Allow to set custom kube-bench image (#201)

castai · Dec 6, 2023 · a69363f · a69363f
1 parent acec50f
commit a69363f
Show file tree

Hide file tree

Showing 12 changed files with 42 additions and 12 deletions.
diff --git a/charts/castai-kvisor/values.yaml b/charts/castai-kvisor/values.yaml
@@ -78,6 +78,9 @@ config: |
   kubeBench:
     enabled: true
     scanInterval: "30s"
+    image:
+      name: "ghcr.io/castai/kvisor/kube-bench:v0.8.0"
+      pullPolicy: IfNotPresent
   imageScan:
     enabled: true
     scanInterval: "15s"

diff --git a/cmd/agent/main.go b/cmd/agent/main.go
@@ -203,6 +203,7 @@ func run(ctx context.Context, logger logrus.FieldLogger, castaiClient castai.Cli
 		kubeBenchCtrl := kubebench.NewController(
 			log,
 			clientSet,
+			cfg.KubeBench,
 			cfg.PodNamespace,
 			cfg.Provider,
 			cfg.KubeBench.ScanInterval,

diff --git a/config/config.go b/config/config.go
@@ -96,9 +96,15 @@ type Linter struct {
 }
 
 type KubeBench struct {
-	Enabled      bool          `envconfig:"KUBE_BENCH_ENABLED" yaml:"enabled"`
-	Force        bool          `envconfig:"KUBE_BENCH_FORCE" yaml:"force"`
-	ScanInterval time.Duration `envconfig:"KUBE_BENCH_SCAN_INTERVAL" yaml:"scanInterval"`
+	Enabled      bool           `envconfig:"KUBE_BENCH_ENABLED" yaml:"enabled"`
+	Force        bool           `envconfig:"KUBE_BENCH_FORCE" yaml:"force"`
+	ScanInterval time.Duration  `envconfig:"KUBE_BENCH_SCAN_INTERVAL" yaml:"scanInterval"`
+	Image        KubeBenchImage `envconfig:"KUBE_BENCH_IMAGE" yaml:"image"`
+}
+
+type KubeBenchImage struct {
+	Name       string `envconfig:"KUBE_BENCH_IMAGE_NAME" yaml:"name"`
+	PullPolicy string `envconfig:"KUBE_BENCH_IMAGE_PULL_POLICY" yaml:"pullPolicy"`
 }
 
 type KubeClient struct {
@@ -215,6 +221,10 @@ func Load(configPath string) (Config, error) {
 		if cfg.KubeBench.ScanInterval == 0 {
 			cfg.KubeBench.ScanInterval = 30 * time.Second
 		}
+		if cfg.KubeBench.Image.Name == "" {
+			cfg.KubeBench.Image.Name = "ghcr.io/castai/kvisor/kube-bench:v0.8.0"
+			cfg.KubeBench.Image.PullPolicy = "IfNotPresent"
+		}
 	}
 	if cfg.Linter.Enabled {
 		if cfg.Linter.ScanInterval == 0 {

diff --git a/config/config_test.go b/config/config_test.go
@@ -93,6 +93,10 @@ func newTestConfig() Config {
 		KubeBench: KubeBench{
 			Enabled:      true,
 			ScanInterval: 15 * time.Second,
+			Image: KubeBenchImage{
+				Name:       "ghcr.io/castai/kvisor/kube-bench:v0.8.",
+				PullPolicy: "IfNotPresent",
+			},
 		},
 		CloudScan: CloudScan{
 			Enabled:      true,

diff --git a/linters/kubebench/controller.go b/linters/kubebench/controller.go
@@ -11,6 +11,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/castai/kvisor/config"
 	"github.com/cenkalti/backoff/v4"
 	"github.com/google/uuid"
 	lru "github.com/hashicorp/golang-lru"
@@ -40,6 +41,7 @@ const (
 func NewController(
 	log logrus.FieldLogger,
 	client kubernetes.Interface,
+	cfg config.KubeBench,
 	castaiNamespace string,
 	provider string,
 	scanInterval time.Duration,
@@ -55,6 +57,7 @@ func NewController(
 	return &Controller{
 		log:                           log,
 		client:                        client,
+		cfg:                           cfg,
 		castaiNamespace:               castaiNamespace,
 		delta:                         newDeltaState(),
 		provider:                      provider,
@@ -70,6 +73,7 @@ func NewController(
 type Controller struct {
 	log                           logrus.FieldLogger
 	client                        kubernetes.Interface
+	cfg                           config.KubeBench
 	castaiNamespace               string
 	castClient                    castai.Client
 	delta                         *nodeDeltaState
@@ -274,10 +278,17 @@ func (s *Controller) addReportToCache(n *corev1.Node, report *castai.KubeBenchRe
 // We are interested in kube-bench pod succeeding and not the Job
 func (s *Controller) createKubebenchJob(ctx context.Context, node *corev1.Node, jobName string) (*corev1.Pod, error) {
 	specFn := resolveSpec(s.provider, node)
+	jobSpec := specFn(node.GetName(), jobName)
+
+	// Set image from config.
+	cont := jobSpec.Spec.Template.Spec.Containers[0]
+	cont.Image = s.cfg.Image.Name
+	cont.ImagePullPolicy = corev1.PullPolicy(s.cfg.Image.PullPolicy)
+	jobSpec.Spec.Template.Spec.Containers[0] = cont
 
 	job, err := s.client.BatchV1().
 		Jobs(s.castaiNamespace).
-		Create(ctx, specFn(node.GetName(), jobName), metav1.CreateOptions{})
+		Create(ctx, jobSpec, metav1.CreateOptions{})
 	if err != nil {
 		s.log.WithError(err).Error("can not create kube-bench scan job")
 		return nil, err

diff --git a/linters/kubebench/controller_test.go b/linters/kubebench/controller_test.go
@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/castai/kvisor/castai"
+	"github.com/castai/kvisor/config"
 	"github.com/golang/mock/gomock"
 	"github.com/google/uuid"
 	"github.com/sirupsen/logrus"
@@ -41,6 +42,7 @@ func TestSubscriber(t *testing.T) {
 		ctrl := NewController(
 			log,
 			clientset,
+			config.KubeBench{},
 			castaiNamespace,
 			"gke",
 			5*time.Millisecond,
@@ -117,6 +119,7 @@ func TestSubscriber(t *testing.T) {
 		ctrl := NewController(
 			log,
 			clientset,
+			config.KubeBench{},
 			castaiNamespace,
 			"gke",
 			5*time.Millisecond,
@@ -172,6 +175,7 @@ func TestSubscriber(t *testing.T) {
 		ctrl := NewController(
 			log,
 			clientset,
+			config.KubeBench{},
 			castaiNamespace,
 			"gke",
 			5*time.Millisecond,

diff --git a/linters/kubebench/spec/aks.go b/linters/kubebench/spec/aks.go
@@ -32,7 +32,7 @@ func AKS(nodeName, jobName string) *batchv1.Job {
 					Containers: []corev1.Container{
 						{
 							Name:  "kube-bench",
-							Image: kubeBenchImage,
+							Image: "<placeholder>",
 							SecurityContext: &corev1.SecurityContext{
 								ReadOnlyRootFilesystem:   lo.ToPtr(true),
 								AllowPrivilegeEscalation: lo.ToPtr(false),

diff --git a/linters/kubebench/spec/common.go b/linters/kubebench/spec/common.go
diff --git a/linters/kubebench/spec/eks.go b/linters/kubebench/spec/eks.go
@@ -32,7 +32,7 @@ func EKS(nodeName, jobName string) *batchv1.Job {
 					Containers: []corev1.Container{
 						{
 							Name:  "kube-bench",
-							Image: kubeBenchImage,
+							Image: "<placeholder>",
 							SecurityContext: &corev1.SecurityContext{
 								ReadOnlyRootFilesystem:   lo.ToPtr(true),
 								AllowPrivilegeEscalation: lo.ToPtr(false),

diff --git a/linters/kubebench/spec/gke.go b/linters/kubebench/spec/gke.go
@@ -32,7 +32,7 @@ func GKE(nodeName, jobName string) *batchv1.Job {
 					Containers: []corev1.Container{
 						{
 							Name:  "kube-bench",
-							Image: kubeBenchImage,
+							Image: "<placeholder>",
 							SecurityContext: &corev1.SecurityContext{
 								ReadOnlyRootFilesystem:   lo.ToPtr(true),
 								AllowPrivilegeEscalation: lo.ToPtr(false),

diff --git a/linters/kubebench/spec/master.go b/linters/kubebench/spec/master.go
@@ -47,7 +47,7 @@ func Master(nodeName, jobName string) *batchv1.Job {
 					Containers: []corev1.Container{
 						{
 							Name:  "kube-bench",
-							Image: kubeBenchImage,
+							Image: "<placeholder>",
 							SecurityContext: &corev1.SecurityContext{
 								ReadOnlyRootFilesystem:   lo.ToPtr(true),
 								AllowPrivilegeEscalation: lo.ToPtr(false),

diff --git a/linters/kubebench/spec/node.go b/linters/kubebench/spec/node.go
@@ -32,7 +32,7 @@ func Node(nodeName, jobName string) *batchv1.Job {
 					Containers: []corev1.Container{
 						{
 							Name:  "kube-bench",
-							Image: kubeBenchImage,
+							Image: "<placeholder>",
 							SecurityContext: &corev1.SecurityContext{
 								ReadOnlyRootFilesystem:   lo.ToPtr(true),
 								AllowPrivilegeEscalation: lo.ToPtr(false),