mondoohq · Chichichkin · Mar 6, 2025 · Mar 10, 2025 · Mar 20, 2025 · czunker
diff --git a/providers/k8s/connection/admission/connection.go b/providers/k8s/connection/admission/connection.go
@@ -79,6 +79,10 @@ func (c *Connection) InventoryConfig() *inventory.Config {
 	return c.asset.Connections[0]
 }
 
+func (c *Connection) BasePlatformId() (string, error) {
+	return c.AssetId()
+}
+
 func (c *Connection) AssetId() (string, error) {
 	reviews, err := c.AdmissionReviews()
 	if err != nil {

diff --git a/providers/k8s/connection/api/connection.go b/providers/k8s/connection/api/connection.go
@@ -214,6 +214,10 @@ func (c *Connection) Platform() *inventory.Platform {
 	}
 }
 
+func (c *Connection) BasePlatformId() (string, error) {
+	return shared.IdPrefix, nil
+}
+
 func (c *Connection) AssetId() (string, error) {
 	// we use "kube-system" namespace uid as identifier for the cluster
 	// use the internal resources function to make sure we can get the right namespace

diff --git a/providers/k8s/connection/manifest/connection.go b/providers/k8s/connection/manifest/connection.go
@@ -152,6 +152,14 @@ func (c *Connection) Asset() *inventory.Asset {
 	return c.asset
 }
 
+func (c *Connection) BasePlatformId() (string, error) {
+	manifestHash, err := c.manifestHash()
+	if err != nil {
+		return "", err
+	}
+	return shared.IdPrefix + manifestHash, nil
+}
+
 func (c *Connection) AssetId() (string, error) {
 	// If we are doing an admission control scan, we have 1 resource in the manifest and it has a UID.
 	// Instead of using the file path to generate the ID, use the resource UID. We do this because for
@@ -168,6 +176,14 @@ func (c *Connection) AssetId() (string, error) {
 		}
 	}
 
+	manifestHash, err := c.manifestHash()
+	if err != nil {
+		return "", err
+	}
+	return shared.NewPlatformId(manifestHash), nil
+}
+
+func (c *Connection) manifestHash() (string, error) {
 	h := sha256.New()
 
 	// special handling for embedded content (e.g. piped in via stdin)
@@ -187,7 +203,7 @@ func (c *Connection) AssetId() (string, error) {
 	}
 
 	h.Write([]byte(absPath))
-	return shared.NewPlatformId(hex.EncodeToString(h.Sum(nil))), nil
+	return hex.EncodeToString(h.Sum(nil)), nil
 }
 
 func (c *Connection) InventoryConfig() *inventory.Config {

diff --git a/providers/k8s/connection/manifest/connection_test.go b/providers/k8s/connection/manifest/connection_test.go
@@ -97,7 +97,7 @@ func TestManifestDiscovery(t *testing.T) {
 	}
 	inv, err := resources.Discover(pluginRuntime, cnquery.Features{})
 	require.NoError(t, err)
-	require.Len(t, inv.Spec.Assets, 2)
+	require.Len(t, inv.Spec.Assets, 3)
 
 	conn.InventoryConfig().Discover.Targets = []string{"all"}
 	pluginRuntime = &plugin.Runtime{
@@ -108,7 +108,7 @@ func TestManifestDiscovery(t *testing.T) {
 	}
 	inv, err = resources.Discover(pluginRuntime, cnquery.Features{})
 	require.NoError(t, err)
-	require.Len(t, inv.Spec.Assets, 2)
+	require.Len(t, inv.Spec.Assets, 3)
 
 	conn.InventoryConfig().Discover.Targets = []string{"deployments"}
 	pluginRuntime = &plugin.Runtime{
@@ -153,7 +153,7 @@ func TestOperatorManifest(t *testing.T) {
 	}
 	inv, err := resources.Discover(pluginRuntime, cnquery.Features{})
 	require.NoError(t, err)
-	require.Len(t, inv.Spec.Assets, 3)
+	require.Len(t, inv.Spec.Assets, 4)
 
 	require.Len(t, inv.Spec.Assets[1].PlatformIds, 1)
 
@@ -175,7 +175,8 @@ func TestOperatorManifest(t *testing.T) {
 
 	require.NotEqual(t, inv.Spec.Assets[0].PlatformIds[0], inv.Spec.Assets[1].PlatformIds[0])
 	require.Equal(t, "//platformid.api.mondoo.app/runtime/k8s/uid/"+manifestHash, inv.Spec.Assets[0].PlatformIds[0])
-	require.Equal(t, "//platformid.api.mondoo.app/runtime/k8s/uid/"+manifestHash+"/namespace/mondoo-operator/deployments/name/mondoo-operator-controller-manager", inv.Spec.Assets[2].PlatformIds[0])
+	require.Equal(t, "//platformid.api.mondoo.app/runtime/k8s/uid/"+manifestHash+"/namespace/mondoo-operator/services/name/mondoo-operator-controller-manager-metrics-service", inv.Spec.Assets[2].PlatformIds[0])
+	require.Equal(t, "//platformid.api.mondoo.app/runtime/k8s/uid/"+manifestHash+"/namespace/mondoo-operator/deployments/name/mondoo-operator-controller-manager", inv.Spec.Assets[3].PlatformIds[0])
 }
 
 func TestOperatorManifestWithNamespaceFilter(t *testing.T) {
@@ -222,9 +223,17 @@ func TestOperatorManifestWithNamespaceFilter(t *testing.T) {
 		require.NoError(t, err)
 		require.NotEmpty(t, asset.PlatformIds[0])
 	}
+
+	h := sha256.New()
+	absPath, err := filepath.Abs(path)
+	require.NoError(t, err)
+	h.Write([]byte(absPath))
+	manifestHash := hex.EncodeToString(h.Sum(nil))
+	require.NoError(t, err)
+
 	require.NotEqual(t, inv.Spec.Assets[0].PlatformIds[0], inv.Spec.Assets[1].PlatformIds[0])
-	require.Equal(t, "//platformid.api.mondoo.app/runtime/k8s/uid/namespace/mondoo-operator", inv.Spec.Assets[0].PlatformIds[0])
-	require.Equal(t, "//platformid.api.mondoo.app/runtime/k8s/uid/namespace/mondoo-operator/deployments/name/mondoo-operator-controller-manager", inv.Spec.Assets[2].PlatformIds[0])
+	require.Equal(t, "//platformid.api.mondoo.app/runtime/k8s/uid/"+manifestHash+"/namespace/mondoo-operator", inv.Spec.Assets[0].PlatformIds[0])
+	require.Equal(t, "//platformid.api.mondoo.app/runtime/k8s/uid/"+manifestHash+"/namespace/mondoo-operator/deployments/name/mondoo-operator-controller-manager", inv.Spec.Assets[2].PlatformIds[0])
 }
 
 func TestManifestNoObjects(t *testing.T) {
@@ -316,5 +325,5 @@ func TestManifestDir(t *testing.T) {
 	}
 	require.NotEmpty(t, inv.Spec.Assets[0].PlatformIds[0])
 	// we have the operator deployment twice
-	require.Equal(t, inv.Spec.Assets[1].PlatformIds[0], inv.Spec.Assets[2].PlatformIds[0])
+	require.Equal(t, inv.Spec.Assets[3].PlatformIds[0], inv.Spec.Assets[4].PlatformIds[0])
 }
diff --git a/providers/k8s/connection/manifest/testdata/no-discovered-objects.yaml b/providers/k8s/connection/manifest/testdata/no-discovered-objects.yaml
@@ -319,19 +319,3 @@ kind: ConfigMap
 metadata:
   name: mondoo-operator-manager-config
   namespace: mondoo-operator
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/name: mondoo-operator
-  name: mondoo-operator-controller-manager-metrics-service
-  namespace: mondoo-operator
-spec:
-  ports:
-  - name: metrics
-    port: 8080
-    protocol: TCP
-    targetPort: metrics
-  selector:
-    app.kubernetes.io/name: mondoo-operator
diff --git a/providers/k8s/connection/shared/connection.go b/providers/k8s/connection/shared/connection.go
@@ -26,7 +26,7 @@ const (
 	OPTION_OBJECT_KIND       = "object-kind"
 	OPTION_CONTEXT           = "context"
 	OPTION_KUBELOGIN         = "kubelogin"
-	idPrefix                 = "//platformid.api.mondoo.app/runtime/k8s/uid/"
+	IdPrefix                 = "//platformid.api.mondoo.app/runtime/k8s/uid/"
 )
 
 type ConnectionType string
@@ -44,6 +44,7 @@ type Connection interface {
 	Platform() *inventory.Platform
 	Asset() *inventory.Asset
 	AssetId() (string, error)
+	BasePlatformId() (string, error)
 
 	AdmissionReviews() ([]admissionv1.AdmissionReview, error)
 	Namespace(name string) (*v1.Namespace, error)
@@ -76,12 +77,12 @@ func sliceToPtrSlice[T any](items []T) []*T {
 }
 
 func NewPlatformId(assetId string) string {
-	return idPrefix + assetId
+	return IdPrefix + assetId
 }
 
-func NewWorkloadPlatformId(clusterIdentifier, workloadType, namespace, name, uid string) string {
+func NewWorkloadPlatformId(basePlatformId, clusterIdentifier, workloadType, namespace, name, uid string) string {
 	if workloadType == "namespace" {
-		return NewNamespacePlatformId(clusterIdentifier, name, uid)
+		return NewNamespacePlatformId(basePlatformId, name, uid)
 	}
 
 	platformIdentifier := clusterIdentifier
@@ -95,10 +96,6 @@ func NewWorkloadPlatformId(clusterIdentifier, workloadType, namespace, name, uid
 	return platformIdentifier
 }
 
-func NewNamespacePlatformId(clusterIdentifier, name, uid string) string {
-	if clusterIdentifier == "" {
-		return fmt.Sprintf("%snamespace/%s", idPrefix, name)
-	}
-
-	return fmt.Sprintf("%s/namespace/%s/uid/%s", clusterIdentifier, name, uid)
+func NewNamespacePlatformId(basePlatformId, name, uid string) string {
+	return fmt.Sprintf("%s%s/namespace/%s", basePlatformId, uid, name)
 }
diff --git a/providers/k8s/connection/shared/manifest_parser.go b/providers/k8s/connection/shared/manifest_parser.go
@@ -71,6 +71,9 @@ func (t *ManifestParser) Namespaces() ([]v1.Namespace, error) {
 		o, err := meta.Accessor(res)
 		if err == nil {
 			ns := o.GetNamespace()
+			if ns == "" {
+				continue
+			}
 			// There are types of resources that do not have meta data. Instead of erroring
 			// skip them.
 			namespaceMap[ns] = struct{}{}

diff --git a/providers/k8s/provider/provider.go b/providers/k8s/provider/provider.go
@@ -108,7 +108,7 @@ func (s *Service) ParseCLI(req *plugin.ParseCLIReq) (*plugin.ParseCLIRes, error)
 	return &res, nil
 }
 
-func (s *Service) MockConnect(req *plugin.ConnectReq, callback plugin.ProviderCallback) (*plugin.ConnectRes, error) {
+func (s *Service) MockConnect(_ *plugin.ConnectReq, _ plugin.ProviderCallback) (*plugin.ConnectRes, error) {
 	return nil, errors.New("mock connect not yet implemented")
 }
 
@@ -135,7 +135,7 @@ func (s *Service) Connect(req *plugin.ConnectReq, callback plugin.ProviderCallba
 	}
 
 	return &plugin.ConnectRes{
-		Id:        uint32(conn.ID()),
+		Id:        conn.ID(),
 		Name:      conn.Name(),
 		Asset:     req.Asset,
 		Inventory: inventory,