Find Resources in init containers (#65)

* find configmaps in init containers * Find used secrets in init containers
yonahd · Sep 10, 2023 · 0dbc169 · 0dbc169
1 parent cf47842
commit 0dbc169
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 20 deletions.
diff --git a/pkg/kor/confimgmaps.go b/pkg/kor/confimgmaps.go
@@ -17,17 +17,18 @@ var exceptionconfigmaps = []ExceptionResource{
 	{ResourceName: "kube-root-ca.crt", Namespace: "*"},
 }
 
-func retrieveUsedCM(kubeClient *kubernetes.Clientset, namespace string) ([]string, []string, []string, []string, []string, error) {
-	volumesCM := []string{}
-	volumesProjectedCM := []string{}
-	envCM := []string{}
-	envFromCM := []string{}
-	envFromContainerCM := []string{}
+func retrieveUsedCM(kubeClient *kubernetes.Clientset, namespace string) ([]string, []string, []string, []string, []string, []string, error) {
+	var volumesCM []string
+	var volumesProjectedCM []string
+	var envCM []string
+	var envFromCM []string
+	var envFromContainerCM []string
+	var envFromInitContainerCM []string
 
 	// Retrieve pods in the specified namespace
 	pods, err := kubeClient.CoreV1().Pods(namespace).List(context.TODO(), metav1.ListOptions{})
 	if err != nil {
-		return nil, nil, nil, nil, nil, err
+		return nil, nil, nil, nil, nil, nil, err
 	}
 
 	// Extract volume and environment information from pods
@@ -61,6 +62,18 @@ func retrieveUsedCM(kubeClient *kubernetes.Clientset, namespace string) ([]strin
 				}
 			}
 		}
+		for _, initContainer := range pod.Spec.InitContainers {
+			for _, volume := range initContainer.VolumeMounts {
+				if volume.Name != "" && volume.MountPath != "" {
+					volumesCM = append(volumesCM, volume.Name)
+				}
+			}
+			for _, env := range initContainer.Env {
+				if env.ValueFrom != nil && env.ValueFrom.ConfigMapKeyRef != nil {
+					envFromInitContainerCM = append(envFromInitContainerCM, env.ValueFrom.ConfigMapKeyRef.Name)
+				}
+			}
+		}
 	}
 
 	for _, resource := range exceptionconfigmaps {
@@ -69,7 +82,7 @@ func retrieveUsedCM(kubeClient *kubernetes.Clientset, namespace string) ([]strin
 		}
 	}
 
-	return volumesCM, volumesProjectedCM, envCM, envFromCM, envFromContainerCM, nil
+	return volumesCM, volumesProjectedCM, envCM, envFromCM, envFromContainerCM, envFromInitContainerCM, nil
 }
 
 func retrieveConfigMapNames(kubeClient *kubernetes.Clientset, namespace string) ([]string, error) {
@@ -85,7 +98,7 @@ func retrieveConfigMapNames(kubeClient *kubernetes.Clientset, namespace string)
 }
 
 func processNamespaceCM(kubeClient *kubernetes.Clientset, namespace string) ([]string, error) {
-	volumesCM, volumesProjectedCM, envCM, envFromCM, envFromContainerCM, err := retrieveUsedCM(kubeClient, namespace)
+	volumesCM, volumesProjectedCM, envCM, envFromCM, envFromContainerCM, envFromInitContainerCM, err := retrieveUsedCM(kubeClient, namespace)
 	if err != nil {
 		return nil, err
 	}
@@ -95,13 +108,19 @@ func processNamespaceCM(kubeClient *kubernetes.Clientset, namespace string) ([]s
 	envCM = RemoveDuplicatesAndSort(envCM)
 	envFromCM = RemoveDuplicatesAndSort(envFromCM)
 	envFromContainerCM = RemoveDuplicatesAndSort(envFromContainerCM)
+	envFromInitContainerCM = RemoveDuplicatesAndSort(envFromInitContainerCM)
 
 	configMapNames, err := retrieveConfigMapNames(kubeClient, namespace)
 	if err != nil {
 		return nil, err
 	}
 
-	usedConfigMaps := append(append(append(append(volumesCM, volumesProjectedCM...), envCM...), envFromCM...), envFromContainerCM...)
+	var usedConfigMaps []string
+	slicesToAppend := [][]string{volumesCM, volumesProjectedCM, envCM, envFromCM, envFromContainerCM, envFromInitContainerCM}
+
+	for _, slice := range slicesToAppend {
+		usedConfigMaps = append(usedConfigMaps, slice...)
+	}
 	diff := CalculateResourceDifference(usedConfigMaps, configMapNames)
 	return diff, nil
 

diff --git a/pkg/kor/secrets.go b/pkg/kor/secrets.go
@@ -37,16 +37,17 @@ func retrieveIngressTLS(clientset *kubernetes.Clientset, namespace string) ([]st
 
 }
 
-func retrieveUsedSecret(kubeClient *kubernetes.Clientset, namespace string) ([]string, []string, []string, []string, []string, error) {
-	envSecrets := []string{}
-	envSecrets2 := []string{}
-	volumeSecrets := []string{}
-	pullSecrets := []string{}
+func retrieveUsedSecret(kubeClient *kubernetes.Clientset, namespace string) ([]string, []string, []string, []string, []string, []string, error) {
+	var envSecrets []string
+	var envSecrets2 []string
+	var volumeSecrets []string
+	var pullSecrets []string
+	var initContainerEnvSecrets []string
 
 	// Retrieve pods in the specified namespace
 	pods, err := kubeClient.CoreV1().Pods(namespace).List(context.TODO(), metav1.ListOptions{})
 	if err != nil {
-		return nil, nil, nil, nil, nil, err
+		return nil, nil, nil, nil, nil, nil, err
 	}
 
 	// Extract volume and environment information from pods
@@ -63,6 +64,15 @@ func retrieveUsedSecret(kubeClient *kubernetes.Clientset, namespace string) ([]s
 				}
 			}
 		}
+
+		for _, initContainer := range pod.Spec.InitContainers {
+			for _, env := range initContainer.Env {
+				if env.ValueFrom != nil && env.ValueFrom.SecretKeyRef != nil {
+					initContainerEnvSecrets = append(initContainerEnvSecrets, env.ValueFrom.SecretKeyRef.Name)
+				}
+			}
+		}
+
 		for _, volume := range pod.Spec.Volumes {
 			if volume.Secret != nil {
 				volumeSecrets = append(volumeSecrets, volume.Secret.SecretName)
@@ -77,10 +87,10 @@ func retrieveUsedSecret(kubeClient *kubernetes.Clientset, namespace string) ([]s
 
 	tlsSecrets, err := retrieveIngressTLS(kubeClient, namespace)
 	if err != nil {
-		return nil, nil, nil, nil, nil, err
+		return nil, nil, nil, nil, nil, nil, err
 	}
 
-	return envSecrets, envSecrets2, volumeSecrets, pullSecrets, tlsSecrets, nil
+	return envSecrets, envSecrets2, volumeSecrets, initContainerEnvSecrets, pullSecrets, tlsSecrets, nil
 }
 
 func retrieveSecretNames(kubeClient *kubernetes.Clientset, namespace string) ([]string, error) {
@@ -98,14 +108,15 @@ func retrieveSecretNames(kubeClient *kubernetes.Clientset, namespace string) ([]
 }
 
 func processNamespaceSecret(kubeClient *kubernetes.Clientset, namespace string) ([]string, error) {
-	envSecrets, envSecrets2, volumeSecrets, pullSecrets, tlsSecrets, err := retrieveUsedSecret(kubeClient, namespace)
+	envSecrets, envSecrets2, volumeSecrets, initContainerEnvSecrets, pullSecrets, tlsSecrets, err := retrieveUsedSecret(kubeClient, namespace)
 	if err != nil {
 		return nil, err
 	}
 
 	envSecrets = RemoveDuplicatesAndSort(envSecrets)
 	envSecrets2 = RemoveDuplicatesAndSort(envSecrets2)
 	volumeSecrets = RemoveDuplicatesAndSort(volumeSecrets)
+	initContainerEnvSecrets = RemoveDuplicatesAndSort(initContainerEnvSecrets)
 	pullSecrets = RemoveDuplicatesAndSort(pullSecrets)
 	tlsSecrets = RemoveDuplicatesAndSort(tlsSecrets)
 
@@ -114,7 +125,12 @@ func processNamespaceSecret(kubeClient *kubernetes.Clientset, namespace string)
 		return nil, err
 	}
 
-	usedSecrets := append(append(append(append(envSecrets, envSecrets2...), volumeSecrets...), pullSecrets...), tlsSecrets...)
+	var usedSecrets []string
+	slicesToAppend := [][]string{envSecrets, envSecrets2, volumeSecrets, pullSecrets, tlsSecrets, initContainerEnvSecrets}
+
+	for _, slice := range slicesToAppend {
+		usedSecrets = append(usedSecrets, slice...)
+	}
 	diff := CalculateResourceDifference(usedSecrets, secretNames)
 	return diff, nil