Merge pull request #472 from kubescape/enrich-cloud-metadata

enrich cloud metadata for AWS, bump k8s-interface
kubescape · Feb 3, 2025 · aa8c689 · aa8c689
2 parents 2172310 + a4bbaa5
commit aa8c689
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 8 deletions.
diff --git a/go.mod b/go.mod
@@ -29,7 +29,7 @@ require (
 	github.com/inspektor-gadget/inspektor-gadget v0.36.1
 	github.com/kubescape/backend v0.0.25
 	github.com/kubescape/go-logger v0.0.23
-	github.com/kubescape/k8s-interface v0.0.182
+	github.com/kubescape/k8s-interface v0.0.183
 	github.com/kubescape/storage v0.0.141
 	github.com/moby/sys/mountinfo v0.7.2
 	github.com/opencontainers/go-digest v1.0.0
@@ -55,7 +55,7 @@ require (
 	k8s.io/apimachinery v0.32.1
 	k8s.io/client-go v0.32.1
 	k8s.io/cri-api v0.32.1
-	k8s.io/kubectl v0.31.2
+	k8s.io/kubectl v0.32.1
 	k8s.io/utils v0.0.0-20241210054802-24370beab758
 	sigs.k8s.io/yaml v1.4.0
 )

diff --git a/go.sum b/go.sum
@@ -690,8 +690,8 @@ github.com/kubescape/backend v0.0.25 h1:PLESA7KGJskebR5hiSqPeJ1cPQ8Ra+4yNYXKyIej
 github.com/kubescape/backend v0.0.25/go.mod h1:FpazfN+c3Ucuvv4jZYCnk99moSBRNMVIxl5aWCZAEBo=
 github.com/kubescape/go-logger v0.0.23 h1:5xh+Nm8eGImhFbtippRKLaFgsvlKE1ufvQhNM2P/570=
 github.com/kubescape/go-logger v0.0.23/go.mod h1:Ayg7g769c7sXVB+P3fkJmbsJpoEmMmaUf9jeo+XuC3U=
-github.com/kubescape/k8s-interface v0.0.182 h1:Un8mQB6W2LfSv23YIA5NJKLoFvqw70S1so5FKsB92dA=
-github.com/kubescape/k8s-interface v0.0.182/go.mod h1:h8HQI5t4WdfjtYriBMG92vdLntpBWLNe3F/bumuRaYg=
+github.com/kubescape/k8s-interface v0.0.183 h1:eTuHlKJkBYYA03AR/YGr4KUC+xnbV6SG0/8+yrt9Yrs=
+github.com/kubescape/k8s-interface v0.0.183/go.mod h1:YjIAQtrK4nCy+XQ/6jwo+BqlLyJk7DN2Mx4pUcbzq10=
 github.com/kubescape/storage v0.0.141 h1:dck2qWHtlui6T4rUoV3U9O/BNZybxlDN7Vrlnow4CSg=
 github.com/kubescape/storage v0.0.141/go.mod h1:oqdNN8gANL58jagGDsEbRiWskvKK0s/ckdqrHZnG+Vw=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
@@ -1695,8 +1695,8 @@ k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y=
 k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4=
-k8s.io/kubectl v0.31.2 h1:gTxbvRkMBwvTSAlobiTVqsH6S8Aa1aGyBcu5xYLsn8M=
-k8s.io/kubectl v0.31.2/go.mod h1:EyASYVU6PY+032RrTh5ahtSOMgoDRIux9V1JLKtG5xM=
+k8s.io/kubectl v0.32.1 h1:/btLtXLQUU1rWx8AEvX9jrb9LaI6yeezt3sFALhB8M8=
+k8s.io/kubectl v0.32.1/go.mod h1:sezNuyWi1STk4ZNPVRIFfgjqMI6XMf+oCVLjZen/pFQ=
 k8s.io/kubelet v0.32.1 h1:bB91GvMsZb+LfzBxnjPEr1Fal/sdxZtYphlfwAaRJGw=
 k8s.io/kubelet v0.32.1/go.mod h1:4sAEZ6PlewD0GroV3zscY7llym6kmNNTVmUI/Qshm6w=
 k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJJI8IUa1AmH/qa0=

diff --git a/pkg/cloudmetadata/metadata.go b/pkg/cloudmetadata/metadata.go
@@ -5,6 +5,8 @@ import (
 	"fmt"
 
 	apitypes "github.com/armosec/armoapi-go/armotypes"
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
 	k8sInterfaceCloudMetadata "github.com/kubescape/k8s-interface/cloudmetadata"
 	"github.com/kubescape/k8s-interface/k8sinterface"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -17,5 +19,31 @@ func GetCloudMetadata(ctx context.Context, client *k8sinterface.KubernetesApi, n
 		return nil, fmt.Errorf("failed to get node %s: %v", nodeName, err)
 	}
 
-	return k8sInterfaceCloudMetadata.GetCloudMetadata(ctx, node, nodeName)
+	cMetadata, err := k8sInterfaceCloudMetadata.GetCloudMetadata(ctx, node, nodeName)
+	if err != nil {
+		return nil, err
+	}
+
+	// special case for AWS, if the account ID is not found in the node metadata, we need to get it from ConfigMap
+	enrichCloudMetadataForAWS(ctx, client, cMetadata)
+	return cMetadata, nil
+}
+
+func enrichCloudMetadataForAWS(ctx context.Context, client *k8sinterface.KubernetesApi, cMetadata *apitypes.CloudMetadata) {
+	if cMetadata == nil || cMetadata.Provider != k8sInterfaceCloudMetadata.ProviderAWS || cMetadata.AccountID != "" {
+		return
+	}
+
+	cm, err := client.GetKubernetesClient().CoreV1().ConfigMaps("kube-system").Get(ctx, "aws-auth", metav1.GetOptions{})
+	if err != nil {
+		logger.L().Warning("failed to get aws-auth ConfigMap", helpers.Error(err))
+		return
+	}
+
+	err = k8sInterfaceCloudMetadata.EnrichCloudMetadataFromAWSAuthConfigMap(cMetadata, cm)
+	if err != nil {
+		logger.L().Warning("failed to enrich cloud metadata from aws-auth ConfigMap", helpers.Error(err))
+	}
+
+	logger.L().Debug("enriched cloud metadata from aws-auth ConfigMap")
 }
diff --git a/tests/chart/templates/node-agent/clusterrole.yaml b/tests/chart/templates/node-agent/clusterrole.yaml
@@ -6,7 +6,7 @@ metadata:
     kubescape.io/ignore: "true"
 rules:
 - apiGroups: [""]
-  resources: ["pods", "nodes", "nodes/proxy", "services", "endpoints", "namespaces"]
+  resources: ["pods", "nodes", "nodes/proxy", "services", "endpoints", "namespaces", "configmaps"]
   verbs: ["get", "watch", "list"]
 - apiGroups: [""]
   resources: ["events"]