Lay the foundations for the kubernetes provider (#621)

This commit: * Adds the provider struct and the empty functions for discovering and scanning. * Creates a kubernetes client for accessing the kubernetes API * Adds a configuration loader which looks for environment variables prefixed with VMCLARITY_KUBERNETES * Adds the Kubernetes provider type to the api spec * Updates uibackend to handle the kubernetes provider type * Sdds location field to the container asset type which can be used by the provider to keep track of where a container was found * Support kubernetes provider configuration in helm-chart
openclarity · Sep 7, 2023 · 0808c9d · 0808c9d
1 parent c01a552
commit 0808c9d
Show file tree

Hide file tree

Showing 15 changed files with 386 additions and 153 deletions.
diff --git a/api/models/models.gen.go b/api/models/models.gen.go
diff --git a/api/openapi.yaml b/api/openapi.yaml
@@ -931,6 +931,7 @@ components:
         - GCP
         - Docker
         - External
+        - Kubernetes
 
     Scans:
       type: object
@@ -1625,6 +1626,8 @@ components:
           type: string
         containerName:
           type: string
+        location:
+          type: string
         # TODO(paralta) Check if image needs to be a required property
         image:
           $ref: '#/components/schemas/ContainerImageInfo' 

diff --git a/api/server/server.gen.go b/api/server/server.gen.go
diff --git a/charts/vmclarity/README.md b/charts/vmclarity/README.md
@@ -178,10 +178,11 @@ secrets.
 | orchestrator.image.registry | string | `"ghcr.io"` | Orchestrator image registry |
 | orchestrator.image.repository | string | `"openclarity/vmclarity-orchestrator"` | Orchestrator image repository |
 | orchestrator.image.tag | string | `"latest"` | Orchestrator image tag (immutable tags are recommended) |
+| orchestrator.kubernetes | object | `{}` |  |
 | orchestrator.logLevel | string | `"info"` | Orchestrator service log level |
 | orchestrator.podSecurityContext.enabled | bool | `true` | Whether Orchestrator pod security context is enabled |
 | orchestrator.podSecurityContext.fsGroup | int | `1001` | Orchestrator pod security context fsGroup |
-| orchestrator.provider | string | `"aws"` | Which provider to enable |
+| orchestrator.provider | string | `"aws"` | Which provider driver to enable. If enabling the Kubernetes provider ensure that the orchestrator serviceAccount section is configured to allow access to the Kubernetes API. |
 | orchestrator.replicas | int | `1` | Number of replicas for the Orchestrator service Currently 1 supported. |
 | orchestrator.resources.limits | object | `{}` | The resources limits for the orchestrator containers |
 | orchestrator.resources.requests | object | `{}` | The requested resources for the orchestrator containers |

diff --git a/charts/vmclarity/templates/orchestrator/deployment.yaml b/charts/vmclarity/templates/orchestrator/deployment.yaml
@@ -148,3 +148,10 @@ spec:
               value: .scannerStorageContainerName
             {{- end -}}
             {{- end }}
+
+            {{- if eq .Values.orchestrator.provider "kubernetes" }}
+            - name: PROVIDER
+              value: "kubernetes"
+            {{- with .Values.orchestrator.kubernetes }}
+            {{- end -}}
+            {{- end }}
diff --git a/charts/vmclarity/values.yaml b/charts/vmclarity/values.yaml
@@ -153,7 +153,9 @@ orchestrator:
   # -- Address that scanenrs can use to reach the freshclam mirror
   freshclamMirrorAddress: ""
 
-  # -- Which provider to enable
+  # -- Which provider driver to enable.
+  # If enabling the Kubernetes provider ensure that the orchestrator
+  # serviceAccount section is configured to allow access to the Kubernetes API.
   provider: "aws"
 
   aws:
@@ -212,6 +214,8 @@ orchestrator:
     # -- Storage container to use for transfering snapshots between regions
     scannerStorageContainerName: ""
 
+  kubernetes: {}
+
 ui:
   # -- Number of replicas for the UI service
   replicas: 1

diff --git a/pkg/orchestrator/config.go b/pkg/orchestrator/config.go
@@ -148,6 +148,8 @@ func LoadConfig() (*Config, error) {
 		providerKind = models.Docker
 	case strings.ToLower(string(models.External)):
 		providerKind = models.External
+	case strings.ToLower(string(models.Kubernetes)):
+		providerKind = models.Kubernetes
 	case strings.ToLower(string(models.AWS)):
 		fallthrough
 	default:

diff --git a/pkg/orchestrator/orchestrator.go b/pkg/orchestrator/orchestrator.go
@@ -34,6 +34,7 @@ import (
 	"github.com/openclarity/vmclarity/pkg/orchestrator/provider/docker"
 	"github.com/openclarity/vmclarity/pkg/orchestrator/provider/external"
 	"github.com/openclarity/vmclarity/pkg/orchestrator/provider/gcp"
+	"github.com/openclarity/vmclarity/pkg/orchestrator/provider/kubernetes"
 	"github.com/openclarity/vmclarity/pkg/orchestrator/scanconfigwatcher"
 	"github.com/openclarity/vmclarity/pkg/orchestrator/scanwatcher"
 	"github.com/openclarity/vmclarity/pkg/shared/backendclient"
@@ -137,6 +138,8 @@ func NewProvider(ctx context.Context, kind models.CloudProvider) (provider.Provi
 		return gcp.New(ctx)
 	case models.External:
 		return external.New(ctx)
+	case models.Kubernetes:
+		return kubernetes.New(ctx)
 	default:
 		return nil, fmt.Errorf("unsupported provider: %s", kind)
 	}

diff --git a/pkg/orchestrator/provider/kubernetes/config.go b/pkg/orchestrator/provider/kubernetes/config.go
@@ -0,0 +1,50 @@
+// Copyright © 2023 Cisco Systems, Inc. and its affiliates.
+// All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package kubernetes
+
+import (
+	"fmt"
+
+	"github.com/spf13/viper"
+)
+
+const (
+	DefaultEnvPrefix = "VMCLARITY_KUBERNETES"
+)
+
+type Config struct {
+	// KubeConfig defines a path to a kubeconfig file to use to connect to
+	// the Kubernetes API
+	KubeConfig string `mapstructure:"kubeconfig"`
+}
+
+func NewConfig() (*Config, error) {
+	// Avoid modifying the global instance
+	v := viper.New()
+
+	v.SetEnvPrefix(DefaultEnvPrefix)
+	v.AllowEmptyEnv(true)
+	v.AutomaticEnv()
+
+	_ = v.BindEnv("kubeconfig")
+
+	config := &Config{}
+	if err := v.Unmarshal(config); err != nil {
+		return nil, fmt.Errorf("failed to parse provider configuration. Provider=Kubernetes: %w", err)
+	}
+
+	return config, nil
+}
diff --git a/pkg/orchestrator/provider/kubernetes/provider.go b/pkg/orchestrator/provider/kubernetes/provider.go
@@ -0,0 +1,87 @@
+// Copyright © 2023 Cisco Systems, Inc. and its affiliates.
+// All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package kubernetes
+
+import (
+	"context"
+	"fmt"
+
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+
+	"github.com/openclarity/vmclarity/api/models"
+	"github.com/openclarity/vmclarity/pkg/orchestrator/provider"
+)
+
+type Provider struct {
+	clientset kubernetes.Interface
+	config    *Config
+}
+
+var _ provider.Provider = &Provider{}
+
+func New(ctx context.Context) (provider.Provider, error) {
+	config, err := NewConfig()
+	if err != nil {
+		return nil, fmt.Errorf("invalid configuration: %w", err)
+	}
+
+	var clientConfig *rest.Config
+	if config.KubeConfig == "" {
+		// If KubeConfig config option not set, assume we're running
+		// incluster.
+		clientConfig, err = rest.InClusterConfig()
+		if err != nil {
+			return nil, fmt.Errorf("unable to load in-cluster client configuration: %w", err)
+		}
+	} else {
+		cc, err := clientcmd.LoadFromFile(config.KubeConfig)
+		if err != nil {
+			return nil, fmt.Errorf("unable to load kubeconfig from %s: %w", config.KubeConfig, err)
+		}
+		clientConfig, err = clientcmd.NewNonInteractiveClientConfig(*cc, "", &clientcmd.ConfigOverrides{}, nil).ClientConfig()
+		if err != nil {
+			return nil, fmt.Errorf("unable to create client configuration from the provided kubeconfig file: %w", err)
+		}
+	}
+
+	clientset, err := kubernetes.NewForConfig(clientConfig)
+	if err != nil {
+		return nil, fmt.Errorf("unable to create kubernetes clientset: %w", err)
+	}
+
+	return &Provider{
+		clientset: clientset,
+		config:    config,
+	}, nil
+}
+
+func (p *Provider) Kind() models.CloudProvider {
+	return models.Kubernetes
+}
+
+func (p *Provider) DiscoverAssets(ctx context.Context) ([]models.AssetType, error) {
+	return nil, fmt.Errorf("not implemented")
+}
+
+func (p *Provider) RunAssetScan(context.Context, *provider.ScanJobConfig) error {
+	return fmt.Errorf("not implemented")
+}
+
+func (p *Provider) RemoveAssetScan(context.Context, *provider.ScanJobConfig) error {
+	return fmt.Errorf("not implemented")
+}
diff --git a/pkg/uibackend/api/models/models.gen.go b/pkg/uibackend/api/models/models.gen.go
diff --git a/pkg/uibackend/api/openapi.yaml b/pkg/uibackend/api/openapi.yaml
@@ -493,6 +493,8 @@ components:
         - 'GCP Instance'
         - 'Docker Instance'
         - 'External Instance'
+        - 'Container'
+        - 'Container Image'
 
   responses:
     UnknownError:

diff --git a/pkg/uibackend/api/server/server.gen.go b/pkg/uibackend/api/server/server.gen.go