⭐ model runtime cache images #8452
| plugin.Resource | ||
| GetKind() *plugin.TValue[string] | ||
| } | ||
|
|
||
| type runtimeDelegateEndpointResource interface { | ||
| plugin.Resource |
🟡 warning — sharedRuntimeField silently swallows errors from runtime.GetSharedData — if the shared runtime returns a transient error (network blip, timeout), the caller sees false and falls through to a potentially incorrect match result instead of propagating the failure. Consider at minimum logging the error, or returning it so callers can distinguish "field not available" from "lookup failed".
| if !ok || node.Name.Data != nodeName { | ||
| continue | ||
| } | ||
| delegates := node.GetRuntimeDelegates() | ||
| if delegates.Error != nil { | ||
| return nil, false, delegates.Error | ||
| } | ||
| if !runtimeDelegateAvailable(k.MqlRuntime, delegates.Data, runtimeKindFromContainerID(k.ContainerId.Data)) { | ||
| return nil, false, nil | ||
| } | ||
|
|
||
| images := node.GetRuntimeImages() | ||
| if images.Error != nil { | ||
| return nil, true, images.Error | ||
| } | ||
| keys := runtimeImageMatchKeys(k.Image.Data, k.ImageId.Data) | ||
| digestKeys := runtimeImageDigestMatchKeys(k.ImageId.Data) | ||
| matches := []plugin.Resource{} | ||
| for _, item := range images.Data { | ||
| image, ok := item.(plugin.Resource) | ||
| if !ok { | ||
| continue | ||
| } |
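Review bot: The two error returns in this hunk disagree on the boolean. The delegates path uses `return nil, false, delegates.Error` while the images path uses `return nil, true, images.Error`, and nothing in the lines shown says what the flag means when the error is non-nil. Document the contract on the function (for example "the bool is only meaningful when err == nil") or make both error paths return the same value, so a caller that checks the flag before the error cannot treat a failed lookup as a definitive answer. Also, `delegates` and `images` are checked for `.Error` before use, but `node.Name.Data`, `k.ContainerId.Data`, `k.Image.Data` and `k.ImageId.Data` are read directly in these lines; if those fields can carry an error, an empty `.Data` would silently produce a non-match here, so check them the same way or note why they cannot fail.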
🔵 suggestion — runtimeImageMatches iterates all nodes to find the one matching nodeName, then iterates all images on that node. If the node has many images, the digest-key fast path (lines 265-269) skips tag matching entirely via continue, which is correct — but the keys map built on line 260 always includes both image and imageID candidates even when only digestKeys will be used. Minor: you could defer building keys until after the len(digestKeys) == 0 check to avoid unnecessary map allocations.
Summary
- runtime-cache-images discovery that reads the operator-provided delegate file, filters pod image observations to runtime-cache-node-name, and emits runtime-image scan assets instead of pull-capable registry-image assets
- runtime-image connection type with an initial no-pull containerd implementation: connect to the configured mounted socket, export the already-cached image through containerd image/content services, load the OCI layout locally, and reuse the existing tar-based container scanner
- container-images, docker-image, and registry-image behavior unchanged; unsupported runtime delegate kinds fail closed rather than falling back to registry pulls

Review fixes
- notPresent instead of runtimeUnavailable
- nodeName, avoiding unrelated pod deserialization errors

Validation
- git diff --check
- go test ./providers/os/connection/container -run 'TestRuntimeImage|TestContainerd'
- go test ./providers/os/resources -run 'Test(SplitImageReferenceNames|NormalizeRuntimeImageID|StringsSetToAnySortsValues|RuntimeImageArgsFromReference)'
- cd providers/k8s && go test ./resources -run 'Test(RuntimeCache|DiscoverRuntimeCache|RuntimeImage|Containerd|Split|Normalize|StringsSet)'
- cd providers/k8s && go test ./resources
- cd providers/k8s && go test ./resources -run 'TestDiscover.*RuntimeCache|TestRuntimeCache|TestLoadRuntimeCacheSettings|Test(NodeNameForPodUID|ContainerStatusPodUID|RuntimeImage)'
- cd providers/os && go test ./connection/container ./resources -run 'Test.*Runtime|TestContainerd'

Notes
- ctr binary in the scanner image. CRI-O, Docker, Podman, native CRI clients, richer result modeling, and further per-node scan-result reuse remain explicit follow-up work in the plan doc.
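
The fail-closed rule from the summary (unsupported runtime delegate kinds produce an error, never a registry pull), as an added example that is not code from this PR. The Delegate type, runtimeKind, SelectDelegate and the sample socket path are assumptions made for illustration; the `<runtime>://<id>` form is the containerID format Kubernetes reports in container statuses.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnsupportedRuntime marks runtimes that have no no-pull scanner.
var ErrUnsupportedRuntime = errors.New("unsupported runtime delegate kind")
// Delegate is a hypothetical stand-in for one delegate-file entry.
type Delegate struct {
	Kind   string // runtime kind, e.g. "containerd"
	Socket string // path of the mounted runtime socket
}

// runtimeKind (hypothetical) reads the runtime from "<runtime>://<id>".
func runtimeKind(containerID string) (string, error) {
	kind, id, ok := strings.Cut(containerID, "://")
	if !ok || kind == "" || id == "" {
		return "", fmt.Errorf("malformed containerID %q", containerID)
	}
	return strings.ToLower(kind), nil
}

// SelectDelegate has deliberately no branch that falls back to a registry pull.
func SelectDelegate(delegates []Delegate, containerID string) (Delegate, error) {
	kind, err := runtimeKind(containerID)
	if err != nil {
		return Delegate{}, err
	}
	if kind != "containerd" { // the only kind this example supports
		return Delegate{}, fmt.Errorf("%w: %s", ErrUnsupportedRuntime, kind)
	}
	for _, d := range delegates {
		if d.Kind == kind && d.Socket != "" {
			return d, nil
		}
	}
	return Delegate{}, fmt.Errorf("no %s delegate configured", kind)
}

func main() {
	ds := []Delegate{{Kind: "containerd", Socket: "/run/containerd/containerd.sock"}} // constructed sample
	for _, id := range []string{"containerd://abc123", "cri-o://abc123", "abc123"} {
		d, err := SelectDelegate(ds, id)
		fmt.Printf("%-22s socket=%q err=%v\n", id, d.Socket, err)
	}
}
```

Callers can use errors.Is(err, ErrUnsupportedRuntime) to report an unsupported runtime separately from a malformed ID or a missing delegate, while all three cases skip the scan.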