feat(registry-scanner): check cronjob frequency to avoid misuse (#1983)

sysdiglabs · Oct 18, 2024 · 2ebd785 · 2ebd785
1 parent 6b0ebd8
commit 2ebd785
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 2 deletions.
diff --git a/charts/registry-scanner/Chart.yaml b/charts/registry-scanner/Chart.yaml
@@ -4,7 +4,7 @@ description: Sysdig Registry Scanner
 type: application
 home: https://www.sysdig.com/
 icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
-version: 1.4.0
+version: 1.4.1
 appVersion: 0.5.0
 maintainers:
   - name: sysdiglabs
diff --git a/charts/registry-scanner/README.md b/charts/registry-scanner/README.md
@@ -135,7 +135,7 @@ Use the following command to deploy:
 helm upgrade --install registry-scanner \
    --namespace sysdig-agent \
    --create-namespace \
-   --version=1.4.0 \
+   --version=1.4.1 \
    --set config.secureBaseURL=<SYSDIG_SECURE_URL> \
    --set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
    --set config.secureSkipTLS=true \

diff --git a/charts/registry-scanner/templates/_helpers.tpl b/charts/registry-scanner/templates/_helpers.tpl
@@ -138,3 +138,24 @@ Fail if cronjob.timeZone is set for Kubernetes < 1.24
     {{ fail "cronjob.timeZone was specified but kubernetes version is smaller than 1.24." }}
   {{- end }}
 {{- end }}
+{{/*
+Check cronjob value
+*/}}
+{{- define "registry-scanner.checkCronSchedule" -}}
+  {{- $schedule := .Values.cronjob.schedule}}
+  {{- $parts := splitList " " $schedule -}}
+
+  {{- if eq (len $parts) 5 -}}
+    {{- $minute := index $parts 0 -}}
+    {{- $hour := index $parts 1 -}}
+    {{- $dayOfMonth := index $parts 2 -}}
+    {{- $month := index $parts 3 -}}
+    {{- $dayOfWeek := index $parts 4 -}}
+
+    {{- if and (eq $dayOfMonth "*" ) (eq $dayOfWeek "*") (eq $month "*") -}}}
+      {{- printf "WARNING: You have configured the registry scanner to run on a schedule of '%s'. Running the scanner more often than every 24 hours can increase the load on your registry. The recommended configuration is to perform a scan weekly." $schedule | fail}}
+    {{- end -}}
+  {{- else -}}
+    {{- print "Error: Wrong cronjob format." | quote }}
+  {{- end -}}
+{{- end -}}
diff --git a/charts/registry-scanner/templates/cronjob.yaml b/charts/registry-scanner/templates/cronjob.yaml
@@ -1,3 +1,4 @@
+{{- include "registry-scanner.checkCronSchedule" . }}
 {{- include "registry-scanner.validateTimeZone" . }}
 {{- if (include "registry-scanner.kubeVersionLessThan" (dict "root" . "major" 1 "minor" 21)) }}
 apiVersion: batch/v1beta1

diff --git a/charts/registry-scanner/tests/cronjob_test.yaml b/charts/registry-scanner/tests/cronjob_test.yaml
@@ -121,3 +121,20 @@ tests:
       - failedTemplate:
           # errorMessage: spec.timeZone
           errorMessage: "cronjob.timeZone was specified but kubernetes version is smaller than 1.24."
+
+  - it: sets cronjob schedule more often than 24h
+    set:
+      cronjob.schedule: "0 0 * * *"
+    asserts:
+      - failedTemplate:
+          errorMessage: "WARNING: You have configured the registry scanner to run on a schedule of '0 0 * * *'. \
+           Running the scanner more often than every 24 hours can increase the load on your registry. \
+           The recommended configuration is to perform a scan weekly."
+
+  - it: sets cronjob schedule less often than 24h
+    set:
+      cronjob.schedule: "0 0 1 * *"
+    asserts:
+      - equal:
+          path: spec.schedule
+          value: "0 0 1 * *"