add CSI information to discovery-agent #816
Pull request overview
This PR extends the discovery-agent’s Kubernetes dynamic collection and CyberArk snapshot upload to include Secrets Store CSI resources (SecretProviderClass and SecretProviderClassPodStatus), with field allow-listing/redaction, RBAC, and associated tests to support safely reporting CSI configuration/status to the backend.
Changes:
- Add allow-listed field sets for SecretProviderClass and SecretProviderClassPodStatus and apply them during dynamic redaction/selection.
- Extend CyberArk snapshot conversion/extraction to include the new CSI resource lists.
- Update Helm chart config and RBAC to collect and grant read access to the CSI resources, plus update snapshot tests.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pkg/datagatherer/k8sdynamic/fieldfilter.go | Adds selected-field allow-lists for CSI resources. |
| pkg/datagatherer/k8sdynamic/fieldfilter_test.go | Adds selection tests covering the new CSI allow-lists. |
| pkg/datagatherer/k8sdynamic/dynamic.go | Applies selection/redaction for CSI resources during dynamic gathering. |
| pkg/client/client_cyberark.go | Adds extractors to populate snapshot fields for CSI resources. |
| pkg/client/client_cyberark_test.go | Updates default dynamic gatherer name list used by integration-style tests. |
| pkg/client/client_cyberark_convertdatareadings_test.go | Adds conversion tests for the new CSI snapshot fields. |
| internal/cyberark/dataupload/dataupload.go | Extends the snapshot schema with CSI resource arrays. |
| deploy/charts/disco-agent/tests/snapshot/configmap_test.yaml.snap | Updates Helm snapshot expectations for new gatherers. |
| deploy/charts/disco-agent/templates/rbac.yaml | Adds ClusterRole/Binding to read CSI resources. |
| deploy/charts/disco-agent/templates/configmap.yaml | Adds dynamic gatherer configs for CSI resources. |
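Added example, not the project's own code, of the allow-list selection the overview describes: a `Select` that keeps only named dotted paths from a SecretProviderClass-shaped object, so provider parameters and other unlisted fields never reach the backend. The field list, `prune`, and `SampleSPC` are constructed for this demo; the real `SecretProviderClassSelectedFields` is not shown on this page.

```go
package main

import "fmt"
import "strings"

// Allow-listed dotted paths, constructed for this example; the project's real
// SecretProviderClassSelectedFields is not shown on the page.
var SecretProviderClassSelectedFields = []string{
	"apiVersion", "kind", "metadata.name", "metadata.namespace", "spec.provider",
}

// Select returns a copy of resource holding only the allow-listed paths; every
// unlisted subtree (here spec.parameters, metadata.annotations) is dropped.
func Select(fields []string, resource map[string]any) map[string]any {
	return prune(resource, "", fields)
}

// prune keeps a key whose full path is listed, descends when a listed path lies beneath it, drops the rest.
func prune(m map[string]any, prefix string, fields []string) map[string]any {
	out := map[string]any{}
	for k, v := range m {
		path := prefix + k
		exact, below := false, false
		for _, f := range fields {
			exact = exact || f == path
			below = below || strings.HasPrefix(f, path+".")
		}
		child, isMap := v.(map[string]any)
		switch {
		case exact:
			out[k] = v
		case below && isMap:
			out[k] = prune(child, path+".", fields)
		}
	}
	return out
}

// SampleSPC is a constructed SecretProviderClass-shaped object for the demo.
func SampleSPC() map[string]any {
	return map[string]any{
		"apiVersion": "secrets-store.csi.x-k8s.io/v1", "kind": "SecretProviderClass",
		"metadata": map[string]any{"name": "db-creds", "namespace": "apps",
			"annotations": map[string]any{"owner": "platform-team"}},
		"spec": map[string]any{"provider": "vault",
			"parameters": map[string]any{"objects": "- objectName: db-password"}},
	}
}

func main() { fmt.Println(Select(SecretProviderClassSelectedFields, SampleSPC())) }
```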
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
…jetstack-secure into dev/csi_information
Looks straightforward. I haven't tested with an actual Kubernetes cluster with a Secrets Store CSI Driver installed, though.
```go
case gvk.Kind == "SecretProviderClass" && gvk.Group == "secrets-store.csi.x-k8s.io":
	if err := Select(SecretProviderClassSelectedFields, resource); err != nil {
		return err
	}
```
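Review bot: the case matches on gvk.Kind and gvk.Group only, so every served API version of SecretProviderClass goes through the same SecretProviderClassSelectedFields allow-list; if that list was written against one version's schema, fields that exist only in another version are dropped silently rather than reported. Consider stating in a comment which version the allow-list targets, or including gvk.Version in the match, so the selection stays reviewable when the CRD schema changes.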
Is there really a point in redacting fields from SecretProviderClass resources (beyond the regular redacted metadata/labels)?
The reason we have Select for Routes and Secrets is because they do contain confidential information (data.tls\.key in secrets, spec.tls.key in routes). Are you sure SecretProviderClass or SecretProviderClassPodStatus have some secrets?