Merge pull request #154 from snyk/feat/workload-config-meta

Tal Kaptsan · web-flow · commit 19aea3a2fee1 · 2019-10-29T10:49:26.000Z
Feat/workload config meta
diff --git a/src/kube-scanner/metadata-extractor.ts b/src/kube-scanner/metadata-extractor.ts
@@ -13,11 +13,11 @@ export function buildImageMetadata(
   workloadMeta: KubeObjectMetadata,
   containerStatuses: V1ContainerStatus[],
   ): IWorkload[] {
-  const { kind, objectMeta, specMeta, containers, revision } = workloadMeta;
+  const { kind, objectMeta, specMeta, revision, podSpec } = workloadMeta;
   const { name, namespace, labels, annotations, uid } = objectMeta;
 
   const containerNameToSpec: {[key: string]: V1Container} = {};
-  for (const container of containers) {
+  for (const container of podSpec.containers) {
     containerNameToSpec[container.name] = container;
   }
 
@@ -40,6 +40,7 @@ export function buildImageMetadata(
       imageId: containerNameToStatus[containerName].imageID,
       cluster: currentClusterName,
       revision,
+      podSpec,
     } as IWorkload),
   );
   return images;
@@ -113,7 +114,7 @@ export async function buildMetadataForWorkload(pod: V1Pod): Promise<IWorkload[]
       // do not have the "template" property.
       specMeta: pod.metadata,
       ownerRefs: [],
-      containers: pod.spec.containers,
+      podSpec: pod.spec,
     },
     pod.status.containerStatuses,
     );
diff --git a/src/kube-scanner/types.ts b/src/kube-scanner/types.ts
@@ -1,5 +1,5 @@
 import { AppsV1Api, BatchV1Api, BatchV1beta1Api, CoreV1Api, KubeConfig,
-  V1Container, V1ObjectMeta, V1OwnerReference } from '@kubernetes/client-node';
+  V1ObjectMeta, V1OwnerReference, V1PodSpec } from '@kubernetes/client-node';
 
 export enum WorkloadKind {
   Deployment = 'Deployment',
@@ -35,7 +35,7 @@ export interface KubeObjectMetadata {
   kind: string;
   objectMeta: V1ObjectMeta;
   specMeta: V1ObjectMeta;
-  containers: V1Container[];
+  podSpec: V1PodSpec;
   ownerRefs: V1OwnerReference[] | undefined;
   revision?: number;
 }
diff --git a/src/kube-scanner/watchers/handlers/cron-job.ts b/src/kube-scanner/watchers/handlers/cron-job.ts
@@ -16,7 +16,7 @@ export async function cronJobWatchHandler(cronJob: V1beta1CronJob) {
     kind: WorkloadKind.CronJob,
     objectMeta: cronJob.metadata,
     specMeta: cronJob.spec.jobTemplate.metadata,
-    containers: cronJob.spec.jobTemplate.spec.template.spec.containers,
     ownerRefs: cronJob.metadata.ownerReferences,
+    podSpec: cronJob.spec.jobTemplate.spec.template.spec,
   }, workloadName);
 }
diff --git a/src/kube-scanner/watchers/handlers/daemon-set.ts b/src/kube-scanner/watchers/handlers/daemon-set.ts
@@ -16,8 +16,8 @@ export async function daemonSetWatchHandler(daemonSet: V1DaemonSet) {
     kind: WorkloadKind.DaemonSet,
     objectMeta: daemonSet.metadata,
     specMeta: daemonSet.spec.template.metadata,
-    containers: daemonSet.spec.template.spec.containers,
     ownerRefs: daemonSet.metadata.ownerReferences,
     revision: daemonSet.status.observedGeneration,
+    podSpec: daemonSet.spec.template.spec,
   }, workloadName);
 }
diff --git a/src/kube-scanner/watchers/handlers/deployment.ts b/src/kube-scanner/watchers/handlers/deployment.ts
@@ -16,8 +16,8 @@ export async function deploymentWatchHandler(deployment: V1Deployment) {
     kind: WorkloadKind.Deployment,
     objectMeta: deployment.metadata,
     specMeta: deployment.spec.template.metadata,
-    containers: deployment.spec.template.spec.containers,
     ownerRefs: deployment.metadata.ownerReferences,
     revision: deployment.status.observedGeneration,
+    podSpec: deployment.spec.template.spec,
   }, workloadName);
 }
diff --git a/src/kube-scanner/watchers/handlers/job.ts b/src/kube-scanner/watchers/handlers/job.ts
@@ -15,7 +15,7 @@ export async function jobWatchHandler(job: V1Job) {
     kind: WorkloadKind.Job,
     objectMeta: job.metadata,
     specMeta: job.spec.template.metadata,
-    containers: job.spec.template.spec.containers,
     ownerRefs: job.metadata.ownerReferences,
+    podSpec: job.spec.template.spec,
   }, workloadName);
 }
diff --git a/src/kube-scanner/watchers/handlers/replica-set.ts b/src/kube-scanner/watchers/handlers/replica-set.ts
@@ -16,8 +16,8 @@ export async function replicaSetWatchHandler(replicaSet: V1ReplicaSet) {
     kind: WorkloadKind.ReplicaSet,
     objectMeta: replicaSet.metadata,
     specMeta: replicaSet.spec.template.metadata,
-    containers: replicaSet.spec.template.spec.containers,
     ownerRefs: replicaSet.metadata.ownerReferences,
     revision: replicaSet.status.observedGeneration,
+    podSpec: replicaSet.spec.template.spec,
   }, workloadName);
 }
diff --git a/src/kube-scanner/watchers/handlers/replication-controller.ts b/src/kube-scanner/watchers/handlers/replication-controller.ts
@@ -17,8 +17,8 @@ export async function replicationControllerWatchHandler(replicationController: V
     kind: WorkloadKind.ReplicationController,
     objectMeta: replicationController.metadata,
     specMeta: replicationController.spec.template.metadata,
-    containers: replicationController.spec.template.spec.containers,
     ownerRefs: replicationController.metadata.ownerReferences,
     revision: replicationController.status.observedGeneration,
+    podSpec: replicationController.spec.template.spec,
   }, workloadName);
 }
diff --git a/src/kube-scanner/watchers/handlers/stateful-set.ts b/src/kube-scanner/watchers/handlers/stateful-set.ts
@@ -16,8 +16,8 @@ export async function statefulSetWatchHandler(statefulSet: V1StatefulSet) {
     kind: WorkloadKind.StatefulSet,
     objectMeta: statefulSet.metadata,
     specMeta: statefulSet.spec.template.metadata,
-    containers: statefulSet.spec.template.spec.containers,
     ownerRefs: statefulSet.metadata.ownerReferences,
     revision: statefulSet.status.observedGeneration,
+    podSpec: statefulSet.spec.template.spec,
   }, workloadName);
 }
diff --git a/src/kube-scanner/workload-reader.ts b/src/kube-scanner/workload-reader.ts
@@ -22,9 +22,9 @@ const deploymentReader: IWorkloadReaderFunc = async (workloadName, namespace) =>
     kind: WorkloadKind.Deployment,
     objectMeta: deployment.metadata,
     specMeta: deployment.spec.template.metadata,
-    containers: deployment.spec.template.spec.containers,
     ownerRefs: deployment.metadata.ownerReferences,
     revision: deployment.status.observedGeneration,
+    podSpec: deployment.spec.template.spec,
   };
 };
 
@@ -43,9 +43,9 @@ const replicaSetReader: IWorkloadReaderFunc = async (workloadName, namespace) =>
     kind: WorkloadKind.ReplicaSet,
     objectMeta: replicaSet.metadata,
     specMeta: replicaSet.spec.template.metadata,
-    containers: replicaSet.spec.template.spec.containers,
     ownerRefs: replicaSet.metadata.ownerReferences,
     revision: replicaSet.status.observedGeneration,
+    podSpec: replicaSet.spec.template.spec,
   };
 };
 
@@ -64,9 +64,9 @@ const statefulSetReader: IWorkloadReaderFunc = async (workloadName, namespace) =
     kind: WorkloadKind.StatefulSet,
     objectMeta: statefulSet.metadata,
     specMeta: statefulSet.spec.template.metadata,
-    containers: statefulSet.spec.template.spec.containers,
     ownerRefs: statefulSet.metadata.ownerReferences,
     revision: statefulSet.status.observedGeneration,
+    podSpec: statefulSet.spec.template.spec,
   };
 };
 
@@ -85,9 +85,9 @@ const daemonSetReader: IWorkloadReaderFunc = async (workloadName, namespace) =>
     kind: WorkloadKind.DaemonSet,
     objectMeta: daemonSet.metadata,
     specMeta: daemonSet.spec.template.metadata,
-    containers: daemonSet.spec.template.spec.containers,
     ownerRefs: daemonSet.metadata.ownerReferences,
     revision: daemonSet.status.observedGeneration,
+    podSpec: daemonSet.spec.template.spec,
   };
 };
 
@@ -105,8 +105,8 @@ const jobReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
     kind: WorkloadKind.Job,
     objectMeta: job.metadata,
     specMeta: job.spec.template.metadata,
-    containers: job.spec.template.spec.containers,
     ownerRefs: job.metadata.ownerReferences,
+    podSpec: job.spec.template.spec,
   };
 };
 
@@ -128,8 +128,8 @@ const cronJobReader: IWorkloadReaderFunc = async (workloadName, namespace) => {
     kind: WorkloadKind.CronJob,
     objectMeta: cronJob.metadata,
     specMeta: cronJob.spec.jobTemplate.metadata,
-    containers: cronJob.spec.jobTemplate.spec.template.spec.containers,
     ownerRefs: cronJob.metadata.ownerReferences,
+    podSpec: cronJob.spec.jobTemplate.spec.template.spec,
   };
 };
 
@@ -149,9 +149,9 @@ const replicationControllerReader: IWorkloadReaderFunc = async (workloadName, na
     kind: WorkloadKind.ReplicationController,
     objectMeta: replicationController.metadata,
     specMeta: replicationController.spec.template.metadata,
-    containers: replicationController.spec.template.spec.containers,
     ownerRefs: replicationController.metadata.ownerReferences,
     revision: replicationController.status.observedGeneration,
+    podSpec: replicationController.spec.template.spec,
   };
 };
 
diff --git a/src/transmitter/payload.ts b/src/transmitter/payload.ts
@@ -58,6 +58,7 @@ export function constructHomebaseWorkloadMetadataPayload(workload: IWorkload): I
     annotations: workload.annotations,
     specAnnotations: workload.specAnnotations,
     revision: workload.revision,
+    podSpec: workload.podSpec,
   };
   return { workloadLocator, agentId: config.AGENT_ID, workloadMetadata };
 }
diff --git a/src/transmitter/types.ts b/src/transmitter/types.ts
@@ -1,3 +1,5 @@
+import { V1PodSpec } from '@kubernetes/client-node';
+
 interface StringMap { [key: string]: string; }
 
 export interface ILocalWorkloadLocator {
@@ -17,6 +19,7 @@ export interface IWorkloadMetadata {
   annotations: StringMap | undefined;
   specAnnotations: StringMap | undefined;
   revision: number | undefined;
+  podSpec: V1PodSpec;
 }
 
 export interface IImageLocator extends IWorkloadLocator {
@@ -54,4 +57,5 @@ export interface IWorkload {
   imageName: string;
   imageId: string;
   cluster: string;
+  podSpec: V1PodSpec;
 }
diff --git a/test/fixtures/pod-spec.json b/test/fixtures/pod-spec.json
@@ -0,0 +1,114 @@
+{
+  "containers": [
+    {
+      "env": [
+        {
+          "name": "SNYK_INTEGRATION_ID",
+          "valueFrom": {
+            "secretKeyRef": {
+              "key": "integrationId",
+              "name": "snyk-monitor"
+            }
+          }
+        },
+        {
+          "name": "SNYK_NAMESPACE"
+        },
+        {
+          "name": "SNYK_INTEGRATION_API"
+        },
+        {
+          "name": "SNYK_CLUSTER_NAME",
+          "value": "Production cluster"
+        },
+        {
+          "name": "SNYK_STATIC_ANALYSIS",
+          "value": "true"
+        }
+      ],
+      "image": "snyk/kubernetes-monitor:1.8.5",
+      "imagePullPolicy": "Always",
+      "name": "snyk-monitor",
+      "resources": {
+        "limits": {
+          "cpu": "1",
+          "memory": "2Gi"
+        },
+        "requests": {
+          "cpu": "250m",
+          "memory": "400Mi"
+        }
+      },
+      "terminationMessagePath": "/dev/termination-log",
+      "terminationMessagePolicy": "File",
+      "volumeMounts": [
+        {
+          "mountPath": "/root/.docker",
+          "name": "docker-config",
+          "readOnly": true
+        },
+        {
+          "mountPath": "/snyk-monitor",
+          "name": "temporary-storage"
+        },
+        {
+          "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
+          "name": "snyk-monitor-token-ncps2",
+          "readOnly": true
+        }
+      ]
+    }
+  ],
+  "dnsPolicy": "ClusterFirst",
+  "enableServiceLinks": true,
+  "nodeName": "gke-test-node-123456",
+  "priority": 0,
+  "restartPolicy": "Always",
+  "schedulerName": "default-scheduler",
+  "securityContext": {},
+  "serviceAccount": "snyk-monitor",
+  "serviceAccountName": "snyk-monitor",
+  "terminationGracePeriodSeconds": 30,
+  "tolerations": [
+    {
+      "effect": "NoExecute",
+      "key": "node.kubernetes.io/not-ready",
+      "operator": "Exists",
+      "tolerationSeconds": 300
+    },
+    {
+      "effect": "NoExecute",
+      "key": "node.kubernetes.io/unreachable",
+      "operator": "Exists",
+      "tolerationSeconds": 300
+    }
+  ],
+  "volumes": [
+    {
+      "name": "docker-config",
+      "secret": {
+        "defaultMode": 420,
+        "items": [
+          {
+            "key": "dockercfg.json",
+            "path": "config.json"
+          }
+        ],
+        "secretName": "snyk-monitor"
+      }
+    },
+    {
+      "emptyDir": {
+        "sizeLimit": "50Gi"
+      },
+      "name": "temporary-storage"
+    },
+    {
+      "name": "snyk-monitor-token-test",
+      "secret": {
+        "defaultMode": 420,
+        "secretName": "snyk-monitor-token-test"
+      }
+    }
+  ]
+}
diff --git a/test/integration/kubernetes.test.ts b/test/integration/kubernetes.test.ts
@@ -87,7 +87,8 @@ tap.test('snyk-monitor sends data to homebase', async (t) => {
 
   const metaValidator: WorkloadMetadataValidator = (workloadInfo) => {
     return workloadInfo !== undefined && 'revision' in workloadInfo && 'labels' in workloadInfo &&
-      'specLabels' in workloadInfo && 'annotations' in workloadInfo && 'specAnnotations' in workloadInfo;
+      'specLabels' in workloadInfo && 'annotations' in workloadInfo && 'specAnnotations' in workloadInfo &&
+      'podSpec' in workloadInfo;
   };
 
   // We don't want to spam Homebase with requests; do it infrequently
diff --git a/test/unit/transmitter-payload.test.ts b/test/unit/transmitter-payload.test.ts
@@ -3,6 +3,7 @@ import * as tap from 'tap';
 import imageScanner = require('../../src/kube-scanner/image-scanner');
 import payload = require('../../src/transmitter/payload');
 import transmitterTypes = require('../../src/transmitter/types');
+const podSpecFixture = require('../fixtures/pod-spec.json');
 
 tap.test('constructHomebaseDepGraphPayloads breaks when workloadMetadata is missing items', async (t) => {
   const scannedImages: imageScanner.IScanResult[] = [
@@ -33,6 +34,7 @@ tap.test('constructHomebaseDepGraphPayloads breaks when workloadMetadata is miss
       imageId: 'does this matter?',
       cluster: 'grapefruit',
       revision: undefined,
+      podSpec: podSpecFixture,
     },
   ];
 
@@ -64,6 +66,7 @@ tap.test('constructHomebaseDepGraphPayloads happy flow', async (t) => {
       imageId: 'does this matter?',
       cluster: 'grapefruit',
       revision: 1,
+      podSpec: podSpecFixture,
     },
   ];
 
@@ -92,6 +95,7 @@ tap.test('constructHomebaseWorkloadMetadataPayload happy flow', async (t) => {
     imageId: 'does this matter?',
     cluster: 'grapefruit',
     revision: 1,
+    podSpec: podSpecFixture,
   };
 
   const workloadMetadataPayload = payload.constructHomebaseWorkloadMetadataPayload(workloadWithImages);
@@ -101,6 +105,11 @@ tap.test('constructHomebaseWorkloadMetadataPayload happy flow', async (t) => {
   t.equals(workloadMetadataPayload.workloadLocator.name, 'workloadName', 'workload name present in payload');
   t.equals(workloadMetadataPayload.workloadLocator.type, 'type', 'workload type present in payload');
   t.equals(workloadMetadataPayload.workloadMetadata.revision, 1, 'revision present in metadata');
+  t.ok('podSpec' in workloadMetadataPayload.workloadMetadata, 'podSpec present in metadata');
+  t.equals(workloadMetadataPayload.workloadMetadata.podSpec.containers[0].resources!.limits!.memory!, '2Gi',
+   'memory limit present in metadata');
+  t.equals(workloadMetadataPayload.workloadMetadata.podSpec.serviceAccountName, 'snyk-monitor',
+   'service account name present in metadata');
   t.ok('annotations' in workloadMetadataPayload.workloadMetadata, 'annotations present in metadata');
   t.ok('specAnnotations' in workloadMetadataPayload.workloadMetadata, 'specAnnotations present in metadata');
   t.ok('labels' in workloadMetadataPayload.workloadMetadata, 'labels present in metadata');

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ export async function cronJobWatchHandler(cronJob: V1beta1CronJob) {`
`16`	`16`	`kind: WorkloadKind.CronJob,`
`17`	`17`	`objectMeta: cronJob.metadata,`
`18`	`18`	`specMeta: cronJob.spec.jobTemplate.metadata,`
`19`		`- containers: cronJob.spec.jobTemplate.spec.template.spec.containers,`
`20`	`19`	`ownerRefs: cronJob.metadata.ownerReferences,`
	`20`	`+ podSpec: cronJob.spec.jobTemplate.spec.template.spec,`
`21`	`21`	`}, workloadName);`
`22`	`22`	`}`
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ export async function jobWatchHandler(job: V1Job) {`
`15`	`15`	`kind: WorkloadKind.Job,`
`16`	`16`	`objectMeta: job.metadata,`
`17`	`17`	`specMeta: job.spec.template.metadata,`
`18`		`- containers: job.spec.template.spec.containers,`
`19`	`18`	`ownerRefs: job.metadata.ownerReferences,`
	`19`	`+ podSpec: job.spec.template.spec,`
`20`	`20`	`}, workloadName);`
`21`	`21`	`}`
Original file line number	Diff line number	Diff line change
`@@ -58,6 +58,7 @@ export function constructHomebaseWorkloadMetadataPayload(workload: IWorkload): I`
`58`	`58`	`annotations: workload.annotations,`
`59`	`59`	`specAnnotations: workload.specAnnotations,`
`60`	`60`	`revision: workload.revision,`
	`61`	`+ podSpec: workload.podSpec,`
`61`	`62`	`};`
`62`	`63`	`return { workloadLocator, agentId: config.AGENT_ID, workloadMetadata };`
`63`	`64`	`}`