Documentation

Overview
Package operator implements the v1.15 phase 3 K8s operator. Two CRDs (basic at v1.15.0; the full reconciler with profiles + waivers lands at v2.10 per ROADMAP):
ComplianceSchedule — operator-authored cron that fires scans against a configured daemon URL.
ScanJob — one-shot scan; the operator creates a Pod from the spec'd compliancekit image and watches it to completion.
The operator is a thin K8s controller that bridges CRDs to either the daemon's REST API (ComplianceSchedule) or a fresh Pod (ScanJob). It deliberately does NOT manage the daemon itself — the Helm chart / Kustomize overlay / Terraform module is the daemon's install vector.
Index
- Variables
- func AddToScheme(s *runtime.Scheme) error
- type ComplianceSchedule
- type ComplianceScheduleList
- type ComplianceScheduleSpec
- type ComplianceScheduleStatus
- type DaemonRef
- type ScanJob
- type ScanJobList
- type ScanJobReconciler
- type ScanJobSpec
- type ScanJobStatus
- type ScheduleReconciler
- type SecretKeyRef
Constants
This section is empty.
Variables
var GroupVersion = schema.GroupVersion{Group: "compliancekit.io", Version: "v1alpha1"}
GroupVersion identifies the API group + version this package owns. Keep in sync with the CRD manifests under deploy/operator/crds/.
var SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
SchemeBuilder collects the types this package contributes for controller-runtime's scheme registration.
Functions
func AddToScheme
func AddToScheme(s *runtime.Scheme) error
AddToScheme registers the operator's CRD types onto s.
Types
type ComplianceSchedule
type ComplianceSchedule struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec ComplianceScheduleSpec `json:"spec,omitempty"`
Status ComplianceScheduleStatus `json:"status,omitempty"`
}
ComplianceSchedule fires a scan against a daemon at a cron cadence. The operator translates the schedule to per-tick POSTs against /api/v1/scans/trigger using the configured Bearer token.
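As an added example (not code from the operator package), one schedule tick written as a Go function: a single POST to /api/v1/scans/trigger with the bearer token in the Authorization header, exercised against an in-process stand-in for the daemon. The page documents only the path and the Bearer scheme; the JSON body fields, the status codes the stand-in returns, the 5-second timeout and the stand-in itself are this example's assumptions.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// triggerPath is the daemon endpoint the ComplianceSchedule docs name.
const triggerPath = "/api/v1/scans/trigger"

// triggerRequest is the JSON body this example sends. The page does not
// document the daemon's request schema, so both fields are an assumption.
type triggerRequest struct {
	Providers []string `json:"providers,omitempty"` // mirrors ComplianceScheduleSpec.Providers
	Schedule  string   `json:"schedule"`            // CR name, for audit correlation on the daemon side
}

// TriggerScan performs one schedule tick: a single POST to
// <baseURL>/api/v1/scans/trigger carrying the bearer token the reconciler
// read from the DaemonRef's Secret. The token travels only in the
// Authorization header and never appears in returned errors.
func TriggerScan(ctx context.Context, hc *http.Client, baseURL, token, schedule string, providers []string) (int, error) {
	if token == "" {
		return 0, errors.New("empty bearer token: refusing to fire an unauthenticated trigger")
	}
	if !strings.HasPrefix(baseURL, "https://") && !strings.HasPrefix(baseURL, "http://") {
		return 0, fmt.Errorf("daemon URL %q is not absolute", baseURL)
	}
	body, err := json.Marshal(triggerRequest{Providers: providers, Schedule: schedule})
	if err != nil {
		return 0, err
	}
	endpoint := strings.TrimRight(baseURL, "/") + triggerPath
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, bytes.NewReader(body))
	if err != nil {
		return 0, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := hc.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK, http.StatusAccepted:
		return resp.StatusCode, nil
	case http.StatusUnauthorized, http.StatusForbidden:
		// A rejected token will not fix itself by the next tick; the reconciler
		// should surface this in Status.Conditions rather than retry blindly.
		return resp.StatusCode, fmt.Errorf("daemon rejected the bearer token (HTTP %d)", resp.StatusCode)
	default:
		return resp.StatusCode, fmt.Errorf("trigger failed with HTTP %d", resp.StatusCode)
	}
}

// FakeDaemon stands in for the daemon's trigger endpoint so a tick can be
// exercised offline. It is constructed for this example and is not the real daemon.
func FakeDaemon(expectedToken string) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc(triggerPath, func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		if r.Header.Get("Authorization") != "Bearer "+expectedToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		var in triggerRequest
		if err := json.NewDecoder(r.Body).Decode(&in); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusAccepted)
	})
	return mux
}

// DemoTick runs one tick against an in-process FakeDaemon that expects
// daemonToken, presenting presentedToken, and returns the HTTP status observed.
func DemoTick(daemonToken, presentedToken string) (int, error) {
	srv := httptest.NewServer(FakeDaemon(daemonToken))
	defer srv.Close()
	hc := &http.Client{Timeout: 5 * time.Second} // never let one tick block the reconciler
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	return TriggerScan(ctx, hc, srv.URL+"/", presentedToken, "nightly-aws", []string{"aws"})
}

func main() {
	code, err := DemoTick("example-token", "example-token")
	fmt.Println("valid token:", code, err)
	code, err = DemoTick("example-token", "stale-token")
	fmt.Println("stale token:", code, err)
}
```

In the real reconciler the token would come from the Secret named by DaemonRef.BearerSecret and be passed straight into TriggerScan; a 401/403 is reported through Status.Conditions and LastStatus rather than retried on the next tick, since a rejected token does not recover on its own.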
+kubebuilder:object:root=true
+kubebuilder:subresource:status
func (*ComplianceSchedule) DeepCopy
func (in *ComplianceSchedule) DeepCopy() *ComplianceSchedule
DeepCopy returns a clone of the receiver.
func (*ComplianceSchedule) DeepCopyInto
func (in *ComplianceSchedule) DeepCopyInto(out *ComplianceSchedule)
DeepCopyInto copies the receiver into out.
func (*ComplianceSchedule) DeepCopyObject
func (in *ComplianceSchedule) DeepCopyObject() runtime.Object
DeepCopyObject implements runtime.Object.
type ComplianceScheduleList
type ComplianceScheduleList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []ComplianceSchedule `json:"items"`
}
+kubebuilder:object:root=true
func (*ComplianceScheduleList) DeepCopy
func (in *ComplianceScheduleList) DeepCopy() *ComplianceScheduleList
DeepCopy returns a clone of the receiver.
func (*ComplianceScheduleList) DeepCopyInto
func (in *ComplianceScheduleList) DeepCopyInto(out *ComplianceScheduleList)
DeepCopyInto copies the list.
func (*ComplianceScheduleList) DeepCopyObject
func (in *ComplianceScheduleList) DeepCopyObject() runtime.Object
DeepCopyObject implements runtime.Object.
type ComplianceScheduleSpec
type ComplianceScheduleSpec struct {
// CronExpr is a standard 5-field cron expression (UTC unless the
// daemon's CK_TZ overrides). robfig/cron/v3 evaluates the spec.
CronExpr string `json:"cronExpr"`
// Providers selects which provider scans run on each tick. Empty
// = every provider currently enabled in the daemon.
Providers []string `json:"providers,omitempty"`
// DaemonRef points at a daemon instance the schedule targets.
DaemonRef DaemonRef `json:"daemonRef"`
// Enabled lets the operator pause / un-pause without deleting the
// CR. Defaults true.
Enabled *bool `json:"enabled,omitempty"`
}
ComplianceScheduleSpec is the operator-authored payload.
func (*ComplianceScheduleSpec) DeepCopyInto
func (in *ComplianceScheduleSpec) DeepCopyInto(out *ComplianceScheduleSpec)
DeepCopyInto copies the spec.
type ComplianceScheduleStatus
type ComplianceScheduleStatus struct {
LastRunTime *metav1.Time `json:"lastRunTime,omitempty"`
LastStatus string `json:"lastStatus,omitempty"`
NextRunTime *metav1.Time `json:"nextRunTime,omitempty"`
Conditions []metav1.Condition `json:"conditions,omitempty"`
}
ComplianceScheduleStatus is the controller-managed half.
func (*ComplianceScheduleStatus) DeepCopyInto
func (in *ComplianceScheduleStatus) DeepCopyInto(out *ComplianceScheduleStatus)
DeepCopyInto copies the status.
type DaemonRef
type DaemonRef struct {
// URL is the daemon's externally-reachable base URL.
URL string `json:"url"`
// BearerSecret references a Secret + key in the operator's
// namespace whose value is the daemon API bearer token.
BearerSecret SecretKeyRef `json:"bearerSecret"`
}
DaemonRef points at a daemon instance the schedule / scan targets.
type ScanJob
type ScanJob struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec ScanJobSpec `json:"spec,omitempty"`
Status ScanJobStatus `json:"status,omitempty"`
}
ScanJob requests a single one-shot scan. The operator creates a Pod from the spec'd image + args and watches it to completion.
+kubebuilder:object:root=true
+kubebuilder:subresource:status
func (*ScanJob) DeepCopyInto
func (in *ScanJob) DeepCopyInto(out *ScanJob)
DeepCopyInto copies the receiver into out.
func (*ScanJob) DeepCopyObject
func (in *ScanJob) DeepCopyObject() runtime.Object
DeepCopyObject implements runtime.Object.
type ScanJobList
type ScanJobList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []ScanJob `json:"items"`
}
+kubebuilder:object:root=true
func (*ScanJobList) DeepCopy
func (in *ScanJobList) DeepCopy() *ScanJobList
DeepCopy returns a clone of the receiver.
func (*ScanJobList) DeepCopyInto
func (in *ScanJobList) DeepCopyInto(out *ScanJobList)
DeepCopyInto copies the list.
func (*ScanJobList) DeepCopyObject
func (in *ScanJobList) DeepCopyObject() runtime.Object
DeepCopyObject implements runtime.Object.
type ScanJobReconciler
type ScanJobReconciler struct {
client.Client
DefaultImage string // fallback when ScanJob.Spec.Image is empty
}
ScanJobReconciler watches ScanJob CRs.
func (*ScanJobReconciler) SetupWithManager
func (r *ScanJobReconciler) SetupWithManager(mgr ctrl.Manager) error
SetupWithManager wires the reconciler into the controller-runtime manager.
type ScanJobSpec
type ScanJobSpec struct {
// Image is the compliancekit OCI image to scan with. Defaults to
// the operator's `image.repository:image.tag` configured at boot.
Image string `json:"image,omitempty"`
// Args are appended after `scan`. e.g. ["--provider=aws",
// "--out=/tmp/findings.json"].
Args []string `json:"args,omitempty"`
// EvidencePackPVC mounts a PVC at /work to receive the evidence
// pack output. Optional.
EvidencePackPVC string `json:"evidencePackPVC,omitempty"`
// EnvFromSecret loads env vars from a Secret (cloud creds).
EnvFromSecret string `json:"envFromSecret,omitempty"`
}
ScanJobSpec is the per-job payload.
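As an added example (not the operator's own code), how a reconciler would resolve a ScanJobSpec into the Pod it creates, using a local mirror of the spec type so it runs without the k8s.io packages. The Image fallback to the reconciler's DefaultImage, the "scan" prefix before Args, and the /work mount for EvidencePackPVC come from this page; the image-registry allowlist, the empty-argument check, the PodPlan type and all sample values are this example's assumptions. IsTerminalPhase covers the "watches it to completion" half using the PodPhase strings the ScanJobStatus docs list.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ScanJobSpec mirrors the CRD spec fields documented on this page, without
// the k8s.io dependencies, so the example runs stand-alone.
type ScanJobSpec struct {
	Image           string
	Args            []string
	EvidencePackPVC string
	EnvFromSecret   string
}

// PodPlan is this example's intermediate form: what the reconciler would hand
// to its Pod builder (not a type from the operator package).
type PodPlan struct {
	Image     string
	Command   []string // "scan" followed by spec.Args, passed as an exec array
	PVCName   string   // empty when no evidence pack PVC was requested
	MountPath string   // "/work" when PVCName is set
	EnvSecret string   // Secret whose keys become env vars (cloud creds)
}

const evidenceMount = "/work" // mount path named in the EvidencePackPVC docs

// ResolveScanJob applies the documented defaults (Image falls back to the
// reconciler's DefaultImage, Args are appended after "scan", the PVC is
// mounted at /work) and adds an image allowlist. The allowlist is this
// example's own defensive check; the page does not document one.
func ResolveScanJob(spec ScanJobSpec, defaultImage string, allowedPrefixes []string) (PodPlan, error) {
	image := spec.Image
	if image == "" {
		image = defaultImage
	}
	if image == "" {
		return PodPlan{}, errors.New("no image: spec.image is empty and the operator has no DefaultImage")
	}
	if !imageAllowed(image, allowedPrefixes) {
		return PodPlan{}, fmt.Errorf("image %q is outside the allowed registries", image)
	}
	for i, a := range spec.Args {
		if strings.TrimSpace(a) == "" {
			return PodPlan{}, fmt.Errorf("args[%d] is empty", i)
		}
	}
	plan := PodPlan{
		Image:     image,
		Command:   append([]string{"scan"}, spec.Args...), // fresh slice; spec.Args is not aliased
		EnvSecret: spec.EnvFromSecret,
	}
	if spec.EvidencePackPVC != "" {
		plan.PVCName = spec.EvidencePackPVC
		plan.MountPath = evidenceMount
	}
	return plan, nil
}

// imageAllowed reports whether image starts with one of the configured
// registry prefixes. An empty allowlist disables the check.
func imageAllowed(image string, prefixes []string) bool {
	if len(prefixes) == 0 {
		return true
	}
	for _, p := range prefixes {
		if strings.HasPrefix(image, p) {
			return true
		}
	}
	return false
}

// IsTerminalPhase reports whether a PodPhase mirrored into ScanJobStatus.Phase
// means the Pod has finished and the reconciler can stop watching it.
func IsTerminalPhase(phase string) bool {
	return phase == "Succeeded" || phase == "Failed"
}

func main() {
	// Constructed sample CR: no image (so DefaultImage applies), two args, a PVC.
	spec := ScanJobSpec{
		Args:            []string{"--provider=aws", "--out=/tmp/findings.json"},
		EvidencePackPVC: "evidence-pack",
		EnvFromSecret:   "aws-creds",
	}
	plan, err := ResolveScanJob(spec, "registry.example/compliancekit:1.15.0", []string{"registry.example/"})
	fmt.Printf("%+v err=%v\n", plan, err)
	_, err = ResolveScanJob(ScanJobSpec{Image: "docker.io/someone/else:latest"}, "", []string{"registry.example/"})
	fmt.Println("foreign image:", err)
}
```

Args reach the container as an exec array, not through a shell, so they are not shell-interpreted; the check that matters is on Image, because Image together with EnvFromSecret decides which code runs holding the cloud credentials, and a ScanJob author can set both.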
func (*ScanJobSpec) DeepCopyInto
func (in *ScanJobSpec) DeepCopyInto(out *ScanJobSpec)
DeepCopyInto copies the spec.
type ScanJobStatus
type ScanJobStatus struct {
// Phase mirrors the underlying Pod's PodPhase string
// (Pending / Running / Succeeded / Failed / Unknown).
Phase string `json:"phase,omitempty"`
// PodName is the name of the Pod this CR spawned.
PodName string `json:"podName,omitempty"`
StartTime *metav1.Time `json:"startTime,omitempty"`
CompletionTime *metav1.Time `json:"completionTime,omitempty"`
Conditions []metav1.Condition `json:"conditions,omitempty"`
}
ScanJobStatus reflects the underlying Pod state.
func (*ScanJobStatus) DeepCopyInto
func (in *ScanJobStatus) DeepCopyInto(out *ScanJobStatus)
DeepCopyInto copies the status.
type ScheduleReconciler
ScheduleReconciler watches ComplianceSchedule CRs.
func (*ScheduleReconciler) SetupWithManager
func (r *ScheduleReconciler) SetupWithManager(mgr ctrl.Manager) error
SetupWithManager wires the reconciler into the controller-runtime manager.
type SecretKeyRef
SecretKeyRef is a (name, key) reference to a value in a Secret.