Merge pull request #998 from snyk/feat/cluster-informers

Feat/cluster informers

Author: ivanstanev

package-lock.json

@@ -29,9 +29,10 @@
     "build": "tsc",
     "dev": "tsc-watch --project tsconfig.json --onSuccess 'node --inspect .'",
     "debug": "tsc-watch --project tsconfig.json --onSuccess 'node --inspect-brk .'",
-    "lint": "npm run lint:commit && npm run lint:eslint",
+    "lint": "npm run lint:commit && npm run lint:eslint && npm run lint:circular",
     "lint:eslint": "eslint \"src/**/*.ts\" && (cd test && eslint \"**/*.ts\")",
     "lint:commit": "commitlint --from=$(git rev-parse origin/staging)",
+    "lint:circular": "fadge detect-cycles --allow-ignores=true \"./{src,test}/**/*.ts\"",
     "format": "prettier --write '{src,test}/**/*.{js,ts,json,yml}'",
     "format:check": "prettier --check '{src,test}/**/*.{js,ts,json,yml}'"
   },
@@ -67,6 +68,7 @@
     "eslint": "^7.32.0",
     "eslint-config-prettier": "^8.3.0",
     "eslint-plugin-prettier": "^3.4.1",
+    "fadge": "^0.0.1",
     "jest": "^26.6.3",
     "nock": "^13.0.11",
     "prettier": "^2.4.1",

package.json

@@ -2,6 +2,7 @@ import { KubernetesObject, V1Namespace } from '@kubernetes/client-node';
 import LruCache from 'lru-cache';
 
 import { config } from './common/config';
+import { extractNamespaceName } from './supervisor/watchers/internal-namespaces';
 
 const imagesLruCacheOptions: LruCache.Options<string, string> = {
   // limit cache size so we don't exceed memory limit
@@ -113,6 +114,16 @@ export function kubernetesObjectToWorkloadAlreadyScanned(
   return undefined;
 }
 
+export function storeNamespace(namespace: V1Namespace): void {
+  const namespaceName = extractNamespaceName(namespace);
+  state.watchedNamespaces[namespaceName] = namespace;
+}
+
+export function deleteNamespace(namespace: V1Namespace): void {
+  const namespaceName = extractNamespaceName(namespace);
+  delete state.watchedNamespaces[namespaceName];
+}
+
 export const state = {
   shutdownInProgress: false,
   imagesAlreadyScanned: new LruCache<string, string>(imagesLruCacheOptions),

src/state.ts

@@ -3,20 +3,27 @@ import {
   V1CronJobList,
   V1beta1CronJob,
   V1beta1CronJobList,
+  BatchV1Api,
+  BatchV1beta1Api,
 } from '@kubernetes/client-node';
-import { deleteWorkload, trimWorkload } from './workload';
+import { deleteWorkload } from './workload';
 import { WorkloadKind } from '../../types';
 import { FALSY_WORKLOAD_NAME_MARKER } from './types';
 import { IncomingMessage } from 'http';
 import { k8sApi } from '../../cluster';
-import { paginatedList } from './pagination';
+import { paginatedClusterList, paginatedNamespacedList } from './pagination';
 import {
   deleteWorkloadAlreadyScanned,
   deleteWorkloadImagesAlreadyScanned,
   kubernetesObjectToWorkloadAlreadyScanned,
 } from '../../../state';
+import { logger } from '../../../common/logger';
+import { retryKubernetesApiRequest } from '../../kuberenetes-api-wrappers';
+import { trimWorkload } from '../../workload-sanitization';
 
-export async function paginatedCronJobList(namespace: string): Promise<{
+export async function paginatedNamespacedCronJobList(
+  namespace: string,
+): Promise<{
   response: IncomingMessage;
   body: V1CronJobList;
 }> {
@@ -25,14 +32,31 @@ export async function paginatedCronJobList(namespace: string): Promise<{
   v1CronJobList.kind = 'CronJobList';
   v1CronJobList.items = new Array<V1CronJob>();
 
-  return await paginatedList(
+  return await paginatedNamespacedList(
     namespace,
     v1CronJobList,
     k8sApi.batchClient.listNamespacedCronJob.bind(k8sApi.batchClient),
   );
 }
 
-export async function paginatedCronJobV1Beta1List(namespace: string): Promise<{
+export async function paginatedClusterCronJobList(): Promise<{
+  response: IncomingMessage;
+  body: V1CronJobList;
+}> {
+  const v1CronJobList = new V1CronJobList();
+  v1CronJobList.apiVersion = 'batch/v1';
+  v1CronJobList.kind = 'CronJobList';
+  v1CronJobList.items = new Array<V1CronJob>();
+
+  return await paginatedClusterList(
+    v1CronJobList,
+    k8sApi.batchClient.listCronJobForAllNamespaces.bind(k8sApi.batchClient),
+  );
+}
+
+export async function paginatedNamespacedCronJobV1Beta1List(
+  namespace: string,
+): Promise<{
   response: IncomingMessage;
   body: V1beta1CronJobList;
 }> {
@@ -41,7 +65,7 @@ export async function paginatedCronJobV1Beta1List(namespace: string): Promise<{
   cronJobList.kind = 'CronJobList';
   cronJobList.items = new Array<V1beta1CronJob>();
 
-  return await paginatedList(
+  return await paginatedNamespacedList(
     namespace,
     cronJobList,
     k8sApi.batchUnstableClient.listNamespacedCronJob.bind(
@@ -50,6 +74,23 @@ export async function paginatedCronJobV1Beta1List(namespace: string): Promise<{
   );
 }
 
+export async function paginatedClusterCronJobV1Beta1List(): Promise<{
+  response: IncomingMessage;
+  body: V1beta1CronJobList;
+}> {
+  const cronJobList = new V1beta1CronJobList();
+  cronJobList.apiVersion = 'batch/v1beta1';
+  cronJobList.kind = 'CronJobList';
+  cronJobList.items = new Array<V1beta1CronJob>();
+
+  return await paginatedClusterList(
+    cronJobList,
+    k8sApi.batchUnstableClient.listCronJobForAllNamespaces.bind(
+      k8sApi.batchUnstableClient,
+    ),
+  );
+}
+
 export async function cronJobWatchHandler(
   cronJob: V1CronJob | V1beta1CronJob,
 ): Promise<void> {
@@ -92,3 +133,91 @@ export async function cronJobWatchHandler(
     workloadName,
   );
 }
+
+export async function isNamespacedCronJobSupported(
+  workloadKind: WorkloadKind,
+  namespace: string,
+  client: BatchV1Api | BatchV1beta1Api,
+): Promise<boolean> {
+  try {
+    const pretty = undefined;
+    const allowWatchBookmarks = undefined;
+    const continueToken = undefined;
+    const fieldSelector = undefined;
+    const labelSelector = undefined;
+    const limit = 1; // Try to grab only a single object
+    const resourceVersion = undefined; // List anything in the cluster
+    const resourceVersionMatch = undefined;
+    const timeoutSeconds = 10; // Don't block the snyk-monitor indefinitely
+    const attemptedApiCall = await retryKubernetesApiRequest(() =>
+      client.listNamespacedCronJob(
+        namespace,
+        pretty,
+        allowWatchBookmarks,
+        continueToken,
+        fieldSelector,
+        labelSelector,
+        limit,
+        resourceVersion,
+        resourceVersionMatch,
+        timeoutSeconds,
+      ),
+    );
+    return (
+      attemptedApiCall !== undefined &&
+      attemptedApiCall.response !== undefined &&
+      attemptedApiCall.response.statusCode !== undefined &&
+      attemptedApiCall.response.statusCode >= 200 &&
+      attemptedApiCall.response.statusCode < 300
+    );
+  } catch (error) {
+    logger.debug(
+      { error, workloadKind: workloadKind },
+      'Failed on Kubernetes API call to list CronJob or v1beta1 CronJob',
+    );
+    return false;
+  }
+}
+
+export async function isClusterCronJobSupported(
+  workloadKind: WorkloadKind,
+  client: BatchV1Api | BatchV1beta1Api,
+): Promise<boolean> {
+  try {
+    const pretty = undefined;
+    const allowWatchBookmarks = undefined;
+    const continueToken = undefined;
+    const fieldSelector = undefined;
+    const labelSelector = undefined;
+    const limit = 1; // Try to grab only a single object
+    const resourceVersion = undefined; // List anything in the cluster
+    const resourceVersionMatch = undefined;
+    const timeoutSeconds = 10; // Don't block the snyk-monitor indefinitely
+    const attemptedApiCall = await retryKubernetesApiRequest(() =>
+      client.listCronJobForAllNamespaces(
+        allowWatchBookmarks,
+        continueToken,
+        fieldSelector,
+        labelSelector,
+        limit,
+        pretty,
+        resourceVersion,
+        resourceVersionMatch,
+        timeoutSeconds,
+      ),
+    );
+    return (
+      attemptedApiCall !== undefined &&
+      attemptedApiCall.response !== undefined &&
+      attemptedApiCall.response.statusCode !== undefined &&
+      attemptedApiCall.response.statusCode >= 200 &&
+      attemptedApiCall.response.statusCode < 300
+    );
+  } catch (error) {
+    logger.debug(
+      { error, workloadKind: workloadKind },
+      'Failed on Kubernetes API call to list CronJob or v1beta1 CronJob',
+    );
+    return false;
+  }
+}

src/supervisor/watchers/handlers/cron-job.ts

@@ -1,17 +1,20 @@
 import { V1DaemonSet, V1DaemonSetList } from '@kubernetes/client-node';
-import { deleteWorkload, trimWorkload } from './workload';
+import { deleteWorkload } from './workload';
 import { WorkloadKind } from '../../types';
 import { FALSY_WORKLOAD_NAME_MARKER } from './types';
 import { IncomingMessage } from 'http';
 import { k8sApi } from '../../cluster';
-import { paginatedList } from './pagination';
+import { paginatedClusterList, paginatedNamespacedList } from './pagination';
 import {
   deleteWorkloadAlreadyScanned,
   deleteWorkloadImagesAlreadyScanned,
   kubernetesObjectToWorkloadAlreadyScanned,
 } from '../../../state';
+import { trimWorkload } from '../../workload-sanitization';
 
-export async function paginatedDaemonSetList(namespace: string): Promise<{
+export async function paginatedNamespacedDaemonSetList(
+  namespace: string,
+): Promise<{
   response: IncomingMessage;
   body: V1DaemonSetList;
 }> {
@@ -20,13 +23,28 @@ export async function paginatedDaemonSetList(namespace: string): Promise<{
   v1DaemonSetList.kind = 'DaemonSetList';
   v1DaemonSetList.items = new Array<V1DaemonSet>();
 
-  return await paginatedList(
+  return await paginatedNamespacedList(
     namespace,
     v1DaemonSetList,
     k8sApi.appsClient.listNamespacedDaemonSet.bind(k8sApi.appsClient),
   );
 }
 
+export async function paginatedClusterDaemonSetList(): Promise<{
+  response: IncomingMessage;
+  body: V1DaemonSetList;
+}> {
+  const v1DaemonSetList = new V1DaemonSetList();
+  v1DaemonSetList.apiVersion = 'apps/v1';
+  v1DaemonSetList.kind = 'DaemonSetList';
+  v1DaemonSetList.items = new Array<V1DaemonSet>();
+
+  return await paginatedClusterList(
+    v1DaemonSetList,
+    k8sApi.appsClient.listDaemonSetForAllNamespaces.bind(k8sApi.appsClient),
+  );
+}
+
 export async function daemonSetWatchHandler(
   daemonSet: V1DaemonSet,
 ): Promise<void> {