From 11f14b115c811ecbaa672e4f31ed049c29b7eebb Mon Sep 17 00:00:00 2001 From: Matthias Bertschy Date: Mon, 23 Sep 2024 16:47:16 +0200 Subject: [PATCH] use application profile instead of sbomp Signed-off-by: Matthias Bertschy --- admission/rulebinding/cache/cache.go | 28 +- go.mod | 113 +++---- go.sum | 275 +++++++++--------- main.go | 13 +- mainhandler/handlerequests.go | 16 +- mainhandler/vulnscan.go | 12 +- utils/types.go | 1 + utils/utils.go | 3 +- watcher/applicationprofilewatcher.go | 253 ++++++++++++++++ ...t.go => applicationprofilewatcher_test.go} | 264 ++++++----------- watcher/filteredsbomwatcher.go | 232 --------------- 11 files changed, 574 insertions(+), 636 deletions(-) create mode 100644 watcher/applicationprofilewatcher.go rename watcher/{filteredsbomwatcher_test.go => applicationprofilewatcher_test.go} (52%) delete mode 100644 watcher/filteredsbomwatcher.go diff --git a/admission/rulebinding/cache/cache.go b/admission/rulebinding/cache/cache.go index ef50e82..1b9d510 100644 --- a/admission/rulebinding/cache/cache.go +++ b/admission/rulebinding/cache/cache.go @@ -4,9 +4,9 @@ import ( "context" "strings" - "github.com/kubescape/node-agent/pkg/rulebindingmanager/types" typesv1 "github.com/kubescape/node-agent/pkg/rulebindingmanager/types/v1" "github.com/kubescape/node-agent/pkg/watcher" + "k8s.io/apimachinery/pkg/runtime" "github.com/kubescape/node-agent/pkg/k8sclient" @@ -119,12 +119,10 @@ func (c *RBCache) AddNotifier(n *chan rulebindingmanager.RuleBindingNotify) { // ------------------ watcher.Watcher methods ----------------------- -func (c *RBCache) AddHandler(ctx context.Context, obj *unstructured.Unstructured) { +func (c *RBCache) AddHandler(_ context.Context, obj runtime.Object) { var rbs []rulebindingmanager.RuleBindingNotify - - switch obj.GetKind() { - case types.RuntimeRuleBindingAlertKind: - ruleBinding, err := unstructuredToRuleBinding(obj) + if un, ok := obj.(*unstructured.Unstructured); ok { + ruleBinding, err := unstructuredToRuleBinding(un) if err != nil { logger.L().Error("failed to convert unstructured to rule binding", helpers.Error(err)) return @@ -138,12 +136,11 @@ func (c *RBCache) AddHandler(ctx context.Context, obj *unstructured.Unstructured } } } -func (c *RBCache) ModifyHandler(ctx context.Context, obj *unstructured.Unstructured) { - var rbs []rulebindingmanager.RuleBindingNotify - switch obj.GetKind() { - case types.RuntimeRuleBindingAlertKind: - ruleBinding, err := unstructuredToRuleBinding(obj) +func (c *RBCache) ModifyHandler(_ context.Context, obj runtime.Object) { + var rbs []rulebindingmanager.RuleBindingNotify + if un, ok := obj.(*unstructured.Unstructured); ok { + ruleBinding, err := unstructuredToRuleBinding(un) if err != nil { logger.L().Error("failed to convert unstructured to rule binding", helpers.Error(err)) return @@ -157,13 +154,12 @@ func (c *RBCache) ModifyHandler(ctx context.Context, obj *unstructured.Unstructu } } } -func (c *RBCache) DeleteHandler(_ context.Context, obj *unstructured.Unstructured) { + +func (c *RBCache) DeleteHandler(_ context.Context, obj runtime.Object) { var rbs []rulebindingmanager.RuleBindingNotify - switch obj.GetKind() { - case types.RuntimeRuleBindingAlertKind: - rbs = c.deleteRuleBinding(uniqueName(obj)) + if un, ok := obj.(*unstructured.Unstructured); ok { + rbs = c.deleteRuleBinding(uniqueName(un)) } - // notify for n := range c.notifiers { for i := range rbs { diff --git a/go.mod b/go.mod index 075cb65..40fab54 100644 --- a/go.mod +++ b/go.mod @@ -1,46 +1,48 @@ module github.com/kubescape/operator -go 1.22.5 +go 1.22.7 + +toolchain go1.23.1 require ( - github.com/armosec/armoapi-go v0.0.430 + github.com/armosec/armoapi-go v0.0.439 github.com/armosec/cluster-notifier-api-go v0.0.5 github.com/armosec/registryx v0.0.16 github.com/armosec/utils-go v0.0.57 github.com/armosec/utils-k8s-go v0.0.26 - github.com/aws/aws-sdk-go v1.50.8 + github.com/aws/aws-sdk-go v1.55.5 github.com/cenkalti/backoff v2.2.1+incompatible github.com/deckarep/golang-set/v2 v2.6.0 github.com/distribution/reference v0.6.0 - github.com/docker/docker v27.1.1+incompatible + github.com/docker/docker v27.2.1+incompatible github.com/go-openapi/runtime v0.28.0 - github.com/google/go-containerregistry v0.19.1 + github.com/google/go-containerregistry v0.20.2 github.com/google/uuid v1.6.0 github.com/goradd/maps v0.1.5 github.com/gorilla/mux v1.8.1 github.com/gorilla/websocket v1.5.1 github.com/kubescape/backend v0.0.20 github.com/kubescape/go-logger v0.0.22 - github.com/kubescape/k8s-interface v0.0.170 + github.com/kubescape/k8s-interface v0.0.176 github.com/kubescape/kubescape-network-scanner v0.0.15 - github.com/kubescape/node-agent v0.2.111 + github.com/kubescape/node-agent v0.2.152 github.com/kubescape/opa-utils v0.0.278 - github.com/kubescape/storage v0.0.89 + github.com/kubescape/storage v0.0.122 github.com/mitchellh/mapstructure v1.5.0 github.com/panjf2000/ants/v2 v2.9.1 github.com/spf13/viper v1.19.0 github.com/stretchr/testify v1.9.0 github.com/zeebo/assert v1.3.1 go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.44.0 - go.opentelemetry.io/otel v1.28.0 - go.opentelemetry.io/otel/trace v1.28.0 + go.opentelemetry.io/otel v1.29.0 + go.opentelemetry.io/otel/trace v1.29.0 gopkg.in/mgo.v2 v2.0.0-20190816093944-a6b53ec6cb22 istio.io/pkg v0.0.0-20231221211216-7635388a563e - k8s.io/api v0.30.2 - k8s.io/apimachinery v0.30.2 - k8s.io/apiserver v0.30.2 - k8s.io/client-go v0.30.2 - k8s.io/utils v0.0.0-20240310230437-4693a0247e57 + k8s.io/api v0.31.0 + k8s.io/apimachinery v0.31.0 + k8s.io/apiserver v0.31.0 + k8s.io/client-go v0.31.0 + k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 sigs.k8s.io/yaml v1.4.0 ) @@ -75,10 +77,10 @@ require ( github.com/xdg-go/scram v1.1.2 // indirect github.com/xdg-go/stringprep v1.0.4 // indirect github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d // indirect - go.etcd.io/etcd/api/v3 v3.5.12 // indirect - go.etcd.io/etcd/client/pkg/v3 v3.5.12 // indirect - go.etcd.io/etcd/client/v3 v3.5.12 // indirect - k8s.io/apiextensions-apiserver v0.30.2 // indirect + go.etcd.io/etcd/api/v3 v3.5.14 // indirect + go.etcd.io/etcd/client/pkg/v3 v3.5.14 // indirect + go.etcd.io/etcd/client/v3 v3.5.14 // indirect + k8s.io/apiextensions-apiserver v0.31.0 // indirect ) require ( @@ -98,22 +100,22 @@ require ( github.com/anchore/syft v1.4.1 // indirect github.com/armosec/gojay v1.2.17 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect - github.com/aws/aws-sdk-go-v2 v1.24.1 // indirect - github.com/aws/aws-sdk-go-v2/config v1.26.6 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.16.16 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 // indirect - github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 // indirect - github.com/aws/aws-sdk-go-v2/service/eks v1.28.1 // indirect - github.com/aws/aws-sdk-go-v2/service/iam v1.21.1 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 // indirect - github.com/aws/smithy-go v1.19.0 // indirect + github.com/aws/aws-sdk-go-v2 v1.30.5 // indirect + github.com/aws/aws-sdk-go-v2/config v1.27.35 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.17.33 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect + github.com/aws/aws-sdk-go-v2/service/ecr v1.34.0 // indirect + github.com/aws/aws-sdk-go-v2/service/eks v1.48.5 // indirect + github.com/aws/aws-sdk-go-v2/service/iam v1.35.3 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.22.8 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.8 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.30.8 // indirect + github.com/aws/smithy-go v1.20.4 // indirect github.com/becheran/wildmatch-go v1.0.0 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect @@ -124,20 +126,21 @@ require ( github.com/containerd/containerd v1.7.21 // indirect github.com/containerd/errdefs v0.1.0 // indirect github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect - github.com/containers/common v0.59.1 // indirect + github.com/containers/common v0.60.2 // indirect github.com/coreos/go-oidc v2.2.1+incompatible // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect - github.com/docker/cli v27.0.2+incompatible // indirect + github.com/docker/cli v27.2.1+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect github.com/docker/docker-credential-helpers v0.8.2 // indirect github.com/docker/go-connections v0.5.0 // indirect - github.com/emicklei/go-restful/v3 v3.12.0 // indirect + github.com/emicklei/go-restful/v3 v3.12.1 // indirect github.com/evanphx/json-patch v5.9.0+incompatible // indirect github.com/facebookincubator/nvdtools v0.1.5 // indirect github.com/fatih/color v1.17.0 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect github.com/francoispqt/gojay v1.2.13 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/gabriel-vasile/mimetype v1.4.3 // indirect github.com/github/go-spdx/v2 v2.2.0 // indirect github.com/go-gota/gota v0.12.0 // indirect @@ -173,7 +176,7 @@ require ( github.com/hashicorp/hcl v1.0.1-vault-5 // indirect github.com/imdario/mergo v0.3.16 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect - github.com/inspektor-gadget/inspektor-gadget v0.30.0 // indirect + github.com/inspektor-gadget/inspektor-gadget v0.32.1-0.20240910080600-c7396e29cbf6 // indirect github.com/jinzhu/copier v0.4.0 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect @@ -204,7 +207,7 @@ require ( github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/pquerna/cachecontrol v0.2.0 // indirect - github.com/prometheus/client_golang v1.20.2 // indirect + github.com/prometheus/client_golang v1.20.3 // indirect github.com/prometheus/client_model v0.6.1 // indirect github.com/prometheus/common v0.55.0 // indirect github.com/prometheus/procfs v0.15.1 // indirect @@ -231,32 +234,33 @@ require ( github.com/vbatts/tar-split v0.11.5 // indirect github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651 // indirect github.com/wagoodman/go-progress v0.0.0-20230925121702-07e42b3cdba0 // indirect + github.com/x448/float16 v0.8.4 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/yashtewari/glob-intersection v0.2.0 // indirect go.mongodb.org/mongo-driver v1.15.0 // indirect go.opencensus.io v0.24.0 // indirect - go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect + go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect go.opentelemetry.io/contrib/instrumentation/runtime v0.51.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.26.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.26.0 // indirect go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.26.0 // indirect - go.opentelemetry.io/otel/metric v1.28.0 // indirect - go.opentelemetry.io/otel/sdk v1.28.0 // indirect - go.opentelemetry.io/otel/sdk/metric v1.27.0 // indirect + go.opentelemetry.io/otel/metric v1.29.0 // indirect + go.opentelemetry.io/otel/sdk v1.29.0 // indirect + go.opentelemetry.io/otel/sdk/metric v1.29.0 // indirect go.opentelemetry.io/proto/otlp v1.3.1 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect golang.org/x/crypto v0.26.0 // indirect - golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect - golang.org/x/mod v0.17.0 // indirect + golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa // indirect + golang.org/x/mod v0.20.0 // indirect golang.org/x/net v0.28.0 // indirect - golang.org/x/oauth2 v0.21.0 // indirect + golang.org/x/oauth2 v0.22.0 // indirect golang.org/x/sync v0.8.0 // indirect - golang.org/x/sys v0.23.0 // indirect - golang.org/x/term v0.23.0 // indirect - golang.org/x/text v0.17.0 // indirect + golang.org/x/sys v0.25.0 // indirect + golang.org/x/term v0.24.0 // indirect + golang.org/x/text v0.18.0 // indirect golang.org/x/time v0.6.0 // indirect gonum.org/v1/gonum v0.9.1 // indirect google.golang.org/api v0.177.0 // indirect @@ -265,15 +269,16 @@ require ( google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect google.golang.org/grpc v1.66.0 // indirect google.golang.org/protobuf v1.34.2 // indirect + gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/square/go-jose.v2 v2.6.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/component-base v0.30.2 // indirect - k8s.io/klog/v2 v2.120.1 // indirect - k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f // indirect - sigs.k8s.io/controller-runtime v0.18.4 // indirect + k8s.io/component-base v0.31.0 // indirect + k8s.io/klog/v2 v2.130.1 // indirect + k8s.io/kube-openapi v0.0.0-20240812233141-91dab695df6f // indirect + sigs.k8s.io/controller-runtime v0.19.0 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect ) diff --git a/go.sum b/go.sum index ea7a9cd..e67e325 100644 --- a/go.sum +++ b/go.sum @@ -95,8 +95,8 @@ github.com/IBM/sarama v1.42.1 h1:wugyWa15TDEHh2kvq2gAy1IHLjEjuYOYgXz/ruC/OSQ= github.com/IBM/sarama v1.42.1/go.mod h1:Xxho9HkHd4K/MDUo/T/sOqwtX/17D33++E9Wib6hUdQ= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= -github.com/Microsoft/hcsshim v0.12.3 h1:LS9NXqXhMoqNCplK1ApmVSfB4UnVLRDWRapB6EIlxE0= -github.com/Microsoft/hcsshim v0.12.3/go.mod h1:Iyl1WVpZzr+UkzjekHZbV8o5Z9ZkxNGx6CtY2Qg/JVQ= +github.com/Microsoft/hcsshim v0.12.5 h1:bpTInLlDy/nDRWFVcefDZZ1+U8tS+rz3MxjKgu9boo0= +github.com/Microsoft/hcsshim v0.12.5/go.mod h1:tIUGego4G1EN5Hb6KC90aDYiUI2dqLSTTOCjVNpOgZ8= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= @@ -133,8 +133,8 @@ github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmV github.com/armon/go-metrics v0.3.10/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= -github.com/armosec/armoapi-go v0.0.430 h1:ekXSYUDvlX01tvYJ0yEUwYSi4mDjsoa+3Wd3AQPEURg= -github.com/armosec/armoapi-go v0.0.430/go.mod h1:mpok+lZaolcN5XRz/JxpwhfF8nln1OEKnGuvwAN+7Lo= +github.com/armosec/armoapi-go v0.0.439 h1:IqpxEbVaopgh35JNm61zGHvuzy6YavfAs8PfSD+x9OQ= +github.com/armosec/armoapi-go v0.0.439/go.mod h1:mpok+lZaolcN5XRz/JxpwhfF8nln1OEKnGuvwAN+7Lo= github.com/armosec/cluster-notifier-api-go v0.0.5 h1:UKY58ehKocKgtqzrawyaIHJa5paG9A4srv+4/6n+Ez4= github.com/armosec/cluster-notifier-api-go v0.0.5/go.mod h1:p5w9/zWIWwpi8W8mHGQdE6HuBb3AxXmZM9Rp//JWvx0= github.com/armosec/gojay v1.2.17 h1:VSkLBQzD1c2V+FMtlGFKqWXNsdNvIKygTKJI9ysY8eM= @@ -147,51 +147,40 @@ github.com/armosec/utils-k8s-go v0.0.26 h1:gVSV1mrALyphaesc+JXbx9SfbxLqfgg1KvvC1 github.com/armosec/utils-k8s-go v0.0.26/go.mod h1:WL2brx3tszxeSl1yHac0oAVJUg3o22HYh1dPjaSfjXU= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/aws/aws-sdk-go v1.50.8 h1:gY0WoOW+/Wz6XmYSgDH9ge3wnAevYDSQWPxxJvqAkP4= -github.com/aws/aws-sdk-go v1.50.8/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= -github.com/aws/aws-sdk-go-v2 v1.19.0/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= -github.com/aws/aws-sdk-go-v2 v1.19.1/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= -github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM= -github.com/aws/aws-sdk-go-v2 v1.24.1 h1:xAojnj+ktS95YZlDf0zxWBkbFtymPeDP+rvUQIH3uAU= -github.com/aws/aws-sdk-go-v2 v1.24.1/go.mod h1:LNh45Br1YAkEKaAqvmE1m8FUx6a5b/V0oAKV7of29b4= -github.com/aws/aws-sdk-go-v2/config v1.26.6 h1:Z/7w9bUqlRI0FFQpetVuFYEsjzE3h7fpU6HuGmfPL/o= -github.com/aws/aws-sdk-go-v2/config v1.26.6/go.mod h1:uKU6cnDmYCvJ+pxO9S4cWDb2yWWIH5hra+32hVh1MI4= -github.com/aws/aws-sdk-go-v2/credentials v1.16.16 h1:8q6Rliyv0aUFAVtzaldUEcS+T5gbadPbWdV1WcAddK8= -github.com/aws/aws-sdk-go-v2/credentials v1.16.16/go.mod h1:UHVZrdUsv63hPXFo1H7c5fEneoVo9UXiz36QG1GEPi0= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 h1:c5I5iH+DZcH3xOIMlz3/tCKJDaHFwYEmxvlh2fAcFo8= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11/go.mod h1:cRrYDYAMUohBJUtUnOhydaMHtiK/1NZ0Otc9lIb6O0Y= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.35/go.mod h1:ipR5PvpSPqIqL5Mi82BxLnfMkHVbmco8kUwO2xrCi0M= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.36/go.mod h1:T8Jsn/uNL/AFOXrVYQ1YQaN1r9gN34JU1855/Lyjv+o= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43/go.mod h1:auo+PiyLl0n1l8A0e8RIeR8tOzYPfZZH/JNlrJ8igTQ= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 h1:vF+Zgd9s+H4vOXd5BMaPWykta2a6Ih0AKLq/X6NYKn4= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10/go.mod h1:6BkRjejp/GR4411UGqkX8+wFMbFbqsUIimfK4XjOKR4= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.29/go.mod h1:M/eUABlDbw2uVrdAn+UsI6M727qp2fxkp8K0ejcBDUY= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.30/go.mod h1:v3GSCnFxbHzt9dlWBqvA1K1f9lmWuf4ztupZBCAIVs4= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37/go.mod h1:Qe+2KtKml+FEsQF/DHmDV+xjtche/hwoF75EG4UlHW8= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 h1:nYPe006ktcqUji8S2mqXf9c/7NdiKriOwMvWQHgYztw= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10/go.mod h1:6UV4SZkVvmODfXKql4LCbaZUpF7HO2BX38FgBf9ZOLw= -github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 h1:n3GDfwqF2tzEkXlv5cuy4iy7LpKDtqDMcNLfZDu9rls= -github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY= -github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 h1:y6LX9GUoEA3mO0qpFl1ZQHj1rFyPWVphlzebiSt2tKE= -github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2/go.mod h1:Q0LcmaN/Qr8+4aSBrdrXXePqoX0eOuYpJLbYpilmWnA= -github.com/aws/aws-sdk-go-v2/service/eks v1.28.1 h1:SA+98Rnehl2KXewvGXc2Lw2ns3Y4t9jdMHmEY5hcNws= -github.com/aws/aws-sdk-go-v2/service/eks v1.28.1/go.mod h1:cQRkgJKg6s9AIzFZ+i4pXdm+/3Fw4MuPNqCdMvSaqns= -github.com/aws/aws-sdk-go-v2/service/iam v1.21.1 h1:VTCWgsrromZqnlRgfziqqWWcW7LFkQLwJVYgf/5zgWA= -github.com/aws/aws-sdk-go-v2/service/iam v1.21.1/go.mod h1:LBsjrFczXiQLASO6FtDGTeHuZh6oHuIH6VKaOozFghg= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 h1:/b31bi3YVNlkzkBrm9LfpaKoaYZUxIAj4sHfOTmLfqw= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4/go.mod h1:2aGXHFmbInwgP9ZfpmdIfOELL79zhdNYNmReK8qDfdQ= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 h1:DBYTXwIGQSGs9w4jKm60F5dmCQ3EEruxdc0MFh+3EY4= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10/go.mod h1:wohMUQiFdzo0NtxbBg0mSRGZ4vL3n0dKjLTINdcIino= -github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 h1:eajuO3nykDPdYicLlP3AGgOyVN3MOlFmZv7WGTuJPow= -github.com/aws/aws-sdk-go-v2/service/sso v1.18.7/go.mod h1:+mJNDdF+qiUlNKNC3fxn74WWNN+sOiGOEImje+3ScPM= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 h1:QPMJf+Jw8E1l7zqhZmMlFw6w1NmfkfiSK8mS4zOx3BA= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7/go.mod h1:ykf3COxYI0UJmxcfcxcVuz7b6uADi1FkiUz6Eb7AgM8= -github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 h1:NzO4Vrau795RkUdSHKEwiR01FaGzGOH1EETJ+5QHnm0= -github.com/aws/aws-sdk-go-v2/service/sts v1.26.7/go.mod h1:6h2YuIoxaMSCFf5fi1EgZAwdfkGMgDY+DVfa61uLe4U= -github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= -github.com/aws/smithy-go v1.15.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= -github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM= -github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE= +github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU= +github.com/aws/aws-sdk-go v1.55.5/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= +github.com/aws/aws-sdk-go-v2 v1.30.5 h1:mWSRTwQAb0aLE17dSzztCVJWI9+cRMgqebndjwDyK0g= +github.com/aws/aws-sdk-go-v2 v1.30.5/go.mod h1:CT+ZPWXbYrci8chcARI3OmI/qgd+f6WtuLOoaIA8PR0= +github.com/aws/aws-sdk-go-v2/config v1.27.35 h1:jeFgiWYNV0vrgdZqB4kZBjYNdy0IKkwrAjr2fwpHIig= +github.com/aws/aws-sdk-go-v2/config v1.27.35/go.mod h1:qnpEvTq8ZfjrCqmJGRfWZuF+lGZ/vG8LK2K0L/TY1gQ= +github.com/aws/aws-sdk-go-v2/credentials v1.17.33 h1:lBHAQQznENv0gLHAZ73ONiTSkCtr8q3pSqWrpbBBZz0= +github.com/aws/aws-sdk-go-v2/credentials v1.17.33/go.mod h1:MBuqCUOT3ChfLuxNDGyra67eskx7ge9e3YKYBce7wpI= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 h1:pfQ2sqNpMVK6xz2RbqLEL0GH87JOwSxPV2rzm8Zsb74= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13/go.mod h1:NG7RXPUlqfsCLLFfi0+IpKN4sCB9D9fw/qTaSB+xRoU= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 h1:pI7Bzt0BJtYA0N/JEC6B8fJ4RBrEMi1LBrkMdFYNSnQ= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17/go.mod h1:Dh5zzJYMtxfIjYW+/evjQ8uj2OyR/ve2KROHGHlSFqE= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17 h1:Mqr/V5gvrhA2gvgnF42Zh5iMiQNcOYthFYwCyrnuWlc= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17/go.mod h1:aLJpZlCmjE+V+KtN1q1uyZkfnUWpQGpbsn89XPKyzfU= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc= +github.com/aws/aws-sdk-go-v2/service/ecr v1.34.0 h1:kDSbKHvFf4I7Aw7wJSd2vGprafZbTEMUgwAxKXcnkVQ= +github.com/aws/aws-sdk-go-v2/service/ecr v1.34.0/go.mod h1:keOS9j4fv5ASh7dV29lIpGw2QgoJwGFAyMU0uPvfax4= +github.com/aws/aws-sdk-go-v2/service/eks v1.48.5 h1:vMwwdzKoUBt7vMHNkF16Hh7+8ndVGOAAEgqcrbz17M4= +github.com/aws/aws-sdk-go-v2/service/eks v1.48.5/go.mod h1:9dn8p15siUL80NCTPVNd+YvEpVTmWO+rboGx6qOMBa0= +github.com/aws/aws-sdk-go-v2/service/iam v1.35.3 h1:bWFkGGea2UoD/m229uuRfT0mu+6pKNB0Kq4U6j/Qz3U= +github.com/aws/aws-sdk-go-v2/service/iam v1.35.3/go.mod h1:PpmEOH3ZTQlDAezieBVdFMjPO1jovUMNPA4OpCtnwbY= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 h1:KypMCbLPPHEmf9DgMGw51jMj77VfGPAN2Kv4cfhlfgI= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4/go.mod h1:Vz1JQXliGcQktFTN/LN6uGppAIRoLBR2bMvIMP0gOjc= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 h1:rfprUlsdzgl7ZL2KlXiUAoJnI/VxfHCvDFr2QDFj6u4= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19/go.mod h1:SCWkEdRq8/7EK60NcvvQ6NXKuTcchAD4ROAsC37VEZE= +github.com/aws/aws-sdk-go-v2/service/sso v1.22.8 h1:JRwuL+S1Qe1owZQoxblV7ORgRf2o0SrtzDVIbaVCdQ0= +github.com/aws/aws-sdk-go-v2/service/sso v1.22.8/go.mod h1:eEygMHnTKH/3kNp9Jr1n3PdejuSNcgwLe1dWgQtO0VQ= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.8 h1:+HpGETD9463PFSj7lX5+eq7aLDs85QUIA+NBkeAsscA= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.8/go.mod h1:bCbAxKDqNvkHxRaIMnyVPXPo+OaPRwvmgzMxbz1VKSA= +github.com/aws/aws-sdk-go-v2/service/sts v1.30.8 h1:bAi+4p5EKnni+jrfcAhb7iHFQ24bthOAV9t0taf3DCE= +github.com/aws/aws-sdk-go-v2/service/sts v1.30.8/go.mod h1:NXi1dIAGteSaRLqYgarlhP/Ij0cFT+qmCwiJqWh/U5o= +github.com/aws/smithy-go v1.20.4 h1:2HK1zBdPgRbjFOHlfeQZfpC4r72MOb9bZkiFwggKO+4= +github.com/aws/smithy-go v1.20.4/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= github.com/becheran/wildmatch-go v1.0.0 h1:mE3dGGkTmpKtT4Z+88t8RStG40yN9T+kFEGj2PZFSzA= github.com/becheran/wildmatch-go v1.0.0/go.mod h1:gbMvj0NtVdJ15Mg/mH9uxk2R1QCistMyU7d9KFzroX4= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= @@ -229,8 +218,8 @@ github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk= -github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso= +github.com/cilium/ebpf v0.16.0 h1:+BiEnHL6Z7lXnlGUsXQPPAE7+kenAd4ES8MQ5min0Ok= +github.com/cilium/ebpf v0.16.0/go.mod h1:L7u2Blt2jMM/vLAVgjxluxtBKlz3/GWjB0dMOEngfwE= github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag= github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= @@ -268,8 +257,8 @@ github.com/containerd/ttrpc v1.2.5/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQ github.com/containerd/typeurl v1.0.2 h1:Chlt8zIieDbzQFzXzAeBEF92KhExuE4p9p92/QmY7aY= github.com/containerd/typeurl/v2 v2.1.1 h1:3Q4Pt7i8nYwy2KmQWIw2+1hTvwTE/6w9FqcttATPO/4= github.com/containerd/typeurl/v2 v2.1.1/go.mod h1:IDp2JFvbwZ31H8dQbEIY7sDl2L3o3HZj1hsSQlywkQ0= -github.com/containers/common v0.59.1 h1:7VkmJN3YvD0jLFwaUjLHSRJ98JLffydiyOJjYr0dUTo= -github.com/containers/common v0.59.1/go.mod h1:53VicJCZ2AD0O+Br7VVoyrS7viXF4YmwlTIocWUT8XE= +github.com/containers/common v0.60.2 h1:utcwp2YkO8c0mNlwRxsxfOiqfj157FRrBjxgjR6f+7o= +github.com/containers/common v0.60.2/go.mod h1:I0upBi1qJX3QmzGbUOBN1LVP6RvkKhd3qQpZbQT+Q54= github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk= github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= @@ -281,8 +270,8 @@ github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= -github.com/cyphar/filepath-securejoin v0.2.5 h1:6iR5tXJ/e6tJZzzdMc1km3Sa7RRIVBKAK32O2s7AYfo= -github.com/cyphar/filepath-securejoin v0.2.5/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= +github.com/cyphar/filepath-securejoin v0.3.1 h1:1V7cHiaW+C+39wEfpH6XlLBQo3j/PciWFrgfCLS8XrE= +github.com/cyphar/filepath-securejoin v0.3.1/go.mod h1:F7i41x/9cBF7lzCrVsYs9fuzwRZm4NQsGTBdpp6mETc= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= @@ -300,12 +289,12 @@ github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+ github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v27.0.2+incompatible h1:IgWU3lWqAYNibtcxgl/PY4TB0eCmK1ZpNUZVJfenDQs= -github.com/docker/cli v27.0.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.2.1+incompatible h1:U5BPtiD0viUzjGAjV1p0MGB8eVA3L3cbIrnyWmSJI70= +github.com/docker/cli v27.2.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v27.1.1+incompatible h1:hO/M4MtV36kzKldqnA37IWhebRA+LnqqcqDja6kVaKY= -github.com/docker/docker v27.1.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v27.2.1+incompatible h1:fQdiLfW7VLscyoeYEBz7/J8soYFDZV1u6VW6gJEjNMI= +github.com/docker/docker v27.2.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= @@ -327,8 +316,8 @@ github.com/elastic/elastic-transport-go/v8 v8.4.0 h1:EKYiH8CHd33BmMna2Bos1rDNMM8 github.com/elastic/elastic-transport-go/v8 v8.4.0/go.mod h1:YLHer5cj0csTzNFXoNQ8qhtGY1GTvSqPnKWKaqQE3Hk= github.com/elastic/go-elasticsearch/v8 v8.12.0 h1:krkiCf4peJa7bZwGegy01b5xWWaYpik78wvisTeRO1U= github.com/elastic/go-elasticsearch/v8 v8.12.0/go.mod h1:wSzJYrrKPZQ8qPuqAqc6KMR4HrBfHnZORvyL+FMFqq0= -github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk= -github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.12.1 h1:PJMDIM/ak7btuL8Ex0iYET9hxM3CI2sjZtzpL63nKAU= +github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= @@ -371,6 +360,8 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0= github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= @@ -427,7 +418,6 @@ github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LB github.com/go-sql-driver/mysql v1.7.1 h1:lUIinVbN1DY0xBg0eMOzmmtGoHwWBbvnWubQUrtU8EI= github.com/go-sql-driver/mysql v1.7.1/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg= @@ -501,12 +491,11 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-containerregistry v0.19.1 h1:yMQ62Al6/V0Z7CqIrrS1iYoA5/oQCm88DeNujc7C1KY= -github.com/google/go-containerregistry v0.19.1/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI= +github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l/DSArMxlbwseo= +github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ= github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= @@ -530,8 +519,8 @@ github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg= -github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= +github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 h1:FKHo8hFI3A+7w0aUQuYXQ+6EN5stWmeY/AZqtM8xk9k= +github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o= github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= @@ -618,8 +607,8 @@ github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+h github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/inspektor-gadget/inspektor-gadget v0.30.0 h1:N9VCDLR9h8iS2TnU4p7j5ErMI/aYCOrn7vycHTnhfc8= -github.com/inspektor-gadget/inspektor-gadget v0.30.0/go.mod h1:FpyWQG0hF/SCKYDYapLMlXVY8bqkRbzI/lGqJKg4xVw= +github.com/inspektor-gadget/inspektor-gadget v0.32.1-0.20240910080600-c7396e29cbf6 h1:q1AQFkLoiqYl5VNqVV8ukRZVPmjYIZ5l3eSBYSB/P/k= +github.com/inspektor-gadget/inspektor-gadget v0.32.1-0.20240910080600-c7396e29cbf6/go.mod h1:CP5u1qNRQfdyJAPdfDExEHfNSGcqTeRtIilBX80DtIo= github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8= github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs= github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo= @@ -671,22 +660,22 @@ github.com/kubescape/backend v0.0.20 h1:E3nZGqWW8ELSh/n3ZRitlkmuZq33Lyx/42Lm4gpg github.com/kubescape/backend v0.0.20/go.mod h1:FpazfN+c3Ucuvv4jZYCnk99moSBRNMVIxl5aWCZAEBo= github.com/kubescape/go-logger v0.0.22 h1:gle7wH6emOiGv9ljdpVi82pWLQ3jGucrUucvil6JXHE= github.com/kubescape/go-logger v0.0.22/go.mod h1:x3HBpZo3cMT/WIdy18BxvVVd5D0e/PWFVk/HiwBNu3g= -github.com/kubescape/k8s-interface v0.0.170 h1:EtzomWoeeIWDz7QrAEsqUDpLHQwoh2m3tZITfrE/tiE= -github.com/kubescape/k8s-interface v0.0.170/go.mod h1:VoEoHI4Va08NiGAkYzbITF50aFMT5y4fPHRb4x2LtME= +github.com/kubescape/k8s-interface v0.0.176 h1:o8vKztPZtVff06qRK9H9h2M8auD7sQfbY36X0oFG9ws= +github.com/kubescape/k8s-interface v0.0.176/go.mod h1:1jA1z5uLLyVkGxWjlT9WibUvcE+chK4g9Hrxg+GajP4= github.com/kubescape/kubescape-network-scanner v0.0.15 h1:LsaVCQzj0PbA30BeFdzxchW2bkg6nn5quwllWmm/2/s= github.com/kubescape/kubescape-network-scanner v0.0.15/go.mod h1:fqTzRCWsuniGEEZHtOEdITxnqx+i5ICdOVuenSQJd3U= github.com/kubescape/kubescape/v3 v3.0.4 h1:gZ5d8QMxLYZQ6Yz9wRvGcDQlBUIV+v/Y/41g56/YDy8= github.com/kubescape/kubescape/v3 v3.0.4/go.mod h1:upPCVTCRT3+LuZ1bawGtjreRmr/Xa+LT0fHtPzlylRU= -github.com/kubescape/node-agent v0.2.111 h1:c1+8u8rCSBtIOn5Eb21cdgM16B+SghsnhcwfTYiUk60= -github.com/kubescape/node-agent v0.2.111/go.mod h1:1KYGsFyRdCqd7/U8xxT6rXcApmXVv9lGaPcijhqqeJA= +github.com/kubescape/node-agent v0.2.152 h1:D1P3tIazmy+iTyud8PvqH0laW39LxMNuHktFBWWCRyg= +github.com/kubescape/node-agent v0.2.152/go.mod h1:cP+hwtIfESsNpHkFBf+G1iY3cK5dPBAklvEPLfhO+Wo= github.com/kubescape/opa-utils v0.0.278 h1:x0akigrjYjocD0HzlRZ4+ZgL+ZK33286d2L48z6m0PE= github.com/kubescape/opa-utils v0.0.278/go.mod h1:N/UnbZHpoiHQH7O50yadhIXZvVl0IVtTGBmePPrSQSg= github.com/kubescape/rbac-utils v0.0.21-0.20230806101615-07e36f555520 h1:SqlwF8G+oFazeYmZQKoPczLEflBQpwpHCU8DoLLyfj8= github.com/kubescape/rbac-utils v0.0.21-0.20230806101615-07e36f555520/go.mod h1:wuxMUSDzGUyWd25IJfBzEJ/Udmw2Vy7npj+MV3u3GrU= github.com/kubescape/regolibrary v1.0.315 h1:Oyr+K8QsOnOulzVkIqOcIoK+g+NDIdoRvTG54BhCh3Q= github.com/kubescape/regolibrary v1.0.315/go.mod h1:xTXVzytnyytxl5RwEEYuL98/xMpdgDJeX4Ayx7CAxZc= -github.com/kubescape/storage v0.0.89 h1:kYjaYqKndm3C/15MB1J4hgdmA4vbV4zCMWox2ga8O3M= -github.com/kubescape/storage v0.0.89/go.mod h1:eLCQ7JKpR6JRjtENnN3JduvRLMOyJFtBihfdVC+1hLA= +github.com/kubescape/storage v0.0.122 h1:yf2vTTjWQs4xAejQwE60QvBFBe95FLS5NCRmG0Mej7A= +github.com/kubescape/storage v0.0.122/go.mod h1:NB/IE4XmYTaLaQlYrE9buFycfRSzrYY+kF/r6f4oAB4= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= @@ -739,10 +728,10 @@ github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3N github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= -github.com/moby/moby v27.0.2+incompatible h1:iYtGEjFi9lkX2m/Bop2H/peXzx3VtzmPlE9r0JHyH0s= -github.com/moby/moby v27.0.2+incompatible/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc= -github.com/moby/sys/mountinfo v0.7.1 h1:/tTvQaSJRr2FshkhXiIpux6fQ2Zvc4j7tAhMTStAG2g= -github.com/moby/sys/mountinfo v0.7.1/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI= +github.com/moby/moby v27.2.1+incompatible h1:mIRBoOsLr+Q6s+h65ZFyi6cXBEVy2RXCWS5HOHlxx54= +github.com/moby/moby v27.2.1+incompatible/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc= +github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg= +github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4= github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc= github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo= github.com/moby/sys/signal v0.7.0 h1:25RW3d5TnQEoKvRbEKUGay6DCQ46IxAVTT9CUMgmsSI= @@ -773,10 +762,10 @@ github.com/olvrng/ujson v1.1.0 h1:8xVUzVlqwdMVWh5d1UHBtLQ1D50nxoPuPEq9Wozs8oA= github.com/olvrng/ujson v1.1.0/go.mod h1:Mz4G3RODTUfbkKyvi0lgmPx/7vd3Saksk+1jgk8s9xo= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.18.0 h1:W9Y7IWXxPUpAit9ieMOLI7PJZGaW22DTKgiVAuhDTLc= -github.com/onsi/ginkgo/v2 v2.18.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= -github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= -github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= +github.com/onsi/ginkgo/v2 v2.20.0 h1:PE84V2mHqoT1sglvHc8ZdQtPcwmvvt29WLEEO3xmdZw= +github.com/onsi/ginkgo/v2 v2.20.0/go.mod h1:lG9ey2Z29hR41WMVthyJBGUBcBhGOtoPF2VFMvBXFCI= +github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8= +github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc= github.com/open-policy-agent/opa v0.68.0 h1:Jl3U2vXRjwk7JrHmS19U3HZO5qxQRinQbJ2eCJYSqJQ= github.com/open-policy-agent/opa v0.68.0/go.mod h1:5E5SvaPwTpwt2WM177I9Z3eT7qUpmOGjk1ZdHs+TZ4w= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= @@ -823,8 +812,8 @@ github.com/prometheus/client_golang v0.8.0/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU= -github.com/prometheus/client_golang v1.20.2 h1:5ctymQzZlyOON1666svgwn3s6IKWgfbjsejTMiXIyjg= -github.com/prometheus/client_golang v1.20.2/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= +github.com/prometheus/client_golang v1.20.3 h1:oPksm4K8B+Vt35tUhw6GbSNSgVlVSBH0qELP/7u83l4= +github.com/prometheus/client_golang v1.20.3/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= @@ -961,14 +950,16 @@ github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinC github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk= github.com/viant/assertly v0.4.8/go.mod h1:aGifi++jvCrUaklKEKT0BU95igDNaqkvz+49uaYMPRU= github.com/viant/toolbox v0.24.0/go.mod h1:OxMCG57V0PXuIP2HNQrtJf2CjqdmbrOx5EkMILuUhzM= -github.com/vishvananda/netlink v1.2.1-beta.2 h1:Llsql0lnQEbHj0I1OuKyp8otXp0r3q0mPkuhwHfStVs= -github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho= +github.com/vishvananda/netlink v1.3.0 h1:X7l42GfcV4S6E4vHTsw48qbrV+9PVojNfIhZcwQdrZk= +github.com/vishvananda/netlink v1.3.0/go.mod h1:i6NetklAujEcC6fK0JPjT8qSwWyO0HLn4UKG+hGqeJs= github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8= github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM= github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651 h1:jIVmlAFIqV3d+DOxazTR9v+zgj8+VYuQBzPgBZvWBHA= github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651/go.mod h1:b26F2tHLqaoRQf8DywqzVaV1MQ9yvjb0OMcNl7Nxu20= github.com/wagoodman/go-progress v0.0.0-20230925121702-07e42b3cdba0 h1:0KGbf+0SMg+UFy4e1A/CPVvXn21f1qtWdeJwxZFoQG8= github.com/wagoodman/go-progress v0.0.0-20230925121702-07e42b3cdba0/go.mod h1:jLXFoL31zFaHKAAyZUh+sxiTDFe1L1ZHrcK2T1itVKA= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c= github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= github.com/xdg-go/scram v1.1.2 h1:FHX5I5B4i4hKRVRBCFRxq1iQRej7WO3hhBuJf+UUySY= @@ -994,14 +985,14 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t github.com/zeebo/assert v1.3.1 h1:vukIABvugfNMZMQO1ABsyQDJDTVQbn+LWSMy1ol1h6A= github.com/zeebo/assert v1.3.1/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0= go.etcd.io/etcd/api/v3 v3.5.1/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= -go.etcd.io/etcd/api/v3 v3.5.12 h1:W4sw5ZoU2Juc9gBWuLk5U6fHfNVyY1WC5g9uiXZio/c= -go.etcd.io/etcd/api/v3 v3.5.12/go.mod h1:Ot+o0SWSyT6uHhA56al1oCED0JImsRiU9Dc26+C2a+4= +go.etcd.io/etcd/api/v3 v3.5.14 h1:vHObSCxyB9zlF60w7qzAdTcGaglbJOpSj1Xj9+WGxq0= +go.etcd.io/etcd/api/v3 v3.5.14/go.mod h1:BmtWcRlQvwa1h3G2jvKYwIQy4PkHlDej5t7uLMUdJUU= go.etcd.io/etcd/client/pkg/v3 v3.5.1/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= -go.etcd.io/etcd/client/pkg/v3 v3.5.12 h1:EYDL6pWwyOsylrQyLp2w+HkQ46ATiOvoEdMarindU2A= -go.etcd.io/etcd/client/pkg/v3 v3.5.12/go.mod h1:seTzl2d9APP8R5Y2hFL3NVlD6qC/dOT+3kvrqPyTas4= +go.etcd.io/etcd/client/pkg/v3 v3.5.14 h1:SaNH6Y+rVEdxfpA2Jr5wkEvN6Zykme5+YnbCkxvuWxQ= +go.etcd.io/etcd/client/pkg/v3 v3.5.14/go.mod h1:8uMgAokyG1czCtIdsq+AGyYQMvpIKnSvPjFMunkgeZI= go.etcd.io/etcd/client/v2 v2.305.1/go.mod h1:pMEacxZW7o8pg4CrFE7pquyCJJzZvkvdD2RibOCCCGs= -go.etcd.io/etcd/client/v3 v3.5.12 h1:v5lCPXn1pf1Uu3M4laUE2hp/geOTc5uPcYYsNe1lDxg= -go.etcd.io/etcd/client/v3 v3.5.12/go.mod h1:tSbBCakoWmmddL+BKVAJHa9km+O/E+bumDe9mSbPiqw= +go.etcd.io/etcd/client/v3 v3.5.14 h1:CWfRs4FDaDoSz81giL7zPpZH2Z35tbOrAJkkjMqOupg= +go.etcd.io/etcd/client/v3 v3.5.14/go.mod h1:k3XfdV/VIHy/97rqWjoUzrj9tk7GgJGH9J8L4dNXmAk= go.mongodb.org/mongo-driver v1.15.0 h1:rJCKC8eEliewXjZGf0ddURtl7tTVy1TK3bfl0gkUSLc= go.mongodb.org/mongo-driver v1.15.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c= go.opencensus.io v0.18.0/go.mod h1:vKdFvxhtzZ9onBp9VKHK8z/sRpBMnKAsufL7wlDrCOA= @@ -1016,14 +1007,14 @@ go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.44.0 h1:QaNUlLvmettd1vnmFHrgBYQHearxWP3uO4h4F3pVtkM= go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.44.0/go.mod h1:cJu+5jZwoZfkBOECSFtBZK/O7h/pY5djn0fwnIGnQ4A= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 h1:4Pp6oUg3+e/6M4C0A/3kJ2VYa++dsWVTtGgLVj5xtHg= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0/go.mod h1:Mjt1i1INqiaoZOMGR1RIUJN+i3ChKoFRqzrRQhlkbs0= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 h1:9G6E0TXzGFVfTnawRzrPl83iHOAV7L8NJiR8RSGYV1g= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= go.opentelemetry.io/contrib/instrumentation/runtime v0.51.0 h1:1tBjncp/Rr5iuV0WfdKGGynrzIJ8bMm5z7Zl6jMjfIE= go.opentelemetry.io/contrib/instrumentation/runtime v0.51.0/go.mod h1:6MqTuVXkhmzrIc7SFHYVTo7N6OFvVpDH5eq5xXKpAZQ= -go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo= -go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4= +go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw= +go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8= go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.26.0 h1:HGZWGmCVRCVyAs2GQaiHQPbDHo+ObFWeUEOd+zDnp64= go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.26.0/go.mod h1:SaH+v38LSCHddyk7RGlU9uZyQoRrKao6IBnJw6Kbn+c= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY= @@ -1034,14 +1025,14 @@ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.26.0 h1:1wp/g go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.26.0/go.mod h1:gbTHmghkGgqxMomVQQMur1Nba4M0MQ8AYThXDUjsJ38= go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.26.0 h1:0W5o9SzoR15ocYHEQfvfipzcNog1lBxOLfnex91Hk6s= go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.26.0/go.mod h1:zVZ8nz+VSggWmnh6tTsJqXQ7rU4xLwRtna1M4x5jq58= -go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q= -go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s= -go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE= -go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg= -go.opentelemetry.io/otel/sdk/metric v1.27.0 h1:5uGNOlpXi+Hbo/DRoI31BSb1v+OGcpv2NemcCrOL8gI= -go.opentelemetry.io/otel/sdk/metric v1.27.0/go.mod h1:we7jJVrYN2kh3mVBlswtPU22K0SA+769l93J6bsyvqw= -go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g= -go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI= +go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc= +go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8= +go.opentelemetry.io/otel/sdk v1.29.0 h1:vkqKjk7gwhS8VaWb0POZKmIEDimRCMsopNYnriHyryo= +go.opentelemetry.io/otel/sdk v1.29.0/go.mod h1:pM8Dx5WKnvxLCb+8lG1PRNIDxu9g9b9g59Qr7hfAAok= +go.opentelemetry.io/otel/sdk/metric v1.29.0 h1:K2CfmJohnRgvZ9UAj2/FhIf/okdWcNdBwe1m8xFXiSY= +go.opentelemetry.io/otel/sdk/metric v1.29.0/go.mod h1:6zZLdCl2fkauYoZIOn/soQIDSWFmNSRcICarHfuhNJQ= +go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4= +go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= @@ -1086,8 +1077,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM= -golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc= +golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa h1:ELnwvuAXPNtPk1TJRuGkI9fDTwym6AYBu0qzT8AcHdI= +golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ= golang.org/x/image v0.0.0-20180708004352-c73c2afc3b81/go.mod h1:ux5Hcp/YLpHSI86hEcLt0YII63i6oz57MZXIpbrjZUs= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= @@ -1123,8 +1114,8 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= -golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= +golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -1196,8 +1187,8 @@ golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= -golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA= +golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/perf v0.0.0-20180704124530-6e6d33e29852/go.mod h1:JLpeXjPJfIyPr5TlbXLkXWLhP8nz10XfvxElABhCtcw= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -1290,13 +1281,13 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM= -golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= +golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= -golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU= -golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk= +golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM= +golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -1308,8 +1299,8 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= -golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= +golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -1376,8 +1367,8 @@ golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg= -golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= +golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= +golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -1564,6 +1555,8 @@ gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= +gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/ini.v1 v1.66.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= @@ -1600,32 +1593,32 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= istio.io/pkg v0.0.0-20231221211216-7635388a563e h1:ZlLVbKDlCzfP0MPbWc6VRcY23d9NdjLxwpPQpDrh3Gc= istio.io/pkg v0.0.0-20231221211216-7635388a563e/go.mod h1:fvmqEdHhZjYYwf6dSiIwvwc7db54kMWVTfsb91KmhzY= -k8s.io/api v0.30.2 h1:+ZhRj+28QT4UOH+BKznu4CBgPWgkXO7XAvMcMl0qKvI= -k8s.io/api v0.30.2/go.mod h1:ULg5g9JvOev2dG0u2hig4Z7tQ2hHIuS+m8MNZ+X6EmI= -k8s.io/apiextensions-apiserver v0.30.2 h1:l7Eue2t6QiLHErfn2vwK4KgF4NeDgjQkCXtEbOocKIE= -k8s.io/apiextensions-apiserver v0.30.2/go.mod h1:lsJFLYyK40iguuinsb3nt+Sj6CmodSI4ACDLep1rgjw= -k8s.io/apimachinery v0.30.2 h1:fEMcnBj6qkzzPGSVsAZtQThU62SmQ4ZymlXRC5yFSCg= -k8s.io/apimachinery v0.30.2/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= -k8s.io/apiserver v0.30.2 h1:ACouHiYl1yFI2VFI3YGM+lvxgy6ir4yK2oLOsLI1/tw= -k8s.io/apiserver v0.30.2/go.mod h1:BOTdFBIch9Sv0ypSEcUR6ew/NUFGocRFNl72Ra7wTm8= -k8s.io/client-go v0.30.2 h1:sBIVJdojUNPDU/jObC+18tXWcTJVcwyqS9diGdWHk50= -k8s.io/client-go v0.30.2/go.mod h1:JglKSWULm9xlJLx4KCkfLLQ7XwtlbflV6uFFSHTMgVs= -k8s.io/component-base v0.30.2 h1:pqGBczYoW1sno8q9ObExUqrYSKhtE5rW3y6gX88GZII= -k8s.io/component-base v0.30.2/go.mod h1:yQLkQDrkK8J6NtP+MGJOws+/PPeEXNpwFixsUI7h/OE= -k8s.io/cri-api v0.30.2 h1:4KR5W6ziqfGzKYVmFG9AEOJzxNbCPyZMoeCeIlK9jew= -k8s.io/cri-api v0.30.2/go.mod h1://4/umPJSW1ISNSNng4OwjpkvswJOQwU8rnkvO8P+xg= -k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= -k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f h1:0LQagt0gDpKqvIkAMPaRGcXawNMouPECM1+F9BVxEaM= -k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f/go.mod h1:S9tOR0FxgyusSNR+MboCuiDpVWkAifZvaYI1Q2ubgro= -k8s.io/utils v0.0.0-20240310230437-4693a0247e57 h1:gbqbevonBh57eILzModw6mrkbwM0gQBEuevE/AaBsHY= -k8s.io/utils v0.0.0-20240310230437-4693a0247e57/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/api v0.31.0 h1:b9LiSjR2ym/SzTOlfMHm1tr7/21aD7fSkqgD/CVJBCo= +k8s.io/api v0.31.0/go.mod h1:0YiFF+JfFxMM6+1hQei8FY8M7s1Mth+z/q7eF1aJkTE= +k8s.io/apiextensions-apiserver v0.31.0 h1:fZgCVhGwsclj3qCw1buVXCV6khjRzKC5eCFt24kyLSk= +k8s.io/apiextensions-apiserver v0.31.0/go.mod h1:b9aMDEYaEe5sdK+1T0KU78ApR/5ZVp4i56VacZYEHxk= +k8s.io/apimachinery v0.31.0 h1:m9jOiSr3FoSSL5WO9bjm1n6B9KROYYgNZOb4tyZ1lBc= +k8s.io/apimachinery v0.31.0/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/apiserver v0.31.0 h1:p+2dgJjy+bk+B1Csz+mc2wl5gHwvNkC9QJV+w55LVrY= +k8s.io/apiserver v0.31.0/go.mod h1:KI9ox5Yu902iBnnyMmy7ajonhKnkeZYJhTZ/YI+WEMk= +k8s.io/client-go v0.31.0 h1:QqEJzNjbN2Yv1H79SsS+SWnXkBgVu4Pj3CJQgbx0gI8= +k8s.io/client-go v0.31.0/go.mod h1:Y9wvC76g4fLjmU0BA+rV+h2cncoadjvjjkkIGoTLcGU= +k8s.io/component-base v0.31.0 h1:/KIzGM5EvPNQcYgwq5NwoQBaOlVFrghoVGr8lG6vNRs= +k8s.io/component-base v0.31.0/go.mod h1:TYVuzI1QmN4L5ItVdMSXKvH7/DtvIuas5/mm8YT3rTo= +k8s.io/cri-api v0.31.0 h1:6o0XrhWlc1/zseGCh+aMScdXCg5nT6KCGdyx7HQkSKo= +k8s.io/cri-api v0.31.0/go.mod h1:Po3TMAYH/+KrZabi7QiwQI4a692oZcUOUThd/rqwxrI= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kube-openapi v0.0.0-20240812233141-91dab695df6f h1:bnWtxXWdAl5bVOCEPoNdvMkyj6cTW3zxHuwKIakuV9w= +k8s.io/kube-openapi v0.0.0-20240812233141-91dab695df6f/go.mod h1:G0W3eI9gG219NHRq3h5uQaRBl4pj4ZpwzRP5ti8y770= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/controller-runtime v0.18.4 h1:87+guW1zhvuPLh1PHybKdYFLU0YJp4FhJRmiHvm5BZw= -sigs.k8s.io/controller-runtime v0.18.4/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg= +sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= +sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= diff --git a/main.go b/main.go index deb8682..8ce23a0 100644 --- a/main.go +++ b/main.go @@ -13,6 +13,7 @@ import ( "github.com/kubescape/node-agent/pkg/rulebindingmanager" "github.com/kubescape/node-agent/pkg/watcher/dynamicwatcher" + kssc "github.com/kubescape/storage/pkg/generated/clientset/versioned" _ "net/http/pprof" @@ -104,6 +105,14 @@ func main() { initHttpHandlers(operatorConfig) k8sApi := k8sinterface.NewKubernetesApi() restclient.SetDefaultWarningHandler(restclient.NoWarnings{}) + k8sConfig := k8sApi.K8SConfig + // force GRPC + k8sConfig.AcceptContentTypes = "application/vnd.kubernetes.protobuf" + k8sConfig.ContentType = "application/vnd.kubernetes.protobuf" + ksStorageClient, err := kssc.NewForConfig(k8sConfig) + if err != nil { + logger.L().Ctx(ctx).Fatal(fmt.Sprintf("Unable to initialize the storage client: %v", err)) + } kubernetesCache := objectcache.NewKubernetesCache(k8sApi) @@ -116,7 +125,7 @@ func main() { } // setup main handler - mainHandler := mainhandler.NewMainHandler(operatorConfig, k8sApi) + mainHandler := mainhandler.NewMainHandler(operatorConfig, k8sApi, ksStorageClient) if components.Components.Gateway.Enabled { go func() { // open websocket connection to notification server @@ -168,7 +177,7 @@ func main() { } // Create watchers - dWatcher := dynamicwatcher.NewWatchHandler(k8sApi, operatorConfig.SkipNamespace) + dWatcher := dynamicwatcher.NewWatchHandler(k8sApi, ksStorageClient.SpdxV1beta1(), operatorConfig.SkipNamespace) // create ruleBinding cache ruleBindingCache := rulebindingcachev1.NewCache(k8sApi) diff --git a/mainhandler/handlerequests.go b/mainhandler/handlerequests.go index 00c0564..1613e8e 100644 --- a/mainhandler/handlerequests.go +++ b/mainhandler/handlerequests.go @@ -45,6 +45,7 @@ import ( type MainHandler struct { eventWorkerPool *ants.PoolWithFunc k8sAPI *k8sinterface.KubernetesApi + ksStorageClient kssc.Interface commandResponseChannel *commandResponseChannelData config config.IConfig sendReport bool @@ -79,12 +80,13 @@ func init() { } // CreateWebSocketHandler Create ws-handler obj -func NewMainHandler(config config.IConfig, k8sAPI *k8sinterface.KubernetesApi) *MainHandler { +func NewMainHandler(config config.IConfig, k8sAPI *k8sinterface.KubernetesApi, ksStorageClient kssc.Interface) *MainHandler { commandResponseChannel := make(chan *CommandResponseData, 100) limitedGoRoutinesCommandResponseChannel := make(chan *timerData, 10) mainHandler := &MainHandler{ k8sAPI: k8sAPI, + ksStorageClient: ksStorageClient, commandResponseChannel: &commandResponseChannelData{commandResponseChannel: &commandResponseChannel, limitedGoRoutinesCommandResponseChannel: &limitedGoRoutinesCommandResponseChannel}, config: config, sendReport: config.EventReceiverURL() != "", @@ -146,12 +148,8 @@ func (mainHandler *MainHandler) HandleWatchers(ctx context.Context) { } }() - ksStorageClient, err := kssc.NewForConfig(k8sinterface.GetK8sConfig()) - if err != nil { - logger.L().Ctx(ctx).Fatal(fmt.Sprintf("Unable to initialize the storage client: %v", err)) - } eventQueue := watcher.NewCooldownQueue() - watchHandler := watcher.NewWatchHandler(ctx, mainHandler.config, mainHandler.k8sAPI, ksStorageClient, eventQueue) + watchHandler := watcher.NewWatchHandler(ctx, mainHandler.config, mainHandler.k8sAPI, mainHandler.ksStorageClient, eventQueue) // wait for the kubevuln component to be ready logger.L().Info("Waiting for vuln scan to be ready") @@ -160,7 +158,7 @@ func (mainHandler *MainHandler) HandleWatchers(ctx context.Context) { // start watching go watchHandler.PodWatch(ctx, mainHandler.eventWorkerPool) - go watchHandler.SBOMFilteredWatch(ctx, mainHandler.eventWorkerPool) + go watchHandler.ApplicationProfileWatch(ctx, mainHandler.eventWorkerPool) } func (h *MainHandler) StartContinuousScanning(_ context.Context) error { @@ -229,8 +227,8 @@ func (actionHandler *ActionHandler) runCommand(ctx context.Context, sessionObj * switch c.CommandName { case apis.TypeScanImages: return actionHandler.scanImage(ctx, sessionObj) - case utils.CommandScanFilteredSBOM: - actionHandler.scanFilteredSBOM(ctx, sessionObj) + case utils.CommandScanApplicationProfile: + return actionHandler.scanApplicationProfile(ctx, sessionObj) case apis.TypeRunKubescape, apis.TypeRunKubescapeJob: return actionHandler.kubescapeScan(ctx) case apis.TypeSetKubescapeCronJob: diff --git a/mainhandler/vulnscan.go b/mainhandler/vulnscan.go index 4f06f4f..581587c 100644 --- a/mainhandler/vulnscan.go +++ b/mainhandler/vulnscan.go @@ -339,8 +339,8 @@ func (actionHandler *ActionHandler) scanImage(ctx context.Context, sessionObj *u return nil } -func (actionHandler *ActionHandler) scanFilteredSBOM(ctx context.Context, sessionObj *utils.SessionObj) error { - ctx, span := otel.Tracer("").Start(ctx, "actionHandler.scanFilteredSBOM") +func (actionHandler *ActionHandler) scanApplicationProfile(ctx context.Context, sessionObj *utils.SessionObj) error { + ctx, span := otel.Tracer("").Start(ctx, "actionHandler.scanApplicationProfile") defer span.End() if !actionHandler.config.Components().Kubevuln.Enabled { @@ -352,7 +352,7 @@ func (actionHandler *ActionHandler) scanFilteredSBOM(ctx context.Context, sessio return fmt.Errorf("failed to get container for image %s", actionHandler.command.Args[utils.ArgsContainerData]) } - // scanning a filtered SBOM (SBOM already downloaded) so AuthConfig can be empty + // scanning an application profile so AuthConfig can be empty span.AddEvent("scanning", trace.WithAttributes(attribute.String("wlid", actionHandler.wlid))) cmd := actionHandler.getImageScanCommand(containerData, sessionObj, &ImageScanConfig{}) @@ -390,9 +390,9 @@ func (actionHandler *ActionHandler) getImageScanCommand(containerData *utils.Con cmd.Args[identifiers.AttributeUseHTTP] = true } - // Add instanceID only if container is not empty - if containerData.Slug != "" { - cmd.InstanceID = &containerData.Slug + // Add instanceID only if not empty + if containerData.InstanceID != "" { + cmd.InstanceID = &containerData.InstanceID } if actionHandler.reporter != nil { prepareSessionChain(sessionObj, cmd, actionHandler) diff --git a/utils/types.go b/utils/types.go index 2ee97d4..600c602 100644 --- a/utils/types.go +++ b/utils/types.go @@ -16,6 +16,7 @@ type SessionObj struct { type ContainerData struct { ImageTag string // imageTag (from container.Image) ImageID string // imageID (from containerStatus.ImageID) + InstanceID string // instanceID.GetStringFormatted() ContainerName string // containerName ContainerType string // containerType (init or regular) Slug string // represent the unique identifier of the container diff --git a/utils/utils.go b/utils/utils.go index d38137e..9f1663f 100644 --- a/utils/utils.go +++ b/utils/utils.go @@ -29,7 +29,7 @@ const ArgsPod = "pod" const ArgsContainerData = "containerData" const dockerPullableURN = "docker-pullable://" -const CommandScanFilteredSBOM = "scanFilteredSBOM" +const CommandScanApplicationProfile = "scanApplicationProfile" func MapToString(m map[string]interface{}) []string { s := []string{} @@ -108,6 +108,7 @@ func PodToContainerData(k8sAPI *k8sinterface.KubernetesApi, pod *core1.Pod, inst Wlid: wlid, ContainerType: string(instanceID.GetInstanceType()), ImageTag: imageTag, + InstanceID: instanceID.GetStringFormatted(), }, nil } diff --git a/watcher/applicationprofilewatcher.go b/watcher/applicationprofilewatcher.go new file mode 100644 index 0000000..32727ea --- /dev/null +++ b/watcher/applicationprofilewatcher.go @@ -0,0 +1,253 @@ +package watcher + +import ( + "context" + "fmt" + "slices" + "time" + + instanceidhandlerv1 "github.com/kubescape/k8s-interface/instanceidhandler/v1" + "github.com/kubescape/k8s-interface/instanceidhandler/v1/containerinstance" + spdxv1beta1 "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" + + "github.com/armosec/armoapi-go/apis" + "github.com/kubescape/go-logger" + "github.com/kubescape/go-logger/helpers" + helpersv1 "github.com/kubescape/k8s-interface/instanceidhandler/v1/helpers" + "github.com/kubescape/operator/utils" + "github.com/panjf2000/ants/v2" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/watch" +) + +const retryInterval = 1 * time.Second + +var ( + ErrMissingWLID = fmt.Errorf("missing WLID") + ErrMissingSlug = fmt.Errorf("missing slug") + ErrMissingImageTag = fmt.Errorf("missing image tag") + ErrMissingImageID = fmt.Errorf("missing image ID") + ErrMissingInstanceID = fmt.Errorf("missing instanceID") + ErrMissingContainerName = fmt.Errorf("missing container name") +) + +// ApplicationProfileWatch watches and processes changes on ApplicationProfile resources +func (wh *WatchHandler) ApplicationProfileWatch(ctx context.Context, workerPool *ants.PoolWithFunc) { + inputEvents := make(chan watch.Event) + cmdCh := make(chan *apis.Command) + errorCh := make(chan error) + apEvents := make(<-chan watch.Event) + + // The watcher is considered unavailable by default + apWatcherUnavailable := make(chan struct{}) + go func() { + apWatcherUnavailable <- struct{}{} + }() + + go wh.HandleApplicationProfileEvents(inputEvents, cmdCh, errorCh) + + // notifyWatcherDown notifies the appropriate channel that the watcher + // is down and backs off for the retry interval to not produce + // unnecessary events + notifyWatcherDown := func(watcherDownCh chan<- struct{}) { + go func() { watcherDownCh <- struct{}{} }() + time.Sleep(retryInterval) + } + + var watcher watch.Interface + var err error + for { + select { + case apEvent, ok := <-apEvents: + if ok { + inputEvents <- apEvent + } else { + notifyWatcherDown(apWatcherUnavailable) + } + case cmd, ok := <-cmdCh: + if ok { + utils.AddCommandToChannel(ctx, wh.cfg, cmd, workerPool) + } else { + notifyWatcherDown(apWatcherUnavailable) + } + case err, ok := <-errorCh: + if ok { + logger.L().Ctx(ctx).Error(fmt.Sprintf("error in ApplicationProfileWatch: %v", err.Error())) + } else { + notifyWatcherDown(apWatcherUnavailable) + } + case <-apWatcherUnavailable: + if watcher != nil { + watcher.Stop() + } + + watcher, err = wh.getApplicationProfileWatcher() + if err != nil { + notifyWatcherDown(apWatcherUnavailable) + } else { + apEvents = watcher.ResultChan() + } + } + } + +} + +func (wh *WatchHandler) HandleApplicationProfileEvents(sfEvents <-chan watch.Event, producedCommands chan<- *apis.Command, errorCh chan<- error) { + defer close(errorCh) + + for e := range sfEvents { + obj, ok := e.Object.(*spdxv1beta1.ApplicationProfile) + if !ok { + errorCh <- ErrUnsupportedObject + continue + } + + switch e.Type { + case watch.Added: + // + case watch.Modified: + // + case watch.Deleted: + continue + case watch.Bookmark: + continue + } + + if skipAP(obj.ObjectMeta.Annotations) { + continue + } + + // FIXME move this to kubevuln and only send the AP name and namespace + fullAP, err := wh.getApplicationProfile(obj.Namespace, obj.Name) + if err != nil { + logger.L().Error("failed to get full application profile", helpers.String("name", obj.ObjectMeta.Name), helpers.String("namespace", obj.ObjectMeta.Namespace), helpers.Error(err)) + errorCh <- err + continue + } + + // loop through all containers in the application profile + processContainers := func(containers []spdxv1beta1.ApplicationProfileContainer, containerType string) { + for _, container := range containers { + // create container data + containerData, err := getContainerData(fullAP, container, containerType) + if err != nil { + logger.L().Error("failed to get container data from application profile", + helpers.String("name", fullAP.ObjectMeta.Name), + helpers.String("namespace", fullAP.ObjectMeta.Namespace), + helpers.String("container", container.Name), + helpers.Error(err)) + errorCh <- err + continue + } + // update caches + if imageID, ok := wh.SlugToImageID.Load(containerData.Slug); !ok { + wh.SlugToImageID.Set(containerData.Slug, containerData.ImageID) + wh.WlidAndImageID.Add(getWlidAndImageID(containerData)) + } else { + if imageID != containerData.ImageID { + wh.SlugToImageID.Set(containerData.Slug, containerData.ImageID) + wh.WlidAndImageID.Add(getWlidAndImageID(containerData)) + } + } + // create command + cmd := &apis.Command{ + Wlid: containerData.Wlid, + CommandName: utils.CommandScanApplicationProfile, + Args: map[string]interface{}{ + utils.ArgsContainerData: containerData, + }, + } + // send command + logger.L().Info("scanning application profile container", helpers.String("wlid", cmd.Wlid), helpers.String("slug", containerData.Slug), helpers.String("containerName", containerData.ContainerName), helpers.String("imageTag", containerData.ImageTag), helpers.String("imageID", containerData.ImageID)) + producedCommands <- cmd + } + } + processContainers(fullAP.Spec.InitContainers, instanceidhandlerv1.InitContainer) + processContainers(fullAP.Spec.Containers, instanceidhandlerv1.Container) + processContainers(fullAP.Spec.EphemeralContainers, instanceidhandlerv1.EphemeralContainer) + } +} + +func getContainerData(obj *spdxv1beta1.ApplicationProfile, container spdxv1beta1.ApplicationProfileContainer, containerType string) (*utils.ContainerData, error) { + // get instance ID string from annotations + instanceIDString, ok := obj.Annotations[helpersv1.InstanceIDMetadataKey] + if !ok { + return nil, fmt.Errorf("missing instance ID in annotations") + } + // generate instance ID + instanceID, err := instanceidhandlerv1.GenerateInstanceIDFromString(instanceIDString) + if err != nil { + return nil, fmt.Errorf("failed to generate instance ID: %w", err) + } + // add container name and type to instance ID + instanceID.(*containerinstance.InstanceID).ContainerName = container.Name + instanceID.(*containerinstance.InstanceID).InstanceType = containerType + // generate slug + slug, err := instanceID.GetSlug(false) + if err != nil { + return nil, fmt.Errorf("failed to generate slug: %w", err) + } + // create container data + containerData := &utils.ContainerData{ + ImageTag: container.ImageTag, + ImageID: container.ImageID, + InstanceID: instanceID.GetStringFormatted(), + ContainerName: container.Name, + ContainerType: containerType, + Slug: slug, + Wlid: obj.Annotations[helpersv1.WlidMetadataKey], + } + // validate container data + if err := validateContainerDataApplicationProfiles(containerData); err != nil { + return nil, fmt.Errorf("failed to validate container data: %w", err) + } + return containerData, nil +} + +func skipAP(annotations map[string]string) bool { + ann := []string{ + "", // empty string for backward compatibility + helpersv1.Ready, + helpersv1.Completed, + } + + if len(annotations) == 0 { + return true // skip + } + + if status, ok := annotations[helpersv1.StatusMetadataKey]; ok { + return !slices.Contains(ann, status) + } + return false // do not skip +} + +func (wh *WatchHandler) getApplicationProfile(namespace, name string) (*spdxv1beta1.ApplicationProfile, error) { + return wh.storageClient.SpdxV1beta1().ApplicationProfiles(namespace).Get(context.Background(), name, v1.GetOptions{}) +} + +func (wh *WatchHandler) getApplicationProfileWatcher() (watch.Interface, error) { + // no need to support ExcludeNamespaces and IncludeNamespaces since node-agent will respect them as well + return wh.storageClient.SpdxV1beta1().ApplicationProfiles("").Watch(context.Background(), v1.ListOptions{}) +} + +func validateContainerDataApplicationProfiles(containerData *utils.ContainerData) error { + if containerData.ContainerName == "" { + return ErrMissingContainerName + } + if containerData.ImageID == "" { + return ErrMissingImageID + } + if containerData.Slug == "" { + return ErrMissingSlug + } + if containerData.Wlid == "" { + return ErrMissingWLID + } + if containerData.ImageTag == "" { + return ErrMissingImageTag + } + if containerData.InstanceID == "" { + return ErrMissingInstanceID + } + return nil +} diff --git a/watcher/filteredsbomwatcher_test.go b/watcher/applicationprofilewatcher_test.go similarity index 52% rename from watcher/filteredsbomwatcher_test.go rename to watcher/applicationprofilewatcher_test.go index 84c9ddd..aa63003 100644 --- a/watcher/filteredsbomwatcher_test.go +++ b/watcher/applicationprofilewatcher_test.go @@ -3,6 +3,7 @@ package watcher import ( "context" _ "embed" + "errors" "testing" "github.com/armosec/armoapi-go/apis" @@ -66,7 +67,7 @@ func TestNewWatchHandlerProducesValidResult(t *testing.T) { } } -func TestHandleSBOMFilteredEvents(t *testing.T) { +func TestHandleApplicationProfileEvents(t *testing.T) { tt := []struct { name string inputEvents []watch.Event @@ -77,48 +78,61 @@ func TestHandleSBOMFilteredEvents(t *testing.T) { expectedWlidAndImageIDMap []string }{ { - name: "Adding a new Filtered SBOM should produce a matching scan command", + name: "Adding a new application profile should produce a matching scan command", inputEvents: []watch.Event{ { Type: watch.Added, - Object: &spdxv1beta1.SBOMSyftFiltered{ + Object: &spdxv1beta1.ApplicationProfile{ ObjectMeta: v1.ObjectMeta{ - Name: "replicaset-nginx-6ccd565b7d-nginx-49d3-1861", + Name: "replicaset-nginx-6ccd565b7d", Annotations: map[string]string{ - helpersv1.InstanceIDMetadataKey: "apiVersion-apps/v1/namespace-systest-ns-rarz/kind-ReplicaSet/name-nginx-6ccd565b7d/containerName-nginx", - helpersv1.WlidMetadataKey: "wlid://cluster-gke_armo-test-clusters_us-central1-c_dwertent-syft/namespace-systest-ns-rarz/deployment-nginx", - helpersv1.ImageIDMetadataKey: "docker.io/library/nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2", - helpersv1.ImageTagMetadataKey: "nginx:1.14.0", - helpersv1.ContainerNameMetadataKey: "nginx", + helpersv1.InstanceIDMetadataKey: "apiVersion-apps/v1/namespace-systest-ns-rarz/kind-ReplicaSet/name-nginx-6ccd565b7d", + helpersv1.WlidMetadataKey: "wlid://cluster-gke_armo-test-clusters_us-central1-c_dwertent-syft/namespace-systest-ns-rarz/deployment-nginx", + helpersv1.CompletionMetadataKey: helpersv1.Complete, + helpersv1.StatusMetadataKey: helpersv1.Ready, }, }, + Spec: spdxv1beta1.ApplicationProfileSpec{ + Containers: []spdxv1beta1.ApplicationProfileContainer{{ + Name: "nginx", + ImageID: "docker.io/library/nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2", + ImageTag: "nginx:1.14.0", + }}, + }, }, }, { Type: watch.Modified, - Object: &spdxv1beta1.SBOMSyftFiltered{ + Object: &spdxv1beta1.ApplicationProfile{ ObjectMeta: v1.ObjectMeta{ - Name: "replicaset-nginx-6ccd565b7d-nginx-e4ff-657a", + Name: "replicaset-nginx-7584b6f84c", Annotations: map[string]string{ - helpersv1.InstanceIDMetadataKey: "apiVersion-apps/v1/namespace-systest-ns-rarz/kind-ReplicaSet/name-nginx-6ccd565b7d/initContainerName-nginx", - helpersv1.WlidMetadataKey: "wlid://cluster-gke_armo-test-clusters_us-central1-c_dwertent-syft/namespace-systest-ns-rarz/deployment-nginx", - helpersv1.ImageIDMetadataKey: "docker.io/library/nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2", - helpersv1.ImageTagMetadataKey: "nginx:1.14.0", - helpersv1.ContainerNameMetadataKey: "nginx", + helpersv1.InstanceIDMetadataKey: "apiVersion-apps/v1/namespace-systest-ns-rarz/kind-ReplicaSet/name-nginx-7584b6f84c", + helpersv1.WlidMetadataKey: "wlid://cluster-gke_armo-test-clusters_us-central1-c_dwertent-syft/namespace-systest-ns-rarz/deployment-nginx", + helpersv1.CompletionMetadataKey: helpersv1.Complete, + helpersv1.StatusMetadataKey: helpersv1.Ready, }, }, + Spec: spdxv1beta1.ApplicationProfileSpec{ + InitContainers: []spdxv1beta1.ApplicationProfileContainer{{ + Name: "nginx", + ImageID: "docker.io/library/nginx@sha256:04ba374043ccd2fc5c593885c0eacddebabd5ca375f9323666f28dfd5a9710e3", + ImageTag: "nginx:latest", + }}, + }, }, }, }, expectedCommands: []*apis.Command{ { - CommandName: utils.CommandScanFilteredSBOM, + CommandName: utils.CommandScanApplicationProfile, Wlid: "wlid://cluster-gke_armo-test-clusters_us-central1-c_dwertent-syft/namespace-systest-ns-rarz/deployment-nginx", Args: map[string]interface{}{ utils.ArgsContainerData: &utils.ContainerData{ Slug: "replicaset-nginx-6ccd565b7d-nginx-49d3-1861", ImageID: "docker.io/library/nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2", ImageTag: "nginx:1.14.0", + InstanceID: "apiVersion-apps/v1/namespace-systest-ns-rarz/kind-ReplicaSet/name-nginx-6ccd565b7d/containerName-nginx", ContainerName: "nginx", ContainerType: "container", Wlid: "wlid://cluster-gke_armo-test-clusters_us-central1-c_dwertent-syft/namespace-systest-ns-rarz/deployment-nginx", @@ -126,13 +140,14 @@ func TestHandleSBOMFilteredEvents(t *testing.T) { }, }, { - CommandName: utils.CommandScanFilteredSBOM, + CommandName: utils.CommandScanApplicationProfile, Wlid: "wlid://cluster-gke_armo-test-clusters_us-central1-c_dwertent-syft/namespace-systest-ns-rarz/deployment-nginx", Args: map[string]interface{}{ utils.ArgsContainerData: &utils.ContainerData{ - Slug: "replicaset-nginx-6ccd565b7d-nginx-e4ff-657a", - ImageID: "docker.io/library/nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2", - ImageTag: "nginx:1.14.0", + Slug: "replicaset-nginx-7584b6f84c-nginx-d01e-79cc", + ImageID: "docker.io/library/nginx@sha256:04ba374043ccd2fc5c593885c0eacddebabd5ca375f9323666f28dfd5a9710e3", + ImageTag: "nginx:latest", + InstanceID: "apiVersion-apps/v1/namespace-systest-ns-rarz/kind-ReplicaSet/name-nginx-7584b6f84c/initContainerName-nginx", ContainerName: "nginx", ContainerType: "initContainer", Wlid: "wlid://cluster-gke_armo-test-clusters_us-central1-c_dwertent-syft/namespace-systest-ns-rarz/deployment-nginx", @@ -141,15 +156,16 @@ func TestHandleSBOMFilteredEvents(t *testing.T) { }, }, expectedObjectNames: []string{ - "replicaset-nginx-6ccd565b7d-nginx-49d3-1861", - "replicaset-nginx-6ccd565b7d-nginx-e4ff-657a", + "replicaset-nginx-6ccd565b7d", + "replicaset-nginx-7584b6f84c", }, expectedSlugToImageIDMap: map[string]string{ "replicaset-nginx-6ccd565b7d-nginx-49d3-1861": "docker.io/library/nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2", - "replicaset-nginx-6ccd565b7d-nginx-e4ff-657a": "docker.io/library/nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2", + "replicaset-nginx-7584b6f84c-nginx-d01e-79cc": "docker.io/library/nginx@sha256:04ba374043ccd2fc5c593885c0eacddebabd5ca375f9323666f28dfd5a9710e3", }, expectedWlidAndImageIDMap: []string{ - "wlid://cluster-gke_armo-test-clusters_us-central1-c_dwertent-syft/namespace-systest-ns-rarz/deployment-nginx" + "nginx" + "docker.io/library/nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2", + "wlid://cluster-gke_armo-test-clusters_us-central1-c_dwertent-syft/namespace-systest-ns-rarz/deployment-nginxnginxdocker.io/library/nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2", + "wlid://cluster-gke_armo-test-clusters_us-central1-c_dwertent-syft/namespace-systest-ns-rarz/deployment-nginxnginxdocker.io/library/nginx@sha256:04ba374043ccd2fc5c593885c0eacddebabd5ca375f9323666f28dfd5a9710e3", }, expectedErrors: []error{}, }, @@ -158,22 +174,28 @@ func TestHandleSBOMFilteredEvents(t *testing.T) { inputEvents: []watch.Event{ { Type: watch.Added, - Object: &spdxv1beta1.SBOMSyftFiltered{ + Object: &spdxv1beta1.ApplicationProfile{ ObjectMeta: v1.ObjectMeta{ - Name: "replicaset-nginx-6ccd565b7d-nginx-49d3-1861", + Name: "replicaset-nginx-6ccd565b7d", Annotations: map[string]string{ - helpersv1.InstanceIDMetadataKey: "apiVersion-apps/v1/namespace-systest-ns-rarz/kind-ReplicaSet/name-nginx-6ccd565b7d/containerName-nginx", - helpersv1.WlidMetadataKey: "wlid://cluster-gke_armo-test-clusters_us-central1-c_dwertent-syft/namespace-systest-ns-rarz/deployment-nginx", - helpersv1.ImageIDMetadataKey: "docker.io/library/nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2", - helpersv1.ImageTagMetadataKey: "", // missing image tag - helpersv1.ContainerNameMetadataKey: "nginx", + helpersv1.InstanceIDMetadataKey: "apiVersion-apps/v1/namespace-systest-ns-rarz/kind-ReplicaSet/name-nginx-6ccd565b7d", + helpersv1.WlidMetadataKey: "wlid://cluster-gke_armo-test-clusters_us-central1-c_dwertent-syft/namespace-systest-ns-rarz/deployment-nginx", + helpersv1.CompletionMetadataKey: helpersv1.Complete, + helpersv1.StatusMetadataKey: helpersv1.Ready, }, }, + Spec: spdxv1beta1.ApplicationProfileSpec{ + Containers: []spdxv1beta1.ApplicationProfileContainer{{ + Name: "nginx", + ImageID: "docker.io/library/nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2", + ImageTag: "", // missing image tag + }}, + }, }, }, }, expectedCommands: []*apis.Command{}, - expectedObjectNames: []string{"replicaset-nginx-6ccd565b7d-nginx-49d3-1861"}, + expectedObjectNames: []string{"replicaset-nginx-6ccd565b7d"}, expectedSlugToImageIDMap: map[string]string{}, expectedWlidAndImageIDMap: []string{}, expectedErrors: []error{ @@ -185,7 +207,7 @@ func TestHandleSBOMFilteredEvents(t *testing.T) { inputEvents: []watch.Event{ { Type: watch.Deleted, - Object: &spdxv1beta1.SBOMSyftFiltered{}, + Object: &spdxv1beta1.ApplicationProfile{}, }, }, expectedCommands: []*apis.Command{}, @@ -210,7 +232,7 @@ func TestHandleSBOMFilteredEvents(t *testing.T) { assert.NoError(t, err) operatorConfig := config.NewOperatorConfig(config.CapabilitiesConfig{}, clusterConfig, &beUtils.Credentials{}, "", cfg) - k8sClient := k8sfake.NewSimpleClientset() + k8sClient := k8sfake.NewClientset() k8sAPI := utils.NewK8sInterfaceFake(k8sClient) storageClient := kssfake.NewSimpleClientset(startingObjects...) @@ -220,7 +242,7 @@ func TestHandleSBOMFilteredEvents(t *testing.T) { wh := NewWatchHandler(ctx, operatorConfig, k8sAPI, storageClient, nil) - go wh.HandleSBOMFilteredEvents(inputEvents, cmdCh, errorCh) + go wh.HandleApplicationProfileEvents(inputEvents, cmdCh, errorCh) go func() { for _, e := range tc.inputEvents { @@ -250,7 +272,7 @@ func TestHandleSBOMFilteredEvents(t *testing.T) { } } - actualObjects, _ := storageClient.SpdxV1beta1().SBOMSyftFiltereds("").List(ctx, v1.ListOptions{}) + actualObjects, _ := storageClient.SpdxV1beta1().ApplicationProfiles("").List(ctx, v1.ListOptions{}) actualObjectNames := []string{} for _, obj := range actualObjects.Items { @@ -270,143 +292,17 @@ func TestHandleSBOMFilteredEvents(t *testing.T) { } assert.Equal(t, tc.expectedObjectNames, actualObjectNames, "Objects in the storage don’t match") - assert.Equal(t, tc.expectedErrors, actualErrors, "Errors don’t match") + assert.Equal(t, len(tc.expectedErrors), len(actualErrors), "Errors don’t match") + for i := range actualErrors { + assert.True(t, errors.Is(actualErrors[i], tc.expectedErrors[i]), "Errors don’t match") + } assert.Equal(t, tc.expectedCommands, actualCommands, "Commands don’t match") }) } } -func TestGetContainerDataFilteredSBOM(t *testing.T) { - tests := []struct { - obj *spdxv1beta1.SBOMSyftFiltered - want *utils.ContainerData - name string - wantErr bool - }{ - { - name: "valid SBOMSyftFiltered object", - obj: &spdxv1beta1.SBOMSyftFiltered{ - ObjectMeta: v1.ObjectMeta{ - Annotations: map[string]string{ - helpersv1.InstanceIDMetadataKey: "apiVersion-apps/v1/namespace-systest-ns-rarz/kind-ReplicaSet/name-nginx-6ccd565b7d/containerName-nginx", - helpersv1.WlidMetadataKey: "wlid://cluster-gke_armo-test-clusters_us-central1-c_dwertent-syft/namespace-systest-ns-rarz/deployment-nginx", - helpersv1.ImageIDMetadataKey: "docker.io/library/nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2", - helpersv1.ImageTagMetadataKey: "nginx:1.14.1", - helpersv1.ContainerNameMetadataKey: "nginx", - }, - }, - }, - want: &utils.ContainerData{ - Slug: "replicaset-nginx-6ccd565b7d-nginx-49d3-1861", - Wlid: "wlid://cluster-gke_armo-test-clusters_us-central1-c_dwertent-syft/namespace-systest-ns-rarz/deployment-nginx", - ContainerName: "nginx", - ContainerType: "container", - ImageID: "docker.io/library/nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2", - ImageTag: "nginx:1.14.1", - }, - wantErr: false, - }, - { - name: "invalid SBOMSyftFiltered object - missing instanceID", - obj: &spdxv1beta1.SBOMSyftFiltered{ - ObjectMeta: v1.ObjectMeta{ - Annotations: map[string]string{ - helpersv1.InstanceIDMetadataKey: "", - helpersv1.WlidMetadataKey: "wlid://cluster-gke_armo-test-clusters_us-central1-c_dwertent-syft/namespace-systest-ns-rarz/deployment-nginx", - helpersv1.ImageIDMetadataKey: "docker.io/library/nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2", - helpersv1.ImageTagMetadataKey: "nginx:1.14.1", - helpersv1.ContainerNameMetadataKey: "nginx", - }, - }, - }, - want: nil, - wantErr: true, - }, - { - name: "invalid SBOMSyftFiltered object - missing other fields", - obj: &spdxv1beta1.SBOMSyftFiltered{ - ObjectMeta: v1.ObjectMeta{ - Annotations: map[string]string{ - helpersv1.InstanceIDMetadataKey: "apiVersion-apps/v1/namespace-systest-ns-rarz/kind-ReplicaSet/name-nginx-6ccd565b7d/containerName-nginx", - helpersv1.WlidMetadataKey: "", - helpersv1.ImageIDMetadataKey: "docker.io/library/nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2", - helpersv1.ImageTagMetadataKey: "nginx:1.14.1", - helpersv1.ContainerNameMetadataKey: "nginx", - }, - }, - }, - want: nil, - wantErr: true, - }, - } - - wh := &WatchHandler{} - - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - got, err := wh.getContainerDataFilteredSBOM(tt.obj) - assert.Equal(t, tt.want, got) - assert.Equal(t, tt.wantErr, err != nil) - }) - } -} -func TestAnnotationsToContainerData(t *testing.T) { - tests := []struct { - annotations map[string]string - wantData *utils.ContainerData - name string - wantErr bool - }{ - { - name: "valid annotations", - annotations: map[string]string{ - helpersv1.InstanceIDMetadataKey: "apiVersion-apps/v1/namespace-systest-ns-rarz/kind-ReplicaSet/name-nginx-6ccd565b7d/containerName-nginx", - helpersv1.WlidMetadataKey: "wlid://cluster-gke_armo-test-clusters_us-central1-c_dwertent-syft/namespace-systest-ns-rarz/deployment-nginx", - helpersv1.ImageIDMetadataKey: "docker.io/library/nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2", - helpersv1.ImageTagMetadataKey: "nginx:1.14.1", - }, - wantData: &utils.ContainerData{ - Slug: "replicaset-nginx-6ccd565b7d-nginx-49d3-1861", - Wlid: "wlid://cluster-gke_armo-test-clusters_us-central1-c_dwertent-syft/namespace-systest-ns-rarz/deployment-nginx", - ContainerName: "nginx", - ContainerType: "container", - ImageID: "docker.io/library/nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2", - ImageTag: "nginx:1.14.1", - }, - wantErr: false, - }, - { - name: "missing instance ID annotation", - annotations: map[string]string{ - helpersv1.WlidMetadataKey: "wlid://cluster-gke_armo-test-clusters_us-central1-c_dwertent-syft/namespace-systest-ns-rarz/deployment-nginx", - helpersv1.ImageIDMetadataKey: "docker.io/library/nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2", - helpersv1.ImageTagMetadataKey: "nginx:1.14.1", - }, - wantData: &utils.ContainerData{}, - wantErr: true, - }, - { - name: "invalid instance ID annotation", - annotations: map[string]string{ - helpersv1.InstanceIDMetadataKey: "invalidInstanceID", - helpersv1.WlidMetadataKey: "wlid://cluster-gke_armo-test-clusters_us-central1-c_dwertent-syft/namespace-systest-ns-rarz/deployment-nginx", - helpersv1.ImageIDMetadataKey: "docker.io/library/nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2", - helpersv1.ImageTagMetadataKey: "nginx:1.14.1", - }, - wantData: &utils.ContainerData{}, - wantErr: true, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - gotData, gotErr := annotationsToContainerData(tt.annotations) - assert.Equal(t, tt.wantData, gotData) - assert.Equal(t, tt.wantErr, gotErr != nil) - }) - } -} -func TestSkipSBOM(t *testing.T) { +func TestSkipAP(t *testing.T) { tests := []struct { annotations map[string]string name string @@ -449,12 +345,13 @@ func TestSkipSBOM(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - gotSkip := skipSBOM(tt.annotations) + gotSkip := skipAP(tt.annotations) assert.Equal(t, tt.wantSkip, gotSkip) }) } } -func TestValidateContainerDataFilteredSBOM(t *testing.T) { + +func TestValidateContainerDataApplicationProfile(t *testing.T) { tests := []struct { wantErr error containerData *utils.ContainerData @@ -463,10 +360,11 @@ func TestValidateContainerDataFilteredSBOM(t *testing.T) { { name: "missing ContainerName", containerData: &utils.ContainerData{ - ImageID: "imageID", - Slug: "slug", - Wlid: "wlid", - ImageTag: "imageTag", + ImageID: "imageID", + Slug: "slug", + InstanceID: "TODO", + Wlid: "wlid", + ImageTag: "imageTag", }, wantErr: ErrMissingContainerName, }, @@ -475,6 +373,7 @@ func TestValidateContainerDataFilteredSBOM(t *testing.T) { containerData: &utils.ContainerData{ ContainerName: "containerName", Slug: "slug", + InstanceID: "TODO", Wlid: "wlid", ImageTag: "imageTag", }, @@ -484,18 +383,31 @@ func TestValidateContainerDataFilteredSBOM(t *testing.T) { name: "missing Slug", containerData: &utils.ContainerData{ ContainerName: "containerName", + InstanceID: "TODO", ImageID: "imageID", Wlid: "wlid", ImageTag: "imageTag", }, wantErr: ErrMissingSlug, }, + { + name: "missing InstanceID", + containerData: &utils.ContainerData{ + ContainerName: "containerName", + Slug: "slug", + ImageID: "imageID", + Wlid: "wlid", + ImageTag: "imageTag", + }, + wantErr: ErrMissingInstanceID, + }, { name: "missing WLID", containerData: &utils.ContainerData{ ContainerName: "containerName", ImageID: "imageID", Slug: "slug", + InstanceID: "TODO", ImageTag: "imageTag", }, wantErr: ErrMissingWLID, @@ -506,6 +418,7 @@ func TestValidateContainerDataFilteredSBOM(t *testing.T) { ContainerName: "containerName", ImageID: "imageID", Slug: "slug", + InstanceID: "TODO", Wlid: "wlid", }, wantErr: ErrMissingImageTag, @@ -516,6 +429,7 @@ func TestValidateContainerDataFilteredSBOM(t *testing.T) { ContainerName: "containerName", ImageID: "imageID", Slug: "slug", + InstanceID: "TODO", Wlid: "wlid", ImageTag: "imageTag", }, @@ -525,7 +439,7 @@ func TestValidateContainerDataFilteredSBOM(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - err := validateContainerDataFilteredSBOM(tt.containerData) + err := validateContainerDataApplicationProfiles(tt.containerData) assert.Equal(t, tt.wantErr, err) }) } diff --git a/watcher/filteredsbomwatcher.go b/watcher/filteredsbomwatcher.go deleted file mode 100644 index 2f1097e..0000000 --- a/watcher/filteredsbomwatcher.go +++ /dev/null @@ -1,232 +0,0 @@ -package watcher - -import ( - "context" - "fmt" - "slices" - "time" - - instanceidhandlerv1 "github.com/kubescape/k8s-interface/instanceidhandler/v1" - spdxv1beta1 "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" - - "github.com/armosec/armoapi-go/apis" - "github.com/kubescape/go-logger" - "github.com/kubescape/go-logger/helpers" - helpersv1 "github.com/kubescape/k8s-interface/instanceidhandler/v1/helpers" - "github.com/kubescape/operator/utils" - "github.com/panjf2000/ants/v2" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/watch" -) - -const retryInterval = 1 * time.Second - -var ( - ErrMissingWLID = fmt.Errorf("missing WLID") - ErrMissingSlug = fmt.Errorf("missing slug") - ErrMissingImageTag = fmt.Errorf("missing image ID") - ErrMissingImageID = fmt.Errorf("missing image tag") - ErrMissingContainerName = fmt.Errorf("missing container name") -) - -// SBOMFilteredWatch watches and processes changes on Filtered SBOMs -func (wh *WatchHandler) SBOMFilteredWatch(ctx context.Context, workerPool *ants.PoolWithFunc) { - inputEvents := make(chan watch.Event) - cmdCh := make(chan *apis.Command) - errorCh := make(chan error) - sbomEvents := make(<-chan watch.Event) - - // The watcher is considered unavailable by default - sbomWatcherUnavailable := make(chan struct{}) - go func() { - sbomWatcherUnavailable <- struct{}{} - }() - - go wh.HandleSBOMFilteredEvents(inputEvents, cmdCh, errorCh) - - // notifyWatcherDown notifies the appropriate channel that the watcher - // is down and backs off for the retry interval to not produce - // unnecessary events - notifyWatcherDown := func(watcherDownCh chan<- struct{}) { - go func() { watcherDownCh <- struct{}{} }() - time.Sleep(retryInterval) - } - - var watcher watch.Interface - var err error - for { - select { - case sbomEvent, ok := <-sbomEvents: - if ok { - inputEvents <- sbomEvent - } else { - notifyWatcherDown(sbomWatcherUnavailable) - } - case cmd, ok := <-cmdCh: - if ok { - utils.AddCommandToChannel(ctx, wh.cfg, cmd, workerPool) - } else { - notifyWatcherDown(sbomWatcherUnavailable) - } - case err, ok := <-errorCh: - if ok { - logger.L().Ctx(ctx).Error(fmt.Sprintf("error in SBOMFilteredWatch: %v", err.Error())) - } else { - notifyWatcherDown(sbomWatcherUnavailable) - } - case <-sbomWatcherUnavailable: - if watcher != nil { - watcher.Stop() - } - - watcher, err = wh.getSBOMFilteredWatcher() - if err != nil { - notifyWatcherDown(sbomWatcherUnavailable) - } else { - sbomEvents = watcher.ResultChan() - } - } - } - -} - -func (wh *WatchHandler) HandleSBOMFilteredEvents(sfEvents <-chan watch.Event, producedCommands chan<- *apis.Command, errorCh chan<- error) { - defer close(errorCh) - - for e := range sfEvents { - obj, ok := e.Object.(*spdxv1beta1.SBOMSyftFiltered) - if !ok { - errorCh <- ErrUnsupportedObject - continue - } - - switch e.Type { - case watch.Added: - // - case watch.Modified: - // - case watch.Deleted: - continue - case watch.Bookmark: - continue - } - - if skipSBOM(obj.ObjectMeta.Annotations) { - continue - } - - containerData, err := wh.getContainerDataFilteredSBOM(obj) - if err != nil { - logger.L().Error("failed to get container data from filtered SBOM", - helpers.String("name", obj.ObjectMeta.Name), - helpers.String("namespace", obj.ObjectMeta.Namespace), - helpers.Interface("annotations", obj.ObjectMeta.Annotations), - helpers.Error(err)) - errorCh <- err - continue - } - - if imageID, ok := wh.SlugToImageID.Load(containerData.Slug); !ok { - wh.SlugToImageID.Set(containerData.Slug, containerData.ImageID) - wh.WlidAndImageID.Add(getWlidAndImageID(containerData)) - } else { - if imageID != containerData.ImageID { - wh.SlugToImageID.Set(containerData.Slug, containerData.ImageID) - wh.WlidAndImageID.Add(getWlidAndImageID(containerData)) - } - } - - cmd := &apis.Command{ - Wlid: containerData.Wlid, - CommandName: utils.CommandScanFilteredSBOM, - Args: map[string]interface{}{ - utils.ArgsContainerData: containerData, - }, - } - // send - logger.L().Info("scanning filtered SBOM", helpers.String("wlid", cmd.Wlid), helpers.String("slug", containerData.Slug), helpers.String("containerName", containerData.ContainerName), helpers.String("imageTag", containerData.ImageTag), helpers.String("imageID", containerData.ImageID)) - producedCommands <- cmd - } -} - -func (wh *WatchHandler) getContainerDataFilteredSBOM(obj *spdxv1beta1.SBOMSyftFiltered) (*utils.ContainerData, error) { - - containerData, err := annotationsToContainerData(obj.GetAnnotations()) - if err != nil { - return nil, err - } - - if err := validateContainerDataFilteredSBOM(containerData); err != nil { - return nil, err - } - return containerData, nil -} - -func annotationsToContainerData(annotations map[string]string) (*utils.ContainerData, error) { - containerData := &utils.ContainerData{} - rawInstanceID, ok := annotations[helpersv1.InstanceIDMetadataKey] - if !ok { - return containerData, fmt.Errorf("missing instance ID annotation") - } - - instanceID, err := instanceidhandlerv1.GenerateInstanceIDFromString(rawInstanceID) - if err != nil { - return containerData, err - } - - slug, err := instanceID.GetSlug(false) - if err != nil { - return containerData, err - } - containerData.Slug = slug - containerData.Wlid = annotations[helpersv1.WlidMetadataKey] - containerData.ContainerName = instanceID.GetContainerName() - containerData.ContainerType = string(instanceID.GetInstanceType()) - - // FIXME: use the annotations after adding imageID and imageTag to the filtered SBOM - containerData.ImageID = annotations[helpersv1.ImageIDMetadataKey] - containerData.ImageTag = annotations[helpersv1.ImageTagMetadataKey] - - return containerData, nil -} - -func skipSBOM(annotations map[string]string) bool { - ann := []string{ - "", // empty string for backward compatibility - helpersv1.Ready, - helpersv1.Completed, - } - - if len(annotations) == 0 { - return true // skip - } - - if status, ok := annotations[helpersv1.StatusMetadataKey]; ok { - return !slices.Contains(ann, status) - } - return false // do not skip -} - -func (wh *WatchHandler) getSBOMFilteredWatcher() (watch.Interface, error) { - // no need to support ExcludeNamespaces and IncludeNamespaces since node-agent will respect them as well - return wh.storageClient.SpdxV1beta1().SBOMSyftFiltereds("").Watch(context.Background(), v1.ListOptions{}) -} - -func validateContainerDataFilteredSBOM(containerData *utils.ContainerData) error { - if containerData.ContainerName == "" { - return ErrMissingContainerName - } - if containerData.ImageID == "" { - return ErrMissingImageID - } - if containerData.Slug == "" { - return ErrMissingSlug - } - if containerData.Wlid == "" { - return ErrMissingWLID - } - if containerData.ImageTag == "" { - return ErrMissingImageTag - } - return nil -}