feat(worker): add GCS FUSE volume support for K8s runner

Replace emptyDir volumes with GCS FUSE-backed volumes for K8s job pods,
enabling persistent shared storage between the worker and job containers.

- Add IsolatedGcsVolume class for GCS-backed volume management
- Update K8s runner with gcsfuse sidecar volumes, pod annotations, and flush logic
- Update isolated-volume factory to route to GCS when configured
- Add GCS file listing in prowler-scan component
- Add @google-cloud/storage dependency
- Terraform: enable GCS FUSE addon, create bucket, configure IAM
- Helm: add job runner KSA, env vars, and GCS config values

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: betterclever <paliwal.pranjal83@gmail.com>

Author: betterclever

bun.lock

@@ -53,6 +53,14 @@ spec:
         - name: K8S_IMAGE_PULL_SECRET
           value: {{ .Values.execution.k8s.imagePullSecret | quote }}
         {{- end }}
+        {{- if .Values.execution.k8s.gcsBucket }}
+        - name: GCS_VOLUME_BUCKET
+          value: {{ .Values.execution.k8s.gcsBucket | quote }}
+        {{- end }}
+        {{- if .Values.execution.k8s.jobServiceAccount }}
+        - name: K8S_JOB_SERVICE_ACCOUNT
+          value: {{ .Values.execution.k8s.jobServiceAccount | quote }}
+        {{- end }}
         {{- else if .Values.execution.workerDockerHost }}
         - name: DOCKER_HOST
           value: {{ .Values.execution.workerDockerHost | quote }}

deploy/helm/shipsec/templates/worker-deployment.yaml

@@ -8,6 +8,10 @@ metadata:
   labels:
     {{- include "shipsec.labels" . | nindent 4 }}
     app.kubernetes.io/component: worker
+  {{- if .Values.execution.k8s.workerGcpSa }}
+  annotations:
+    iam.gke.io/gcp-service-account: {{ .Values.execution.k8s.workerGcpSa | quote }}
+  {{- end }}
 ---
 # Role in the workloads namespace — worker creates Jobs and ConfigMaps here
 apiVersion: rbac.authorization.k8s.io/v1
@@ -44,4 +48,17 @@ subjects:
 - kind: ServiceAccount
   name: shipsec-worker
   namespace: {{ .Values.global.namespaces.workers }}
+{{- if .Values.execution.k8s.jobRunnerGcpSa }}
+---
+# ServiceAccount for job pods (GCS FUSE CSI access via Workload Identity)
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: shipsec-job-runner
+  namespace: {{ .Values.global.namespaces.workloads }}
+  labels:
+    {{- include "shipsec.labels" . | nindent 4 }}
+  annotations:
+    iam.gke.io/gcp-service-account: {{ .Values.execution.k8s.jobRunnerGcpSa | quote }}
+{{- end }}
 {{- end }}

deploy/helm/shipsec/templates/worker-rbac.yaml

@@ -88,3 +88,7 @@ execution:
     jobNamespace: shipsec-workloads
     imagePullPolicy: IfNotPresent
     imagePullSecret: ghcr-creds
+    gcsBucket: shipsec-volumes-shipsec-dev
+    jobServiceAccount: shipsec-job-runner
+    jobRunnerGcpSa: shipsec-job-runner@shipsec.iam.gserviceaccount.com
+    workerGcpSa: shipsec-worker@shipsec.iam.gserviceaccount.com

deploy/helm/shipsec/values/gke-managed.yaml

@@ -78,6 +78,12 @@ resource "google_container_cluster" "gke" {
     workload_pool = "${var.project_id}.svc.id.goog"
   }
 
+  addons_config {
+    gcs_fuse_csi_driver_config {
+      enabled = true
+    }
+  }
+
   depends_on = [google_project_service.enabled]
 }
 
@@ -101,6 +107,78 @@ resource "google_container_node_pool" "default_pool" {
   }
 }
 
+# --- GCS FUSE volume support ---
+
+# GCS bucket for job volumes
+resource "google_storage_bucket" "volumes" {
+  project                     = var.project_id
+  name                        = "${var.project_id}-volumes-${var.cluster_name}"
+  location                    = var.region
+  uniform_bucket_level_access = true
+  force_destroy               = true
+
+  lifecycle_rule {
+    condition {
+      age = 7
+    }
+    action {
+      type = "Delete"
+    }
+  }
+}
+
+# GCP SA for job pods (mounted via GCS FUSE CSI)
+resource "google_service_account" "job_runner" {
+  project      = var.project_id
+  account_id   = "shipsec-job-runner"
+  display_name = "ShipSec K8s Job Runner"
+}
+
+# Job runner SA → bucket access
+resource "google_storage_bucket_iam_member" "job_runner_storage" {
+  bucket = google_storage_bucket.volumes.name
+  role   = "roles/storage.objectUser"
+  member = "serviceAccount:${google_service_account.job_runner.email}"
+}
+
+# Workload Identity: K8s SA → GCP SA (for job pods in shipsec-workloads)
+resource "google_service_account_iam_member" "job_runner_wi" {
+  service_account_id = google_service_account.job_runner.name
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "serviceAccount:${var.project_id}.svc.id.goog[shipsec-workloads/shipsec-job-runner]"
+}
+
+# Worker SA also needs GCS access (to upload inputs / read outputs via SDK)
+resource "google_service_account" "worker" {
+  project      = var.project_id
+  account_id   = "shipsec-worker"
+  display_name = "ShipSec Worker"
+}
+
+resource "google_storage_bucket_iam_member" "worker_storage" {
+  bucket = google_storage_bucket.volumes.name
+  role   = "roles/storage.objectUser"
+  member = "serviceAccount:${google_service_account.worker.email}"
+}
+
+resource "google_service_account_iam_member" "worker_wi" {
+  service_account_id = google_service_account.worker.name
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "serviceAccount:${var.project_id}.svc.id.goog[shipsec-workers/shipsec-worker]"
+}
+
+output "gcs_volumes_bucket" {
+  value = google_storage_bucket.volumes.name
+}
+
+output "job_runner_sa_email" {
+  value = google_service_account.job_runner.email
+}
+
+output "worker_sa_email" {
+  value = google_service_account.worker.email
+}
+
 output "artifact_registry_repo" {
   value = "${var.region}-docker.pkg.dev/${var.project_id}/${google_artifact_registry_repository.docker.repository_id}"
 }

infra/gcp/envs/dev/main.tf

@@ -23,6 +23,7 @@
     "@ai-sdk/mcp": "^1.0.13",
     "@ai-sdk/openai": "^3.0.18",
     "@aws-sdk/client-s3": "^3.975.0",
+    "@google-cloud/storage": "^7.14.0",
     "@googleapis/admin": "^29.0.0",
     "@grpc/grpc-js": "^1.14.3",
     "@kubernetes/client-node": "^1.4.0",

worker/package.json

@@ -300,8 +300,22 @@ async function listVolumeFiles(volume: ReturnType<typeof createIsolatedVolume>):
   const volumeName = volume.getVolumeName();
   if (!volumeName) return [];
 
-  // In K8s mode, volumes are ConfigMap-backed — list keys via K8s API
+  // In K8s mode, volumes are ConfigMap-backed or GCS-backed
   if (process.env.EXECUTION_MODE === 'k8s') {
+    // GCS FUSE volumes: list objects in the GCS prefix via SDK
+    if (process.env.GCS_VOLUME_BUCKET) {
+      try {
+        const { Storage } = await import('@google-cloud/storage');
+        const storage = new Storage();
+        const bucket = storage.bucket(process.env.GCS_VOLUME_BUCKET);
+        const [files] = await bucket.getFiles({ prefix: `${volumeName}/` });
+        return files.map((f) => f.name.replace(`${volumeName}/`, ''));
+      } catch {
+        return [];
+      }
+    }
+
+    // ConfigMap-backed volumes: list keys via K8s API
     try {
       const k8s = await import('@kubernetes/client-node');
       const kc = new k8s.KubeConfig();

worker/src/components/security/prowler-scan.ts

@@ -0,0 +1,214 @@
+/**
+ * IsolatedGcsVolume — GCS FUSE CSI volume replacement for IsolatedK8sVolume.
+ *
+ * Uses a GCS bucket mounted via the GCS FUSE CSI driver instead of ConfigMaps.
+ * Same interface as IsolatedK8sVolume / IsolatedContainerVolume so components
+ * can swap transparently via the createIsolatedVolume() factory.
+ *
+ * Advantages over ConfigMap-backed volumes:
+ * - No 1 MiB size limit (handles large outputs like Prowler)
+ * - Native read-write (no log-based writeback hack)
+ * - ReadWriteMany (parallel pods can share data)
+ * - Worker reads output directly from GCS via SDK
+ */
+import { Storage } from '@google-cloud/storage';
+import { ValidationError, ConfigurationError, ContainerError } from '@shipsec/component-sdk';
+
+let _storage: Storage | null = null;
+
+function getStorage(): Storage {
+  if (!_storage) {
+    // Auto-discovers Workload Identity credentials in GKE
+    _storage = new Storage();
+  }
+  return _storage;
+}
+
+function getBucketName(): string {
+  const bucket = process.env.GCS_VOLUME_BUCKET;
+  if (!bucket) {
+    throw new ConfigurationError('GCS_VOLUME_BUCKET environment variable is not set');
+  }
+  return bucket;
+}
+
+function sanitizeName(raw: string): string {
+  return raw
+    .toLowerCase()
+    .replace(/[^a-z0-9-]/g, '-')
+    .replace(/-+/g, '-')
+    .replace(/^-|-$/g, '')
+    .slice(0, 53);
+}
+
+export class IsolatedGcsVolume {
+  private prefix?: string;
+  private isInitialized = false;
+  private bucketName: string;
+
+  constructor(
+    private tenantId: string,
+    private runId: string,
+  ) {
+    if (!/^[a-zA-Z0-9_-]+$/.test(tenantId)) {
+      throw new ValidationError(
+        'Invalid tenant ID: must contain only alphanumeric characters, hyphens, and underscores',
+        {
+          fieldErrors: {
+            tenantId: ['must contain only alphanumeric characters, hyphens, and underscores'],
+          },
+        },
+      );
+    }
+    if (!/^[a-zA-Z0-9_-]+$/.test(runId)) {
+      throw new ValidationError(
+        'Invalid run ID: must contain only alphanumeric characters, hyphens, and underscores',
+        {
+          fieldErrors: {
+            runId: ['must contain only alphanumeric characters, hyphens, and underscores'],
+          },
+        },
+      );
+    }
+    this.bucketName = getBucketName();
+  }
+
+  /**
+   * Upload files to GCS under a unique prefix and return the prefix.
+   * GCS key structure: {tenantId}/{runId}/{timestamp}/{filename}
+   */
+  async initialize(files: Record<string, string | Buffer>): Promise<string> {
+    if (this.isInitialized) {
+      throw new ConfigurationError('Volume already initialized', {
+        details: { prefix: this.prefix, tenantId: this.tenantId, runId: this.runId },
+      });
+    }
+
+    const timestamp = Date.now();
+    const tenantShort = sanitizeName(this.tenantId);
+    const runShort = sanitizeName(this.runId);
+    this.prefix = `${tenantShort}/${runShort}/${timestamp}`;
+
+    try {
+      const storage = getStorage();
+      const bucket = storage.bucket(this.bucketName);
+
+      const uploads = Object.entries(files).map(async ([filename, content]) => {
+        this.validateFilename(filename);
+        const key = `${this.prefix}/${filename}`;
+        const file = bucket.file(key);
+        const data = typeof content === 'string' ? Buffer.from(content, 'utf-8') : content;
+        await file.save(data);
+      });
+
+      await Promise.all(uploads);
+
+      this.isInitialized = true;
+      return this.prefix;
+    } catch (error) {
+      if (this.prefix) {
+        await this.cleanup().catch(() => {});
+      }
+      throw new ContainerError(
+        `Failed to initialize GCS volume: ${error instanceof Error ? error.message : String(error)}`,
+        {
+          cause: error instanceof Error ? error : undefined,
+          details: { tenantId: this.tenantId, runId: this.runId },
+        },
+      );
+    }
+  }
+
+  private validateFilename(filename: string): void {
+    if (filename.includes('..') || filename.startsWith('/')) {
+      throw new ValidationError(`Invalid filename (path traversal): ${filename}`, {
+        fieldErrors: { filename: ['path traversal not allowed'] },
+      });
+    }
+    const safePattern = /^[a-zA-Z0-9._/-]+$/;
+    if (!safePattern.test(filename)) {
+      throw new ValidationError(`Invalid filename (contains unsafe characters): ${filename}`, {
+        fieldErrors: { filename: ['contains unsafe characters'] },
+      });
+    }
+  }
+
+  /**
+   * Download files from GCS by name.
+   */
+  async readFiles(filenames: string[]): Promise<Record<string, string>> {
+    if (!this.prefix) {
+      throw new ConfigurationError('Volume not initialized');
+    }
+
+    const storage = getStorage();
+    const bucket = storage.bucket(this.bucketName);
+    const results: Record<string, string> = {};
+
+    for (const filename of filenames) {
+      try {
+        const key = `${this.prefix}/${filename}`;
+        const file = bucket.file(key);
+        const [contents] = await file.download();
+        results[filename] = contents.toString('utf-8');
+      } catch (error) {
+        console.warn(
+          `Could not read file ${filename} from GCS: ${error instanceof Error ? error.message : String(error)}`,
+        );
+      }
+    }
+
+    return results;
+  }
+
+  /**
+   * Returns volume config for the runner.
+   * The K8s runner recognizes the "gcsfuse:" prefix and creates a CSI volume.
+   * Format: "gcsfuse:{bucketName}:{prefix}"
+   */
+  getVolumeConfig(containerPath = '/inputs', readOnly = true) {
+    if (!this.prefix) {
+      throw new ConfigurationError('Volume not initialized');
+    }
+    return {
+      source: `gcsfuse:${this.bucketName}:${this.prefix}`,
+      target: containerPath,
+      readOnly,
+    };
+  }
+
+  /**
+   * Returns a bind mount string (for interface compatibility).
+   */
+  getBindMount(containerPath = '/inputs', readOnly = true): string {
+    if (!this.prefix) {
+      throw new ConfigurationError('Volume not initialized');
+    }
+    const mode = readOnly ? 'ro' : 'rw';
+    return `gcsfuse:${this.bucketName}:${this.prefix}:${containerPath}:${mode}`;
+  }
+
+  /**
+   * Delete all objects under the GCS prefix.
+   */
+  async cleanup(): Promise<void> {
+    if (!this.prefix) return;
+
+    try {
+      const storage = getStorage();
+      const bucket = storage.bucket(this.bucketName);
+      await bucket.deleteFiles({ prefix: `${this.prefix}/` });
+    } catch (error) {
+      console.error(
+        `Failed to cleanup GCS volume ${this.prefix}: ${error instanceof Error ? error.message : String(error)}`,
+      );
+    } finally {
+      this.isInitialized = false;
+      this.prefix = undefined;
+    }
+  }
+
+  getVolumeName(): string | undefined {
+    return this.prefix;
+  }
+}

worker/src/utils/gcs-volume.ts

@@ -8,3 +8,4 @@ export {
   createIsolatedVolume,
 } from './isolated-volume';
 export { IsolatedK8sVolume } from './k8s-volume';
+export { IsolatedGcsVolume } from './gcs-volume';