From 6d3b78674fae50bd124f50b5ac8c1fc836781890 Mon Sep 17 00:00:00 2001 From: Boris Shek Date: Mon, 27 Jan 2025 15:03:35 +0100 Subject: [PATCH 1/3] #2680 Grant delete permissions for scheduled scans in auto-discovery Add missing delete permissions for ScheduledScans in auto-discovery. Update `.helmignore` to exclude unused files, reducing Helm container size for local deployments. Signed-off-by: Boris Shek
--- auto-discovery/kubernetes/.helmignore | 5 ++++- .../kubernetes/controllers/container_scan_controller.go | 2 +- .../kubernetes/controllers/service_scan_controller.go | 2 +- auto-discovery/kubernetes/templates/rbac/role.yaml | 1 + 4 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/auto-discovery/kubernetes/.helmignore b/auto-discovery/kubernetes/.helmignore
index b688299bba..6c837dab31 100644
--- a/auto-discovery/kubernetes/.helmignore
+++ b/auto-discovery/kubernetes/.helmignore
@@ -15,4 +15,7 @@ main.go
 Makefile
 PROJECT
 auto-discovery-config.yaml
-./tests/
\ No newline at end of file
+./tests/
+docs/
+auto-discovery-kubernetes.tar
+pull-secret-extractor/
diff --git a/auto-discovery/kubernetes/controllers/container_scan_controller.go b/auto-discovery/kubernetes/controllers/container_scan_controller.go
index 129fd6e110..6f8de13b9b 100644
--- a/auto-discovery/kubernetes/controllers/container_scan_controller.go
+++ b/auto-discovery/kubernetes/controllers/container_scan_controller.go
@@ -47,7 +47,7 @@ type ContainerAutoDiscoveryTemplateArgs struct {
 }
 
 // +kubebuilder:rbac:groups="execution.securecodebox.io",resources=scantypes,verbs=get;list;watch
-// +kubebuilder:rbac:groups="execution.securecodebox.io",resources=scheduledscans,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups="execution.securecodebox.io",resources=scheduledscans,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups="execution.securecodebox.io/status",resources=scheduledscans,verbs=get;update;patch
 // +kubebuilder:rbac:groups="",resources=services,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=services/status,verbs=get
diff --git a/auto-discovery/kubernetes/controllers/service_scan_controller.go b/auto-discovery/kubernetes/controllers/service_scan_controller.go
index 68a842d4d5..48487fbf97 100644
--- a/auto-discovery/kubernetes/controllers/service_scan_controller.go
+++ b/auto-discovery/kubernetes/controllers/service_scan_controller.go
@@ -48,7 +48,7 @@ type ServiceAutoDiscoveryTemplateArgs struct {
 const requeueInterval = 5 * time.Second
 
 // +kubebuilder:rbac:groups="execution.securecodebox.io",resources=scantypes,verbs=get;list;watch
-// +kubebuilder:rbac:groups="execution.securecodebox.io",resources=scheduledscans,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups="execution.securecodebox.io",resources=scheduledscans,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups="execution.securecodebox.io/status",resources=scheduledscans,verbs=get;update;patch
 // +kubebuilder:rbac:groups="",resources=services,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=services/status,verbs=get
diff --git a/auto-discovery/kubernetes/templates/rbac/role.yaml b/auto-discovery/kubernetes/templates/rbac/role.yaml
index a2453f5d3d..6ca2877f7e 100644
--- a/auto-discovery/kubernetes/templates/rbac/role.yaml
+++ b/auto-discovery/kubernetes/templates/rbac/role.yaml
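Review bot: The widened marker grants the controller `delete` on every ScheduledScan within the role's scope, not only on the ones auto-discovery created, so the restriction to its own scans has to come from the deletion code (an owner-reference or label check) rather than from RBAC; that code is outside this hunk and worth confirming before the grant ships. A comment on the marker stating why the verb is needed, e.g. `// delete: lets the controller remove ScheduledScans it created for containers that no longer exist`, would document the widening for the next RBAC review. The same change appears in service_scan_controller.go (the following hunk on this line) and in the verbs list of templates/rbac/role.yaml; since controller-gen unions the markers of both files into one rule, the verb could stay on the container controller alone if the service controller never deletes scans, which I cannot see from the diff.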
@@ -64,6 +64,7 @@ rules:
 - scheduledscans
 verbs:
 - create
+ - delete
 - get
 - list
 - patch
From 6c9d08afdf9fce337edc3aa5585609bd66fb0fbb Mon Sep 17 00:00:00 2001 From: Boris Shek Date: Mon, 27 Jan 2025 15:49:08 +0100 Subject: [PATCH 2/3] #2680 Update auto-discovery tests snapshot Signed-off-by: Boris Shek
--- .../kubernetes/tests/__snapshot__/auto-discovery_test.yaml.snap | 1 + 1 file changed, 1 insertion(+)
diff --git a/auto-discovery/kubernetes/tests/__snapshot__/auto-discovery_test.yaml.snap b/auto-discovery/kubernetes/tests/__snapshot__/auto-discovery_test.yaml.snap
index d959744251..447d69b0e8 100644
--- a/auto-discovery/kubernetes/tests/__snapshot__/auto-discovery_test.yaml.snap
+++ b/auto-discovery/kubernetes/tests/__snapshot__/auto-discovery_test.yaml.snap
@@ -263,6 +263,7 @@ matches the snapshot:
 - scheduledscans
 verbs:
 - create
+ - delete
 - get
 - list
 - patch
From ccb82e7b3349f9306779eed1e9ff6102ee003735 Mon Sep 17 00:00:00 2001 From: Boris Shek Date: Tue, 28 Jan 2025 16:32:33 +0100 Subject: [PATCH 3/3] #2680 Handle missing ScheduledScan gracefully by auto-discovery Previously, the Container Auto-Discovery controller logged an error when trying to fetch a ScheduledScan that was already deleted. This change introduces a check for `IsNotFound` errors, treating them as expected behavior instead of logging them as errors. Now, if a ScheduledScan is not found, an informational log message is recorded instead of an error. This prevents unnecessary noise in logs. Signed-off-by: Boris Shek
--- .../kubernetes/controllers/container_scan_controller.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/auto-discovery/kubernetes/controllers/container_scan_controller.go b/auto-discovery/kubernetes/controllers/container_scan_controller.go
index 6f8de13b9b..b77b7d4c73 100644
--- a/auto-discovery/kubernetes/controllers/container_scan_controller.go
+++ b/auto-discovery/kubernetes/controllers/container_scan_controller.go
@@ -427,7 +427,11 @@ func (r *ContainerScanReconciler) getOrphanedScanImageIDs(ctx context.Context, p
 var scan executionv1.ScheduledScan
 err := r.Client.Get(ctx, types.NamespacedName{Name: scanName, Namespace: pod.Namespace}, &scan)
 if err != nil {
- r.Log.Error(err, "Unable to fetch scan", "name", scanName)
+ if k8sErrors.IsNotFound(err) {
+ r.Log.Info("Scan was already deleted, nothing to do", "name", scanName)
+ } else {
+ r.Log.Error(err, "Unable to fetch scan", "name", scanName)
+ }
 } else if !r.containerIDInUse(ctx, pod, imageID) {
 result[cleanedImageID] = append(result[cleanedImageID], scanConfig)
 }
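Review bot: The new IsNotFound branch leaves the reader to work out that a missing ScheduledScan is deliberately skipped rather than recorded in result, and that any other Get error is skipped as well, so the orphan list is never extended on a transient API failure — the safe direction, since an entry in result presumably leads to a deletion later in the function. A comment above the branch, `// A missing scan means an earlier pass already cleaned it up; skip it. Other errors also skip so a transient API failure never marks a scan as orphaned`, would make both decisions explicit. Because a missing scan is now expected on every pass, consider logging it at verbose level, `r.Log.V(1).Info("Scan was already deleted, nothing to do", "name", scanName)`, assuming r.Log is a logr.Logger, so routine reconciles stay quiet. The `k8sErrors` import must already exist in the file, since the diffstat shows only these five insertions; getOrphanedScanImageIDs starts and ends outside the hunk.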