ROX-25797: Central Scanner v4 communication#12448
Conversation
|
Skipping CI for Draft Pull Request. |
|
Images are ready for the commit at 0626984. To use with deploy scripts, first |
Maddosaurus
force-pushed
the
mm/rox-24117-nindexv4-acs
branch
2 times, most recently
from
63de2e2 to
ab62d13
Compare
Maddosaurus
force-pushed
the
mm/rox-25797-enrich
branch
2 times, most recently
from
c689a03 to
b30f011
Compare
Maddosaurus
force-pushed
the
mm/rox-25797-enrich
branch
from
bbabdd3 to
3463190
Compare
Maddosaurus
force-pushed
the
mm/rox-25797-enrich
branch
from
5f4fc42 to
351fa1b
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #12448 +/- ##
==========================================
- Coverage 48.20% 48.15% -0.06%
==========================================
Files 2442 2446 +4
Lines 175662 176067 +405
==========================================
+ Hits 84671 84778 +107
- Misses 84170 84462 +292
- Partials 6821 6827 +6
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
Why is this important? |
vikin91
left a comment
vikin91
left a comment
There was a problem hiding this comment.
Looks really good with no major blockers. I still mark it ❌ as there are many tiny issues that must be looked at before we can merge this.
This is important because the Matcher intialization with VEX data is currently not well optimized. |
|
I think you might have forgotten to push few things. I unresolved some comments as the code does not contain the fixes for them. Ping me again when you check what has happened |
vikin91
left a comment
vikin91
left a comment
There was a problem hiding this comment.
This looks much better! I left few comments, but they are not blocking.
The two open things are:
- renaming of interfaces
- making sure the metrics for v4 are collected and the scanner version is indicated in the metrics.
I am fine if those two topics are addressed in a followup.
Please make the CI happy and test that in a deployed cluster. After that I can give it a final look and mark it ✅
vikin91
left a comment
vikin91
left a comment
There was a problem hiding this comment.
Looks good and can be merged if CI is happy. Good job!
# Conflicts: # pkg/scannerv4/mappers/mappers.go # scanner/enricher/fixedby/fixedby.go # scanner/enricher/nvd/nvd.go # scanner/enricher/nvd/nvd_test.go # scanner/updater/manual/manual.go
Move to latest master claircore Tidy dependencies Switch to uber gomock Fix import cycle, add key to sensor deduper
Make Scanner v4 known to NewWithCreator Set up default Scannerv4 to be Node Scanner Expand GetNodeInventoryScan to handle v4 IndexReports
# Conflicts: # generated/storage/node_integration_vtproto.pb.go
- Remove duplication between log messages and error wraps - Document static layer SHA - Remove TODO and keep shared max concurrent config for Node Index and Image Scans
Improve conditional readability Co-authored-by: Piotr Rygielski <114479+vikin91@users.noreply.github.com>
Maddosaurus
force-pushed
the
mm/rox-25797-enrich
branch
from
2d1b230 to
66a7a13
Compare
|
@Maddosaurus: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
| cr := report.CloneVT() | ||
|
|
||
| // Read the node from the database, if not found we fail. | ||
| node, found, err := p.nodeDatastore.GetNode(ctx, event.GetId()) |
There was a problem hiding this comment.
the node's ID is the same as the event ID? Is that allowed? Is it possible to set the Index Report's "HashID" to the node's ID instead?
| } | ||
|
|
||
| // Send the Node and Index Report to Scanner for enrichment | ||
| err = p.enricher.EnrichNodeWithInventory(node, nil, cr) |
There was a problem hiding this comment.
Perhaps for a followup: I'm thinking a separate function. We seem to replace Inventory with Index, so I'm thinking we should have a separate Index function, too. If underneath it stays the same, that's ok, as at least the interface would look a bit cleaner
|
|
||
| func NewNodeMatchSemaphoreWithValue(val int64) NodeMatchSemaphore { | ||
| return &nodeMatchSemaphoreImpl{ | ||
| NewSemaphoreWithValue(val), |
There was a problem hiding this comment.
nit: explicitly set ScanSemaphore: NewSemaphoreWithValue(val), so it's clear what this is doing
| // The Scanner endpoint requires a digest for each image layer before analyzing it - TODO(ROX-25614) | ||
| // As the Node contents are treated as one big image layer, they also need a bogus digest. | ||
| // This digest is taken from the test of the digest library we're using (go-containerregistry). | ||
| const mockDigest = "registry/repository@sha256:deadb33fdeadb33fdeadb33fdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f" |
There was a problem hiding this comment.
it's unfortunate this is required, but I get why you did it. If not handled differently in the future, can we at least update this to make it clear this is for nodes?
| nodeDigest, err := name.NewDigest(mockDigest) | ||
| if err != nil { | ||
| log.Errorf("Failed to parse digest from node %q: %v", node.GetName(), err) | ||
| } |
There was a problem hiding this comment.
since this is hardcoded, this can be put into an init() function or perhaps we ignore the error and just do this in a var block. No need to waste cycles recreating this every time this is called
| var ( | ||
| _ scannerTypes.Scanner = (*clairify)(nil) | ||
| _ scannerTypes.ImageVulnerabilityGetter = (*clairify)(nil) | ||
| _ scannerTypes.NodeScanner = (*clairify)(nil) |
There was a problem hiding this comment.
thanks for adding this 😃. I'm a fan of this, as it makes it clear (and will give us compilation errors once something deviates)
| @@ -26,13 +28,20 @@ type CVESuppressor interface { | |||
|
|
|||
| // New returns a new NodeEnricher for the given Prometheus metrics subsystem and the Clair node scanner creator. | |||
| func New(cves CVESuppressor, subsystem pkgMetrics.Subsystem) NodeEnricher { | |||
There was a problem hiding this comment.
how come this is all combined?
| } | ||
|
|
||
| if integration.GetType() == scannerTypes.ScannerV4 { | ||
| log.Debugf("Scanner v4 is not an orchestrator Scanner, exiting") |
| // Currently, only StackRox Scanner and Scanner v4 are supported node integrations. | ||
| // Assumes integration.GetCategories() includes storage.ImageIntegrationCategory_NODE_SCANNER. | ||
| func ImageIntegrationToNodeIntegration(integration *storage.ImageIntegration) (*storage.NodeIntegration, error) { | ||
| i := &storage.NodeIntegration{ |
There was a problem hiding this comment.
we should do this after the switch. No need to allocate space for this when we may just exit early in the default
| IntegrationConfig: &storage.NodeIntegration_Clairify{ | ||
| } | ||
|
|
||
| switch integration.GetType() { |
There was a problem hiding this comment.
It's probably (hopefully) unlikely, but I guess it's possible GetType and the type of the IntegrationConfig may not match. I'm thinking we can revert back to the check before (check for the config's type rather than this string type). We can do something like:
switch integration.GetIntegrationConfig().(type) {
case *v4.ImageIntegration_Clairify:
case *v4.ImageIntegration_ScannerV4:
}
5 participants
Description
This PR adds part of the Node Indexing on Scanner v4 feature.
The pipeline is not fully implemented, as a conversion function is missing. This will be introduced in a follow up PR (see
TODO(ROX-26089)comments in the code and #12798).The most important changes summarized:
The goal is to ensure that an incoming IndexReport that was generated by a Node will be matched by Scanner v4's Matcher.
The resulting VulnerabilityReport will be converted into a
storage.NodeScanand upserted tostorage.Nodein the aforementioned follow-up PR.User-facing documentation
CHANGELOG is updatedOR update is not neededdocumentation PR is created and is linked aboveOR is not neededTesting and quality
the change is production ready: the change is GA or otherwisethe functionality is gated by a feature flagAutomated testing
How I validated my change
Ensure an SSD StorageClass is the default StorageClass for the clusterto trueROX_SCANNER_V4=trueROX_NODE_INDEX_ENABLED=truefor the Collector DaemonSetROX_NODE_SCANNING_INTERVAL=45sandROX_NODE_SCANNING_MAX_INITIAL_WAIT=10sreceived node index report with %d packages from %d content sets for node %s(frompipeline.go)Received Vulnerability Report with %d vulnerabilities: %v(fromscannerv4.go)