fluxcd · stefanprodan · Jan 28, 2019 · Jan 14, 2019 · Jan 14, 2019 · Jan 14, 2019
diff --git a/cluster/kubernetes/images.go b/cluster/kubernetes/images.go
@@ -2,6 +2,7 @@ package kubernetes
 
 import (
 	"fmt"
+	"github.com/ryanuber/go-glob"
 
 	"github.com/go-kit/kit/log"
 	"github.com/pkg/errors"
@@ -140,5 +141,16 @@ func (c *Cluster) ImagesToFetch() registry.ImageCreds {
 		}
 	}
 
+	// remove images based on the glob exclusion list
+	for imageID := range allImageCreds {
+		imageName := imageID.CanonicalName().Name.String()
+		for _, exp := range c.imageExcludeList {
+			if glob.Glob(exp, imageName) {
+				//c.logger.Log("debug", fmt.Sprintf("image %s excluded from scanning by %s", imageName, exp))
+				delete(allImageCreds, imageID)
+			}
+		}
+	}
+
 	return allImageCreds
 }
diff --git a/cluster/kubernetes/kubernetes.go b/cluster/kubernetes/kubernetes.go
@@ -104,7 +104,8 @@ type Cluster struct {
 	nsWhitelist       []string
 	nsWhitelistLogged map[string]bool // to keep track of whether we've logged a problem with seeing a whitelisted ns
 
-	mu sync.Mutex
+	imageExcludeList []string
+	mu               sync.Mutex
 }
 
 // NewCluster returns a usable cluster.
@@ -113,7 +114,8 @@ func NewCluster(clientset k8sclient.Interface,
 	applier Applier,
 	sshKeyRing ssh.KeyRing,
 	logger log.Logger,
-	nsWhitelist []string) *Cluster {
+	nsWhitelist []string,
+	imageExcludeList []string) *Cluster {
 
 	c := &Cluster{
 		client: extendedClient{
@@ -125,6 +127,7 @@ func NewCluster(clientset k8sclient.Interface,
 		sshKeyRing:        sshKeyRing,
 		nsWhitelist:       nsWhitelist,
 		nsWhitelistLogged: map[string]bool{},
+		imageExcludeList:  imageExcludeList,
 	}
 
 	return c
@@ -178,16 +181,16 @@ func (c *Cluster) AllControllers(namespace string) (res []cluster.Controller, er
 			podControllers, err := resourceKind.getPodControllers(c, ns.Name)
 			if err != nil {
 				if se, ok := err.(*apierrors.StatusError); ok {
-					switch (se.ErrStatus.Reason) {
-						case meta_v1.StatusReasonNotFound:
-							// Kind not supported by API server, skip
-							continue
-						case meta_v1.StatusReasonForbidden:
-							// K8s can return forbidden instead of not found for non super admins
-							c.logger.Log("warning", "not allowed to list resources", "err", err)
-							continue
-						default:
-							return nil, err
+					switch se.ErrStatus.Reason {
+					case meta_v1.StatusReasonNotFound:
+						// Kind not supported by API server, skip
+						continue
+					case meta_v1.StatusReasonForbidden:
+						// K8s can return forbidden instead of not found for non super admins
+						c.logger.Log("warning", "not allowed to list resources", "err", err)
+						continue
+					default:
+						return nil, err
 					}
 				} else {
 					return nil, err
@@ -291,16 +294,16 @@ func (c *Cluster) Export() ([]byte, error) {
 			podControllers, err := resourceKind.getPodControllers(c, ns.Name)
 			if err != nil {
 				if se, ok := err.(*apierrors.StatusError); ok {
-					switch (se.ErrStatus.Reason) {
-						case meta_v1.StatusReasonNotFound:
-							// Kind not supported by API server, skip
-							continue
-						case meta_v1.StatusReasonForbidden:
-							// K8s can return forbidden instead of not found for non super admins
-							c.logger.Log("warning", "not allowed to list resources", "err", err)
-							continue
-						default:
-							return nil, err
+					switch se.ErrStatus.Reason {
+					case meta_v1.StatusReasonNotFound:
+						// Kind not supported by API server, skip
+						continue
+					case meta_v1.StatusReasonForbidden:
+						// K8s can return forbidden instead of not found for non super admins
+						c.logger.Log("warning", "not allowed to list resources", "err", err)
+						continue
+					default:
+						return nil, err
 					}
 				} else {
 					return nil, err

diff --git a/cluster/kubernetes/kubernetes_test.go b/cluster/kubernetes/kubernetes_test.go
@@ -26,7 +26,7 @@ func testGetAllowedNamespaces(t *testing.T, namespace []string, expected []strin
 	clientset := fakekubernetes.NewSimpleClientset(newNamespace("default"),
 		newNamespace("kube-system"))
 
-	c := NewCluster(clientset, nil, nil, nil, log.NewNopLogger(), namespace)
+	c := NewCluster(clientset, nil, nil, nil, log.NewNopLogger(), namespace, []string{})
 
 	namespaces, err := c.getAllowedNamespaces()
 	if err != nil {

diff --git a/cmd/fluxd/main.go b/cmd/fluxd/main.go
@@ -105,6 +105,7 @@ func main() {
 		registryBurst        = fs.Int("registry-burst", defaultRemoteConnections, "maximum number of warmer connections to remote and memcache")
 		registryTrace        = fs.Bool("registry-trace", false, "output trace of image registry requests to log")
 		registryInsecure     = fs.StringSlice("registry-insecure-host", []string{}, "use HTTP for this image registry domain (e.g., registry.cluster.local), instead of HTTPS")
+		registryExcludeImage = fs.StringSlice("registry-exclude-image", []string{"k8s.gcr.io/*"}, "Do not scan images that match these glob expressions; the default is to exclude the 'k8s.gcr.io/*' images")
 
 		// AWS authentication
 		registryAWSRegions         = fs.StringSlice("registry-ecr-region", nil, "Restrict ECR scanning to these AWS regions; if empty, only the cluster's region will be scanned")
@@ -258,7 +259,7 @@ func main() {
 		logger.Log("kubectl", kubectl)
 
 		kubectlApplier := kubernetes.NewKubectl(kubectl, restClientConfig)
-		k8sInst := kubernetes.NewCluster(clientset, ifclientset, kubectlApplier, sshKeyRing, logger, *k8sNamespaceWhitelist)
+		k8sInst := kubernetes.NewCluster(clientset, ifclientset, kubectlApplier, sshKeyRing, logger, *k8sNamespaceWhitelist, *registryExcludeImage)
 
 		if err := k8sInst.Ping(); err != nil {
 			logger.Log("ping", err)