Try to avoid controller-uid

DigitecGalaxus · Jan 31, 2025 · 413dc09 · 413dc09
1 parent 30236b6
commit 413dc09
Show file tree

Hide file tree

Showing 5 changed files with 48 additions and 5 deletions.
diff --git a/pkg/kube/logs.go b/pkg/kube/logs.go
@@ -9,6 +9,7 @@ import (
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"github.com/aquasecurity/trivy-operator/pkg/trivyoperator"
 	"k8s.io/client-go/kubernetes"
 )
 
@@ -72,12 +73,9 @@ func (r *logsReader) getPodByJob(ctx context.Context, job *batchv1.Job) (*corev1
 }
 
 func (r *logsReader) podListLookup(ctx context.Context, namespace string, refreshedJob *batchv1.Job) (*corev1.PodList, error) {
-	matchingLabelKey := "controller-uid"
+	matchingLabelKey := trivyoperator.LabelControllerUid
 	matchingLabelValue := refreshedJob.Spec.Selector.MatchLabels[matchingLabelKey]
-	if matchingLabelValue == "" {
-		matchingLabelKey = "batch.kubernetes.io/controller-uid" // for k8s v1.27.x and above
-		matchingLabelValue = refreshedJob.Spec.Selector.MatchLabels[matchingLabelKey]
-	}
+
 	selector := fmt.Sprintf("%s=%s", matchingLabelKey, matchingLabelValue)
 	return r.clientset.CoreV1().Pods(namespace).List(ctx, metav1.ListOptions{
 		LabelSelector: selector})

diff --git a/pkg/trivyoperator/constants.go b/pkg/trivyoperator/constants.go
@@ -25,6 +25,7 @@ const (
 	LabelResourceNamespace = "annotation.trivy-operator.resource.namespace"
 	LabelContainerName     = "annotation.trivy-operator.container.name"
 	LabelResourceSpecHash  = "annotation.resource-spec-hash"
+	LabelControllerUid     = "annotation.controller-uid"
 	LabelPluginConfigHash  = "plugin-config-hash"
 	LabelResourceImageID   = "resource-image-id"
 	LabelReusedReport      = "reused-report"

diff --git a/pkg/vulnerabilityreport/builder.go b/pkg/vulnerabilityreport/builder.go
@@ -38,6 +38,7 @@ type ScanJobBuilder struct {
 	podSecurityContext       *corev1.PodSecurityContext
 	containerSecurityContext *corev1.SecurityContext
 	podPriorityClassName     string
+	controllerUid			 string
 	skipInitContainers       bool
 	sbomClusterReports       map[string]v1alpha1.SbomReportData
 	customVolumesMount       []corev1.VolumeMount
@@ -143,6 +144,11 @@ func (s *ScanJobBuilder) WithCustomVolumesMount(customVolumesMount []corev1.Volu
 	return s
 }
 
+func (s *ScanJobBuilder) WithControllerUid(controllerUid string) *ScanJobBuilder {
+	s.controllerUid = controllerUid
+	return s
+}
+
 func (s *ScanJobBuilder) Get() (*batchv1.Job, []*corev1.Secret, error) {
 	spec, err := kube.GetPodSpec(s.object)
 	if err != nil {
@@ -187,6 +193,7 @@ func (s *ScanJobBuilder) Get() (*batchv1.Job, []*corev1.Secret, error) {
 
 	jobLabels := map[string]string{
 		trivyoperator.LabelResourceSpecHash:           podSpecHash,
+		trivyoperator.LabelControllerUid:			   s.controllerUid,
 		trivyoperator.LabelK8SAppManagedBy:            trivyoperator.AppTrivyOperator,
 		trivyoperator.LabelVulnerabilityReportScanner: s.pluginContext.GetName(),
 	}
@@ -206,6 +213,12 @@ func (s *ScanJobBuilder) Get() (*batchv1.Job, []*corev1.Secret, error) {
 		BackoffLimit:          ptr.To[int32](0),
 		Completions:           ptr.To[int32](1),
 		ActiveDeadlineSeconds: utils.DurationSecondsPtr(s.timeout),
+		ManualSelector:		    ptr.To[bool](true),
+		Selector:  &metav1.LabelSelector{
+			MatchLabels: map[string]string{
+				trivyoperator.LabelControllerUid: s.controllerUid,
+			},
+		},
 		Template: corev1.PodTemplateSpec{
 			ObjectMeta: metav1.ObjectMeta{
 				Labels:      podTemplateLabels,

diff --git a/pkg/vulnerabilityreport/builder_test.go b/pkg/vulnerabilityreport/builder_test.go
@@ -72,6 +72,7 @@ func TestScanJobBuilder(t *testing.T) {
 	t.Run("Should get scan job with labels", func(t *testing.T) {
 		g := gomega.NewGomegaWithT(t)
 		job, _, err := vulnerabilityreport.NewScanJobBuilder().
+			WithControllerUid("guid1").
 			WithPlugin(&testPlugin{}).
 			WithPluginContext(trivyoperator.NewPluginContext().
 				WithName("test-plugin").
@@ -116,6 +117,7 @@ func TestScanJobBuilder(t *testing.T) {
 					trivyoperator.LabelResourceName:               "nginx-6799fc88d8",
 					trivyoperator.LabelResourceNamespace:          "prod-ns",
 					trivyoperator.LabelResourceSpecHash:           "78b69db6df",
+					trivyoperator.LabelControllerUid:			   "guid1",
 				},
 				Annotations: map[string]string{
 					trivyoperator.AnnotationContainerImages: `{"nginx":"nginx:1.16"}`,
@@ -125,6 +127,12 @@ func TestScanJobBuilder(t *testing.T) {
 				BackoffLimit:          ptr.To[int32](0),
 				Completions:           ptr.To[int32](1),
 				ActiveDeadlineSeconds: ptr.To[int64](3),
+				ManualSelector:		    ptr.To[bool](true),
+				Selector:  &metav1.LabelSelector{
+					MatchLabels: map[string]string{
+						trivyoperator.LabelControllerUid: "guid1",
+					},
+				},
 				Template: corev1.PodTemplateSpec{
 					ObjectMeta: metav1.ObjectMeta{
 						Labels: map[string]string{
@@ -134,6 +142,7 @@ func TestScanJobBuilder(t *testing.T) {
 							trivyoperator.LabelResourceName:               "nginx-6799fc88d8",
 							trivyoperator.LabelResourceNamespace:          "prod-ns",
 							trivyoperator.LabelResourceSpecHash:           "78b69db6df",
+							trivyoperator.LabelControllerUid:			   "guid1",
 						},
 					},
 					Spec: corev1.PodSpec{},
@@ -145,6 +154,7 @@ func TestScanJobBuilder(t *testing.T) {
 	t.Run("Should get scan job with annotations", func(t *testing.T) {
 		g := gomega.NewGomegaWithT(t)
 		job, _, err := vulnerabilityreport.NewScanJobBuilder().
+			WithControllerUid("guid1").
 			WithPlugin(&testPlugin{}).
 			WithPluginContext(trivyoperator.NewPluginContext().
 				WithName("test-plugin").
@@ -190,6 +200,7 @@ func TestScanJobBuilder(t *testing.T) {
 					trivyoperator.LabelResourceName:               "nginx-6799fc88d8",
 					trivyoperator.LabelResourceNamespace:          "prod-ns",
 					trivyoperator.LabelResourceSpecHash:           "78b69db6df",
+					trivyoperator.LabelControllerUid:			   "guid1",
 				},
 				Annotations: map[string]string{
 					"test-annotation":                       "test-value",
@@ -200,6 +211,12 @@ func TestScanJobBuilder(t *testing.T) {
 				BackoffLimit:          ptr.To[int32](0),
 				Completions:           ptr.To[int32](1),
 				ActiveDeadlineSeconds: ptr.To[int64](3),
+				ManualSelector:		    ptr.To[bool](true),
+				Selector:  &metav1.LabelSelector{
+					MatchLabels: map[string]string{
+						trivyoperator.LabelControllerUid: "guid1",
+					},
+				},
 				Template: corev1.PodTemplateSpec{
 					ObjectMeta: metav1.ObjectMeta{
 						Labels: map[string]string{
@@ -209,6 +226,7 @@ func TestScanJobBuilder(t *testing.T) {
 							trivyoperator.LabelResourceName:               "nginx-6799fc88d8",
 							trivyoperator.LabelResourceNamespace:          "prod-ns",
 							trivyoperator.LabelResourceSpecHash:           "78b69db6df",
+							trivyoperator.LabelControllerUid:			   "guid1",
 						},
 						Annotations: map[string]string{
 							"test-annotation": "test-value",
@@ -223,6 +241,7 @@ func TestScanJobBuilder(t *testing.T) {
 	t.Run("Should get scan job running in workload namespace", func(t *testing.T) {
 		g := gomega.NewGomegaWithT(t)
 		job, _, err := vulnerabilityreport.NewScanJobBuilder().
+			WithControllerUid("guid1").
 			WithPlugin(&testPlugin{}).
 			WithPluginContext(trivyoperator.NewPluginContext().
 				WithName("test-plugin").
@@ -270,6 +289,7 @@ func TestScanJobBuilder(t *testing.T) {
 					trivyoperator.LabelResourceName:               "nginx-6799fc88d8",
 					trivyoperator.LabelResourceNamespace:          "prod-ns",
 					trivyoperator.LabelResourceSpecHash:           "78b69db6df",
+					trivyoperator.LabelControllerUid:			   "guid1",
 				},
 				Annotations: map[string]string{
 					trivyoperator.AnnotationContainerImages: `{"nginx":"nginx:1.16"}`,
@@ -279,6 +299,12 @@ func TestScanJobBuilder(t *testing.T) {
 				BackoffLimit:          ptr.To[int32](0),
 				Completions:           ptr.To[int32](1),
 				ActiveDeadlineSeconds: ptr.To[int64](3),
+				ManualSelector:		    ptr.To[bool](true),
+				Selector:  &metav1.LabelSelector{
+					MatchLabels: map[string]string{
+						trivyoperator.LabelControllerUid: "guid1",
+					},
+				},
 				Template: corev1.PodTemplateSpec{
 					ObjectMeta: metav1.ObjectMeta{
 						Labels: map[string]string{
@@ -288,6 +314,7 @@ func TestScanJobBuilder(t *testing.T) {
 							trivyoperator.LabelResourceName:               "nginx-6799fc88d8",
 							trivyoperator.LabelResourceNamespace:          "prod-ns",
 							trivyoperator.LabelResourceSpecHash:           "78b69db6df",
+							trivyoperator.LabelControllerUid:			   "guid1",
 						},
 					},
 					Spec: corev1.PodSpec{},

diff --git a/pkg/vulnerabilityreport/controller/workload.go b/pkg/vulnerabilityreport/controller/workload.go
@@ -29,6 +29,7 @@ import (
 	"github.com/aquasecurity/trivy-operator/pkg/vulnerabilityreport"
 
 	. "github.com/aquasecurity/trivy-operator/pkg/operator/predicate"
+	"github.com/google/uuid"
 )
 
 const trivyServerUp = "trivy_server_up"
@@ -319,7 +320,10 @@ func (r *WorkloadController) SubmitScanJob(ctx context.Context, owner client.Obj
 		return fmt.Errorf("getting scan job scan job custom volume: %w", err)
 	}
 
+	newUUID := uuid.New()
+
 	scanJobBuilder := vulnerabilityreport.NewScanJobBuilder().
+		WithControllerUid(newUUID.String()).
 		WithPlugin(r.Plugin).
 		WithPluginContext(r.PluginContext).
 		WithTimeout(r.Config.ScanJobTimeout).