[Issue - 10441] Improved k8s cluster discovery (#5291)

* Skipping discovery of Assets when filter is not provided and go into Namespaces discovery instead. NewNamespacePlatformId also refactored in order to generate correct PlatformID. Some small changes to address redundancy in provider.go

Signed-off-by: Aleksandr Chagochkin <[email protected]>

* refactor platformids creation for manifests and api

Signed-off-by: Ivan Milchev <[email protected]>

* log meaningful error message when failing to list namespaces

Signed-off-by: Ivan Milchev <[email protected]>

---------

Signed-off-by: Aleksandr Chagochkin <[email protected]>
Signed-off-by: Ivan Milchev <[email protected]>
Co-authored-by: Ivan Milchev <[email protected]>

Author: Chichichkin

providers/k8s/connection/admission/connection.go

@@ -79,6 +79,10 @@ func (c *Connection) InventoryConfig() *inventory.Config {
 	return c.asset.Connections[0]
 }
 
+func (c *Connection) BasePlatformId() (string, error) {
+	return c.AssetId()
+}
+
 func (c *Connection) AssetId() (string, error) {
 	reviews, err := c.AdmissionReviews()
 	if err != nil {

providers/k8s/connection/api/connection.go

@@ -214,6 +214,10 @@ func (c *Connection) Platform() *inventory.Platform {
 	}
 }
 
+func (c *Connection) BasePlatformId() (string, error) {
+	return shared.IdPrefix, nil
+}
+
 func (c *Connection) AssetId() (string, error) {
 	// we use "kube-system" namespace uid as identifier for the cluster
 	// use the internal resources function to make sure we can get the right namespace

providers/k8s/connection/manifest/connection.go

@@ -152,6 +152,14 @@ func (c *Connection) Asset() *inventory.Asset {
 	return c.asset
 }
 
+func (c *Connection) BasePlatformId() (string, error) {
+	manifestHash, err := c.manifestHash()
+	if err != nil {
+		return "", err
+	}
+	return shared.IdPrefix + manifestHash, nil
+}
+
 func (c *Connection) AssetId() (string, error) {
 	// If we are doing an admission control scan, we have 1 resource in the manifest and it has a UID.
 	// Instead of using the file path to generate the ID, use the resource UID. We do this because for
@@ -168,6 +176,14 @@ func (c *Connection) AssetId() (string, error) {
 		}
 	}
 
+	manifestHash, err := c.manifestHash()
+	if err != nil {
+		return "", err
+	}
+	return shared.NewPlatformId(manifestHash), nil
+}
+
+func (c *Connection) manifestHash() (string, error) {
 	h := sha256.New()
 
 	// special handling for embedded content (e.g. piped in via stdin)
@@ -187,7 +203,7 @@ func (c *Connection) AssetId() (string, error) {
 	}
 
 	h.Write([]byte(absPath))
-	return shared.NewPlatformId(hex.EncodeToString(h.Sum(nil))), nil
+	return hex.EncodeToString(h.Sum(nil)), nil
 }
 
 func (c *Connection) InventoryConfig() *inventory.Config {

providers/k8s/connection/manifest/connection_test.go

@@ -97,7 +97,7 @@ func TestManifestDiscovery(t *testing.T) {
 	}
 	inv, err := resources.Discover(pluginRuntime, cnquery.Features{})
 	require.NoError(t, err)
-	require.Len(t, inv.Spec.Assets, 2)
+	require.Len(t, inv.Spec.Assets, 3)
 
 	conn.InventoryConfig().Discover.Targets = []string{"all"}
 	pluginRuntime = &plugin.Runtime{
@@ -108,7 +108,7 @@ func TestManifestDiscovery(t *testing.T) {
 	}
 	inv, err = resources.Discover(pluginRuntime, cnquery.Features{})
 	require.NoError(t, err)
-	require.Len(t, inv.Spec.Assets, 2)
+	require.Len(t, inv.Spec.Assets, 3)
 
 	conn.InventoryConfig().Discover.Targets = []string{"deployments"}
 	pluginRuntime = &plugin.Runtime{
@@ -153,7 +153,7 @@ func TestOperatorManifest(t *testing.T) {
 	}
 	inv, err := resources.Discover(pluginRuntime, cnquery.Features{})
 	require.NoError(t, err)
-	require.Len(t, inv.Spec.Assets, 3)
+	require.Len(t, inv.Spec.Assets, 4)
 
 	require.Len(t, inv.Spec.Assets[1].PlatformIds, 1)
 
@@ -175,7 +175,8 @@ func TestOperatorManifest(t *testing.T) {
 
 	require.NotEqual(t, inv.Spec.Assets[0].PlatformIds[0], inv.Spec.Assets[1].PlatformIds[0])
 	require.Equal(t, "//platformid.api.mondoo.app/runtime/k8s/uid/"+manifestHash, inv.Spec.Assets[0].PlatformIds[0])
-	require.Equal(t, "//platformid.api.mondoo.app/runtime/k8s/uid/"+manifestHash+"/namespace/mondoo-operator/deployments/name/mondoo-operator-controller-manager", inv.Spec.Assets[2].PlatformIds[0])
+	require.Equal(t, "//platformid.api.mondoo.app/runtime/k8s/uid/"+manifestHash+"/namespace/mondoo-operator/services/name/mondoo-operator-controller-manager-metrics-service", inv.Spec.Assets[2].PlatformIds[0])
+	require.Equal(t, "//platformid.api.mondoo.app/runtime/k8s/uid/"+manifestHash+"/namespace/mondoo-operator/deployments/name/mondoo-operator-controller-manager", inv.Spec.Assets[3].PlatformIds[0])
 }
 
 func TestOperatorManifestWithNamespaceFilter(t *testing.T) {
@@ -222,9 +223,17 @@ func TestOperatorManifestWithNamespaceFilter(t *testing.T) {
 		require.NoError(t, err)
 		require.NotEmpty(t, asset.PlatformIds[0])
 	}
+
+	h := sha256.New()
+	absPath, err := filepath.Abs(path)
+	require.NoError(t, err)
+	h.Write([]byte(absPath))
+	manifestHash := hex.EncodeToString(h.Sum(nil))
+	require.NoError(t, err)
+
 	require.NotEqual(t, inv.Spec.Assets[0].PlatformIds[0], inv.Spec.Assets[1].PlatformIds[0])
-	require.Equal(t, "//platformid.api.mondoo.app/runtime/k8s/uid/namespace/mondoo-operator", inv.Spec.Assets[0].PlatformIds[0])
-	require.Equal(t, "//platformid.api.mondoo.app/runtime/k8s/uid/namespace/mondoo-operator/deployments/name/mondoo-operator-controller-manager", inv.Spec.Assets[2].PlatformIds[0])
+	require.Equal(t, "//platformid.api.mondoo.app/runtime/k8s/uid/"+manifestHash+"/namespace/mondoo-operator", inv.Spec.Assets[0].PlatformIds[0])
+	require.Equal(t, "//platformid.api.mondoo.app/runtime/k8s/uid/"+manifestHash+"/namespace/mondoo-operator/deployments/name/mondoo-operator-controller-manager", inv.Spec.Assets[2].PlatformIds[0])
 }
 
 func TestManifestNoObjects(t *testing.T) {
@@ -316,5 +325,5 @@ func TestManifestDir(t *testing.T) {
 	}
 	require.NotEmpty(t, inv.Spec.Assets[0].PlatformIds[0])
 	// we have the operator deployment twice
-	require.Equal(t, inv.Spec.Assets[1].PlatformIds[0], inv.Spec.Assets[2].PlatformIds[0])
+	require.Equal(t, inv.Spec.Assets[3].PlatformIds[0], inv.Spec.Assets[4].PlatformIds[0])
 }

providers/k8s/connection/manifest/testdata/no-discovered-objects.yaml

@@ -319,19 +319,3 @@ kind: ConfigMap
 metadata:
   name: mondoo-operator-manager-config
   namespace: mondoo-operator
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/name: mondoo-operator
-  name: mondoo-operator-controller-manager-metrics-service
-  namespace: mondoo-operator
-spec:
-  ports:
-  - name: metrics
-    port: 8080
-    protocol: TCP
-    targetPort: metrics
-  selector:
-    app.kubernetes.io/name: mondoo-operator

providers/k8s/connection/shared/connection.go

@@ -26,7 +26,7 @@ const (
 	OPTION_OBJECT_KIND       = "object-kind"
 	OPTION_CONTEXT           = "context"
 	OPTION_KUBELOGIN         = "kubelogin"
-	idPrefix                 = "//platformid.api.mondoo.app/runtime/k8s/uid/"
+	IdPrefix                 = "//platformid.api.mondoo.app/runtime/k8s/uid/"
 )
 
 type ConnectionType string
@@ -44,6 +44,7 @@ type Connection interface {
 	Platform() *inventory.Platform
 	Asset() *inventory.Asset
 	AssetId() (string, error)
+	BasePlatformId() (string, error)
 
 	AdmissionReviews() ([]admissionv1.AdmissionReview, error)
 	Namespace(name string) (*v1.Namespace, error)
@@ -76,12 +77,12 @@ func sliceToPtrSlice[T any](items []T) []*T {
 }
 
 func NewPlatformId(assetId string) string {
-	return idPrefix + assetId
+	return IdPrefix + assetId
 }
 
-func NewWorkloadPlatformId(clusterIdentifier, workloadType, namespace, name, uid string) string {
+func NewWorkloadPlatformId(basePlatformId, clusterIdentifier, workloadType, namespace, name, uid string) string {
 	if workloadType == "namespace" {
-		return NewNamespacePlatformId(clusterIdentifier, name, uid)
+		return NewNamespacePlatformId(basePlatformId, name, uid)
 	}
 
 	platformIdentifier := clusterIdentifier
@@ -95,10 +96,6 @@ func NewWorkloadPlatformId(clusterIdentifier, workloadType, namespace, name, uid
 	return platformIdentifier
 }
 
-func NewNamespacePlatformId(clusterIdentifier, name, uid string) string {
-	if clusterIdentifier == "" {
-		return fmt.Sprintf("%snamespace/%s", idPrefix, name)
-	}
-
-	return fmt.Sprintf("%s/namespace/%s/uid/%s", clusterIdentifier, name, uid)
+func NewNamespacePlatformId(basePlatformId, name, uid string) string {
+	return fmt.Sprintf("%s%s/namespace/%s", basePlatformId, uid, name)
 }

providers/k8s/connection/shared/manifest_parser.go

@@ -71,6 +71,9 @@ func (t *ManifestParser) Namespaces() ([]v1.Namespace, error) {
 		o, err := meta.Accessor(res)
 		if err == nil {
 			ns := o.GetNamespace()
+			if ns == "" {
+				continue
+			}
 			// There are types of resources that do not have meta data. Instead of erroring
 			// skip them.
 			namespaceMap[ns] = struct{}{}

providers/k8s/provider/provider.go

@@ -108,7 +108,7 @@ func (s *Service) ParseCLI(req *plugin.ParseCLIReq) (*plugin.ParseCLIRes, error)
 	return &res, nil
 }
 
-func (s *Service) MockConnect(req *plugin.ConnectReq, callback plugin.ProviderCallback) (*plugin.ConnectRes, error) {
+func (s *Service) MockConnect(_ *plugin.ConnectReq, _ plugin.ProviderCallback) (*plugin.ConnectRes, error) {
 	return nil, errors.New("mock connect not yet implemented")
 }
 
@@ -135,7 +135,7 @@ func (s *Service) Connect(req *plugin.ConnectReq, callback plugin.ProviderCallba
 	}
 
 	return &plugin.ConnectRes{
-		Id:        uint32(conn.ID()),
+		Id:        conn.ID(),
 		Name:      conn.Name(),
 		Asset:     req.Asset,
 		Inventory: inventory,