Merge pull request #602 from snyk/feat/podspec-from-pods

Feat/podspec from pods

Author: ivanstanev

src/supervisor/metadata-extractor.ts

@@ -1,4 +1,4 @@
-import { V1OwnerReference, V1Pod, V1Container, V1ContainerStatus } from '@kubernetes/client-node';
+import { V1OwnerReference, V1Pod, V1Container, V1ContainerStatus, V1PodSpec } from '@kubernetes/client-node';
 import { IWorkload, ILocalWorkloadLocator } from '../transmitter/types';
 import { currentClusterName } from './cluster';
 import { IKubeObjectMetadata } from './types';
@@ -53,6 +53,7 @@ export function buildImageMetadata(
 }
 
 async function findParentWorkload(
+  podSpec: V1PodSpec,
   ownerRefs: V1OwnerReference[] | undefined,
   namespace: string,
 ): Promise<IKubeObjectMetadata | undefined> {
@@ -69,9 +70,14 @@ async function findParentWorkload(
     }
 
     const workloadReader = getWorkloadReader(supportedWorkload.kind);
-    let nextParentMetadata: IKubeObjectMetadata | undefined;
     try {
-      nextParentMetadata = await workloadReader(supportedWorkload.name, namespace);
+      const workloadMetadata = await workloadReader(supportedWorkload.name, namespace);
+      if (workloadMetadata === undefined) {
+        // Could not extract data for the next parent, so return whatever we have so far.
+        return parentMetadata;
+      }
+      parentMetadata = { ...workloadMetadata, podSpec };
+      ownerReferences = parentMetadata.ownerRefs;
     } catch (err) {
       if (
         err &&
@@ -87,14 +93,6 @@ async function findParentWorkload(
       }
       throw err;
     }
-
-    if (nextParentMetadata === undefined) {
-      // Could not extract data for the next parent, so return whatever we have so far.
-      return parentMetadata;
-    }
-
-    parentMetadata = nextParentMetadata;
-    ownerReferences = parentMetadata.ownerRefs;
   }
 
   return undefined;
@@ -151,7 +149,7 @@ export async function buildMetadataForWorkload(pod: V1Pod): Promise<IWorkload[]
   }
 
   const podOwner: IKubeObjectMetadata | undefined = await findParentWorkload(
-    pod.metadata.ownerReferences, pod.metadata.namespace);
+    pod.spec, pod.metadata.ownerReferences, pod.metadata.namespace);
 
   if (podOwner === undefined) {
     logger.info({pod}, 'pod associated with owner, but owner not found. not building metadata.');

src/supervisor/watchers/internal-namespaces.ts

@@ -2,6 +2,7 @@ export const kubernetesInternalNamespaces = [
   'kube-node-lease',
   'kube-public',
   'kube-system',
+  'local-path-storage',
   'openshift',
   'openshift-apiserver',
   'openshift-apiserver-operator',

src/supervisor/workload-reader.ts

@@ -5,10 +5,11 @@ import { k8sApi } from './cluster';
 import { IKubeObjectMetadata, WorkloadKind } from './types';
 import logger = require('../common/logger');
 
+type IKubeObjectMetadataWithoutPodSpec = Omit<IKubeObjectMetadata, 'podSpec'>;
 type IWorkloadReaderFunc = (
   workloadName: string,
   namespace: string,
-) => Promise<IKubeObjectMetadata | undefined>;
+) => Promise<IKubeObjectMetadataWithoutPodSpec | undefined>;
 
 const deploymentReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
   const deploymentResult = await kubernetesApiWrappers.retryKubernetesApiRequest(
@@ -22,14 +23,14 @@ const deploymentReader: IWorkloadReaderFunc = async (workloadName, namespace) =>
     return undefined;
   }
 
-  return {
+  const metadata: IKubeObjectMetadataWithoutPodSpec = {
     kind: WorkloadKind.Deployment,
     objectMeta: deployment.metadata,
     specMeta: deployment.spec.template.metadata,
     ownerRefs: deployment.metadata.ownerReferences,
     revision: deployment.status.observedGeneration,
-    podSpec: deployment.spec.template.spec,
   };
+  return metadata;
 };
 
 const replicaSetReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
@@ -44,14 +45,14 @@ const replicaSetReader: IWorkloadReaderFunc = async (workloadName, namespace) =>
     return undefined;
   }
 
-  return {
+  const metadata: IKubeObjectMetadataWithoutPodSpec = {
     kind: WorkloadKind.ReplicaSet,
     objectMeta: replicaSet.metadata,
     specMeta: replicaSet.spec.template.metadata,
     ownerRefs: replicaSet.metadata.ownerReferences,
     revision: replicaSet.status.observedGeneration,
-    podSpec: replicaSet.spec.template.spec,
   };
+  return metadata;
 };
 
 const statefulSetReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
@@ -66,14 +67,14 @@ const statefulSetReader: IWorkloadReaderFunc = async (workloadName, namespace) =
     return undefined;
   }
 
-  return {
+  const metadata: IKubeObjectMetadataWithoutPodSpec = {
     kind: WorkloadKind.StatefulSet,
     objectMeta: statefulSet.metadata,
     specMeta: statefulSet.spec.template.metadata,
     ownerRefs: statefulSet.metadata.ownerReferences,
     revision: statefulSet.status.observedGeneration,
-    podSpec: statefulSet.spec.template.spec,
   };
+  return metadata;
 };
 
 const daemonSetReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
@@ -88,14 +89,14 @@ const daemonSetReader: IWorkloadReaderFunc = async (workloadName, namespace) =>
     return undefined;
   }
 
-  return {
+  const metadata: IKubeObjectMetadataWithoutPodSpec = {
     kind: WorkloadKind.DaemonSet,
     objectMeta: daemonSet.metadata,
     specMeta: daemonSet.spec.template.metadata,
     ownerRefs: daemonSet.metadata.ownerReferences,
     revision: daemonSet.status.observedGeneration,
-    podSpec: daemonSet.spec.template.spec,
   };
+  return metadata;
 };
 
 const jobReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
@@ -109,13 +110,13 @@ const jobReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
     return undefined;
   }
 
-  return {
+  const metadata: IKubeObjectMetadataWithoutPodSpec = {
     kind: WorkloadKind.Job,
     objectMeta: job.metadata,
     specMeta: job.spec.template.metadata,
     ownerRefs: job.metadata.ownerReferences,
-    podSpec: job.spec.template.spec,
   };
+  return metadata;
 };
 
 // Keep an eye on this! We need v1beta1 API for CronJobs.
@@ -133,13 +134,13 @@ const cronJobReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
     return undefined;
   }
 
-  return {
+  const metadata: IKubeObjectMetadataWithoutPodSpec = {
     kind: WorkloadKind.CronJob,
     objectMeta: cronJob.metadata,
     specMeta: cronJob.spec.jobTemplate.metadata,
     ownerRefs: cronJob.metadata.ownerReferences,
-    podSpec: cronJob.spec.jobTemplate.spec.template.spec,
   };
+  return metadata;
 };
 
 const replicationControllerReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
@@ -155,14 +156,14 @@ const replicationControllerReader: IWorkloadReaderFunc = async (workloadName, na
     return undefined;
   }
 
-  return {
+  const metadata: IKubeObjectMetadataWithoutPodSpec = {
     kind: WorkloadKind.ReplicationController,
     objectMeta: replicationController.metadata,
     specMeta: replicationController.spec.template.metadata,
     ownerRefs: replicationController.metadata.ownerReferences,
     revision: replicationController.status.observedGeneration,
-    podSpec: replicationController.spec.template.spec,
   };
+  return metadata;
 };
 
 function logIncompleteWorkload(workloadName: string, namespace: string): void {

test/fixtures/java-deployment.yaml

@@ -21,4 +21,12 @@ spec:
         name: java
         command: ['/bin/sleep']
         args: ['9999999']
-      securityContext: {}
+        securityContext:
+          privileged: false
+          capabilities:
+            drop:
+              - ALL
+        resources:
+            limits:
+              cpu: '1'
+              memory: '1Gi'

test/system/kind.test.ts

@@ -105,6 +105,14 @@ tap.test('Kubernetes-Monitor with KinD', async (t) => {
         'all properties are present in the workload metadata',
       );
       t.ok('agentId' in requestBody, 'agent ID is present in workload payload');
+      
+      const podSpec = requestBody.workloadMetadata.podSpec;
+      const resources = podSpec.containers[0].resources;
+      t.same(resources?.limits, { cpu: '1', memory: '1Gi' });
+
+      const securityContext = podSpec.containers[0].securityContext;
+      t.same(securityContext?.privileged, false);
+      t.same(securityContext?.capabilities?.drop, ['ALL']);
     });
 
   nock('https://kubernetes-upstream.snyk.io')

test/unit/supervisor/watchers.test.ts

@@ -32,6 +32,8 @@ tap.test('isKubernetesInternalNamespace', async (t) => {
     'kube-public is a k8s internal namespace');
   t.ok(watchers.isKubernetesInternalNamespace('kube-system'),
     'kube-system is a k8s internal namespace');
+  t.ok(watchers.isKubernetesInternalNamespace('local-path-storage'),
+    'local-path-storage is a k8s internal namespace');
   t.ok(watchers.isKubernetesInternalNamespace('openshift-apiserver'),
     'openshift-apiserver is a k8s internal namespace');
   t.ok(watchers.isKubernetesInternalNamespace('openshift-apiserver-operator'),