AutoDiscovery: volume is propagated as emptyDir to ScheduledScan #2724

@paraddise

Description

🐞 Bug report

Describe the bug

Deployed the auto-discovery service with a custom ZAP config and added volumes, but in the ScheduledScan the volume is an emptyDir, although it must be a configMap.

Steps To Reproduce

  1. Create a configMap with the ZAP config.
  2. Deploy the configmap with the serviceDiscovery config:

```yaml
serviceAutoDiscovery:
    enabled: true
    scanConfigs:
      - scanType: zap-advanced-scan
        name: "zap"
        parameters:
          - "-t"
          - "{{ .Host.Type }}://{{ .Service.Name }}.{{ .Service.Namespace }}.svc:{{ .Host.Port }}"
        repeatInterval: "168h"
        labels: {}
        annotations:
          defectdojo.securecodebox.io/product-type-name: "SecureCodeBox"
          defectdojo.securecodebox.io/product-name: "{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}"
          defectdojo.securecodebox.io/product-tags: "cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"
          defectdojo.securecodebox.io/engagement-name: "{{ .Target.Name }}"
          defectdojo.securecodebox.io/engagement-version: "{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}"
        volumes:
          - name: zap-advanced-scan-config
            configMap:
              name: zap-advanced-scan-config
              optional: true
        volumeMounts:
          - name: zap-advanced-scan-config
            mountPath: /home/securecodebox/configs/2-zap-advanced-scan.yaml
            subPath: 2-zap-advanced-scan.yaml
            readOnly: true
        hookSelector: {}
        env: []
```

  3. Observe the ScheduledScan:

```shell
k get -n default scheduledscan juice-shop-service-zap-port-3000 -o jsonpath='{ .spec }' | jq
{
  "interval": "168h0m0s",
  "retriggerOnScanTypeChange": true,
  "scanSpec": {
    "parameters": [
      "-t",
      "http://juice-shop.default.svc:3000"
    ],
    "resourceMode": "namespaceLocal",
    "scanType": "zap-advanced-scan",
    "volumeMounts": [
      {
        "mountPath": "/home/securecodebox/configs/2-zap-advanced-scan.yaml",
        "name": "zap-advanced-scan-config",
        "readOnly": true,
        "subPath": "2-zap-advanced-scan.yaml"
      }
    ],
    "volumes": [
      {
        "name": "zap-advanced-scan-config"
      }
    ]
  }
}
```

  4. The pod will be created with an emptyDir.

Expected behavior

Volume propagated to the pod.

System (please complete the following information):

  • secureCodeBox Version: 4.9.0
  • Kubernetes Version: 1.30

Additional context

I checked the source and saw there is just a reference to corev1.Volume: https://github.com/secureCodeBox/secureCodeBox/blob/main/auto-discovery/kubernetes/pkg/config/autodiscovery_config.go#L76
So I don't understand why auto-discovery ignores the configMap.
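The symptom above is easy to miss in a cluster review, because a Kubernetes volume object that carries only a `name` is not rejected: the API server defaults it to an emptyDir, so the scan container silently gets an empty writable directory instead of the read-only config. The following check, an added example that is not part of this issue or of the secureCodeBox project, audits a ScheduledScan spec as returned by `kubectl ... -o jsonpath='{ .spec }'` and flags volumes that declare no volume source, plus volumeMounts that reference an undeclared volume. The `OBSERVED_SPEC` is the spec quoted in the issue; `EXPECTED_SPEC` is a constructed counterpart showing the configMap source the auto-discovery values asked for. The set of volume source field names is a hand-picked subset of `corev1.VolumeSource`, not a complete list.

```python
"""Audit ScheduledScan specs for volumes that lost their volume source.

A volume object with only a ``name`` is defaulted by the Kubernetes API
server to an emptyDir, so a configMap that failed to propagate shows up
as an empty, writable directory rather than the intended read-only file.
"""
import copy
import json

# Constructed sample: the ScheduledScan spec quoted in the issue.
OBSERVED_SPEC = json.loads("""
{
  "interval": "168h0m0s",
  "retriggerOnScanTypeChange": true,
  "scanSpec": {
    "parameters": ["-t", "http://juice-shop.default.svc:3000"],
    "resourceMode": "namespaceLocal",
    "scanType": "zap-advanced-scan",
    "volumeMounts": [
      {"mountPath": "/home/securecodebox/configs/2-zap-advanced-scan.yaml",
       "name": "zap-advanced-scan-config",
       "readOnly": true,
       "subPath": "2-zap-advanced-scan.yaml"}
    ],
    "volumes": [{"name": "zap-advanced-scan-config"}]
  }
}
""")

# Constructed sample: the same spec with the configMap source from the
# auto-discovery values actually propagated (what the reporter expected).
EXPECTED_SPEC = copy.deepcopy(OBSERVED_SPEC)
EXPECTED_SPEC["scanSpec"]["volumes"] = [
    {"name": "zap-advanced-scan-config",
     "configMap": {"name": "zap-advanced-scan-config", "optional": True}}
]

# Subset of corev1.VolumeSource fields. A volume carrying none of these
# keys next to its name will be defaulted to emptyDir by the API server.
VOLUME_SOURCE_FIELDS = {
    "configMap", "secret", "emptyDir", "persistentVolumeClaim", "hostPath",
    "projected", "downwardAPI", "csi", "nfs", "ephemeral",
}


def sourceless_volumes(spec):
    """Names of volumes that declare no source and will become emptyDirs."""
    volumes = spec.get("scanSpec", {}).get("volumes") or []
    return [v["name"] for v in volumes if not VOLUME_SOURCE_FIELDS & set(v)]


def dangling_mounts(spec):
    """Mount paths whose volumeMount references a volume the spec never declares."""
    scan = spec.get("scanSpec", {})
    declared = {v["name"] for v in scan.get("volumes") or []}
    return [m["mountPath"] for m in scan.get("volumeMounts") or []
            if m["name"] not in declared]


def audit(spec):
    """Return human-readable findings; an empty list means the spec is sound."""
    findings = []
    for name in sourceless_volumes(spec):
        findings.append(
            f"volume {name!r} has no volume source; the pod will get an emptyDir")
    for path in dangling_mounts(spec):
        findings.append(
            f"volumeMount at {path!r} references an undeclared volume")
    return findings


if __name__ == "__main__":
    for label, spec in (("observed", OBSERVED_SPEC), ("expected", EXPECTED_SPEC)):
        print(label, audit(spec) or ["ok"])
```

Run against the observed spec the audit reports the single sourceless volume; against the expected spec it reports nothing. The same functions can be pointed at any `kubectl get scheduledscan -o json` output to catch the regression before a scan runs with the wrong configuration.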

Labels: bug, help wanted
Status: Done