eraser-dev / eraser

🧹 Cleaning up images from Kubernetes nodes
https://eraser-dev.github.io/eraser/
Apache License 2.0
500 stars 62 forks

Add support for CRI "pinned" images #380

Open cpuguy83 opened 2 years ago

cpuguy83 commented 2 years ago

The CRI API has a field on images, Pinned. This will be used for images like pause and should be used as a filter for image removal.

ref: https://github.com/containerd/containerd/pull/6456

sozercan commented 1 year ago

tracked in https://github.com/containerd/containerd/pull/7944 now

sozercan commented 1 year ago

looks like containerd pr got merged

inFocus7 commented 1 year ago

So we'll want to allow toggling if we want to remove/keep Pinned images?

If a user decides to keep pinned images (ex. removePinnedImages: false or whatever a toggle would be): do we still want to scan those images? Or skip them from being scanned, since it doesn't matter as we're keeping them?

The main, or maybe only(?), reason I can think of scanning them is if we do the following issue #356 and it would be nice to raise any CVEs caught. Although since that hasn't been done, not sure if it's worth scanning (for now).

inFocus7 commented 11 months ago

Is anyone in the eraser team planned to pick this up? If not, I could work on this 👀 (I have a WIP branch I was trying stuff out in a few months ago. I pushed to my forked repo, because I forgot most of my changes made lol)

sozercan commented 11 months ago

@inFocus7 sounds great! i don't think anyone has been working on this. assigned to you. thanks!

inFocus7 commented 11 months ago

@sozercan Awesome, thanks! I wrote some thoughts in this Google Docs Design/Thoughts Docs.

If you don't want to click into the link (understandable), it boils down to:

  1. Will we want to be strict and never delete Pinned images? Or should we allow this to be user-configurable, so they can decide if they should delete or keep them?
  2. Do we even care about scanning Pinned images when we won't delete them?
    • Their vulnerabilities technically won't matter if we don't delete them, as the results would essentially be ignored.
    • From my understanding, scanning them would only be useful if we did any reports to make users aware, but as far as I know I don't believe we do something like this at the moment.

Actually, from looking over the architecture, I think it makes more sense to handle Pinned images through the collector and remover. Pinned statuses have nothing to do with vulnerabilities, and the scanner can be bypassed, so doing so in the scanner wouldn't be too helpful.

I'm assuming it should be possible to handle pinned images in those pods, since they have flags, so we should hopefully be able to add a bool flag for skip-pinned (or similar).

The question of: "Do we want to still scan Pinned images if we want to keep them no matter what?" still remains.

I updated the Google doc with a section at the end explaining this.
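The collector-side decision described in the last comment, as an added example written for this page in Go (eraser's own language); it is not eraser code and not code from the thread. The `criImage` struct is a constructed stand-in for the subset of the CRI `Image` message that matters here (its `Pinned` field is the one the issue asks eraser to honour), `skipPinned` is a hypothetical name for the toggle being debated, and the sample images are constructed input. It keeps the skipped pinned images in a separate list so they could still be logged or scanned even when they are never removed:

```go
package main

import (
	"fmt"
	"sort"
)

// criImage is a constructed stand-in for the subset of the CRI Image message
// (k8s.io/cri-api runtime/v1) this example needs. The Pinned field is the one
// the issue asks eraser to honour; the struct itself is not the generated type.
type criImage struct {
	ID       string
	RepoTags []string
	Pinned   bool
}

// collectorOptions models the user-facing toggle discussed in the thread.
// The name skipPinned is an assumption for illustration, not an eraser flag.
type collectorOptions struct {
	skipPinned bool
}

// collectResult separates what the remover may delete from what was held back,
// so skipped pinned images can still be logged or scanned later if wanted.
type collectResult struct {
	Removable     []string
	SkippedInUse  []string
	SkippedPinned []string
}

// collect decides, per image, whether it is a removal candidate: images backing
// a running container are always kept; pinned images are kept only when the
// skipPinned toggle is on (otherwise they are treated like any other image).
func collect(images []criImage, inUse map[string]bool, opts collectorOptions) collectResult {
	var res collectResult
	for _, img := range images {
		switch {
		case inUse[img.ID]:
			res.SkippedInUse = append(res.SkippedInUse, img.ID)
		case opts.skipPinned && img.Pinned:
			res.SkippedPinned = append(res.SkippedPinned, img.ID)
		default:
			res.Removable = append(res.Removable, img.ID)
		}
	}
	// Sort so the result does not depend on the order the runtime listed images.
	sort.Strings(res.Removable)
	sort.Strings(res.SkippedInUse)
	sort.Strings(res.SkippedPinned)
	return res
}

// sampleImages is constructed input: a pinned pause image, an image backing a
// running container, and an unreferenced image left behind by an old rollout.
func sampleImages() []criImage {
	return []criImage{
		{ID: "sha256:pause", RepoTags: []string{"registry.k8s.io/pause:3.9"}, Pinned: true},
		{ID: "sha256:app", RepoTags: []string{"example.com/app:1.2"}},
		{ID: "sha256:old", RepoTags: []string{"example.com/app:1.1"}},
	}
}

// sampleInUse is constructed: the set of image IDs referenced by running containers.
func sampleInUse() map[string]bool {
	return map[string]bool{"sha256:app": true}
}

func main() {
	for _, skip := range []bool{true, false} {
		res := collect(sampleImages(), sampleInUse(), collectorOptions{skipPinned: skip})
		fmt.Printf("skipPinned=%v removable=%v skippedPinned=%v skippedInUse=%v\n",
			skip, res.Removable, res.SkippedPinned, res.SkippedInUse)
	}
}
```

With the toggle on, only the stale `example.com/app:1.1` image is handed to the remover and the pause image lands in `SkippedPinned`; with it off, the pause image becomes a removal candidate like any other unused image, which is the behaviour the thread argues eraser should not default to once containerd reports `Pinned`.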