Skip to content
This repository has been archived by the owner on Nov 1, 2022. It is now read-only.

Allow images to be excluded from scanning #1659

Merged
merged 7 commits into from
Jan 28, 2019
Merged

Conversation

stefanprodan
Copy link
Member

@stefanprodan stefanprodan commented Jan 14, 2019

  • add registry-exclude-image flag that accepts a list of glob expressions
  • exclude Kubernetes system images by default k8s.gcr.io/*
  • add exclusion tests
  • add usage examples to docs

Fix #1654 images can be excluded by registry domain eg.:
--registry-exclude-image=gcr.io/*,quay.io/*

Fix #1509 it is now possible to disable the image cache completely with:
--registry-exclude-image=*

- add registry-exclude-image flag that accepts a list of glob expressions
- exclude Kubernetes system images by default (k8s.gcr.io/*)
@stefanprodan stefanprodan requested a review from squaremo January 14, 2019 16:13
cluster/kubernetes/images.go Outdated Show resolved Hide resolved
cmd/fluxd/main.go Outdated Show resolved Hide resolved
@stephenmoloney
Copy link
Contributor

just wondering, when is it desirable to not scan images in a registry?

@stefanprodan
Copy link
Member Author

@stephenmoloney see @alanjcastonguay comment on #1654

@stefanprodan
Copy link
Member Author

@squaremo should we exclude quay.io/weaveworks/flux* and quay.io/weaveworks/helm-operator* by default?

@squaremo
Copy link
Member

should we exclude quay.io/weaveworks/flux* and quay.io/weaveworks/helm-operator* by default?

No; people routinely automate those (e.g., Weaveworks).

@stefanprodan
Copy link
Member Author

@squaremo I've addressed your comments in the latest commits and I've also made changes to the docs. Let me know if I've missed something. Thanks

Copy link
Member

@squaremo squaremo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool, this looks like it'll work :-) I made some suggestions for tightening up the code; you can take or leave those (if you leave them, also leave a comment in response..)

Can you rebase out some of those unrelated documentation changes (re Helm and so on) please -- I'm happy to stamp another PR with them.

CHANGELOG.md Outdated Show resolved Hide resolved
cluster/kubernetes/images.go Outdated Show resolved Hide resolved
cluster/kubernetes/images.go Outdated Show resolved Hide resolved
cluster/kubernetes/images.go Outdated Show resolved Hide resolved
@@ -66,11 +67,51 @@ func TestMergeCredentials(t *testing.T) {
client := extendedClient{clientset, nil}

creds := registry.ImageCreds{}
mergeCredentials(noopLog, client, ns, spec, creds, make(map[string]registry.Credentials))
cluster := NewCluster(clientset, nil, nil, nil, log.NewNopLogger(), []string{}, []string{})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hrmm, it's a bit unwieldy that you have to create a cluster in order to filter the images. Maybe construct the filter independently of the cluster.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That way you can make it a no-op if there are no exclusions, and you can build the list of included images in one step in mergeCredentials (rather than building a list of all of them, then filtering it down).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What I meant is this: given a predicate includeImage(imageName) bool, you can step through a pod template, testing each image extracted against the predicate as you go. There's no need to build the list of images, then run through it again to filter it.

How do you get such a predicate? You can just construct it -- you have the algorithm right here -- and it need not depend on the cluster, since all that's doing is providing the list of exclusions.

deploy/memcache-dep.yaml Outdated Show resolved Hide resolved
site/faq.md Outdated Show resolved Hide resolved
@stefanprodan stefanprodan force-pushed the registry-filter branch 2 times, most recently from 08b4429 to cf5c238 Compare January 23, 2019 16:06
@stefanprodan
Copy link
Member Author

@squaremo I've removed the docs changes from this PR and I've addressed your comments in the latest commit. As for making the tests work without cluster I'm not really sure how to do that without adding the exclusion list on all functions... I would leave that for another PR if it's ok with you.

@@ -66,11 +67,51 @@ func TestMergeCredentials(t *testing.T) {
client := extendedClient{clientset, nil}

creds := registry.ImageCreds{}
mergeCredentials(noopLog, client, ns, spec, creds, make(map[string]registry.Credentials))
cluster := NewCluster(clientset, nil, nil, nil, log.NewNopLogger(), []string{}, []string{})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What I meant is this: given a predicate includeImage(imageName) bool, you can step through a pod template, testing each image extracted against the predicate as you go. There's no need to build the list of images, then run through it again to filter it.

How do you get such a predicate? You can just construct it -- you have the algorithm right here -- and it need not depend on the cluster, since all that's doing is providing the list of exclusions.

imageCreds registry.ImageCreds,
seenCreds map[string]registry.Credentials) {
// filter the images based on the exclusion list
images := filterImages(podTemplate)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All that happens to filterImages is that it's applied to one of the other arguments -- you may as well supply the result.

Copy link
Member

@squaremo squaremo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, if this works, it works. Other "making it .." goals can follow.

@squaremo
Copy link
Member

That last commit is a nice refinement 👍

@stefanprodan stefanprodan merged commit ef8e102 into master Jan 28, 2019
@stefanprodan stefanprodan deleted the registry-filter branch January 28, 2019 14:17
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants