Skip to content

ROX-33548: Avoid unnecessary image scan requests in k8s event webhook#19377

Merged
clickboo merged 1 commit intomasterfrom
boo-adm-ctrl-rox-33548
Mar 13, 2026
Merged

ROX-33548: Avoid unnecessary image scan requests in k8s event webhook#19377
clickboo merged 1 commit intomasterfrom
boo-adm-ctrl-rox-33548

Conversation

@clickboo
Copy link
Contributor

@clickboo clickboo commented Mar 11, 2026
edited
Loading

Description

This PR introduces a simple optimization to avoid unnecessary image fetch requests when evaluating k8s events policies.

It is noteworthy that the k8s events webhook is invoked only by user initiated commands, and hence is shielded from the burst resilience required in policy eval webhook. A simple optimization should hence do.

While here, renamed detectors and policies for both conciseness and specificity. Also, fixed an incorrect message header in the output.

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

Tested on openshift infra cluster with oc exec policy + latest image tag (slow path), and a simple oc debug policy (fast path). Operations were blocked as expected.

@openshift-ci
Copy link

openshift-ci bot commented Mar 11, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@clickboo clickboo changed the title Boo adm ctrl rox 33548 ROX-33548: Avoid unnecessary image scan requests in k8s event webhook Mar 11, 2026
@clickboo clickboo force-pushed the boo-adm-ctrl-rox-33548 branch from 300e983 to 5be7e45 Compare March 11, 2026 11:08
sourcery-ai[bot]
sourcery-ai bot reviewed Mar 11, 2026
View reviewed changes
Copy link
Contributor

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • The repeated len(s.slowPathDetector.PolicySet().GetCompiledPolicies()) == 0 checks in evaluatePodEvent and waitForDeploymentAndDetect are on a hot path; consider computing a simple hasDeployFieldPolicies flag in state during ProcessNewSettings and using that instead to avoid repeated policy set traversal and potential nil access issues.
  • In ProcessNewSettings, allK8sEventPolicySet uses detection.NewPolicySet() while the per-deploy-field sets use detection.NewPolicySet(nil, nil)—it would be clearer and less error-prone to make the constructor usage consistent across all three policy sets.
Prompt for AI Agents 
Please address the comments from this code review:

## Overall Comments
- The repeated `len(s.slowPathDetector.PolicySet().GetCompiledPolicies()) == 0` checks in `evaluatePodEvent` and `waitForDeploymentAndDetect` are on a hot path; consider computing a simple `hasDeployFieldPolicies` flag in `state` during `ProcessNewSettings` and using that instead to avoid repeated policy set traversal and potential nil access issues.
- In `ProcessNewSettings`, `allK8sEventPolicySet` uses `detection.NewPolicySet()` while the per-deploy-field sets use `detection.NewPolicySet(nil, nil)`—it would be clearer and less error-prone to make the constructor usage consistent across all three policy sets.
Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@clickboo clickboo force-pushed the boo-adm-ctrl-rox-33548 branch 2 times, most recently from 3694ffb to 191b5ca Compare March 11, 2026 12:43
@rhacs-bot
Copy link
Contributor

rhacs-bot commented Mar 11, 2026
edited
Loading

Images are ready for the commit at c764d9a.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-306-gc764d9a05f.

@codecov
Copy link

codecov bot commented Mar 11, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 0% with 37 lines in your changes missing coverage. Please review.
✅ Project coverage is 49.64%. Comparing base (1dbbbc1) to head (c764d9a).
⚠️ Report is 54 commits behind head on master.

Files with missing lines Patch % Lines
...nsor/admission-control/manager/evaluate_runtime.go 0.00% 21 Missing ⚠️
sensor/admission-control/manager/manager_impl.go 0.00% 15 Missing ⚠️
sensor/admission-control/manager/responses.go 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #19377      +/-   ##
==========================================
- Coverage   49.64%   49.64%   -0.01%     
==========================================
  Files        2698     2698              
  Lines      203132   203147      +15     
==========================================
  Hits       100855   100855              
- Misses      94751    94768      +17     
+ Partials     7526     7524       -2
Flag Coverage Δ
go-unit-tests 49.64% <0.00%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@clickboo clickboo force-pushed the boo-adm-ctrl-rox-33548 branch from 191b5ca to 7992c8a Compare March 11, 2026 15:45
@stackrox stackrox deleted a comment from openshift-ci bot Mar 11, 2026
@clickboo clickboo force-pushed the boo-adm-ctrl-rox-33548 branch from 7992c8a to b7db63b Compare March 11, 2026 18:01
@clickboo clickboo force-pushed the boo-adm-ctrl-rox-33548 branch from b7db63b to c764d9a Compare March 12, 2026 04:42
@clickboo
Copy link
Contributor Author

clickboo commented Mar 12, 2026

/test all

@stackrox stackrox deleted a comment from openshift-ci bot Mar 12, 2026
@clickboo clickboo marked this pull request as ready for review March 12, 2026 07:17
@clickboo clickboo requested a review from a team as a code owner March 12, 2026 07:17
sourcery-ai[bot]
sourcery-ai bot reviewed Mar 12, 2026
View reviewed changes
Copy link
Contributor

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • Consider capturing a simple boolean flag in state (e.g. hasDeployFieldPolicies) when building the policy sets instead of repeatedly checking len(s.slowPathDetector.PolicySet().GetCompiledPolicies()) == 0, which would simplify the fast/slow path branching and avoid multiple PolicySet traversals.
  • After renaming allRuntimePoliciesDetector to allK8sEventPoliciesDetector, the log message in shouldBypassRuntimeDetection still refers to a "Runtime policy matcher"; updating this wording to match the new naming would make logs clearer.
Prompt for AI Agents 
Please address the comments from this code review:

## Overall Comments
- Consider capturing a simple boolean flag in `state` (e.g. `hasDeployFieldPolicies`) when building the policy sets instead of repeatedly checking `len(s.slowPathDetector.PolicySet().GetCompiledPolicies()) == 0`, which would simplify the fast/slow path branching and avoid multiple PolicySet traversals.
- After renaming `allRuntimePoliciesDetector` to `allK8sEventPoliciesDetector`, the log message in `shouldBypassRuntimeDetection` still refers to a "Runtime policy matcher"; updating this wording to match the new naming would make logs clearer.
Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@clickboo clickboo requested a review from Stringy March 12, 2026 09:22
@clickboo clickboo merged commit d37b611 into master Mar 13, 2026
114 of 117 checks passed
@clickboo clickboo deleted the boo-adm-ctrl-rox-33548 branch March 13, 2026 05:39
@rhacs-bot
Copy link
Contributor

rhacs-bot commented Mar 18, 2026

The backport to release-4.10 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-release-4.10 release-4.10
# Navigate to the new working tree
cd .worktrees/backport-release-4.10
# Create a new branch
git switch --create backport-19377-to-release-4.10
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 d37b6110faee1714b2fcf2f0dd881b000be025e1
# Push it to GitHub
git push --set-upstream origin backport-19377-to-release-4.10
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-release-4.10

Then, create a pull request where the base branch is release-4.10 and the compare/head branch is backport-19377-to-release-4.10.

clickboo added a commit that referenced this pull request Mar 18, 2026
@clickboo
ROX-33548: Avoid unnecessary image scan requests in k8s event webhook (
69c38c6 
…#19377)

(cherry picked from commit d37b611)
@clickboo clickboo mentioned this pull request Mar 18, 2026
Open
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

@Stringy Stringy Stringy approved these changes

Assignees

No one assigned

Labels

ai-review area/admission-controller area/sensor backport release-4.10

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@clickboo @rhacs-bot @Stringy