feat: Exclude resources created for leader election from config audit (…

…#687) Resolves: #684 Co-authored-by: Daniel Pacak <[email protected]>
aquasecurity · Aug 27, 2021 · 16a6a37 · 16a6a37
1 parent 216c73b
commit 16a6a37
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/pkg/operator/controller/configauditreport.go b/pkg/operator/controller/configauditreport.go
@@ -78,6 +78,7 @@ func (r *ConfigAuditReportReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		err = ctrl.NewControllerManagedBy(mgr).
 			For(resource.forObject, builder.WithPredicates(
 				Not(ManagedByStarboardOperator),
+				Not(IsLeaderElectionResource),
 				Not(IsBeingTerminated),
 				installModePredicate,
 			)).

diff --git a/pkg/operator/predicate/predicate.go b/pkg/operator/predicate/predicate.go
@@ -6,6 +6,7 @@ import (
 	"github.com/aquasecurity/starboard/pkg/starboard"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/client-go/tools/leaderelection/resourcelock"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
@@ -114,6 +115,15 @@ var IsLinuxNode = predicate.NewPredicateFuncs(func(obj client.Object) bool {
 	return false
 })
 
+// IsLeaderElectionResource returns true for resources used in leader election, means resources
+// annotated with resourcelock.LeaderElectionRecordAnnotationKey.
+var IsLeaderElectionResource = predicate.NewPredicateFuncs(func(obj client.Object) bool {
+	if _, ok := obj.GetAnnotations()[resourcelock.LeaderElectionRecordAnnotationKey]; ok {
+		return true
+	}
+	return false
+})
+
 func Not(p predicate.Predicate) predicate.Predicate {
 	return predicate.Funcs{
 		CreateFunc: func(event event.CreateEvent) bool {