feat: add workload labels on the scan job (#80)

statnett · Jan 17, 2023 · 0faade8 · 0faade8
1 parent c2761b4
commit 0faade8
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 10 deletions.
diff --git a/api/v1alpha1/labels.go b/api/v1alpha1/labels.go
@@ -5,6 +5,9 @@ const (
 	LabelK8SAppManagedBy             = "app.kubernetes.io/managed-by"
 	LabelStatnettControllerNamespace = "controller.statnett.no/namespace"
 	LabelStatnettControllerUID       = "controller.statnett.no/uid"
+	LabelStatnettWorkloadKind        = "workload.statnett.no/kind"
+	LabelStatnettWorkloadName        = "workload.statnett.no/name"
+	LabelStatnettWorkloadNamespace   = "workload.statnett.no/namespace"
 
 	AppNameImageScanner = "image-scanner"
 	AppNameTrivy        = "trivy"

diff --git a/controllers/testdata/scan-job/cis.yaml b/controllers/testdata/scan-job/cis.yaml
@@ -7,3 +7,6 @@ metadata:
 spec:
   digest: 'sha256:6da1811b094adbea1eb34c3e48fc2833b1a11a351ec7b36cc390e740a64fbae4'
   name: docker.io/nginxinc/nginx-unprivileged
+  workload:
+    kind: Pod
+    name: echo
diff --git a/controllers/testdata/scan-job/expected-scan-job.yaml b/controllers/testdata/scan-job/expected-scan-job.yaml
@@ -10,8 +10,11 @@ metadata:
     app.kubernetes.io/name: trivy
     controller.statnett.no/namespace: replica-set
     controller.statnett.no/uid: <CIS-UID>
+    workload.statnett.no/kind: Pod
+    workload.statnett.no/name: echo
+    workload.statnett.no/namespace: replica-set
   namespace: image-scanner-jobs
-  name: echo-6bdfc76c56-8ae43-b4cf9
+  name: echo-6bdfc76c56-8ae43-2693c
 spec:
   activeDeadlineSeconds: 3600
   backoffLimit: 3

diff --git a/internal/trivy/scan_job.go b/internal/trivy/scan_job.go
@@ -18,15 +18,16 @@ import (
 )
 
 const (
-	FsScanSharedVolumeMountPath = "/var/run/image-scanner"
-	FsScanSharedVolumeName      = "image-scanner"
-	FsScanTrivyBinaryPath       = FsScanSharedVolumeMountPath + "/trivy"
-	JobNameSpecHashPartLength   = 5
-	KubernetesJobNameMaxLength  = validation.DNS1123LabelMaxLength
-	ScanJobContainerName        = "scan-image"
-	ScanJobTimeout              = 1 * time.Hour
-	TempVolumeName              = "tmp"
-	TempVolumeMountPath         = "/tmp"
+	FsScanSharedVolumeMountPath   = "/var/run/image-scanner"
+	FsScanSharedVolumeName        = "image-scanner"
+	FsScanTrivyBinaryPath         = FsScanSharedVolumeMountPath + "/trivy"
+	JobNameSpecHashPartLength     = 5
+	KubernetesJobNameMaxLength    = validation.DNS1123LabelMaxLength
+	KubernetesLabelValueMaxLength = validation.DNS1123LabelMaxLength
+	ScanJobContainerName          = "scan-image"
+	ScanJobTimeout                = 1 * time.Hour
+	TempVolumeName                = "tmp"
+	TempVolumeMountPath           = "/tmp"
 )
 
 var (
@@ -73,11 +74,22 @@ func (f *filesystemScanJobBuilder) ForCIS(cis *stasv1alpha1.ContainerImageScan)
 		stasv1alpha1.LabelK8SAppManagedBy:             stasv1alpha1.AppNameImageScanner,
 		stasv1alpha1.LabelStatnettControllerNamespace: cis.Namespace,
 		stasv1alpha1.LabelStatnettControllerUID:       string(cis.UID),
+		stasv1alpha1.LabelStatnettWorkloadKind:        cis.Spec.Workload.Kind,
+		stasv1alpha1.LabelStatnettWorkloadName:        truncateString(cis.Spec.Workload.Name, KubernetesLabelValueMaxLength),
+		stasv1alpha1.LabelStatnettWorkloadNamespace:   cis.Namespace,
 	}
 
 	return job, nil
 }
 
+func truncateString(name string, length int) string {
+	if len(name) > length {
+		return name[0 : length-1]
+	} else {
+		return name
+	}
+}
+
 func scanJobName(cis *stasv1alpha1.ContainerImageScan) string {
 	hashPart := hash.NewString(cis.Spec, cis.Namespace)[0:JobNameSpecHashPartLength]
 	nameFn := func(cisName string) string {