feat: agent id is now stable and sent only once on start up

Best effort attempt to grab the Agent ID using the snyk-monitor's Deployment UID. This UID is stable and does not change on application upgrades unless the Deployment object is deleted from Kubernetes.

Author: ivanstanev

snyk-monitor-deployment.yaml

@@ -49,6 +49,12 @@ spec:
                 name: snyk-monitor
                 key: namespace
                 optional: true
+          - name: SNYK_DEPLOYMENT_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: SNYK_DEPLOYMENT_NAME
+            value: snyk-monitor
           - name: SNYK_INTEGRATION_API
             valueFrom:
               configMapKeyRef:

snyk-monitor/templates/deployment.yaml

@@ -72,6 +72,12 @@ spec:
                 key: integrationId
           - name: SNYK_WATCH_NAMESPACE
             value: {{ include "snyk-monitor.scope" . }}
+          - name: SNYK_DEPLOYMENT_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: SNYK_DEPLOYMENT_NAME
+            value: {{ include "snyk-monitor.name" . }}
           - name: SNYK_INTEGRATION_API
             value: {{ .Values.integrationApi }}
           - name: SNYK_CLUSTER_NAME

src/common/config.ts

@@ -18,7 +18,9 @@ function loadExcludedNamespaces(): string[] | null {
   }
 }
 
+// NOTE: The agent identifier is replaced with a stable identifier once snyk-monitor starts up
 config.AGENT_ID = uuidv4();
+
 config.INTEGRATION_ID = config.INTEGRATION_ID.trim();
 config.CLUSTER_NAME = config.CLUSTER_NAME || 'Default cluster';
 config.IMAGE_STORAGE_ROOT = '/var/tmp';

src/index.ts

@@ -9,6 +9,7 @@ import { currentClusterName } from './supervisor/cluster';
 import { beginWatchingWorkloads } from './supervisor/watchers';
 import { loadAndSendWorkloadEventsPolicy } from './common/policy';
 import { sendClusterMetadata } from './transmitter';
+import { setSnykMonitorAgentId } from './supervisor/agent';
 
 process.on('uncaughtException', (err) => {
   if (state.shutdownInProgress) {
@@ -63,6 +64,7 @@ cleanUpTempStorage();
 
 // Allow running in an async context
 setImmediate(async function setUpAndMonitor(): Promise<void> {
+  await setSnykMonitorAgentId();
   await sendClusterMetadata();
   await loadAndSendWorkloadEventsPolicy();
   await monitor();

src/supervisor/agent.ts

@@ -0,0 +1,34 @@
+import { config } from '../common/config';
+import { logger } from '../common/logger';
+import { k8sApi } from './cluster';
+import { retryKubernetesApiRequest } from './kuberenetes-api-wrappers';
+
+export async function setSnykMonitorAgentId(): Promise<void> {
+  const name = config.DEPLOYMENT_NAME;
+  const namespace = config.DEPLOYMENT_NAMESPACE;
+
+  const agentId = await getSnykMonitorDeploymentUid(name, namespace);
+  if (agentId === undefined) {
+    return;
+  }
+
+  config.AGENT_ID = agentId;
+}
+
+async function getSnykMonitorDeploymentUid(
+  name: string,
+  namespace: string,
+): Promise<string | undefined> {
+  try {
+    const attemptedApiCall = await retryKubernetesApiRequest(() =>
+      k8sApi.appsClient.readNamespacedDeployment(name, namespace),
+    );
+    return attemptedApiCall.body.metadata?.uid;
+  } catch (error) {
+    logger.error(
+      { error, namespace, name },
+      'could not read the snyk-monitor deployment unique id',
+    );
+    return undefined;
+  }
+}

src/transmitter/payload.ts

@@ -9,7 +9,6 @@ import {
   IWorkloadMetadataPayload,
   IWorkloadMetadata,
   IWorkloadLocator,
-  IKubernetesMonitorMetadata,
   ScanResultsPayload,
   IDependencyGraphPayload,
   IWorkloadEventsPolicyPayload,
@@ -38,17 +37,10 @@ export function constructDepGraph(
       name,
     };
 
-    const monitorMetadata: IKubernetesMonitorMetadata = {
-      agentId: config.AGENT_ID,
-      namespace: config.WATCH_NAMESPACE,
-      version: config.MONITOR_VERSION,
-    };
-
     return {
       imageLocator,
       agentId: config.AGENT_ID,
       dependencyGraph: JSON.stringify(scannedImage.pluginResult),
-      metadata: monitorMetadata,
     };
   });
 
@@ -78,17 +70,10 @@ export function constructScanResults(
       name,
     };
 
-    const monitorMetadata: IKubernetesMonitorMetadata = {
-      agentId: config.AGENT_ID,
-      namespace: config.WATCH_NAMESPACE,
-      version: config.MONITOR_VERSION,
-    };
-
     return {
       imageLocator,
       agentId: config.AGENT_ID,
       scanResults: scannedImage.scanResults,
-      metadata: monitorMetadata,
     };
   });
 }

src/transmitter/types.ts

@@ -31,25 +31,16 @@ export interface IImageLocator extends IWorkloadLocator {
   imageWithDigest?: string;
 }
 
-export interface IKubernetesMonitorMetadata {
-  agentId: string;
-  version: string;
-  namespace?: string;
-}
-
 export interface IDependencyGraphPayload {
   imageLocator: IImageLocator;
   agentId: string;
   dependencyGraph?: string;
-  metadata: IKubernetesMonitorMetadata;
 }
 
 export interface ScanResultsPayload {
   imageLocator: IImageLocator;
   agentId: string;
   scanResults: ScanResult[];
-  /** @deprecated TODO: This should be sent in a separate API. */
-  metadata: IKubernetesMonitorMetadata;
 }
 
 export interface IWorkloadMetadataPayload {

test/system/kind.spec.ts

@@ -3,6 +3,7 @@ import * as nock from 'nock';
 import { copyFile, readFile, mkdir, exists } from 'fs';
 import { promisify } from 'util';
 import { resolve as resolvePath } from 'path';
+import { v4 as uuid } from 'uuid';
 
 import * as kubectl from '../helpers/kubectl';
 import * as kind from '../setup/platforms/kind';
@@ -25,6 +26,7 @@ const existsAsync = promisify(exists);
  *   Error: Client network socket disconnected before secure TLS connection was established
  */
 import { state as kubernetesMonitorState } from '../../src/state';
+import * as kubernetesApiWrappers from '../../src/supervisor/kuberenetes-api-wrappers';
 
 async function tearDown() {
   console.log('Begin removing the snyk-monitor...');
@@ -38,6 +40,8 @@ async function tearDown() {
 
 beforeAll(tearDown);
 afterAll(async () => {
+  jest.restoreAllMocks();
+
   kubernetesMonitorState.shutdownInProgress = true;
   await tearDown();
   // TODO cleanup the images we saved to /var/tmp?
@@ -48,6 +52,17 @@ test('Kubernetes-Monitor with KinD', async (jestDoneCallback) => {
     .spyOn(fsExtra, 'emptyDirSync')
     .mockReturnValue({});
 
+  const agentId = uuid();
+  const retryKubernetesApiRequestMock = jest
+    .spyOn(kubernetesApiWrappers, 'retryKubernetesApiRequest')
+    .mockResolvedValueOnce({
+      body: {
+        metadata: {
+          uid: agentId,
+        },
+      },
+    });
+
   try {
     await exec('which skopeo');
     console.log('Skopeo already installed :tada:');
@@ -102,7 +117,7 @@ test('Kubernetes-Monitor with KinD', async (jestDoneCallback) => {
           expect(
             requestBody,
           ).toEqual<transmitterTypes.IWorkloadEventsPolicyPayload>({
-            agentId: expect.any(String),
+            agentId,
             cluster: expect.any(String),
             userLocator: expect.any(String),
             policy: regoPolicyContents,
@@ -123,7 +138,7 @@ test('Kubernetes-Monitor with KinD', async (jestDoneCallback) => {
           expect(requestBody).toEqual<
             Partial<transmitterTypes.IClusterMetadataPayload>
           >({
-            agentId: expect.any(String),
+            agentId,
             cluster: expect.any(String),
             userLocator: expect.any(String),
             // also should have version here but due to test limitation it is undefined
@@ -199,7 +214,7 @@ test('Kubernetes-Monitor with KinD', async (jestDoneCallback) => {
                 ]),
               }),
             }),
-            agentId: expect.any(String),
+            agentId,
           });
         } catch (error) {
           jestDoneCallback(error);
@@ -230,8 +245,7 @@ test('Kubernetes-Monitor with KinD', async (jestDoneCallback) => {
     .reply(500, (uri, requestBody: transmitterTypes.ScanResultsPayload) => {
       try {
         expect(requestBody).toEqual<transmitterTypes.ScanResultsPayload>({
-          metadata: expect.any(Object),
-          agentId: expect.any(String),
+          agentId,
           imageLocator: expect.objectContaining({
             imageId: expect.any(String),
           }),
@@ -277,7 +291,7 @@ test('Kubernetes-Monitor with KinD', async (jestDoneCallback) => {
         try {
           expect(requestBody).toEqual<transmitterTypes.IDependencyGraphPayload>(
             {
-              agentId: expect.any(String),
+              agentId,
               dependencyGraph: expect.stringContaining('docker-image|java'),
               imageLocator: {
                 userLocator: expect.any(String),
@@ -288,11 +302,10 @@ test('Kubernetes-Monitor with KinD', async (jestDoneCallback) => {
                 type: expect.any(String),
                 imageWithDigest: expect.any(String),
               },
-              metadata: expect.objectContaining({
-                agentId: expect.any(String),
-              }),
             },
           );
+
+          expect(retryKubernetesApiRequestMock).toHaveBeenCalled();
           jestDoneCallback();
         } catch (error) {
           jestDoneCallback(error);

test/unit/transmitter-payload.spec.ts

@@ -125,11 +125,6 @@ describe('transmitter payload tests', () => {
         type: 'type',
       }),
     );
-    expect(firstPayload.metadata).toEqual({
-      agentId: config.AGENT_ID,
-      namespace: 'b7',
-      version: '1.2.3',
-    });
 
     config.WATCH_NAMESPACE = backups.namespace;
     config.MONITOR_VERSION = backups.version;