feat: Configure namespaces and install modes (#34)

Signed-off-by: Daniel Pacak <[email protected]>

Author: danielpacak

README.md

@@ -17,10 +17,7 @@ a Kubernetes cluster - for example, initiating a vulnerability scan when a new p
    ```
 1. Define Custom Security Resources used by Starboard:
    ```
-   $ kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/master/kube/crd/vulnerabilityreports-crd.yaml \
-     -f https://raw.githubusercontent.com/aquasecurity/starboard/master/kube/crd/configauditreports-crd.yaml \
-     -f https://raw.githubusercontent.com/aquasecurity/starboard/master/kube/crd/ciskubebenchreports-crd.yaml \
-     -f https://raw.githubusercontent.com/aquasecurity/starboard/master/kube/crd/kubehunterreports-crd.yaml
+   $ kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/master/kube/crd/vulnerabilityreports-crd.yaml
    ```
 2. Create the `starboard-operator` Namespace:
    ```
@@ -44,11 +41,11 @@ a Kubernetes cluster - for example, initiating a vulnerability scan when a new p
 
 | Name                                    | Default              | Description |
 |-----------------------------------------|----------------------|-------------|
-| `OPERATOR_STARBOARD_NAMESPACE`          | `starboard-operator` | The default namespace for Starboard |
-| `OPERATOR_SUPERVISED_NAMESPACE`         | `default`            | The namespace watched by the operator |
+| `OPERATOR_NAMESPACE`                    | ``                   | The namespace the operator is running in. |
+| `OPERATOR_TARGET_NAMESPACE`             | ``                   | The namespace the operator should be watching for changes. This can be a comma separated list of names to watch multiple namespaces (e.g. `ns1,ns2`). |
 | `OPERATOR_SCAN_JOB_TIMEOUT`             | `5m`                 | The length of time to wait before giving up on a scan job |
 | `OPERATOR_SCANNER_TRIVY_ENABLED`        | `true`               | The flag to enable Trivy vulnerability scanner |
-| `OPERATOR_SCANNER_TRIVY_VERSION`        | `0.11.0`              | The version of Trivy to be used |
+| `OPERATOR_SCANNER_TRIVY_VERSION`        | `0.11.0`             | The version of Trivy to be used |
 | `OPERATOR_SCANNER_AQUA_CSP_ENABLED`     | `false`              | The flag to enable Aqua CSP vulnerability scanner |
 | `OPERATOR_SCANNER_AQUA_CSP_VERSION`     | `5.0`                | The version of Aqua CSP scannercli container image to be used |
 

cmd/operator/main.go

@@ -6,6 +6,8 @@ import (
 
 	"github.com/aquasecurity/starboard-operator/pkg/logs"
 	"k8s.io/client-go/kubernetes"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
 
 	"github.com/aquasecurity/starboard-operator/pkg/aqua"
 
@@ -46,7 +48,7 @@ var (
 
 var (
 	scheme   = runtime.NewScheme()
-	setupLog = ctrl.Log.WithName("setup")
+	setupLog = logf.Log.WithName("starboard-operator.main")
 )
 
 func init() {
@@ -59,36 +61,77 @@ func init() {
 func main() {
 	logf.SetLogger(zap.New())
 
-	ctrl.SetLogger(logf.Log.WithName("starboard-operator"))
 	if err := run(); err != nil {
 		setupLog.Error(err, "Unable to run manager")
 	}
 }
 
 func run() error {
-	config, err := etc.GetConfig()
+	setupLog.Info("Starting operator", "version", versionInfo)
+	config, err := etc.GetOperatorConfig()
 	if err != nil {
-		return err
+		return fmt.Errorf("getting operator config: %w", err)
 	}
 
-	kubernetesConfig := ctrl.GetConfigOrDie()
-	// TODO Do not use this client unless absolutely necessary. We should rely on the client constructed by the ctrl.NewManager()
-	kubernetesClientset, err := kubernetes.NewForConfig(kubernetesConfig)
+	// Validate configured namespaces
+	operatorNamespace, err := config.GetOperatorNamespace()
 	if err != nil {
-		return err
+		return fmt.Errorf("getting operator namespace: %w", err)
 	}
 
-	scanner, err := getEnabledScanner(config)
+	targetNamespaces, err := config.GetTargetNamespaces()
 	if err != nil {
-		return err
+		return fmt.Errorf("getting target namespaces: %w", err)
+	}
+
+	setupLog.Info("Resolving multitenancy support",
+		"operatorNamespace", operatorNamespace,
+		"targetNamespaces", targetNamespaces)
+
+	mode, err := etc.ResolveInstallMode(operatorNamespace, targetNamespaces)
+	if err != nil {
+		return fmt.Errorf("resolving install mode: %w", err)
 	}
+	setupLog.Info("Resolving install mode", "mode", mode)
 
-	mgr, err := ctrl.NewManager(kubernetesConfig, ctrl.Options{
+	// Set the default manager options.
+	options := manager.Options{
 		Scheme: scheme,
-	})
+	}
+
+	if len(targetNamespaces) == 1 {
+		// Add support for OwnNamespace and SingleNamespace set in STARBOARD_TARGET_NAMESPACE (e.g. ns1).
+		setupLog.Info("Constructing single-namespaced cache", "namespace", targetNamespaces[0])
+		options.Namespace = targetNamespaces[0]
+	} else {
+		// Add support for MultiNamespace set in STARBOARD_TARGET_NAMESPACE (e.g. ns1,ns2).
+		// Note that we may face performance issues when using this with a high number of namespaces.
+		// More: https://godoc.org/github.com/kubernetes-sigs/controller-runtime/pkg/cache#MultiNamespacedCacheBuilder
+		setupLog.Info("Constructing multi-namespaced cache", "namespaces", targetNamespaces)
+		options.Namespace = ""
+		options.NewCache = cache.MultiNamespacedCacheBuilder(targetNamespaces)
+	}
 
+	kubernetesConfig, err := ctrl.GetConfig()
 	if err != nil {
-		return fmt.Errorf("unable to start manager: %w", err)
+		return fmt.Errorf("getting kube client config: %w", err)
+	}
+
+	// The only reason we're using kubernetes.Clientset is that we need it to read Pod logs,
+	// which is not supported by the client returned by the ctrl.Manager.
+	kubernetesClientset, err := kubernetes.NewForConfig(kubernetesConfig)
+	if err != nil {
+		return fmt.Errorf("constructing kube client: %w", err)
+	}
+
+	mgr, err := ctrl.NewManager(kubernetesConfig, options)
+	if err != nil {
+		return fmt.Errorf("constructing controllers manager: %w", err)
+	}
+
+	scanner, err := getEnabledScanner(config)
+	if err != nil {
+		return err
 	}
 
 	store := reports.NewStore(mgr.GetClient(), scheme)
@@ -98,7 +141,7 @@ func run() error {
 		Client:  mgr.GetClient(),
 		Store:   store,
 		Scanner: scanner,
-		Log:     ctrl.Log.WithName("controllers").WithName("pod"),
+		Log:     ctrl.Log.WithName("controller").WithName("pods"),
 		Scheme:  mgr.GetScheme(),
 	}).SetupWithManager(mgr); err != nil {
 		return fmt.Errorf("unable to create pod controller: %w", err)
@@ -110,15 +153,15 @@ func run() error {
 		Client:     mgr.GetClient(),
 		Store:      store,
 		Scanner:    scanner,
-		Log:        ctrl.Log.WithName("controllers").WithName("job"),
+		Log:        ctrl.Log.WithName("controller").WithName("scan-jobs"),
 		Scheme:     mgr.GetScheme(),
 	}).SetupWithManager(mgr); err != nil {
 		return fmt.Errorf("unable to create job controller: %w", err)
 	}
 
-	setupLog.Info("starting manager")
+	setupLog.Info("Starting controllers manager")
 	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
-		return fmt.Errorf("problem running manager: %w", err)
+		return fmt.Errorf("starting controllers manager: %w", err)
 	}
 
 	return nil

pkg/controllers/job_controller.go

@@ -37,7 +37,7 @@ type JobReconciler struct {
 func (r *JobReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 	ctx := context.Background()
 	log := r.Log.WithValues("job", req.NamespacedName)
-	if req.Namespace != r.Config.StarboardNamespace {
+	if req.Namespace != r.Config.Namespace {
 		return ctrl.Result{}, nil
 	}
 

pkg/controllers/pod_controller.go

@@ -45,7 +45,7 @@ type PodReconciler struct {
 func (r *PodReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 	ctx := context.Background()
 
-	if r.Config.StarboardNamespace == req.Namespace {
+	if r.Config.Namespace == req.Namespace {
 		return ctrl.Result{}, nil
 	}
 
@@ -120,7 +120,7 @@ func (r *PodReconciler) ensureScanJob(ctx context.Context, owner kube.Object, p
 		kube.LabelResourceNamespace: p.Namespace,
 		kube.LabelResourceKind:      string(owner.Kind),
 		kube.LabelResourceName:      owner.Name,
-	}, client.InNamespace(r.Config.StarboardNamespace))
+	}, client.InNamespace(r.Config.Namespace))
 	if err != nil {
 		return err
 	}
@@ -131,7 +131,7 @@ func (r *PodReconciler) ensureScanJob(ctx context.Context, owner kube.Object, p
 	}
 
 	scanJob, secret, err := r.Scanner.NewScanJob(owner, p.Spec, scanner.Options{
-		Namespace:          r.Config.StarboardNamespace,
+		Namespace:          r.Config.Namespace,
 		ServiceAccountName: r.Config.ServiceAccount,
 		ImageCredentials:   make(map[string]docker.Auth),
 		ScanJobTimeout:     r.Config.ScanJobTimeout,

pkg/etc/config.go

@@ -1,6 +1,9 @@
 package etc
 
 import (
+	"errors"
+	"fmt"
+	"strings"
 	"time"
 
 	"github.com/caarlos0/env/v6"
@@ -19,10 +22,10 @@ type Config struct {
 }
 
 type Operator struct {
-	StarboardNamespace  string        `env:"OPERATOR_STARBOARD_NAMESPACE" envDefault:"starboard-operator"`
-	SupervisedNamespace string        `env:"OPERATOR_SUPERVISED_NAMESPACE" envDefault:"default"`
-	ServiceAccount      string        `env:"OPERATOR_SERVICE_ACCOUNT" envDefault:"starboard-operator"`
-	ScanJobTimeout      time.Duration `env:"OPERATOR_SCAN_JOB_TIMEOUT" envDefault:"5m"`
+	Namespace       string        `env:"OPERATOR_NAMESPACE"`
+	TargetNamespace string        `env:"OPERATOR_TARGET_NAMESPACE"`
+	ServiceAccount  string        `env:"OPERATOR_SERVICE_ACCOUNT" envDefault:"starboard-operator"`
+	ScanJobTimeout  time.Duration `env:"OPERATOR_SCAN_JOB_TIMEOUT" envDefault:"5m"`
 }
 
 type ScannerTrivy struct {
@@ -38,8 +41,41 @@ type ScannerAquaCSP struct {
 	Password string `env:"OPERATOR_SCANNER_AQUA_CSP_PASSWORD"`
 }
 
-func GetConfig() (Config, error) {
+func GetOperatorConfig() (Config, error) {
 	var config Config
 	err := env.Parse(&config)
 	return config, err
 }
+
+// GetOperatorNamespace returns the namespace the operator should be running in.
+func (c Config) GetOperatorNamespace() (string, error) {
+	namespace := c.Operator.Namespace
+	if namespace != "" {
+		return namespace, nil
+	}
+	return "", fmt.Errorf("%s must be set", "OPERATOR_NAMESPACE")
+}
+
+// GetTargetNamespaces returns namespaces the operator should be watching for changes.
+func (c Config) GetTargetNamespaces() ([]string, error) {
+	namespace := c.Operator.TargetNamespace
+	if namespace != "" {
+		return strings.Split(namespace, ","), nil
+	}
+	return nil, fmt.Errorf("%s must be set", "OPERATOR_TARGET_NAMESPACE")
+}
+
+// ResolveInstallMode resolves install mode defined by Operator Lifecycle Manager.
+// We do that for debugging purposes.
+func ResolveInstallMode(operatorNamespace string, targetNamespaces []string) (string, error) {
+	if len(targetNamespaces) == 1 && operatorNamespace == targetNamespaces[0] {
+		return "OwnNamespace", nil
+	}
+	if len(targetNamespaces) == 1 && operatorNamespace != targetNamespaces[0] {
+		return "SingleNamespace", nil
+	}
+	if len(targetNamespaces) > 1 {
+		return "MultiNamespace", nil
+	}
+	return "", errors.New("unsupported install mode")
+}