feat: node scan

Makefile

@@ -77,7 +77,7 @@ storage-image:
 		-t "$(REGISTRY)/$(REPO)/storage:$(TAG)" .
 	@echo "Built $(REGISTRY)/$(REPO)/storage:$(TAG)"
 
-WORKER_SRC_DIRS := cmd/worker api internal/messaging internal/handlers
+WORKER_SRC_DIRS := cmd/worker api internal/messaging internal/handlers internal/skippatterns
 WORKER_GO_SRCS := $(shell find $(WORKER_SRC_DIRS) -type f -name '*.go')
 WORKER_SRCS := $(GO_MOD_SRCS) $(WORKER_GO_SRCS)
 .PHONY: worker

api/labels.go

@@ -9,4 +9,6 @@ const (
 	LabelPartOfValue       = "sbomscanner"
 	LabelWorkloadScanKey   = "sbomscanner.kubewarden.io/workloadscan"
 	LabelWorkloadScanValue = "true"
+	LabelNodeScanKey       = "sbomscanner.kubewarden.io/nodescan"
+	LabelNodeScanValue     = "true"
 )

api/storage/register.go

@@ -40,6 +40,12 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 
 		&v1alpha1.VulnerabilityReport{},
 		&v1alpha1.VulnerabilityReportList{},
+
+		&v1alpha1.NodeSBOM{},
+		&v1alpha1.NodeSBOMList{},
+
+		&v1alpha1.NodeVulnerabilityReport{},
+		&v1alpha1.NodeVulnerabilityReportList{},
 	)
 	return nil
 }

api/storage/v1alpha1/node_metadata.go

@@ -0,0 +1,18 @@
+package v1alpha1
+
+// IndexNodeMetadataName is the field index for the digest of a node.
+const (
+	IndexNodeMetadataName = "nodeMetadata.name"
+)
+
+// NodeMetadata contains the metadata details of a node.
+type NodeMetadata struct {
+	// Name specifies the name of the node.
+	Name string `json:"name" protobuf:"bytes,1,req,name=name"`
+	// Platform specifies the platform of the image. Example "linux/amd64".
+	Platform string `json:"platform" protobuf:"bytes,2,req,name=platform"`
+}
+
+type NodeMetadataAccessor interface {
+	GetNodeMetadata() NodeMetadata
+}

api/storage/v1alpha1/nodesbom_types.go

@@ -0,0 +1,37 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// NodeSBOMList contains a list of Software Bill of Materials for nodes
+type NodeSBOMList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	Items []NodeSBOM `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:scope=Cluster
+// +kubebuilder:selectablefield:JSONPath=`.nodeMetadata.name`
+// +kubebuilder:selectablefield:JSONPath=`.nodeMetadata.platform`
+
+// NodeSBOM represents a Software Bill of Materials of a node
+type NodeSBOM struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	NodeMetadata NodeMetadata `json:"nodeMetadata" protobuf:"bytes,2,req,name=nodeMetadata"`
+	// SPDX contains the SPDX document of the SBOM in JSON format
+	SPDX runtime.RawExtension `json:"spdx" protobuf:"bytes,3,req,name=spdx"`
+}
+
+func (s *NodeSBOM) GetNodeMetadata() NodeMetadata {
+	return s.NodeMetadata
+}

api/storage/v1alpha1/nodevulnerabilityreport_types.go

@@ -0,0 +1,38 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// NodeVulnerabilityReportList contains a list of NodeVulnerabilityReport
+type NodeVulnerabilityReportList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	Items []NodeVulnerabilityReport `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:scope=Cluster
+// +kubebuilder:selectablefield:JSONPath=`.nodeMetadata.name`
+// +kubebuilder:selectablefield:JSONPath=`.nodeMetadata.platform`
+
+// NodeVulnerabilityReport is the Schema for the scanresults API
+type NodeVulnerabilityReport struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// NodeMetadata contains info about the scanned node
+	NodeMetadata NodeMetadata `json:"nodeMetadata" protobuf:"bytes,2,req,name=nodeMetadata"`
+
+	// Report is the actual vulnerability scan report
+	Report Report `json:"report" protobuf:"bytes,3,req,name=report"`
+}
+
+func (v *NodeVulnerabilityReport) GetNodeMetadata() NodeMetadata {
+	return v.NodeMetadata
+}

api/storage/v1alpha1/register.go

@@ -42,6 +42,10 @@ func AddKnownTypes(scheme *runtime.Scheme) error {
 		&VulnerabilityReportList{},
 		&WorkloadScanReport{},
 		&WorkloadScanReportList{},
+		&NodeSBOM{},
+		&NodeSBOMList{},
+		&NodeVulnerabilityReport{},
+		&NodeVulnerabilityReportList{},
 		&metav1.GetOptions{},
 		&metav1.CreateOptions{},
 		&metav1.UpdateOptions{},
@@ -58,7 +62,10 @@ func AddKnownTypes(scheme *runtime.Scheme) error {
 		return fmt.Errorf("unable to add field selector conversion function to Image: %w", err)
 	}
 
-	err = scheme.AddFieldLabelConversionFunc(SchemeGroupVersion.WithKind("SBOM"), imageMetadataFieldSelectorConversion)
+	err = scheme.AddFieldLabelConversionFunc(
+		SchemeGroupVersion.WithKind("SBOM"),
+		imageMetadataFieldSelectorConversion,
+	)
 	if err != nil {
 		return fmt.Errorf("unable to add field selector conversion function to SBOM: %w", err)
 	}
@@ -71,9 +78,26 @@ func AddKnownTypes(scheme *runtime.Scheme) error {
 		return fmt.Errorf("unable to add field selector conversion function to VulnerabilityReport: %w", err)
 	}
 
+	err = scheme.AddFieldLabelConversionFunc(
+		SchemeGroupVersion.WithKind("NodeSBOM"),
+		nodeMetadataFieldSelectorConversion,
+	)
+	if err != nil {
+		return fmt.Errorf("unable to add field selector conversion function to NodeSBOM: %w", err)
+	}
+
+	err = scheme.AddFieldLabelConversionFunc(
+		SchemeGroupVersion.WithKind("NodeVulnerabilityReport"),
+		nodeMetadataFieldSelectorConversion,
+	)
+	if err != nil {
+		return fmt.Errorf("unable to add field selector conversion function to NodeVulnerabilityReport: %w", err)
+	}
+
 	return nil
 }
 
+// imageMetadataFieldSelectorConversion allows field selection on the image metadata fields.
 func imageMetadataFieldSelectorConversion(label, value string) (string, string, error) {
 	switch label {
 	case "metadata.name":
@@ -104,3 +128,27 @@ func imageMetadataFieldSelectorConversion(label, value string) (string, string,
 		)
 	}
 }
+
+// nodeMetadataFieldSelectorConversion allows field selection on the node metadata fields.
+// This is needed to allow listing NodeSBOMs and NodeVulnerabilityReports by node metadata,
+// since the node name and platform are part of the node metadata and not the top-level resource metadata.
+func nodeMetadataFieldSelectorConversion(label, value string) (string, string, error) {
+	switch label {
+	case "metadata.name":
+		return label, value, nil
+	case "metadata.namespace":
+		return label, value, nil
+	case "nodeMetadata.name":
+		return label, value, nil
+	case "nodeMetadata.platform":
+		return label, value, nil
+	default:
+		return "", "", fmt.Errorf(
+			"%q is not a known field selector: only %q, %q, %q",
+			label,
+			"metadata.name",
+			"metadata.namespace",
+			"nodeMetadata.*",
+		)
+	}
+}