
Feature request: Map k8s pod labels as project tags

Open muellerst-hg opened this issue 1 year ago • 5 comments

As a System Operator, I would like to add pod labels as project tags in DependencyTrack So that grouping/filtering by label in dtrack is possible

Background: We use k8s pod labels to determine and group things like application, stage, department, ...

Given the following deployment was applied to k8s cluster:
  ---
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: dependencytrack-frontend
    namespace: dependencytrack-sales-live
  spec:
    template:
      metadata:
        labels:
          app: dependencytrack
          stage: live
          department: sales
          service: inventory
      spec:
        containers:
          - name: dependencytrack-frontend
            image: dependencytrack-frontend:4.5.1
  ---
When the sbom-operator scans the pod and adds the project to dtrack
Then the following tags should be added to dtrack:
  [namespace=dependencytrack-sales-live, app=dependencytrack, stage=live, department=sales, ...]
But currently only the following tags are added:
  [namespace=dependencytrack-sales-live, ...]

What do you think about the idea of adding Labels map[string]string to struct libk8s.PodInfo and allow custom mapping of labels to dtrack project tags? What would be an appropriate way to configure the custom mapping?

sbom-operator is awesome. Thank you!

muellerst-hg avatar Sep 11 '22 19:09 muellerst-hg

Hi @muellerst-hg, thanks for your request. Sure, the Dependency Track integration can be extended with the pod labels as you specified. What do you mean by "custom mapping"? Can you give a few more details about this?

ckotzbauer avatar Sep 11 '22 19:09 ckotzbauer

Maybe "custom mapping" isn't the right term.

Given I have the following labels:
  spec:
    template:
      metadata:
        labels:
          app: dependencytrack
          stage: live
          department: sales
          service: inventory
          pod-template-hash: 12c5401afc
And I have selected "app" and "stage" as labels to be added as tags
Then the following project tags should be added to dtrack
    app=dependencytrack
    stage=live

muellerst-hg avatar Sep 11 '22 19:09 muellerst-hg

With two labels "app=dependencytrack" and "app=nginx", some magic would be required to identify both by matching "app" left of the equals sign.

muellerst-hg avatar Sep 11 '22 19:09 muellerst-hg

A user could provide a regex for matching labels like SBOM_DTRACK_LABEL_TAG_MATCHER="^(?:app|stage)="

muellerst-hg avatar Sep 11 '22 19:09 muellerst-hg
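The selection rule sketched in the two comments above (a configurable set of label keys, expressed as a regex such as `^(?:app|stage)=` applied to each `key=value` pair) can be written as a small filter. The following Go code is an added illustration for this thread, not code from sbom-operator; the type `LabelTagMatcher`, its methods and the sample pod data are assumptions chosen here, and the environment variable name is only quoted from the comment above.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// LabelTagMatcher turns pod labels into Dependency-Track project tags.
// Hypothetical helper: the regex is matched against the "key=value" form
// of every label, exactly as proposed in the comment above, so a pattern
// anchored with "^" selects by key while leaving the value free.
type LabelTagMatcher struct {
	re *regexp.Regexp
}

// NewLabelTagMatcher compiles the pattern, e.g. the value of the suggested
// SBOM_DTRACK_LABEL_TAG_MATCHER variable. Compile errors are returned so a
// bad operator-supplied pattern fails at startup rather than silently
// matching nothing.
func NewLabelTagMatcher(pattern string) (*LabelTagMatcher, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, fmt.Errorf("invalid label tag matcher %q: %w", pattern, err)
	}
	return &LabelTagMatcher{re: re}, nil
}

// Tags returns the tag list for one pod: the namespace tag that the
// operator already emits, followed by every label whose "key=value" string
// matches the pattern. Keys are sorted so the result is deterministic
// regardless of Go's map iteration order.
func (m *LabelTagMatcher) Tags(namespace string, labels map[string]string) []string {
	tags := []string{"namespace=" + namespace}
	keys := make([]string, 0, len(labels))
	for k := range labels {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		kv := k + "=" + labels[k]
		if m.re.MatchString(kv) {
			tags = append(tags, kv)
		}
	}
	return tags
}

func main() {
	// Constructed sample: the labels from the second comment, including the
	// pod-template-hash label that should not become a tag.
	labels := map[string]string{
		"app":               "dependencytrack",
		"stage":             "live",
		"department":        "sales",
		"service":           "inventory",
		"pod-template-hash": "12c5401afc",
	}
	m, err := NewLabelTagMatcher(`^(?:app|stage)=`)
	if err != nil {
		panic(err)
	}
	for _, t := range m.Tags("dependencytrack-sales-live", labels) {
		fmt.Println(t)
	}
}
```

Anchoring the pattern with `^` and ending it with `=` is what keeps `app` from also selecting keys such as `app-version`; a pattern without the anchor would match anywhere in the string, including inside label values that pod authors control.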

I got it, you want to control which pod-labels should be mapped to Dependency Track.

ckotzbauer avatar Sep 12 '22 05:09 ckotzbauer