Merge pull request #822 from snyk/fix/track-watched-namespaces

fix: internally track/cache watched namespaces

Author: ivanstanev

src/state.ts

@@ -1,3 +1,4 @@
+import { V1Namespace } from '@kubernetes/client-node';
 import * as LruCache from 'lru-cache';
 
 import { config } from './common/config';
@@ -26,6 +27,7 @@ const state = {
   workloadsAlreadyScanned: new LruCache<string, string>(
     workloadsLruCacheOptions,
   ),
+  watchedNamespaces: {} as Record<string, V1Namespace>,
 };
 
 export { state };

src/supervisor/watchers/index.ts

@@ -12,22 +12,18 @@ import {
   kubernetesInternalNamespaces,
   openshiftInternalNamespaces,
 } from './internal-namespaces';
+import { state } from '../../state';
 
-/**
- * This map keeps track of all currently watched namespaces.
- * Prevents duplicate watches being created if the same namespace is deleted
- * and then re-created. Once a watch is set up once, it doesn't have to be
- * tracked anymore as the kubernetes-client Informer API handles this internally.
- */
-const watchedNamespaces = new Set<string>();
+async function setupWatchesForNamespace(namespace: V1Namespace): Promise<void> {
+  const namespaceName = extractNamespaceName(namespace);
 
-async function setupWatchesForNamespace(namespace: string): Promise<void> {
-  if (watchedNamespaces.has(namespace)) {
+  if (state.watchedNamespaces[namespaceName] !== undefined) {
     logger.info({ namespace }, 'already set up namespace watch, skipping');
     return;
   }
+  state.watchedNamespaces[namespaceName] = namespace;
 
-  logger.info({ namespace }, 'setting up namespace watch');
+  logger.info({ namespace: namespaceName }, 'setting up namespace watch');
 
   for (const workloadKind of Object.values(WorkloadKind)) {
     // Disable handling events for k8s Jobs for debug purposes
@@ -36,16 +32,14 @@ async function setupWatchesForNamespace(namespace: string): Promise<void> {
     }
 
     try {
-      await setupInformer(namespace, workloadKind);
+      await setupInformer(namespaceName, workloadKind);
     } catch (error) {
       logger.warn(
         { namespace, workloadKind },
         'could not setup workload watch, skipping',
       );
     }
   }
-
-  watchedNamespaces.add(namespace);
 }
 
 export function extractNamespaceName(namespace: V1Namespace): string {
@@ -105,7 +99,7 @@ async function setupWatchesForCluster(): Promise<void> {
         return;
       }
 
-      await setupWatchesForNamespace(namespaceName);
+      await setupWatchesForNamespace(namespace);
     } catch (err) {
       logger.error({ err, namespace }, 'error handling a namespace event');
       return;
@@ -121,7 +115,11 @@ export async function beginWatchingWorkloads(): Promise<void> {
       { namespace: config.WATCH_NAMESPACE },
       'kubernetes-monitor restricted to specific namespace',
     );
-    await setupWatchesForNamespace(config.WATCH_NAMESPACE);
+    const namespaceResponse = await k8sApi.coreClient.readNamespace(
+      config.WATCH_NAMESPACE,
+    );
+    const namespace = namespaceResponse.body;
+    await setupWatchesForNamespace(namespace);
     return;
   }
 

src/transmitter/payload.ts

@@ -13,6 +13,7 @@ import {
   IDependencyGraphPayload,
   IWorkloadEventsPolicyPayload,
 } from './types';
+import { state } from '../state';
 
 export function constructDepGraph(
   scannedImages: IScanResult[],
@@ -99,6 +100,8 @@ export function constructWorkloadMetadata(
     specLabels: workload.specLabels,
     annotations: workload.annotations,
     specAnnotations: workload.specAnnotations,
+    namespaceAnnotations:
+      state.watchedNamespaces[workload.namespace]?.metadata?.annotations,
     revision: workload.revision,
     podSpec: workload.podSpec,
   };

src/transmitter/types.ts

@@ -22,6 +22,7 @@ export interface IWorkloadMetadata {
   specLabels: StringMap | undefined;
   annotations: StringMap | undefined;
   specAnnotations: StringMap | undefined;
+  namespaceAnnotations: StringMap | undefined;
   revision: number | undefined;
   podSpec: V1PodSpec;
 }