From 0dbc16934ef2977faf2403143ef0886ef733d6cd Mon Sep 17 00:00:00 2001
From: Yonah Dissen <47282577+yonahd@users.noreply.github.com>
Date: Sun, 10 Sep 2023 12:51:56 +0300
Subject: [PATCH] Find Resources in init containers (#65)
* find configmaps in init containers
* Find used secrets in init containers
---
 pkg/kor/confimgmaps.go | 39 +++++++++++++++++++++++++++++----------
 pkg/kor/secrets.go | 36 ++++++++++++++++++++++++++----------
 2 files changed, 55 insertions(+), 20 deletions(-)
diff --git a/pkg/kor/confimgmaps.go b/pkg/kor/confimgmaps.go
index 380f8c25..9fbf2b67 100644
--- a/pkg/kor/confimgmaps.go
+++ b/pkg/kor/confimgmaps.go
@@ -17,17 +17,18 @@ var exceptionconfigmaps = []ExceptionResource{
 {ResourceName: "kube-root-ca.crt", Namespace: "*"},
 }
-func retrieveUsedCM(kubeClient *kubernetes.Clientset, namespace string) ([]string, []string, []string, []string, []string, error) {
- volumesCM := []string{}
- volumesProjectedCM := []string{}
- envCM := []string{}
- envFromCM := []string{}
- envFromContainerCM := []string{}
+func retrieveUsedCM(kubeClient *kubernetes.Clientset, namespace string) ([]string, []string, []string, []string, []string, []string, error) {
+ var volumesCM []string
+ var volumesProjectedCM []string
+ var envCM []string
+ var envFromCM []string
+ var envFromContainerCM []string
+ var envFromInitContainerCM []string
 // Retrieve pods in the specified namespace
 pods, err := kubeClient.CoreV1().Pods(namespace).List(context.TODO(), metav1.ListOptions{})
 if err != nil {
- return nil, nil, nil, nil, nil, err
+ return nil, nil, nil, nil, nil, nil, err
 }
 // Extract volume and environment information from pods
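Review bot: retrieveUsedCM now returns six `[]string` values that the caller can tell apart only by position, and the compiler cannot catch two of them being swapped; retrieveUsedSecret in secrets.go follows the same pattern and this commit inserts `initContainerEnvSecrets` in the middle of its list. The visible caller, processNamespaceCM, only de-duplicates each slice and concatenates them, so a single merged slice or a small struct with named fields would be safer. If the signature stays, a doc comment such as `// retrieveUsedCM returns, in order: volumesCM, volumesProjectedCM, envCM, envFromCM, envFromContainerCM, envFromInitContainerCM.` would at least pin the order. The function body continues outside this hunk.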
@@ -61,6 +62,18 @@ func retrieveUsedCM(kubeClient *kubernetes.Clientset, namespace string) ([]strin
 }
 }
 }
+ for _, initContainer := range pod.Spec.InitContainers {
+ for _, volume := range initContainer.VolumeMounts {
+ if volume.Name != "" && volume.MountPath != "" {
+ volumesCM = append(volumesCM, volume.Name)
+ }
+ }
+ for _, env := range initContainer.Env {
+ if env.ValueFrom != nil && env.ValueFrom.ConfigMapKeyRef != nil {
+ envFromInitContainerCM = append(envFromInitContainerCM, env.ValueFrom.ConfigMapKeyRef.Name)
+ }
+ }
+ }
 }
 for _, resource := range exceptionconfigmaps {
@@ -69,7 +82,7 @@ func retrieveUsedCM(kubeClient *kubernetes.Clientset, namespace string) ([]strin
 }
 }
- return volumesCM, volumesProjectedCM, envCM, envFromCM, envFromContainerCM, nil
+ return volumesCM, volumesProjectedCM, envCM, envFromCM, envFromContainerCM, envFromInitContainerCM, nil
 }
 func retrieveConfigMapNames(kubeClient *kubernetes.Clientset, namespace string) ([]string, error) {
@@ -85,7 +98,7 @@ func retrieveConfigMapNames(kubeClient *kubernetes.Clientset, namespace string)
 }
 func processNamespaceCM(kubeClient *kubernetes.Clientset, namespace string) ([]string, error) {
- volumesCM, volumesProjectedCM, envCM, envFromCM, envFromContainerCM, err := retrieveUsedCM(kubeClient, namespace)
+ volumesCM, volumesProjectedCM, envCM, envFromCM, envFromContainerCM, envFromInitContainerCM, err := retrieveUsedCM(kubeClient, namespace)
 if err != nil {
 return nil, err
 }
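Review bot: The new init-container loop reads only `env[].valueFrom.configMapKeyRef`, so a ConfigMap that an init container loads through `envFrom` is still reported as unused, and deleting it on the strength of that report can leave the pod unable to start; the init-container loop added to retrieveUsedSecret in secrets.go has the same gap for `envFrom[].secretRef`. An `EnvFrom` pass like the one below closes it for ConfigMaps. Separately, the `VolumeMounts` loop appends `volume.Name`, which is the name of the pod volume and not of a ConfigMap, so an unrelated ConfigMap that happens to share that name is marked as used; the ConfigMap behind a mount is reachable through `pod.Spec.Volumes`, which is presumably handled earlier in this function, outside the hunk. I would drop that loop.

```go
for _, initContainer := range pod.Spec.InitContainers {
	// … unchanged: Env loop collecting ConfigMapKeyRef names …
	for _, envFrom := range initContainer.EnvFrom {
		if envFrom.ConfigMapRef != nil {
			envFromInitContainerCM = append(envFromInitContainerCM, envFrom.ConfigMapRef.Name)
		}
	}
}
```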
@@ -95,13 +108,19 @@ func processNamespaceCM(kubeClient *kubernetes.Clientset, namespace string) ([]s
 envCM = RemoveDuplicatesAndSort(envCM)
 envFromCM = RemoveDuplicatesAndSort(envFromCM)
 envFromContainerCM = RemoveDuplicatesAndSort(envFromContainerCM)
+ envFromInitContainerCM = RemoveDuplicatesAndSort(envFromInitContainerCM)
 configMapNames, err := retrieveConfigMapNames(kubeClient, namespace)
 if err != nil {
 return nil, err
 }
- usedConfigMaps := append(append(append(append(volumesCM, volumesProjectedCM...), envCM...), envFromCM...), envFromContainerCM...)
+ var usedConfigMaps []string
+ slicesToAppend := [][]string{volumesCM, volumesProjectedCM, envCM, envFromCM, envFromContainerCM, envFromInitContainerCM}
+
+ for _, slice := range slicesToAppend {
+ usedConfigMaps = append(usedConfigMaps, slice...)
+ }
 diff := CalculateResourceDifference(usedConfigMaps, configMapNames)
 return diff, nil
diff --git a/pkg/kor/secrets.go b/pkg/kor/secrets.go
index 0d238866..522332ec 100644
--- a/pkg/kor/secrets.go
+++ b/pkg/kor/secrets.go
@@ -37,16 +37,17 @@ func retrieveIngressTLS(clientset *kubernetes.Clientset, namespace string) ([]st
 }
-func retrieveUsedSecret(kubeClient *kubernetes.Clientset, namespace string) ([]string, []string, []string, []string, []string, error) {
- envSecrets := []string{}
- envSecrets2 := []string{}
- volumeSecrets := []string{}
- pullSecrets := []string{}
+func retrieveUsedSecret(kubeClient *kubernetes.Clientset, namespace string) ([]string, []string, []string, []string, []string, []string, error) {
+ var envSecrets []string
+ var envSecrets2 []string
+ var volumeSecrets []string
+ var pullSecrets []string
+ var initContainerEnvSecrets []string
 // Retrieve pods in the specified namespace
 pods, err := kubeClient.CoreV1().Pods(namespace).List(context.TODO(), metav1.ListOptions{})
 if err != nil {
- return nil, nil, nil, nil, nil, err
+ return nil, nil, nil, nil, nil, nil, err
 }
 // Extract volume and environment information from pods
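Review bot: The merge loop in processNamespaceCM concatenates six slices that were each de-duplicated on their own, so a name referenced from both a volume and an init container appears more than once in `usedConfigMaps`; whether CalculateResourceDifference tolerates duplicates is not visible here. Merging first and calling `usedConfigMaps = RemoveDuplicatesAndSort(usedConfigMaps)` once would replace the six per-slice calls and give the difference a well-defined input. The same applies to the `usedSecrets` loop in processNamespaceSecret.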
@@ -63,6 +64,15 @@ func retrieveUsedSecret(kubeClient *kubernetes.Clientset, namespace string) ([]s
 }
 }
 }
+
+ for _, initContainer := range pod.Spec.InitContainers {
+ for _, env := range initContainer.Env {
+ if env.ValueFrom != nil && env.ValueFrom.SecretKeyRef != nil {
+ initContainerEnvSecrets = append(initContainerEnvSecrets, env.ValueFrom.SecretKeyRef.Name)
+ }
+ }
+ }
+
 for _, volume := range pod.Spec.Volumes {
 if volume.Secret != nil {
 volumeSecrets = append(volumeSecrets, volume.Secret.SecretName)
@@ -77,10 +87,10 @@ func retrieveUsedSecret(kubeClient *kubernetes.Clientset, namespace string) ([]s
 tlsSecrets, err := retrieveIngressTLS(kubeClient, namespace)
 if err != nil {
- return nil, nil, nil, nil, nil, err
+ return nil, nil, nil, nil, nil, nil, err
 }
- return envSecrets, envSecrets2, volumeSecrets, pullSecrets, tlsSecrets, nil
+ return envSecrets, envSecrets2, volumeSecrets, initContainerEnvSecrets, pullSecrets, tlsSecrets, nil
 }
 func retrieveSecretNames(kubeClient *kubernetes.Clientset, namespace string) ([]string, error) {
@@ -98,7 +108,7 @@ func retrieveSecretNames(kubeClient *kubernetes.Clientset, namespace string) ([]
 }
 func processNamespaceSecret(kubeClient *kubernetes.Clientset, namespace string) ([]string, error) {
- envSecrets, envSecrets2, volumeSecrets, pullSecrets, tlsSecrets, err := retrieveUsedSecret(kubeClient, namespace)
+ envSecrets, envSecrets2, volumeSecrets, initContainerEnvSecrets, pullSecrets, tlsSecrets, err := retrieveUsedSecret(kubeClient, namespace)
 if err != nil {
 return nil, err
 }
@@ -106,6 +116,7 @@ func processNamespaceSecret(kubeClient *kubernetes.Clientset, namespace string)
 envSecrets = RemoveDuplicatesAndSort(envSecrets)
 envSecrets2 = RemoveDuplicatesAndSort(envSecrets2)
 volumeSecrets = RemoveDuplicatesAndSort(volumeSecrets)
+ initContainerEnvSecrets = RemoveDuplicatesAndSort(initContainerEnvSecrets)
 pullSecrets = RemoveDuplicatesAndSort(pullSecrets)
 tlsSecrets = RemoveDuplicatesAndSort(tlsSecrets)
@@ -114,7 +125,12 @@ func processNamespaceSecret(kubeClient *kubernetes.Clientset, namespace string)
 return nil, err
 }
- usedSecrets := append(append(append(append(envSecrets, envSecrets2...), volumeSecrets...), pullSecrets...), tlsSecrets...)
+ var usedSecrets []string
+ slicesToAppend := [][]string{envSecrets, envSecrets2, volumeSecrets, pullSecrets, tlsSecrets, initContainerEnvSecrets}
+
+ for _, slice := range slicesToAppend {
+ usedSecrets = append(usedSecrets, slice...)
+ }
 diff := CalculateResourceDifference(usedSecrets, secretNames)
 return diff, nil