aquasecurity / trivy-operator

Kubernetes-native security toolkit
https://aquasecurity.github.io/trivy-operator/latest
Apache License 2.0

[Feature Request] Trigger command when image vulnerability scan container of the scan job finishes #1736

Open Zeratoxx opened 8 months ago

Zeratoxx commented 8 months ago

We need a way to trigger command(s) after the scan container of the scan job finishes.

We want to use the ClientServer mode. We have to use a multi-cluster Linkerd mesh. With that, each scan job of trivy needs a proxy to connect to a trivy server in the mesh.
Now the problem is that the proxy keeps running even after the Trivy scan completes and therefore the scan pod never ends.
It is possible to interrupt the proxy from outside (https://linkerd.io/2.14/tasks/graceful-shutdown/ ; https://itnext.io/three-ways-to-use-linkerd-with-kubernetes-jobs-c12ccc6d4c7c).

My personal issue has two ways for a solution:

  1. Calling a shutdown hook for the proxy from one container to another inside the pod.
  2. Wrapping the Trivy entrypoint with Linkerd-Await.

But with that, I need, as I already wrote above, either the possibility to ...

I’m open to discussing how to implement the feature.

chen-keinan commented 8 months ago

@Zeratoxx will it make sense to use finalizers as a hook?

Zeratoxx commented 8 months ago

> @Zeratoxx will it make sense to use finalizers as a hook?

Hi @chen-keinan :)

Afaik, finalizers only work with pods on the lowest level. But in my specific case, the container with the proxy is running in the same pod as the scan container as a sidecar, so that's one level below a pod.

This means that all scan pods never end and therefore the finalizer hook will probably never fire.

So I guess, I cannot use finalizer hooks unfortunately :/

chen-keinan commented 6 months ago

@Zeratoxx I mean if we add a finalizer to the scan job, so when the scan job is completed it can fire finalizers? wdyt?

Syndlex commented 6 months ago

I don't know if this can work.

The problem is that the Pod resource will never fire the finalizer since Linkerd is injecting the proxy as a sidecar. The Pod resource of a Job is in state Running as long as there are containers that are running.

But I am not very familiar with all the functions of the finalizer.

chen-keinan commented 6 months ago

> I don't know if this can work.
>
> The problem is that the Pod resource will never fire the finalizer since Linkerd is injecting the proxy as a sidecar. The Pod resource of a Job is in state Running as long as there are containers that are running.
>
> But I am not very familiar with all the functions of the finalizer.

I do not mean for the pod resource you deploy, I mean to give you the ability to add logic to trivy-scan-job

Syndlex commented 6 months ago

Yes, that's basically what's needed.

An extension so we can call the Linkerd proxy to shut down.

Zeratoxx commented 6 months ago

> @Zeratoxx I mean if we add a finalizer to the scan job, so when the scan job is completed it can fire finalizers? wdyt?
>
> I do not mean for the pod resource you deploy, I mean to give you the ability to add logic to trivy-scan-job
@chen-keinan To be honest, I don't understand how your proposed solution could be implemented with finalizers.

I suppose that you also don't mean the Kubernetes Job resource. You rather meant the Trivy scan container? 🤔 I'm kinda confused.

chen-keinan commented 6 months ago

> > @Zeratoxx I mean if we add a finalizer to the scan job, so when the scan job is completed it can fire finalizers? wdyt?
> >
> > I do not mean for the pod resource you deploy, I mean to give you the ability to add logic to trivy-scan-job
>
> @chen-keinan To be honest, I don't understand how your proposed solution could be implemented with finalizers.
>
> I suppose that you also don't mean the Kubernetes Job resource. You rather meant the Trivy scan container? 🤔 I'm kinda confused.

@Zeratoxx I do not have a solution yet, only trying to understand better the req.

Syndlex commented 6 months ago

In other apps we just run curl when the main executable in the main Job container is finished. This doesn't work here because we cannot change the entrypoint and do not have curl installed.
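The "run the scan, then tell the proxy sidecar to exit" wrapper that this thread keeps describing, as an added example that is not part of the issue, trivy-operator or Linkerd. It assumes the proxy admin endpoint at Linkerd's default localhost:4191, a curl binary in the image, and placeholder variable names (TRIVY_SERVER_URL, IMAGE_REF) for the scan arguments; as the comment above notes, the Trivy scan image has neither curl nor a replaceable entrypoint, so this shows the shape of the hook an operator would have to supply.

```shell
#!/bin/sh
# Added example, not trivy-operator or Linkerd code: wrapper for a Job's main container
# whose Linkerd proxy sidecar would otherwise keep the pod in Running forever.
# Assumed: proxy admin endpoint at the Linkerd default (localhost:4191), curl present.

PROXY_ADMIN="${LINKERD_PROXY_ADMIN:-http://localhost:4191}"

# proxy_present: true if the sidecar's admin port answers, so the same wrapper can run
# unchanged in a namespace that is not meshed (nothing to shut down there).
proxy_present() {
  curl -sS --max-time 2 -o /dev/null "$PROXY_ADMIN/ready" 2>/dev/null
}

# shutdown_proxy: ask linkerd-proxy to terminate. POST /shutdown is the endpoint from
# the Linkerd graceful-shutdown docs linked in the issue.
shutdown_proxy() {
  curl -sS --max-time 5 -X POST -o /dev/null "$PROXY_ADMIN/shutdown" 2>/dev/null
}

# run_then_shutdown: run the real workload, always attempt to stop the sidecar
# afterwards, and return the workload's own exit status so a failed scan still
# shows up as a failed Job instead of being masked by a successful shutdown call.
run_then_shutdown() {
  "$@"
  rc=$?
  if proxy_present; then
    shutdown_proxy || echo "warning: proxy shutdown request failed; pod may not complete" >&2
  fi
  return "$rc"
}

# Usage inside the scan container, if the entrypoint could be wrapped
# (TRIVY_SERVER_URL and IMAGE_REF are placeholder names, not trivy-operator variables):
#   run_then_shutdown trivy image --server "$TRIVY_SERVER_URL" "$IMAGE_REF"
# The linkerd-await binary mentioned in the issue does the same without curl:
#   linkerd-await --shutdown -- trivy image --server "$TRIVY_SERVER_URL" "$IMAGE_REF"
```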