fix: k8s all-namespaces support (#4096)

2026-01-31 13:53:14 +08:00 · 2023-04-23 20:08:37 +03:00
parent bd0c60364a
commit 107752df65
5 changed files with 23 additions and 6 deletions
--- a/docs/docs/references/configuration/cli/trivy_kubernetes.md
+++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md
@@ -27,6 +27,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
 ### Options

 ```
+  -A, --all-namespaces              fetch resources from all cluster namespaces
      --cache-backend string        cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration          cache TTL when using redis as cache backend
      --clear-cache                 clear image caches without scanning
--- a/go.mod
+++ b/go.mod
@@ -26,7 +26,7 @@ require (
 	github.com/aquasecurity/tml v0.6.1
 	github.com/aquasecurity/trivy-db v0.0.0-20230411140759-3c2ee2168575
 	github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728
-	github.com/aquasecurity/trivy-kubernetes v0.4.1-0.20230413111230-522e0fca9814
+	github.com/aquasecurity/trivy-kubernetes v0.4.1-0.20230420095211-019a895da295
 	github.com/aws/aws-sdk-go v1.44.234
 	github.com/aws/aws-sdk-go-v2 v1.17.7
 	github.com/aws/aws-sdk-go-v2/config v1.18.15
--- a/go.sum
+++ b/go.sum
@@ -343,8 +343,8 @@ github.com/aquasecurity/trivy-db v0.0.0-20230411140759-3c2ee2168575 h1:8Y/qLPXGF
 github.com/aquasecurity/trivy-db v0.0.0-20230411140759-3c2ee2168575/go.mod h1:zn8GepvD5wBkCmmtBDwh0BWfiMUxS6xfGRcTPmXRVXo=
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728 h1:0eS+V7SXHgqoT99tV1mtMW6HL4HdoB9qGLMCb1fZp8A=
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
-github.com/aquasecurity/trivy-kubernetes v0.4.1-0.20230413111230-522e0fca9814 h1:50r4mAGLHB0yx/OX7/MY0GMN5hCLG2OcZsa1JgQfwvE=
-github.com/aquasecurity/trivy-kubernetes v0.4.1-0.20230413111230-522e0fca9814/go.mod h1:oGiNSpa6b+3E9SxzTuaneysOP/47eQUiem5R0x0HG58=
+github.com/aquasecurity/trivy-kubernetes v0.4.1-0.20230420095211-019a895da295 h1:ZdQMyXrUTNhsjKMiGLNtwIpGkn0Aj7r6eRPzaJlDbYc=
+github.com/aquasecurity/trivy-kubernetes v0.4.1-0.20230420095211-019a895da295/go.mod h1:FPtS3hhfzykyaIiAIUg3vovniDP5loM9hHRa8W2+PuU=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
--- a/pkg/flag/kubernetes_flags.go
+++ b/pkg/flag/kubernetes_flags.go
@@ -62,6 +62,13 @@ var (
 		Value:      []string{},
 		Usage:      "specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)",
 	}
+	AllNamespaces = Flag{
+		Name:       "all-namespaces",
+		ConfigName: "kubernetes.all.namespaces",
+		Shorthand:  "A",
+		Value:      false,
+		Usage:      "fetch resources from all cluster namespaces",
+	}
 )

 type K8sFlagGroup struct {
@@ -72,6 +79,7 @@ type K8sFlagGroup struct {
 	K8sVersion     *Flag
 	Parallel       *Flag
 	Tolerations    *Flag
+	AllNamespaces  *Flag
 }

 type K8sOptions struct {
@@ -82,6 +90,7 @@ type K8sOptions struct {
 	K8sVersion     string
 	Parallel       int
 	Tolerations    []corev1.Toleration
+	AllNamespaces  bool
 }

 func NewK8sFlagGroup() *K8sFlagGroup {
@@ -93,6 +102,7 @@ func NewK8sFlagGroup() *K8sFlagGroup {
 		K8sVersion:     &K8sVersionFlag,
 		Parallel:       &ParallelFlag,
 		Tolerations:    &TolerationsFlag,
+		AllNamespaces:  &AllNamespaces,
 	}
 }

@@ -109,6 +119,7 @@ func (f *K8sFlagGroup) Flags() []*Flag {
 		f.K8sVersion,
 		f.Parallel,
 		f.Tolerations,
+		f.AllNamespaces,
 	}
 }

@@ -133,6 +144,7 @@ func (f *K8sFlagGroup) ToOptions() (K8sOptions, error) {
 		K8sVersion:     getString(f.K8sVersion),
 		Parallel:       parallel,
 		Tolerations:    tolerations,
+		AllNamespaces:  getBool(f.AllNamespaces),
 	}, nil
 }

--- a/pkg/k8s/commands/namespace.go
+++ b/pkg/k8s/commands/namespace.go
@@ -16,10 +16,14 @@ func namespaceRun(ctx context.Context, opts flag.Options, cluster k8s.Cluster) e
 	if err := validateReportArguments(opts); err != nil {
 		return err
 	}
+	var trivyk trivyk8s.TrivyK8S
+	if opts.AllNamespaces {
+		trivyk = trivyk8s.New(cluster, log.Logger).AllNamespaces()
+	} else {
+		trivyk = trivyk8s.New(cluster, log.Logger).Namespace(getNamespace(opts, cluster.GetCurrentNamespace()))
+	}

-	trivyk8s := trivyk8s.New(cluster, log.Logger).Namespace(getNamespace(opts, cluster.GetCurrentNamespace()))
-
-	artifacts, err := trivyk8s.ListArtifacts(ctx)
+	artifacts, err := trivyk.ListArtifacts(ctx)
 	if err != nil {
 		return xerrors.Errorf("get k8s artifacts error: %w", err)
 	}