
Add support for CRI "pinned" images

Open cpuguy83 opened this issue 2 years ago • 6 comments

The CRI API has a field on images, Pinned. This will be used for images like pause and should be used as a filter for image removal.

ref: https://github.com/containerd/containerd/pull/6456

cpuguy83 avatar Aug 19 '22 17:08 cpuguy83

tracked in https://github.com/containerd/containerd/pull/7944 now

sozercan avatar Feb 23 '23 18:02 sozercan

looks like containerd pr got merged

sozercan avatar Jun 13 '23 18:06 sozercan

So we'll want to allow toggling if we want to remove/keep Pinned images?

If a user decides to keep pinned images (ex. removePinnedImages: false or whatever a toggle would be): do we still want to scan those images? Or skip them from being scanned, since it doesn't matter as we're keeping them?

The main, or maybe only(?), reason I can think of scanning them is if we do the following issue #356 and it would be nice to raise any CVEs caught. Although since that hasn't been done, not sure if it's worth scanning (for now).

inFocus7 avatar Sep 05 '23 16:09 inFocus7

Is anyone in the eraser team planned to pick this up? If not, I could work on this 👀 (I have a WIP branch I was trying stuff out in a few months ago. I pushed to my forked repo, because I forgot most of my changes made lol)

inFocus7 avatar Nov 29 '23 23:11 inFocus7

@inFocus7 sounds great! I don't think anyone has been working on this. Assigned to you. Thanks!

sozercan avatar Nov 29 '23 23:11 sozercan

@sozercan Awesome, thanks! I wrote some thoughts in this Google Docs Design/Thoughts Docs.

If you don't want to click into the link (understandable), it boils down to:

  1. Will we want to be strict and never delete Pinned images? Or should we allow this to be user-configurable, so they can decide if they should delete or keep them?
  2. Do we even care about scanning Pinned images when we won't delete them?
    • Their vulnerabilities technically won't matter if we don't delete them, as the results would essentially be ignored.
    • From my understanding, scanning them would only be useful if we did any reports to make users aware, but as far as I know I don't believe we do something like this at the moment.

Actually, from looking over the architecture, I think it makes more sense to handle Pinned images through the collector and remover. Pinned statuses have nothing to do with vulnerabilities, and the scanner can be bypassed, so doing so in the scanner wouldn't be too helpful.

I'm assuming it should be possible to handle pinned images in those pods, since they have flags, so we should hopefully be able to add a bool flag for skip-pinned (or similar).

The question of: "Do we want to still scan Pinned images if we want to keep them no matter what?" still remains.

I updated the Google doc with a section at the end explaining this.

inFocus7 avatar Nov 30 '23 00:11 inFocus7
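A sketch of the collector/remover handling discussed in the thread, as an added example that is not the eraser project's code: the Image struct mirrors only the Id, RepoTags and Pinned fields of the CRI v1 Image message, and the RemovePinnedImages toggle name and the sample images are assumptions.

```go
package main

import "fmt"

// Image mirrors the CRI v1 Image fields relevant here (Id, RepoTags, Pinned);
// the real message lives in k8s.io/cri-api.
type Image struct {
	Id       string
	RepoTags []string
	Pinned   bool
}

// Config carries the toggle from the thread; the field name is an assumption.
type Config struct {
	RemovePinnedImages bool
}

// CollectCandidates is the collector side: skip images backing a running
// container and, unless the toggle is on, pinned images such as pause.
func CollectCandidates(images []Image, inUse map[string]bool, cfg Config) []Image {
	var out []Image
	for _, img := range images {
		if inUse[img.Id] || (img.Pinned && !cfg.RemovePinnedImages) {
			continue
		}
		out = append(out, img)
	}
	return out
}

// RemoveCandidates is the remover side: it re-checks Pinned on its own rather
// than trusting the collector's output, and returns ids to hand to RemoveImage.
func RemoveCandidates(candidates []Image, cfg Config) []string {
	var ids []string
	for _, img := range candidates {
		if img.Pinned && !cfg.RemovePinnedImages {
			continue
		}
		ids = append(ids, img.Id)
	}
	return ids
}

func main() {
	// Constructed sample: pinned pause image, unused app image, image in use.
	imgs := []Image{
		{Id: "sha256:pause", RepoTags: []string{"registry.k8s.io/pause:3.9"}, Pinned: true},
		{Id: "sha256:app", RepoTags: []string{"example.com/app:1.0"}},
		{Id: "sha256:db", RepoTags: []string{"example.com/db:2.0"}},
	}
	inUse := map[string]bool{"sha256:db": true}
	fmt.Println(RemoveCandidates(CollectCandidates(imgs, inUse, Config{}), Config{})) // [sha256:app]
}
```

With the toggle left at its default the pinned pause image never reaches RemoveImage, and the remover's own check keeps that true even if the collector stage was bypassed.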