image-pruning: add upstream deployments to the graph

Signed-off-by: Michal Minář <[email protected]>

Author: Michal Minář

pkg/apps/graph/nodes/nodes.go

@@ -37,6 +37,33 @@ func FindOrCreateSyntheticDaemonSetNode(g osgraph.MutableUniqueGraph, ds *kapise
 	).(*DaemonSetNode)
 }
 
+// EnsureDeploymentNode adds the provided upstream deployment to the graph if it does not exist
+func EnsureDeploymentNode(g osgraph.MutableUniqueGraph, deployment *kapisext.Deployment) *DeploymentNode {
+	deploymentName := DeploymentNodeName(deployment)
+	deploymentNode := osgraph.EnsureUnique(
+		g,
+		deploymentName,
+		func(node osgraph.Node) graph.Node {
+			return &DeploymentNode{Node: node, Deployment: deployment, IsFound: true}
+		},
+	).(*DeploymentNode)
+
+	podTemplateSpecNode := kubegraph.EnsurePodTemplateSpecNode(g, &deployment.Spec.Template, deployment.Namespace, deploymentName)
+	g.AddEdge(deploymentNode, podTemplateSpecNode, osgraph.ContainsEdgeKind)
+
+	return deploymentNode
+}
+
+func FindOrCreateSyntheticDeploymentNode(g osgraph.MutableUniqueGraph, deployment *kapisext.Deployment) *DeploymentNode {
+	return osgraph.EnsureUnique(
+		g,
+		DeploymentNodeName(deployment),
+		func(node osgraph.Node) graph.Node {
+			return &DeploymentNode{Node: node, Deployment: deployment, IsFound: false}
+		},
+	).(*DeploymentNode)
+}
+
 // EnsureDeploymentConfigNode adds the provided deployment config to the graph if it does not exist
 func EnsureDeploymentConfigNode(g osgraph.MutableUniqueGraph, dc *deployapi.DeploymentConfig) *DeploymentConfigNode {
 	dcName := DeploymentConfigNodeName(dc)

pkg/apps/graph/nodes/types.go

@@ -11,6 +11,7 @@ import (
 
 var (
 	DaemonSetNodeKind        = reflect.TypeOf(kapisext.DaemonSet{}).Name()
+	DeploymentNodeKind       = reflect.TypeOf(kapisext.Deployment{}).Name()
 	DeploymentConfigNodeKind = reflect.TypeOf(deployapi.DeploymentConfig{}).Name()
 )
 
@@ -41,6 +42,33 @@ func (*DaemonSetNode) Kind() string {
 	return DaemonSetNodeKind
 }
 
+func DeploymentNodeName(o *kapisext.Deployment) osgraph.UniqueName {
+	return osgraph.GetUniqueRuntimeObjectNodeName(DeploymentNodeKind, o)
+}
+
+type DeploymentNode struct {
+	osgraph.Node
+	Deployment *kapisext.Deployment
+
+	IsFound bool
+}
+
+func (n DeploymentNode) Found() bool {
+	return n.IsFound
+}
+
+func (n DeploymentNode) Object() interface{} {
+	return n.Deployment
+}
+
+func (n DeploymentNode) String() string {
+	return string(DeploymentNodeName(n.Deployment))
+}
+
+func (*DeploymentNode) Kind() string {
+	return DeploymentNodeKind
+}
+
 func DeploymentConfigNodeName(o *deployapi.DeploymentConfig) osgraph.UniqueName {
 	return osgraph.GetUniqueRuntimeObjectNodeName(DeploymentConfigNodeKind, o)
 }

pkg/cmd/server/bootstrappolicy/policy.go

@@ -552,6 +552,7 @@ func GetOpenshiftBootstrapClusterRoles() []rbac.ClusterRole {
 				rbac.NewRule("get", "list").Groups(buildGroup, legacyBuildGroup).Resources("buildconfigs", "builds").RuleOrDie(),
 				rbac.NewRule("get", "list").Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs").RuleOrDie(),
 				rbac.NewRule("get", "list").Groups(extensionsGroup).Resources("daemonsets").RuleOrDie(),
+				rbac.NewRule("get", "list").Groups(extensionsGroup).Resources("deployments").RuleOrDie(),
 
 				rbac.NewRule("delete").Groups(imageGroup, legacyImageGroup).Resources("images").RuleOrDie(),
 				rbac.NewRule("get", "list").Groups(imageGroup, legacyImageGroup).Resources("images", "imagestreams").RuleOrDie(),

pkg/image/prune/prune.go

@@ -137,6 +137,8 @@ type PrunerOptions struct {
 	Builds *buildapi.BuildList
 	// DSs is the entire list of daemon sets across all namespaces in the cluster.
 	DSs *kapisext.DaemonSetList
+	// Deployments is the entire list of kube's deployments across all namespaces in the cluster.
+	Deployments *kapisext.DeploymentList
 	// DCs is the entire list of deployment configs across all namespaces in the cluster.
 	DCs *deployapi.DeploymentConfigList
 	// LimitRanges is a map of LimitRanges across namespaces, being keys in this map.
@@ -201,6 +203,7 @@ var _ Pruner = &pruner{}
 // - any pending pods
 // - any replication controllers
 // - any daemonsets
+// - any kube deployments
 // - any deployment configs
 // - any build configs
 // - any builds
@@ -246,6 +249,7 @@ func NewPruner(options PrunerOptions) (Pruner, error) {
 		return nil, err
 	}
 	addDaemonSetsToGraph(g, options.DSs)
+	addDeploymentsToGraph(g, options.Deployments)
 	addDeploymentConfigsToGraph(g, options.DCs)
 
 	return &pruner{
@@ -489,6 +493,19 @@ func addDaemonSetsToGraph(g graph.Graph, dss *kapisext.DaemonSetList) {
 	}
 }
 
+// addDeploymentsToGraph adds kube's deployments to the graph.
+//
+// Edges are added to the graph from each deployment to the images specified by its pod spec's list of
+// containers, as long as the image is managed by OpenShift.
+func addDeploymentsToGraph(g graph.Graph, dmnts *kapisext.DeploymentList) {
+	for i := range dmnts.Items {
+		d := &dmnts.Items[i]
+		glog.V(4).Infof("Examining Deployment %s", getName(d))
+		dNode := deploygraph.EnsureDeploymentNode(g, d)
+		addPodSpecToGraph(g, &d.Spec.Template.Spec, dNode)
+	}
+}
+
 // addDeploymentConfigsToGraph adds deployment configs to the graph.
 //
 // Edges are added to the graph from each deployment config to the images

pkg/image/prune/prune_test.go

@@ -265,6 +265,26 @@ func ds(namespace, name string, containerImages ...string) kapisext.DaemonSet {
 	}
 }
 
+func deploymentList(deployments ...kapisext.Deployment) kapisext.DeploymentList {
+	return kapisext.DeploymentList{
+		Items: deployments,
+	}
+}
+
+func deployment(namespace, name string, containerImages ...string) kapisext.Deployment {
+	return kapisext.Deployment{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: namespace,
+			Name:      name,
+		},
+		Spec: kapisext.DeploymentSpec{
+			Template: kapi.PodTemplateSpec{
+				Spec: podSpec(containerImages...),
+			},
+		},
+	}
+}
+
 func dcList(dcs ...deployapi.DeploymentConfig) deployapi.DeploymentConfigList {
 	return deployapi.DeploymentConfigList{
 		Items: dcs,
@@ -501,6 +521,7 @@ func TestImagePruning(t *testing.T) {
 		bcs                        buildapi.BuildConfigList
 		builds                     buildapi.BuildList
 		dss                        kapisext.DaemonSetList
+		deployments                kapisext.DeploymentList
 		dcs                        deployapi.DeploymentConfigList
 		limits                     map[string][]*kapi.LimitRange
 		expectedImageDeletions     []string
@@ -665,6 +686,15 @@ func TestImagePruning(t *testing.T) {
 			expectedImageDeletions: []string{"sha256:0000000000000000000000000000000000000000000000000000000000000001"},
 		},
 
+		"referenced by upstream deployment - don't prune": {
+			images: imageList(
+				image("sha256:0000000000000000000000000000000000000000000000000000000000000000", registryHost+"/foo/bar@sha256:0000000000000000000000000000000000000000000000000000000000000000"),
+				image("sha256:0000000000000000000000000000000000000000000000000000000000000001", registryHost+"/foo/bar@sha256:0000000000000000000000000000000000000000000000000000000000000001"),
+			),
+			deployments:            deploymentList(deployment("foo", "rc1", registryHost+"/foo/bar@sha256:0000000000000000000000000000000000000000000000000000000000000000")),
+			expectedImageDeletions: []string{"sha256:0000000000000000000000000000000000000000000000000000000000000001"},
+		},
+
 		"referenced by bc - sti - ImageStreamImage - don't prune": {
 			images: imageList(image("sha256:0000000000000000000000000000000000000000000000000000000000000000", registryHost+"/foo/bar@sha256:0000000000000000000000000000000000000000000000000000000000000000")),
 			bcs:    bcList(bc("foo", "bc1", "source", "ImageStreamImage", "foo", "bar@sha256:0000000000000000000000000000000000000000000000000000000000000000")),
@@ -1175,6 +1205,7 @@ func TestImagePruning(t *testing.T) {
 			BCs:         &test.bcs,
 			Builds:      &test.builds,
 			DSs:         &test.dss,
+			Deployments: &test.deployments,
 			DCs:         &test.dcs,
 			LimitRanges: test.limits,
 			RegistryURL: &url.URL{Scheme: "https", Host: registryHost},
@@ -1422,6 +1453,7 @@ func TestRegistryPruning(t *testing.T) {
 			BCs:              &buildapi.BuildConfigList{},
 			Builds:           &buildapi.BuildList{},
 			DSs:              &kapisext.DaemonSetList{},
+			Deployments:      &kapisext.DeploymentList{},
 			DCs:              &deployapi.DeploymentConfigList{},
 			RegistryURL:      &url.URL{Scheme: "https", Host: "registry1.io"},
 		}
@@ -1481,17 +1513,19 @@ func TestImageWithStrongAndWeakRefsIsNotPruned(t *testing.T) {
 	bcs := bcList()
 	builds := buildList()
 	dss := dsList()
+	deployments := deploymentList()
 	dcs := dcList()
 
 	options := PrunerOptions{
-		Images:  &images,
-		Streams: &streams,
-		Pods:    &pods,
-		RCs:     &rcs,
-		BCs:     &bcs,
-		Builds:  &builds,
-		DSs:     &dss,
-		DCs:     &dcs,
+		Images:      &images,
+		Streams:     &streams,
+		Pods:        &pods,
+		RCs:         &rcs,
+		BCs:         &bcs,
+		Builds:      &builds,
+		DSs:         &dss,
+		Deployments: &deployments,
+		DCs:         &dcs,
 	}
 	keepYoungerThan := 24 * time.Hour
 	keepTagRevisions := 2

pkg/oc/admin/prune/images.go

@@ -270,6 +270,14 @@ func (o PruneImagesOptions) Run() error {
 		fmt.Fprintf(os.Stderr, "Failed to list daemonsets: %v\n - * Make sure to update clusterRoleBindings.\n", err)
 	}
 
+	allDeployments, err := o.KubeClient.Extensions().Deployments(o.Namespace).List(metav1.ListOptions{})
+	if err != nil {
+		if !kerrors.IsForbidden(err) {
+			return err
+		}
+		fmt.Fprintf(os.Stderr, "Failed to list deployments: %v\n - * Make sure to update clusterRoleBindings.\n", err)
+	}
+
 	allDCs, err := o.AppsClient.DeploymentConfigs(o.Namespace).List(metav1.ListOptions{})
 	if err != nil {
 		return err
@@ -342,6 +350,7 @@ func (o PruneImagesOptions) Run() error {
 		BCs:                allBCs,
 		Builds:             allBuilds,
 		DSs:                allDSs,
+		Deployments:        allDeployments,
 		DCs:                allDCs,
 		LimitRanges:        limitRangesMap,
 		DryRun:             o.Confirm == false,