⭐ k8s: filter discovery by label selectors #8448

Open
MaxRink wants to merge 1 commit into mondoohq:main from MaxRink:feat/k8s-discovery-label-selectors

Conversation

@MaxRink (Contributor) commented Jun 15, 2026

Summary

  • add k8s provider flags for namespace and object label selectors
  • apply namespace selectors before namespace assets are emitted and before staged namespace discovery continues
  • apply object selectors to discovered workload assets, admission-review objects, and pod-backed container image discovery
  • avoid emitting the cluster root asset when discovery is scoped by label selectors

Review fixes

  • admission-review discovery now honors namespace label selectors for Namespace objects
  • admission-review discovery fails closed for namespaced non-Namespace objects when namespace labels are required but unavailable
  • log a warning when a namespaced admission-review object is skipped because namespace labels are unavailable for selector evaluation

Tests

  • git diff --check
  • cd providers/k8s && go test ./resources -run 'TestAssetFromAdmissionReview|TestLabelSelectorFilters'
  • cd providers/k8s && go test ./provider ./resources
  • go test ./provider ./resources -count=1
  • go test ./... -count=1
  • git -c core.fsmonitor=false diff --check

@github-actions Bot (Contributor) commented Jun 15, 2026

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

@mondoo-code-review Bot left a comment

K8s discovery label selector filtering works correctly but has a copyright header issue in the new test file.

@MaxRink (Contributor, Author) commented Jun 15, 2026

I have read the Mondoo CLA Document and I hereby sign the CLA

@mondoo-code-review mondoo-code-review Bot dismissed their stale review June 15, 2026 18:26

Superseded by new review

@mondoo-code-review Bot left a comment

K8s discovery can now be scoped to specific namespaces and objects via label selectors, reducing scan noise.

@MaxRink MaxRink force-pushed the feat/k8s-discovery-label-selectors branch from 96ab1d6 to 13e9f8c Compare June 16, 2026 09:56
@MaxRink (Contributor, Author) commented Jun 16, 2026

/review

@MaxRink (Contributor, Author) commented Jun 16, 2026

recheck

@tas50 tas50 changed the title feat(k8s): filter discovery by label selectors ⭐ k8s: filter discovery by label selectors Jun 18, 2026
@MaxRink MaxRink marked this pull request as draft June 19, 2026 06:13
@MaxRink MaxRink marked this pull request as ready for review June 19, 2026 08:15
@MaxRink MaxRink force-pushed the feat/k8s-discovery-label-selectors branch from 871c79e to 364b4a7 Compare June 19, 2026 08:39

@mondoo-code-review Bot left a comment

Adds label selector filtering for Kubernetes discovery, allowing users to scope scans by namespace and object labels.

@MaxRink MaxRink force-pushed the feat/k8s-discovery-label-selectors branch from 364b4a7 to a043e43 Compare June 19, 2026 09:43

@mondoo-code-review Bot left a comment

K8s discovery gains label selector filtering for namespaces and objects via two new CLI flags.

@MaxRink MaxRink force-pushed the feat/k8s-discovery-label-selectors branch from a043e43 to 76d641b Compare June 19, 2026 10:04
@MaxRink MaxRink force-pushed the feat/k8s-discovery-label-selectors branch from 76d641b to 565052d Compare June 25, 2026 00:25

@mondoo-code-review Bot left a comment

K8s discovery can now be filtered by namespace and object label selectors, with robust admission review handling.

Comment on lines +101 to +116
func admissionRequestObjectDict(aRequest *admissionv1.AdmissionRequest) (map[string]any, error) {
	if aRequest == nil {
		return nil, errors.New("admission review request is nil")
	}
	if len(aRequest.Object.Raw) == 0 {
		return nil, errors.New("admission review request object is empty")
	}
	obj, err := resources.ResourcesFromManifest(bytes.NewReader(aRequest.Object.Raw))
	if err != nil {
		return nil, err
	}
	if len(obj) == 0 {
		return nil, errors.New("admission review request object did not contain any resources")
	}
	return convert.JsonToDict(obj[0])
}

🟡 warning: admissionRequestObjectDict is defined here but never called from production code — only from TestAdmissionRequestObjectDictRejectsMalformedRequestObject in the test file. If it's intended for future use, consider deferring it until it has a caller; otherwise remove it to avoid dead code. The validation logic it duplicates already exists inline in assetFromAdmissionReview.

	Long:    "namespace-label-selector",
	Type:    plugin.FlagType_String,
	Default: "",
	Desc:    "Only include Kubernetes namespaces matching the label selector",

Member left a comment

this is also discovering all the objects under the selected namespace. I think it's worth mentioning it explicitly in the docs.
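An added illustration, not code from this PR or from the project's k8s provider: a self-contained Go program that models the semantics described in the PR summary and in the comment just above. It parses the equality-based label selector forms (key=value, key!=value, bare key), applies the namespace selector before the object selector so that every object in a selected namespace is still discovered unless the object selector narrows it, and skips a namespaced object with a warning when its namespace labels are unavailable (fail closed). The Object and Filter types, the sample objects and the namespace label map are constructed for this example; how cluster-scoped kinds other than Namespace are treated is the example's own assumption, not something the PR states.

```go
package main

import (
	"fmt"
	"strings"
)

// Requirement is one selector clause; Op is "=", "!=" or "exists".
type Requirement struct{ Key, Op, Value string }

// ParseSelector handles the equality-based selector forms key=value, key!=value and
// bare key (comma = AND); set-based (in, notin) and !key clauses are rejected.
func ParseSelector(s string) ([]Requirement, error) {
	var reqs []Requirement
	for _, clause := range strings.FieldsFunc(s, func(c rune) bool { return c == ',' || c == ' ' }) {
		r := Requirement{Key: clause, Op: "exists"}
		for _, op := range []string{"!=", "="} {
			if k, v, found := strings.Cut(clause, op); found {
				r = Requirement{Key: k, Op: op, Value: v}
				break
			}
		}
		if r.Key == "" || strings.ContainsAny(r.Key, "!()") {
			return nil, fmt.Errorf("unsupported or malformed selector clause %q", clause)
		}
		reqs = append(reqs, r)
	}
	return reqs, nil
}

// Matches applies every requirement (AND); as in Kubernetes, key!=value holds when the key is absent.
func Matches(reqs []Requirement, labels map[string]string) bool {
	for _, r := range reqs {
		v, present := labels[r.Key]
		if (r.Op == "=" && (!present || v != r.Value)) || (r.Op == "!=" && present && v == r.Value) || (r.Op == "exists" && !present) {
			return false
		}
	}
	return true
}

// Object is a constructed stand-in for a discovered Kubernetes object (empty Namespace = cluster-scoped).
type Object struct {
	Kind, Namespace, Name string
	Labels                map[string]string
}

// Filter holds both selectors; a namespace absent from NamespaceLabels means its labels were unavailable.
type Filter struct {
	NamespaceSel, ObjectSel []Requirement
	NamespaceLabels         map[string]map[string]string
	Warnings                []string
}

// Keep reports whether obj is emitted. Namespace assets are judged by the namespace selector alone;
// a workload in a selected namespace is emitted unless the object selector narrows it; a namespaced
// object whose namespace labels are unavailable is skipped with a warning (fail closed). Cluster-scoped
// kinds other than Namespace only see the object selector, which is this example's assumption.
func (f *Filter) Keep(obj Object) bool {
	if obj.Kind == "Namespace" {
		return Matches(f.NamespaceSel, obj.Labels)
	}
	if len(f.NamespaceSel) > 0 && obj.Namespace != "" {
		nsLabels, known := f.NamespaceLabels[obj.Namespace]
		if !known {
			f.Warnings = append(f.Warnings, fmt.Sprintf("skipping %s %s/%s: namespace labels unavailable for selector evaluation", obj.Kind, obj.Namespace, obj.Name))
			return false
		}
		if !Matches(f.NamespaceSel, nsLabels) {
			return false
		}
	}
	return Matches(f.ObjectSel, obj.Labels)
}

// Constructed inputs; namespace "legacy" is deliberately absent from the label map.
func sample() ([]Object, map[string]map[string]string) {
	objs := []Object{
		{Kind: "Namespace", Name: "payments", Labels: map[string]string{"env": "prod"}},
		{Kind: "Namespace", Name: "sandbox", Labels: map[string]string{"env": "dev"}},
		{Kind: "Pod", Namespace: "payments", Name: "api", Labels: map[string]string{"app": "api"}},
		{Kind: "Pod", Namespace: "payments", Name: "batch", Labels: map[string]string{"app": "batch"}},
		{Kind: "Pod", Namespace: "sandbox", Name: "api", Labels: map[string]string{"app": "api"}},
		{Kind: "Deployment", Namespace: "legacy", Name: "old", Labels: map[string]string{"app": "api"}},
	}
	return objs, map[string]map[string]string{"payments": {"env": "prod"}, "sandbox": {"env": "dev"}}
}

func main() {
	nsSel, _ := ParseSelector("env=prod") // literal selectors, so the parse error is ignored
	objSel, _ := ParseSelector("app=api")
	objs, nsLabels := sample()
	f := &Filter{NamespaceSel: nsSel, ObjectSel: objSel, NamespaceLabels: nsLabels}
	for _, o := range objs {
		fmt.Println(f.Keep(o), o.Kind, o.Namespace+"/"+o.Name)
	}
	fmt.Println("warnings:", f.Warnings)
}
```

With the selectors env=prod and app=api only the payments namespace and payments/api survive: payments/batch is dropped by the object selector even though its namespace was selected, sandbox/api is dropped by the namespace selector, and legacy/old is dropped with a warning because no labels for its namespace were available. Dropping the namespace selector lets legacy/old through again, which is the difference between failing closed and failing open that the review fixes describe.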

@imilchev (Member) left a comment

Overall, looks good. Added 1 small comment + your PR needs a rebase. Once these are resolved, we can merge it.
