

@@ -4,7 +4,7 @@
   "main": "dist/index.js",
   "scripts": {
     "pretest": "./scripts/build-image.sh",
-    "test": "npm run lint && npm run test:unit && npm run test:integration",
+    "test": "npm run lint && npm run build && npm run test:unit && npm run test:integration",
     "test:unit": "./tap test/unit -R spec",
     "test:integration": "./tap test/integration -Rdot --timeout=600",
     "test:coverage": "npm run test:unit -- --coverage",

snyk-monitor-cluster-permissions.yaml

@@ -11,20 +11,24 @@ rules:
   resources:
   - pods
   verbs:
+  - get
   - list
   - watch
 - apiGroups:
   - ""
   resources:
   - namespaces
   verbs:
+  - get
+  - list
   - watch
 - apiGroups:
   - ""
   resources:
   - replicationcontrollers
   verbs:
   - get
+  - list
   - watch
 - apiGroups:
   - batch
@@ -33,6 +37,7 @@ rules:
   - jobs
   verbs:
   - get
+  - list
   - watch
 - apiGroups:
   - apps
@@ -43,6 +48,7 @@ rules:
   - statefulsets
   verbs:
   - get
+  - list
   - watch
 ---
 kind: ServiceAccount

snyk-monitor-namespaced-permissions.yaml

@@ -11,6 +11,7 @@ rules:
   resources:
   - pods
   verbs:
+  - get
   - list
   - watch
 - apiGroups:
@@ -19,6 +20,7 @@ rules:
   - replicationcontrollers
   verbs:
   - get
+  - list
   - watch
 - apiGroups:
   - batch
@@ -27,6 +29,7 @@ rules:
   - jobs
   verbs:
   - get
+  - list
   - watch
 - apiGroups:
   - apps
@@ -37,6 +40,7 @@ rules:
   - statefulsets
   verbs:
   - get
+  - list
   - watch
 ---
 kind: ServiceAccount

snyk-monitor/templates/clusterrole.yaml

@@ -14,20 +14,24 @@ rules:
   resources:
   - pods
   verbs:
+  - get
   - list
   - watch
 - apiGroups:
   - ""
   resources:
   - namespaces
   verbs:
+  - get
+  - list
   - watch
 - apiGroups:
   - ""
   resources:
   - replicationcontrollers
   verbs:
   - get
+  - list
   - watch
 - apiGroups:
   - batch
@@ -36,6 +40,7 @@ rules:
   - jobs
   verbs:
   - get
+  - list
   - watch
 - apiGroups:
   - apps
@@ -46,5 +51,6 @@ rules:
   - statefulsets
   verbs:
   - get
+  - list
   - watch
 {{- end }}

snyk-monitor/templates/role.yaml

@@ -14,6 +14,7 @@ rules:
   resources:
   - pods
   verbs:
+  - get
   - list
   - watch
 - apiGroups:
@@ -28,6 +29,7 @@ rules:
   - replicationcontrollers
   verbs:
   - get
+  - list
   - watch
 - apiGroups:
   - batch
@@ -36,6 +38,7 @@ rules:
   - jobs
   verbs:
   - get
+  - list
   - watch
 - apiGroups:
   - apps
@@ -46,5 +49,6 @@ rules:
   - statefulsets
   verbs:
   - get
+  - list
   - watch
 {{- end }}

src/kube-scanner/watchers/handlers/cron-job.ts

@@ -1,14 +1,9 @@
 import { V1beta1CronJob } from '@kubernetes/client-node';
-import { WatchEventType } from '../types';
 import { deleteWorkload } from './index';
 import { WorkloadKind } from '../../types';
 import { FALSY_WORKLOAD_NAME_MARKER } from './types';
 
-export async function cronJobWatchHandler(eventType: string, cronJob: V1beta1CronJob) {
-  if (eventType !== WatchEventType.Deleted) {
-    return;
-  }
-
+export async function cronJobWatchHandler(cronJob: V1beta1CronJob) {
   if (!cronJob.metadata || !cronJob.spec || !cronJob.spec.jobTemplate.spec ||
       !cronJob.spec.jobTemplate.metadata || !cronJob.spec.jobTemplate.spec.template.spec) {
     // TODO(ivanstanev): possibly log this. It shouldn't happen but we should track it!

src/kube-scanner/watchers/handlers/daemon-set.ts

@@ -1,14 +1,9 @@
 import { V1DaemonSet } from '@kubernetes/client-node';
-import { WatchEventType } from '../types';
 import { deleteWorkload } from './index';
 import { WorkloadKind } from '../../types';
 import { FALSY_WORKLOAD_NAME_MARKER } from './types';
 
-export async function daemonSetWatchHandler(eventType: string, daemonSet: V1DaemonSet) {
-  if (eventType !== WatchEventType.Deleted) {
-    return;
-  }
-
+export async function daemonSetWatchHandler(daemonSet: V1DaemonSet) {
   if (!daemonSet.metadata || !daemonSet.spec || !daemonSet.spec.template.metadata ||
       !daemonSet.spec.template.spec) {
     // TODO(ivanstanev): possibly log this. It shouldn't happen but we should track it!

src/kube-scanner/watchers/handlers/deployment.ts

@@ -1,14 +1,9 @@
 import { V1Deployment } from '@kubernetes/client-node';
-import { WatchEventType } from '../types';
 import { deleteWorkload } from './index';
 import { WorkloadKind } from '../../types';
 import { FALSY_WORKLOAD_NAME_MARKER } from './types';
 
-export async function deploymentWatchHandler(eventType: string, deployment: V1Deployment) {
-  if (eventType !== WatchEventType.Deleted) {
-    return;
-  }
-
+export async function deploymentWatchHandler(deployment: V1Deployment) {
   if (!deployment.metadata || !deployment.spec || !deployment.spec.template.metadata ||
       !deployment.spec.template.spec) {
     // TODO(ivanstanev): possibly log this. It shouldn't happen but we should track it!

src/kube-scanner/watchers/handlers/index.ts

@@ -1,7 +1,117 @@
+import { makeInformer, ADD, DELETE, UPDATE, KubernetesObject } from '@kubernetes/client-node';
 import logger = require('../../../common/logger');
 import WorkloadWorker = require('../../../kube-scanner');
 import { buildWorkloadMetadata } from '../../metadata-extractor';
-import { KubeObjectMetadata } from '../../types';
+import { KubeObjectMetadata, WorkloadKind } from '../../types';
+import { podWatchHandler } from './pod';
+import { cronJobWatchHandler } from './cron-job';
+import { daemonSetWatchHandler } from './daemon-set';
+import { deploymentWatchHandler } from './deployment';
+import { jobWatchHandler } from './job';
+import { replicaSetWatchHandler } from './replica-set';
+import { replicationControllerWatchHandler } from './replication-controller';
+import { statefulSetWatchHandler } from './stateful-set';
+import { k8sApi, kubeConfig } from '../../cluster';
+import { IWorkloadWatchMetadata, FALSY_WORKLOAD_NAME_MARKER } from './types';
+
+/**
+ * This map is used in combination with the kubernetes-client Informer API
+ * to abstract which resources to watch, what their endpoint is, how to grab
+ * a list of the resources, and which watch actions to handle (e.g. a newly added resource).
+ *
+ * The Informer API is just a wrapper around Kubernetes watches that makes sure the watch
+ * gets restarted if it dies and it also efficiently tracks changes to the watched workloads
+ * by comparing their resourceVersion.
+ *
+ * The map is keyed by the "WorkloadKind" -- the type of resource we want to watch.
+ * Legal verbs for the "handlers" are pulled from '@kubernetes/client-node'. You can
+ * set a different handler for every verb.
+ * (e.g. ADD-ed workloads are processed differently than DELETE-d ones)
+ *
+ * The "listFunc" is a callback used by the kubernetes-client to grab the watched resource
+ * whenever Kubernetes fires a "workload changed" event and it uses the result to figure out
+ * if the workload actually changed (by inspecting the resourceVersion).
+ */
+const workloadWatchMetadata: Readonly<IWorkloadWatchMetadata> = {
+  [WorkloadKind.Pod]: {
+    endpoint: '/api/v1/namespaces/{namespace}/pods',
+    handlers: {
+      [ADD]: podWatchHandler,
+      [UPDATE]: podWatchHandler,
+    },
+    listFactory: (namespace) => () => k8sApi.coreClient.listNamespacedPod(namespace),
+  },
+  [WorkloadKind.ReplicationController]: {
+    endpoint: '/api/v1/watch/namespaces/{namespace}/replicationcontrollers',
+    handlers: {
+      [DELETE]: replicationControllerWatchHandler,
+    },
+    listFactory: (namespace) => () => k8sApi.coreClient.listNamespacedReplicationController(namespace),
+  },
+  [WorkloadKind.CronJob]: {
+    endpoint: '/apis/batch/v1beta1/watch/namespaces/{namespace}/cronjobs',
+    handlers: {
+      [DELETE]: cronJobWatchHandler,
+    },
+    listFactory: (namespace) => () => k8sApi.batchUnstableClient.listNamespacedCronJob(namespace),
+  },
+  [WorkloadKind.Job]: {
+    endpoint: '/apis/batch/v1/watch/namespaces/{namespace}/jobs',
+    handlers: {
+      [DELETE]: jobWatchHandler,
+    },
+    listFactory: (namespace) => () => k8sApi.batchClient.listNamespacedJob(namespace),
+  },
+  [WorkloadKind.DaemonSet]: {
+    endpoint: '/apis/apps/v1/watch/namespaces/{namespace}/daemonsets',
+    handlers: {
+      [DELETE]: daemonSetWatchHandler,
+    },
+    listFactory: (namespace) => () => k8sApi.appsClient.listNamespacedDaemonSet(namespace),
+  },
+  [WorkloadKind.Deployment]: {
+    endpoint: '/apis/apps/v1/watch/namespaces/{namespace}/deployments',
+    handlers: {
+      [DELETE]: deploymentWatchHandler,
+    },
+    listFactory: (namespace) => () => k8sApi.appsClient.listNamespacedDeployment(namespace),
+  },
+  [WorkloadKind.ReplicaSet]: {
+    endpoint: '/apis/apps/v1/watch/namespaces/{namespace}/replicasets',
+    handlers: {
+      [DELETE]: replicaSetWatchHandler,
+    },
+    listFactory: (namespace) => () => k8sApi.appsClient.listNamespacedReplicaSet(namespace),
+  },
+  [WorkloadKind.StatefulSet]: {
+    endpoint: '/apis/apps/v1/watch/namespaces/{namespace}/statefulsets',
+    handlers: {
+      [DELETE]: statefulSetWatchHandler,
+    },
+    listFactory: (namespace) => () => k8sApi.appsClient.listNamespacedStatefulSet(namespace),
+  },
+};
+
+export function setupInformer(namespace: string, workloadKind: WorkloadKind) {
+  const workloadMetadata = workloadWatchMetadata[workloadKind];
+  const namespacedEndpoint = workloadMetadata.endpoint.replace('{namespace}', namespace);
+
+  const informer = makeInformer<KubernetesObject>(kubeConfig, namespacedEndpoint,
+    workloadMetadata.listFactory(namespace));
+
+  for (const informerVerb of Object.keys(workloadMetadata.handlers)) {
+    informer.on(informerVerb, async (watchedWorkload) => {
+      try {
+        await workloadMetadata.handlers[informerVerb](watchedWorkload);
+      } catch (error) {
+        const name = watchedWorkload.metadata && watchedWorkload.metadata.name || FALSY_WORKLOAD_NAME_MARKER;
+        logger.warn({error, namespace, name, workloadKind}, 'could not execute the informer handler for a workload');
+      }
+    });
+  }
+
+  informer.start();
+}
 
 export async function deleteWorkload(kubernetesMetadata: KubeObjectMetadata, workloadName: string) {
   try {

src/kube-scanner/watchers/handlers/job.ts

@@ -1,14 +1,9 @@
 import { V1Job } from '@kubernetes/client-node';
-import { WatchEventType } from '../types';
 import { deleteWorkload } from './index';
 import { WorkloadKind } from '../../types';
 import { FALSY_WORKLOAD_NAME_MARKER } from './types';
 
-export async function jobWatchHandler(eventType: string, job: V1Job) {
-  if (eventType !== WatchEventType.Deleted) {
-    return;
-  }
-
+export async function jobWatchHandler(job: V1Job) {
   if (!job.metadata || !job.spec || !job.spec.template.metadata || !job.spec.template.spec) {
     // TODO(ivanstanev): possibly log this. It shouldn't happen but we should track it!
     return;