feat: Specify scan job timeout for Polaris scanner

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>

pkg/cmd/find_vulnerabilities.go

@@ -2,7 +2,6 @@ package cmd
 
 import (
 	"context"
-	"time"
 
 	"github.com/aquasecurity/starboard/pkg/find/vulnerabilities/crd"
 	"github.com/aquasecurity/starboard/pkg/find/vulnerabilities/trivy"
@@ -12,10 +11,6 @@ import (
 	"k8s.io/client-go/kubernetes"
 )
 
-const (
-	scanJobTimeoutFlagName = "scan-job-timeout"
-)
-
 func GetVulnerabilitiesCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
 	cmd := &cobra.Command{
 		Aliases: []string{"vulns", "vuln"},
@@ -87,17 +82,7 @@ NAME is the name of a particular Kubernetes workload.
 		},
 	}
 
-	cmd.Flags().Duration(scanJobTimeoutFlagName, time.Duration(0),
-		"The length of time to wait before giving up on a scan job. Non-zero values should contain a"+
-			" corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout the scan job.")
+	registerScannerOpts(cmd)
 
 	return cmd
 }
-
-func getScannerOpts(cmd *cobra.Command) (opts trivy.ScannerOpts, err error) {
-	opts.ScanJobTimeout, err = cmd.Flags().GetDuration(scanJobTimeoutFlagName)
-	if err != nil {
-		return
-	}
-	return
-}

pkg/cmd/polaris.go

@@ -25,7 +25,11 @@ func NewPolarisCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
 			if err != nil {
 				return
 			}
-			reports, err := polaris.NewScanner(clientset).Scan(ctx)
+			opts, err := getScannerOpts(cmd)
+			if err != nil {
+				return
+			}
+			reports, err := polaris.NewScanner(opts, clientset).Scan(ctx)
 			if err != nil {
 				return
 			}
@@ -40,5 +44,8 @@ func NewPolarisCmd(cf *genericclioptions.ConfigFlags) *cobra.Command {
 			return
 		},
 	}
+
+	registerScannerOpts(cmd)
+
 	return cmd
 }

pkg/cmd/root.go

@@ -3,6 +3,7 @@ package cmd
 import (
 	"errors"
 	"strings"
+	"time"
 
 	"github.com/aquasecurity/starboard/pkg/kube"
 
@@ -74,3 +75,22 @@ func WorkloadFromArgs(namespace string, args []string) (workload kube.Workload,
 	}
 	return
 }
+
+const (
+	scanJobTimeoutFlagName = "scan-job-timeout"
+)
+
+func registerScannerOpts(cmd *cobra.Command) {
+	cmd.Flags().Duration(scanJobTimeoutFlagName, time.Duration(0),
+		"The length of time to wait before giving up on a scan job. Non-zero values should contain a"+
+			" corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout the scan job.")
+
+}
+
+func getScannerOpts(cmd *cobra.Command) (opts kube.ScannerOpts, err error) {
+	opts.ScanJobTimeout, err = cmd.Flags().GetDuration(scanJobTimeoutFlagName)
+	if err != nil {
+		return
+	}
+	return
+}

pkg/find/vulnerabilities/trivy/scanner.go

@@ -6,7 +6,6 @@ import (
 	"github.com/aquasecurity/starboard/pkg/ext"
 	"io"
 	"k8s.io/klog"
-	"time"
 
 	"github.com/aquasecurity/starboard/pkg/kube"
 	"github.com/aquasecurity/starboard/pkg/runner"
@@ -31,13 +30,8 @@ const (
 	trivyImageRef = "docker.io/aquasec/trivy:0.8.0"
 )
 
-// ScannerOpts holds configuration of the vulnerability Scanner.
-type ScannerOpts struct {
-	ScanJobTimeout time.Duration
-}
-
 // NewScanner constructs a new vulnerability Scanner with the specified options and Kubernetes client Interface.
-func NewScanner(opts ScannerOpts, clientset kubernetes.Interface) vulnerabilities.Scanner {
+func NewScanner(opts kube.ScannerOpts, clientset kubernetes.Interface) vulnerabilities.Scanner {
 	return &scanner{
 		opts:      opts,
 		clientset: clientset,
@@ -48,7 +42,7 @@ func NewScanner(opts ScannerOpts, clientset kubernetes.Interface) vulnerabilitie
 }
 
 type scanner struct {
-	opts      ScannerOpts
+	opts      kube.ScannerOpts
 	clientset kubernetes.Interface
 	pods      *pod.Manager
 	secrets   *secret.Manager

pkg/kube/workload.go

@@ -2,6 +2,7 @@ package kube
 
 import (
 	"fmt"
+	"time"
 )
 
 const (
@@ -91,3 +92,8 @@ func WorkloadKindFromString(s string) (WorkloadKind, error) {
 	}
 	return WorkloadKindUnknown, fmt.Errorf("unrecognized workload: %s", s)
 }
+
+// ScannerOpts holds configuration of the vulnerability Scanner.
+type ScannerOpts struct {
+	ScanJobTimeout time.Duration
+}

pkg/polaris/scanner.go

@@ -3,8 +3,6 @@ package polaris
 import (
 	"context"
 	"fmt"
-	"time"
-
 	starboard "github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
 
 	"k8s.io/utils/pointer"
@@ -21,11 +19,6 @@ import (
 	"k8s.io/client-go/kubernetes"
 )
 
-const (
-	runnerTimeout = 90 * time.Second
-	jobTimeout    = 60 * time.Second
-)
-
 const (
 	polarisContainerName = "polaris"
 	// TODO: The latest semver tagged image 0.6.0 doesn't return audit checks ?!
@@ -35,13 +28,15 @@ const (
 )
 
 type Scanner struct {
+	opts      kube.ScannerOpts
 	clientset kubernetes.Interface
 	pods      *pod.Manager
 	converter Converter
 }
 
-func NewScanner(clientset kubernetes.Interface) *Scanner {
+func NewScanner(opts kube.ScannerOpts, clientset kubernetes.Interface) *Scanner {
 	return &Scanner{
+		opts:      opts,
 		clientset: clientset,
 		pods:      pod.NewPodManager(clientset),
 		converter: DefaultConverter,
@@ -51,8 +46,7 @@ func NewScanner(clientset kubernetes.Interface) *Scanner {
 func (s *Scanner) Scan(ctx context.Context) (reports []starboard.ConfigAudit, err error) {
 	polarisJob := s.preparePolarisJob()
 
-	err = runner.NewWithTimeout(runnerTimeout).
-		Run(ctx, kube.NewRunnableJob(s.clientset, polarisJob))
+	err = runner.New().Run(ctx, kube.NewRunnableJob(s.clientset, polarisJob))
 	if err != nil {
 		err = fmt.Errorf("running polaris job: %w", err)
 		return
@@ -93,7 +87,7 @@ func (s *Scanner) preparePolarisJob() *batch.Job {
 		Spec: batch.JobSpec{
 			BackoffLimit:          pointer.Int32Ptr(1),
 			Completions:           pointer.Int32Ptr(1),
-			ActiveDeadlineSeconds: pointer.Int64Ptr(int64(jobTimeout.Seconds())),
+			ActiveDeadlineSeconds: s.getActiveDeadlineSeconds(),
 			Template: core.PodTemplateSpec{
 				ObjectMeta: meta.ObjectMeta{
 					Labels: map[string]string{
@@ -135,3 +129,12 @@ func (s *Scanner) preparePolarisJob() *batch.Job {
 		},
 	}
 }
+
+// TODO Move to scanners.Base struct [DRY]
+func (s *Scanner) getActiveDeadlineSeconds() (timeout *int64) {
+	if s.opts.ScanJobTimeout > 0 {
+		timeout = pointer.Int64Ptr(int64(s.opts.ScanJobTimeout.Seconds()))
+		return
+	}
+	return
+}