Merge pull request #939 from snyk/feat/cache-control

fix: trim workload metadata everywhere we read workloads

Author: ivanstanev

src/supervisor/watchers/handlers/cron-job.ts

@@ -1,5 +1,5 @@
 import { V1beta1CronJob, V1beta1CronJobList } from '@kubernetes/client-node';
-import { deleteWorkload } from './workload';
+import { deleteWorkload, trimWorkload } from './workload';
 import { WorkloadKind } from '../../types';
 import { FALSY_WORKLOAD_NAME_MARKER } from './types';
 import { IncomingMessage } from 'http';
@@ -32,6 +32,8 @@ export async function paginatedCronJobList(namespace: string): Promise<{
 export async function cronJobWatchHandler(
   cronJob: V1beta1CronJob,
 ): Promise<void> {
+  cronJob = trimWorkload(cronJob);
+
   if (
     !cronJob.metadata ||
     !cronJob.spec ||

src/supervisor/watchers/handlers/daemon-set.ts

@@ -1,5 +1,5 @@
 import { V1DaemonSet, V1DaemonSetList } from '@kubernetes/client-node';
-import { deleteWorkload } from './workload';
+import { deleteWorkload, trimWorkload } from './workload';
 import { WorkloadKind } from '../../types';
 import { FALSY_WORKLOAD_NAME_MARKER } from './types';
 import { IncomingMessage } from 'http';
@@ -30,6 +30,8 @@ export async function paginatedDaemonSetList(namespace: string): Promise<{
 export async function daemonSetWatchHandler(
   daemonSet: V1DaemonSet,
 ): Promise<void> {
+  daemonSet = trimWorkload(daemonSet);
+
   if (
     !daemonSet.metadata ||
     !daemonSet.spec ||

src/supervisor/watchers/handlers/deployment-config.ts

@@ -1,5 +1,5 @@
 import { IncomingMessage } from 'http';
-import { deleteWorkload } from './workload';
+import { deleteWorkload, trimWorkload } from './workload';
 import { WorkloadKind } from '../../types';
 import {
   FALSY_WORKLOAD_NAME_MARKER,
@@ -54,6 +54,8 @@ export async function paginatedDeploymentConfigList(
 export async function deploymentConfigWatchHandler(
   deploymentConfig: V1DeploymentConfig,
 ): Promise<void> {
+  deploymentConfig = trimWorkload(deploymentConfig);
+
   if (
     !deploymentConfig.metadata ||
     !deploymentConfig.spec ||

src/supervisor/watchers/handlers/deployment.ts

@@ -1,5 +1,5 @@
 import { V1Deployment, V1DeploymentList } from '@kubernetes/client-node';
-import { deleteWorkload } from './workload';
+import { deleteWorkload, trimWorkload } from './workload';
 import { WorkloadKind } from '../../types';
 import { FALSY_WORKLOAD_NAME_MARKER } from './types';
 import { IncomingMessage } from 'http';
@@ -30,6 +30,8 @@ export async function paginatedDeploymentList(namespace: string): Promise<{
 export async function deploymentWatchHandler(
   deployment: V1Deployment,
 ): Promise<void> {
+  deployment = trimWorkload(deployment);
+
   if (
     !deployment.metadata ||
     !deployment.spec ||

src/supervisor/watchers/handlers/job.ts

@@ -1,5 +1,5 @@
 import { V1Job, V1JobList } from '@kubernetes/client-node';
-import { deleteWorkload } from './workload';
+import { deleteWorkload, trimWorkload } from './workload';
 import { WorkloadKind } from '../../types';
 import { FALSY_WORKLOAD_NAME_MARKER } from './types';
 import { IncomingMessage } from 'http';
@@ -28,6 +28,8 @@ export async function paginatedJobList(namespace: string): Promise<{
 }
 
 export async function jobWatchHandler(job: V1Job): Promise<void> {
+  job = trimWorkload(job);
+
   if (
     !job.metadata ||
     !job.spec ||

src/supervisor/watchers/handlers/pagination.ts

@@ -5,6 +5,7 @@ import type {
   KubernetesObject,
 } from '@kubernetes/client-node';
 
+import { trimWorkloads } from './workload';
 import { calculateSleepSeconds } from '../../kuberenetes-api-wrappers';
 import { V1NamespacedList } from './types';
 import type { IRequestError } from '../../types';
@@ -53,7 +54,7 @@ export async function paginatedList<
       list.metadata = listCall.body.metadata;
 
       if (Array.isArray(listCall.body.items)) {
-        const trimmedItems = trimItems(listCall.body.items);
+        const trimmedItems = trimWorkloads(listCall.body.items);
         list.items.push(...trimmedItems);
       }
 
@@ -98,29 +99,3 @@ export async function paginatedList<
     body: list,
   };
 }
-
-/**
- * Pick only the minimum relevant data from the workload. Sometimes the workload
- * spec may be bloated with server-side information that is not necessary for vulnerability analysis.
- * This ensures that any data we hold in memory is minimal, which in turn allows us to hold more workloads to scan.
- */
-function trimItems<
-  T extends KubernetesObject & Partial<{ status: unknown; spec: unknown }>,
->(items: T[]): KubernetesObject[] {
-  return items.map((item) => ({
-    apiVersion: item.apiVersion,
-    kind: item.kind,
-    metadata: {
-      name: item.metadata?.name,
-      namespace: item.metadata?.namespace,
-      annotations: item.metadata?.annotations,
-      labels: item.metadata?.labels,
-      ownerReferences: item.metadata?.ownerReferences,
-      uid: item.metadata?.uid,
-      resourceVersion: item.metadata?.resourceVersion,
-      generation: item.metadata?.generation,
-    },
-    spec: item.spec,
-    status: item.status,
-  }));
-}

src/supervisor/watchers/handlers/pod.ts

@@ -21,7 +21,7 @@ import {
 } from '../../../state';
 import { FALSY_WORKLOAD_NAME_MARKER } from './types';
 import { WorkloadKind } from '../../types';
-import { deleteWorkload } from './workload';
+import { deleteWorkload, trimWorkload } from './workload';
 import { k8sApi } from '../../cluster';
 import { paginatedList } from './pagination';
 
@@ -147,6 +147,8 @@ export async function podWatchHandler(pod: V1Pod): Promise<void> {
     return;
   }
 
+  pod = trimWorkload(pod);
+
   const podName =
     pod.metadata && pod.metadata.name
       ? pod.metadata.name

src/supervisor/watchers/handlers/replica-set.ts

@@ -1,5 +1,5 @@
 import { V1ReplicaSet, V1ReplicaSetList } from '@kubernetes/client-node';
-import { deleteWorkload } from './workload';
+import { deleteWorkload, trimWorkload } from './workload';
 import { WorkloadKind } from '../../types';
 import { FALSY_WORKLOAD_NAME_MARKER } from './types';
 import { IncomingMessage } from 'http';
@@ -30,6 +30,8 @@ export async function paginatedReplicaSetList(namespace: string): Promise<{
 export async function replicaSetWatchHandler(
   replicaSet: V1ReplicaSet,
 ): Promise<void> {
+  replicaSet = trimWorkload(replicaSet);
+
   if (
     !replicaSet.metadata ||
     !replicaSet.spec ||

src/supervisor/watchers/handlers/replication-controller.ts

@@ -2,7 +2,7 @@ import {
   V1ReplicationController,
   V1ReplicationControllerList,
 } from '@kubernetes/client-node';
-import { deleteWorkload } from './workload';
+import { deleteWorkload, trimWorkload } from './workload';
 import { WorkloadKind } from '../../types';
 import { FALSY_WORKLOAD_NAME_MARKER } from './types';
 import { IncomingMessage } from 'http';
@@ -37,6 +37,8 @@ export async function paginatedReplicationControllerList(
 export async function replicationControllerWatchHandler(
   replicationController: V1ReplicationController,
 ): Promise<void> {
+  replicationController = trimWorkload(replicationController);
+
   if (
     !replicationController.metadata ||
     !replicationController.spec ||

src/supervisor/watchers/handlers/stateful-set.ts

@@ -1,5 +1,5 @@
 import { V1StatefulSet, V1StatefulSetList } from '@kubernetes/client-node';
-import { deleteWorkload } from './workload';
+import { deleteWorkload, trimWorkload } from './workload';
 import { WorkloadKind } from '../../types';
 import { FALSY_WORKLOAD_NAME_MARKER } from './types';
 import { IncomingMessage } from 'http';
@@ -30,6 +30,8 @@ export async function paginatedStatefulSetList(namespace: string): Promise<{
 export async function statefulSetWatchHandler(
   statefulSet: V1StatefulSet,
 ): Promise<void> {
+  statefulSet = trimWorkload(statefulSet);
+
   if (
     !statefulSet.metadata ||
     !statefulSet.spec ||