[FEATURE] Allow include/exclude of Labels that should be converted to Tags as a regular expression #526
Labels: help wanted, kind/feature
Greetings!
Background
We are happily using the sbom-operator with DependencyTrack in multiple Kubernetes (Kops & EKS) clusters. We want to scan as many workloads as possible, so we keep our label selectors for the sbom-operator quite loose.
As of recently, we have noticed that our DependencyTrack instance was running quite slow and the connected database had a very high and constant CPU usage.
After investigating, we found that the number of tags in the corresponding table TAGS in DependencyTrack has grown to about 480 000 entries. As queries related to this table amount to almost all our CPU usage, we've analysed the content further and found that 2/3 of tags stored are controller-uid=SOME_UUI and the rest is mostly job-name=SOME_KUBERNETES_JOB_NAME. In our opinion, those two labels are created by several CronJobs we have running in our clusters. Each time a CronJob is triggered, it will create a new job (job-name) and a new pod. This pod will then inherit both the job-name label as well as the controller-uid from the new job.
Since we want to know which images and dependencies are used in our CronJob, we want to keep scanning them if possible.
Suggestion
The sbom-operator currently appends all labels of a given pod to the tags of the project in DependencyTrack, as can be seen here: https://github.com/ckotzbauer/sbom-operator/blob/main/internal/target/dtrack/dtrack_target.go#L153
Our suggestion would be to add a new configuration that allows filtering of labels that get transformed to tags.
label-filter (regular expression) - Allows filtering of labels that get converted to tags in the target system (e.g. DependencyTrack). This can be used to include only required labels or exclude noisy labels like controller-uid on pods created by CronJobs. To exclude controller-uid as well as job-name, set the filter to: (?i:(controller-uid|job-name))
Implementation
If desired, we can create a Pull Request that implements this feature, otherwise we can also support in testing or reviewing it.
Thank you for your support and have a great day,
Florian.
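A sketch of the proposed exclusion filter, added here as an example; it is not code from the issue or from sbom-operator. The helper `filterLabelTags`, the sample labels, and the anchored expression are assumptions, as is matching on the label key only. It also shows that the unanchored expression from the issue matches any key containing either name.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// filterLabelTags is a hypothetical helper (not sbom-operator code). It turns
// pod labels into "key=value" tag strings and drops every label whose key
// matches the exclude expression. A nil expression keeps all labels.
func filterLabelTags(labels map[string]string, exclude *regexp.Regexp) []string {
	tags := make([]string, 0, len(labels))
	for k, v := range labels {
		if exclude != nil && exclude.MatchString(k) {
			continue
		}
		tags = append(tags, k+"="+v)
	}
	sort.Strings(tags) // map iteration order is random; sort for stable output
	return tags
}

// Constructed labels of a pod started by a CronJob (values are made up).
var sampleLabels = map[string]string{
	"app":                                "report",
	"controller-uid":                     "00000000-0000-0000-0000-000000000001",
	"job-name":                           "report-28500000",
	"batch.kubernetes.io/controller-uid": "00000000-0000-0000-0000-000000000001",
	"batch.kubernetes.io/job-name":       "report-28500000",
	"cronjob-name-hint":                  "report",
}

func main() {
	// Expression from the issue: unanchored, so it matches anywhere in the key.
	unanchored := regexp.MustCompile(`(?i:(controller-uid|job-name))`)
	// Anchored variant (assumption): exact keys only, with an optional prefix.
	anchored := regexp.MustCompile(`(?i)^(batch\.kubernetes\.io/)?(controller-uid|job-name)$`)

	fmt.Println("no filter: ", filterLabelTags(sampleLabels, nil))
	fmt.Println("unanchored:", filterLabelTags(sampleLabels, unanchored))
	fmt.Println("anchored:  ", filterLabelTags(sampleLabels, anchored))
}
```

With the unanchored expression the constructed `cronjob-name-hint` label is dropped as well, because its key contains `job-name`; the anchored variant keeps it.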