Require managed-by label in Service autodiscovery · Issue #1194 · secureCodeBox/secureCodeBox · GitHub

Require managed-by label in Service autodiscovery #1194

@the-simmon

Description

The service autodiscovery checks if a scan already exists by checking if a scan with certain labels exists. The managed-by label was not added to those scans initially. Because of this, the service autodiscovery cannot assume that all scans have this label (when a scan was created before the managed-by label was added; newer scans have the managed-by label). This makes the code a bit hard to read, as the autodiscovery is querying a scan with certain labels, just to add the managed-by label after that.

```go
for containerName, podDigest := range podDigests {
	// The map should only contain one entry at this point, as the reconciler breaks (see containerDigestsAllMatch)
	// if the service points to a list of pods with different digests per container name.
	for digest := range podDigest {
		versionedLabels[fmt.Sprintf("digest.auto-discovery.securecodebox.io/%s", containerName)] = digest[0:min(len(digest), 63)]
		break
	}
}

// The label is added after the initial query, as it was introduced later and isn't guaranteed to be on every auto-discovery managed scan.
versionedLabels["app.kubernetes.io/managed-by"] = "securecodebox-autodiscovery"
```

This could be changed with a breaking change. The service autodiscovery could assume that every scan has the managed-by label. This would be a minor code readability improvement. It would not change the behavior of the service autodiscovery.
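Added example, not part of the original issue or the secureCodeBox code base: a stand-alone sketch of the label lookup described above, showing why requiring the managed-by label in the query is a breaking change for scans created before the label existed. The `Scan` type, the helper functions, the scan names and the digest value are hypothetical and constructed for illustration; only the two label keys and the managed-by value come from the issue.

```go
package main

import "fmt"

// Scan is a hypothetical stand-in for a scan resource: a name plus its labels.
type Scan struct {
	Name   string
	Labels map[string]string
}

// scanLabels builds the per-container digest labels, optionally with managed-by.
func scanLabels(digests map[string]string, managed bool) map[string]string {
	labels := map[string]string{}
	for container, digest := range digests {
		labels["digest.auto-discovery.securecodebox.io/"+container] = digest
	}
	if managed {
		labels["app.kubernetes.io/managed-by"] = "securecodebox-autodiscovery"
	}
	return labels
}

// findScans returns the names of scans that carry every label in selector.
func findScans(scans []Scan, selector map[string]string) (names []string) {
outer:
	for _, s := range scans {
		for k, v := range selector {
			if got, found := s.Labels[k]; !found || got != v {
				continue outer
			}
		}
		names = append(names, s.Name)
	}
	return names
}

// compareSelectors runs both lookups over constructed sample scans.
func compareSelectors() (current, strict []string) {
	digests := map[string]string{"nginx": "0a1b2c3d"} // constructed digest value
	scans := []Scan{
		{"scan-before-label", scanLabels(digests, false)}, // created before managed-by existed
		{"scan-after-label", scanLabels(digests, true)},
	}
	return findScans(scans, scanLabels(digests, false)), findScans(scans, scanLabels(digests, true))
}

func main() {
	current, strict := compareSelectors()
	fmt.Printf("without managed-by: %v\nwith managed-by: %v\n", current, strict)
}
```

The selector without managed-by finds both scans, while the selector that requires it no longer finds the scan created before the label was introduced.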

Status

Done
