[FEATURE] Allow include/exclude of Labels that should be converted to Tags as a regular expression #526
Labels
help wanted
Denotes an issue that needs help from a contributor.
kind/feature
Categorizes issue or PR as related to a new feature.
Comments
fbuchmeier-abi
changed the title
|
Thanks for your suggestion. This sounds good, I would be happy if you can create a PR for that! |
ckotzbauer
added
the
kind/feature
ckotzbauer
added
the
help wanted
|
This issue is stale because it has been open 90 days with no activity. Remove stale label with |
github-actions
bot
added
the
lifecycle/stale
ckotzbauer
removed
the
lifecycle/stale
|
This issue is stale because it has been open 90 days with no activity. Remove stale label with |
github-actions
bot
added
the
lifecycle/stale
ckotzbauer
removed
the
lifecycle/stale
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Greetings!
Background
we are happily using the sbom-operator with DependencyTrack in multiple Kubernetes (Kops & EKS) clusters. We want to scan as much workloads as possible so we keep our label selectors for the sbom-operator quite lose.
As of recently, we have noticed that our DependencyTrack instance was running quite slow and the connected database had a very high and constant CPU usage.
After investigating, we found that the number of
tagsin the corresponding tableTAGSin DependencyTrack has grown to about 480 000 entries. As queries related to this table amount to almost all our CPU usage, we've analysed the content further and found that 2/3 of tags stored arecontroller-uid=SOME_UUIand the rest is mostlyjob-name=SOME_KUBERNETES_JOB_NAME. In our opinion, those two labels are created by several CronJobs we have running in our clusters. Each time a CronJob is triggered, it will create a new job (job-name) and a new pod. This pod will then inherit both thejob-namelabel as well as thecontroller-uidfrom the new job.Since we want to know which images and dependencies are using in our CronJob, we want to keep scanning them if possible.
Suggestion
The sbom-operator currently appends all labels of a given pod to the tags of the project in DependencyTrack, as can be seen here: https://github.com/ckotzbauer/sbom-operator/blob/main/internal/target/dtrack/dtrack_target.go#L153
Our suggestion would be to add a new configuration that allows filtering of labels that get transformed to tags.
label-filter(regular expression) - Allows filtering of labels that get converted to tags in the target system (e.g. DependencyTrack). This can be used to include only required labels or exclude noisy labels likecontroller-uidon pods created by CronJobs. To excludecontroller-uidas well asjob-name, set the filter to:(?i:(controller-uid|job-name))Implementation
If desired, we can create a Pull Request that implements this feature, otherwise we can also support in testing or reviewing it.
Thank you for your support and have a great day,
Florian.
The text was updated successfully, but these errors were encountered: