Merge pull request #253 from kubescape/sbom

add support for node-agent generated SBOMs

Author: matthyx

config/config.go

@@ -29,6 +29,7 @@ type Capabilities struct {
 	Otel                 string `json:"otel"`
 	Relevancy            string `json:"relevancy"`
 	RuntimeObservability string `json:"runtimeObservability"`
+	NodeSbomGeneration   string `json:"nodeSbomGeneration"`
 	Seccomp              string `json:"seccomp"`
 	VulnerabilityScan    string `json:"vulnerabilityScan"`
 	AdmissionController  string `json:"admissionController"`
@@ -116,7 +117,9 @@ type IConfig interface {
 	GatewayWebsocketURL() string
 	ConcurrencyWorkers() int
 	Components() Components
+	AdmissionControllerEnabled() bool
 	ContinuousScanEnabled() bool
+	NodeSbomGenerationEnabled() bool
 	CleanUpRoutineInterval() time.Duration
 	MatchingRulesFilename() string
 	TriggerSecurityFramework() bool
@@ -157,6 +160,10 @@ func (c *OperatorConfig) AdmissionControllerEnabled() bool {
 	return c.components.Capabilities.AdmissionController == "enable"
 }
 
+func (c *OperatorConfig) NodeSbomGenerationEnabled() bool {
+	return c.components.Capabilities.NodeSbomGeneration == "enable"
+}
+
 func (c *OperatorConfig) KubevulnURL() string {
 	return c.clusterConfig.KubevulnURL
 }

mainhandler/handlerequests.go

@@ -156,7 +156,7 @@ func (mainHandler *MainHandler) HandleWatchers(ctx context.Context) {
 		logger.L().Ctx(ctx).Fatal(fmt.Sprintf("Unable to initialize the storage client: %v", err))
 	}
 	eventQueue := watcher.NewCooldownQueue()
-	watchHandler := watcher.NewWatchHandler(ctx, mainHandler.config, mainHandler.k8sAPI, ksStorageClient, eventQueue)
+	watchHandler := watcher.NewWatchHandler(mainHandler.config, mainHandler.k8sAPI, ksStorageClient, eventQueue)
 
 	commandWatchHandler := watcher.NewCommandWatchHandler(mainHandler.k8sAPI, mainHandler.config)
 	registryCommandsHandler := watcher.NewRegistryCommandsHandler(ctx, mainHandler.k8sAPI, commandWatchHandler, mainHandler.config)
@@ -168,7 +168,11 @@ func (mainHandler *MainHandler) HandleWatchers(ctx context.Context) {
 	waitFunc(mainHandler.config)
 
 	// start watching
-	go watchHandler.PodWatch(ctx, mainHandler.eventWorkerPool)
+	if mainHandler.config.NodeSbomGenerationEnabled() {
+		go watchHandler.SBOMWatch(ctx, mainHandler.eventWorkerPool)
+	} else {
+		go watchHandler.PodWatch(ctx, mainHandler.eventWorkerPool)
+	}
 	go watchHandler.SBOMFilteredWatch(ctx, mainHandler.eventWorkerPool)
 	go commandWatchHandler.CommandWatch(ctx)
 }
@@ -240,7 +244,7 @@ func (actionHandler *ActionHandler) runCommand(ctx context.Context, sessionObj *
 	case apis.TypeScanImages:
 		return actionHandler.scanImage(ctx, sessionObj)
 	case utils.CommandScanFilteredSBOM:
-		actionHandler.scanFilteredSBOM(ctx, sessionObj)
+		return actionHandler.scanFilteredSBOM(ctx, sessionObj)
 	case apis.TypeRunKubescape, apis.TypeRunKubescapeJob:
 		return actionHandler.kubescapeScan(ctx)
 	case apis.TypeSetKubescapeCronJob:
@@ -368,7 +372,7 @@ func (mainHandler *MainHandler) HandleImageScanningScopedRequest(ctx context.Con
 		return
 	}
 
-	labels := sessionObj.Command.GetLabels()
+	lbls := sessionObj.Command.GetLabels()
 	fields := sessionObj.Command.GetFieldSelector()
 	namespaces, err := mainHandler.getNamespaces(ctx, sessionObj)
 	if err != nil {
@@ -377,12 +381,12 @@ func (mainHandler *MainHandler) HandleImageScanningScopedRequest(ctx context.Con
 		return
 	}
 
-	info := fmt.Sprintf("%s: id: '%s', namespaces: '%v', labels: '%v', fieldSelector: '%v'", sessionObj.Command.CommandName, sessionObj.Command.GetID(), namespaces, labels, fields)
+	info := fmt.Sprintf("%s: id: '%s', namespaces: '%v', labels: '%v', fieldSelector: '%v'", sessionObj.Command.CommandName, sessionObj.Command.GetID(), namespaces, lbls, fields)
 	logger.L().Info(info)
 	sessionObj.Reporter.SendDetails(info, mainHandler.sendReport)
 
 	listOptions := metav1.ListOptions{
-		LabelSelector: k8sinterface.SelectorToString(labels),
+		LabelSelector: k8sinterface.SelectorToString(lbls),
 		FieldSelector: k8sinterface.SelectorToString(fields),
 	}
 

mainhandler/vulnscan.go

@@ -438,10 +438,7 @@ func (actionHandler *ActionHandler) scanImage(ctx context.Context, sessionObj *u
 		return errors.New("kubevuln is not enabled")
 	}
 
-	pod, ok := actionHandler.command.Args[utils.ArgsPod].(*corev1.Pod)
-	if !ok || pod == nil {
-		return fmt.Errorf("failed to get pod for image %s", actionHandler.command.Args[utils.ArgsPod])
-	}
+	pod, _ := actionHandler.command.Args[utils.ArgsPod].(*corev1.Pod)
 
 	containerData, ok := actionHandler.command.Args[utils.ArgsContainerData].(*utils.ContainerData)
 	if !ok {
@@ -607,7 +604,9 @@ func sendWorkloadWithCredentials(ctx context.Context, scanUrl *url.URL, command
 	if !ok {
 		logger.L().Debug("Not an image scan command")
 	} else {
-		instanceID = *imageScanCommand.InstanceID
+		if imageScanCommand.InstanceID != nil {
+			instanceID = *imageScanCommand.InstanceID
+		}
 	}
 
 	if err != nil {

watcher/filteredsbomwatcher.go

@@ -19,16 +19,6 @@ import (
 	"k8s.io/apimachinery/pkg/watch"
 )
 
-const retryInterval = 1 * time.Second
-
-var (
-	ErrMissingWLID          = fmt.Errorf("missing WLID")
-	ErrMissingSlug          = fmt.Errorf("missing slug")
-	ErrMissingImageTag      = fmt.Errorf("missing image ID")
-	ErrMissingImageID       = fmt.Errorf("missing image tag")
-	ErrMissingContainerName = fmt.Errorf("missing container name")
-)
-
 // SBOMFilteredWatch watches and processes changes on Filtered SBOMs
 func (wh *WatchHandler) SBOMFilteredWatch(ctx context.Context, workerPool *ants.PoolWithFunc) {
 	inputEvents := make(chan watch.Event)
@@ -64,7 +54,7 @@ func (wh *WatchHandler) SBOMFilteredWatch(ctx context.Context, workerPool *ants.
 			}
 		case cmd, ok := <-cmdCh:
 			if ok {
-				utils.AddCommandToChannel(ctx, wh.cfg, cmd, workerPool)
+				_ = utils.AddCommandToChannel(ctx, wh.cfg, cmd, workerPool)
 			} else {
 				notifyWatcherDown(sbomWatcherUnavailable)
 			}

watcher/filteredsbomwatcher_test.go

@@ -20,52 +20,6 @@ import (
 	k8sfake "k8s.io/client-go/kubernetes/fake"
 )
 
-func TestNewWatchHandlerProducesValidResult(t *testing.T) {
-	tt := []struct {
-		imageIDsToWLIDSsMap map[string][]string
-		expectedIWMap       map[string][]string
-		name                string
-	}{
-		{
-			name:                "Creating with provided empty map returns matching empty map",
-			imageIDsToWLIDSsMap: map[string][]string{},
-			expectedIWMap:       map[string][]string{},
-		},
-		{
-			name:                "Creating with provided nil map returns matching empty map",
-			imageIDsToWLIDSsMap: nil,
-			expectedIWMap:       map[string][]string{},
-		},
-		{
-			name: "Creating with provided non-empty map returns matching map",
-			imageIDsToWLIDSsMap: map[string][]string{
-				"imageid-01": {"wlid-01"},
-			},
-			expectedIWMap: map[string][]string{
-				"imageid-01": {"wlid-01"},
-			},
-		},
-	}
-
-	for _, tc := range tt {
-		t.Run(tc.name, func(t *testing.T) {
-			ctx := context.TODO()
-			clusterConfig := utilsmetadata.ClusterConfig{}
-			cfg, err := config.LoadConfig("../configuration")
-			assert.NoError(t, err)
-			operatorConfig := config.NewOperatorConfig(config.CapabilitiesConfig{}, clusterConfig, &beUtils.Credentials{}, "", cfg)
-
-			k8sClient := k8sfake.NewSimpleClientset()
-			k8sAPI := utils.NewK8sInterfaceFake(k8sClient)
-			storageClient := kssfake.NewSimpleClientset()
-
-			wh := NewWatchHandler(ctx, operatorConfig, k8sAPI, storageClient, nil)
-
-			assert.NotNilf(t, wh, "Constructing should create a non-nil object")
-		})
-	}
-}
-
 func TestHandleSBOMFilteredEvents(t *testing.T) {
 	tt := []struct {
 		name                      string
@@ -218,7 +172,7 @@ func TestHandleSBOMFilteredEvents(t *testing.T) {
 			cmdCh := make(chan *apis.Command)
 			errorCh := make(chan error)
 
-			wh := NewWatchHandler(ctx, operatorConfig, k8sAPI, storageClient, nil)
+			wh := NewWatchHandler(operatorConfig, k8sAPI, storageClient, nil)
 
 			go wh.HandleSBOMFilteredEvents(inputEvents, cmdCh, errorCh)
 

watcher/podwatcher.go

@@ -2,55 +2,26 @@ package watcher
 
 import (
 	"context"
-	"errors"
 	"time"
 
-	mapset "github.com/deckarep/golang-set/v2"
 	"github.com/kubescape/k8s-interface/workloadinterface"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/tools/pager"
 
 	"github.com/armosec/armoapi-go/apis"
-	"github.com/goradd/maps"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/instanceidhandler"
 	instanceidhandlerv1 "github.com/kubescape/k8s-interface/instanceidhandler/v1"
 	"github.com/kubescape/k8s-interface/k8sinterface"
-	"github.com/kubescape/operator/config"
 	"github.com/kubescape/operator/utils"
-	kssc "github.com/kubescape/storage/pkg/generated/clientset/versioned"
 	"github.com/panjf2000/ants/v2"
 
 	core1 "k8s.io/api/core/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/watch"
 )
 
-var (
-	ErrUnsupportedObject = errors.New("unsupported object type")
-	ErrUnknownImageHash  = errors.New("unknown image hash")
-)
-
-type WatchHandler struct {
-	SlugToImageID  maps.SafeMap[string, string] // map of <Slug> : string <image ID>
-	WlidAndImageID mapset.Set[string]           // set of <wlid+imageID>
-	storageClient  kssc.Interface
-	cfg            config.IConfig
-	k8sAPI         *k8sinterface.KubernetesApi
-	eventQueue     *CooldownQueue
-}
-
-// NewWatchHandler creates a new WatchHandler, initializes the maps and returns it
-func NewWatchHandler(ctx context.Context, cfg config.IConfig, k8sAPI *k8sinterface.KubernetesApi, storageClient kssc.Interface, eventQueue *CooldownQueue) *WatchHandler {
-	return &WatchHandler{
-		storageClient:  storageClient,
-		k8sAPI:         k8sAPI,
-		cfg:            cfg,
-		WlidAndImageID: mapset.NewSet[string](),
-		eventQueue:     eventQueue,
-	}
-}
 func (wh *WatchHandler) PodWatch(ctx context.Context, workerPool *ants.PoolWithFunc) error {
 	watchOpts := v1.ListOptions{
 		Watch:         true,

watcher/podwatcher_test.go

@@ -113,7 +113,7 @@ func TestPodWatch(t *testing.T) {
 			k8sAPI.DynamicClient = dynClient
 
 			eventQueue := NewCooldownQueue()
-			wh := NewWatchHandler(ctx, operatorConfig, k8sAPI, storageClient, eventQueue)
+			wh := NewWatchHandler(operatorConfig, k8sAPI, storageClient, eventQueue)
 
 			resourcesCreatedWg := &sync.WaitGroup{}
 			resourcesCreatedWg.Add(tc.numberOfExpectedCommands)
@@ -371,7 +371,7 @@ func Test_handlePodWatcher(t *testing.T) {
 			k8sAPI.DynamicClient = dynClient
 
 			eventQueue := NewCooldownQueue()
-			wh := NewWatchHandler(ctx, operatorConfig, k8sAPI, storageClient, eventQueue)
+			wh := NewWatchHandler(operatorConfig, k8sAPI, storageClient, eventQueue)
 
 			resourcesCreatedWg := &sync.WaitGroup{}
 			resourcesCreatedWg.Add(len(tc.expectedCommands))
@@ -453,7 +453,7 @@ func Test_listPods(t *testing.T) {
 			storageClient := kssfake.NewSimpleClientset()
 			eventQueue := NewCooldownQueue()
 
-			wh := NewWatchHandler(ctx, operatorConfig, k8sAPI, storageClient, eventQueue)
+			wh := NewWatchHandler(operatorConfig, k8sAPI, storageClient, eventQueue)
 			resourcesCreatedWg := &sync.WaitGroup{}
 
 			for i := range tc.pods {