feat: add missing registry override

If kubernetes does not provide a registry for an image give the option
to return the pull string to Anchore Enterprise with a default registry
set for the image.

Signed-off-by: Bradley Jones <[email protected]>

anchore-k8s-inventory.yaml

@@ -57,6 +57,15 @@ kubernetes:
 # Can be one of adhoc, periodic (defaults to adhoc)
 mode: adhoc
 
+# If no registry information can be found by a pod describe you can use this
+# field to override the registry for images where no registry is found. This
+# can happen when the cluster is configured to use a specific private repo.
+# However, kubernetes does not represent this in the pod describe output other
+# than as the default 'docker.io' registry in the Image ID and a blank registry
+# in the Image field. This should be set to match the private registry
+# configuration of the cluster.
+missing-registry-override:  # ex. myregistry.io
+
 # Handle cases where a tag is missing. For example - images designated by digest
 missing-tag-policy:
   # One of the following options [digest, insert, drop]. Default is 'digest'

internal/config/config.go

@@ -46,6 +46,7 @@ type Application struct {
 	Namespaces                      []string          `mapstructure:"namespaces"`
 	KubernetesRequestTimeoutSeconds int64             `mapstructure:"kubernetes-request-timeout-seconds"`
 	NamespaceSelectors              NamespaceSelector `mapstructure:"namespace-selectors"`
+	MissingRegistryOverride         string            `mapstructure:"missing-registry-override"`
 	MissingTagPolicy                MissingTagConf    `mapstructure:"missing-tag-policy"`
 	RunMode                         mode.Mode
 	Mode                            string      `mapstructure:"mode"`
@@ -124,6 +125,7 @@ func setNonCliDefaultValues(v *viper.Viper) {
 	v.SetDefault("kubernetes.request-batch-size", 100)
 	v.SetDefault("kubernetes.worker-pool-size", 100)
 	v.SetDefault("ignore-not-running", true)
+	v.SetDefault("missing-registry-override", "")
 	v.SetDefault("missing-tag-policy.policy", "digest")
 	v.SetDefault("missing-tag-policy.tag", "UNKNOWN")
 	v.SetDefault("namespaces", []string{})

internal/config/test-fixtures/snapshot/TestDefaultConfigString.golden

@@ -31,6 +31,7 @@ namespaceselectors:
   include: []
   exclude: []
   ignoreempty: false
+missingregistryoverride: ""
 missingtagpolicy:
   policy: digest
   tag: UNKNOWN

internal/config/test-fixtures/snapshot/TestEmptyConfigString.golden

@@ -31,6 +31,7 @@ namespaceselectors:
   include: []
   exclude: []
   ignoreempty: false
+missingregistryoverride: ""
 missingtagpolicy:
   policy: ""
   tag: ""

internal/config/test-fixtures/snapshot/TestSensitiveConfigString.golden

@@ -31,6 +31,7 @@ namespaceselectors:
   include: []
   exclude: []
   ignoreempty: false
+missingregistryoverride: ""
 missingtagpolicy:
   policy: digest
   tag: UNKNOWN

pkg/inventory/containers.go

@@ -14,20 +14,32 @@ var (
 	tagRegex    = regexp.MustCompile(`:[\w][\w.-]{0,127}$`)
 )
 
-func getContainersInPod(pod v1.Pod, missingTagPolicy, dummyTag string) []Container {
+func missingRegistryProcessing(imageTag, missingRegistryOverride string) string {
+	if missingRegistryOverride != "" {
+		parts := strings.Split(imageTag, "/")
+		if len(parts) <= 2 {
+			// Assume no registry is present and only image and/or repo
+			return fmt.Sprintf("%s/%s", missingRegistryOverride, imageTag)
+		}
+	}
+	return imageTag
+}
+
+func getContainersInPod(pod v1.Pod, missingRegistryOverride, missingTagPolicy, dummyTag string) []Container {
 	// Look at both status/spec for init and regular containers
 	// Must use status when looking at containers in order to obtain the container ID
 	// from the Status and the Image tag from the Spec
 	containers := make(map[string]Container, 0)
 
 	processPodSpec := func(c v1.Container) {
+		imageTag := missingRegistryProcessing(strings.Split(c.Image, "@")[0], missingRegistryOverride)
 		if containerFound, ok := containers[c.Name]; ok {
-			containerFound.ImageTag = strings.Split(c.Image, "@")[0]
+			containerFound.ImageTag = imageTag
 			containerFound.PodUID = string(pod.UID)
 		} else {
 			containers[c.Name] = Container{
 				PodUID:   string(pod.UID),
-				ImageTag: strings.Split(c.Image, "@")[0],
+				ImageTag: imageTag,
 				Name:     c.Name,
 			}
 		}
@@ -46,10 +58,11 @@ func getContainersInPod(pod v1.Pod, missingTagPolicy, dummyTag string) []Contain
 			containerFound.ImageDigest = digest
 			containers[c.Name] = containerFound
 		} else {
+			imageTag := missingRegistryProcessing(strings.Split(c.Image, "@")[0], missingRegistryOverride)
 			containers[c.Name] = Container{
 				ID:          c.ContainerID,
 				PodUID:      string(pod.UID),
-				ImageTag:    strings.Split(c.Image, "@")[0],
+				ImageTag:    imageTag,
 				ImageDigest: digest,
 				Name:        c.Name,
 			}
@@ -87,14 +100,18 @@ func getContainersInPod(pod v1.Pod, missingTagPolicy, dummyTag string) []Contain
 	return containerList
 }
 
-func GetContainersFromPods(pods []v1.Pod, ignoreNotRunning bool, missingTagPolicy, dummyTag string) []Container {
+func GetContainersFromPods(
+	pods []v1.Pod,
+	ignoreNotRunning bool,
+	missingRegistryOverride, missingTagPolicy, dummyTag string,
+) []Container {
 	var containers []Container
 
 	for _, pod := range pods {
 		if ignoreNotRunning && pod.Status.Phase != v1.PodRunning {
 			continue
 		}
-		containers = append(containers, getContainersInPod(pod, missingTagPolicy, dummyTag)...)
+		containers = append(containers, getContainersInPod(pod, missingRegistryOverride, missingTagPolicy, dummyTag)...)
 	}
 
 	// Handle missing tags