refactor: Delete *pod.Manager (#429)

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>

pkg/cmd/scan_configaudit.go

@@ -66,7 +66,7 @@ func ScanConfigAuditReports(buildInfo starboard.BuildInfo, cf *genericclioptions
 		if err != nil {
 			return err
 		}
-		scanner := configauditreport.NewScanner(scheme, kubeClientset, opts, instance)
+		scanner := configauditreport.NewScanner(kubeClientset, kubeClient, opts, instance)
 		report, err := scanner.Scan(ctx, workload, gvk)
 		if err != nil {
 			return err

pkg/cmd/scan_vulnerabilities.go

@@ -102,11 +102,8 @@ func ScanVulnerabilityReports(buildInfo starboard.BuildInfo, cf *genericclioptio
 		if err != nil {
 			return err
 		}
-		reports, err := vulnerabilityreport.NewScanner(
-			scheme,
-			kubeClientset,
-			opts,
-			instance).Scan(ctx, workload)
+		scanner := vulnerabilityreport.NewScanner(kubeClientset, kubeClient, opts, instance)
+		reports, err := scanner.Scan(ctx, workload)
 		if err != nil {
 			return err
 		}

pkg/configauditreport/scanner.go

@@ -7,7 +7,6 @@ import (
 	"github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
 	"github.com/aquasecurity/starboard/pkg/ext"
 	"github.com/aquasecurity/starboard/pkg/kube"
-	"github.com/aquasecurity/starboard/pkg/kube/pod"
 	"github.com/aquasecurity/starboard/pkg/runner"
 	"github.com/aquasecurity/starboard/pkg/starboard"
 	batchv1 "k8s.io/api/batch/v1"
@@ -22,36 +21,36 @@ import (
 )
 
 type Scanner struct {
-	scheme     *runtime.Scheme
-	clientset  kubernetes.Interface
-	opts       kube.ScannerOpts
-	pods       *pod.Manager
-	logsReader kube.LogsReader
-	plugin     Plugin
+	scheme         *runtime.Scheme
+	clientset      kubernetes.Interface
+	opts           kube.ScannerOpts
+	objectResolver *kube.ObjectResolver
+	logsReader     kube.LogsReader
+	plugin         Plugin
 	ext.IDGenerator
 }
 
 func NewScanner(
-	scheme *runtime.Scheme,
 	clientset kubernetes.Interface,
+	client client.Client,
 	opts kube.ScannerOpts,
 	plugin Plugin,
 ) *Scanner {
 	return &Scanner{
-		scheme:      scheme,
-		clientset:   clientset,
-		opts:        opts,
-		plugin:      plugin,
-		pods:        pod.NewPodManager(clientset),
-		logsReader:  kube.NewLogsReader(clientset),
-		IDGenerator: ext.NewGoogleUUIDGenerator(),
+		scheme:         client.Scheme(),
+		clientset:      clientset,
+		opts:           opts,
+		plugin:         plugin,
+		objectResolver: &kube.ObjectResolver{Client: client},
+		logsReader:     kube.NewLogsReader(clientset),
+		IDGenerator:    ext.NewGoogleUUIDGenerator(),
 	}
 }
 
 func (s *Scanner) Scan(ctx context.Context, workload kube.Object, gvk schema.GroupVersionKind) (v1alpha1.ConfigAuditReport, error) {
 	klog.V(3).Infof("Getting Pod template for workload: %v", workload)
 
-	_, owner, err := s.pods.GetPodSpecByWorkload(ctx, workload)
+	owner, err := s.objectResolver.GetObjectFromPartialObject(ctx, workload)
 	if err != nil {
 		return v1alpha1.ConfigAuditReport{}, err
 	}

pkg/kube/object.go

@@ -1,15 +1,22 @@
 package kube
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"strings"
 
+	appsv1 "k8s.io/api/apps/v1"
+	batchv1 "k8s.io/api/batch/v1"
+	batchv1beta1 "k8s.io/api/batch/v1beta1"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
 )
 
@@ -100,3 +107,65 @@ func KindForObject(object metav1.Object, scheme *runtime.Scheme) (string, error)
 	}
 	return gvk.Kind, nil
 }
+
+func GetPartialObjectFromKindAndNamespacedName(kind Kind, name types.NamespacedName) Object {
+	return Object{
+		Kind:      kind,
+		Name:      name.Name,
+		Namespace: name.Namespace,
+	}
+}
+
+func GetPodSpec(obj client.Object) (corev1.PodSpec, error) {
+	switch t := obj.(type) {
+	case *corev1.Pod:
+		return (obj.(*corev1.Pod)).Spec, nil
+	case *appsv1.Deployment:
+		return (obj.(*appsv1.Deployment)).Spec.Template.Spec, nil
+	case *appsv1.ReplicaSet:
+		return (obj.(*appsv1.ReplicaSet)).Spec.Template.Spec, nil
+	case *corev1.ReplicationController:
+		return (obj.(*corev1.ReplicationController)).Spec.Template.Spec, nil
+	case *appsv1.StatefulSet:
+		return (obj.(*appsv1.StatefulSet)).Spec.Template.Spec, nil
+	case *appsv1.DaemonSet:
+		return (obj.(*appsv1.DaemonSet)).Spec.Template.Spec, nil
+	case *batchv1beta1.CronJob:
+		return (obj.(*batchv1beta1.CronJob)).Spec.JobTemplate.Spec.Template.Spec, nil
+	default:
+		return corev1.PodSpec{}, fmt.Errorf("unsupported workload %T", t)
+	}
+}
+
+type ObjectResolver struct {
+	client.Client
+}
+
+func (o *ObjectResolver) GetObjectFromPartialObject(ctx context.Context, workload Object) (client.Object, error) {
+	var obj client.Object
+	switch workload.Kind {
+	case KindPod:
+		obj = &corev1.Pod{}
+	case KindReplicaSet:
+		obj = &appsv1.ReplicaSet{}
+	case KindReplicationController:
+		obj = &corev1.ReplicationController{}
+	case KindDeployment:
+		obj = &appsv1.Deployment{}
+	case KindStatefulSet:
+		obj = &appsv1.StatefulSet{}
+	case KindDaemonSet:
+		obj = &appsv1.DaemonSet{}
+	case KindCronJob:
+		obj = &batchv1beta1.CronJob{}
+	case KindJob:
+		obj = &batchv1.Job{}
+	default:
+		return nil, fmt.Errorf("unknown kind: %s", workload.Kind)
+	}
+	err := o.Client.Get(ctx, types.NamespacedName{Name: workload.Name, Namespace: workload.Namespace}, obj)
+	if err != nil {
+		return nil, err
+	}
+	return obj, nil
+}

pkg/kube/secrets.go

@@ -7,7 +7,6 @@ import (
 	"github.com/aquasecurity/starboard/pkg/docker"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -103,74 +102,18 @@ type SecretsReader interface {
 	ListImagePullSecretsByPodSpec(ctx context.Context, spec corev1.PodSpec, ns string) ([]corev1.Secret, error)
 }
 
-// NewSecretsReader constructs a new SecretsReader which is using the client-go
-// module for interacting with the Kubernetes API server.
-func NewSecretsReader(clientset kubernetes.Interface) SecretsReader {
-	return &reader{
-		clientset: clientset,
-	}
-}
-
-type reader struct {
-	clientset kubernetes.Interface
-}
-
-func (r *reader) ListImagePullSecretsByPodSpec(ctx context.Context, spec corev1.PodSpec, ns string) ([]corev1.Secret, error) {
-	secrets, err := r.ListByLocalObjectReferences(ctx, spec.ImagePullSecrets, ns)
-	if err != nil {
-		return nil, err
-	}
-
-	serviceAccountName := spec.ServiceAccountName
-	if serviceAccountName == "" {
-		serviceAccountName = serviceAccountDefault
-	}
-
-	serviceAccountSecrets, err := r.ListByServiceAccount(ctx, serviceAccountName, ns)
-	if err != nil {
-		return nil, err
-	}
-
-	return append(secrets, serviceAccountSecrets...), nil
-}
-
-func (r *reader) ListByServiceAccount(ctx context.Context, name string, ns string) ([]corev1.Secret, error) {
-	sa, err := r.clientset.CoreV1().ServiceAccounts(ns).
-		Get(ctx, name, metav1.GetOptions{})
-	if err != nil {
-		return nil, fmt.Errorf("getting service account by name: %s/%s: %w", ns, name, err)
-	}
-
-	return r.ListByLocalObjectReferences(ctx, sa.ImagePullSecrets, ns)
-}
-
-func (r *reader) ListByLocalObjectReferences(ctx context.Context, refs []corev1.LocalObjectReference, ns string) ([]corev1.Secret, error) {
-	secrets := make([]corev1.Secret, 0)
-
-	for _, secretRef := range refs {
-		secret, err := r.clientset.CoreV1().Secrets(ns).
-			Get(ctx, secretRef.Name, metav1.GetOptions{})
-		if err != nil {
-			return nil, fmt.Errorf("getting secret by name: %s/%s: %w", ns, secretRef.Name, err)
-		}
-		secrets = append(secrets, *secret)
-	}
-
-	return secrets, nil
-}
-
-// NewControllerRuntimeSecretsReader constructs a new SecretsReader which is
-// using the client package provided by the controller-runtime libraries for
-// interacting with the Kubernetes API server.
-func NewControllerRuntimeSecretsReader(client client.Client) SecretsReader {
-	return &crReader{client: client}
+// NewSecretsReader constructs a new SecretsReader which is using the client
+// package provided by the controller-runtime libraries for interacting with
+// the Kubernetes API server.
+func NewSecretsReader(client client.Client) SecretsReader {
+	return &secretsReader{client: client}
 }
 
-type crReader struct {
+type secretsReader struct {
 	client client.Client
 }
 
-func (r *crReader) ListByLocalObjectReferences(ctx context.Context, refs []corev1.LocalObjectReference, ns string) ([]corev1.Secret, error) {
+func (r *secretsReader) ListByLocalObjectReferences(ctx context.Context, refs []corev1.LocalObjectReference, ns string) ([]corev1.Secret, error) {
 	secrets := make([]corev1.Secret, 0)
 
 	for _, secretRef := range refs {
@@ -185,7 +128,7 @@ func (r *crReader) ListByLocalObjectReferences(ctx context.Context, refs []corev
 	return secrets, nil
 }
 
-func (r *crReader) ListByServiceAccount(ctx context.Context, name string, ns string) ([]corev1.Secret, error) {
+func (r *secretsReader) ListByServiceAccount(ctx context.Context, name string, ns string) ([]corev1.Secret, error) {
 	var sa corev1.ServiceAccount
 
 	err := r.client.Get(ctx, client.ObjectKey{Name: name, Namespace: ns}, &sa)
@@ -196,7 +139,7 @@ func (r *crReader) ListByServiceAccount(ctx context.Context, name string, ns str
 	return r.ListByLocalObjectReferences(ctx, sa.ImagePullSecrets, ns)
 }
 
-func (r *crReader) ListImagePullSecretsByPodSpec(ctx context.Context, spec corev1.PodSpec, ns string) ([]corev1.Secret, error) {
+func (r *secretsReader) ListImagePullSecretsByPodSpec(ctx context.Context, spec corev1.PodSpec, ns string) ([]corev1.Secret, error) {
 	secrets, err := r.ListByLocalObjectReferences(ctx, spec.ImagePullSecrets, ns)
 	if err != nil {
 		return nil, err