podscanner

package
v1.7.6 Latest
Warning

This package is not in the latest version of its module.

Published: Mar 7, 2026 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type ParsedImage

type ParsedImage struct {
	Registry  string // path before last /
	ImageName string // last path segment before : or @
	Tag       string // after :, or "latest" if absent
}

ParsedImage holds the components of a container image reference.

func ParseImage

func ParseImage(image string) ParsedImage

ParseImage splits a container image string into registry, image_name, and tag. It handles references such as docker.io/istio/proxyv2:1.20.1, registry:5000/repo/image:tag, and image@sha256:...

func (ParsedImage) Matches

func (p ParsedImage) Matches(vals *configmap.IstioValues, compareHub bool) bool

Matches returns true if the parsed container image matches the expected Istio values. When compareHub is true, registry must match hub; when false, only image name and tag are compared.
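The following is an added sketch, not the package's own code, of the splitting and comparison rules documented for ParseImage and Matches. It shows why a registry port must not be read as a tag and what a comparison without the hub accepts. The names imageRef, splitImageRef and sameImage, the handling of digest references, and the mirror.example host are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// imageRef mirrors the three documented ParsedImage fields (hypothetical type).
type imageRef struct{ Registry, Name, Tag string }

// splitImageRef is a hypothetical re-implementation written from the field
// comments on this page; it is not the package's ParseImage.
func splitImageRef(image string) imageRef {
	ref := imageRef{Tag: "latest"}
	// Assumption: a digest suffix is dropped, so a digest-only reference
	// keeps the default tag. The page does not say what ParseImage does here.
	if at := strings.Index(image, "@"); at >= 0 {
		image = image[:at]
	}
	// Split on the last "/" first so a registry port is never read as a tag.
	last := image
	if slash := strings.LastIndex(image, "/"); slash >= 0 {
		ref.Registry, last = image[:slash], image[slash+1:]
	}
	ref.Name = last
	if colon := strings.Index(last, ":"); colon >= 0 {
		ref.Name, ref.Tag = last[:colon], last[colon+1:]
	}
	return ref
}

// sameImage applies the documented Matches rule: the registry is compared
// with hub only when compareHub is true (hub, name, tag are assumed inputs).
func sameImage(r imageRef, hub, name, tag string, compareHub bool) bool {
	if compareHub && r.Registry != hub {
		return false
	}
	return r.Name == name && r.Tag == tag
}

func main() {
	// Constructed sample references; the mirror host is a placeholder.
	for _, s := range []string{"docker.io/istio/proxyv2:1.20.1",
		"registry:5000/repo/image", "mirror.example/istio/proxyv2:1.20.1"} {
		r := splitImageRef(s)
		fmt.Printf("%s -> %+v nameTag=%v withHub=%v\n", s, r,
			sameImage(r, "docker.io/istio", "proxyv2", "1.20.1", false),
			sameImage(r, "docker.io/istio", "proxyv2", "1.20.1", true))
	}
}
```

With compareHub false, the same image name and tag served from a different registry counts as a match, so hub comparison is the setting to use when the registry is part of what the scan should verify.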

type PodScanner

type PodScanner struct {
	// contains filtered or unexported fields
}

PodScanner lists Pods with Istio sidecars and finds their parent workloads.

func NewPodScanner

func NewPodScanner(c client.Client, webhookCaller webhook.WebhookCaller) *PodScanner

NewPodScanner creates a new PodScanner.

func (*PodScanner) ScanOutdatedPods

func (s *PodScanner) ScanOutdatedPods(ctx context.Context, lastModifiedByRevision map[string]time.Time, tagToRevision map[string]string, lastModifiedByTag map[string]time.Time, opts ScanOptions) ([]WorkloadRef, error)

ScanOutdatedPods lists all Pods, finds each pod's controller (Deployment/StatefulSet/DaemonSet), builds a pod from the workload template, submits it to the Istio injection webhook, and compares the mutated response's istio-proxy image with the current pod. It returns WorkloadRefs for pods with outdated sidecars.

lastModifiedByRevision is used for the ConfigMap LastModified skip. lastModifiedByTag is used for the tag MWC LastModified skip when the workload uses a tag. tagToRevision maps Istio revision tags to revisions (from istio-revision-tag-* MutatingWebhookConfigurations).

type ScanOptions

type ScanOptions struct {
	// CompareHub, when true, requires registry to match when comparing images.
	// When false, only image name and tag are compared (registry is ignored).
	CompareHub bool
	// IstiodConfigReadDelay is added to the effective lastModified (max of ConfigMap and MWC) when deciding whether to skip pods.
	// Pods created within this window after a config update may have been injected before
	// Istiod loaded the new config, so we still scan them.
	IstiodConfigReadDelay time.Duration
	// SkipNamespaces lists namespaces to skip when scanning pods.
	SkipNamespaces []string
	// LimitToNamespaces, when non-empty, restricts scanning to pods in these namespaces only.
	LimitToNamespaces []string
}

ScanOptions configures pod scanning behavior.

type WorkloadRef

type WorkloadRef struct {
	types.NamespacedName
	Kind string // "Deployment", "StatefulSet", or "DaemonSet"
}

WorkloadRef identifies a Deployment, StatefulSet, or DaemonSet.
