package vulnerabilities
import (
"context"
"fmt"
"io"
"github.com/aquasecurity/starboard/pkg/resources"
"github.com/aquasecurity/starboard/pkg/ext"
"github.com/aquasecurity/starboard/pkg/trivy"
"github.com/aquasecurity/starboard/pkg/vulnerabilityreport"
"k8s.io/apimachinery/pkg/runtime"
"github.com/aquasecurity/starboard/pkg/starboard"
"github.com/aquasecurity/starboard/pkg/scanners"
"k8s.io/klog"
"github.com/aquasecurity/starboard/pkg/kube"
"github.com/aquasecurity/starboard/pkg/runner"
sec "github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
"github.com/aquasecurity/starboard/pkg/kube/pod"
batchv1 "k8s.io/api/batch/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/utils/pointer"
)
// NewScanner constructs a vulnerability Scanner for the given scheme, Trivy
// configuration, scanner options and Kubernetes client.
//
// A single UUID generator is shared between the Scanner (which names scan
// Jobs with it) and the Trivy delegate it wraps.
func NewScanner(scheme *runtime.Scheme, config starboard.TrivyConfig, opts kube.ScannerOpts, clientset kubernetes.Interface) *Scanner {
	ids := ext.NewGoogleUUIDGenerator()

	s := &Scanner{
		scheme:    scheme,
		config:    config,
		opts:      opts,
		clientset: clientset,
	}
	// Collaborators are built in the same order as before so any side effects
	// of their constructors happen in the same sequence.
	s.pods = pod.NewPodManager(clientset)
	s.converter = trivy.NewConverter(config)
	s.idGenerator = ids
	s.delegate = trivy.NewScanner(ids, config)
	return s
}
// Scanner scans Kubernetes workloads for vulnerabilities by running a Trivy
// scan Job in the starboard namespace and converting the Job's container
// logs into VulnerabilityReport objects. Construct it with NewScanner.
type Scanner struct {
	scheme      *runtime.Scheme             // handed to the vulnerabilityreport builder
	config      starboard.TrivyConfig       // Trivy settings shared by the converter and the delegate
	opts        kube.ScannerOpts            // ScanJobTimeout and DeleteScanJob are read from here
	clientset   kubernetes.Interface        // used to run, re-read and delete scan Jobs
	pods        *pod.Manager                // resolves Pod specs and reads scan Job container logs
	converter   trivy.Converter             // turns a container's Trivy output into a scan result
	idGenerator ext.IDGenerator             // generates the scan Job name
	delegate    vulnerabilityreport.Scanner // builds the Trivy Pod spec for a workload's Pod spec
}
// Scan resolves the Pod template of the given workload and scans it.
//
// It returns one VulnerabilityReport per container of the workload's Pod
// template, or an error if the template cannot be resolved or the scan
// fails (see ScanByPodSpec).
func (s *Scanner) Scan(ctx context.Context, workload kube.Object) ([]sec.VulnerabilityReport, error) {
	klog.V(3).Infof("Getting Pod template for workload: %v", workload)

	spec, ownerObj, lookupErr := s.pods.GetPodSpecByWorkload(ctx, workload)
	if lookupErr != nil {
		return nil, fmt.Errorf("getting Pod template: %w", lookupErr)
	}
	return s.ScanByPodSpec(ctx, workload, spec, ownerObj)
}
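// ScanByPodSpec runs a Trivy scan Job for the given Pod spec and converts the
// Job's container logs into VulnerabilityReports owned by owner.
//
// The Job is created in the starboard namespace and runs under the starboard
// service account (see PrepareScanJob). When s.opts.DeleteScanJob is set, the
// Job and its Pods are deleted once the reports have been read, whether or
// not reading them succeeded. A Job whose run failed is deliberately left in
// place (after its errors have been logged) so that it can be inspected.
func (s *Scanner) ScanByPodSpec(ctx context.Context, workload kube.Object, spec corev1.PodSpec, owner metav1.Object) ([]sec.VulnerabilityReport, error) {
	klog.V(3).Infof("Scanning with options: %+v", s.opts)

	job, err := s.PrepareScanJob(workload, spec)
	if err != nil {
		return nil, fmt.Errorf("preparing scan job: %w", err)
	}

	err = runner.New().Run(ctx, kube.NewRunnableJob(s.clientset, job))
	if err != nil {
		s.pods.LogRunnerErrors(ctx, job)
		return nil, fmt.Errorf("running scan job: %w", err)
	}

	// Remember the identity of the Job we created before it is re-read below.
	// The typed client returns a non-nil, empty Job together with a Get error,
	// so deleting via the re-read object would target "" / "" on that path and
	// leak the Job.
	jobNamespace, jobName := job.Namespace, job.Name

	defer func() {
		if !s.opts.DeleteScanJob {
			klog.V(3).Infof("Skipping scan job deletion: %s/%s", jobNamespace, jobName)
			return
		}
		klog.V(3).Infof("Deleting scan job: %s/%s", jobNamespace, jobName)
		background := metav1.DeletePropagationBackground
		// NOTE(review): this reuses the caller's ctx; if the scan returned
		// because ctx was cancelled or timed out, the delete will fail too.
		deleteErr := s.clientset.BatchV1().Jobs(jobNamespace).Delete(ctx, jobName, metav1.DeleteOptions{
			PropagationPolicy: &background,
		})
		if deleteErr != nil {
			// Best effort: a failed cleanup must not mask the scan result, but it
			// should not be silent either, since leftover Jobs accumulate.
			klog.Warningf("Deleting scan job %s/%s: %v", jobNamespace, jobName, deleteErr)
		}
	}()

	klog.V(3).Infof("Scan job completed: %s/%s", jobNamespace, jobName)

	// Re-read the Job from the API server (presumably to pick up
	// server-populated fields) before extracting the reports from it.
	completed, err := s.clientset.BatchV1().Jobs(jobNamespace).Get(ctx, jobName, metav1.GetOptions{})
	if err != nil {
		return nil, fmt.Errorf("getting scan job: %w", err)
	}
	return s.GetVulnerabilityReportsByScanJob(ctx, completed, owner)
}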
// PrepareScanJob builds (but does not create) the Kubernetes Job that scans
// every container image of the given Pod spec.
//
// The Pod template comes from the Trivy delegate and is placed in the
// starboard namespace under the starboard service account. The Job and its
// Pod template are labelled with the scanned workload's kind, name and
// namespace, and the images to scan are recorded as a JSON annotation so the
// resulting reports can later be attributed to containers
// (see GetVulnerabilityReportsByScanJob). BackoffLimit 0 and Completions 1
// mean a failed scan is never retried; ActiveDeadlineSeconds is derived from
// s.opts.ScanJobTimeout.
func (s *Scanner) PrepareScanJob(workload kube.Object, spec corev1.PodSpec) (*batchv1.Job, error) {
	podSpec, err := s.delegate.GetPodSpec(spec)
	if err != nil {
		return nil, err
	}
	podSpec.ServiceAccountName = starboard.ServiceAccountName

	imagesJSON, err := resources.GetContainerImagesFromPodSpec(spec).AsJSON()
	if err != nil {
		return nil, err
	}

	// The Job and its Pod template carry the same workload labels; build a
	// fresh map for each so the two objects never share one.
	workloadLabels := func() map[string]string {
		return map[string]string{
			kube.LabelResourceKind:      string(workload.Kind),
			kube.LabelResourceName:      workload.Name,
			kube.LabelResourceNamespace: workload.Namespace,
		}
	}

	jobMeta := metav1.ObjectMeta{
		Name:      s.idGenerator.GenerateID(),
		Namespace: starboard.NamespaceName,
		Labels:    workloadLabels(),
		Annotations: map[string]string{
			kube.AnnotationContainerImages: imagesJSON,
		},
	}
	jobSpec := batchv1.JobSpec{
		BackoffLimit:          pointer.Int32Ptr(0),
		Completions:           pointer.Int32Ptr(1),
		ActiveDeadlineSeconds: scanners.GetActiveDeadlineSeconds(s.opts.ScanJobTimeout),
		Template: corev1.PodTemplateSpec{
			ObjectMeta: metav1.ObjectMeta{Labels: workloadLabels()},
			Spec:       podSpec,
		},
	}

	return &batchv1.Job{ObjectMeta: jobMeta, Spec: jobSpec}, nil
}
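// GetVulnerabilityReportsByScanJob reads the logs of every container of a
// completed scan Job, converts each one with the Trivy converter and returns
// one VulnerabilityReport per container, owned by owner.
//
// The Job must carry the kube.AnnotationContainerImages annotation written by
// PrepareScanJob, which maps container names to the images that were scanned.
// Any failure — a missing annotation, a container without a recorded image,
// unreadable logs, a conversion error or a builder error — aborts the whole
// call with an error rather than yielding a partial or fabricated report.
func (s *Scanner) GetVulnerabilityReportsByScanJob(ctx context.Context, job *batchv1.Job, owner metav1.Object) ([]sec.VulnerabilityReport, error) {
	imagesJSON, ok := job.Annotations[kube.AnnotationContainerImages]
	if !ok {
		return nil, fmt.Errorf("scan job does not have required annotation: %s", kube.AnnotationContainerImages)
	}

	containerImages := kube.ContainerImages{}
	if err := containerImages.FromJSON(imagesJSON); err != nil {
		return nil, fmt.Errorf("reading scan job annotation: %s: %w", kube.AnnotationContainerImages, err)
	}

	containers := job.Spec.Template.Spec.Containers
	reports := make([]sec.VulnerabilityReport, 0, len(containers))
	for _, c := range containers {
		report, err := s.reportForContainer(ctx, job, owner, containerImages, c.Name)
		if err != nil {
			return nil, err
		}
		reports = append(reports, report)
	}
	return reports, nil
}

// reportForContainer reads the log stream of one container of the scan Job,
// converts it with the Trivy converter and wraps the result into a
// VulnerabilityReport owned by owner. The log stream is closed on every
// return path, and a conversion error is reported instead of being dropped.
func (s *Scanner) reportForContainer(ctx context.Context, job *batchv1.Job, owner metav1.Object, containerImages kube.ContainerImages, containerName string) (sec.VulnerabilityReport, error) {
	// Refuse to build a report for a container whose image was never
	// recorded; attributing findings to a zero-value image would be wrong.
	image, ok := containerImages[containerName]
	if !ok {
		return sec.VulnerabilityReport{}, fmt.Errorf("scan job annotation %s has no image for container %q", kube.AnnotationContainerImages, containerName)
	}

	klog.V(3).Infof("Getting logs for %s container in job: %s/%s", containerName, job.Namespace, job.Name)
	var logReader io.ReadCloser
	logReader, err := s.pods.GetContainerLogsByJob(ctx, job, containerName)
	if err != nil {
		return sec.VulnerabilityReport{}, err
	}
	// Closing in a helper (rather than at the end of the caller's loop) makes
	// sure the stream is released even when conversion or building fails.
	defer func() { _ = logReader.Close() }()

	result, err := s.converter.Convert(image, logReader)
	if err != nil {
		return sec.VulnerabilityReport{}, fmt.Errorf("converting scan output of container %q: %w", containerName, err)
	}

	return vulnerabilityreport.NewBuilder(s.scheme).
		Owner(owner).
		Container(containerName).
		Result(result).
		PodSpecHash("").
		Get()
}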