controllers

package
v0.0.1-alpha.5 Latest
Warning

This package is not in the latest version of its module.

Published: Sep 24, 2020 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetImmediateOwnerReference

func GetImmediateOwnerReference(pod *corev1.Pod) kube.Object

GetImmediateOwnerReference returns the immediate owner of the specified Pod. For example, for a Pod controlled by a Deployment it will return the active ReplicaSet object, whereas for an unmanaged Pod the immediate owner is the Pod itself.

func HasContainersReadyCondition

func HasContainersReadyCondition(pod *corev1.Pod) bool

HasContainersReadyCondition iterates conditions of the specified Pod to check whether all containers in the Pod are ready.

func IsPodManagedByStarboardOperator

func IsPodManagedByStarboardOperator(pod *corev1.Pod) bool

IsPodManagedByStarboardOperator returns true if the specified Pod is managed by the Starboard Operator, false otherwise.

We define managed Pods as ones controlled by Jobs created by the Starboard Operator. They're labeled with `app.kubernetes.io/managed-by=starboard-operator`.

func SliceContainsString

func SliceContainsString(slice []string, value string) bool

SliceContainsString returns true if the specified slice of strings contains the given value, false otherwise.

Types

type JobReconciler

type JobReconciler struct {
	Config     etc.Operator
	Client     client.Client
	LogsReader *logs.Reader
	Log        logr.Logger
	Scheme     *runtime.Scheme
	Scanner    scanner.VulnerabilityScanner
	Store      reports.StoreInterface
}

func (*JobReconciler) GetPodControlledBy

func (r *JobReconciler) GetPodControlledBy(ctx context.Context, job *batchv1.Job) (*corev1.Pod, error)

func (*JobReconciler) Reconcile

func (r *JobReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error)

func (*JobReconciler) SetupWithManager

func (r *JobReconciler) SetupWithManager(mgr ctrl.Manager) error

type PodReconciler

type PodReconciler struct {
	Config  etc.Operator
	Client  client.Client
	Store   reports.StoreInterface
	Scanner scanner.VulnerabilityScanner
	Log     logr.Logger
	Scheme  *runtime.Scheme
}

func (*PodReconciler) IgnorePodInOperatorNamespace

func (r *PodReconciler) IgnorePodInOperatorNamespace(installMode etc.InstallMode, pod types.NamespacedName) bool

IgnorePodInOperatorNamespace determines whether to reconcile the specified Pod based on the given InstallMode. Returns true if the Pod should be ignored, false otherwise.

In the SingleNamespace install mode we're configuring Client cache to watch the operator namespace, in which the operator runs scan Jobs. However, we do not want to scan the workloads that might run in the operator namespace.

In the MultiNamespace install mode we're configuring Client cache to watch the operator namespace, in which the operator runs scan Jobs. However, we do not want to scan the workloads that might run in the operator namespace unless the operator namespace is added to the list of target namespaces.

func (*PodReconciler) Reconcile

func (r *PodReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error)

Reconcile resolves the actual state of the system against the desired state of the system. The desired state is that there is a vulnerability report associated with the controller managing the given Pod. Since the scanning is asynchronous, the desired state is also when there's a pending scan Job for the underlying workload.

As Kubernetes invokes the Reconcile() function multiple times throughout the lifecycle of a Pod, it is important that the implementation be idempotent to prevent the creation of duplicate scan Jobs or vulnerability reports.

The Reconcile function returns two objects which indicate whether or not Kubernetes should requeue the request.
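The namespace filtering and idempotency rules described above, as an added sketch in plain Go; it is not Starboard's code. The `Pod` and `State` types, the `multi` flag, the order of the checks and the returned strings are assumptions made for illustration; only the label key and value come from this page.

```go
package main

import "fmt"

// Simplified stand-ins (assumptions), not the Starboard or Kubernetes types.
type Pod struct {
	Namespace, Owner string // Owner is the immediate owner, e.g. a ReplicaSet
	Labels           map[string]string
}

// State is a hypothetical record of reports and pending scan Jobs per owner.
type State struct{ Reports, PendingJobs map[string]bool }

const managedBy = "app.kubernetes.io/managed-by" // label named on this page

// ignoreInOperatorNS models the two install modes described above: operator
// namespace Pods are skipped unless, in MultiNamespace mode, it is a target.
func ignoreInOperatorNS(multi bool, opNS string, targets []string, p Pod) bool {
	if p.Namespace != opNS {
		return false
	}
	for _, t := range targets {
		if multi && t == opNS {
			return false
		}
	}
	return true
}

// Reconcile returns the action taken; repeated calls converge on a no-op.
func Reconcile(s *State, multi bool, opNS string, targets []string, p Pod) string {
	key := p.Namespace + "/" + p.Owner
	switch {
	case ignoreInOperatorNS(multi, opNS, targets, p):
		return "ignore: operator namespace"
	case p.Labels[managedBy] == "starboard-operator":
		return "ignore: scan job pod" // never scan the scanner's own Pods
	case s.Reports[key] || s.PendingJobs[key]:
		return "noop: report exists or scan pending"
	}
	s.PendingJobs[key] = true // recorded so that a replayed request is a no-op
	return "create scan job"
}

func main() {
	s := &State{map[string]bool{}, map[string]bool{}}
	web := Pod{Namespace: "prod", Owner: "ReplicaSet/web"} // constructed sample
	fmt.Println(Reconcile(s, false, "starboard-operator", []string{"prod"}, web))
	fmt.Println(Reconcile(s, false, "starboard-operator", []string{"prod"}, web))
}
```

The managed-by check matters most when the operator namespace is itself a scan target: without it, each scan Job's Pod would trigger a further scan.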

func (*PodReconciler) SetupWithManager

func (r *PodReconciler) SetupWithManager(mgr ctrl.Manager) error
