Merge pull request #230 from kubescape/noname

ensure containers have a name in applicationprofiles patches
kubescape · Apr 7, 2024 · 120d3e7 · 120d3e7
2 parents 43f93b1 + 9f8084f
commit 120d3e7
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 33 deletions.
diff --git a/pkg/applicationprofilemanager/v1/applicationprofile_manager.go b/pkg/applicationprofilemanager/v1/applicationprofile_manager.go
@@ -107,9 +107,9 @@ func (am *ApplicationProfileManager) ensureInstanceID(container *containercollec
 			watchedContainer.InstanceID = instanceIDs[i]
 		}
 	}
-	// find container type and index
+	// fill container type, index and names
 	if watchedContainer.ContainerType == utils.Unknown {
-		watchedContainer.SetContainerType(pod, container.K8s.ContainerName)
+		watchedContainer.SetContainerInfo(pod, container.K8s.ContainerName)
 	}
 
 	// FIXME ephemeralContainers are not supported yet
@@ -289,7 +289,7 @@ func (am *ApplicationProfileManager) saveProfile(ctx context.Context, watchedCon
 	// 3b. the profile is missing the container profile - ADD the container profile at the right index
 	// 3c. default - patch the container ourselves and REPLACE it at the right index
 	if len(capabilities) > 0 || len(execs) > 0 || len(opens) > 0 {
-		// calculate patch
+		// 0. calculate patch
 		profileOperations := utils.CreateCapabilitiesPatchOperations(capabilities, execs, opens, watchedContainer.ContainerType.String(), watchedContainer.ContainerIndex)
 		patch, err := json.Marshal(profileOperations)
 		if err != nil {
@@ -300,11 +300,11 @@ func (am *ApplicationProfileManager) saveProfile(ctx context.Context, watchedCon
 				helpers.String("k8s workload", watchedContainer.K8sContainerID))
 			return
 		}
-		// try to patch application profile
+		// 1. try to patch application profile
 		var gotErr error
 		if err := am.storageClient.PatchApplicationProfile(slug, namespace, patch, watchedContainer.SyncChannel); err != nil {
 			if apierrors.IsNotFound(err) {
-				// new application profile
+				// 2a. new application profile
 				newProfile := &v1beta1.ApplicationProfile{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: slug,
@@ -337,7 +337,7 @@ func (am *ApplicationProfileManager) saveProfile(ctx context.Context, watchedCon
 					helpers.Int("container index", watchedContainer.ContainerIndex),
 					helpers.String("container ID", watchedContainer.ContainerID),
 					helpers.String("k8s workload", watchedContainer.K8sContainerID))
-				// get existing profile
+				// 2b. get existing profile
 				existingProfile, err := am.storageClient.GetApplicationProfile(namespace, slug)
 				if err != nil {
 					gotErr = err
@@ -353,7 +353,7 @@ func (am *ApplicationProfileManager) saveProfile(ctx context.Context, watchedCon
 					var addProfileContainer bool
 					if existingProfileContainer == nil {
 						existingProfileContainer = &v1beta1.ApplicationProfileContainer{
-							Name: watchedContainer.InstanceID.GetContainerName(),
+							Name: watchedContainer.ContainerNames[watchedContainer.ContainerIndex],
 						}
 						addProfileContainer = true
 					}
@@ -369,7 +369,7 @@ func (am *ApplicationProfileManager) saveProfile(ctx context.Context, watchedCon
 					// replace or add application profile container using patch
 					switch {
 					case existingContainers == nil:
-						// insert a new container slice, with the new container at the right index
+						// 3a. insert a new container slice, with the new container at the right index
 						containers := make([]v1beta1.ApplicationProfileContainer, watchedContainer.ContainerIndex+1)
 						containers[watchedContainer.ContainerIndex] = *existingProfileContainer
 						replaceOperations = append(replaceOperations, utils.PatchOperation{
@@ -378,11 +378,14 @@ func (am *ApplicationProfileManager) saveProfile(ctx context.Context, watchedCon
 							Value: containers,
 						})
 					case addProfileContainer:
+						// 3b. insert a new container at the right index
 						for i := len(existingContainers); i < watchedContainer.ContainerIndex; i++ {
 							replaceOperations = append(replaceOperations, utils.PatchOperation{
-								Op:    "add",
-								Path:  fmt.Sprintf("/spec/%s/%d", watchedContainer.ContainerType, i),
-								Value: v1beta1.ApplicationProfileContainer{},
+								Op:   "add",
+								Path: fmt.Sprintf("/spec/%s/%d", watchedContainer.ContainerType, i),
+								Value: v1beta1.ApplicationProfileContainer{
+									Name: watchedContainer.ContainerNames[i],
+								},
 							})
 						}
 						replaceOperations = append(replaceOperations, utils.PatchOperation{
@@ -391,6 +394,7 @@ func (am *ApplicationProfileManager) saveProfile(ctx context.Context, watchedCon
 							Value: existingProfileContainer,
 						})
 					default:
+						// 3c. replace the existing container at the right index
 						replaceOperations = append(replaceOperations, utils.PatchOperation{
 							Op:    "replace",
 							Path:  fmt.Sprintf("/spec/%s/%d", watchedContainer.ContainerType, watchedContainer.ContainerIndex),

diff --git a/pkg/relevancymanager/v1/relevancy_manager.go b/pkg/relevancymanager/v1/relevancy_manager.go
@@ -91,7 +91,7 @@ func (rm *RelevancyManager) getContainerInfo(watchedContainer *utils.WatchedCont
 	}
 	pod := wl.(*workloadinterface.Workload)
 
-	watchedContainer.SetContainerType(pod, containerName)
+	watchedContainer.SetContainerInfo(pod, containerName)
 
 	// get pod template hash
 	podTemplateHash, _ = pod.GetLabel("pod-template-hash")

diff --git a/pkg/utils/utils.go b/pkg/utils/utils.go
@@ -3,7 +3,6 @@ package utils
 import (
 	"errors"
 	"fmt"
-	"github.com/deckarep/golang-set/v2"
 	"math/rand"
 	"path/filepath"
 	"runtime"
@@ -12,17 +11,18 @@ import (
 	"strings"
 	"time"
 
+	"github.com/armosec/utils-k8s-go/wlid"
+	"github.com/deckarep/golang-set/v2"
 	"github.com/goradd/maps"
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
+	"github.com/kubescape/k8s-interface/instanceidhandler"
 	"github.com/kubescape/k8s-interface/instanceidhandler/v1/containerinstance"
 	helpersv1 "github.com/kubescape/k8s-interface/instanceidhandler/v1/helpers"
 	"github.com/kubescape/k8s-interface/instanceidhandler/v1/initcontainerinstance"
 	"github.com/kubescape/k8s-interface/workloadinterface"
-
-	"github.com/armosec/utils-k8s-go/wlid"
-	"github.com/kubescape/go-logger"
-	"github.com/kubescape/go-logger/helpers"
-	"github.com/kubescape/k8s-interface/instanceidhandler"
 	"github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/validation"
 )
 
@@ -68,6 +68,7 @@ type WatchedContainerData struct {
 	SBOMResourceVersion                        int
 	ContainerType                              ContainerType
 	ContainerIndex                             int
+	ContainerNames                             []string // depends on the container type
 	NsMntId                                    uint64
 	InitialDelayExpired                        bool
 }
@@ -192,30 +193,30 @@ func InsertApplicationProfileContainer(profile *v1beta1.ApplicationProfile, cont
 	}
 }
 
-func (watchedContainer *WatchedContainerData) SetContainerType(wl workloadinterface.IWorkload, containerName string) {
+func (watchedContainer *WatchedContainerData) SetContainerInfo(wl workloadinterface.IWorkload, containerName string) {
+	checkContainers := func(containers []v1.Container, containerType ContainerType) {
+		var containerNames []string
+		for i, c := range containers {
+			containerNames = append(containerNames, c.Name)
+			if c.Name == containerName {
+				watchedContainer.ContainerIndex = i
+				watchedContainer.ContainerType = containerType
+				watchedContainer.ContainerNames = containerNames
+			}
+		}
+	}
+	// containers
 	containers, err := wl.GetContainers()
 	if err != nil {
 		return
 	}
-	for i, c := range containers {
-		if c.Name == containerName {
-			watchedContainer.ContainerIndex = i
-			watchedContainer.ContainerType = Container
-			break
-		}
-	}
+	checkContainers(containers, Container)
 	// initContainers
 	initContainers, err := wl.GetInitContainers()
 	if err != nil {
 		return
 	}
-	for i, c := range initContainers {
-		if c.Name == containerName {
-			watchedContainer.ContainerIndex = i
-			watchedContainer.ContainerType = InitContainer
-			break
-		}
-	}
+	checkContainers(initContainers, InitContainer)
 }
 
 func EnrichProfileContainer(newProfileContainer *v1beta1.ApplicationProfileContainer, observedCapabilities []string, execs map[string]mapset.Set[string], opens map[string]mapset.Set[string]) {