Merge pull request #1174 from snyk/fix/return-pod-image-metadata-for-unsupported-workload-kind

fix: return pod image metadata for unsupported workload

Author: minsiyang

src/scanner/images/index.ts

@@ -23,27 +23,30 @@ const statAsync = promisify(stat);
 */
 async function pullImageBySkopeoRepo(
   imageToPull: IPullableImage,
+  workloadName: string,
 ): Promise<IPullableImage> {
   // Scan image by digest if exists, other way fallback tag
   const scanId = imageToPull.imageWithDigest ?? imageToPull.imageName;
   await skopeoCopy(
     scanId,
     imageToPull.fileSystemPath,
     imageToPull.skopeoRepoType,
+    workloadName,
   );
   return imageToPull;
 }
 
 export async function pullImages(
   images: IPullableImage[],
+  workloadName: string,
 ): Promise<IPullableImage[]> {
   const pulledImages: IPullableImage[] = [];
   for (const image of images) {
     if (!image.fileSystemPath) {
       continue;
     }
     try {
-      const pulledImage = await pullImageBySkopeoRepo(image);
+      const pulledImage = await pullImageBySkopeoRepo(image, workloadName);
       pulledImages.push(pulledImage);
     } catch (error) {
       logger.error(

src/scanner/images/skopeo.ts

@@ -36,6 +36,7 @@ export async function pull(
   image: string,
   destination: string,
   skopeoRepoType: SkopeoRepositoryType,
+  workloadName: string,
 ): Promise<void> {
   const creds = await credentials.getSourceCredentials(image);
   const credentialsParameters = getCredentialParameters(creds);
@@ -56,12 +57,13 @@ export async function pull(
     sanitise: false,
   });
 
-  await pullWithRetry(args, destination);
+  await pullWithRetry(args, destination, workloadName);
 }
 
 async function pullWithRetry(
   args: Array<processWrapper.IProcessArgument>,
   destination: string,
+  workloadName: string,
 ): Promise<void> {
   const MAX_ATTEMPTS = 10;
   const RETRY_INTERVAL_SEC = 0.2;
@@ -77,7 +79,7 @@ async function pullWithRetry(
         }
       } catch (deleteErr) {
         logger.warn(
-          { error: deleteErr, destination },
+          { workloadName, error: deleteErr, destination },
           'could not clean up the Skopeo-copy archive',
         );
       }

src/scanner/index.ts

@@ -41,7 +41,7 @@ export async function processWorkload(
   );
   const imagesWithFileSystemPath = getImagesWithFileSystemPath(uniqueImages);
   const imagePullStartTimestampMs = Date.now();
-  const pulledImages = await pullImages(imagesWithFileSystemPath);
+  const pulledImages = await pullImages(imagesWithFileSystemPath, workloadName);
   const imagePullDurationMs = Date.now() - imagePullStartTimestampMs;
   if (pulledImages.length === 0) {
     logger.info(

src/supervisor/metadata-extractor.ts

@@ -26,12 +26,14 @@ export function buildImageMetadata(
   const { name, namespace, labels, annotations, uid } = objectMeta;
 
   const containerNameToSpec: { [key: string]: V1Container } = {};
-  for (const container of podSpec.containers) {
-    delete container.args;
-    delete container.env;
-    delete container.command;
-    //! would container.envFrom also include sensitive data?
-    containerNameToSpec[container.name] = container;
+  if (podSpec.containers) {
+    for (const container of podSpec.containers) {
+      delete container.args;
+      delete container.env;
+      delete container.command;
+      //! would container.envFrom also include sensitive data?
+      containerNameToSpec[container.name] = container;
+    }
   }
 
   const containerNameToStatus: { [key: string]: V1ContainerStatus } = {};
@@ -212,6 +214,29 @@ export async function buildMetadataForWorkload(
     pod.metadata.namespace,
   );
 
+  const hasNodeOwnerRef = pod.metadata?.ownerReferences?.find(
+    (owner) => owner.kind === 'Node',
+  );
+
+  if (hasNodeOwnerRef && podOwner === undefined) {
+    logger.info(
+      { podMetadata: pod.metadata },
+      'pod associated with owner, but owner not found. returning pod metadata.',
+    );
+    return buildImageMetadata(
+      {
+        kind: 'Pod', // Reading pod.kind may be undefined, so use this
+        objectMeta: pod.metadata,
+        // Notice the pod.metadata repeats; this is because pods
+        // do not have the "template" property.
+        specMeta: pod.metadata,
+        ownerRefs: [],
+        podSpec: pod.spec,
+      },
+      pod.status.containerStatuses,
+    );
+  }
+
   if (podOwner === undefined) {
     logger.info(
       { podMetadata: pod.metadata },