feat: exclude init containers (#1438)

* feat: exclude init containers Signed-off-by: chenk <hen.keinan@gmail.com> * feat: exclude init containers Signed-off-by: chenk <hen.keinan@gmail.com> * feat: exclude init containers Signed-off-by: chenk <hen.keinan@gmail.com> --------- Signed-off-by: chenk <hen.keinan@gmail.com>
aquasecurity · Aug 15, 2023 · d2825cd · d2825cd
1 parent 478ec85
commit d2825cd
Show file tree

Hide file tree

Showing 9 changed files with 29 additions and 6 deletions.
diff --git a/deploy/helm/README.md b/deploy/helm/README.md
@@ -151,6 +151,7 @@ Keeps security report resources updated
 | trivyOperator.scanJobPodTemplateLabels | string | `""` | scanJobPodTemplateLabels comma-separated representation of the labels which the user wants the scanner pods to be labeled with. Example: `foo=bar,env=stage` will labeled the scanner pods with the labels `foo: bar` and `env: stage` |
 | trivyOperator.scanJobPodTemplatePodSecurityContext | object | `{}` | scanJobPodTemplatePodSecurityContext podSecurityContext the user wants the scanner and node collector pods to be amended with. Example:   RunAsUser: 10000   RunAsGroup: 10000   RunAsNonRoot: true |
 | trivyOperator.scanJobTolerations | list | `[]` | scanJobTolerations tolerations to be applied to the scanner pods and node-collector so that they can run on nodes with matching taints |
+| trivyOperator.skipInitContainers | bool | `false` | skipInitContainers when this flag is set to true, the initContainers will be skipped for the scanner and node collector pods |
 | trivyOperator.skipResourceByLabels | string | `""` | skipResourceByLabels comma-separated labels keys which trivy-operator will skip scanning on resources with matching labels |
 | trivyOperator.vulnerabilityReportsPlugin | string | `"Trivy"` | vulnerabilityReportsPlugin the name of the plugin that generates vulnerability reports `Trivy` |
 | volumeMounts | list | `[]` |  |

diff --git a/deploy/helm/templates/config.yaml b/deploy/helm/templates/config.yaml
@@ -22,6 +22,9 @@ data:
   {{- with .Values.trivyOperator.scanJobAutomountServiceAccountToken }}
   scanJob.automountServiceAccountToken: {{ . | quote }}
   {{- end }}
+  {{- with .Values.trivyOperator.skipInitContainers }}
+  scanJob.skipInitContainers: {{ . | quote }}
+  {{- end }}
   {{- with .Values.nodeCollector.excludeNodes }}
   nodeCollector.excludeNodes: {{ . | quote }}
   {{- end }}

diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -201,6 +201,9 @@ trivyOperator:
   # labeled with. Example: `foo=bar,env=stage` will labeled the scanner pods with the labels `foo: bar` and `env: stage`
   scanJobPodTemplateLabels: ""
 
+  # -- skipInitContainers when this flag is set to true, the initContainers will be skipped for the scanner and node collector pods
+  skipInitContainers: false
+
   # -- scanJobPodTemplatePodSecurityContext podSecurityContext the user wants the scanner and node collector pods to be amended with.
   # Example:
   #   RunAsUser: 10000

diff --git a/docs/getting-started/installation/configuration.md b/docs/getting-started/installation/configuration.md
@@ -65,6 +65,7 @@ To change the target namespace from all namespaces to the `default` namespace ed
 | `nodeCollector.volumes`| see helm/values.yaml | node-collector pod volumes definition for collecting config files information                                                                       |
 | `scanJob.nodeSelector`| N/A| JSON representation of the [nodeSelector] to be applied to the scanner pods so that they can run on nodes with matching labels. Example: `'{"example.com/node-type":"worker", "cpu-type": "sandylake"}'`                                                                                        |
 | `scanJob.automountServiceAccountToken`         | `"false"`   | the flag to enable automount for service account token on scan job. Set `"true"` to enable.                                                                                                                                                                                                     |
+| `scanJob.skipInitContainers`         | `"false"`   | when this flag is set to true, the initContainers will be skipped for the scanner and node collector pod. Set `"true"` to enable.                                                                                                                                                                                                     |
 | `report.additionalLabels`         | `""`   |  additionalReportLabels comma-separated representation of the labels which the user wants the reports to be labeled with. Example: `foo=bar,env=stage` will labeled the reports with the labels `foo: bar` and `env: stage`                                                                                                                                                                                                     |
 | `scanJob.annotations`| N/A| One-line comma-separated representation of the annotations which the user wants the scanner pods to be annotated with. Example: `foo=bar,env=stage` will annotate the scanner pods with the annotations `foo: bar` and `env: stage`                                                             |
 | `scanJob.templateLabel`| N/A| One-line comma-separated representation of the template labels which the user wants the scanner pods to be labeled with. Example: `foo=bar,env=stage` will labeled the scanner pods with the labels `foo: bar` and `env: stage`                                                                 |

diff --git a/pkg/kube/resources.go b/pkg/kube/resources.go
@@ -16,10 +16,13 @@ const KubeSystemNamespace = "kube-system"
 
 // GetContainerImagesFromPodSpec returns a map of container names
 // to container images from the specified v1.PodSpec.
-func GetContainerImagesFromPodSpec(spec corev1.PodSpec) ContainerImages {
+func GetContainerImagesFromPodSpec(spec corev1.PodSpec, skipInitContainers bool) ContainerImages {
 	images := ContainerImages{}
-
-	containers := append(spec.Containers, spec.InitContainers...)
+	containers := make([]corev1.Container, 0)
+	containers = append(containers, spec.Containers...)
+	if !skipInitContainers {
+		containers = append(containers, spec.InitContainers...)
+	}
 	for _, container := range containers {
 		images[container.Name] = container.Image
 	}

diff --git a/pkg/kube/resources_test.go b/pkg/kube/resources_test.go
@@ -42,7 +42,7 @@ func TestGetContainerImagesFromPodSpec(t *testing.T) {
 				},
 			},
 		},
-	})
+	}, false)
 	assert.Equal(t, kube.ContainerImages{
 		"nginx":   "nginx:1.16",
 		"sidecar": "sidecar:1.32.7",

diff --git a/pkg/trivyoperator/config.go b/pkg/trivyoperator/config.go
@@ -68,6 +68,7 @@ const (
 	keyScanJobAnnotations                = "scanJob.annotations"
 	//nolint
 	keyscanJobAutomountServiceAccountToken = "scanJob.automountServiceAccountToken"
+	keySkipInitContainers                  = "scanJob.skipInitContainers"
 	KeyScanJobContainerSecurityContext     = "scanJob.podTemplateContainerSecurityContext"
 	keyScanJobPodSecurityContext           = "scanJob.podTemplatePodSecurityContext"
 	keyScanJobPodTemplateLabels            = "scanJob.podTemplateLabels"
@@ -243,6 +244,10 @@ func (c ConfigData) GetScanJobAutomountServiceAccountToken() bool {
 	return c.getBoolKey(keyscanJobAutomountServiceAccountToken)
 }
 
+func (c ConfigData) GetSkipInitContainers() bool {
+	return c.getBoolKey(keySkipInitContainers)
+}
+
 func (c ConfigData) GetScanJobAnnotations() (map[string]string, error) {
 	scanJobAnnotationsStr, found := c[keyScanJobAnnotations]
 	if !found || strings.TrimSpace(scanJobAnnotationsStr) == "" {

diff --git a/pkg/vulnerabilityreport/builder.go b/pkg/vulnerabilityreport/builder.go
@@ -35,6 +35,7 @@ type ScanJobBuilder struct {
 	podSecurityContext       *corev1.PodSecurityContext
 	containerSecurityContext *corev1.SecurityContext
 	podPriorityClassName     string
+	skipInitContainers       bool
 }
 
 func NewScanJobBuilder() *ScanJobBuilder {
@@ -61,6 +62,11 @@ func (s *ScanJobBuilder) WithTTL(ttl *time.Duration) *ScanJobBuilder {
 	return s
 }
 
+func (s *ScanJobBuilder) WithSkipInitContainers(skipInitContainers bool) *ScanJobBuilder {
+	s.skipInitContainers = skipInitContainers
+	return s
+}
+
 func (s *ScanJobBuilder) WithObject(object client.Object) *ScanJobBuilder {
 	s.object = object
 	return s
@@ -126,7 +132,7 @@ func (s *ScanJobBuilder) Get() (*batchv1.Job, []*corev1.Secret, error) {
 
 	templateSpec.NodeSelector = s.nodeSelector
 
-	containerImagesAsJSON, err := kube.GetContainerImagesFromPodSpec(spec).AsJSON()
+	containerImagesAsJSON, err := kube.GetContainerImagesFromPodSpec(spec, s.skipInitContainers).AsJSON()
 	if err != nil {
 		return nil, nil, err
 	}

diff --git a/pkg/vulnerabilityreport/controller/workload.go b/pkg/vulnerabilityreport/controller/workload.go
@@ -145,7 +145,7 @@ func (r *WorkloadController) reconcileWorkload(workloadKind kube.Kind) reconcile
 			return ctrl.Result{}, err
 		}
 
-		containerImages := kube.GetContainerImagesFromPodSpec(podSpec)
+		containerImages := kube.GetContainerImagesFromPodSpec(podSpec, r.GetSkipInitContainers())
 		hash := kube.ComputeHash(podSpec)
 
 		log = log.WithValues("podSpecHash", hash)
@@ -302,6 +302,7 @@ func (r *WorkloadController) submitScanJob(ctx context.Context, owner client.Obj
 		WithNodeSelector(scanJobNodeSelector).
 		WithPodSecurityContext(scanJobSecurityContext).
 		WithSecurityContext(scanJobContainerSecurityContext).
+		WithSkipInitContainers(r.GetSkipInitContainers()).
 		WithPodTemplateLabels(scanJobPodTemplateLabels).
 		WithCredentials(credentials).
 		WithPodPriorityClassName(scanJobPodPriorityClassName).