fix: render node inventory in init container

Author: MaxRink

controllers/nodes/resources.go

@@ -12,6 +12,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
 	"sigs.k8s.io/yaml"
@@ -57,7 +58,6 @@ func CronJob(image string, node corev1.Node, m *v1alpha2.MondooAuditConfig, isOp
 			cmd = append(cmd, "--api-proxy", *apiProxy)
 		}
 	}
-	cmd = renderNodeInventoryCommand(cmd)
 
 	var proxyEnvVars []corev1.EnvVar
 	if !cfg.Spec.SkipProxyForCnspec {
@@ -105,6 +105,9 @@ func CronJob(image string, node corev1.Node, m *v1alpha2.MondooAuditConfig, isOp
 							// The node scanning does not use the Kubernetes API at all, therefore the service account token
 							// should not be mounted at all.
 							AutomountServiceAccountToken: ptr.To(false),
+							InitContainers: []corev1.Container{
+								renderNodeInventoryInitContainer(node.Name),
+							},
 							Containers: []corev1.Container{
 								{
 									Image:     image,
@@ -206,7 +209,6 @@ func DaemonSet(m v1alpha2.MondooAuditConfig, isOpenshift bool, image string, cfg
 			cmd = append(cmd, "--api-proxy", *apiProxy)
 		}
 	}
-	cmd = renderNodeInventoryCommand(cmd)
 
 	var proxyEnvVars []corev1.EnvVar
 	if !cfg.Spec.SkipProxyForCnspec {
@@ -240,6 +242,9 @@ func DaemonSet(m v1alpha2.MondooAuditConfig, isOpenshift bool, image string, cfg
 					// should not be mounted at all.
 					AutomountServiceAccountToken: ptr.To(false),
 					Tolerations:                  tolerations,
+					InitContainers: []corev1.Container{
+						renderNodeInventoryInitContainer(""),
+					},
 					Containers: []corev1.Container{
 						{
 							Image:     image,
@@ -426,21 +431,51 @@ func Inventory(integrationMRN, clusterUID string, m v1alpha2.MondooAuditConfig)
 	return string(invBytes), nil
 }
 
-func renderNodeInventoryCommand(cnspecArgs []string) []string {
+func renderNodeInventoryInitContainer(nodeName string) corev1.Container {
 	render := fmt.Sprintf("sed \"s#%s#${NODE_NAME}#g\" %s > %s",
 		nodeInventoryNodeNamePlaceholder,
 		shellQuote(nodeInventoryTemplatePath),
 		shellQuote(nodeInventoryRenderedPath),
 	)
-	return []string{"/bin/sh", "-ec", render + "\nexec " + shellJoin(cnspecArgs)}
-}
+	env := []corev1.EnvVar{{
+		Name: "NODE_NAME",
+		ValueFrom: &corev1.EnvVarSource{
+			FieldRef: &corev1.ObjectFieldSelector{FieldPath: "spec.nodeName"},
+		},
+	}}
+	if nodeName != "" {
+		env[0].ValueFrom = nil
+		env[0].Value = nodeName
+	}
 
-func shellJoin(args []string) string {
-	quoted := make([]string, 0, len(args))
-	for _, arg := range args {
-		quoted = append(quoted, shellQuote(arg))
+	return corev1.Container{
+		Name:            "render-node-inventory",
+		Image:           constants.BusyBoxImage,
+		ImagePullPolicy: corev1.PullIfNotPresent,
+		Command:         []string{"/bin/sh", "-ec", render},
+		Env:             env,
+		Resources: corev1.ResourceRequirements{
+			Requests: corev1.ResourceList{
+				corev1.ResourceCPU:    resource.MustParse("10m"),
+				corev1.ResourceMemory: resource.MustParse("16Mi"),
+			},
+			Limits: corev1.ResourceList{
+				corev1.ResourceCPU:    resource.MustParse("50m"),
+				corev1.ResourceMemory: resource.MustParse("64Mi"),
+			},
+		},
+		SecurityContext: &corev1.SecurityContext{
+			AllowPrivilegeEscalation: ptr.To(false),
+			ReadOnlyRootFilesystem:   ptr.To(true),
+			RunAsNonRoot:             ptr.To(true),
+			RunAsUser:                ptr.To(int64(65532)),
+			Capabilities:             &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},
+		},
+		VolumeMounts: []corev1.VolumeMount{
+			{Name: "config", ReadOnly: true, MountPath: "/etc/opt/"},
+			{Name: "temp", MountPath: "/tmp"},
+		},
 	}
-	return strings.Join(quoted, " ")
 }
 
 func shellQuote(arg string) string {

controllers/nodes/resources_test.go

@@ -295,14 +295,28 @@ func TestCronJob_UsesInventoryFileFlag(t *testing.T) {
 	mac := testMondooAuditConfig()
 
 	cj := CronJob("test123", testNode, mac, false, v1alpha2.MondooOperatorConfig{})
-	command := strings.Join(cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Command, " ")
-
-	assert.Contains(t, command, "/bin/sh -ec")
-	assert.Contains(t, command, "sed")
-	assert.Contains(t, command, nodeInventoryNodeNamePlaceholder)
-	assert.Contains(t, command, "--inventory-file")
-	assert.Contains(t, command, nodeInventoryRenderedPath)
-	assert.NotContains(t, command, "--inventory-template")
+	mainCommand := strings.Join(cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Command, " ")
+
+	assert.Contains(t, mainCommand, "cnspec scan local")
+	assert.Contains(t, mainCommand, "--inventory-file")
+	assert.Contains(t, mainCommand, nodeInventoryRenderedPath)
+	assert.NotContains(t, mainCommand, "/bin/sh")
+	assert.NotContains(t, mainCommand, "sed")
+	assert.NotContains(t, mainCommand, "--inventory-template")
+
+	initContainers := cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers
+	require.Len(t, initContainers, 1)
+	init := initContainers[0]
+	assert.Equal(t, "render-node-inventory", init.Name)
+	assert.Equal(t, constants.BusyBoxImage, init.Image)
+	initCommand := strings.Join(init.Command, " ")
+	assert.Contains(t, initCommand, "/bin/sh -ec")
+	assert.Contains(t, initCommand, "sed")
+	assert.Contains(t, initCommand, nodeInventoryNodeNamePlaceholder)
+	assert.Contains(t, initCommand, nodeInventoryTemplatePath)
+	assert.Contains(t, initCommand, nodeInventoryRenderedPath)
+	envMap := envToMap(init.Env)
+	assert.Equal(t, "test-node-name", envMap["NODE_NAME"])
 }
 
 func TestCronJob_SkipProxyForCnspec(t *testing.T) {
@@ -368,14 +382,30 @@ func TestDaemonSet_UsesInventoryFileFlag(t *testing.T) {
 	mac := *testMondooAuditConfig()
 
 	ds := DaemonSet(mac, false, "test123", v1alpha2.MondooOperatorConfig{}, nil)
-	command := strings.Join(ds.Spec.Template.Spec.Containers[0].Command, " ")
-
-	assert.Contains(t, command, "/bin/sh -ec")
-	assert.Contains(t, command, "sed")
-	assert.Contains(t, command, nodeInventoryNodeNamePlaceholder)
-	assert.Contains(t, command, "--inventory-file")
-	assert.Contains(t, command, nodeInventoryRenderedPath)
-	assert.NotContains(t, command, "--inventory-template")
+	mainCommand := strings.Join(ds.Spec.Template.Spec.Containers[0].Command, " ")
+
+	assert.Contains(t, mainCommand, "cnspec serve")
+	assert.Contains(t, mainCommand, "--inventory-file")
+	assert.Contains(t, mainCommand, nodeInventoryRenderedPath)
+	assert.NotContains(t, mainCommand, "/bin/sh")
+	assert.NotContains(t, mainCommand, "sed")
+	assert.NotContains(t, mainCommand, "--inventory-template")
+
+	initContainers := ds.Spec.Template.Spec.InitContainers
+	require.Len(t, initContainers, 1)
+	init := initContainers[0]
+	assert.Equal(t, "render-node-inventory", init.Name)
+	assert.Equal(t, constants.BusyBoxImage, init.Image)
+	initCommand := strings.Join(init.Command, " ")
+	assert.Contains(t, initCommand, "/bin/sh -ec")
+	assert.Contains(t, initCommand, "sed")
+	assert.Contains(t, initCommand, nodeInventoryNodeNamePlaceholder)
+	assert.Contains(t, initCommand, nodeInventoryTemplatePath)
+	assert.Contains(t, initCommand, nodeInventoryRenderedPath)
+	require.Len(t, init.Env, 1)
+	require.NotNil(t, init.Env[0].ValueFrom)
+	require.NotNil(t, init.Env[0].ValueFrom.FieldRef)
+	assert.Equal(t, "spec.nodeName", init.Env[0].ValueFrom.FieldRef.FieldPath)
 }
 
 func TestDaemonSet_SkipProxyForCnspec(t *testing.T) {

docs/user-manual.md

@@ -1181,6 +1181,8 @@ spec:
     enable: true
 ```
 
+Node scanning pods include a lightweight `render-node-inventory` init container that renders the node-specific inventory file before `cnspec` starts. This keeps custom scanner images simple: the scanner image must provide `cnspec`, but it does not need a POSIX shell or `sed`.
+
 ### Why are (some of) my nodes unscored?
 
 In some cases a node scan can require more memory than initially allotted. You can check whether that is the case by running:

pkg/constants/images.go

@@ -19,4 +19,7 @@ const (
 	// SPIFFE Helper image
 	// https://github.com/spiffe/spiffe-helper/releases
 	SPIFFEHelperImage = "ghcr.io/spiffe/spiffe-helper:0.8.0"
+
+	// BusyBox image used for lightweight init helpers.
+	BusyBoxImage = "busybox:1.36"
 )

pkg/utils/k8s/registry_wif.go

@@ -142,7 +142,7 @@ echo "Docker config generated for ACR: ${ACR_LOGIN_SERVER}"
 		}
 
 	default:
-		image = "busybox:1.36"
+		image = constants.BusyBoxImage
 		shell = "/bin/sh"
 		script = `echo "ERROR: Unknown workload identity provider"; exit 1`
 		env = []corev1.EnvVar{}

pkg/utils/k8s/update_fields.go

@@ -53,6 +53,7 @@ func UpdateDeploymentFields(obj, desired *appsv1.Deployment) {
 	ps := &obj.Spec.Template.Spec
 	dps := &desired.Spec.Template.Spec
 	ps.ServiceAccountName = dps.ServiceAccountName
+	ps.InitContainers = dps.InitContainers
 	ps.Containers = dps.Containers
 	ps.Volumes = dps.Volumes
 	ps.ImagePullSecrets = dps.ImagePullSecrets
@@ -73,6 +74,7 @@ func UpdateDaemonSetFields(obj, desired *appsv1.DaemonSet) {
 	ps.PriorityClassName = dps.PriorityClassName
 	ps.AutomountServiceAccountToken = dps.AutomountServiceAccountToken
 	ps.Tolerations = dps.Tolerations
+	ps.InitContainers = dps.InitContainers
 	ps.Containers = dps.Containers
 	ps.Volumes = dps.Volumes
 	ps.ImagePullSecrets = dps.ImagePullSecrets

pkg/utils/k8s/update_fields_test.go

@@ -21,7 +21,8 @@ func TestUpdateCronJobFields_ImagePullSecrets(t *testing.T) {
 				Spec: batchv1.JobSpec{
 					Template: corev1.PodTemplateSpec{
 						Spec: corev1.PodSpec{
-							Containers: []corev1.Container{{Name: "test", Image: "test:latest"}},
+							InitContainers: []corev1.Container{{Name: "init", Image: "busybox:1.36"}},
+							Containers:     []corev1.Container{{Name: "test", Image: "test:latest"}},
 							ImagePullSecrets: []corev1.LocalObjectReference{
 								{Name: "my-secret"},
 								{Name: "another-secret"},
@@ -37,6 +38,7 @@ func TestUpdateCronJobFields_ImagePullSecrets(t *testing.T) {
 	UpdateCronJobFields(obj, desired)
 
 	assert.Equal(t, desired.Spec.Schedule, obj.Spec.Schedule)
+	assert.Equal(t, desired.Spec.JobTemplate.Spec.Template.Spec.InitContainers, obj.Spec.JobTemplate.Spec.Template.Spec.InitContainers)
 	assert.Equal(t, desired.Spec.JobTemplate.Spec.Template.Spec.Containers, obj.Spec.JobTemplate.Spec.Template.Spec.Containers)
 	assert.Equal(t, desired.Spec.JobTemplate.Spec.Template.Spec.ImagePullSecrets, obj.Spec.JobTemplate.Spec.Template.Spec.ImagePullSecrets)
 }
@@ -87,7 +89,8 @@ func TestUpdateDeploymentFields_ImagePullSecrets(t *testing.T) {
 		Spec: appsv1.DeploymentSpec{
 			Template: corev1.PodTemplateSpec{
 				Spec: corev1.PodSpec{
-					Containers: []corev1.Container{{Name: "test", Image: "test:latest"}},
+					InitContainers: []corev1.Container{{Name: "init", Image: "busybox:1.36"}},
+					Containers:     []corev1.Container{{Name: "test", Image: "test:latest"}},
 					ImagePullSecrets: []corev1.LocalObjectReference{
 						{Name: "my-secret"},
 					},
@@ -100,6 +103,7 @@ func TestUpdateDeploymentFields_ImagePullSecrets(t *testing.T) {
 	UpdateDeploymentFields(obj, desired)
 
 	assert.Equal(t, desired.Spec.Template.Spec.ImagePullSecrets, obj.Spec.Template.Spec.ImagePullSecrets)
+	assert.Equal(t, desired.Spec.Template.Spec.InitContainers, obj.Spec.Template.Spec.InitContainers)
 	assert.Equal(t, desired.Spec.Template.Spec.Containers, obj.Spec.Template.Spec.Containers)
 }
 
@@ -108,7 +112,8 @@ func TestUpdateDaemonSetFields_ImagePullSecrets(t *testing.T) {
 		Spec: appsv1.DaemonSetSpec{
 			Template: corev1.PodTemplateSpec{
 				Spec: corev1.PodSpec{
-					Containers: []corev1.Container{{Name: "test", Image: "test:latest"}},
+					InitContainers: []corev1.Container{{Name: "init", Image: "busybox:1.36"}},
+					Containers:     []corev1.Container{{Name: "test", Image: "test:latest"}},
 					ImagePullSecrets: []corev1.LocalObjectReference{
 						{Name: "my-secret"},
 					},
@@ -121,5 +126,6 @@ func TestUpdateDaemonSetFields_ImagePullSecrets(t *testing.T) {
 	UpdateDaemonSetFields(obj, desired)
 
 	assert.Equal(t, desired.Spec.Template.Spec.ImagePullSecrets, obj.Spec.Template.Spec.ImagePullSecrets)
+	assert.Equal(t, desired.Spec.Template.Spec.InitContainers, obj.Spec.Template.Spec.InitContainers)
 	assert.Equal(t, desired.Spec.Template.Spec.Containers, obj.Spec.Template.Spec.Containers)
 }