UD-1190: Add support for plugin pod annotations and plugin service ac…

…count annotations Signed-off-by: Kevin Conner <[email protected]>
undistro · Feb 8, 2024 · cad9991 · cad9991
1 parent 6d08b71
commit cad9991
Show file tree

Hide file tree

Showing 12 changed files with 80 additions and 2 deletions.
diff --git a/api/zora/v1alpha1/plugin_types.go b/api/zora/v1alpha1/plugin_types.go
@@ -63,6 +63,10 @@ type PluginSpec struct {
 	// Cannot be updated.
 	Env []corev1.EnvVar `json:"env,omitempty"`
 
+	// Annotations to set in plugin and worker containers.
+	// Cannot be updated.
+	Annotations map[string]string `json:"annotations,omitempty"`
+
 	// Compute Resources required by this container.
 	// Cannot be updated.
 	// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

diff --git a/api/zora/v1alpha1/zz_generated.deepcopy.go b/api/zora/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/zora/README.md b/charts/zora/README.md
@@ -103,18 +103,22 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.vulnerability.plugins | list | `["trivy"]` | Vulnerability scanners plugins |
 | scan.worker.image.repository | string | `"ghcr.io/undistro/zora/worker"` | worker image repository |
 | scan.worker.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
+| scan.plugins.annotations.`<annotation-name>` | object | `"annotation value"` | Annotations to be added to the plugins service account |
 | scan.plugins.marvin.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `marvin` container |
 | scan.plugins.marvin.image.repository | string | `"ghcr.io/undistro/marvin"` | marvin plugin image repository |
 | scan.plugins.marvin.image.tag | string | `"v0.2.1"` | marvin plugin image tag |
+| scan.plugins.marvin.podAnnotations.`<annotation-name>` | object | `"annotation value"` | Annotations to be added to marvin plugin pods |
 | scan.plugins.trivy.ignoreUnfixed | bool | `false` | Specifies whether only fixed vulnerabilities should be reported |
 | scan.plugins.trivy.ignoreDescriptions | bool | `false` | Specifies whether vulnerability descriptions should be ignored |
 | scan.plugins.trivy.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `trivy` container |
 | scan.plugins.trivy.image.repository | string | `"ghcr.io/aquasecurity/trivy"` | trivy plugin image repository |
 | scan.plugins.trivy.image.tag | string | `"0.48.2"` | trivy plugin image tag |
+| scan.plugins.trivy.podAnnotations.`<annotation-name>` | object | `"annotation value"` | Annotations to be added to trivy plugin pods |
 | scan.plugins.popeye.skipInternalResources | bool | `false` | Specifies whether the following resources should be skipped by `popeye` scans. 1. resources from `kube-system`, `kube-public` and `kube-node-lease` namespaces; 2. kubernetes system reserved RBAC (prefixed with `system:`); 3. `kube-root-ca.crt` configmaps; 4. `default` namespace; 5. `default` serviceaccounts; 6. Helm secrets (prefixed with `sh.helm.release`); 7. Zora components. See `popeye` configuration file that is used for this case: https://github.com/undistro/zora/blob/main/charts/zora/templates/plugins/popeye-config.yaml |
 | scan.plugins.popeye.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `popeye` container |
 | scan.plugins.popeye.image.repository | string | `"ghcr.io/undistro/popeye"` | popeye plugin image repository |
 | scan.plugins.popeye.image.tag | string | `"pr252"` | popeye plugin image tag |
+| scan.plugins.popeye.podAnnotations.`<annotation-name>` | object | `"annotation value"` | Annotations to be added to popeye plugin pods |
 | kubexnsImage.repository | string | `"ghcr.io/undistro/kubexns"` | kubexns image repository |
 | kubexnsImage.tag | string | `"v0.1.2"` | kubexns image tag |
 | customChecksConfigMap | string | `"zora-custom-checks"` | Custom checks ConfigMap name |

diff --git a/charts/zora/crds/zora.undistro.io_plugins.yaml b/charts/zora/crds/zora.undistro.io_plugins.yaml
@@ -58,6 +58,12 @@ spec:
           spec:
             description: PluginSpec defines the desired state of Plugin
             properties:
+              annotations:
+                additionalProperties:
+                  type: string
+                description: Annotations to set in plugin and worker containers. Cannot
+                  be updated.
+                type: object
               args:
                 description: 'Arguments to the entrypoint. The docker image''s CMD
                   is used if this is not provided. Variable references $(VAR_NAME)

diff --git a/charts/zora/templates/operator/deployment.yaml b/charts/zora/templates/operator/deployment.yaml
@@ -74,6 +74,9 @@ spec:
             - --worker-image={{ printf "%s:%s" .Values.scan.worker.image.repository (.Values.scan.worker.image.tag | default .Chart.AppVersion) }}
             - --cronjob-clusterrolebinding-name=zora-plugins-rolebinding
             - --cronjob-serviceaccount-name=zora-plugins
+{{- if .Values.scan.plugins.annotations}}
+            - --cronjob-serviceaccount-annotations={{ $first := true }}{{- range $key, $value := .Values.scan.plugins.annotations }}{{if not $first}},{{else}}{{$first = false}}{{end}}{{ $key }}={{$value}}{{- end }}
+{{- end }}
             - --saas-workspace-id={{ .Values.saas.workspaceID }}
             - --saas-server={{ .Values.saas.server }}
             - --version={{ .Chart.Version }}

diff --git a/charts/zora/templates/plugins/marvin.yaml b/charts/zora/templates/plugins/marvin.yaml
@@ -30,6 +30,10 @@ spec:
     runAsNonRoot: true
     readOnlyRootFilesystem: true
     allowPrivilegeEscalation: false
+  {{- if .Values.scan.plugins.marvin.podAnnotations }}
+  annotations:
+    {{- toYaml .Values.scan.plugins.marvin.podAnnotations | nindent 4 }}
+  {{- end }}
   command:
     - /bin/sh
     - -c

diff --git a/charts/zora/templates/plugins/popeye.yaml b/charts/zora/templates/plugins/popeye.yaml
@@ -34,6 +34,9 @@ spec:
   securityContext:
     runAsNonRoot: true
     allowPrivilegeEscalation: false
+  annotations:
+    {{- toYaml .Values.scan.plugins.popeye.podAnnotations | nindent 4 }}
+  {{- end }}
   command:
     - /bin/sh
     - -c

diff --git a/charts/zora/templates/plugins/trivy.yaml b/charts/zora/templates/plugins/trivy.yaml
@@ -31,6 +31,10 @@ spec:
   env:
     - name: TRIVY_IGNORE_VULN_DESCRIPTIONS
       value: {{ .Values.scan.plugins.trivy.ignoreDescriptions | quote }}
+  {{- if .Values.scan.plugins.trivy.podAnnotations }}
+  annotations:
+    {{- toYaml .Values.scan.plugins.trivy.podAnnotations | nindent 4 }}
+  {{- end }}
   command:
     - /bin/sh
     - -c

diff --git a/cmd/main.go b/cmd/main.go
@@ -61,6 +61,7 @@ func main() {
 	var workerImage string
 	var cronJobClusterRoleBinding string
 	var cronJobServiceAccount string
+	var cronJobAnnotations string
 	var saasWorkspaceID string
 	var saasServer string
 	var version string
@@ -78,6 +79,7 @@ func main() {
 	flag.StringVar(&workerImage, "worker-image", "ghcr.io/undistro/zora/worker:latest", "Docker image name of Worker container")
 	flag.StringVar(&cronJobClusterRoleBinding, "cronjob-clusterrolebinding-name", "zora-plugins-rolebinding", "Name of ClusterRoleBinding to append CronJob ServiceAccounts")
 	flag.StringVar(&cronJobServiceAccount, "cronjob-serviceaccount-name", "zora-plugins", "Name of ServiceAccount to be configured, appended to ClusterRoleBinding and used by CronJobs")
+	flag.StringVar(&cronJobAnnotations, "cronjob-serviceaccount-annotations", "annotaion1=value1,annotation2=value2", "Annotations to be applied to the CronJob Service Account")
 	flag.StringVar(&saasWorkspaceID, "saas-workspace-id", "", "Your workspace ID in Zora SaaS")
 	flag.StringVar(&saasServer, "saas-server", "http://localhost:3003", "Address for Zora's saas server")
 	flag.StringVar(&version, "version", "0.8.0", "Zora version")
@@ -139,6 +141,11 @@ func main() {
 		os.Exit(1)
 	}
 
+	annotations, err := annotations(cronJobAnnotations)
+	if err != nil {
+		setupLog.Error(err, "unable to parse annotations")
+		os.Exit(1)
+	}
 	if err = (&zoracontroller.ClusterScanReconciler{
 		Client:                  mgr.GetClient(),
 		K8sClient:               kcli,
@@ -149,6 +156,7 @@ func main() {
 		WorkerImage:             workerImage,
 		ClusterRoleBindingName:  cronJobClusterRoleBinding,
 		ServiceAccountName:      cronJobServiceAccount,
+		Annotations:             annotations,
 		OnUpdate:                onClusterScanUpdate,
 		OnDelete:                onClusterScanDelete,
 		KubexnsImage:            kubexnsImage,
@@ -183,3 +191,21 @@ func main() {
 		os.Exit(1)
 	}
 }
+
+func annotations(cronJobAnnotations string) (map[string]string, error) {
+	cronJobAnnotations = strings.Trim(cronJobAnnotations, " ")
+	if len(cronJobAnnotations) == 0 {
+		return nil, nil
+	}
+	annotations := map[string]string{}
+	for _, annotation := range strings.Split(cronJobAnnotations, ",") {
+		index := strings.Index(annotation, "=")
+		if index == -1 || index == len(annotation) {
+			return nil, fmt.Errorf("Could not parse annotation %s", annotation)
+		}
+		key := annotation[:index]
+		value := annotation[index+1:]
+		annotations[key] = value
+	}
+	return annotations, nil
+}
diff --git a/config/crd/bases/zora.undistro.io_plugins.yaml b/config/crd/bases/zora.undistro.io_plugins.yaml
@@ -44,6 +44,12 @@ spec:
           spec:
             description: PluginSpec defines the desired state of Plugin
             properties:
+              annotations:
+                additionalProperties:
+                  type: string
+                description: Annotations to set in plugin and worker containers. Cannot
+                  be updated.
+                type: object
               args:
                 description: 'Arguments to the entrypoint. The docker image''s CMD
                   is used if this is not provided. Variable references $(VAR_NAME)

diff --git a/internal/controller/zora/clusterscan_controller.go b/internal/controller/zora/clusterscan_controller.go
@@ -63,6 +63,7 @@ type ClusterScanReconciler struct {
 	ServiceAccountName      string
 	KubexnsImage            string
 	ChecksConfigMap         string
+	Annotations             map[string]string
 	OnUpdate                saas.ClusterScanHook
 	OnDelete                saas.ClusterScanHook
 }
@@ -462,7 +463,7 @@ func (r *ClusterScanReconciler) applyRBAC(ctx context.Context, clusterscan *v1al
 		return err
 	}
 
-	sa := &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: r.ServiceAccountName, Namespace: clusterscan.Namespace}}
+	sa := &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: r.ServiceAccountName, Namespace: clusterscan.Namespace, Annotations: r.Annotations}}
 	res, err := ctrl.CreateOrUpdate(ctx, r.Client, sa, func() error {
 		return controllerutil.SetOwnerReference(clusterscan, sa, r.Scheme)
 	})

diff --git a/pkg/plugins/cronjob.go b/pkg/plugins/cronjob.go
@@ -115,7 +115,7 @@ func (r *CronJobMutator) Mutate() error {
 	r.Existing.Spec.JobTemplate.Spec.Template.Spec.RestartPolicy = corev1.RestartPolicyNever
 	r.Existing.Spec.JobTemplate.Spec.BackoffLimit = pointer.Int32(0)
 	r.Existing.Spec.JobTemplate.Spec.Template.Spec.ServiceAccountName = r.ServiceAccountName
-	r.Existing.Spec.JobTemplate.Spec.Template.Annotations = map[string]string{annotationDefaultContainer: r.Plugin.Name}
+	r.Existing.Spec.JobTemplate.Spec.Template.Annotations = r.annotations()
 	r.Existing.Spec.JobTemplate.Spec.Template.Spec.Volumes = []corev1.Volume{
 		{
 			Name:         resultsVolumeName,
@@ -320,3 +320,13 @@ func (r *CronJobMutator) workerEnv() []corev1.EnvVar {
 	)
 	return p
 }
+
+func (r *CronJobMutator) annotations() map[string]string {
+	annotations := map[string]string{}
+	for key, value := range r.Plugin.Spec.Annotations {
+		annotations[key] = value
+	}
+	annotations[annotationDefaultContainer] = r.Plugin.Name
+
+	return annotations
+}