Documentation ¶
Index ¶
- func IsPodManagedByStarboardOperator(pod *corev1.Pod) bool
- func SliceContainsString(slice []string, value string) bool
- type PodController
- func (r *PodController) GetJobMetaFrom(owner kube.Object, hash string, spec corev1.PodSpec) (scanner.JobMeta, error)
- func (r *PodController) IgnorePodInOperatorNamespace(installMode etc.InstallMode, pod types.NamespacedName) bool
- func (r *PodController) Reconcile(req ctrl.Request) (ctrl.Result, error)
- func (r *PodController) SetupWithManager(mgr ctrl.Manager) error
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func IsPodManagedByStarboardOperator ¶
IsPodManagedByStarboardOperator returns true if the specified Pod is managed by the Starboard Operator, false otherwise.
We define managed Pods as ones controlled by Jobs created by the Starboard Operator. They're labeled with `app.kubernetes.io/managed-by=starboard-operator`.
func SliceContainsString ¶
SliceContainsString returns true if the specified slice of strings contains the given value, false otherwise.
Types ¶
type PodController ¶
type PodController struct {
	Config  etc.Operator
	Client  client.Client
	Store   reports.StoreInterface
	Scanner scanner.VulnerabilityScanner
	Scheme  *runtime.Scheme
}
func (*PodController) GetJobMetaFrom ¶
func (*PodController) IgnorePodInOperatorNamespace ¶
func (r *PodController) IgnorePodInOperatorNamespace(installMode etc.InstallMode, pod types.NamespacedName) bool
IgnorePodInOperatorNamespace determines whether to reconcile the specified Pod based on the given InstallMode or not. Returns true if the Pod should be ignored, false otherwise.
In the SingleNamespace install mode we're configuring Client cache to watch the operator namespace, in which the operator runs scan Jobs. However, we do not want to scan the workloads that might run in the operator namespace.
In the MultiNamespace install mode we're configuring Client cache to watch the operator namespace, in which the operator runs scan Jobs. However, we do not want to scan the workloads that might run in the operator namespace unless the operator namespace is added to the list of target namespaces.
func (*PodController) Reconcile ¶
Reconcile resolves the actual state of the system against the desired state of the system. The desired state is that there is a vulnerability report associated with the controller managing the given Pod. Since the scanning is asynchronous, the desired state is also when there's a pending scan Job for the underlying workload.
As Kubernetes invokes the Reconcile() function multiple times throughout the lifecycle of a Pod, it is important that the implementation be idempotent to prevent the creation of duplicate scan Jobs or vulnerability reports.
The Reconcile function returns two objects that indicate whether or not Kubernetes should requeue the request.
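The idempotency requirement described above, as an added sketch that is not the Starboard Operator's own code: an in-memory model in which repeated Reconcile calls for the same workload create exactly one scan Job, and a changed Pod spec triggers a new one. The `cluster` type, the `key` scheme (owner plus a SHA-256 hash of the image list) and the returned action strings are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// cluster is a hypothetical in-memory stand-in for the state Reconcile reads.
type cluster struct {
	reports map[string]bool // key -> vulnerability report already stored
	jobs    map[string]bool // key -> scan Job still pending
	created int             // scan Jobs created so far
}

// key identifies one scan by owning controller and Pod spec hash (assumed scheme).
func key(owner string, images []string) string {
	h := sha256.New()
	for _, img := range images {
		h.Write([]byte(img + "\x00"))
	}
	return owner + "/" + hex.EncodeToString(h.Sum(nil))[:12]
}

// reconcile creates a scan Job only when neither a report nor a pending Job exists.
func (c *cluster) reconcile(owner string, images []string) string {
	k := key(owner, images)
	switch {
	case c.reports[k]:
		return "report-exists"
	case c.jobs[k]:
		return "scan-pending"
	}
	c.jobs[k] = true
	c.created++
	return "job-created"
}

// completeScan models a finished Job: its report is stored and the Job is gone.
func (c *cluster) completeScan(owner string, images []string) {
	k := key(owner, images)
	delete(c.jobs, k)
	c.reports[k] = true
}

func main() {
	c := &cluster{reports: map[string]bool{}, jobs: map[string]bool{}}
	owner, images := "ReplicaSet/default/web", []string{"nginx:1.19"} // constructed sample
	fmt.Println(c.reconcile(owner, images), c.reconcile(owner, images), c.created)
}
```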
func (*PodController) SetupWithManager ¶
func (r *PodController) SetupWithManager(mgr ctrl.Manager) error