feat: Vulnerability scan using Trivy fs scan command

``trivy.command: fs`` will change the trivy scan option to pick up vulnerability scans
using trivy fs scan command

This is the implementation of first approach suggested here #830

pkg/kube/object.go

@@ -445,6 +445,59 @@ func (o *ObjectResolver) GetRelatedReplicasetName(ctx context.Context, object Ob
 	return "", fmt.Errorf("can only get related ReplicaSet for Deployment or Pod, not %q", string(object.Kind))
 }
 
+// GetNodeName will return the nodename from one of the running pod of any kubernetes kind
+func (o *ObjectResolver) GetNodeName(ctx context.Context, obj client.Object) (nodeName string, err error) {
+	switch t := obj.(type) {
+	case *corev1.Pod:
+		return (obj.(*corev1.Pod)).Spec.NodeName, nil
+	case *appsv1.Deployment:
+		replicaSet, err := o.ReplicaSetByDeployment(ctx, obj.(*appsv1.Deployment))
+		if err != nil {
+			return "", err
+		}
+		pods, err := o.getPodsByLabelSelector(ctx, obj.GetNamespace(), replicaSet.Spec.Selector.MatchLabels)
+		if err != nil || (pods != nil && len(pods.Items) == 0) {
+			return "", err
+		}
+		return pods.Items[0].Spec.NodeName, nil
+	case *appsv1.ReplicaSet:
+		pods, err := o.getPodsByLabelSelector(ctx, obj.GetNamespace(), obj.(*appsv1.ReplicaSet).Spec.Selector.MatchLabels)
+		if err != nil || (pods != nil && len(pods.Items) == 0) {
+			return "", err
+		}
+		return pods.Items[0].Spec.NodeName, nil
+	case *corev1.ReplicationController:
+		pods, err := o.getPodsByLabelSelector(ctx, obj.GetNamespace(), obj.(*corev1.ReplicationController).Spec.Selector)
+		if err != nil || (pods != nil && len(pods.Items) == 0) {
+			return "", err
+		}
+		return pods.Items[0].Spec.NodeName, nil
+	case *appsv1.StatefulSet:
+		pods, err := o.getPodsByLabelSelector(ctx, obj.GetNamespace(), obj.(*appsv1.StatefulSet).Spec.Selector.MatchLabels)
+		if err != nil || (pods != nil && len(pods.Items) == 0) {
+			return "", err
+		}
+		return pods.Items[0].Spec.NodeName, nil
+	case *appsv1.DaemonSet:
+		pods, err := o.getPodsByLabelSelector(ctx, obj.GetNamespace(), obj.(*appsv1.DaemonSet).Spec.Selector.MatchLabels)
+		if err != nil || (pods != nil && len(pods.Items) == 0) {
+			return "", err
+		}
+		return pods.Items[0].Spec.NodeName, nil
+	case *batchv1beta1.CronJob:
+		//Todo handle cronjob
+		return "", nil
+	case *batchv1.Job:
+		pods, err := o.getPodsByLabelSelector(ctx, obj.GetNamespace(), obj.(*batchv1.Job).Spec.Selector.MatchLabels)
+		if err != nil || (pods != nil && len(pods.Items) == 0) {
+			return "", err
+		}
+		return pods.Items[0].Spec.NodeName, nil
+	default:
+		return "", fmt.Errorf("unsupported workload kind: %T", t)
+	}
+}
+
 func (o *ObjectResolver) getActiveReplicaSetByDeployment(ctx context.Context, object Object) (string, error) {
 	deploy := &appsv1.Deployment{}
 	err := o.Client.Get(ctx, types.NamespacedName{Namespace: object.Namespace, Name: object.Name}, deploy)
@@ -488,3 +541,15 @@ func (o *ObjectResolver) getReplicaSetByPod(ctx context.Context, object Object)
 	}
 	return controller.Name, nil
 }
+
+func (o *ObjectResolver) getPodsByLabelSelector(ctx context.Context, namespace string,
+	labelSelector labels.Set) (pods *corev1.PodList, err error) {
+	pods = &corev1.PodList{}
+	err = o.Client.List(ctx, pods, client.InNamespace(namespace),
+		client.MatchingLabelsSelector{Selector: labels.SelectorFromSet(labelSelector)})
+	if err != nil {
+		return pods, fmt.Errorf("listing pods in namespace %s for labelselector %v: %w", namespace,
+			labelSelector, err)
+	}
+	return pods, err
+}

pkg/operator/controller/vulnerabilityreport.go

@@ -228,8 +228,13 @@ func (r *VulnerabilityReportReconciler) submitScanJob(ctx context.Context, owner
 		WithTolerations(scanJobTolerations).
 		WithAnnotations(scanJobAnnotations).
 		WithCredentials(credentials).
+		WithClient(r.Client).
 		Get()
 
+	if err != nil {
+		return fmt.Errorf("getting scan job spec: %w", err)
+	}
+
 	for _, secret := range secrets {
 		secret.Namespace = r.PluginContext.GetNamespace()
 		err = r.Client.Create(ctx, secret)