From a8aafb63795b78ea219e6546e3ff029e6efa8d44 Mon Sep 17 00:00:00 2001
From: chenk
Date: Wed, 13 Mar 2024 10:54:27 +0200
Subject: [PATCH] feat: add support for k8s intrusive flag
Signed-off-by: chenk
---
 pkg/flag/kubernetes_flags.go | 9 +++++++++
 pkg/k8s/commands/cluster.go | 3 +--
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/pkg/flag/kubernetes_flags.go b/pkg/flag/kubernetes_flags.go
index 7a87040ba698..babb10a281a9 100644
--- a/pkg/flag/kubernetes_flags.go
+++ b/pkg/flag/kubernetes_flags.go
@@ -58,6 +58,11 @@ var (
 		Shorthand: "A",
 		Usage: "fetch resources from all cluster namespaces",
 	}
+	Intrusive = Flag[bool]{
+		Name: "intrusive",
+		ConfigName: "kubernetes.intrusive",
+		Usage: "When the flag is activated, the node-collector job will be executed, revealing misconfiguration findings detected within the Node.",
+	}
 	NodeCollectorNamespace = Flag[string]{
 		Name: "node-collector-namespace",
 		ConfigName: "node.collector.namespace",
@@ -101,6 +106,7 @@ type K8sFlagGroup struct {
 	Components *Flag[[]string]
 	K8sVersion *Flag[string]
 	Tolerations *Flag[[]string]
+	Intrusive *Flag[bool]
 	NodeCollectorImageRef *Flag[string]
 	AllNamespaces *Flag[bool]
 	NodeCollectorNamespace *Flag[string]
@@ -121,6 +127,7 @@ type K8sOptions struct {
 	AllNamespaces bool
 	NodeCollectorNamespace string
 	ExcludeOwned bool
+	Intrusive bool
 	ExcludeNodes map[string]string
 	QPS float32
 	Burst int
@@ -134,6 +141,7 @@ func NewK8sFlagGroup() *K8sFlagGroup {
 		Components: ComponentsFlag.Clone(),
 		K8sVersion: K8sVersionFlag.Clone(),
 		Tolerations: TolerationsFlag.Clone(),
+		Intrusive: Intrusive.Clone(),
 		AllNamespaces: AllNamespaces.Clone(),
 		NodeCollectorNamespace: NodeCollectorNamespace.Clone(),
 		ExcludeOwned: ExcludeOwned.Clone(),
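Review bot: The Usage string of the new `Intrusive` flag in the @@ -58 hunk does not say what "intrusive" means operationally, which is exactly what a user deciding whether to enable it needs, and it breaks the style of the sibling flags in the same var block, which are lowercase, period-free one-liners such as `fetch resources from all cluster namespaces`. Since no `Default` is set, the flag is off unless requested, so something like `Usage: "run the node-collector job inside the cluster to report node misconfiguration findings (off by default)",` states both the effect and the default. The variable name also omits the `Flag` suffix that `ComponentsFlag`, `K8sVersionFlag` and `TolerationsFlag` carry in the @@ -134 hunk's `NewK8sFlagGroup`, so the initializer reads `Intrusive: Intrusive.Clone()`; `IntrusiveFlag` would match those, although `AllNamespaces` and `NodeCollectorNamespace` already use the shorter form, so either convention is defensible. The enclosing var block starts before and ends after this hunk.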
@@ -193,6 +201,7 @@ func (f *K8sFlagGroup) ToOptions() (K8sOptions, error) {
 		Components: f.Components.Value(),
 		K8sVersion: f.K8sVersion.Value(),
 		Tolerations: tolerations,
+		Intrusive: f.Intrusive.Value(),
 		AllNamespaces: f.AllNamespaces.Value(),
 		NodeCollectorNamespace: f.NodeCollectorNamespace.Value(),
 		ExcludeOwned: f.ExcludeOwned.Value(),
diff --git a/pkg/k8s/commands/cluster.go b/pkg/k8s/commands/cluster.go
index bf28f26f5d7f..9b208d0d2e1a 100644
--- a/pkg/k8s/commands/cluster.go
+++ b/pkg/k8s/commands/cluster.go
@@ -3,7 +3,6 @@ package commands
 import (
 	"context"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
 	k8sArtifacts "github.com/aquasecurity/trivy-kubernetes/pkg/artifacts"
@@ -28,7 +27,7 @@ func clusterRun(ctx context.Context, opts flag.Options, cluster k8s.Cluster) err
 			return xerrors.Errorf("get k8s artifacts with node info error: %w", err)
 		}
 	case types.FormatJSON, types.FormatTable:
-		if opts.Scanners.AnyEnabled(types.MisconfigScanner) && slices.Contains(opts.Components, "infra") {
+		if opts.Scanners.AnyEnabled(types.MisconfigScanner) && opts.Intrusive {
 			artifacts, err = trivyk8s.New(cluster, log.Logger, trivyk8s.WithExcludeOwned(opts.ExcludeOwned)).ListArtifactAndNodeInfo(ctx,
 				trivyk8s.WithScanJobNamespace(opts.NodeCollectorNamespace),
 				trivyk8s.WithIgnoreLabels(opts.ExcludeNodes),
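Review bot: The new condition in the `case types.FormatJSON, types.FormatTable:` branch of the @@ -28 hunk replaces the `slices.Contains(opts.Components, "infra")` check with `opts.Intrusive` instead of adding to it, so `--intrusive` now launches the node-collector job in the scanned cluster even when `--components` was narrowed to exclude `infra`, while `--components infra` on its own silently stops producing node findings. If the intent is an explicit opt-in for the in-cluster job (a sensible default, since it schedules work inside the target cluster), the gate should probably read `if opts.Scanners.AnyEnabled(types.MisconfigScanner) && opts.Intrusive && slices.Contains(opts.Components, "infra") {`, which means keeping the `slices` import that the @@ -3 hunk removes. Whichever gate is chosen, the non-intrusive path should log that node (infra) misconfiguration checks were skipped and that `--intrusive` enables them, so partial results are not mistaken for a clean node; the else branch is outside this hunk, so I cannot tell whether it already does. The preceding case, whose error message mentions node info, appears to fetch node info without consulting the flag and is worth checking for the same opt-in. clusterRun begins before and continues after this hunk.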