A couple of our Java/Kotlin based deployments and jobs execute containerized c++ or python tools (to avoid dependency hell). By using docker-in-docker, this has allowed our k8s versions to behave the same way as our bare metal (i.e. run from IntelliJ or docker-compose). In other words, it doesn't make sense for us to spin up yet another job with a shared volume when we can use dind.

I see that this will no longer be supported in 1.24 and dds identifies the expected deployment; however, I can't find anywhere what to do about this? Do I just do the same thing with containerd.sock and nerdctl? Any alternative documented would be appreciated

The tool currently does not detect resources that mount the dockershim.sock, which is being deprecated and removed. Customers might mount this socket for various cluster tools (e.g. aws/amazon-vpc-cni-k8s#1397).

Running kubectl dds on my cluster and getting the above error. Verbose mode doesn't tell me which resource

$ kubectl dds -v
error: the server could not find the requested resource

I have even deleted the pods from failing jobs, but I still get the error

Running on kube v1.20. Version info below

$ kubectl version 
Client Version: version.Info{Major:"1", Minor:"20+", GitVersion:"v1.20.4-eks-6b7464", GitCommit:"6b746440c04cb81db4426842b4ae65c3f7035e53", GitTreeState:"clean", BuildDate:"2021-03-19T19:35:50Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"20+", GitVersion:"v1.20.15-eks-6d3986b", GitCommit:"d4be14f563712c4e1964fe8a4171ca353b6e7e1a", GitTreeState:"clean", BuildDate:"2022-07-20T22:04:24Z", GoVersion:"go1.15.15", Compiler:"gc", Platform:"linux/amd64"}

I found that panic occurs when directly using ReplicaSet.
DDS does not support ReplicaSet but I want to avoid the panic.

$ kubectl dds

NAMESPACE       TYPE    NAME    STATUS
panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
main.printResources({{{0x0, 0x0}, {0x0, 0x0}}, {{0x140004756c0, 0x7}, {0x0, 0x0}, {0x0, 0x0}, ...}, ...}, ...)
        /Users/tanaka/dev/src/github.com/konoui/kubectl-detector-for-docker-socket/main.go:200 +0x1478
main.runCluster({0x101f4d9aa, 0x3}, 0x1400012c008?, 0x2)
        /Users/tanaka/dev/src/github.com/konoui/kubectl-detector-for-docker-socket/main.go:142 +0x4ac
main.main()
        /Users/tanaka/dev/src/github.com/konoui/kubectl-detector-for-docker-socket/main.go:62 +0x270

---
apiVersion: apps/v1
kind: ReplicaSet
metadata:
  name: replicaset-docker-volume
  labels:
    app: rs
spec:
  replicas: 3
  selector:
    matchLabels:
      app: rs
  template:
    metadata:
      labels:
        app: rs
    spec:
      containers:
      - name: pause
        image: public.ecr.aws/eks-distro/kubernetes/pause:v1.21.5-eks-1-21-8
        ports:
        - containerPort: 80
        volumeMounts:
        - name: dockersock
          mountPath: "/var/run/docker.sock"
      volumes:
      - name: dockersock
        hostPath:
          path: /var/run/docker.sock

It is possible that a ReplicaSet is not owned by a Deployment but instead something else, for example ArgoRollouts.

In the event DDS scans a pod, refers to the ReplicaSet but is owned by a Rollout, it will log

> kubectl dds -n rbourne
error: deployments.apps "rollout-socket" not found%

However the end table is not outputted. This means a large cluster may have been scanned, Docker mounts detected but nothing is outputted. This can mislead the end user to determine no mounts exist in the cluster.

During a scan of a cluster, there may be custom resource definitions which own a pod beyond the stated list on the readme.md file - for example runners from summerwind.

Whilst an error about these owners is presented, the pod itself is not scanned. As such any pods mounting the docker host socket with an unknown owner will not be presented in the conclusion table.

I propose this tool scans the pod for the mount in the event the owner is unknown instead of ignoring it.

Replication:
Install an addon which controls pods, for example SummerWind Action Runners
Mount the Docker host socket with a runner
Run the tool

Output:

could not find resource manager for type Runner for pod my-docker-9k99f-12345
NAMESPACE	TYPE	NAME	STATUS

Default plugin version on krew is 0.1.0, which misses the check for dockershim.sock

I am trying to scan a cluster that has different kinds of workloads (deployments, pods, statefulsets, batch jobs, etc). However, when the scan finishes, I always get the same error: "jobs.batch not found. The following table may be incomplete due to errors detected during the run." The table only returns a single row, analyzing the kube-system namespace, but not all the other workloads, which amount to more than 300. I believe this issue arises because when the scan starts, there are some jobs running but then they finish during the scan (as they are meant to do). However, the plugin interprets this as an issue and throws an error. Is there any workaround for this problem?

Input = kubectl dds

Output =
error: [jobs.batch "job1" not found, jobs.batch "job2" not found, jobs.batch "job3" not found, jobs.batch "job4" not found]
Warning: The following table may be incomplete due to errors detected during the run
NAMESPACE TYPE NAME STATUS
kube-system daemonset aws-node mounted

Thank you for the great tool!
I found that the --exit-with-error flag does not work under some conditions.

Case1

flaky results occur when mounted and not-mounted resources of the same workload exist.

$ kubectl delete -f test/manifests
$ kubectl apply -f test/manifests/docker-volume.deploy.yaml
$ kubectl apply -f test/manifests/no-volume.deploy.yaml

$ kubectl dds --exit-with-error -n default
NAMESPACE       TYPE            NAME                    STATUS
default         deployment      deploy-docker-volume    mounted

$ echo $?
0

$ kubectl dds --exit-with-error
(snip)

$ echo $?
1

$ kubectl dds --exit-with-error
(snip)

$ echo $?
1

$ kubectl dds --exit-with-error
(snip)

$ echo $?
0

Case2

DDS exit with 0 when found only daemoset of docker volume.

$ kubectl delete -f test/manifests
$ kubectl dds --exit-with-error -n kube-system
NAMESPACE       TYPE            NAME            STATUS
kube-system     daemonset       aws-node        mounted

$ echo $?
0