Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable retrieving container.image.repo_digests attribute in k8sattributes processor #34029

Open
evantorrie opened this issue Jul 11, 2024 · 2 comments
Open

Enable retrieving container.image.repo_digests attribute in k8sattributes processor #34029

evantorrie opened this issue Jul 11, 2024 · 2 comments
Labels
enhancement New feature or request needs triage New item requiring triage processor/k8sattributes k8s Attributes processor Stale

Comments

@evantorrie
Copy link
Contributor

Component(s)

processor/k8sattributes

Is your feature request related to a problem? Please describe.

We currently make use of the k8sattributes processor to augment Resource attributes from pods running in our k8s clusters.

We are interested in obtaining a useable repo digest version of the image (i.e. something that references an immutable fetchable image from a repository) associated with the container in a Kubernetes pod that is emitting telemetry, rather than relying on just the image name + tag.

One use of this is to be able to identify vulnerable containers which are still emitting telemetry in our fleet. Relying purely on mutable tag references (e.g. :latest) results in false positives when a vulnerability has been addressed and a new "latest" version of the image has been pushed. Yet vulnerable versions may still remain remaining, even though they still reference <image>:latest in their PodSpec.

Describe the solution you'd like

If we include container.image.repo_digests in the k8sattributes::metadata array, we'd like to get not only container.image.name, container.image.tag, but also container.image.repo_digests added to the resource for that signal.

Describe alternatives you've considered

Scrape information from kube-state-metrics (which does provide the image digest) and somehow cross-join that with the resource attributes determined by k8sattributes processor?

Additional context

This issue was initially opened in #32152 thinking that the correct attribute to populate would be container.image.id using the k8s ImageID field. However, after more diligence in the now closed PR #32314, it was observed that Kubernetes doesn't provide a solid guarantee that its k8s API imageID field will always have a fetchable repository digest reference. In some cases, it may just be a digest lacking a repository image reference.

This new issue is intended to address this deficiency by recommending we populate the alternative container.image.repo_digests field if and only if the reference returned in the k8s API is a "Canonical" reference as defined by the code in github.com/distribution/reference.

// Canonical reference is an object with a fully unique
// name including a name with domain and digest
@evantorrie evantorrie added enhancement New feature or request needs triage New item requiring triage labels Jul 11, 2024
@github-actions github-actions bot added the processor/k8sattributes k8s Attributes processor label Jul 11, 2024
@github-actions GitHub Actions
Copy link
Contributor

Pinging code owners:

See Adding Labels via Comments if you do not have permissions to add labels yourself.

This was referenced Jul 11, 2024
Closed
Merged
@ChrsMark ChrsMark mentioned this issue Jul 11, 2024
Open
This was referenced Jul 16, 2024
Closed
Closed
This was referenced Jul 30, 2024
Closed
Closed
dmitryax pushed a commit that referenced this issue Aug 6, 2024
@evantorrie @ChrsMark
[processor/k8sattributes] Add container.image.repo_digests (#34031)
528678e 
**Description:**

Adds support for extracting canonical repo digest image references for a
container from k8s attributes

**Link to tracking Issue:** #34029 

**Testing:**

1. Adds unit tests for extracting the k8s `.imageID` field from
container status API if it is of the `reference.Canonical` form, and
storing it in a `ImageRepoDigest` string field. (Note: k8s will only
ever return one value here, although the semantic conventions for
`container.image.repo_digests` define it to be a `Slice`. We convert
into a Slice lazily when we populate the pcommon data structure.
2. Adds unit tests for including `container.image.repo_digests` in rules
for extraction.
3. Includes `container.image.repo_digests` in the e2e tests for
k8sattributes processor.


**Documentation:**

Added `container.image.repo_digests` as an example of attributes that
can be extracted from a container

---------

Co-authored-by: Christos Markou <chrismarkou92@gmail.com>
This was referenced Aug 13, 2024
Closed
Closed
This was referenced Aug 27, 2024
Closed
Closed
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 9, 2024

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

Pinging code owners:

See Adding Labels via Comments if you do not have permissions to add labels yourself.

@github-actions github-actions bot added the Stale label Sep 9, 2024
This was referenced Sep 10, 2024
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request needs triage New item requiring triage processor/k8sattributes k8s Attributes processor Stale
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@evantorrie