Skip to content

feat: add support any kinds for policy checks #2693

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 24 commits into
base: main
Choose a base branch
from
Open

feat: add support any kinds for policy checks #2693

wants to merge 24 commits into from

Conversation

afdesk
Copy link
Contributor

@afdesk afdesk commented Aug 6, 2025
edited
Loading

Description

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

simar7
simar7 reviewed Aug 7, 2025
View reviewed changes
simar7
simar7 reviewed Aug 7, 2025
View reviewed changes
pkg/operator/etc/config.go
@@ -54,7 +54,7 @@ type Config struct {
WebhookBroadcastTimeout *time.Duration `env:"OPERATOR_WEBHOOK_BROADCAST_TIMEOUT" envDefault:"30s"`
WebhookBroadcastCustomHeaders string `env:"OPERATOR_WEBHOOK_BROADCAST_CUSTOM_HEADERS"`
WebhookSendDeletedReports bool `env:"OPERATOR_SEND_DELETED_REPORTS" envDefault:"false"`
TargetWorkloads string `env:"OPERATOR_TARGET_WORKLOADS" envDefault:"Pod,ReplicaSet,ReplicationController,StatefulSet,DaemonSet,CronJob,Job"`
TargetWorkloads string `env:"OPERATOR_TARGET_WORKLOADS" envDefault:"Pod,ReplicaSet,ReplicationController,StatefulSet,DaemonSet,CronJob,Job,PersistentVolume"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this is configurable today, why can't the user scan them now? I must be missing something.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it was impossible because specific Kind values were hard-coded in multiple places.
When the actual type didn’t match one of those hard-coded cases, the code returned an error.
for example:
https://github.com/aquasecurity/trivy-operator/blob/main/pkg/kube/object.go#L204-L237
https://github.com/aquasecurity/trivy-operator/blob/main/pkg/kube/object.go#L336-L385
and other

@simar7
Copy link
Member

simar7 commented Aug 7, 2025

Just thinking out loud how to test this change: As part of our integration tests, we can specify the new PV resource and have it get scanned and create reports based on that. WDYT?

@simar7
Copy link
Member

simar7 commented Aug 7, 2025
edited
Loading

Another point about testing, I added perf support on a feature branch (to enable profiling) but I think I'll enhance it by adding support for it to be enabled with a configuration option. That we the performance team can test this branch to see if there's a big performance overhead or not.

I updated that PR here #2666

afdesk added 17 commits August 19, 2025 12:08
@afdesk
Merge branch 'main' of github.com:afdesk/trivy-operator into feat/cus…
d8a81cc 
…tom-resources
@afdesk
fix: use a correct package for slices
acdb9db
@afdesk
refactor: improve kind selection
ab3a423
@afdesk
feat: add namespaced resource detection
56d3c0f
@afdesk
refactor: use scopeResolver to detect cluster-scope resources
344da7e
@afdesk
test: remove deprecared use-case
df7042a
@afdesk
refactor: rename a variable
dfae3da
@afdesk
Merge branch 'main' of github.com:afdesk/trivy-operator into feat/cus…
532d6ad 
…tom-resources
@afdesk
chore: create reconcilers for every resource
f08123f
@afdesk
refactor: integrate k8s scope resolver into object resolver
6b3047b
@afdesk
refactor: integrate k8s scope resolve into NewObjectResolver
15c4ab9
@afdesk
fix: don't add Ingress for every workloads
884c7fc
@afdesk
refactor: use prepare method for GVK
01af588
@afdesk
test: add unit-tests for K8sScopeResolver
97223be
@afdesk
fix: linter error
5eb2097
@afdesk
test: add integration test cases for PV and PVC
37dd96d
@afdesk
chore: update GetTargetWorkloads
445eae3
@afdesk
Copy link
Contributor Author

afdesk commented Aug 25, 2025

Just thinking out loud how to test this change: As part of our integration tests, we can specify the new PV resource and have it get scanned and create reports based on that. WDYT?

tried to add it here 37dd96d

@afdesk afdesk marked this pull request as ready for review August 25, 2025 18:32
@afdesk afdesk requested a review from Copilot August 25, 2025 18:35
Copilot
Copilot AI reviewed Aug 25, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds support for any kinds of resources in policy checks by implementing a new scope resolution system. It removes hardcoded resource type validation and introduces dynamic resource discovery based on the Kubernetes scheme.

  • Introduces a new K8sScope resolver for dynamic scope detection of Kubernetes resources
  • Replaces hardcoded resource lists with dynamic resource discovery in controllers
  • Adds support for PersistentVolume and PersistentVolumeClaim resources in configuration audits

Reviewed Changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
pkg/kube/scope.go New scope resolver implementation for dynamic resource scope detection
pkg/kube/scope_test.go Comprehensive tests for the new scope resolver functionality
pkg/kube/object.go Major refactoring to support dynamic resource discovery and remove hardcoded validations
pkg/kube/object_test.go Updated tests to use new scope resolver instead of deprecated functions
pkg/configauditreport/controller/resource.go Updated to use dynamic resource discovery instead of hardcoded resource lists
pkg/configauditreport/controller/policyconfig.go Simplified resource setup using new dynamic discovery
pkg/utils/util.go Removed kind validation to allow any resource types
pkg/operator/etc/config.go Added PersistentVolume to default target workloads
tests/itest/trivy-operator/behavior/behavior.go Added integration tests for PV and PVC resources
tests/itest/trivy-operator/suite_test.go Updated test configuration to include PVC in target workloads

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

pkg/kube/object.go
@@ -202,11 +248,11 @@ func ObjectRefFromKindAndObjectKey(kind Kind, name client.ObjectKey) ObjectRef {
// adding it as the trivy-operator.LabelResourceSpecHash label to an instance of a
// security report.
func ComputeSpecHash(obj client.Object) (string, error) {
switch t := obj.(type) {
switch obj.(type) {
Copy link
Preview

Copilot AI Aug 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The variable t is declared but no longer used after the switch statement change. Consider removing the unused variable declaration.

Copilot uses AI. Check for mistakes.

pkg/operator/etc/config.go
@@ -54,7 +54,7 @@ type Config struct {
WebhookBroadcastTimeout *time.Duration `env:"OPERATOR_WEBHOOK_BROADCAST_TIMEOUT" envDefault:"30s"`
WebhookBroadcastCustomHeaders string `env:"OPERATOR_WEBHOOK_BROADCAST_CUSTOM_HEADERS"`
WebhookSendDeletedReports bool `env:"OPERATOR_SEND_DELETED_REPORTS" envDefault:"false"`
TargetWorkloads string `env:"OPERATOR_TARGET_WORKLOADS" envDefault:"Pod,ReplicaSet,ReplicationController,StatefulSet,DaemonSet,CronJob,Job"`
TargetWorkloads string `env:"OPERATOR_TARGET_WORKLOADS" envDefault:"Pod,ReplicaSet,ReplicationController,StatefulSet,DaemonSet,CronJob,Job,PersistentVolume"`
Copy link
Preview

Copilot AI Aug 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding PersistentVolume to the default target workloads should also include PersistentVolumeClaim for consistency, as both are tested in the integration tests.

Suggested change
TargetWorkloads string `env:"OPERATOR_TARGET_WORKLOADS" envDefault:"Pod,ReplicaSet,ReplicationController,StatefulSet,DaemonSet,CronJob,Job,PersistentVolume"`
TargetWorkloads string `env:"OPERATOR_TARGET_WORKLOADS" envDefault:"Pod,ReplicaSet,ReplicationController,StatefulSet,DaemonSet,CronJob,Job,PersistentVolume,PersistentVolumeClaim"`

Copilot uses AI. Check for mistakes.

simar7
simar7 reviewed Aug 25, 2025
View reviewed changes
tests/itest/trivy-operator/behavior/behavior.go
@@ -456,6 +457,79 @@ func ConfigurationCheckerBehavior(inputs *Inputs) func() {
})

})

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we also add another case where we don't specify the scanning of a PVC but create one? In such a case the assertion should ensure that no report is generated.

Another case should be that we create a new resource (something other than what we support by default) it shouldn't generate any reports either.

@afdesk afdesk mentioned this pull request Aug 27, 2025
Closed
5 tasks
@afdesk afdesk added this to the v0.29.0 milestone Aug 27, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@simar7 simar7 simar7 left review comments

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
feature
Projects
None yet
Milestone
v0.29.0
Development

Successfully merging this pull request may close these issues.
2 participants
@afdesk @simar7