Conversation
Skipping CI for Draft Pull Request.
Besides the style errors you're getting, this looks good to me!
The style errors are wrong in this case - I made the changes to avoid potential compatibility issues and the
Force-pushed from 615abd4 to 1398927
In 1398927 I addressed one of @md2119's comments from the Slack thread (point E).
proto/storage/node.proto (outdated)
| string node_name = 1; | ||
| google.protobuf.Timestamp scan_time = 2; | ||
| // Components represents a subset of the scannerV1.Components proto message containing only fields required for RHCOS node scanning |
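Review bot: the comment on `Components` says it is a subset of `scannerV1.Components` but does not say which fields were left out, so the "subset" claim cannot be checked at a glance; list the omitted fields here and state that both messages must be changed together, with the mirror comment on the Scanner side, otherwise the two definitions drift silently.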
Also put a comment in the Scanner proto that this field is related to scannerV1.Components and should be updated in pair.
| } | ||
| func makeComponentKey(component *scannerV1.RHELComponent) string { | ||
| func convertExecutables(exe []*scannerV1.Executable) []*storage.NodeInventory_Components_RHELComponent_Executable { |
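Review bot: both `convertExecutables(exe []*scannerV1.Executable)` and `makeComponentKey(component *scannerV1.RHELComponent)` take pointers straight out of a scanner message, so the slice, any element, or the component itself can be nil; return nil for a nil slice, skip nil elements, and read fields through the generated nil-safe getters (`e.GetPath()`, `e.GetRequiredFeatures()`, `component.GetName()` and friends) rather than `e.Path`, so one malformed inventory cannot panic the converting process.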
Make sure to use getters here to avoid nils
| Module: rhelc.Module, | ||
| Cpes: rc.CPEs, | ||
| Executables: rhelc.Executables, | ||
| Executables: convertExecutables(rhelc.Executables), |
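Review bot: `Cpes: rc.CPEs` reads a different receiver (`rc`) than the neighbouring `rhelc.Module` and `rhelc.Executables`; confirm it is the intended source. Since the whole literal is built from `rhelc`, populate it through the generated getters (`rhelc.GetModule()`, the CPE getter, `rhelc.GetExecutables()`) so a nil `rhelc` yields an empty component instead of a nil dereference, and make `convertExecutables` itself tolerate a nil slice, because `convertExecutables(rhelc.Executables)` is the only call site that will ever pass one.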
Make sure to use getters here to avoid nils
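The two "use getters" comments above concern the same failure mode: a converter that reads `e.Path` or `rhelc.Module` directly panics when the scanner hands over a nil slice element or a nil message. The block below is an added example, not code from this PR or from the StackRox repository. It stands in hand-written types for the generated `scannerV1` and `storage` messages (assumption: field names mirror the `RHELComponent` / `Executable` proto shown in the review; `required_features` and some scalar fields are omitted), reproduces the nil-safe `GetX()` behaviour that Go protobuf generation provides, and shows the direct-access converter panicking beside the getter-based one. The key format in `makeComponentKey`, the executable path `/usr/bin/vi` and the nil entries are assumptions and constructed sample input, not from the page.

```go
package main

import "strings"

// Stand-ins for the generated scannerV1 messages (assumption: names mirror the proto
// in the review). Go protobuf generation emits a nil-safe getter per field: GetX on a
// nil *T returns the zero value instead of panicking, which "use getters" relies on.
type Executable struct{ Path string }
type RHELComponent struct {
	Name, Namespace, Version, Arch, Module string
	Cpes                                   []string
	Executables                            []*Executable
}

func (m *Executable) GetPath() string                  { if m == nil { return "" }; return m.Path }
func (m *RHELComponent) GetName() string               { if m == nil { return "" }; return m.Name }
func (m *RHELComponent) GetNamespace() string          { if m == nil { return "" }; return m.Namespace }
func (m *RHELComponent) GetVersion() string            { if m == nil { return "" }; return m.Version }
func (m *RHELComponent) GetArch() string               { if m == nil { return "" }; return m.Arch }
func (m *RHELComponent) GetModule() string             { if m == nil { return "" }; return m.Module }
func (m *RHELComponent) GetCpes() []string             { if m == nil { return nil }; return m.Cpes }
func (m *RHELComponent) GetExecutables() []*Executable { if m == nil { return nil }; return m.Executables }

// Stand-ins for storage.NodeInventory_Components_RHELComponent and its Executable.
type StorageExecutable struct{ Path string }
type StorageRHELComponent struct {
	Name, Namespace, Version, Arch, Module string
	Cpes                                   []string
	Executables                            []*StorageExecutable
}

// convertExecutables is the hardened form: a nil slice stays nil, nil entries are dropped
// (an executable without a path is useless) and the read goes through the nil-safe getter.
func convertExecutables(exe []*Executable) []*StorageExecutable {
	if exe == nil {
		return nil
	}
	out := make([]*StorageExecutable, 0, len(exe))
	for _, e := range exe {
		if e == nil {
			continue
		}
		out = append(out, &StorageExecutable{Path: e.GetPath()})
	}
	return out
}

// convertExecutablesUnsafe is the pattern the review warns about: direct field access
// panics on the first nil element. The recover is only here so a test can observe it.
func convertExecutablesUnsafe(exe []*Executable) (out []*StorageExecutable, panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	for _, e := range exe {
		out = append(out, &StorageExecutable{Path: e.Path}) // nil e panics here
	}
	return out, false
}

// makeComponentKey builds a de-duplication key. Assumption: the PR does not show the real
// key format; namespace#name#version#arch is illustrative. A nil component yields "###".
func makeComponentKey(c *RHELComponent) string {
	return strings.Join([]string{c.GetNamespace(), c.GetName(), c.GetVersion(), c.GetArch()}, "#")
}

// convertRHELComponent is the struct literal from the review, written with getters.
func convertRHELComponent(c *RHELComponent) *StorageRHELComponent {
	if c == nil {
		return nil
	}
	return &StorageRHELComponent{
		Name: c.GetName(), Namespace: c.GetNamespace(), Version: c.GetVersion(),
		Arch: c.GetArch(), Module: c.GetModule(),
		Cpes:        append([]string(nil), c.GetCpes()...),
		Executables: convertExecutables(c.GetExecutables()),
	}
}

// sampleComponents is constructed input modelled on the vim-minimal and libsolv entries in
// the PR's API output; the executable path and the nil entries are added here to exercise
// the failure mode and do not come from the page.
func sampleComponents() []*RHELComponent {
	return []*RHELComponent{
		{Name: "vim-minimal", Namespace: "rhel:8", Version: "2:7.4.629-6.el8.x86_64", Arch: "x86_64", Module: "FakeMod",
			Cpes: []string{"cpe:/a:redhat:enterprise_linux:8::baseos"}, Executables: []*Executable{{Path: "/usr/bin/vi"}, nil}},
		{Name: "libsolv", Namespace: "rhel:8", Version: "0.7.7-1.el8.x86_64", Arch: "x86_64", Module: "FakeMod"},
		nil,
	}
}

func main() {
	_, panicked := convertExecutablesUnsafe(sampleComponents()[0].Executables)
	println("getter-based key:", makeComponentKey(sampleComponents()[0]), "direct access panicked:", panicked)
}
```

The design choice worth noting is the nil-slice / nil-element split: a nil `Executables` slice is preserved as nil so the storage message does not grow an empty repeated field that the original lacked, while a nil element is dropped rather than converted to an executable with an empty path.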
| storage.NamespaceMetadata namespace = 6; | ||
| storage.Secret secret = 7; | ||
| storage.Node node = 9; | ||
| storage.NodeInventory node_inventory = 25; |
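Review bot: `node_inventory = 25` jumps well past the neighbouring tags (6, 7, 9) inside the oneof, so the message's "Next tag" bookkeeping must be bumped to 26 in the same change. Because `reserved` statements are not permitted inside a oneof block, if this field is ever removed or moved the `reserved 25;` and `reserved "node_inventory";` have to go at message level, outside the oneof, so a later field cannot reuse tag 25 with a different type on the wire.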
Consider Next tag: 25. vs. leaving 26
Try reserving 25 outside of oneof
Less risky parts of this PR have been moved into a separate prefactor PR: #4392
| message RHELComponent { | ||
| int64 id = 1; | ||
| string name = 2; | ||
| string namespace = 3; | ||
| string version = 4; | ||
| string arch = 5; | ||
| string module = 6; | ||
| repeated string cpes = 7; | ||
| string added_by = 8; | ||
| message Executable { | ||
| string path = 1; | ||
| message FeatureNameVersion { | ||
| string name = 1; | ||
| string version = 2; | ||
| } | ||
| repeated FeatureNameVersion required_features = 2; | ||
| } | ||
| repeated Executable executables = 9; | ||
| } |
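Review bot: every component in the Testing Performed output below carries `id` 0, so `int64 id = 1` conveys nothing in this subset message; either document what it identifies or drop it. If `cpes` (tag 7) is replaced by `content_sets` as proposed for ROX-13794, reserve tag 7 and the name `cpes` rather than reassigning the number, because both are `repeated string` and serialized `Node` data already in the DB would otherwise decode the old CPE strings into the new field.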
As part of ROX-13794, we will not map CPEs in the node "inventorization" (aka scanning). Instead, we will return the content sets found in the O.S. installation. The CPE mapping will be performed by Central Scanner when matching vulnerabilities. Because of that, we need to replace `cpe` with `content_sets`. Two options:
1. Replace the `cpe` field in `RHELComponent` with `content_sets`.
2. Remove the `cpe` field and add a `content_sets` field to `Component`.
Option 2 exists because today we cannot determine precisely which content set each package came from, so we assume the package might have come from any of the content sets specified in the O.S. installation. This may be possible in the long future, so we might just use individual fields, just as we do with CPEs, especially considering the size is negligible.
CC @vikin91
@vikin91: The following tests failed, say
Converting this to draft, as this PR will be replaced by #4430 (or its descendants)
Closing in favor of #4483 and its descendants

Description
This PR changes the scope in which the `storage.NodeInventory` is treated as a standalone proto message.

Before this PR, `NodeInventory` was used as a standalone message between: Compliance -> Sensor -> Central.

After this PR is merged, it is: Compliance -> Sensor. Sensor is responsible for connecting the `NodeInventory` with `Node` (goal of #3892) and sending `Node` further to Central.

The newly added `NodeInventory` field will not be saved into the DB as a separate field or table, but it will be included in the serialized data in the DB. `NodeInventory` is meant to be used in the request to Scanner to scan the packages included in it. The reply from Scanner will be converted in Central into a `storage.NodeScan` that will be inserted into the DB the same way as the existing v1 node scan data (i.e., without any need for further refactoring, as the `NodeScan` message is already being used).

Currently, the API between Scanner and Central is unable to handle the `NodeInventory`; support for this will be added in separate PRs.

This PR handles the proto part for ROX-12943. The proper implementation of ROX-12943 will be done in a follow-up; see #3892.

Checklist

Checks that do not apply

Testing Performed

- `make proto-generated-srcs generated-srcs` and checked `central/graphql/resolvers/generated.go` for errors.
- Checked Central logs and saw that the `Node` with `NodeInventory` arrives.

Query Central HTTP API
The goal was to query the API to see how the data is provided by Central.
The inventory scanning was disabled in this test (for each inventory item, Scanner returned 0 vulns).

Query: `GET https://localhost:8443/v1/nodes/{clusterID}/{nodeID}`

Node contains v1 and v2 data (Scanner scans v1 only)

Call result

```json
{
  "id": "bf5bf7d4-2d77-4194-9ab5-570848c55777",
  "name": "colima-fake",
  "taints": [],
  "clusterId": "4b3f14e0-b7ce-461d-8a36-b8698ff51f15",
  "clusterName": "remote",
  "labels": { "fakeLabelsK": "fakeLabelsV" },
  "annotations": { "fakeAnnotationsK": "fakeAnnotationsV" },
  "joinedAt": "2023-01-06T15:33:45.324727501Z",
  "internalIpAddresses": [ "192.168.255.254" ],
  "externalIpAddresses": [ "10.10.255.254" ],
  "containerRuntimeVersion": "docker://20.10.18",
  "containerRuntime": { "type": "DOCKER_CONTAINER_RUNTIME", "version": "20.10.18" },
  "kernelVersion": "99.19.16",
  "operatingSystem": "Alpine Linux v3.16",
  "osImage": "RedHat CoreOS v99.66.33",
  "kubeletVersion": "v1.25.0+k3s1",
  "kubeProxyVersion": "v1.25.0+k3s1",
  "lastUpdated": "2023-01-06T15:33:45.561847530Z",
  "k8sUpdated": "2023-01-06T15:33:45.325838631Z",
  "nodeInventory": {
    "nodeName": "colima",
    "scanTime": "2023-01-06T15:33:45.324727501Z",
    "components": {
      "namespace": "Testme OS",
      "rhelComponents": [
        {
          "id": "0",
          "name": "vim-minimal",
          "namespace": "rhel:8",
          "version": "2:7.4.629-6.el8.x86_64",
          "arch": "x86_64",
          "module": "FakeMod",
          "cpes": [ "cpe:/a:redhat:enterprise_linux:8::baseos" ],
          "addedBy": "FakeLayer",
          "executables": []
        },
        {
          "id": "0",
          "name": "libsolv",
          "namespace": "rhel:8",
          "version": "0.7.7-1.el8.x86_64",
          "arch": "x86_64",
          "module": "FakeMod",
          "cpes": [],
          "addedBy": "FakeLayer",
          "executables": []
        }
      ]
    },
    "notes": [ "LANGUAGE_CVES_UNAVAILABLE" ]
  },
  ...
}
```

Node contains v1 data only

Call result

```json
{
  "id": "f723ae15-334c-4c1e-a38a-453f27eba5f1",
  "name": "colima",
  "taints": [],
  "clusterId": "4b3f14e0-b7ce-461d-8a36-b8698ff51f15",
  "clusterName": "remote",
  "labels": {...},
  "annotations": {...},
  "joinedAt": "2023-01-06T09:29:58Z",
  "internalIpAddresses": [ "192.168.5.15" ],
  "externalIpAddresses": [],
  "containerRuntimeVersion": "docker://20.10.20",
  "containerRuntime": { "type": "DOCKER_CONTAINER_RUNTIME", "version": "20.10.20" },
  "kernelVersion": "5.15.82-0-virt",
  "operatingSystem": "linux",
  "osImage": "Alpine Linux v3.16",
  "kubeletVersion": "v1.25.4+k3s1",
  "kubeProxyVersion": "v1.25.4+k3s1",
  "lastUpdated": "2023-01-06T14:16:11.495989645Z",
  "k8sUpdated": "2023-01-06T14:15:30.578707270Z",
  "nodeInventory": null,
  ...
}
```

Query Central GraphQL API

`POST https://localhost:8443/api/graphql`

GraphQL queries

Node contains v1 and v2 data (Scanner scans v1 only)

Call result

```json
{
  "data": {
    "node": {
      "id": "bf5bf7d4-2d77-4194-9ab5-570848c55777",
      "name": "colima-fake",
      "nodeInventory": {
        "nodeName": "colima",
        "scanTime": "2023-01-06T16:11:25.317593632Z",
        "notes": [ "LANGUAGE_CVES_UNAVAILABLE" ],
        "components": {
          "rhelComponents": [
            {
              "id": 0,
              "namespace": "rhel:8",
              "name": "vim-minimal",
              "version": "2:7.4.629-6.el8.x86_64",
              "arch": "x86_64",
              "cpes": [ "cpe:/a:redhat:enterprise_linux:8::baseos" ]
            },
            {
              "id": 0,
              "namespace": "rhel:8",
              "name": "libsolv",
              "version": "0.7.7-1.el8.x86_64",
              "arch": "x86_64",
              "cpes": []
            }
          ]
        }
      },
      "scan": {
        "scanTime": "2023-01-06T16:11:25.511172079Z",
        "nodeComponents": [
          { "id": "docker#20.10.18#", "name": "docker", "nodeVulnerabilityCount": 0 },
          { "id": "kernel#99.19.16#", "name": "kernel", "nodeVulnerabilityCount": 13 },
          { "id": "kubelet#v1.25.0+k3s1#", "name": "kubelet", "nodeVulnerabilityCount": 0 },
          { "id": "kube-proxy#v1.25.0+k3s1#", "name": "kube-proxy", "nodeVulnerabilityCount": 0 }
        ]
      }
    }
  }
}
```

Node contains v1 data only

Call result

```json
{
  "data": {
    "node": {
      "id": "f723ae15-334c-4c1e-a38a-453f27eba5f1",
      "name": "colima",
      "nodeInventory": null,
      "scan": {
        "scanTime": "2023-01-06T14:16:11.4924593Z",
        "nodeComponents": [
          { "id": "docker#20.10.20#", "name": "docker", "nodeVulnerabilityCount": 0 },
          { "id": "kernel#5.15.82-0-virt#", "name": "kernel", "nodeVulnerabilityCount": 181 },
          { "id": "kubelet#v1.25.4+k3s1#", "name": "kubelet", "nodeVulnerabilityCount": 0 },
          { "id": "kube-proxy#v1.25.4+k3s1#", "name": "kube-proxy", "nodeVulnerabilityCount": 0 }
        ]
      }
    }
  }
}
```