Merge pull request #298 from kubescape/pullsec

add pullsecrets from pod for scanAP

Author: matthyx

admission/exporter/http_exporter.go

@@ -9,11 +9,10 @@ import (
 	"sync"
 	"time"
 
+	apitypes "github.com/armosec/armoapi-go/armotypes"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/operator/admission/rules"
-
-	apitypes "github.com/armosec/armoapi-go/armotypes"
 )
 
 type HTTPExporterConfig struct {

admission/rulebinding/cache/cache.go

@@ -4,24 +4,20 @@ import (
 	"context"
 	"strings"
 
-	typesv1 "github.com/kubescape/node-agent/pkg/rulebindingmanager/types/v1"
-	"github.com/kubescape/node-agent/pkg/watcher"
-	"k8s.io/apimachinery/pkg/runtime"
-
-	"github.com/kubescape/node-agent/pkg/k8sclient"
-
-	"github.com/kubescape/node-agent/pkg/rulebindingmanager"
-
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/labels"
-
 	"github.com/goradd/maps"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/node-agent/pkg/k8sclient"
+	"github.com/kubescape/node-agent/pkg/rulebindingmanager"
+	typesv1 "github.com/kubescape/node-agent/pkg/rulebindingmanager/types/v1"
+	"github.com/kubescape/node-agent/pkg/watcher"
 	"github.com/kubescape/operator/admission/rulebinding"
 	"github.com/kubescape/operator/admission/rules"
 	rulesv1 "github.com/kubescape/operator/admission/rules/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
 )
 
 const (

admission/rulebinding/cache/cache_test.go

@@ -4,10 +4,9 @@ import (
 	"context"
 	"testing"
 
-	typesv1 "github.com/kubescape/node-agent/pkg/rulebindingmanager/types/v1"
-
 	"github.com/goradd/maps"
 	"github.com/kubescape/k8s-interface/k8sinterface"
+	typesv1 "github.com/kubescape/node-agent/pkg/rulebindingmanager/types/v1"
 	"github.com/kubescape/operator/admission/rules"
 	"github.com/kubescape/operator/utils"
 	"github.com/stretchr/testify/assert"

admission/rulebinding/cache/helpers.go

@@ -4,12 +4,10 @@ import (
 	typesv1 "github.com/kubescape/node-agent/pkg/rulebindingmanager/types/v1"
 	"github.com/kubescape/node-agent/pkg/utils"
 	"github.com/kubescape/node-agent/pkg/watcher"
-
-	k8sruntime "k8s.io/apimachinery/pkg/runtime"
-
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	k8sruntime "k8s.io/apimachinery/pkg/runtime"
 )
 
 func uniqueName(obj metav1.Object) string {

admission/rulebinding/cache/helpers_test.go

@@ -4,7 +4,6 @@ import (
 	"testing"
 
 	typesv1 "github.com/kubescape/node-agent/pkg/rulebindingmanager/types/v1"
-
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

admission/rules/v1/helpers.go

@@ -4,7 +4,7 @@ import (
 	"context"
 	"fmt"
 
-	v1 "k8s.io/api/core/v1"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -22,7 +22,7 @@ func GetControllerDetails(event admission.Attributes, clientset kubernetes.Inter
 
 	pod, err := GetPodDetails(clientset, podName, namespace)
 	if err != nil {
-		return "", "", "", "", fmt.Errorf("failed to get pod details: %v", err)
+		return "", "", "", "", fmt.Errorf("failed to get pod details: %w", err)
 	}
 
 	workloadKind, workloadName, workloadNamespace := ExtractPodOwner(pod, clientset)
@@ -32,16 +32,16 @@ func GetControllerDetails(event admission.Attributes, clientset kubernetes.Inter
 }
 
 // GetPodDetails returns the pod details from the Kubernetes API server.
-func GetPodDetails(clientset kubernetes.Interface, podName, namespace string) (*v1.Pod, error) {
+func GetPodDetails(clientset kubernetes.Interface, podName, namespace string) (*corev1.Pod, error) {
 	pod, err := clientset.CoreV1().Pods(namespace).Get(context.TODO(), podName, metav1.GetOptions{})
 	if err != nil {
-		return nil, fmt.Errorf("failed to get pod: %v", err)
+		return nil, fmt.Errorf("failed to get pod: %w", err)
 	}
 	return pod, nil
 }
 
 // ExtractPodOwner returns the kind, name, and namespace of the controller that owns the pod.
-func ExtractPodOwner(pod *v1.Pod, clientset kubernetes.Interface) (string, string, string) {
+func ExtractPodOwner(pod *corev1.Pod, clientset kubernetes.Interface) (string, string, string) {
 	for _, ownerRef := range pod.OwnerReferences {
 		switch ownerRef.Kind {
 		case "ReplicaSet":
@@ -91,9 +91,9 @@ func GetContainerNameFromExecToPodEvent(event admission.Attributes) (string, err
 		return "", fmt.Errorf("object is not of type *unstructured.Unstructured")
 	}
 
-	podExecOptions := &v1.PodExecOptions{}
+	podExecOptions := &corev1.PodExecOptions{}
 	if err := runtime.DefaultUnstructuredConverter.FromUnstructured(unstructuredObj.Object, podExecOptions); err != nil {
-		return "", fmt.Errorf("failed to decode PodExecOptions: %v", err)
+		return "", fmt.Errorf("failed to decode PodExecOptions: %w", err)
 	}
 
 	return podExecOptions.Container, nil

admission/rules/v1/r2000_exec_to_pod.go

@@ -4,16 +4,14 @@ import (
 	"fmt"
 	"time"
 
+	apitypes "github.com/armosec/armoapi-go/armotypes"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/operator/admission/rules"
 	"github.com/kubescape/operator/objectcache"
-
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/apiserver/pkg/authentication/user"
-
-	apitypes "github.com/armosec/armoapi-go/armotypes"
 )
 
 const (

admission/rules/v1/r2001_portforward.go

@@ -4,16 +4,14 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/kubescape/operator/admission/rules"
-	"github.com/kubescape/operator/objectcache"
-
+	apitypes "github.com/armosec/armoapi-go/armotypes"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/operator/admission/rules"
+	"github.com/kubescape/operator/objectcache"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/apiserver/pkg/authentication/user"
-
-	apitypes "github.com/armosec/armoapi-go/armotypes"
 )
 
 const (

admission/rules/v1/rule.go

@@ -1,9 +1,8 @@
 package rules
 
 import (
-	"github.com/kubescape/operator/admission/rules"
-
 	"github.com/goradd/maps"
+	"github.com/kubescape/operator/admission/rules"
 )
 
 const (

admission/webhook/server.go

@@ -12,10 +12,9 @@ import (
 	"sync"
 	"time"
 
-	"github.com/kubescape/node-agent/pkg/watcher"
-
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/node-agent/pkg/watcher"
 	admissionv1 "k8s.io/api/admission/v1"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
@@ -393,7 +392,7 @@ func parseRequest(r *http.Request) (*admissionv1.AdmissionReview, error) {
 	var admissionReview admissionv1.AdmissionReview
 
 	if err := json.Unmarshal(body, &admissionReview); err != nil {
-		return nil, fmt.Errorf("could not parse admission review request: %v", err)
+		return nil, fmt.Errorf("could not parse admission review request: %w", err)
 	}
 
 	if admissionReview.Request == nil {