Merged
4 changes: 4 additions & 0 deletions UPGRADING.md
Original file line number Diff line number Diff line change
Expand Up @@ -151,3 +151,7 @@ helm upgrade --install nmap secureCodeBox/nmap --set=cascadingRules.enabled=true

➡️ [Reference: #1347](https://github.com/secureCodeBox/secureCodeBox/pull/1347)


### Service Autodiscovery - Managed-by label assumed to be presented for all scans
Old versions of the operator did not set `app.kubernetes.io/managed-by` label. Starting with V4 the service autodiscovery will assume every scheduled scan created by the autodiscovery will have this label. This means that older scheduled scans without the label will not be detected by the service autodiscovery and new duplicate scheduled scans will be created. Old scheduled scans without the `app.kubernetes.io/managed-by` label must be deleted manually.
➡️ [Reference: #1349](https://github.com/secureCodeBox/secureCodeBox/pull/1349)
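Review bot: The new upgrade note tells operators that old scheduled scans "must be deleted manually" but gives no way to find them, so the closing sentence of the paragraph should include a lookup command. A label selector that requires an auto-discovery label and the absence of the new one would do, for example `kubectl get scheduledscans -A -l 'auto-discovery.securecodebox.io/target-service,!app.kubernetes.io/managed-by'`, which avoids matching scheduled scans that were never created by the autodiscovery. Two smaller points: the heading should read "assumed to be present" rather than "presented", and the paragraph has no blank line before the reference link, unlike the preceding section, so Markdown will render the link as part of the paragraph.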
Original file line number Diff line number Diff line change
Expand Up @@ -119,6 +119,7 @@ func (r *ServiceScanReconciler) Reconcile(ctx context.Context, req ctrl.Request)
versionedLabels := map[string]string{
"auto-discovery.securecodebox.io/target-service": service.Name,
"auto-discovery.securecodebox.io/target-port": fmt.Sprintf("%d", host.Port),
"app.kubernetes.io/managed-by": "securecodebox-autodiscovery",
}
for containerName, podDigest := range podDigests {
// The map should only contain one entry at this point. As the reconciler breaks (see containerDigestsAllMatch) if the services points to a list pods with different digests per container name
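Review bot: The added `"app.kubernetes.io/managed-by": "securecodebox-autodiscovery"` entry in `versionedLabels` is a bare string literal that now takes part in the lookup of existing scans, so a drifting or mistyped value would not fail loudly; it would make every existing scheduled scan look missing and cause duplicates. Suggest moving the key and value into named constants, and adding a reconciler test that covers both cases: a scheduled scan carrying the label is found and not recreated, and one without the label triggers the duplicate described in UPGRADING.md, so the breaking behaviour is pinned down rather than implied.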
Expand Down Expand Up @@ -155,8 +156,6 @@ func (r *ServiceScanReconciler) Reconcile(ctx context.Context, req ctrl.Request)
// service was never scanned
log.Info("Discovered new unscanned service, scanning it now", "service", service.Name, "namespace", service.Namespace)

// label is added after the initial query as it was added later and isn't guaranteed to be on every auto-discovery managed scan.
versionedLabels["app.kubernetes.io/managed-by"] = "securecodebox-autodiscovery"
versionedLabels = generateScanLabels(versionedLabels, r.Config.ServiceAutoDiscoveryConfig.ScanConfig, templateArgs)

// No scan for this pod digest yet. Scanning now
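Review bot: With the explicit assignment removed, the `managed-by` label on a new scan depends on `generateScanLabels(versionedLabels, r.Config.ServiceAutoDiscoveryConfig.ScanConfig, templateArgs)` returning it unchanged, and nothing visible in this hunk guarantees that. If labels from `ScanConfig` can override or drop `app.kubernetes.io/managed-by`, the created scan would not match the query built from `versionedLabels` on the next reconcile and a duplicate would be created each time. Please confirm that the versioned labels take precedence inside `generateScanLabels`, or reject that key in the configured labels, and leave a short comment here saying so.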