refactor: Cleanup polaris package (#335)

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>

pkg/cmd/scan_configaudit.go

@@ -4,7 +4,8 @@ import (
 	"context"
 
 	"github.com/aquasecurity/starboard/pkg/configauditreport"
-	starboardapi "github.com/aquasecurity/starboard/pkg/generated/clientset/versioned"
+	"github.com/aquasecurity/starboard/pkg/ext"
+	"github.com/aquasecurity/starboard/pkg/generated/clientset/versioned"
 	"github.com/aquasecurity/starboard/pkg/polaris"
 	"github.com/aquasecurity/starboard/pkg/starboard"
 	"github.com/spf13/cobra"
@@ -60,15 +61,17 @@ func ScanConfigAuditReports(cf *genericclioptions.ConfigFlags) func(cmd *cobra.C
 		if err != nil {
 			return err
 		}
-		plugin := polaris.NewPlugin(config)
-		report, err := polaris.NewScanner(starboard.NewScheme(), kubeClientset, opts, plugin).Scan(ctx, workload, gvk)
+		plugin := polaris.NewPlugin(ext.NewSystemClock(), config)
+		scanner := configauditreport.NewScanner(starboard.NewScheme(), kubeClientset, opts, plugin)
+		report, err := scanner.Scan(ctx, workload, gvk)
 		if err != nil {
 			return err
 		}
-		starboardClientset, err := starboardapi.NewForConfig(kubeConfig)
+		starboardClientset, err := versioned.NewForConfig(kubeConfig)
 		if err != nil {
 			return nil
 		}
-		return configauditreport.NewReadWriter(starboardClientset).Write(ctx, report)
+		writer := configauditreport.NewReadWriter(starboardClientset)
+		return writer.Write(ctx, report)
 	}
 }

pkg/configauditreport/doc.go

@@ -0,0 +1,2 @@
+// This package provides primitives for working with Kubernetes workload configuration checkers.
+package configauditreport

pkg/configauditreport/plugin.go

@@ -16,5 +16,7 @@ import (
 type Plugin interface {
 	GetScanJobSpec(workload kube.Object, gvk schema.GroupVersionKind) (corev1.PodSpec, error)
 
+	GetContainerName() string
+
 	ParseConfigAuditResult(logsReader io.ReadCloser) (v1alpha1.ConfigAuditResult, error)
 }

pkg/configauditreport/scanner.go

@@ -0,0 +1,132 @@
+package configauditreport
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
+	"github.com/aquasecurity/starboard/pkg/ext"
+	"github.com/aquasecurity/starboard/pkg/kube"
+	"github.com/aquasecurity/starboard/pkg/kube/pod"
+	"github.com/aquasecurity/starboard/pkg/runner"
+	"github.com/aquasecurity/starboard/pkg/scanners"
+	"github.com/aquasecurity/starboard/pkg/starboard"
+	batchv1 "k8s.io/api/batch/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/klog"
+	"k8s.io/utils/pointer"
+)
+
+type Scanner struct {
+	scheme    *runtime.Scheme
+	clientset kubernetes.Interface
+	opts      kube.ScannerOpts
+	pods      *pod.Manager
+	plugin    Plugin
+	ext.IDGenerator
+}
+
+func NewScanner(
+	scheme *runtime.Scheme,
+	clientset kubernetes.Interface,
+	opts kube.ScannerOpts,
+	plugin Plugin,
+) *Scanner {
+	return &Scanner{
+		scheme:      scheme,
+		clientset:   clientset,
+		opts:        opts,
+		plugin:      plugin,
+		pods:        pod.NewPodManager(clientset),
+		IDGenerator: ext.NewGoogleUUIDGenerator(),
+	}
+}
+
+func (s *Scanner) Scan(ctx context.Context, workload kube.Object, gvk schema.GroupVersionKind) (v1alpha1.ConfigAuditReport, error) {
+	klog.V(3).Infof("Getting Pod template for workload: %v", workload)
+
+	_, owner, err := s.pods.GetPodSpecByWorkload(ctx, workload)
+	if err != nil {
+		return v1alpha1.ConfigAuditReport{}, err
+	}
+
+	klog.V(3).Infof("Scanning with options: %+v", s.opts)
+	job, err := s.getScanJob(workload, gvk)
+	if err != nil {
+		return v1alpha1.ConfigAuditReport{}, err
+	}
+
+	err = runner.New().Run(ctx, kube.NewRunnableJob(s.scheme, s.clientset, job))
+	if err != nil {
+		s.pods.LogRunnerErrors(ctx, job)
+		return v1alpha1.ConfigAuditReport{}, fmt.Errorf("running scan job: %w", err)
+	}
+
+	defer func() {
+		if !s.opts.DeleteScanJob {
+			klog.V(3).Infof("Skipping scan job deletion: %s/%s", job.Namespace, job.Name)
+			return
+		}
+		klog.V(3).Infof("Deleting scan job: %s/%s", job.Namespace, job.Name)
+		background := metav1.DeletePropagationBackground
+		_ = s.clientset.BatchV1().Jobs(job.Namespace).Delete(ctx, job.Name, metav1.DeleteOptions{
+			PropagationPolicy: &background,
+		})
+	}()
+
+	containerName := s.plugin.GetContainerName()
+
+	klog.V(3).Infof("Getting logs for %s container in job: %s/%s", containerName,
+		job.Namespace, job.Name)
+	logsReader, err := s.pods.GetContainerLogsByJob(ctx, job, containerName)
+	if err != nil {
+		return v1alpha1.ConfigAuditReport{}, fmt.Errorf("getting logs: %w", err)
+	}
+
+	result, err := s.plugin.ParseConfigAuditResult(logsReader)
+	defer func() {
+		_ = logsReader.Close()
+	}()
+
+	return NewBuilder(s.scheme).
+		Owner(owner).
+		Result(result).
+		Get()
+}
+
+func (s *Scanner) getScanJob(workload kube.Object, gvk schema.GroupVersionKind) (*batchv1.Job, error) {
+	jobSpec, err := s.plugin.GetScanJobSpec(workload, gvk)
+	if err != nil {
+		return nil, err
+	}
+	return &batchv1.Job{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      s.GenerateID(),
+			Namespace: starboard.NamespaceName,
+			Labels: map[string]string{
+				kube.LabelResourceKind:      string(workload.Kind),
+				kube.LabelResourceName:      workload.Name,
+				kube.LabelResourceNamespace: workload.Namespace,
+			},
+		},
+		Spec: batchv1.JobSpec{
+			BackoffLimit:          pointer.Int32Ptr(0),
+			Completions:           pointer.Int32Ptr(1),
+			ActiveDeadlineSeconds: scanners.GetActiveDeadlineSeconds(s.opts.ScanJobTimeout),
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{
+						kube.LabelResourceKind:      string(workload.Kind),
+						kube.LabelResourceName:      workload.Name,
+						kube.LabelResourceNamespace: workload.Namespace,
+					},
+				},
+				Spec: jobSpec,
+			},
+		},
+	}, nil
+}

pkg/configauditreport/scanner_test.go

@@ -0,0 +1 @@
+package configauditreport_test

pkg/configauditreport/writer.go

@@ -3,28 +3,27 @@ package configauditreport
 import (
 	"context"
 
-	clientset "github.com/aquasecurity/starboard/pkg/generated/clientset/versioned"
+	"github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
+	"github.com/aquasecurity/starboard/pkg/generated/clientset/versioned"
+	"github.com/aquasecurity/starboard/pkg/kube"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/klog"
-
-	starboard "github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
-	"github.com/aquasecurity/starboard/pkg/kube"
 )
 
 // Write is the interface that wraps basic methods for persisting ConfigAudit reports.
 //
 // Write persists the given ConfigAuditReport report.
 type Writer interface {
-	Write(ctx context.Context, report starboard.ConfigAuditReport) error
+	Write(ctx context.Context, report v1alpha1.ConfigAuditReport) error
 }
 
 // Reader is the interface that wraps basic methods for reading ConfigAudit reports.
 //
 // Read will return a single ConfigAuditReport that match a specific workload
 type Reader interface {
-	FindByOwner(ctx context.Context, owner kube.Object) (*starboard.ConfigAuditReport, error)
+	FindByOwner(ctx context.Context, owner kube.Object) (*v1alpha1.ConfigAuditReport, error)
 }
 
 type ReadWriter interface {
@@ -33,17 +32,17 @@ type ReadWriter interface {
 }
 
 type readWriter struct {
-	client clientset.Interface
+	clientset versioned.Interface
 }
 
-func NewReadWriter(client clientset.Interface) ReadWriter {
+func NewReadWriter(clientset versioned.Interface) ReadWriter {
 	return &readWriter{
-		client: client,
+		clientset: clientset,
 	}
 }
 
-func (w *readWriter) Write(ctx context.Context, report starboard.ConfigAuditReport) error {
-	existing, err := w.client.AquasecurityV1alpha1().ConfigAuditReports(report.Namespace).
+func (w *readWriter) Write(ctx context.Context, report v1alpha1.ConfigAuditReport) error {
+	existing, err := w.clientset.AquasecurityV1alpha1().ConfigAuditReports(report.Namespace).
 		Get(ctx, report.Name, metav1.GetOptions{})
 
 	if err == nil {
@@ -52,23 +51,23 @@ func (w *readWriter) Write(ctx context.Context, report starboard.ConfigAuditRepo
 		deepCopy.Labels = report.Labels
 		deepCopy.Report = report.Report
 
-		_, err = w.client.AquasecurityV1alpha1().ConfigAuditReports(report.Namespace).
+		_, err = w.clientset.AquasecurityV1alpha1().ConfigAuditReports(report.Namespace).
 			Update(ctx, deepCopy, metav1.UpdateOptions{})
 		return err
 	}
 
 	if errors.IsNotFound(err) {
 		klog.V(3).Infof("Creating ConfigAuditReport %q", report.Namespace+"/"+report.Name)
-		_, err = w.client.AquasecurityV1alpha1().ConfigAuditReports(report.Namespace).
+		_, err = w.clientset.AquasecurityV1alpha1().ConfigAuditReports(report.Namespace).
 			Create(ctx, &report, metav1.CreateOptions{})
 		return err
 	}
 
 	return err
 }
 
-func (w *readWriter) FindByOwner(ctx context.Context, workload kube.Object) (*starboard.ConfigAuditReport, error) {
-	list, err := w.client.AquasecurityV1alpha1().ConfigAuditReports(workload.Namespace).List(ctx, metav1.ListOptions{
+func (w *readWriter) FindByOwner(ctx context.Context, workload kube.Object) (*v1alpha1.ConfigAuditReport, error) {
+	list, err := w.clientset.AquasecurityV1alpha1().ConfigAuditReports(workload.Namespace).List(ctx, metav1.ListOptions{
 		LabelSelector: labels.Set{
 			kube.LabelResourceKind:      string(workload.Kind),
 			kube.LabelResourceName:      workload.Name,

pkg/configauditreport/writer_test.go

@@ -4,12 +4,11 @@ import (
 	"context"
 	"testing"
 
-	"github.com/stretchr/testify/assert"
-
 	"github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
 	"github.com/aquasecurity/starboard/pkg/configauditreport"
 	"github.com/aquasecurity/starboard/pkg/generated/clientset/versioned/fake"
 	"github.com/aquasecurity/starboard/pkg/kube"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )