eraser-dev · inFocus7 · Sep 3, 2023 · Nov 29, 2023 · Nov 29, 2023 · Dec 2, 2023
@@ -75,6 +75,7 @@ const (
 	oneDay  = unversioned.Duration(time.Hour * 24)
 )
 
+// TODO - add defaults for gathering/scanning/removing Pinned images
 func Default() *unversioned.EraserConfig {
 	return &unversioned.EraserConfig{
 		Manager: unversioned.ManagerConfig{

@@ -25,6 +25,7 @@ type Image struct {
 	ImageID string   `json:"image_id"`
 	Names   []string `json:"names,omitempty"`
 	Digests []string `json:"digests,omitempty"`
+	Pinned  bool     `json:"pinned,omitempty"`
 }
 
 // EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!

@@ -308,10 +308,12 @@ func (r *Reconciler) createImageJob(ctx context.Context) (ctrl.Result, error) {
 		fmt.Sprintf("--pprof-port=%d", profileConfig.Port),
 	}
 
-	collArgs := []string{"--scan-disabled=" + strconv.FormatBool(scanDisabled)}
+	// todo implement the config for this
+	collArgs := []string{"--scan-disabled=" + strconv.FormatBool(scanDisabled), "--scan-pinned=" + strconv.FormatBool(scanCfg.ScanPinned)}
 	collArgs = append(collArgs, profileArgs...)
 
-	removerArgs := []string{"--log-level=" + logger.GetLevel()}
+	// todo implement the config for this
+	removerArgs := []string{"--log-level=" + logger.GetLevel(), "--remove-pinned=" + strconv.FormatBool(eraserCfg.RemovePinned)}
 	removerArgs = append(removerArgs, profileArgs...)
 
 	pullSecrets := []corev1.LocalObjectReference{}

@@ -151,6 +151,7 @@ replace (
 	k8s.io/component-helpers => k8s.io/component-helpers v0.26.11
 	k8s.io/controller-manager => k8s.io/controller-manager v0.26.11
 	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.26.11
+	k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.26.11
 	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.26.11
 	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.26.11
 	k8s.io/kube-proxy => k8s.io/kube-proxy v0.26.11

@@ -23,6 +23,7 @@ var (
 	enableProfile = flag.Bool("enable-pprof", false, "enable pprof profiling")
 	profilePort   = flag.Int("pprof-port", 6060, "port for pprof profiling. defaulted to 6060 if unspecified")
 	scanDisabled  = flag.Bool("scan-disabled", false, "boolean for if scanner container is disabled")
+	scanPinned    = flag.Bool("scan-pinned", false, "boolean for if scanner container should scan pinned images")
 
 	// Timeout  of connecting to server (default: 5m).
 	timeout  = 5 * time.Minute
@@ -80,6 +81,11 @@ func main() {
 	}
 	log.Info("images collected", "finalImages:", finalImages)
 
+	if !(*scanPinned) {
+		log.Info("skipping scanning pinned images")
+		finalImages = util.RemovePinnedImages(finalImages)
+	}
+
 	data, err := json.Marshal(finalImages)
 	if err != nil {
 		log.Error(err, "failed to encode finalImages")

@@ -28,6 +28,7 @@ func getImages(c cri.Collector) ([]unversioned.Image, error) {
 		newImg := unversioned.Image{
 			ImageID: img.Id,
 			Names:   repoTags,
+			Pinned:  img.Pinned,
 		}
 
 		digests, errs := util.ProcessRepoDigests(img.RepoDigests)
@@ -71,6 +72,7 @@ func getImages(c cri.Collector) ([]unversioned.Image, error) {
 			ImageID: imageID,
 			Names:   img.Names,
 			Digests: img.Digests,
+			Pinned:  img.Pinned,
 		}
 
 		if !util.IsExcluded(excluded, currImage.ImageID, idToImageMap) {

@@ -8,7 +8,7 @@ import (
 	util "github.com/eraser-dev/eraser/pkg/utils"
 )
 
-func removeImages(c cri.Remover, targetImages []string) (int, error) {
+func removeImages(c cri.Remover, removePinned bool, targetImages []string) (int, error) {
 	removed := 0
 
 	backgroundContext, cancel := context.WithTimeout(context.Background(), timeout)
@@ -30,6 +30,7 @@ func removeImages(c cri.Remover, targetImages []string) (int, error) {
 		newImg := unversioned.Image{
 			ImageID: img.Id,
 			Names:   repoTags,
+			Pinned:  img.Pinned,
 		}
 
 		digests, errs := util.ProcessRepoDigests(img.RepoDigests)
@@ -75,6 +76,12 @@ func removeImages(c cri.Remover, targetImages []string) (int, error) {
 				continue
 			}
 
+			// TODO - figure out why is imgDigestOrTag used instead of imageID when it's called "idToImageMap" (copied usage from isExcluded).
+			if !removePinned && util.IsPinned(imageID, idToImageMap) {
+				log.Info("image is kept due to being pinned", "given", imgDigestOrTag, "imageID", imageID, "name", idToImageMap[imageID])
+				continue
+			}
+
 			err = c.DeleteImage(backgroundContext, imageID)
 			if err != nil {
 				log.Error(err, "error removing image", "given", imgDigestOrTag, "imageID", imageID, "name", idToImageMap[imageID])
@@ -108,6 +115,11 @@ func removeImages(c cri.Remover, targetImages []string) (int, error) {
 				continue
 			}
 
+			if !removePinned && util.IsPinned(imageID, idToImageMap) {
+				log.Info("image is kept due to being pinned", "imageID", imageID, "name", idToImageMap[imageID])
+				continue
+			}
+
 			if err := c.DeleteImage(backgroundContext, imageID); err != nil {
 				success = false
 				log.Error(err, "error removing image", "imageID", imageID, "name", idToImageMap[imageID])

@@ -30,6 +30,7 @@ var (
 	imageListPtr  = flag.String("imagelist", "", "name of ImageList")
 	enableProfile = flag.Bool("enable-pprof", false, "enable pprof profiling")
 	profilePort   = flag.Int("pprof-port", 6060, "port for pprof profiling. defaulted to 6060 if unspecified")
+	removePinned  = flag.Bool("remove-pinned", false, "skip over pinned images when removing")
 
 	// Timeout  of connecting to server (default: 5m).
 	timeout  = 5 * time.Minute
@@ -130,7 +131,8 @@ func main() {
 		log.Info("no images to exclude")
 	}
 
-	removed, err := removeImages(client, imagelist)
+	// we pass in the removePinned flag to removeImages, because as of now we just have a list of imageIDs, and we don't know if they are pinned or not
+	removed, err := removeImages(client, *removePinned, imagelist)
 	if err != nil {
 		log.Error(err, "failed to remove images")
 		os.Exit(generalErr)

@@ -124,6 +124,7 @@ func main() {
 		log.Info("Failed", "Images", failedImages)
 	}
 
+	// send to eraser?
 	err = provider.SendImages(vulnerableImages, failedImages)
 	if err != nil {
 		log.Error(err, "unable to write images")

@@ -178,6 +178,10 @@ func GetNonRunningImages(runningImages map[string]string, allImages []unversione
 	return nonRunningImages
 }
 
+func IsPinned(img string, idToImageMap map[string]unversioned.Image) bool {
+	return idToImageMap[img].Pinned
+}
+
 func IsExcluded(excluded map[string]struct{}, img string, idToImageMap map[string]unversioned.Image) bool {
 	if len(excluded) == 0 {
 		return false
@@ -417,3 +421,13 @@ func ProcessRepoDigests(repoDigests []string) ([]string, []error) {
 
 	return digests, errs
 }
+
+func RemovePinnedImages(images []unversioned.Image) []unversioned.Image {
+	filteredImages := []unversioned.Image{}
+	for _, image := range images {
+		if !image.Pinned {
+			filteredImages = append(filteredImages, image)
+		}
+	}
+	return filteredImages
+}