BREAKING: support exclude kinds/namespaces and include kinds/namespaces (#6323)

Signed-off-by: chenk <hen.keinan@gmail.com>
chenk
2024-04-27 17:30:17 +03:00
committed by GitHub
parent 2d090ef2df
commit 060d0bb641
12 changed files with 129 additions and 407 deletions


@@ -10,20 +10,6 @@ import (
)
var (
ClusterContextFlag = Flag[string]{
Name: "context",
ConfigName: "kubernetes.context",
Usage: "specify a context to scan",
Aliases: []Alias{
{Name: "ctx"},
},
}
K8sNamespaceFlag = Flag[string]{
Name: "namespace",
ConfigName: "kubernetes.namespace",
Shorthand: "n",
Usage: "specify a namespace to scan",
}
KubeConfigFlag = Flag[string]{
Name: "kubeconfig",
ConfigName: "kubernetes.kubeconfig",
@@ -52,12 +38,6 @@ var (
ConfigName: "kubernetes.tolerations",
Usage: "specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)",
}
AllNamespaces = Flag[bool]{
Name: "all-namespaces",
ConfigName: "kubernetes.all-namespaces",
Shorthand: "A",
Usage: "fetch resources from all cluster namespaces",
}
NodeCollectorNamespace = Flag[string]{
Name: "node-collector-namespace",
ConfigName: "kubernetes.node-collector.namespace",
@@ -80,6 +60,27 @@ var (
ConfigName: "kubernetes.exclude.nodes",
Usage: "indicate the node labels that the node-collector job should exclude from scanning (example: kubernetes.io/arch:arm64,team:dev)",
}
ExcludeKinds = Flag[[]string]{
Name: "exclude-kinds",
ConfigName: "kubernetes.excludeKinds",
Usage: "indicate the kinds exclude from scanning (example: node)",
}
IncludeKinds = Flag[[]string]{
Name: "include-kinds",
ConfigName: "kubernetes.includeKinds",
Usage: "indicate the kinds included in scanning (example: node)",
}
ExcludeNamespaces = Flag[[]string]{
Name: "exclude-namespaces",
ConfigName: "kubernetes.excludeNamespaces",
Usage: "indicate the namespaces excluded from scanning (example: kube-system)",
}
IncludeNamespaces = Flag[[]string]{
Name: "include-namespaces",
ConfigName: "kubernetes.includeNamespaces",
Usage: "indicate the namespaces included in scanning (example: kube-system)",
}
QPS = Flag[float64]{
Name: "qps",
ConfigName: "kubernetes.qps",
@@ -95,49 +96,52 @@ var (
)
type K8sFlagGroup struct {
ClusterContext *Flag[string]
Namespace *Flag[string]
KubeConfig *Flag[string]
Components *Flag[[]string]
K8sVersion *Flag[string]
Tolerations *Flag[[]string]
NodeCollectorImageRef *Flag[string]
AllNamespaces *Flag[bool]
NodeCollectorNamespace *Flag[string]
ExcludeOwned *Flag[bool]
ExcludeNodes *Flag[[]string]
ExcludeKinds *Flag[[]string]
IncludeKinds *Flag[[]string]
ExcludeNamespaces *Flag[[]string]
IncludeNamespaces *Flag[[]string]
QPS *Flag[float64]
Burst *Flag[int]
}
type K8sOptions struct {
ClusterContext string
Namespace string
KubeConfig string
Components []string
K8sVersion string
Tolerations []corev1.Toleration
NodeCollectorImageRef string
AllNamespaces bool
NodeCollectorNamespace string
ExcludeOwned bool
ExcludeNodes map[string]string
ExcludeKinds []string
IncludeKinds []string
ExcludeNamespaces []string
IncludeNamespaces []string
QPS float32
Burst int
}
func NewK8sFlagGroup() *K8sFlagGroup {
return &K8sFlagGroup{
ClusterContext: ClusterContextFlag.Clone(),
Namespace: K8sNamespaceFlag.Clone(),
KubeConfig: KubeConfigFlag.Clone(),
Components: ComponentsFlag.Clone(),
K8sVersion: K8sVersionFlag.Clone(),
Tolerations: TolerationsFlag.Clone(),
AllNamespaces: AllNamespaces.Clone(),
NodeCollectorNamespace: NodeCollectorNamespace.Clone(),
ExcludeOwned: ExcludeOwned.Clone(),
ExcludeNodes: ExcludeNodes.Clone(),
ExcludeKinds: ExcludeKinds.Clone(),
IncludeKinds: IncludeKinds.Clone(),
ExcludeNamespaces: ExcludeNamespaces.Clone(),
IncludeNamespaces: IncludeNamespaces.Clone(),
NodeCollectorImageRef: NodeCollectorImageRef.Clone(),
QPS: QPS.Clone(),
Burst: Burst.Clone(),
@@ -150,17 +154,18 @@ func (f *K8sFlagGroup) Name() string {
func (f *K8sFlagGroup) Flags() []Flagger {
return []Flagger{
f.ClusterContext,
f.Namespace,
f.KubeConfig,
f.Components,
f.K8sVersion,
f.Tolerations,
f.AllNamespaces,
f.NodeCollectorNamespace,
f.ExcludeOwned,
f.ExcludeNodes,
f.NodeCollectorImageRef,
f.ExcludeKinds,
f.IncludeKinds,
f.ExcludeNamespaces,
f.IncludeNamespaces,
f.QPS,
f.Burst,
}
@@ -185,20 +190,27 @@ func (f *K8sFlagGroup) ToOptions() (K8sOptions, error) {
}
exludeNodeLabels[excludeNodeParts[0]] = excludeNodeParts[1]
}
if len(f.ExcludeNamespaces.Value()) > 0 && len(f.IncludeNamespaces.Value()) > 0 {
return K8sOptions{}, fmt.Errorf("include-namespaces and exclude-namespaces flags cannot be used together")
}
if len(f.ExcludeKinds.Value()) > 0 && len(f.IncludeKinds.Value()) > 0 {
return K8sOptions{}, fmt.Errorf("include-kinds and exclude-kinds flags cannot be used together")
}
return K8sOptions{
ClusterContext: f.ClusterContext.Value(),
Namespace: f.Namespace.Value(),
KubeConfig: f.KubeConfig.Value(),
Components: f.Components.Value(),
K8sVersion: f.K8sVersion.Value(),
Tolerations: tolerations,
AllNamespaces: f.AllNamespaces.Value(),
NodeCollectorNamespace: f.NodeCollectorNamespace.Value(),
ExcludeOwned: f.ExcludeOwned.Value(),
ExcludeNodes: exludeNodeLabels,
NodeCollectorImageRef: f.NodeCollectorImageRef.Value(),
QPS: float32(f.QPS.Value()),
ExcludeKinds: f.ExcludeKinds.Value(),
IncludeKinds: f.IncludeKinds.Value(),
ExcludeNamespaces: f.ExcludeNamespaces.Value(),
IncludeNamespaces: f.IncludeNamespaces.Value(),
Burst: f.Burst.Value(),
}, nil
}
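Review bot: The four new filter lists are copied into K8sOptions exactly as the user typed them (`ExcludeKinds: f.ExcludeKinds.Value()` and the three lines after it), with only the include/exclude mutual-exclusion checks in front of them. In a scanner this is a coverage problem rather than a cosmetic one: unless code outside this hunk validates the lists, a misspelt or empty `--include-kinds` / `--include-namespaces` entry may yield an empty, clean-looking report, and a misspelt exclude entry skips nothing without saying so. I would reject empty entries in ToOptions as sketched below, log the effective include/exclude scope with the results, and state in the usage text whether kind matching is case-sensitive. Separately, the `exclude-kinds` usage string should read `indicate the kinds excluded from scanning (example: node)`. ToOptions starts above this hunk, so the earlier parsing is not visible here and the sketch assumes `strings` is already imported.

```go
// … unchanged: toleration and exclude-node label parsing, include/exclude mutual-exclusion checks …
filters := []struct {
	name string
	vals []string
}{
	{"include-kinds", f.IncludeKinds.Value()},
	{"exclude-kinds", f.ExcludeKinds.Value()},
	{"include-namespaces", f.IncludeNamespaces.Value()},
	{"exclude-namespaces", f.ExcludeNamespaces.Value()},
}
for _, fl := range filters {
	for _, v := range fl.vals {
		// An empty entry (e.g. a trailing comma) would silently match nothing.
		if strings.TrimSpace(v) == "" {
			return K8sOptions{}, fmt.Errorf("%s contains an empty entry", fl.name)
		}
	}
}
// … unchanged: return K8sOptions{ … }, nil …
```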