Add basic scan scheduling logic for targets

Author: J12934

operator/api/v1/target_types.go

@@ -42,11 +42,14 @@ type TargetStatus struct {
 	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
 	State string `json:"state,omitempty"`
+
+	LastScheduleTime *metav1.Time `json:"lastScheduleTime,omitempty"`
 }
 
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
-
+// +kubebuilder:printcolumn:name="Type",type=string,JSONPath=`.spec.type`,description="Target Type"
+// +kubebuilder:printcolumn:name="Address",type=string,JSONPath=`.spec.address`,description="Target Address"
 // Target is the Schema for the targets API
 type Target struct {
 	metav1.TypeMeta   `json:",inline"`

operator/api/v1/zz_generated.deepcopy.go

@@ -0,0 +1,80 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  name: targets.scans.experimental.securecodebox.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.type
+    description: Target Type
+    name: Type
+    type: string
+  - JSONPath: .spec.address
+    description: Target Address
+    name: Address
+    type: string
+  group: scans.experimental.securecodebox.io
+  names:
+    kind: Target
+    plural: targets
+  scope: ""
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      description: Target is the Schema for the targets API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: TargetSpec defines the desired state of Target
+          properties:
+            address:
+              description: Foo is an example field of Target. Edit Target_types.go
+                to remove/update
+              type: string
+            type:
+              description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+                Important: Run "make" to regenerate code after modifying this file'
+              enum:
+              - Host
+              - IPRange
+              - Domain
+              type: string
+          type: object
+        status:
+          description: TargetStatus defines the observed state of Target
+          properties:
+            lastScheduleTime:
+              format: date-time
+              type: string
+            state:
+              description: 'INSERT ADDITIONAL STATUS FIELD - define observed state
+                of cluster Important: Run "make" to regenerate code after modifying
+                this file'
+              type: string
+          type: object
+      type: object
+  version: v1
+  versions:
+  - name: v1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

operator/config/crd/bases/scans.experimental.securecodebox.io_targets.yaml

@@ -97,3 +97,23 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - scans.experimental.securecodebox.io
+  resources:
+  - targets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - scans.experimental.securecodebox.io
+  resources:
+  - targets/status
+  verbs:
+  - get
+  - patch
+  - update

operator/config/rbac/role.yaml

@@ -1,7 +1,7 @@
 apiVersion: scans.experimental.securecodebox.io/v1
 kind: Target
 metadata:
-  name: target-sample
+  name: juice-shop
 spec:
-  # Add fields here
-  foo: bar
+  type: "Host"
+  address: "juice-shop.demo-targets.svc"

…ator/config/samples/scans_v1_target.yaml …g/samples/scans_v1_target_juiceshop.yamloperator/config/samples/scans_v1_target.yaml renamed to operator/config/samples/scans_v1_target_juiceshop.yaml operator/config/samples/scans_v1_target.yaml renamed to operator/config/samples/scans_v1_target_juiceshop.yaml

@@ -776,8 +776,6 @@ func (r *ScanReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		panic(err)
 	}
 
-	// Todo: Better config management
-
 	if err := mgr.GetFieldIndexer().IndexField(&batch.Job{}, ownerKey, func(rawObj runtime.Object) []string {
 		// grab the job object, extract the owner...
 		job := rawObj.(*batch.Job)

operator/controllers/scan_controller.go

@@ -18,15 +18,21 @@ package controllers
 
 import (
 	"context"
+	"time"
 
 	"github.com/go-logr/logr"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
+
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	scansv1 "experimental.securecodebox.io/api/v1"
 )
 
+// ScanInterval defines how often a Target should be scanned
+var ScanInterval time.Duration = 1 * time.Minute
+
 // TargetReconciler reconciles a Target object
 type TargetReconciler struct {
 	client.Client
@@ -41,34 +47,65 @@ func (r *TargetReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 	ctx := context.Background()
 	log := r.Log.WithValues("target", req.NamespacedName)
 
-	// your logic here
-
-	log.Info("Starting Target Reconciler")
-
 	var target scansv1.Target
 	err := r.Get(ctx, req.NamespacedName, &target)
 	if err != nil {
 		return ctrl.Result{}, client.IgnoreNotFound(err)
 	}
 
-	if target.Status.State == "" {
-		target.Status.State = "Scanning"
+	var childScans scansv1.ScanList
+	if err := r.List(ctx, &childScans, client.InNamespace(req.Namespace), client.MatchingFields{ownerKey: req.Name}); err != nil {
+		log.Error(err, "unable to list child Scans")
+		return ctrl.Result{}, err
 	}
-	switch target.Status.State {
-	case "Scanning":
-		switch target.Spec.Type {
-		case "Host":
 
+	var nextSchedule time.Time
+	if target.Status.LastScheduleTime != nil {
+		nextSchedule = target.Status.LastScheduleTime.Add(ScanInterval)
+	} else {
+		nextSchedule = time.Now().Add(-1 * time.Second)
+	}
+
+	// check if it is time to start the scans
+	if !time.Now().Before(nextSchedule) {
+		// It's time!
+		log.Info("Should start scans here")
+
+		var now metav1.Time = metav1.Now()
+		target.Status.LastScheduleTime = &now
+		if err := r.Status().Update(ctx, &target); err != nil {
+			log.Error(err, "unable to update Targets status")
+			return ctrl.Result{}, err
 		}
-	case "Sleeping":
-		// TODO: Reschedule
+
+		// Recalculate next schedule
+		nextSchedule = time.Now().Add(ScanInterval)
 	}
 
-	return ctrl.Result{}, nil
+	return ctrl.Result{RequeueAfter: nextSchedule.Sub(time.Now())}, nil
 }
 
 func (r *TargetReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	if err := mgr.GetFieldIndexer().IndexField(&scansv1.Scan{}, ownerKey, func(rawObj runtime.Object) []string {
+		// grab the job object, extract the owner...
+		scan := rawObj.(*scansv1.Scan)
+		owner := metav1.GetControllerOf(scan)
+		if owner == nil {
+			return nil
+		}
+		// ...make sure it's a Scan belonging to a Target...
+		if owner.APIVersion != apiGVStr || owner.Kind != "Target" {
+			return nil
+		}
+
+		// ...and if so, return it
+		return []string{owner.Name}
+	}); err != nil {
+		return err
+	}
+
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&scansv1.Target{}).
+		Owns(&scansv1.Scan{}).
 		Complete(r)
 }