From 9e5114ed65dcfd249b80ce7b23456972d6e73c42 Mon Sep 17 00:00:00 2001
From: Ivan Milchev
Date: Wed, 17 Apr 2024 13:59:41 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=9A=80=20v11.0.0=20(#1094)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 charts/mondoo-operator/Chart.yaml | 4 +-
 .../templates/mondooauditconfig-crd.yaml | 275 +++++++++--------
 .../templates/mondoooperatorconfig-crd.yaml | 24 +-
 charts/mondoo-operator/values.yaml | 2 +-
 .../k8s.mondoo.com_mondooauditconfigs.yaml | 280 ++++++++++--------
 .../k8s.mondoo.com_mondoooperatorconfigs.yaml | 25 +-
 config/manager/kustomization.yaml | 2 +-
 config/rbac/role.yaml | 1 -
 config/webhook/kustomization.yaml | 2 +-
 config/webhook/manifests.yaml | 1 -
 10 files changed, 345 insertions(+), 271 deletions(-)
diff --git a/charts/mondoo-operator/Chart.yaml b/charts/mondoo-operator/Chart.yaml
index c002aece1..c9b13aa02 100755
--- a/charts/mondoo-operator/Chart.yaml
+++ b/charts/mondoo-operator/Chart.yaml
@@ -16,9 +16,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.22.0
+version: 11.0.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.22.0"
+appVersion: "11.0.0"
diff --git a/charts/mondoo-operator/templates/mondooauditconfig-crd.yaml b/charts/mondoo-operator/templates/mondooauditconfig-crd.yaml
index d54bdfe48..4356d49c4 100644
--- a/charts/mondoo-operator/templates/mondooauditconfig-crd.yaml
+++ b/charts/mondoo-operator/templates/mondooauditconfig-crd.yaml
@@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: name: mondooauditconfigs.k8s.mondoo.com annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: {{- include "mondoo-operator.labels" . | nindent 4 }} spec: @@ -31,14 +31,19 @@ spec: description: MondooAuditConfig is the Schema for the mondooauditconfigs API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -72,26 +77,28 @@ spec: type: object mode: default: permissive - description: Mode represents whether the webhook will behave in - a "permissive" mode (the default) which will only scan and report - on k8s resources or "enforcing" mode where depending on the scan - results may reject the k8s resource creation/modification. + description: |- + Mode represents whether the webhook will behave in a "permissive" mode (the default) which + will only scan and report on k8s resources or "enforcing" mode where depending + on the scan results may reject the k8s resource creation/modification. enum: - permissive - enforcing type: string replicas: default: 1 - description: Number of replicas for the admission webhook. For enforcing - mode, the minimum should be two to prevent problems during Pod - failures, e.g. node failure, node scaling, etc. + description: |- + Number of replicas for the admission webhook. + For enforcing mode, the minimum should be two to prevent problems during Pod failures, + e.g. node failure, node scaling, etc. format: int32 minimum: 1 type: integer serviceAccountName: default: mondoo-operator-webhook - description: ServiceAccountName specifies the Kubernetes ServiceAccount - the webhook should use during its operation. + description: |- + ServiceAccountName specifies the Kubernetes ServiceAccount the webhook should use + during its operation. type: string type: object consoleIntegration: 
@@ -108,18 +115,24 @@ spec: requirements. properties: claims: - description: "Claims lists the names of resources, defined in - spec.resourceClaims, that are used by this container. \n This - is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be set - for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name @@ -135,8 +148,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -145,11 +159,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object schedule: @@ -163,17 +177,17 @@ spec: namespaces: properties: exclude: - description: Exclude is the list of resources to ignore for - any watching/scanning actions. Use this if the goal is to - watch/scan all resources except for this Exclude list. + description: |- + Exclude is the list of resources to ignore for any watching/scanning actions. Use this if + the goal is to watch/scan all resources except for this Exclude list. items: type: string type: array include: - description: Include is the list of resources to watch/scan. - Setting Include overrides anything in the Exclude list as - specifying an Include list is effectively excluding everything - except for what is on the Include list. + description: |- + Include is the list of resources to watch/scan. Setting Include overrides anything in the + Exclude list as specifying an Include list is effectively excluding everything except for what + is on the Include list. items: type: string type: array 
@@ -182,10 +196,9 @@ spec: kubernetesResources: properties: containerImageScanning: - description: 'DEPRECATED: ContainerImageScanning determines whether - container images are being scanned. The current implementation - runs a separate job once every 24h that scans the container images - running in the cluster.' + description: |- + DEPRECATED: ContainerImageScanning determines whether container images are being scanned. The current implementation + runs a separate job once every 24h that scans the container images running in the cluster. type: boolean enable: type: boolean @@ -200,20 +213,24 @@ spec: to remove/update properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic mondooTokenSecretRef: - description: MondooTokenSecretRef can optionally hold a time-limited - token that the mondoo-operator will use to create a Mondoo service - account saved to the Secret specified in .spec.mondooCredsSecretRef + description: |- + MondooTokenSecretRef can optionally hold a time-limited token that the mondoo-operator will use + to create a Mondoo service account saved to the Secret specified in .spec.mondooCredsSecretRef if that Secret does not exist. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic 
@@ -223,8 +240,8 @@ spec: type: boolean intervalTimer: default: 60 - description: IntervalTimer is the interval (in minutes) for the - node scanning. The default is "60". Only applicable for Deployment + description: |- + IntervalTimer is the interval (in minutes) for the node scanning. The default is "60". Only applicable for Deployment style. type: integer priorityClassName: @@ -236,18 +253,24 @@ spec: requirements. properties: claims: - description: "Claims lists the names of resources, defined in - spec.resourceClaims, that are used by this container. \n This - is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be set - for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name 
@@ -263,8 +286,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: @@ -273,17 +297,17 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object schedule: - description: Schedule specifies a custom crontab schedule for the - node scanning job. If not specified, the default schedule is used. - Only applicable for CronJob style + description: |- + Schedule specifies a custom crontab schedule for the node scanning job. If not specified, the default schedule is + used. Only applicable for CronJob style type: string style: default: cronjob 
@@ -296,14 +320,14 @@ spec: type: string type: object scanner: - description: Scanner defines the settings for the Mondoo scanner that - will be running in the cluster. The same scanner is used for scanning - the Kubernetes API, the nodes and for serving the admission controller. + description: |- + Scanner defines the settings for the Mondoo scanner that will be running in the cluster. The same scanner + is used for scanning the Kubernetes API, the nodes and for serving the admission controller. properties: env: - description: Env allows setting extra environment variables for - the scanner. If the operator sets already an env variable with - the same name, the value specified here will override it. + description: |- + Env allows setting extra environment variables for the scanner. If the operator sets already an env + variable with the same name, the value specified here will override it. items: description: EnvVar represents an environment variable present in a Container. 
@@ -312,15 +336,16 @@ spec: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the - container and any service environment variables. If a variable - cannot be resolved, the reference in the input string will - be unchanged. Double $$ are reduced to a single $, which - allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped references - will never be expanded, regardless of whether the variable - exists or not. Defaults to "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's value. @@ -333,9 +358,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap or its 
@@ -346,10 +372,9 @@ spec: type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports metadata.name, - metadata.namespace, `metadata.labels['''']`, `metadata.annotations['''']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, - status.podIP, status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath is @@ -364,10 +389,9 @@ spec: type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: only - resources limits and requests (limits.cpu, limits.memory, - limits.ephemeral-storage, requests.cpu, requests.memory - and requests.ephemeral-storage) are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for volumes, @@ -396,9 +420,10 @@ spec: be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key 
@@ -421,20 +446,23 @@ spec: type: string type: object privateRegistriesPullSecretRef: - description: PrivateRegistryScanning defines the name of a secret - that contains the credentials for the private registries we have - to pull images from. + description: |- + PrivateRegistryScanning defines the name of a secret that contains the credentials for the private + registries we have to pull images from. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic replicas: default: 1 - description: Number of replicas for the scanner. For enforcing mode, - the minimum should be two to prevent problems during Pod failures, + description: |- + Number of replicas for the scanner. + For enforcing mode, the minimum should be two to prevent problems during Pod failures, e.g. node failure, node scaling, etc. format: int32 minimum: 1 
@@ -444,18 +472,24 @@ spec: requirements. properties: claims: - description: "Claims lists the names of resources, defined in - spec.resourceClaims, that are used by this container. \n This - is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be set - for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name @@ -471,8 +505,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -481,11 +516,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object serviceAccountName: diff --git a/charts/mondoo-operator/templates/mondoooperatorconfig-crd.yaml b/charts/mondoo-operator/templates/mondoooperatorconfig-crd.yaml index d2d311401..126ba992b 100644 --- a/charts/mondoo-operator/templates/mondoooperatorconfig-crd.yaml +++ b/charts/mondoo-operator/templates/mondoooperatorconfig-crd.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: name: mondoooperatorconfigs.k8s.mondoo.com annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: {{- include "mondoo-operator.labels" . | nindent 4 }} spec: 
@@ -22,14 +22,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -49,8 +54,9 @@ spec: resourceLabels: additionalProperties: type: string - description: ResourceLabels allows providing a list of extra labels - to apply to the metrics-related resources (eg. ServiceMonitor) + description: |- + ResourceLabels allows providing a list of extra labels to apply to the metrics-related + resources (eg. ServiceMonitor) type: object type: object skipContainerResolution: diff --git a/charts/mondoo-operator/values.yaml b/charts/mondoo-operator/values.yaml index 8c43f4f3e..6f6309444 100644 --- a/charts/mondoo-operator/values.yaml +++ b/charts/mondoo-operator/values.yaml 
@@ -14,7 +14,7 @@ controllerManager:
 readOnlyRootFilesystem: true
 image:
 repository: ghcr.io/mondoohq/mondoo-operator
- tag: v1.22.0
+ tag: v11.0.0
 imagePullPolicy: IfNotPresent
 resources:
 limits:
diff --git a/config/crd/bases/k8s.mondoo.com_mondooauditconfigs.yaml b/config/crd/bases/k8s.mondoo.com_mondooauditconfigs.yaml
index ada97d7e8..c967ad903 100644
--- a/config/crd/bases/k8s.mondoo.com_mondooauditconfigs.yaml
+++ b/config/crd/bases/k8s.mondoo.com_mondooauditconfigs.yaml
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: mondooauditconfigs.k8s.mondoo.com spec: group: k8s.mondoo.com
@@ -21,14 +20,19 @@ spec: description: MondooAuditConfig is the Schema for the mondooauditconfigs API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -62,26 +66,28 @@ spec: type: object mode: default: permissive - description: Mode represents whether the webhook will behave in - a "permissive" mode (the default) which will only scan and report - on k8s resources or "enforcing" mode where depending on the - scan results may reject the k8s resource creation/modification. + description: |- + Mode represents whether the webhook will behave in a "permissive" mode (the default) which + will only scan and report on k8s resources or "enforcing" mode where depending + on the scan results may reject the k8s resource creation/modification. enum: - permissive - enforcing type: string replicas: default: 1 - description: Number of replicas for the admission webhook. For - enforcing mode, the minimum should be two to prevent problems - during Pod failures, e.g. node failure, node scaling, etc. + description: |- + Number of replicas for the admission webhook. + For enforcing mode, the minimum should be two to prevent problems during Pod failures, + e.g. node failure, node scaling, etc. format: int32 minimum: 1 type: integer serviceAccountName: default: mondoo-operator-webhook - description: ServiceAccountName specifies the Kubernetes ServiceAccount - the webhook should use during its operation. + description: |- + ServiceAccountName specifies the Kubernetes ServiceAccount the webhook should use + during its operation. type: string type: object consoleIntegration: 
@@ -98,19 +104,24 @@ spec: requirements. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name @@ -126,8 +137,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -136,11 +148,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object schedule: @@ -154,17 +166,17 @@ spec: namespaces: properties: exclude: - description: Exclude is the list of resources to ignore for - any watching/scanning actions. Use this if the goal is to - watch/scan all resources except for this Exclude list. + description: |- + Exclude is the list of resources to ignore for any watching/scanning actions. Use this if + the goal is to watch/scan all resources except for this Exclude list. items: type: string type: array include: - description: Include is the list of resources to watch/scan. - Setting Include overrides anything in the Exclude list as - specifying an Include list is effectively excluding everything - except for what is on the Include list. + description: |- + Include is the list of resources to watch/scan. Setting Include overrides anything in the + Exclude list as specifying an Include list is effectively excluding everything except for what + is on the Include list. items: type: string type: array 
@@ -173,10 +185,9 @@ spec: kubernetesResources: properties: containerImageScanning: - description: 'DEPRECATED: ContainerImageScanning determines whether - container images are being scanned. The current implementation - runs a separate job once every 24h that scans the container - images running in the cluster.' + description: |- + DEPRECATED: ContainerImageScanning determines whether container images are being scanned. The current implementation + runs a separate job once every 24h that scans the container images running in the cluster. type: boolean enable: type: boolean 
@@ -191,20 +202,24 @@ spec: mondooauditconfig_types.go to remove/update properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic mondooTokenSecretRef: - description: MondooTokenSecretRef can optionally hold a time-limited - token that the mondoo-operator will use to create a Mondoo service - account saved to the Secret specified in .spec.mondooCredsSecretRef + description: |- + MondooTokenSecretRef can optionally hold a time-limited token that the mondoo-operator will use + to create a Mondoo service account saved to the Secret specified in .spec.mondooCredsSecretRef if that Secret does not exist. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -214,8 +229,8 @@ spec: type: boolean intervalTimer: default: 60 - description: IntervalTimer is the interval (in minutes) for the - node scanning. The default is "60". Only applicable for Deployment + description: |- + IntervalTimer is the interval (in minutes) for the node scanning. The default is "60". Only applicable for Deployment style. type: integer priorityClassName: 
@@ -227,19 +242,24 @@ spec: requirements. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name @@ -255,8 +275,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -265,17 +286,17 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object schedule: - description: Schedule specifies a custom crontab schedule for - the node scanning job. If not specified, the default schedule - is used. Only applicable for CronJob style + description: |- + Schedule specifies a custom crontab schedule for the node scanning job. If not specified, the default schedule is + used. Only applicable for CronJob style type: string style: default: cronjob 
@@ -288,14 +309,14 @@ spec: type: string type: object scanner: - description: Scanner defines the settings for the Mondoo scanner that - will be running in the cluster. The same scanner is used for scanning - the Kubernetes API, the nodes and for serving the admission controller. + description: |- + Scanner defines the settings for the Mondoo scanner that will be running in the cluster. The same scanner + is used for scanning the Kubernetes API, the nodes and for serving the admission controller. properties: env: - description: Env allows setting extra environment variables for - the scanner. If the operator sets already an env variable with - the same name, the value specified here will override it. + description: |- + Env allows setting extra environment variables for the scanner. If the operator sets already an env + variable with the same name, the value specified here will override it. items: description: EnvVar represents an environment variable present in a Container. 
@@ -305,15 +326,16 @@ spec: C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in - the container and any service environment variables. If - a variable cannot be resolved, the reference in the input - string will be unchanged. Double $$ are reduced to a single - $, which allows for escaping the $(VAR_NAME) syntax: i.e. + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Defaults to "".' + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's value. @@ -326,9 +348,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap or its 
@@ -339,11 +362,9 @@ spec: type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports metadata.name, - metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -358,10 +379,9 @@ spec: type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: only - resources limits and requests (limits.cpu, limits.memory, - limits.ephemeral-storage, requests.cpu, requests.memory - and requests.ephemeral-storage) are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for volumes, @@ -391,9 +411,10 @@ spec: be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key 
@@ -416,21 +437,24 @@ spec: type: string type: object privateRegistriesPullSecretRef: - description: PrivateRegistryScanning defines the name of a secret - that contains the credentials for the private registries we - have to pull images from. + description: |- + PrivateRegistryScanning defines the name of a secret that contains the credentials for the private + registries we have to pull images from. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic replicas: default: 1 - description: Number of replicas for the scanner. For enforcing - mode, the minimum should be two to prevent problems during Pod - failures, e.g. node failure, node scaling, etc. + description: |- + Number of replicas for the scanner. + For enforcing mode, the minimum should be two to prevent problems during Pod failures, + e.g. node failure, node scaling, etc. format: int32 minimum: 1 type: integer 
@@ -439,19 +463,24 @@ spec: requirements. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name @@ -467,8 +496,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -477,11 +507,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object serviceAccountName: diff --git a/config/crd/bases/k8s.mondoo.com_mondoooperatorconfigs.yaml b/config/crd/bases/k8s.mondoo.com_mondoooperatorconfigs.yaml index 222e344f4..c9f04fb64 100644 --- a/config/crd/bases/k8s.mondoo.com_mondoooperatorconfigs.yaml +++ b/config/crd/bases/k8s.mondoo.com_mondoooperatorconfigs.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: mondoooperatorconfigs.k8s.mondoo.com spec: group: k8s.mondoo.com 
@@ -22,14 +21,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -49,8 +53,9 @@ spec: resourceLabels: additionalProperties: type: string - description: ResourceLabels allows providing a list of extra labels - to apply to the metrics-related resources (eg. ServiceMonitor) + description: |- + ResourceLabels allows providing a list of extra labels to apply to the metrics-related + resources (eg. ServiceMonitor) type: object type: object skipContainerResolution: diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 91abf2d81..448798870 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml 
@@ -17,4 +17,4 @@ kind: Kustomization images: - name: controller newName: ghcr.io/mondoohq/mondoo-operator - newTag: v1.22.0 + newTag: v11.0.0 diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 48fdb94d8..69fbd218f 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null name: manager-role rules: - apiGroups: diff --git a/config/webhook/kustomization.yaml b/config/webhook/kustomization.yaml index 2603c427b..bfdf94819 100644 --- a/config/webhook/kustomization.yaml +++ b/config/webhook/kustomization.yaml @@ -10,7 +10,7 @@ resources: images: - name: controller newName: ghcr.io/mondoohq/mondoo-operator - newTag: v1.22.0 + newTag: v11.0.0 patchesStrategicMerge: - webhook_patch.yaml diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml index a01634a47..6248884e1 100644 --- a/config/webhook/manifests.yaml +++ b/config/webhook/manifests.yaml @@ -2,7 +2,6 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: - creationTimestamp: null name: validating-webhook-configuration webhooks: - admissionReviewVersions: