Allow to ignore namespaces for image scan (#273)

castai · May 21, 2024 · b204bff · b204bff
1 parent b3572a2
commit b204bff
Show file tree

Hide file tree

Showing 5 changed files with 70 additions and 8 deletions.
diff --git a/cmd/agent/daemon/daemon.go b/cmd/agent/daemon/daemon.go
@@ -53,7 +53,9 @@ func NewRunCommand(version string) *cobra.Command {
 		signatureEngineInputEventChanSize  = pflag.Int("signature-engine-input-queue-size", 1000, "Input queue size for the signature engine.")
 		signatureEngineOutputEventChanSize = pflag.Int("signature-engine-output-queue-size", 1000, "Output queue size for the signature engine.")
 
-		mutedNamespaces = pflag.StringArray("mute-namespace", []string{"kube-system", "calico", "calico-system"}, "List of namespaces to ignore tracing events for. To mute multiple namespaces, provide this flag multiple times.")
+		mutedNamespaces = pflag.StringSlice("ignored-namespaces", []string{"kube-system", "calico", "calico-system"},
+			"List of namespaces to ignore tracing events for. To ignore multiple namespaces, separate by comma or pass flag multiple times."+
+				" For example: --ignored-namespaces=kube-system,calico-system")
 
 		fileHashEnrichedEnabled           = pflag.Bool("file-hash-enricher-enabled", false, "Enables the file has event enricher for exec events")
 		ttyDetectionSignatureEnabled      = pflag.Bool("signature-tty-detection-enabled", false, "Enables the tty detection signature")

diff --git a/cmd/controller/main.go b/cmd/controller/main.go
@@ -68,6 +68,8 @@ var (
 	imageScanMemoryLimit           = pflag.String("image-scan-memory-limit", "2Gi", "Image scan memory limit")
 	imageScanProfileProfileEnabled = pflag.Bool("image-profile-enabled", false, "Image scan pprof and pyroscope")
 	imageScanBlobsCacheURL         = pflag.String("image-scan-blobs-cache-url", "http://castai-kvisor-controller.castai-agent", "Image scan blobs cache server url")
+	imageScanIgnoredNamespaces     = pflag.StringSlice("image-scan-ignored-namespaces", []string{},
+		"Image scan ignored namespaces. For example: --image-scan-ignored-namespaces=kube-system,my-namespace")
 
 	kubeBenchEnabled            = pflag.Bool("kube-bench-enabled", false, "Kube Bench enabled")
 	kubeBenchScanInterval       = pflag.Duration("kube-bench-scan-interval", 5*time.Minute, "Kube bench scan interval")
@@ -202,6 +204,7 @@ func main() {
 			CastaiGrpcInsecure:        *castaiServerInsecure,
 			ImageScanBlobsCacheURL:    *imageScanBlobsCacheURL,
 			CloudProvider:             cloudProviderVal,
+			IgnoredNamespaces:         *imageScanIgnoredNamespaces,
 		},
 		Linter: kubelinter.Config{
 			Enabled:      *kubeLinterEnabled,

diff --git a/cmd/controller/state/imagescan/controller.go b/cmd/controller/state/imagescan/controller.go
@@ -47,6 +47,7 @@ type Config struct {
 	CastaiGrpcInsecure        bool
 	ImageScanBlobsCacheURL    string
 	CloudProvider             string
+	IgnoredNamespaces         []string
 }
 
 type ImageScanImage struct {
@@ -61,11 +62,16 @@ func NewController(
 	kubeController kubeClient,
 ) *Controller {
 	log = log.WithField("component", "imagescan")
+	ignoredNamespaces := make(map[string]struct{}, len(cfg.IgnoredNamespaces))
+	for _, ns := range cfg.IgnoredNamespaces {
+		ignoredNamespaces[ns] = struct{}{}
+	}
+
 	return &Controller{
 		imageScanner:      imageScanner,
 		client:            client,
 		kubeController:    kubeController,
-		delta:             newDeltaState(kubeController),
+		delta:             newDeltaState(kubeController, ignoredNamespaces),
 		log:               log,
 		cfg:               cfg,
 		timeGetter:        timeGetter(),

diff --git a/cmd/controller/state/imagescan/delta.go b/cmd/controller/state/imagescan/delta.go
@@ -34,16 +34,18 @@ func newImage() *image {
 	}
 }
 
-func newDeltaState(kubeClient kubeClient) *deltaState {
+func newDeltaState(kubeClient kubeClient, ignoredNamespaces map[string]struct{}) *deltaState {
 	return &deltaState{
-		kubeClient: kubeClient,
-		images:     map[string]*image{},
-		nodes:      map[string]*corev1.Node{},
+		kubeClient:        kubeClient,
+		images:            map[string]*image{},
+		nodes:             map[string]*corev1.Node{},
+		ignoredNamespaces: ignoredNamespaces,
 	}
 }
 
 type deltaState struct {
-	kubeClient kubeClient
+	kubeClient        kubeClient
+	ignoredNamespaces map[string]struct{}
 
 	mu sync.Mutex
 
@@ -152,6 +154,10 @@ func (d *deltaState) setImageScanned(scannedImg *castaipb.Image) {
 }
 
 func (d *deltaState) handlePodUpdate(v *corev1.Pod) {
+	if _, found := d.ignoredNamespaces[v.Namespace]; found {
+		return
+	}
+
 	if v.Status.Phase == corev1.PodSucceeded {
 		d.handlePodDelete(v)
 	}

diff --git a/cmd/controller/state/imagescan/delta_test.go b/cmd/controller/state/imagescan/delta_test.go
@@ -160,8 +160,53 @@ func TestDelta(t *testing.T) {
 		img, found = delta.images["testidamd64test"]
 		r.False(found)
 	})
+
+	t.Run("skip ignored namespaces", func(t *testing.T) {
+		r := require.New(t)
+		delta := newTestDelta()
+		delta.ignoredNamespaces = map[string]struct{}{
+			"kube-system": {},
+		}
+		pod := &corev1.Pod{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "Pod",
+				APIVersion: "v1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				UID:       "123",
+				Namespace: "kube-system",
+			},
+			Spec: corev1.PodSpec{
+				Containers: []corev1.Container{
+					{
+						Name:  "test",
+						Image: "test",
+						Resources: corev1.ResourceRequirements{
+							Requests: corev1.ResourceList{
+								corev1.ResourceCPU:    resource.MustParse("1"),
+								corev1.ResourceMemory: resource.MustParse("2Gi"),
+							},
+						},
+					},
+				},
+				NodeName: "node1",
+			},
+			Status: corev1.PodStatus{
+				Phase: corev1.PodRunning,
+				ContainerStatuses: []corev1.ContainerStatus{
+					{
+						Name:    "test",
+						ImageID: "testid",
+					},
+				},
+			},
+		}
+		delta.Upsert(pod)
+
+		r.Len(delta.images, 0)
+	})
 }
 
 func newTestDelta() *deltaState {
-	return newDeltaState(&mockKubeController{})
+	return newDeltaState(&mockKubeController{}, make(map[string]struct{}))
 }