feat: allows excluded namespaces to be configurable

KatieArmstr · KatieArmstr · commit d0c28c093cbe · 2021-05-24T08:51:36.000+01:00
Users can configure their own list of namespaces that kubernetes monitor will ignore. This will overwrite the list of Kubernetes internal namespaces which are excluded by default
diff --git a/snyk-monitor/README.md b/snyk-monitor/README.md
@@ -180,6 +180,20 @@ helm upgrade --install snyk-monitor snyk-charts/snyk-monitor \
   --set psp.enabled=true
 ```
 
+## Configuring excluded namespaces ##
+
+By default, `snyk-monitor` does not scan containers that are internal to Kubernetes, in the following namespaces:
+* `kube-node-lease`
+* `kube-public`
+* `kube-system`
+* `local-path-storage`
+
+If you prefer to override this, you can add your own list of namespaces to exclude by setting the `excludedNamespaces` to your own list.
+For example:
+```yaml
+--set excludedNamespaces={kube-node-lease,kube-public,local-path-storage,some_namespace}
+```
+
 ## Terms and conditions ##
 
 *The Snyk Container Kubernetes integration uses Red Hat UBI (Universal Base Image).*
diff --git a/snyk-monitor/templates/configmap.yaml b/snyk-monitor/templates/configmap.yaml
@@ -0,0 +1,11 @@
+{{ if .Values.excludedNamespaces }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-excluded-namespaces
+data:
+  excludedNamespaces: |-
+    {{- range .Values.excludedNamespaces }}
+    {{ . }}
+    {{- end }}
+{{ end }}
diff --git a/snyk-monitor/templates/deployment.yaml b/snyk-monitor/templates/deployment.yaml
@@ -58,6 +58,10 @@ spec:
             readOnly: true
           - name: registries-conf
             mountPath: "/srv/app/.config/containers"
+           {{- if .Values.excludedNamespaces }}
+          - name: excluded-namespaces
+            mountPath: "/etc/config"
+          {{- end }}
           env:
           - name: SNYK_INTEGRATION_ID
             valueFrom:
@@ -129,6 +133,11 @@ spec:
           configMap:
             name: {{ .Values.registriesConfConfigMap }}
             optional: true
+        {{- if .Values.excludedNamespaces }}
+        - name: excluded-namespaces
+          configMap:
+            name: {{ .Release.Name }}-excluded-namespaces
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
diff --git a/snyk-monitor/values.yaml b/snyk-monitor/values.yaml
@@ -88,3 +88,6 @@ nodeSelector: {}
 psp:
   enabled: false
   name: ""
+
+# Override the excluded namespaces
+excludedNamespaces:
diff --git a/src/common/config.ts b/src/common/config.ts
@@ -1,15 +1,29 @@
 import * as uuidv4 from 'uuid/v4';
 import { loadConfig } from 'snyk-config';
+import * as fs from 'fs';
 
 const config: Record<string, any> = loadConfig(__dirname + '/../..', {
   secretConfig: process.env.CONFIG_SECRET_FILE,
 });
 
+const namespacesFilePath = '/etc/config/excludedNamespaces';
+
+function loadExcludedNamespaces(): string[] | null {
+  try {
+    const data = fs.readFileSync(namespacesFilePath, 'UTF-8');
+    const namespaces: string[] = data.split(/\r?\n/);
+    return namespaces;
+  } catch (err) {
+    return null;
+  }
+}
+
 config.AGENT_ID = uuidv4();
 config.INTEGRATION_ID = config.INTEGRATION_ID.trim();
 config.CLUSTER_NAME = config.CLUSTER_NAME || 'Default cluster';
 config.IMAGE_STORAGE_ROOT = '/var/tmp';
 config.POLICIES_STORAGE_ROOT = '/tmp/policies';
+config.EXCLUDED_NAMESPACES = loadExcludedNamespaces();
 
 /**
  * Important: we delete the following env vars because we don't want to proxy requests to the Kubernetes API server.
diff --git a/src/supervisor/watchers/index.ts b/src/supervisor/watchers/index.ts
@@ -8,7 +8,10 @@ import { ECONNRESET_ERROR_CODE } from './types';
 import { setupInformer } from './handlers';
 import { kubeConfig, k8sApi } from '../cluster';
 import * as kubernetesApiWrappers from '../kuberenetes-api-wrappers';
-import { kubernetesInternalNamespaces } from './internal-namespaces';
+import {
+  kubernetesInternalNamespaces,
+  openshiftInternalNamespaces,
+} from './internal-namespaces';
 
 /**
  * This map keeps track of all currently watched namespaces.
@@ -52,8 +55,14 @@ export function extractNamespaceName(namespace: V1Namespace): string {
   throw new Error('Namespace missing metadata.name');
 }
 
-export function isKubernetesInternalNamespace(namespace: string): boolean {
-  return kubernetesInternalNamespaces.has(namespace);
+export function isExcludedNamespace(namespace: string): boolean {
+  return (
+    (config.EXCLUDED_NAMESPACES
+      ? config.EXCLUDED_NAMESPACES.includes(namespace)
+      : kubernetesInternalNamespaces.has(namespace)) ||
+    // always check openshift excluded namespaces
+    openshiftInternalNamespaces.has(namespace)
+  );
 }
 
 async function setupWatchesForCluster(): Promise<void> {
@@ -90,8 +99,8 @@ async function setupWatchesForCluster(): Promise<void> {
   informer.on(ADD, async (namespace: V1Namespace) => {
     try {
       const namespaceName = extractNamespaceName(namespace);
-      if (isKubernetesInternalNamespace(namespaceName)) {
-        // disregard namespaces internal to kubernetes
+      if (isExcludedNamespace(namespaceName)) {
+        // disregard excluded namespaces
         logger.info({ namespaceName }, 'ignoring blacklisted namespace');
         return;
       }
diff --git a/src/supervisor/watchers/internal-namespaces.ts b/src/supervisor/watchers/internal-namespaces.ts
@@ -3,6 +3,9 @@ export const kubernetesInternalNamespaces = new Set([
   'kube-public',
   'kube-system',
   'local-path-storage',
+]);
+
+export const openshiftInternalNamespaces = new Set([
   'openshift',
   'openshift-apiserver',
   'openshift-apiserver-operator',
diff --git a/test/unit/supervisor/__snapshots__/watchers.spec.ts.snap b/test/unit/supervisor/__snapshots__/watchers.spec.ts.snap
@@ -1,11 +1,16 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
-exports[`internal Kubernetes namespaces tests internal namespaces list against snapshot 1`] = `
+exports[`isExcludedNamespace() internal Kubernetes namespaces list against snapshot 1`] = `
 Set {
   "kube-node-lease",
   "kube-public",
   "kube-system",
   "local-path-storage",
+}
+`;
+
+exports[`isExcludedNamespace() openshift internal namespaces list against snapshot 1`] = `
+Set {
   "openshift",
   "openshift-apiserver",
   "openshift-apiserver-operator",
diff --git a/test/unit/supervisor/watchers.spec.ts b/test/unit/supervisor/watchers.spec.ts
@@ -1,30 +1,25 @@
 import { V1Namespace } from '@kubernetes/client-node';
+import { config } from '../../../src/common/config';
 
 import * as watchers from '../../../src/supervisor/watchers';
-import { kubernetesInternalNamespaces } from '../../../src/supervisor/watchers/internal-namespaces';
+import {
+  kubernetesInternalNamespaces,
+  openshiftInternalNamespaces,
+} from '../../../src/supervisor/watchers/internal-namespaces';
 
-describe('extractNamespaceName() tests', () => {
+describe('extractNamespaceName()', () => {
   test.each([
-    ['extractNamespaceName() throws on empty input', {} as V1Namespace],
-    [
-      'extractNamespaceName() throws on empty metadata',
-      { metadata: {} } as V1Namespace,
-    ],
-    [
-      'extractNamespaceName() throws on undefined name',
-      { metadata: { name: undefined } } as V1Namespace,
-    ],
-    [
-      'extractNamespaceName() throws on empty name',
-      { metadata: { name: '' } } as V1Namespace,
-    ],
-  ])('%s', (_testCaseName, input) => {
+    ['empty input', {} as V1Namespace],
+    ['empty metadata', { metadata: {} } as V1Namespace],
+    ['undefined name', { metadata: { name: undefined } } as V1Namespace],
+    ['empty name', { metadata: { name: '' } } as V1Namespace],
+  ])('throws on %s', (_testCaseName, input) => {
     expect(() => watchers.extractNamespaceName(input)).toThrowError(
       'Namespace missing metadata.name',
     );
   });
 
-  test('extractNamespaceName() returns namespace.metadata.name', () => {
+  test('returns namespace.metadata.name', () => {
     expect(
       watchers.extractNamespaceName({
         metadata: { name: 'literally anything else' },
@@ -33,18 +28,16 @@ describe('extractNamespaceName() tests', () => {
   });
 });
 
-describe('internal Kubernetes namespaces tests', () => {
-  test('internal namespaces list against snapshot', () => {
+describe('isExcludedNamespace() internal Kubernetes namespaces', () => {
+  test('list against snapshot', () => {
     expect(kubernetesInternalNamespaces).toMatchSnapshot();
   });
 
-  test('isKubernetesInternalNamespace(): internal Kubernetes namespaces are used', () => {
-    for (const internalNamespace of kubernetesInternalNamespaces) {
-      expect(watchers.isKubernetesInternalNamespace(internalNamespace)).toEqual(
-        true,
-      );
-    }
-  });
+  for (const internalNamespace of kubernetesInternalNamespaces) {
+    test(`isExcludedNamespace(${internalNamespace}) -> true`, () => {
+      expect(watchers.isExcludedNamespace(internalNamespace)).toEqual(true);
+    });
+  }
 
   test.each([
     ['kube-node-lease-'],
@@ -53,7 +46,59 @@ describe('internal Kubernetes namespaces tests', () => {
     ['egg'],
     [''],
     [(undefined as unknown) as string],
-  ])('isKubernetesInternalNamespace(%s) -> false', (input) => {
-    expect(watchers.isKubernetesInternalNamespace(input)).toEqual(false);
+  ])('isExcludedNamespace(%s) -> false', (input) => {
+    expect(watchers.isExcludedNamespace(input)).toEqual(false);
+  });
+});
+
+describe('isExcludedNamespace() openshift internal namespaces', () => {
+  test('list against snapshot', () => {
+    expect(openshiftInternalNamespaces).toMatchSnapshot();
+  });
+
+  for (const internalNamespace of openshiftInternalNamespaces) {
+    test(`isExcludedNamespace(${internalNamespace}) -> true`, () => {
+      expect(watchers.isExcludedNamespace(internalNamespace)).toEqual(true);
+    });
+  }
+
+  test.each([
+    ['openshif'],
+    ['openshift-'],
+    ['egg'],
+    [''],
+    [(undefined as unknown) as string],
+  ])('isExcludedNamespace(%s) -> false', (input) => {
+    expect(watchers.isExcludedNamespace(input)).toEqual(false);
+  });
+});
+
+describe('isExcludedNamespace() excluded namespaces from config', () => {
+  const excludedNamespacesFromConfig = ['one', 'two', 'three'];
+  beforeAll(() => {
+    config.EXCLUDED_NAMESPACES = excludedNamespacesFromConfig;
+  });
+
+  afterAll(() => {
+    config.EXCLUDED_NAMESPACES = null;
+  });
+
+  excludedNamespacesFromConfig.forEach((namespace) => {
+    test(`[excluded namespaces from config] isExcludedNamespace(${namespace}) -> true`, () => {
+      expect(watchers.isExcludedNamespace(namespace)).toEqual(true);
+    });
   });
+
+  for (const internalNamespace of openshiftInternalNamespaces) {
+    test(`[openshift internal namespaces] isExcludedNamespace(${internalNamespace}) -> true`, () => {
+      expect(watchers.isExcludedNamespace(internalNamespace)).toEqual(true);
+    });
+  }
+
+  test.each([['kube-system']['egg'], [''], [(undefined as unknown) as string]])(
+    'isExcludedNamespace(%s) -> false',
+    (input) => {
+      expect(watchers.isExcludedNamespace(input)).toEqual(false);
+    },
+  );
 });
