Adding workloadNamespace field

Signed-off-by: jnathangreeg <[email protected]>
kubescape · Aug 15, 2024 · ee60a6d · ee60a6d
1 parent d8d19ea
commit ee60a6d
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 13 deletions.
diff --git a/admission/rules/v1/helpers.go b/admission/rules/v1/helpers.go
@@ -10,21 +10,21 @@ import (
 	"k8s.io/client-go/kubernetes"
 )
 
-func GetParentWorkloadAndKind(event admission.Attributes, clientset kubernetes.Interface) (string, string, error) {
+func GetParentWorkloadDetails(event admission.Attributes, clientset kubernetes.Interface) (string, string, string, error) {
 	podName, namespace := event.GetName(), event.GetNamespace()
 
 	if podName == "" || namespace == "" {
-		return "", "", fmt.Errorf("invalid pod details from admission event")
+		return "", "", "", fmt.Errorf("invalid pod details from admission event")
 	}
 
 	pod, err := GetPodDetails(clientset, podName, namespace)
 	if err != nil {
-		return "", "", fmt.Errorf("failed to get pod details: %v", err)
+		return "", "", "", fmt.Errorf("failed to get pod details: %v", err)
 	}
 
-	workloadKind, parentWorkload := ExtractPodInformation(pod)
+	workloadKind, workloadName, workloadNamespace := ExtractPodInformation(pod)
 
-	return workloadKind, parentWorkload, nil
+	return workloadKind, workloadName, workloadNamespace, nil
 }
 
 func GetPodDetails(clientset kubernetes.Interface, podName, namespace string) (*v1.Pod, error) {
@@ -50,17 +50,18 @@ func GetNodeName(event admission.Attributes, clientset kubernetes.Interface) (st
 	return pod.Spec.NodeName, nil
 }
 
-func ExtractPodInformation(pod *v1.Pod) (string, string) {
-	workloadKind := ""
-	parentWorkload := ""
+func ExtractPodInformation(pod *v1.Pod) (string, string, string) {
+	var workloadKind, workloadName, workloadNamespace string
 
 	for _, ownerRef := range pod.OwnerReferences {
+		// Consider common workload controllers
 		if ownerRef.Kind == "ReplicaSet" || ownerRef.Kind == "StatefulSet" || ownerRef.Kind == "DaemonSet" || ownerRef.Kind == "Job" {
 			workloadKind = ownerRef.Kind
-			parentWorkload = ownerRef.Name
+			workloadName = ownerRef.Name
+			workloadNamespace = pod.Namespace
 			break
 		}
 	}
 
-	return workloadKind, parentWorkload
+	return workloadKind, workloadName, workloadNamespace
 }
diff --git a/admission/rules/v1/r2000_exec_to_pod.go b/admission/rules/v1/r2000_exec_to_pod.go
@@ -5,11 +5,11 @@ import (
 	"time"
 
 	"github.com/kubescape/operator/admission/rules"
+	"github.com/kubescape/operator/objectcache"
 	"go.uber.org/zap"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/apiserver/pkg/authentication/user"
-	"github.com/kubescape/operator/objectcache"
 
 	apitypes "github.com/armosec/armoapi-go/armotypes"
 )
@@ -69,7 +69,7 @@ func (rule *R2000ExecToPod) ProcessEvent(event admission.Attributes, access inte
 
 	client := access.(objectcache.KubernetesCache).GetClientset()
 
-	workloadKind, workloadName, err := GetParentWorkloadAndKind(event, client)
+	workloadKind, workloadName, workloadNamespace, err := GetParentWorkloadDetails(event, client)
 	if err != nil {
 		zap.L().Error("Failed to get parent workload and kind", zap.Error(err))
 		return nil
@@ -113,6 +113,7 @@ func (rule *R2000ExecToPod) ProcessEvent(event admission.Attributes, access inte
 			PodName:      event.GetName(),
 			Namespace:    event.GetNamespace(),
 			WorkloadName: workloadName,
+			WorkloadNamespace: workloadNamespace,
 			WorkloadKind: workloadKind,
 			NodeName:     nodeName,
 		},

diff --git a/admission/rules/v1/r2000_exec_to_pod_test.go b/admission/rules/v1/r2000_exec_to_pod_test.go
@@ -42,6 +42,7 @@ func TestR2000(t *testing.T) {
 
 	assert.NotNil(t, result)
 	assert.Equal(t, "test-workload", result.GetRuntimeAlertK8sDetails().WorkloadName)
+	assert.Equal(t, "test-namespace", result.GetRuntimeAlertK8sDetails().WorkloadNamespace)
 	assert.Equal(t, "ReplicaSet", result.GetRuntimeAlertK8sDetails().WorkloadKind)
 	assert.Equal(t, "test-node", result.GetRuntimeAlertK8sDetails().NodeName)
 	assert.Equal(t, "Exec to pod detected on pod test-pod", result.GetRuleAlert().RuleDescription)

diff --git a/admission/rules/v1/r2001_portforward.go b/admission/rules/v1/r2001_portforward.go
@@ -69,7 +69,7 @@ func (rule *R2001PortForward) ProcessEvent(event admission.Attributes, access in
 
 	client := access.(objectcache.KubernetesCache).GetClientset()
 
-	workloadKind, workloadName, err := GetParentWorkloadAndKind(event, client)
+	workloadKind, workloadName, workloadNamespace, err := GetParentWorkloadDetails(event, client)
 	if err != nil {
 		zap.L().Error("Failed to get parent workload and kind", zap.Error(err))
 		return nil
@@ -113,6 +113,7 @@ func (rule *R2001PortForward) ProcessEvent(event admission.Attributes, access in
 			PodName:      event.GetName(),
 			Namespace:    event.GetNamespace(),
 			WorkloadName: workloadName,
+			WorkloadNamespace: workloadNamespace,
 			WorkloadKind: workloadKind,
 			NodeName:     nodeName,
 		},

diff --git a/admission/rules/v1/r2001_portforward_test.go b/admission/rules/v1/r2001_portforward_test.go
@@ -42,6 +42,7 @@ func TestR2001(t *testing.T) {
 
 	assert.NotNil(t, result)
 	assert.Equal(t, "test-workload", result.GetRuntimeAlertK8sDetails().WorkloadName)
+	assert.Equal(t, "test-namespace", result.GetRuntimeAlertK8sDetails().WorkloadNamespace)
 	assert.Equal(t, "ReplicaSet", result.GetRuntimeAlertK8sDetails().WorkloadKind)
 	assert.Equal(t, "test-node", result.GetRuntimeAlertK8sDetails().NodeName)
 	assert.Equal(t, "Port forward detected on pod test-pod", result.GetRuleAlert().RuleDescription)