feat: add GKE exceptions (yonahd#252)

* feat: add GKE exceptions * remove generated GKE replica sets * refactor StorageClass exception * add CRDS * fix spacing * update * comments * spelling --------- Co-authored-by: Phil Brocker <phil.brocker@gmail.com>
zpxlz · May 1, 2024 · e75b893 · e75b893
1 parent bd3337a
commit e75b893
Show file tree

Hide file tree

Showing 9 changed files with 293 additions and 9 deletions.
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -1,13 +1,21 @@
 Please read [CONTRIBUTING.md](CONTRIBUTING.md) for additional information on contributing to this repository!
 
+<!--
+  !!!! README !!!! Please fill this out.
+
+  Please follow conventional commit naming conventions:
+
+  https://www.conventionalcommits.org/en/v1.0.0/#summary
+-->
+
 <!-- A short description of what your PR does and what it solves. -->
 
 ## What this PR does / why we need it
 
 ## PR Checklist
 
-- [ ] This PR adds exceptions
-- [ ] This PR add new code
+- [ ] This PR adds K8s exceptions (false positives)
+- [ ] This PR adds new code
 - [ ] This PR includes test for any new code
 
 ## Github Issue

diff --git a/pkg/kor/clusterroles.go b/pkg/kor/clusterroles.go
@@ -78,6 +78,30 @@ var exceptionClusterRoles = []ExceptionResource{
 		ResourceName: "view",
 		Namespace:    "",
 	},
+	{
+		ResourceName: "cloud-provider",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "system:certificates.k8s.io:certificatesigningrequests:nodeclient",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "system:certificates.k8s.io:certificatesigningrequests:selfnodeclient",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "system:controller:cloud-node-controller",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "system:controller:glbc",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "system:persistent-volume-provisioner",
+		Namespace:    "",
+	},
 }
 
 func retrieveUsedClusterRoles(clientset kubernetes.Interface, filterOpts *filters.Options) ([]string, error) {

diff --git a/pkg/kor/configmaps.go b/pkg/kor/configmaps.go
@@ -47,6 +47,46 @@ var exceptionConfigMaps = []ExceptionResource{
 		ResourceName: "cluster-info",
 		Namespace:    "kube-public",
 	},
+	{
+		ResourceName: "config-images",
+		Namespace:    "gmp-system",
+	},
+	{
+		ResourceName: "webhook-ca",
+		Namespace:    "gmp-system",
+	},
+	{
+		ResourceName: "cluster-autoscaler-status",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "cluster-kubestore",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "clustermetrics",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "gke-common-webhook-heartbeat",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "ingress-uid",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "konnectivity-agent-autoscaler-config",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "kube-dns-autoscaler",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "kubedns-config-images",
+		Namespace:    "kube-system",
+	},
 }
 
 func retrieveUsedCM(clientset kubernetes.Interface, namespace string) ([]string, []string, []string, []string, []string, error) {

diff --git a/pkg/kor/crds.go b/pkg/kor/crds.go
@@ -16,6 +16,93 @@ import (
 	"github.com/yonahd/kor/pkg/filters"
 )
 
+var exceptionCrds = []ExceptionResource{
+	{
+		ResourceName: "capacityrequests.internal.autoscaling.gke.io",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "clusterpodmonitorings.monitoring.googleapis.com",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "clusterrules.monitoring.googleapis.com",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "frontendconfigs.networking.gke.io",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "gkenetworkparamsets.networking.gke.io",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "globalrules.monitoring.googleapis.com",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "managedcertificates.networking.gke.io",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "memberships.hub.gke.io",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "networks.networking.gke.io",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "podmonitorings.monitoring.googleapis.com",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "provisioningrequests.autoscaling.x-k8s.io",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "rules.monitoring.googleapis.com",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "serviceattachments.networking.gke.io",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "servicenetworkendpointgroups.networking.gke.io",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "updateinfos.nodemanagement.gke.io",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "volumesnapshotclasses.snapshot.storage.k8s.io",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "volumesnapshotcontents.snapshot.storage.k8s.io",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "volumesnapshots.snapshot.storage.k8s.io",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "allowlistedv2workloads.auto.gke.io",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "allowlistedworkloads.auto.gke.io",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "backendconfigs.cloud.google.com",
+		Namespace:    "",
+	},
+}
+
 func processCrds(apiExtClient apiextensionsclientset.Interface, dynamicClient dynamic.Interface, filterOpts *filters.Options) ([]string, error) {
 
 	var unusedCRDs []string
@@ -29,6 +116,9 @@ func processCrds(apiExtClient apiextensionsclientset.Interface, dynamicClient dy
 		if pass := filters.KorLabelFilter(&crd, &filters.Options{}); pass {
 			continue
 		}
+		if isResourceException(crd.Name, crd.Namespace, exceptionCrds) {
+			continue
+		}
 
 		gvr := schema.GroupVersionResource{
 			Group:    crd.Spec.Group,

diff --git a/pkg/kor/daemonsets.go b/pkg/kor/daemonsets.go
@@ -13,6 +13,93 @@ import (
 	"github.com/yonahd/kor/pkg/filters"
 )
 
+var exceptionDaemonSets = []ExceptionResource{
+	{
+		ResourceName: "kube-proxy",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "fluentbit-gke-256pd",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "fluentbit-gke-max",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "gke-metrics-agent-scaling-10",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "gke-metrics-agent-scaling-100",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "gke-metrics-agent-scaling-20",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "gke-metrics-agent-scaling-200",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "gke-metrics-agent-scaling-50",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "gke-metrics-agent-scaling-500",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "gke-metrics-agent-windows",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "metadata-proxy-v0.1",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "nccl-fastsocket-installer",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "nvidia-gpu-device-plugin-large-cos",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "nvidia-gpu-device-plugin-large-ubuntu",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "nvidia-gpu-device-plugin-medium-cos",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "nvidia-gpu-device-plugin-medium-ubuntu",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "nvidia-gpu-device-plugin-small-cos",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "nvidia-gpu-device-plugin-small-ubuntu",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "pdcsi-node-windows",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "runsc-metric-server",
+		Namespace:    "kube-system",
+	},
+	{
+		ResourceName: "tpu-device-plugin",
+		Namespace:    "kube-system",
+	},
+}
+
 func ProcessNamespaceDaemonSets(clientset kubernetes.Interface, namespace string, filterOpts *filters.Options) ([]string, error) {
 	daemonSetsList, err := clientset.AppsV1().DaemonSets(namespace).List(context.TODO(), metav1.ListOptions{LabelSelector: filterOpts.IncludeLabels})
 	if err != nil {
@@ -25,6 +112,9 @@ func ProcessNamespaceDaemonSets(clientset kubernetes.Interface, namespace string
 		if pass, _ := filter.SetObject(&daemonSet).Run(filterOpts); pass {
 			continue
 		}
+		if isResourceException(daemonSet.Name, daemonSet.Namespace, exceptionDaemonSets) {
+			continue
+		}
 
 		if daemonSet.Labels["kor/used"] == "false" {
 			daemonSetsWithoutReplicas = append(daemonSetsWithoutReplicas, daemonSet.Name)

diff --git a/pkg/kor/roles.go b/pkg/kor/roles.go
@@ -14,6 +14,17 @@ import (
 	"github.com/yonahd/kor/pkg/filters"
 )
 
+var exceptionRoles = []ExceptionResource{
+	{
+		ResourceName: "cloud-provider",
+		Namespace:    "",
+	},
+	{
+		ResourceName: "system:controller:glbc",
+		Namespace:    "",
+	},
+}
+
 func retrieveUsedRoles(clientset kubernetes.Interface, namespace string, filterOpts *filters.Options) ([]string, error) {
 	// Get a list of all role bindings in the specified namespace
 	roleBindings, err := clientset.RbacV1().RoleBindings(namespace).List(context.TODO(), metav1.ListOptions{})
@@ -54,6 +65,10 @@ func retrieveRoleNames(clientset kubernetes.Interface, namespace string, filterO
 			continue
 		}
 
+		if isResourceException(role.Name, "", exceptionRoles) {
+			continue
+		}
+
 		names = append(names, role.Name)
 	}
 	return names, unusedRoleNames, nil

diff --git a/pkg/kor/serviceaccounts.go b/pkg/kor/serviceaccounts.go
@@ -14,7 +14,14 @@ import (
 )
 
 var exceptionServiceAccounts = []ExceptionResource{
-	{ResourceName: "default", Namespace: "*"},
+	{
+		ResourceName: "default",
+		Namespace:    "*",
+	},
+	{
+		ResourceName: "metadata-proxy",
+		Namespace:    "kube-system",
+	},
 }
 
 func getServiceAccountsFromClusterRoleBindings(clientset kubernetes.Interface, namespace string) ([]string, error) {

diff --git a/pkg/kor/services.go b/pkg/kor/services.go
@@ -18,6 +18,10 @@ var exceptionServices = []ExceptionResource{
 		ResourceName: "k8s.io-minikube-hostpath",
 		Namespace:    "kube-system",
 	},
+	{
+		ResourceName: "vpa-recommender",
+		Namespace:    "kube-system",
+	},
 }
 
 func ProcessNamespaceServices(clientset kubernetes.Interface, namespace string, filterOpts *filters.Options) ([]string, error) {