What steps did you take and what happened:
I've deployed the Trivy operator through helm with the following nodeCollector exclusion defined.
```yaml
nodeCollector:
  excludeNodes: "role=master,role=etcd,role=additional-control-plane-component"
```
Currently, the nodes within my cluster are differentiated by the value of the role label.
The node collector exclusion code naively populates a map[string]string with label key and values. This causes any label with a repeated key to overwrite the previous value.
```go
func (c ConfigData) GetNodeCollectorExcludeNodes() (map[string]string, error) {
	nodeCollectorExcludeNodesStr, found := c[KeyNodeCollectorExcludeNodes]
	if !found || strings.TrimSpace(nodeCollectorExcludeNodesStr) == "" {
		return make(map[string]string), nil
	}

	nodeCollectorExcludeNodesMap := make(map[string]string)
	for _, excludeNode := range strings.Split(nodeCollectorExcludeNodesStr, ",") {
		sepByEqual := strings.Split(excludeNode, "=")
		if len(sepByEqual) != 2 {
			return make(map[string]string), fmt.Errorf("failed parsing incorrectly formatted exclude nodes values: %s", nodeCollectorExcludeNodesStr)
		}
		key, value := sepByEqual[0], sepByEqual[1]
		nodeCollectorExcludeNodesMap[key] = value
	}
	return nodeCollectorExcludeNodesMap, nil
}
```
This ultimately results in node-collector pods being created with a NodeSelector which attempts to schedule the pod to tainted control plane nodes.
What did you expect to happen:
I'd expect to be able to exclude nodes based on multiple values of the same label. I would prefer to avoid adding a unique label key per node pool.
Environment:
- Trivy-Operator version (use `trivy-operator version`):
- Chart version: 0.25.0
- Trivy version: 0.23.0
- Kubernetes version (use `kubectl version`):
- N/A
- OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc):
- N/A
Code referenced above: trivy-operator/pkg/trivyoperator/config.go, lines 360 to 376 in 7961baa
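An added example, not trivy-operator's code and not a proposed patch: a parser that keeps every value for a repeated label key, plus a check for whether a node's labels hit the exclusion list. The names `parseExcludeNodes` and `isExcluded`, the rule that any matching pair excludes a node, and the sample node labels are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// parseExcludeNodes is a hypothetical multi-value variant of the parser quoted
// in the issue: values sharing a label key accumulate instead of overwriting.
func parseExcludeNodes(s string) (map[string][]string, error) {
	out := make(map[string][]string)
	if strings.TrimSpace(s) == "" {
		return out, nil
	}
	for _, pair := range strings.Split(s, ",") {
		kv := strings.Split(pair, "=")
		if len(kv) != 2 || strings.TrimSpace(kv[0]) == "" {
			return nil, fmt.Errorf("incorrectly formatted exclude nodes value: %q", pair)
		}
		key, value := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
		out[key] = append(out[key], value)
	}
	return out, nil
}

// isExcluded reports whether a node's labels match any excluded key/value pair
// (assumed semantics: one matching pair is enough to exclude the node).
func isExcluded(nodeLabels map[string]string, exclude map[string][]string) bool {
	for key, values := range exclude {
		for _, v := range values {
			if got, ok := nodeLabels[key]; ok && got == v {
				return true
			}
		}
	}
	return false
}

func main() {
	// The excludeNodes value from the issue; the node labels below are constructed.
	cfg := "role=master,role=etcd,role=additional-control-plane-component"
	exclude, _ := parseExcludeNodes(cfg)
	fmt.Println(exclude)
	fmt.Println(isExcluded(map[string]string{"role": "master"}, exclude))
	fmt.Println(isExcluded(map[string]string{"role": "worker"}, exclude))
}
```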