@PaveenV PaveenV commented Feb 2, 2026

Purpose of this PR?

  1. Added systemd mode support for image scanning in the cp-node onboarding workflow
  2. Introduced a systemd service and timer to run image scans on a configured schedule
  3. Added logic to automatically create the registry if it does not already exist
  4. Added logic to flush the image scan status to SaaS for visibility.
  5. Added support for deboard image scanning for systemd mode.

Ticket: https://accu-knox.atlassian.net/browse/CNAPP-24231

@PaveenV PaveenV marked this pull request as draft February 2, 2026 18:47
@PaveenV PaveenV force-pushed the cp-node branch 2 times, most recently from 097cbc6 to 21c1277 February 3, 2026 17:48
@PaveenV PaveenV self-assigned this Feb 3, 2026
@PaveenV PaveenV requested a review from achrefbensaad February 3, 2026 17:55
@PaveenV PaveenV marked this pull request as ready for review February 3, 2026 17:55
@PaveenV PaveenV changed the title from "feat(imagescan): Add installation through cp node" to "feat(cp-node): Add systemd mode support for imagescan installation" Feb 3, 2026
Contributor

So with In Cluster Scan for VM, we will be additionally deploying the kubeshield agent?

Contributor

If yes, can we perform benchmarking on the max memory being utilised by the services?

Contributor Author

No, we are not deploying the kubeshield agent; we are running the knoxctl command to discover and scan the image in the VM.

For this benchmarking, we scanned 214 container images.
Benchmarking results:

  • Consumed 2min 24.569s CPU time.
  • 81.7M memory peak.
  • 42.1M memory swap peak.

DiscoverAgent string = "accuknox-discover"
HardeningAgent string = "accuknox-hardening-agent"
RRA string = "accuknox-rra"
Kubeshield string = "accuknox-scanner"
Contributor

Why added twice? One in line 93 and the other in line 99?

Contributor Author

Addressed, please verify.

CPUWeight=50
{{- end }}

OOMPolicy=stop
Contributor

We are missing a dependency env here. We might be dependent on spire-agent if it is a control-plane, right? Can we add the same here?

Contributor Author

Added spire agent in the wants and after in the systemd service file.

Signed-off-by: Paveen Kumar <paveenkumar@accuknox.com>