feat: PodSpec is now read from Pods instead of the workloads

ivanstanev · ivanstanev · commit 5e4599ccf8eb · 2020-11-18T13:13:34.000Z
This is a workaround for cases where the workload is a Custom Resource, which snyk-monitor today does not support and cannot read them.
There are situations where we will misreport the securityContext because we tried to read it from the wrong workload.

The Pod's spec is an identical copy to the one defined in the workload, so we can use it for collecting the workload information that we need - this way we can track workload security configuration even if the Pods are managed by a Custom Resource.
diff --git a/src/supervisor/metadata-extractor.ts b/src/supervisor/metadata-extractor.ts
@@ -1,4 +1,4 @@
-import { V1OwnerReference, V1Pod, V1Container, V1ContainerStatus } from '@kubernetes/client-node';
+import { V1OwnerReference, V1Pod, V1Container, V1ContainerStatus, V1PodSpec } from '@kubernetes/client-node';
 import { IWorkload, ILocalWorkloadLocator } from '../transmitter/types';
 import { currentClusterName } from './cluster';
 import { IKubeObjectMetadata } from './types';
@@ -53,6 +53,7 @@ export function buildImageMetadata(
 }
 
 async function findParentWorkload(
+  podSpec: V1PodSpec,
   ownerRefs: V1OwnerReference[] | undefined,
   namespace: string,
 ): Promise<IKubeObjectMetadata | undefined> {
@@ -69,9 +70,14 @@ async function findParentWorkload(
     }
 
     const workloadReader = getWorkloadReader(supportedWorkload.kind);
-    let nextParentMetadata: IKubeObjectMetadata | undefined;
     try {
-      nextParentMetadata = await workloadReader(supportedWorkload.name, namespace);
+      const workloadMetadata = await workloadReader(supportedWorkload.name, namespace);
+      if (workloadMetadata === undefined) {
+        // Could not extract data for the next parent, so return whatever we have so far.
+        return parentMetadata;
+      }
+      parentMetadata = { ...workloadMetadata, podSpec };
+      ownerReferences = parentMetadata.ownerRefs;
     } catch (err) {
       if (
         err &&
@@ -87,14 +93,6 @@ async function findParentWorkload(
       }
       throw err;
     }
-
-    if (nextParentMetadata === undefined) {
-      // Could not extract data for the next parent, so return whatever we have so far.
-      return parentMetadata;
-    }
-
-    parentMetadata = nextParentMetadata;
-    ownerReferences = parentMetadata.ownerRefs;
   }
 
   return undefined;
@@ -151,7 +149,7 @@ export async function buildMetadataForWorkload(pod: V1Pod): Promise<IWorkload[]
   }
 
   const podOwner: IKubeObjectMetadata | undefined = await findParentWorkload(
-    pod.metadata.ownerReferences, pod.metadata.namespace);
+    pod.spec, pod.metadata.ownerReferences, pod.metadata.namespace);
 
   if (podOwner === undefined) {
     logger.info({pod}, 'pod associated with owner, but owner not found. not building metadata.');
diff --git a/src/supervisor/workload-reader.ts b/src/supervisor/workload-reader.ts
@@ -5,10 +5,11 @@ import { k8sApi } from './cluster';
 import { IKubeObjectMetadata, WorkloadKind } from './types';
 import logger = require('../common/logger');
 
+type IKubeObjectMetadataWithoutPodSpec = Omit<IKubeObjectMetadata, 'podSpec'>;
 type IWorkloadReaderFunc = (
   workloadName: string,
   namespace: string,
-) => Promise<IKubeObjectMetadata | undefined>;
+) => Promise<IKubeObjectMetadataWithoutPodSpec | undefined>;
 
 const deploymentReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
   const deploymentResult = await kubernetesApiWrappers.retryKubernetesApiRequest(
@@ -22,14 +23,14 @@ const deploymentReader: IWorkloadReaderFunc = async (workloadName, namespace) =>
     return undefined;
   }
 
-  return {
+  const metadata: IKubeObjectMetadataWithoutPodSpec = {
     kind: WorkloadKind.Deployment,
     objectMeta: deployment.metadata,
     specMeta: deployment.spec.template.metadata,
     ownerRefs: deployment.metadata.ownerReferences,
     revision: deployment.status.observedGeneration,
-    podSpec: deployment.spec.template.spec,
   };
+  return metadata;
 };
 
 const replicaSetReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
@@ -44,14 +45,14 @@ const replicaSetReader: IWorkloadReaderFunc = async (workloadName, namespace) =>
     return undefined;
   }
 
-  return {
+  const metadata: IKubeObjectMetadataWithoutPodSpec = {
     kind: WorkloadKind.ReplicaSet,
     objectMeta: replicaSet.metadata,
     specMeta: replicaSet.spec.template.metadata,
     ownerRefs: replicaSet.metadata.ownerReferences,
     revision: replicaSet.status.observedGeneration,
-    podSpec: replicaSet.spec.template.spec,
   };
+  return metadata;
 };
 
 const statefulSetReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
@@ -66,14 +67,14 @@ const statefulSetReader: IWorkloadReaderFunc = async (workloadName, namespace) =
     return undefined;
   }
 
-  return {
+  const metadata: IKubeObjectMetadataWithoutPodSpec = {
     kind: WorkloadKind.StatefulSet,
     objectMeta: statefulSet.metadata,
     specMeta: statefulSet.spec.template.metadata,
     ownerRefs: statefulSet.metadata.ownerReferences,
     revision: statefulSet.status.observedGeneration,
-    podSpec: statefulSet.spec.template.spec,
   };
+  return metadata;
 };
 
 const daemonSetReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
@@ -88,14 +89,14 @@ const daemonSetReader: IWorkloadReaderFunc = async (workloadName, namespace) =>
     return undefined;
   }
 
-  return {
+  const metadata: IKubeObjectMetadataWithoutPodSpec = {
     kind: WorkloadKind.DaemonSet,
     objectMeta: daemonSet.metadata,
     specMeta: daemonSet.spec.template.metadata,
     ownerRefs: daemonSet.metadata.ownerReferences,
     revision: daemonSet.status.observedGeneration,
-    podSpec: daemonSet.spec.template.spec,
   };
+  return metadata;
 };
 
 const jobReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
@@ -109,13 +110,13 @@ const jobReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
     return undefined;
   }
 
-  return {
+  const metadata: IKubeObjectMetadataWithoutPodSpec = {
     kind: WorkloadKind.Job,
     objectMeta: job.metadata,
     specMeta: job.spec.template.metadata,
     ownerRefs: job.metadata.ownerReferences,
-    podSpec: job.spec.template.spec,
   };
+  return metadata;
 };
 
 // Keep an eye on this! We need v1beta1 API for CronJobs.
@@ -133,13 +134,13 @@ const cronJobReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
     return undefined;
   }
 
-  return {
+  const metadata: IKubeObjectMetadataWithoutPodSpec = {
     kind: WorkloadKind.CronJob,
     objectMeta: cronJob.metadata,
     specMeta: cronJob.spec.jobTemplate.metadata,
     ownerRefs: cronJob.metadata.ownerReferences,
-    podSpec: cronJob.spec.jobTemplate.spec.template.spec,
   };
+  return metadata;
 };
 
 const replicationControllerReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
@@ -155,14 +156,14 @@ const replicationControllerReader: IWorkloadReaderFunc = async (workloadName, na
     return undefined;
   }
 
-  return {
+  const metadata: IKubeObjectMetadataWithoutPodSpec = {
     kind: WorkloadKind.ReplicationController,
     objectMeta: replicationController.metadata,
     specMeta: replicationController.spec.template.metadata,
     ownerRefs: replicationController.metadata.ownerReferences,
     revision: replicationController.status.observedGeneration,
-    podSpec: replicationController.spec.template.spec,
   };
+  return metadata;
 };
 
 function logIncompleteWorkload(workloadName: string, namespace: string): void {
