feat: add support for k8s intrusive flag

Signed-off-by: chenk <[email protected]>
chen-keinan · Mar 13, 2024 · a8aafb6 · a8aafb6
1 parent 71da44f
commit a8aafb6
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/pkg/flag/kubernetes_flags.go b/pkg/flag/kubernetes_flags.go
@@ -58,6 +58,11 @@ var (
 		Shorthand:  "A",
 		Usage:      "fetch resources from all cluster namespaces",
 	}
+	Intrusive = Flag[bool]{
+		Name:       "intrusive",
+		ConfigName: "kubernetes.intrusive",
+		Usage:      "When the flag is activated, the node-collector job will be executed, revealing misconfiguration findings detected within the Node.",
+	}
 	NodeCollectorNamespace = Flag[string]{
 		Name:       "node-collector-namespace",
 		ConfigName: "node.collector.namespace",
@@ -101,6 +106,7 @@ type K8sFlagGroup struct {
 	Components             *Flag[[]string]
 	K8sVersion             *Flag[string]
 	Tolerations            *Flag[[]string]
+	Intrusive              *Flag[bool]
 	NodeCollectorImageRef  *Flag[string]
 	AllNamespaces          *Flag[bool]
 	NodeCollectorNamespace *Flag[string]
@@ -121,6 +127,7 @@ type K8sOptions struct {
 	AllNamespaces          bool
 	NodeCollectorNamespace string
 	ExcludeOwned           bool
+	Intrusive              bool
 	ExcludeNodes           map[string]string
 	QPS                    float32
 	Burst                  int
@@ -134,6 +141,7 @@ func NewK8sFlagGroup() *K8sFlagGroup {
 		Components:             ComponentsFlag.Clone(),
 		K8sVersion:             K8sVersionFlag.Clone(),
 		Tolerations:            TolerationsFlag.Clone(),
+		Intrusive:              Intrusive.Clone(),
 		AllNamespaces:          AllNamespaces.Clone(),
 		NodeCollectorNamespace: NodeCollectorNamespace.Clone(),
 		ExcludeOwned:           ExcludeOwned.Clone(),
@@ -193,6 +201,7 @@ func (f *K8sFlagGroup) ToOptions() (K8sOptions, error) {
 		Components:             f.Components.Value(),
 		K8sVersion:             f.K8sVersion.Value(),
 		Tolerations:            tolerations,
+		Intrusive:              f.Intrusive.Value(),
 		AllNamespaces:          f.AllNamespaces.Value(),
 		NodeCollectorNamespace: f.NodeCollectorNamespace.Value(),
 		ExcludeOwned:           f.ExcludeOwned.Value(),

diff --git a/pkg/k8s/commands/cluster.go b/pkg/k8s/commands/cluster.go
@@ -3,7 +3,6 @@ package commands
 import (
 	"context"
 
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
 
 	k8sArtifacts "github.com/aquasecurity/trivy-kubernetes/pkg/artifacts"
@@ -28,7 +27,7 @@ func clusterRun(ctx context.Context, opts flag.Options, cluster k8s.Cluster) err
 			return xerrors.Errorf("get k8s artifacts with node info error: %w", err)
 		}
 	case types.FormatJSON, types.FormatTable:
-		if opts.Scanners.AnyEnabled(types.MisconfigScanner) && slices.Contains(opts.Components, "infra") {
+		if opts.Scanners.AnyEnabled(types.MisconfigScanner) && opts.Intrusive {
 			artifacts, err = trivyk8s.New(cluster, log.Logger, trivyk8s.WithExcludeOwned(opts.ExcludeOwned)).ListArtifactAndNodeInfo(ctx,
 				trivyk8s.WithScanJobNamespace(opts.NodeCollectorNamespace),
 				trivyk8s.WithIgnoreLabels(opts.ExcludeNodes),