consider include/exclude ns in continuous scanning

matthyx · matthyx · commit 90da220657f5 · 2025-02-07T17:47:19.000+01:00
Signed-off-by: Matthias Bertschy &lt;matthias.bertschy@gmail.com&gt;
diff --git a/continuousscanning/service.go b/continuousscanning/service.go
@@ -3,6 +3,7 @@ package continuousscanning
 import (
 	"context"
 
+	"github.com/kubescape/operator/config"
 	"github.com/kubescape/operator/watcher"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/watch"
@@ -14,6 +15,7 @@ import (
 )
 
 type ContinuousScanningService struct {
+	cfg               config.IConfig
 	tl                TargetLoader
 	shutdownRequested chan struct{}
 	workDone          chan struct{}
@@ -44,6 +46,7 @@ func (s *ContinuousScanningService) listen(ctx context.Context) <-chan armoapi.C
 					"got event from channel",
 					helpers.Interface("event", e),
 				)
+				s.cfg.SkipNamespace(e.Object.(metav1.Object).GetNamespace())
 				out.Enqueue(e)
 			case <-shutdownCh:
 				return
@@ -100,12 +103,13 @@ func (s *ContinuousScanningService) Stop() {
 	<-s.workDone
 }
 
-func NewContinuousScanningService(client dynamic.Interface, tl TargetLoader, h ...EventHandler) *ContinuousScanningService {
+func NewContinuousScanningService(cfg config.IConfig, client dynamic.Interface, tl TargetLoader, h ...EventHandler) *ContinuousScanningService {
 	doneCh := make(chan struct{})
 	eventQueue := watcher.NewCooldownQueue()
 	workDone := make(chan struct{})
 
 	return &ContinuousScanningService{
+		cfg:               cfg,
 		tl:                tl,
 		k8sdynamic:        client,
 		shutdownRequested: doneCh,
diff --git a/continuousscanning/service_test.go b/continuousscanning/service_test.go
@@ -151,7 +151,8 @@ func TestAddEventHandler(t *testing.T) {
 			tl := NewTargetLoader(f)
 			// We use the spy handler later to verify if it's been called
 			spyH := &spyHandler{called: false, wg: resourcesCreatedWg, mx: &sync.RWMutex{}}
-			css := NewContinuousScanningService(dynClient, tl, spyH)
+			operatorConfig := config.NewOperatorConfig(config.CapabilitiesConfig{}, utilsmetadata.ClusterConfig{}, &beUtils.Credentials{}, "", config.Config{Namespace: "kubescape"})
+			css := NewContinuousScanningService(operatorConfig, dynClient, tl, spyH)
 			css.Launch(ctx)
 
 			// Create Pods to be listened
@@ -264,7 +265,7 @@ func TestContinuousScanningService(t *testing.T) {
 			triggeringHandler := NewTriggeringHandler(wp, operatorConfig)
 			stubFetcher := &stubFetcher{podMatchRules}
 			loader := NewTargetLoader(stubFetcher)
-			css := NewContinuousScanningService(dynClient, loader, triggeringHandler)
+			css := NewContinuousScanningService(operatorConfig, dynClient, loader, triggeringHandler)
 			css.Launch(ctx)
 
 			// Create Pods to be listened
diff --git a/continuousscanning/watchbuilder.go b/continuousscanning/watchbuilder.go
@@ -17,7 +17,7 @@ func NewDynamicWatch(ctx context.Context, client dynamic.Interface, gvr schema.G
 	var w watch.Interface
 	var err error
 	if k8sinterface.IsNamespaceScope(&gvr) {
-		w, err = client.Resource(gvr).Namespace("").Watch(ctx, opts) // TODO support ExcludeNamespaces and IncludeNamespaces
+		w, err = client.Resource(gvr).Namespace("").Watch(ctx, opts)
 	} else {
 		w, err = client.Resource(gvr).Watch(ctx, opts)
 	}
diff --git a/mainhandler/handlerequests.go b/mainhandler/handlerequests.go
@@ -133,7 +133,7 @@ func (mainHandler *MainHandler) SetupContinuousScanning(ctx context.Context) err
 	loader := cs.NewTargetLoader(fetcher)
 
 	dynClient := mainHandler.k8sAPI.DynamicClient
-	svc := cs.NewContinuousScanningService(dynClient, loader, triggeringHandler, deletingHandler)
+	svc := cs.NewContinuousScanningService(mainHandler.config, dynClient, loader, triggeringHandler, deletingHandler)
 	svc.Launch(ctx)
 
 	return nil

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ func NewDynamicWatch(ctx context.Context, client dynamic.Interface, gvr schema.G`
`17`	`17`	`var w watch.Interface`
`18`	`18`	`var err error`
`19`	`19`	`if k8sinterface.IsNamespaceScope(&gvr) {`
`20`		`- w, err = client.Resource(gvr).Namespace("").Watch(ctx, opts) // TODO support ExcludeNamespaces and IncludeNamespaces`
	`20`	`+ w, err = client.Resource(gvr).Namespace("").Watch(ctx, opts)`
`21`	`21`	`} else {`
`22`	`22`	`w, err = client.Resource(gvr).Watch(ctx, opts)`
`23`	`23`	`}`