diff --git a/api/v1alpha1/labels.go b/api/v1alpha1/labels.go
index 2aaee5d6..0ee94adc 100644
--- a/api/v1alpha1/labels.go
+++ b/api/v1alpha1/labels.go
@@ -5,6 +5,9 @@ const (
 LabelK8SAppManagedBy = "app.kubernetes.io/managed-by"
 LabelStatnettControllerNamespace = "controller.statnett.no/namespace"
 LabelStatnettControllerUID = "controller.statnett.no/uid"
+ LabelStatnettWorkloadKind = "workload.statnett.no/kind"
+ LabelStatnettWorkloadName = "workload.statnett.no/name"
+ LabelStatnettWorkloadNamespace = "workload.statnett.no/namespace"
 AppNameImageScanner = "image-scanner"
 AppNameTrivy = "trivy"
diff --git a/controllers/testdata/scan-job/cis.yaml b/controllers/testdata/scan-job/cis.yaml
index 8e56f7c6..41b73ec5 100644
--- a/controllers/testdata/scan-job/cis.yaml
+++ b/controllers/testdata/scan-job/cis.yaml
@@ -7,3 +7,6 @@ metadata:
 spec:
 digest: 'sha256:6da1811b094adbea1eb34c3e48fc2833b1a11a351ec7b36cc390e740a64fbae4'
 name: docker.io/nginxinc/nginx-unprivileged
+ workload:
+ kind: Pod
+ name: echo
diff --git a/controllers/testdata/scan-job/expected-scan-job.yaml b/controllers/testdata/scan-job/expected-scan-job.yaml
index 79a53572..49ba6331 100644
--- a/controllers/testdata/scan-job/expected-scan-job.yaml
+++ b/controllers/testdata/scan-job/expected-scan-job.yaml
@@ -10,8 +10,11 @@ metadata:
 app.kubernetes.io/name: trivy
 controller.statnett.no/namespace: replica-set
 controller.statnett.no/uid:
+ workload.statnett.no/kind: Pod
+ workload.statnett.no/name: echo
+ workload.statnett.no/namespace: replica-set
 namespace: image-scanner-jobs
- name: echo-6bdfc76c56-8ae43-b4cf9
+ name: echo-6bdfc76c56-8ae43-2693c
 spec:
 activeDeadlineSeconds: 3600
 backoffLimit: 3
diff --git a/internal/trivy/scan_job.go b/internal/trivy/scan_job.go
index 2f37cdab..7efa7539 100644
--- a/internal/trivy/scan_job.go
+++ b/internal/trivy/scan_job.go
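Review bot: The three exported constants added in the labels.go hunk have no doc comment, and the value stored under LabelStatnettWorkloadName is not the verbatim workload name — the scan_job.go hunk further down this page truncates it to the label-value length limit before use. A consumer that selects scan jobs by that label should be told it is lossy, e.g. `// LabelStatnettWorkloadName holds the name of the workload that owns the scanned image; names longer than the Kubernetes label-value limit are truncated, so two long names can map to the same value.` The enclosing const block starts outside the hunk. The cis.yaml and expected-scan-job.yaml hunks are test data only.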
@@ -18,15 +18,16 @@ import (
 )
 const (
- FsScanSharedVolumeMountPath = "/var/run/image-scanner"
- FsScanSharedVolumeName = "image-scanner"
- FsScanTrivyBinaryPath = FsScanSharedVolumeMountPath + "/trivy"
- JobNameSpecHashPartLength = 5
- KubernetesJobNameMaxLength = validation.DNS1123LabelMaxLength
- ScanJobContainerName = "scan-image"
- ScanJobTimeout = 1 * time.Hour
- TempVolumeName = "tmp"
- TempVolumeMountPath = "/tmp"
+ FsScanSharedVolumeMountPath = "/var/run/image-scanner"
+ FsScanSharedVolumeName = "image-scanner"
+ FsScanTrivyBinaryPath = FsScanSharedVolumeMountPath + "/trivy"
+ JobNameSpecHashPartLength = 5
+ KubernetesJobNameMaxLength = validation.DNS1123LabelMaxLength
+ KubernetesLabelValueMaxLength = validation.DNS1123LabelMaxLength
+ ScanJobContainerName = "scan-image"
+ ScanJobTimeout = 1 * time.Hour
+ TempVolumeName = "tmp"
+ TempVolumeMountPath = "/tmp"
 )
 var (
@@ -73,11 +74,22 @@ func (f *filesystemScanJobBuilder) ForCIS(cis *stasv1alpha1.ContainerImageScan)
 stasv1alpha1.LabelK8SAppManagedBy: stasv1alpha1.AppNameImageScanner,
 stasv1alpha1.LabelStatnettControllerNamespace: cis.Namespace,
 stasv1alpha1.LabelStatnettControllerUID: string(cis.UID),
+ stasv1alpha1.LabelStatnettWorkloadKind: cis.Spec.Workload.Kind,
+ stasv1alpha1.LabelStatnettWorkloadName: truncateString(cis.Spec.Workload.Name, KubernetesLabelValueMaxLength),
+ stasv1alpha1.LabelStatnettWorkloadNamespace: cis.Namespace,
 }
 return job, nil
 }
+func truncateString(name string, length int) string {
+ if len(name) > length {
+ return name[0 : length-1]
+ } else {
+ return name
+ }
+}
+
 func scanJobName(cis *stasv1alpha1.ContainerImageScan) string {
 hashPart := hash.NewString(cis.Spec, cis.Namespace)[0:JobNameSpecHashPartLength]
 nameFn := func(cisName string) string {
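Review bot: `KubernetesLabelValueMaxLength = validation.DNS1123LabelMaxLength` in the first scan_job.go hunk ties the label-value limit to the DNS label limit, which only holds because both currently happen to be 63. The apimachinery validation package exports `validation.LabelValueMaxLength` for exactly this purpose, so `KubernetesLabelValueMaxLength = validation.LabelValueMaxLength` keeps the constant correct if either limit is ever changed and makes the intent obvious to a reader. The remaining lines of the hunk are gofmt re-alignment of the existing constants.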
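Review bot: `truncateString` in the second scan_job.go hunk is off by one — `name[0 : length-1]` keeps length-1 bytes, so a name one byte over the limit is cut to 62 characters while a name of exactly 63 passes through untouched — and the `else` after a terminating `return` is the shape staticcheck flags. A cut at the limit can also leave a trailing `-`, `_` or `.`, which Kubernetes rejects as a label value (it must end with an alphanumeric), so Job creation would fail for such workload names; `return strings.TrimRight(name[:length], "-_.")` in place of the if/else fixes both (adding `strings` to the import block if it is not already there), and `validation.IsValidLabelValue` can assert the result in the scan-job test. Since the value is lossy, code that selects jobs by `workload.statnett.no/name` should treat it as informational rather than as an identity; `cis.Spec.Workload.Kind` on the line above is stored unvalidated, presumably already constrained by the CRD — worth confirming. `ForCIS` starts and `scanJobName` ends outside the hunk.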