feat(cli): Add pod template hash to vulnerability report (#599)

Signed-off-by: Daniel Pacak <[email protected]>
aquasecurity · May 25, 2021 · 431bdd5 · 431bdd5
1 parent 01a2700
commit 431bdd5
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 28 deletions.
diff --git a/itest/matcher/matcher.go b/itest/matcher/matcher.go
@@ -64,7 +64,7 @@ func (m *vulnerabilityReportMatcher) Match(actual interface{}) (bool, error) {
 
 	matcher := MatchFields(IgnoreExtras, Fields{
 		"ObjectMeta": MatchFields(IgnoreExtras, Fields{
-			"Labels": MatchAllKeys(Keys{
+			"Labels": MatchKeys(IgnoreExtras, Keys{
 				starboard.LabelContainerName:     Equal(m.containerName),
 				starboard.LabelResourceKind:      Equal(gvk.Kind),
 				starboard.LabelResourceName:      Equal(m.owner.GetName()),

diff --git a/pkg/operator/controller/vulnerabilityreport.go b/pkg/operator/controller/vulnerabilityreport.go
@@ -161,7 +161,7 @@ func (r *VulnerabilityReportReconciler) reconcileWorkload(workloadKind kube.Kind
 			return ctrl.Result{RequeueAfter: r.Config.ScanJobRetryAfter}, nil
 		}
 
-		return ctrl.Result{}, r.submitScanJob(ctx, podSpec, workloadPartial, containerImages, hash)
+		return ctrl.Result{}, r.submitScanJob(ctx, podSpec, workloadObj, containerImages, hash)
 	}
 }
 
@@ -205,8 +205,8 @@ func (r *VulnerabilityReportReconciler) hasActiveScanJob(ctx context.Context, ow
 	return false, nil, nil
 }
 
-func (r *VulnerabilityReportReconciler) submitScanJob(ctx context.Context, spec corev1.PodSpec, owner kube.Object, images kube.ContainerImages, hash string) error {
-	credentials, err := r.getCredentials(ctx, spec, owner.Namespace)
+func (r *VulnerabilityReportReconciler) submitScanJob(ctx context.Context, spec corev1.PodSpec, owner client.Object, images kube.ContainerImages, hash string) error {
+	credentials, err := r.getCredentials(ctx, spec, owner.GetNamespace())
 	if err != nil {
 		return err
 	}
@@ -242,20 +242,20 @@ func (r *VulnerabilityReportReconciler) submitScanJob(ctx context.Context, spec
 		}
 	}
 
-	jobName := fmt.Sprintf("scan-vulnerabilityreport-%s", kube.ComputeHash(owner))
+	labels := map[string]string{
+		starboard.LabelResourceKind:               owner.GetObjectKind().GroupVersionKind().Kind,
+		starboard.LabelResourceName:               owner.GetName(),
+		starboard.LabelResourceNamespace:          owner.GetNamespace(),
+		starboard.LabelPodSpecHash:                hash,
+		starboard.LabelK8SAppManagedBy:            starboard.AppStarboard,
+		starboard.LabelVulnerabilityReportScanner: "true",
+	}
 
 	scanJob := &batchv1.Job{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      jobName,
+			Name:      vulnerabilityreport.GetScanJobName(owner),
 			Namespace: r.Config.Namespace,
-			Labels: map[string]string{
-				starboard.LabelResourceKind:               string(owner.Kind),
-				starboard.LabelResourceName:               owner.Name,
-				starboard.LabelResourceNamespace:          owner.Namespace,
-				starboard.LabelPodSpecHash:                hash,
-				starboard.LabelK8SAppManagedBy:            starboard.AppStarboard,
-				starboard.LabelVulnerabilityReportScanner: "true",
-			},
+			Labels:    labels,
 			Annotations: map[string]string{
 				starboard.AnnotationContainerImages: containerImagesAsJSON,
 			},
@@ -266,14 +266,7 @@ func (r *VulnerabilityReportReconciler) submitScanJob(ctx context.Context, spec
 			ActiveDeadlineSeconds: kube.GetActiveDeadlineSeconds(r.Config.ScanJobTimeout),
 			Template: corev1.PodTemplateSpec{
 				ObjectMeta: metav1.ObjectMeta{
-					Labels: map[string]string{
-						starboard.LabelResourceKind:               string(owner.Kind),
-						starboard.LabelResourceName:               owner.Name,
-						starboard.LabelResourceNamespace:          owner.Namespace,
-						starboard.LabelPodSpecHash:                hash,
-						starboard.LabelK8SAppManagedBy:            starboard.AppStarboard,
-						starboard.LabelVulnerabilityReportScanner: "true",
-					},
+					Labels:      labels,
 					Annotations: scanJobAnnotations,
 				},
 				Spec: templateSpec,

diff --git a/pkg/vulnerabilityreport/scanner.go b/pkg/vulnerabilityreport/scanner.go
@@ -140,11 +140,13 @@ func (s *Scanner) prepareScanJob(workload client.Object, spec corev1.PodSpec, cr
 		return nil, nil, err
 	}
 
+	podSpecHash := kube.ComputeHash(spec)
+
 	labels := map[string]string{
-		starboard.LabelResourceKind:      workload.GetObjectKind().GroupVersionKind().Kind,
-		starboard.LabelResourceName:      workload.GetName(),
-		starboard.LabelResourceNamespace: workload.GetNamespace(),
-		// TODO Add pod-spec-hash or resource-spec-hash
+		starboard.LabelResourceKind:               workload.GetObjectKind().GroupVersionKind().Kind,
+		starboard.LabelResourceName:               workload.GetName(),
+		starboard.LabelResourceNamespace:          workload.GetNamespace(),
+		starboard.LabelPodSpecHash:                podSpecHash,
 		starboard.LabelK8SAppManagedBy:            starboard.AppStarboard,
 		starboard.LabelVulnerabilityReportScanner: "true",
 	}
@@ -187,6 +189,11 @@ func (s *Scanner) getVulnerabilityReportsByScanJob(ctx context.Context, job *bat
 		return nil, fmt.Errorf("getting container images: %w", err)
 	}
 
+	podSpecHash, ok := job.Labels[starboard.LabelPodSpecHash]
+	if !ok {
+		return nil, fmt.Errorf("expected label %s not set", starboard.LabelPodSpecHash)
+	}
+
 	for containerName, containerImage := range containerImages {
 		klog.V(3).Infof("Getting logs for %s container in job: %s/%s", containerName, job.Namespace, job.Name)
 		logsStream, err := s.logsReader.GetLogsByJobAndContainerName(ctx, job, containerName)
@@ -201,8 +208,7 @@ func (s *Scanner) getVulnerabilityReportsByScanJob(ctx context.Context, job *bat
 			Controller(owner).
 			Container(containerName).
 			Data(result).
-			// TODO Add pod template hash like we do in the Operator
-			PodSpecHash("").
+			PodSpecHash(podSpecHash).
 			Get()
 		if err != nil {
 			return nil, err