diff --git a/operators/mondoo-operator/11.4.2/manifests/k8s.mondoo.com_mondooauditconfigs.yaml b/operators/mondoo-operator/11.4.2/manifests/k8s.mondoo.com_mondooauditconfigs.yaml new file mode 100644 index 00000000000..d21766511e3 --- /dev/null +++ b/operators/mondoo-operator/11.4.2/manifests/k8s.mondoo.com_mondooauditconfigs.yaml @@ -0,0 +1,833 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + creationTimestamp: null + name: mondooauditconfigs.k8s.mondoo.com +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: webhook-service + namespace: mondoo-operator + path: /convert + conversionReviewVersions: + - v1 + group: k8s.mondoo.com + names: + kind: MondooAuditConfig + listKind: MondooAuditConfigList + plural: mondooauditconfigs + singular: mondooauditconfig + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + description: MondooAuditConfig is the Schema for the mondooauditconfigs API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: MondooAuditConfigSpec defines the desired state of MondooAuditConfig + properties: + admission: + properties: + certificateProvisioning: + description: CertificateProvisioning defines the certificate provisioning + configuration within the cluster. + properties: + mode: + default: manual + description: CertificateProvisioningMode is the specified + method the cluster uses for provisioning TLS certificates + enum: + - cert-manager + - openshift + - manual + type: string + type: object + enable: + type: boolean + image: + properties: + name: + type: string + tag: + type: string + type: object + mode: + default: permissive + description: |- + Mode represents whether the webhook will behave in a "permissive" mode (the default) which + will only scan and report on k8s resources or "enforcing" mode where depending + on the scan results may reject the k8s resource creation/modification. + enum: + - permissive + - enforcing + type: string + replicas: + default: 1 + description: |- + Number of replicas for the admission webhook. + For enforcing mode, the minimum should be two to prevent problems during Pod failures, + e.g. node failure, node scaling, etc. + format: int32 + minimum: 1 + type: integer + serviceAccountName: + default: mondoo-operator-webhook + description: |- + ServiceAccountName specifies the Kubernetes ServiceAccount the webhook should use + during its operation. + type: string + type: object + consoleIntegration: + properties: + enable: + type: boolean + type: object + containers: + properties: + enable: + type: boolean + env: + description: |- + Env allows setting extra environment variables for the node scanner. If the operator sets already an env + variable with the same name, the value specified here will override it. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + resources: + description: ResourceRequirements describes the compute resource + requirements. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + schedule: + description: Specify a custom crontab schedule for the container + image scanning job. If not specified, the default schedule is + used. + type: string + type: object + filtering: + properties: + namespaces: + properties: + exclude: + description: |- + Exclude is the list of resources to ignore for any watching/scanning actions. Use this if + the goal is to watch/scan all resources except for this Exclude list. + items: + type: string + type: array + include: + description: |- + Include is the list of resources to watch/scan. Setting Include overrides anything in the + Exclude list as specifying an Include list is effectively excluding everything except for what + is on the Include list. + items: + type: string + type: array + type: object + type: object + kubernetesResources: + properties: + containerImageScanning: + description: |- + DEPRECATED: ContainerImageScanning determines whether container images are being scanned. The current implementation + runs a separate job once every 24h that scans the container images running in the cluster. + type: boolean + enable: + type: boolean + schedule: + description: Specify a custom crontab schedule for the Kubernetes + resource scanning job. If not specified, the default schedule + is used. + type: string + type: object + mondooCredsSecretRef: + description: Config is an example field of MondooAuditConfig. Edit + mondooauditconfig_types.go to remove/update + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + mondooTokenSecretRef: + description: |- + MondooTokenSecretRef can optionally hold a time-limited token that the mondoo-operator will use + to create a Mondoo service account saved to the Secret specified in .spec.mondooCredsSecretRef + if that Secret does not exist. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + nodes: + properties: + enable: + type: boolean + env: + description: |- + Env allows setting extra environment variables for the node scanner. If the operator sets already an env + variable with the same name, the value specified here will override it. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + intervalTimer: + default: 60 + description: |- + IntervalTimer is the interval (in minutes) for the node scanning. The default is "60". Only applicable for Deployment + style. + type: integer + priorityClassName: + description: PriorityClassName specifies the name of the PriorityClass + for the node scanning workloads. + type: string + resources: + description: ResourceRequirements describes the compute resource + requirements. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + schedule: + description: |- + Schedule specifies a custom crontab schedule for the node scanning job. If not specified, the default schedule is + used. Only applicable for CronJob style + type: string + style: + default: cronjob + description: Style specifies how node scanning is deployed. The + default is "cronjob" which will create a CronJob for the node + scanning. + enum: + - cronjob + - deployment + - daemonset + type: string + type: object + scanner: + description: |- + Scanner defines the settings for the Mondoo scanner that will be running in the cluster. The same scanner + is used for scanning the Kubernetes API, the nodes and for serving the admission controller. + properties: + env: + description: |- + Env allows setting extra environment variables for the scanner. If the operator sets already an env + variable with the same name, the value specified here will override it. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + image: + properties: + name: + type: string + tag: + type: string + type: object + privateRegistriesPullSecretRef: + description: |- + PrivateRegistryScanning defines the name of a secret that contains the credentials for the private + registries we have to pull images from. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + replicas: + default: 1 + description: |- + Number of replicas for the scanner. + For enforcing mode, the minimum should be two to prevent problems during Pod failures, + e.g. node failure, node scaling, etc. + format: int32 + minimum: 1 + type: integer + resources: + description: ResourceRequirements describes the compute resource + requirements. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + serviceAccountName: + default: mondoo-operator-k8s-resources-scanning + type: string + type: object + required: + - mondooCredsSecretRef + type: object + status: + description: MondooAuditConfigStatus defines the observed state of MondooAuditConfig + properties: + conditions: + description: Conditions includes detailed status for the MondooAuditConfig + items: + properties: + affectedPods: + description: AffectedPods, when filled, contains a list which + are affected by an issue + items: + type: string + type: array + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + lastUpdateTime: + description: LastUpdateTime is the last time we probed the condition + format: date-time + type: string + memoryLimit: + description: MemoryLimit contains the currently active memory + limit for a Pod + type: string + message: + description: Message is a human-readable message indicating + details about the last transition + type: string + reason: + description: Reason is a unique, one-word, CamelCase reason + for the condition's last transition + type: string + status: + description: Status is the status of the condition + type: string + type: + description: Type is the specific type of the condition + type: string + required: + - status + - type + type: object + type: array + pods: + description: Pods store the name of the pods which are running mondoo + instances + items: + type: string + type: array + reconciledByOperatorVersion: + description: ReconciledByOperatorVersion contains the version of the + operator which reconciled this MondooAuditConfig + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/mondoo-operator/11.4.2/manifests/k8s.mondoo.com_mondoooperatorconfigs.yaml b/operators/mondoo-operator/11.4.2/manifests/k8s.mondoo.com_mondoooperatorconfigs.yaml new file mode 100644 index 00000000000..f5c1a80c835 --- /dev/null +++ b/operators/mondoo-operator/11.4.2/manifests/k8s.mondoo.com_mondoooperatorconfigs.yaml @@ -0,0 +1,120 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + creationTimestamp: null + name: mondoooperatorconfigs.k8s.mondoo.com +spec: + group: k8s.mondoo.com + names: + kind: MondooOperatorConfig + listKind: MondooOperatorConfigList + plural: mondoooperatorconfigs + singular: mondoooperatorconfig + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + description: MondooOperatorConfig is the Schema for the mondoooperatorconfigs + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: MondooOperatorConfigSpec defines the desired state of MondooOperatorConfig + properties: + containerProxy: + description: ContainerProxy specifies a proxy to use for container + images. + type: string + httpProxy: + description: HttpProxy specifies a proxy to use for HTTP requests + to the Mondoo Platform. + type: string + metrics: + description: Metrics controls the enabling/disabling of metrics report + of mondoo-operator + properties: + enable: + type: boolean + resourceLabels: + additionalProperties: + type: string + description: |- + ResourceLabels allows providing a list of extra labels to apply to the metrics-related + resources (eg. ServiceMonitor) + type: object + type: object + skipContainerResolution: + description: Allows skipping Image resolution from upstream repository + type: boolean + type: object + status: + description: MondooOperatorConfigStatus defines the observed state of + MondooOperatorConfig + properties: + conditions: + description: Conditions includes more detailed status for the mondoo + config + items: + description: Condition contains details for the current condition + of a MondooOperatorConfig + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + lastUpdateTime: + description: LastUpdateTime is the last time the condition was + updated. + format: date-time + type: string + message: + description: Message is a human-readable message indicating + details about last transition. + type: string + reason: + description: Reason is a unique, one-word, CamelCase reason + for the condition's last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/mondoo-operator/11.4.2/manifests/mondoo-operator-controller-manager-metrics-service_v1_service.yaml b/operators/mondoo-operator/11.4.2/manifests/mondoo-operator-controller-manager-metrics-service_v1_service.yaml new file mode 100644 index 00000000000..2ceb0f21ac8 --- /dev/null +++ b/operators/mondoo-operator/11.4.2/manifests/mondoo-operator-controller-manager-metrics-service_v1_service.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/name: mondoo-operator + name: mondoo-operator-controller-manager-metrics-service +spec: + ports: + - name: metrics + port: 8080 + protocol: TCP + targetPort: metrics + selector: + app.kubernetes.io/name: mondoo-operator +status: + loadBalancer: {} diff --git a/operators/mondoo-operator/11.4.2/manifests/mondoo-operator-k8s-resources-scanning_rbac.authorization.k8s.io_v1_clusterrole.yaml b/operators/mondoo-operator/11.4.2/manifests/mondoo-operator-k8s-resources-scanning_rbac.authorization.k8s.io_v1_clusterrole.yaml new file mode 100644 index 00000000000..682a577413e --- /dev/null +++ b/operators/mondoo-operator/11.4.2/manifests/mondoo-operator-k8s-resources-scanning_rbac.authorization.k8s.io_v1_clusterrole.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: mondoo-operator-k8s-resources-scanning +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - watch + - list diff --git a/operators/mondoo-operator/11.4.2/manifests/mondoo-operator-k8s-resources-scanning_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml b/operators/mondoo-operator/11.4.2/manifests/mondoo-operator-k8s-resources-scanning_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml new file mode 100644 index 00000000000..4aec40d1983 --- /dev/null +++ b/operators/mondoo-operator/11.4.2/manifests/mondoo-operator-k8s-resources-scanning_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + name: mondoo-operator-k8s-resources-scanning +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: mondoo-operator-k8s-resources-scanning +subjects: +- kind: ServiceAccount + name: mondoo-operator-k8s-resources-scanning + namespace: mondoo-operator diff --git a/operators/mondoo-operator/11.4.2/manifests/mondoo-operator-k8s-resources-scanning_v1_serviceaccount.yaml b/operators/mondoo-operator/11.4.2/manifests/mondoo-operator-k8s-resources-scanning_v1_serviceaccount.yaml new file mode 100644 index 00000000000..95c30c0f41c --- /dev/null +++ b/operators/mondoo-operator/11.4.2/manifests/mondoo-operator-k8s-resources-scanning_v1_serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + creationTimestamp: null + name: mondoo-operator-k8s-resources-scanning diff --git a/operators/mondoo-operator/11.4.2/manifests/mondoo-operator-manager-config_v1_configmap.yaml b/operators/mondoo-operator/11.4.2/manifests/mondoo-operator-manager-config_v1_configmap.yaml new file mode 100644 index 00000000000..2092fb5131b --- /dev/null +++ b/operators/mondoo-operator/11.4.2/manifests/mondoo-operator-manager-config_v1_configmap.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +data: + controller_manager_config.yaml: | + # Copyright (c) Mondoo, Inc. + # SPDX-License-Identifier: BUSL-1.1 + + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 60679458.mondoo.com +kind: ConfigMap +metadata: + name: mondoo-operator-manager-config diff --git a/operators/mondoo-operator/11.4.2/manifests/mondoo-operator-webhook_v1_serviceaccount.yaml b/operators/mondoo-operator/11.4.2/manifests/mondoo-operator-webhook_v1_serviceaccount.yaml new file mode 100644 index 00000000000..3c21ff85e29 --- /dev/null +++ b/operators/mondoo-operator/11.4.2/manifests/mondoo-operator-webhook_v1_serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + creationTimestamp: null + name: mondoo-operator-webhook diff --git a/operators/mondoo-operator/11.4.2/manifests/mondoo-operator.clusterserviceversion.yaml b/operators/mondoo-operator/11.4.2/manifests/mondoo-operator.clusterserviceversion.yaml new file mode 100644 index 00000000000..647bddacf65 --- /dev/null +++ b/operators/mondoo-operator/11.4.2/manifests/mondoo-operator.clusterserviceversion.yaml @@ -0,0 +1,442 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: ClusterServiceVersion +metadata: + annotations: + alm-examples: |- + [ + { + "apiVersion": "k8s.mondoo.com/v1alpha2", + "kind": "MondooAuditConfig", + "metadata": { + "name": "mondoo-client", + "namespace": "mondoo-operator" + }, + "spec": { + "admission": { + "certificateProvisioning": { + "mode": "cert-manager" + }, + "enable": false + }, + "containers": { + "enable": true + }, + "kubernetesResources": { + "enable": true + }, + "mondooCredsSecretRef": { + "name": "mondoo-client" + }, + "nodes": { + "enable": false + } + } + }, + { + "apiVersion": "k8s.mondoo.com/v1alpha2", + "kind": "MondooOperatorConfig", + "metadata": { + "name": "mondoo-operator-config" + }, + "spec": { + "metrics": { + "enable": false + }, + "skipContainerResolution": false + } + } + ] + capabilities: Full Lifecycle + categories: Security + certified: "false" + containerImage: ghcr.io/mondoohq/mondoo-operator:v11.4.2 + createdAt: "2024-11-20T13:50:23Z" + description: Mondoo is an extensible security posture management platform for your entire infrastructure stack. Proactively address threats, prevent breaches and compliance violations. + operators.operatorframework.io/builder: operator-sdk-v1.37.0 + operators.operatorframework.io/project_layout: go.kubebuilder.io/v4 + repository: https://github.com/mondoohq/mondoo-operator + support: Mondoo + name: mondoo-operator.v11.4.2 + namespace: placeholder +spec: + apiservicedefinitions: {} + customresourcedefinitions: + owned: + - description: MondooAuditConfig is the Schema for the mondooauditconfigs API + displayName: Mondoo Audit Config + kind: MondooAuditConfig + name: mondooauditconfigs.k8s.mondoo.com + version: v1alpha2 + - description: MondooOperatorConfig is the Schema for the mondoooperatorconfigs API + displayName: Mondoo Operator Config + kind: MondooOperatorConfig + name: mondoooperatorconfigs.k8s.mondoo.com + version: v1alpha2 + description: | + The **Mondoo Operator** provides a new [Kubernetes](https://kubernetes.io/) native way to do a security assessment of your whole Kubernetes Cluster. The purpose of this project is to simplify and automate the configuration for a Mondoo-based security assessment for Kubernetes clusters. + + The Mondoo Operator provides the following features: + + - Continuous validation of deployed workloads + - Continuous validation of Kubernetes nodes **without** privileged access + - Admission Controller + + It is backed by Mondoo's powerful policy-as-code engine [cnspec](https://mondoo.com/docs/cnspec/cnspec-about/) and [MQL](https://mondoo.com/docs/mql/resources/). Mondoo ships out-of-the-box security policies for: + + - CIS Kubernetes Benchmarks + - CIS AKS/EKS/GKE/OpenShift Benchmarks + - NSA/CISA Kubernetes Hardening Guide + - Kubernetes Cluster and Workload Security + - Kubernetes Best Practices + + Further information is available at [User manual](https://github.com/mondoohq/mondoo-operator/blob/main/docs/user-manual.md). + + 1. Install the operator + + 2. Configure the Mondoo Secret + + - Create a new Mondoo service account to report assessments to [Mondoo Platform](https://mondoo.com/docs/platform/maintain/access/service_accounts/) + - Store the service account json into a local file `creds.json` + - Store service account as a secret in the mondoo namespace via: + + ```bash + kubectl create secret generic mondoo-client --namespace mondoo-operator --from-file=config=creds.json + ``` + + 3. Create `mondoo-config.yaml` + + ```yaml + apiVersion: k8s.mondoo.com/v1alpha2 + kind: MondooAuditConfig + metadata: + name: mondoo-client + namespace: mondoo-operator + spec: + kubernetesResources: + enable: true + nodes: + enable: true + ``` + + Apply the configuration via: + + ```bash + kubectl apply -f mondoo-config.yaml + ``` + + 4. You can see the results in the [dashboard](https://console.mondoo.com) + displayName: mondoo-operator + icon: + - base64data: iVBORw0KGgoAAAANSUhEUgAABDoAAADECAYAAAB++kHDAAAACXBIWXMAAAsSAAALEgHS3X78AAAg AElEQVR4nO3daZAkV3Uv8H8NAmwMVCNs/HC4FgVgdrokgZAwppNP72M3GNsYbHcNq4QMU8OiZVrE 1NgazCamB+3SzHS2DRgDlroddjjscFjZICQhlunCKHjEM0FVNQ/MJnVpQSuT78O92Z3d00stee+5 mfn/dZwYLdNZt+pmVuY9ee7NQhiGICIiIiIiIiLKgj3SDSAiIiIiIiIiSsoZ0g3IovkZVIENgU3/ HBkDMA4A04dRsNC03JifQQ3q843+xKZ/jlQBVGL/3gHQ3mKTgf5zFcAyAEwfXvtvlID5GQQAJgC0 oD7nuLXPHap/2gBWpw+v/TciIiIiIiIAQIFTV4bnX4Ea1OC5CsDD6YPmvtWvZKJjGP4V8LDeB1F/ FC02oQc1AF+GGnwvA1iuX3naQJ124V+xlugYVJScWuuH+pVMQhERERER5RUTHX3SVRoe1gfTwwzI tsWKjt3pKo0a1vthXLRBO+tAVYEsAwhYebC7WEVHUlrY2AftBLdNRERERESOYqJjG/5MOAY1oJ7S fw5VqdGv+uECEx2b+DNhFeqz96D6wWalRtJ6UIPuBQBB/XChLdoaB/kzYYCEE4ibRMmnqA9YdUNE RERElEFMdMTMXxFWsZ7YmLT52tNXMtEBAPNXhDWoPpiC2xUbo4qqDfzpKwus9gAwf4XxRMdmS1BJ j4XpK5l4IiIiIiLKitwnOnTlRl2H2MA6zxUdunKjAZXcMFo546gO1IDbrx/Ob9LDQkXHTloAfAAL rLYhIiIiIkq33CY65mdOTUElN6xWbmxn+vCeXCU65mdOjUElNhrIduXGoKIBtz99eE+uplbMz5wK IJfoiFsEsDB9eI8v3RAiIiIiIhpcrhId/hWnqliv3nCqcqB+ZT4SHf4Vp2pYr95I85obNswDmK1f uScXVR7+Fc4kOiI9qKTTbP3KPW3ZphARERERUb9ykejwZ9YG19PSbdlOPeMVHb6qoGnArYFsWiwB 8OsZrzDw3ano2Mo8VB8E0g0hIiIiIqKdZTrR4c/8ygPQhLuDpzX1w0/KZKLDn/lVHaoPnKqgSakO gGb98JN86YaY4M/8KoD7x+oSVB8E0g0hIiIiIqKtZTLRkaYERyRriQ4mOIzKZMIjJYmOCBMeRERE RESOylSiI40JjkhWEh1McFiVqYRHyhIdESY8iIiIiIgck4lEhz/zRBVqcO3sGhy7qR8+I9WJDn/m CQ8pTTJlQAtAo374jEC6IaPwZ54IkN79ZxGqD9rSDSEiIiIiyrtUJzrmZp4Yg1rgsoGUP8Fjb0oT HboPZpHiJFOGLAJo7E3pYHsu3YmOyCEAs3sPn5GrRwMTEREREblkj3QDhuXPPOEVgOUCcLAAFAsA 0hxp5M880SgA7QIwLf35MYACMFkAlv2ZJ5q79Z2LHPj8koiDug+mEv+AiIiIiIioL6mr6JibeXwM gA9gUrgpidp7+MkF6Tb0a27m8RpUH4wLN4W21wJQ33v4ycvSDenX3MzjAdJf0RGnK2ye3JZuCBER ERFRnqSqosOfeXyqoCoIJh24c5topIU/83izAJwsAOPSnxljxxgvACf9mcdnd+hOpzjwmSUdusLm 8UaynxQREREREe0kFRUdWa3iiHO9ooNVHKmWiuqODFZ0xC1C9QHX7iAiIiIiMsz5RMfczGMe1AA7 048r3Xv4Kc4mOuZmHqtDLTia6gVfCfv3Hn6KsxUeczOPBchuogMAegCm9h5+SiDcDiIiIjKoUi55 AG4zsOlDne5K08B2iTLH6akrczOPNaG+JDKd5HDV3MxjY3Mzjy0AmAOTHFlwZG7msYW5mcfGpBuS U0UAt83NPOZssomIiIiIKAucTHToAXYA4KB0W/JqbuaxGoAAGZ4ulFOTAJZ1/5KMfXMzjwVMOBER ERERmeFcouPEzKO1EOFyiHAiRH5+XHJi5tF6iDAIEY5Lfy78MfJTCRGePDHzaF16X4sT/1Ts/kyE CNsnZh5lwomIiIiIKGFOJTrmDjw6VQgRFEJUCiGQp3DF3IFHm4UQc4UQRenPhGE85uYOPOrMNAoH Pg/bUSyEODl3wK2EExERERFR2p0h3YDIiZlHGyjgiHQ78uzEzKM+CpiWbgdZte/EzKNVAPW3HX6q 6BNBQmeX4zVu7sTMo9W3HX5qU7ohRERERERZ4ESiY+7AI34BHGBLmTvwyBiAoMBHx+bVJIBg7sAj 3t6P/JpYsqPg+BOgDDs4d+CR6t6P/FpduiFERERERGknnug4fuARH0xyiDmukxxgkiPvxgEExw88 Un/7R35tWaIBpyRe1C3Txw88UgUw9XbBhBMRERERUdqJrdFx4sAjYycOPLJcAKYLAPIeEk4ceKRW AJYLwLj0+2c4EeMFIDhx4BGRBTIdeP8uxITuAz6RhYiIiIhoSCKJjhMHHh4DwgAIx4EQDPsl+ycO PFzTfVCRf+8Mh6IIhIHaP2wTf++uxLjuAyY7iIiIiIiGYD3RoS/eA3CqhBg9iA0AFIWbQm4qAhBK dpA2DtUHTHYQEREREQ3IaqLj+IGHx0IgCIFx8XumjoUtxw88XNN9UJR+zwynoxgCwXGLyQ4H3rNr Ma77gMkOIiIiIqIBWEt0HL/84TGECBBiXHr04GRYcPzyh6u6D4ri75eRhigiRHD8ckvJDvn362KM 6z5gsoOIiIiIqE8WKzrCWXBNjh3CrOOX/3IMCBeg1mBw4P0yUhJFIAzU/mOa+Ht1NcaBMBjhgyUi IiIiyhUriY7jl//SBx8hK0YPUgNwXRQaThGApWQHbWNcf48SEREREdEuzjD9Ascu/2UTTHKICgEf THLQaMahkmXGprGEpjacHdPHLv8l3vE3T6tLN4SIiIiIyGVGKzqOXfZQHWF4EGEIxi5hrg98hOGk +PtjZCHGj132kG9sZ5V/f2mI6WOXPVQ31gdERERERBlgLNFx7PKHaihgFgWA0UcYcOzyh+ooYFr8 vTGyFNPHLn+oARPk31taYu7Y5Q95Q37KRERERESZZyTRcfzyh8YKQFAAivJjgnRE0o5f/lCtAMxJ vy9GJuPI8csfmkLCHHhfaYqF45c/VB3ukyYiIiIiyjYja3SEYbgAtYAhCTh22YPR4qNEpvjHLnuw 9o6PPr2d1AbDMExqU3lQBLBw7LIHvXd89Omr0o0hIiIiInJJ4hUdxy57cBbARNLbpYEw0USmRQNt PolFzjiAWelGEBERERG5JtFEx82XPTgVAvtCAIzBIik3X/ZgMwQmpN8PIxcxHgJNJMSB95PGmL75 sgfrw3zeRERERERZlVii4+bLHhgDQl/8sj+1MbqbL3vAA8KD8u+FkaPYd/NlDyS0Xof4e0lrzN58 2QPVIT5wIiIiIqJMSm6NjpDTJSTdfOkDYwB86XZQLvk3X/pA9Z0fe8Zoa0WECbUmf4pQ09Vq0g0h IiIiInJBIhUdN136QCPkdImRYlQh4IdARfp9MHIZxVANtEfiwPtIc4zfdOkDzcE/dSIiIiKi7Bk5 0XHzpfdXCwibBYRgDB8j9sFUAeGk9Htg5Dombr70/sYo+7ED7yHtcfDmS+9nVQcRERER5d7IU1fC ED44ZUXMTZfczykr5IrmTZfc77/r488cagoLny6bCB+cwkJEREREOTdSRcdNl95fRwETKACMEWNY BTRRQFG8/QyG2g99DEu+/VmI8ZtGrKwhIiIiIkq7oSs6brqkNwZgNsG20IBuuqTnAdgn3Q6imMmb Lul57/p4MRj4N1nSkZTmTZf0Ft718WJbuiFERERERBKGTnSEKsnBKSuCQiaayE0+gOqgv8Q0R2KK UN8NCT32l4iIiIgoXYaaunLjJb0agOmE20IDuPGSXgPAuHQ7iLZQufGSXlO6ETk3eaOq+CIiIiIi yp3hKjrCkJUEgm780OoYgKZ0O4h20LjxQ6v+uz8x1u77Nzh1JWmz4MKkRERERJRDA1d03Pih1SkA EwbaQv1rgNOGyG1FMBknbfzGD63WpRtBRERERGTbMFNXWM0h6MYPrVYBHJRuB1EfpvX+SnKa0g0g IiIiIrJtoKkrN3zwvjqAipmmUD/CMGxKt4FoAE0A9X7+YsipKyZUbvjgfc0LP/mspnRDiIiIiIhs GbSio2miEdSfGz54XxVcBJbSZVrvtySnccMH7xuTbgQRERERkS19V3Rcz2oOcSETTZROTfRR1cF6 DmOKUOv6NIXbQURERERkRd+JjgI4ZULSDR+8t1pgNQel0/QNH7y3eeEnz2zv9JcKTHWYVAcTHZlS KZfGsMtTdTrdlcBOa5JRKZeqAKq7/LXlTndl1XxrsqlSLnl9/LV2p7vSNtwU2kIf/cO+GRA/U3f1 cx4D0ncuS7s+zxOpOBf3lei4/gP31sFqDlFhiIZ0G4hG0MQuVR1cosOoyvUfuLd+0VVn+tINocHp BICno4o+n3xWKZeif1wC0AYQAAhcuKivlEs1bHxP4wP8LgC0oN7TMtT7SsVFlw2xwYOn/xzDgE/L 059xB+uf8TIc2XeyQg8moqihz6fpbeqbANz/Aax9p0T7fRUD7POxzzS+rwdJtzGv9Dlsc//0Pa6M ncv4vZ+QLc4TVQxwHtbbADZ+F7Xh2Hmi0M8CgNd/4N4AfKSsURdddWZhu/93/QfuHYPaefhIWUqz sy66avuqDn7PGNe56Kozq9KNyIvYRXc1+m+d7kpzgN8fg0oO1jHgxUcfOgAWAMzavCDRn0kD6sLK xM2TJaj3teDShZYN+rOd0pH0/hLXg/qMA6jPOReDDP35VhG7+zzI8RzbzhTUMT2ZUNPiFrG+/+el X6J9fgrJXyP3sL6f+4P+sk5k3ZZskwAAh4bZ92yL9Y0HszfLW1jvp8Dg66Se/h6rQ/WJyfNEB7pP oBIfYt9HuyY6rv/AvR7MHKgUs0uiowHgiMXmEJlw6KKrzmxu9z+Z6LDi9RdddWYg3Ygs0omJ6MJu y0FMp7uy7fd8bDtVqAooExfuW1kC0DR5gVgpl+pQ78lmZegiVCInsPiaVul9pQG1r0hV3S5iyIGg 63YbRPdzPOvtjEH1Ux32+mkegJ/F/T+WMLX1HQmopIePAZLDeUx0xI4Zqan2USJ2ttNdWRZqg1Ni yY065G6YL0J9Hy3YfuHdp66EYd18M2hHYchpK5QFOy+IybkrNjSgsuyUkKQSE7HB0MFEGta/CQC3 VcqlxBMeQgmOyCSASRPvS5oeTDTgRmI4+pxnAcxCXcy2ZZs0vNhx2EACg4JKudRMalsDmgYwnaX9 XycOmpDZ74sA9gHYVymX5gE08lI1sxuhRN52iljf91tQCQ9ftkky9Pm3AbOVG/2KzhMdrCcMrRw/ O1Z0XPf+X4wBuM9GQ/LuPZ969pZ3Bq57/y+mANxquTlEpux9z6ee7W/1P657/y8CuHHhnnVnvedT z25LNyILBh3EbHcHWF/A+5C/SASAo1ADo6EvQvQdpFm4dTwvAqineXAinDgaxDzUPtSWbsggKuVS lIwf6XjW2/LgzjENqD5J5eBcOMGxnR7UYK253V/IekVH0klBgzpQ30e+dENsSMl5ogd1jWA84bFn l/9fN/ni1Je6dAOIElSXbgCxD0ZVKZdqlXJpGar6YqQLPH0n/Da4c1GyD0CgkxUD08mfk3BrUAKo O0ptXQ2RKpVyyauUS20Ac3BnP9nJNIAfVMqlWT0YclqlXKpWyqUAaopwElUcrh3TgOqTdp9PU3CC 7pcFqM/Ste+TIoCDlXJpWVf15Yr+nm8jgXOgBRUAc5Vyqa2TAJlUKZemUnSeKELtO+1KudQ0eZ7Y saLj2v0/b8P9DysTLj7ym6fdGbh2/89ZUUNZdNbFR36zvfk/Xrv/5wHcu5jJos7FR36zKt2ItNIX SrMY4uIufgdYn9gX4O4+3wPg9TvPWb8fH2YWWUyaE3dEd6MHULNIx2e6nR5UJYEv3ZCt6IRegBGP Z72tMb0tF0rFd+L8/j9odY2wLffxLFZ0OFipNIwlqP7KxBoe+jzhw91riX50oPok8TU8tq3ouLbx 8xpCVBACDAuxlRB18XYxGMnH1mvOyLcrL1G5tvHz1N3VdoFOcsxh9CqOaEA0MXqrjCmiz8qO2PtJ y4D8YKVc8qUbsRO9ry0jPZ/pdopQd1MD1+5868/4JJKp4ogSJq4nOQCH9/9KuTSWZHWNJdE+3pRu iCm6X1ysVBrGBICTWegvnRBchtvXEv2oALi1Ui4tJF3dsdPUlXqSL0RDqUs3gMgADrLlsQ8GFEty jLqdtNz1BfpIdqTs/cRNuzjY0wOKBSSQUHPMBIBlV6YO6XaMfDzrbaUpyRFxbv/Xn2Mb6R20OZtA GoXul2WoaY1ZktqpRylNCPYjmmLqJbXBHRIdYV36tmO+YqNrGz+rAuG4fLsYjMSjcm3jZ1sMnMTb ladwYrCRFkkOiqBKTNM0IIqSHafdZUlxkiPi1GAvNqBIexXHdopQd+1mJRuhP2c/oW1FU9DSONhw Zv9PsrpGmDOfaRJi/VIRboop41AJWE+6If3KQEJwN0WoJ8El8sTRLRMd1+z72VQYohiGAMNObBaG mJJuE4NhMOpb7PMMe1G8Zt/PmOzoQ2z+axLbaiKdg9gi1GBuswDpTXJEpl1YoE4n0wJkd0ARt09P ZbG+UGlsLZkkpqtEib4099m0A4mnOpJLJLtgOiPTInxkq1+2Ew2s69IN2U2GEoL9OJJE0nDLREcB mCqoPxmWYos+qEu3icEwGKcNsh1oU96CiY7++EjuouJgQtuRMBG/w6IvQNKe5IjMDvuUmSToi9db kY+L18gEtqkUMqyJ5Pbb2QS3JWmf1JSiDA+mDyLF51jdL9PS7bBszuVqnAwmBPsxracXDX2eOGOr /xiGoTd0k2hk17zvp1Vk4+RJtJ3KNe/7ae0vP/2ctVWvd3oCFBmR2oswW/TF/4R0OxzS1BeCHrJ1 EVyESmhZT3bk9OI1Mg6V7PA63ZVV0y+mk1lJrjOQpWPAr5RLtU53pW3rBXXiNEuf4WapW9MiBU8D M226Ui6h012pSzckTlddpW5/SshI54nTKjqued9Pa0h3GV4WcABCecD9XFbxmvf9lH2wM9GSbgcV oT4TX7gdJownNSe4XzlPckSii1gblR08nrcXHdtW6H3/iK3Xo775yG+SI+LUOiv6vJTXJEdk6PPE aYmOEJgK1Z8Mi7GpDzzp9jAYFmLDINuB9uQxPNCW9IV4RbodDppGdqdYNG1NpWCSYwPjyQ5dzTFh avsZMWljCote+JH7vmP04D6Na0iZIL52DcCE4CbjUGsiDWSLNTpCT/zSO5exoQ8m5dvDYBiP8avf 95PYha14e/IYHmg7dekGkHVFAMarOvSgW/wi2jHj2HrB26RYrdZJMaP7pV7c2WQ/0xD0oH5auh2O 2Se5QGnCT3vLivFBq202JDo+/d6fjIUhJhx4IkDuItYHnnRbGAyL4UX7vgNtyWOMf/q9P6mOdNrJ IH0xPiHdDhJhdEAce1JHVqtiRjFhsGSc0/T6UzE8uEvro3gzS/d33qdGbGdO4tGzST4CO4MGeqrR xoqOEJ78DcacBvuAkc/wEJFvS15jvQ8o4kk3gMQUOdATlfjjfvVAhZ95/5omNqoHJ1xo3yGsLuvL gs2nQyX5COwMO9hvAmrT1JWwJn3Fnd9Y6wNPvi0MhrXwsEa8LXkNscdqOsyTbgCJMlLVoQd6Eya2 nTGzuqoqKV6C28qDStJ3sfWA+mCS26RE+OCAejdF2J1u1QQTgv3oKwG14fGyIe/siQtDXgRRrowf vfh/xvZd+79Ww1C6KbnlSTfAQS4kf1pQUxyWAbQBrHa6K8vA2h1qQLWzBlWWn5aL1Q7U+wqw+/vy ILMg7HilXKom+ahNDvQGEj3u10toey4cz5ElrB/XqwCWO92VVZ3Yqeq/42F9/5c6rusYYuG/HbBq wDGssBnIRKVcanS6K6bXsPHAaUT9is4TO05LPGPTv3OQLejoxf/jSbeBSEANyV5Q0WB4oXM6qc+k B3Xint1pkN3prgT6H6M/o4XLGnD3PL4EoBlr+2m2eV8e1KBr2ljLtjaFZAdnfoLbGsUSVIKprf99 Wf9Zi/1Zhfz3QpIDi2oC2xhFB+ou7UKnu7K65V9Qx3tb/2sQ/Xc9jacO+8f1tP78t2zvIPR7cOF7 qQe1vwfYeAzERft/pp/S41DiNeqTKPG3qv+5BiC6W+/pf5dO5jcr5dJCkgnwuNiUFRdsPk8EUMdF Vf97dDNC4kZE3GSlXJrqdFe2rbhZS3QcvfjHLmW8c4ol5JRLHoBATaMgCUcv/rG379rnBtLtcIHN ubibLAJoDHsRpU/0Czrh4UP+ojDSgnpfwTC/rH8v0ItUzsLeANxDQomOSrnUgGzybAFqkL1T+fWG /6ePgymoz8F2kinSrJRLfgKDbcnPvtHprvjDbkD/rq8Tfj7sDiw8JFOy30xgG8OKksd+VDm2iyD6 B30MeFDHgdQxYIpkhU0Lqk+CHfok2PwfdNXTFFTiT+KYLkJ9bqYWNm5ALnHQwfp5Iuj3l2LniSnI PZp4tlIuBdudJ9YrOkKnSvvyiX1A+aT2e+Y5JHlgVU1E4nt47yiDobhOd2VB361bgPxd+Xmogd7I d4U73ZUgNtizcUGVyGvoC8FmEtsaUAeqgsYf6pdVn/lQg+wG1EV4A3YTaNHAom7xNZOyCKCexL4P rO3/0cKRtgbdUxgx0aGrOSQGbyPt/8DaMRAlkKWOgcQJVtjMQyWcgmF+Wd8EmIUa2Nag+sJ2Amqy Ui55w76H7egkjkSFzRJUn/jD/PKm80QV6rva9jFS0a/Z3Op/ri9GGqImvyZejkP1QVW8HQyG/VhP dDCkogqSkliSI6IvCD2oi30p853uSmIDPUBdVHW6K1NQg0jjElqQ0fZFXw9qn6ommDxb7XRXmlBl y4eS2OYAphNemNSG+U53ZSrJfR9Y64c61IDRBi+BbTQT2MYgegD2J7n/A6cdA0eT2q6QpuXXWwJw tj4fBElssNNdWdbHwll6+zaZqIZpGtjmTjpQ5wkvwfNEW/AYaWx3nlhLdIQIayH4I/Wj+2BCuh38 4Y/AT0Xv//yR+2E1mYzEkxwRPcgyVWK7m5a+CDWlDjtJnJGOC13NYeQJLttYBJDoAC8uNtg7G6r8 3Jamxdca1bzhfR8Wkx2VUZJMAtUcS1D7v7FpGfoYaAB4PWQTyUOx3CdR0snrc9rQwPTg2gPwBv16 Nown+QhsfYxNJ7W9PhwFUDN8nmjA7nmiiN0qOsIQtTAEGDJx5MIfVaXbwGBIxZELf+RJtyHnIT3F IY8WTV1oRPTFpe078D0YTrDoJE7d5GtooyYAbVZz7DdRRbAVfTe1BnuVBWmp6lg0neSIacDOIGKU Y6CeVCP6cEgPqI3v/8Da2kE1WKouS1DT0ut0AHimn1Ky9mJq/aEa7A2s6wluq5ngtnYSVfslMp10 N/r6w4Pd88Rpa6ztif1zquecZUBVugFEgqrSDci7Ixf+qCrdhhzpwd4gYBb27nQBal582/SL6IGG 6UFGdcTft1HN0QPwBlsDijg9qN9v6eWall5nWDaP6SjZZ2P/GirRoRNTE8k2ZVt7daWRVbGpdLYG ciPRC1VXLLxUC6piwEgVx3ZiUzZtJDsmkpjaqAfm06M3Z1c9qMSTb+G11ghMtzvtO3EPABx59//z pG8nMkL2ASPPUXWgDXmPqqUTEanHx9q68xgtFmbl5SwPuE2/1tB3s3Vps40bSN4uT1MxSvf3Xgsv NSX4RKR+JLoeTT90ss/0AMIb8vdsTdkyNv2vX5YHcqOoW3iNFtR3ktVjIaJf14OdZEfdkW3sJkpy WE08xVk8Ruqb/0NU0eHyyYOIso9rRMhjH9hj++67n7HXAbA20DN5QTtKoqKeVCN2sFfy4jWiB5qm F58rQm7Nmd0sCSabTH+XDDs+sNFX4kmOiB7IOTuNRVfYmH5aVTRdRSTJsdYIe8mOLadKDMhGQlA0 yRGxlOyo6MqlNXsAIOT6HC6E50AbGAypGHOgDXkPJrztmBe487sMOwvn+RZeYzOjA8xhLmQtle0f cmWQBwB68TnTAz2bC7sOwvq0oYg+tk0O6AZev0k/+rNioC1x8y7t/1od7i5QaiPxZGWNoH7EFuM2 PW1z6M/V0nGy34UkR0QnO0wnoLZIdDAYDIZsVB1oQ96DFR12SN35DQxvv2VjbY4tBIa3P8xxYXpQ 0ZJYk6APdZgdWIw7uChpR3LqkOYLv/5mnuHtd+Bg0kv4SVe7qRvevlMDamBtzY664ZcZZfuj/G4/ FiXWbuqD6QTUdPxf1NQVrg/hQtQcaAODIRUVB9qQ92BFhx2B0OuavggVGezp6SuuMT3YqRve/lAs PQ3HM7z9QUknOQDD3yn6zvMgjO//rlQObKYH+6ancQ1EV6WZfLJay9EBdfQ0FpOVZhMjTF/xkmzI Jj04mAwE1hJQTZOvEZ++wooOd6LoQBsYDEaOg4xrCV6gm050BIa3vxNbjxTs14TBbR917c5pnB5Y LBl8CdfumIsnOvT+YPIO6aADOZP7/6Kjyc24Juw+6Wo3po8ZJwfUMabb5w36C7oyzWTyaVaowrIv OjFmcpqXF/3DHgAohBgrhACDwWAIxtMdaEOeY8LgSYcUyQGq6QRLlt9b35J45OAOenD/MauA2TZ6 Brc9MIcG3U4kv4ao/hiU64PqqLLJpQoHz+C2lxw6BrakB/wmF8H0LP1Ov3pwa//bTtPgtjdXdITj IfjDH/7wR/TnDPEW5PyHjGtLvbDpKgDhUvJA8LU38wxue8HVkv04PfAxVdVRtDCY7pfJypVBOZHo gNn9f9Hlu9SbzMKdqg6Tx0vT4LaT1DS4bW+I3zHZJ9YeXz8KvZiwqaqOSjSlSK/RwWAwGIzcB5kW SDfAEJcGfNI8g9tOw126iG9w264kOlxJLgDuVDVVDW7bN7jtROmBpvi0Js3UFCzpqaYAAB8jSURB VImO69UcEZ0gM7VWxzCfr8nvMN/gtpNm8pxWA4AzACDkBS4RERHRqKqGtttyeW2OLSwAmDO0bVcS Ha4kF1xiqm96DjzdZlAL2PQECNsMT6VLU+IVUP0xaWLDlXLJGzDpM2GiHUhX1ROg+uSIoW17AIJo 6gp/+MMf/kj/cOqK8M/H39Z1ZQBBlFYVQ9sNDG3XCH1H29QdVFe+p1xKPAXSDdCqhrabtiRHtDCv 9PSVqsFtBwa3bYLJfaja7180/IjswOC2E6eTMqYWE68CuqIDrOggInlPl24ADby6Pg2mLd0AMsfw 3dPUDfSgLrpN3EGtGtjmMFjRcTom+jYKYKiKoE9VQ9vtpazCDJ3uymqlXFqCmWqKqqG/O6jA4LZN WYCZ6VVVgIkOIiIiK1JWUkpuSdWgQjPVZlODaXJXIN2AIS1DNtFhqvopjd9HgGq3dKLDWEVa2pJP mqk2V4Eo0cFMBxEREdEoqoa220nDKvqbdborQaVckm4GWWKyoinFSeIAwEHB1zdVpRkY2q5pRgfV fTLVJ2ldFNxoQpyLkRIRERGNrmpou21D27WhB6CY9EYr5VItpXcvaXCm5vDT8FKXeNXa0g0wKJV9 0umutE0mxJnoICIiIiITTJWKcz2h/EjlAA7IdFUTk4zuYZ9sgVNXiIiIiNwVSDeAiFKJCcEYRxJP 7JPTmVoklouREpEzHpRuAKX3zhkRERFtYOJpFjSaqnQD8oSJDiJyxRPSDci7yz5TZekjkXuMrdJP RJlm7E55GlXKJRe+S6WfxOOiqqkNqzU6mOkgIiIiclGaS52r0g0gkuLIwNqEtH4npbXd/ahKN2AE xh4ZzsVIiYiIiNyV5otzUxewbUPbJfekOVmQ5mN3JzUAC9KNGEJW+wNIaaKjUi4Z7ZNo6koLnMdF RLI4dYWI0szU1K9UXp9VyqWqqW13uittU9umobUNbbdYKZfGOt2VNK4hleYkzU6q0g0YUlb7A2Cf bCmaupLGLw8iyhYuRiprSboBRCln7FqqUi7VOt2VtK2hk+VBBW3S6a60DT7RooZ0Pn1I+hgw9Xhn 6fc1LFPtHuS72dT3eCWlCUFTfdICdKKjwKkrLugBKEo3goiIiIbSNrhtD+YukE2ZMrRdJmXzZwrp THR4wq9vatA7ntJBtWdou4N8DiY/Mw/pm1LkGdruKgDsAYAQCEL1J0Mulh1oA4MhFR0H2pD3SNsF C5FTDE+n8Axu2xTP0Hb5XeUuU0koz9B2jdFTtyrCzTCZHDWVyDRCLwxr6oayCxUdQMr6RPMMbXcZ WFujIzT0GkREfWlLN4BSd7eYyEWm1jybTNMdVD2oMDXI43eVu0xWEFRTtjaLC4POtsFtTwHwDW4/ aXWD2273+xc73ZXVSrlkqorfhX2ub5VyaQrmkk9tYL2ig9UE8hE40AYGQyraDrQh75GKARSR40wO wusGt520hsFtM9HhLpN9Y3KfMkG8vYbX9Zk0ueBwkvSTPeqmtj/E52yqX4qVcqluaNsmGD9PqMVI T/ECl4hEtZHeFaOzgoMHotEtA5g2tO0GgFlD206MHvyY+gwAfle5zGiir1IuNdNQ1aTvVFek26Et wcyCpIBKHjQNbTtJJisHhpmuFcBsn/iGtp0YfZ4w9Rmg010JAF3R8eEvPC8w9ULUt0C6AUSC2tIN IPYBUQICg9uupORuncm7dJ2UTV/IG5OJjiIcqJLok0vtDAxuu6GrJVzXNLjtwNLv9GuiUi55Bref lKbBba8ln/as/acw7CEMwRCLtgNtYDCkou1AG3IdH/7C89oGTzpEuaBLmDsGX6Lp8sBC36XbZ/Al AoPbphHpJJTJ/b/h+nQJnYyckG5HTGBw20U4XmVWKZeaMFtdEwz6C1G1gUG+4e2PRCdipg2+RBD9 QyzRgWXpCeJ5jg9/8flt6TYwGFLx4S8+P5BuQ86Dj2skSk5gcNsVuF0q7hveftoenZhHgcFtOz2w 1klIp9qnB9U9gy8x7WoFgU6Kmayu6Y2QtFhMsiGbVHSCx1Wmj5G188RaoiMMsezATcXchu6DJel2 MBgC0dH7P0Mu2oZPOkR5Ynowvs/FgUWlXGrA7J3sXqe7wkSH+wLD2590eAqXD3NrQYzC9HHjO1pp tgCz/THK52q6Tw7qp185pVIuzcLMk8kinfjisOuJDoTLIfgj9aP7oC3dDv7wR+BnWe///JH7aRs8 6RDlih6Mm7yDCgALLpXw68TLEcMvwyRHOtjop1nXBnE60Tcp3Y5tmO6TChybLlEpl3yYHVADbic6 AHWecCYBpROUJqc2Aps+V05dcSXYB4z8hsq8yrcjzxGAiJJk+iK2CEcuYvWA08pFu4XXoBHpp6KY LMsH1P4fuJLs0AM404m+oVlKvk7q5II4nXSaNvwyI1WYWTpOKlDHiSvniTkLL+XH/2Ut0XHwlhdw 6opgAEDI6UOMfEag93+GUBy85QWBhZMPUZ7YmKc/DuGLWH3xGsB8uX6H01ZSxUZfFaGmTIgmO3SS Y06yDX3yLbzGtHSyw2LSyXdkG7tx6TxhWis+bQWIV3QAAMIlOHBrMZ8BNG99QSDfDgbDeugvJfF2 5DVaIKJE6YstG4v8Rhex1gd7erpKADtrEji1wCPtrNNd8WG+ggAQ3P+BVCU5AHvHkFiyQ7+urf4Y +fPUyVuTTymKiCU79DFyEkLniY2JjhCB/DV3TmO9D5bE28Jg2ItW89bfWwXE25HnCEBEJviWXie6 iJ2y9HrRIxtvg52L1x4cm/9PffEtvU40jcXk0zU2qJRLY5YH1SPTj/6dt/Ry05VyadnWOkK6PwKY n64SmdefZxKaCW1nN+MA2jYXstYLj9o6Rjo6wbrBhkRHGCKQLqHOa7APGDmNILbvM2RiQ5kfESVD X3TZuFsHqMHerZVyyei6HZVyqVYpl5YBHDT1GluY1fPZKV1sVuEUARzR+3/V5AvpgeIy7A2qk9S0 +FrjAJZNJ6B0xUAbZp/4tFkzqQ0JnCduq5RLs4bPE54+T5heeDSuudV/3JDoOLT4e0EYhmDYj0gY huwDRp4iiO37DOE+IKLEWbvLrE1C3bVrJnkhWymXqvoO9kmYf5JBXA+ctpJKlisIIpNQg+tE939g wzFwG9Qij6kj0CdRAqqd9COBK+XSlB5Mz8HuI32TrOaINBPe3m72wdx5YgHqGLF5ntiymgM4bY0O AJw6IRPaX/3TCwPxtjAY9iJARL4teYzWX/3TC9sgIiP0HGwba3XEFaEqLu6rlEv+KFNa9GBiAcAP IHMHm9Uc6dYUeM1o/2/r/X+k9Tv0MRBA7hhIWlPgNSsA5nTCozls1Y0eSDcq5VIbwK2wO5iONJPe oOWqjkgix4meNlSPHSMSj1hubvc/ztj8H0I18Jgw2BjaRRhiEe4+i5soKa2//ucXrl3AhqFkU3Ir kG4AUQ40oCohJExDzZfvQR3vy/rP1c2r0+uS/DEANQAe5K8FO53uSlO4DTSCTnelXSmX5iGTIChi ff/vQO33AYB2p7sSbPUL+u52DevHgAe71QLG6T45BLvTzyIV/boHdZ8sQH0ntaH6pb32F9f7oor1 /pBIbMQdMlDNEalDVULYFj9OovNEANUvaThPLG1XzQFskegAwgXI7Py0JgzARAdl36bHzzHTIYCP ayQyrNNdWa6US0dhd77yZkWo64pJ6Gu8Srkk2Jy+1KUbQIloApiCbMKgAj2YAzbs+z2oQbb0AHoQ SayrNQt1fFUS2NawKtj0nej4d1IHBqfRdborQaVckr7RHT9PAHC+T4BdpoeeNnXlr//5RcthiE4Y qjusDDsRF4ZYkG4Pg2EhFjbt9wy70fvrf35RkMBJhoh214T90uQ0O7rdXXdKF30H3NV1VopIV5ID UImZkejpYPWRW5IvdQvT6Oqw81jmrDi0ueJks9PX6AAAPmbWfsRc+S8vaiNES7xNDIa56Fz5Ly/a +OUk36a8Bas5iCzRF8jWHv+aci3IrCNAhugpSC3pdmTBbgO7AbYTADiaxLZy4JCNxCsTUANZ6mdq 4xZTV4AwDBeQjQV3UisMQx/AEel2EBly2iA7DEOJduQZEx1EFukpLPvBc/tOerBz55Tsq0PN/c/U mheWLSa5sU53paHXXEhbVYtNLZtrBXW6KwsOTHV0XQ99JoS2rOg4/K8vXgBLZ6RxEEJZ5ks3IOd6 +nueiCzqdFdmYf+Rm2nSSOqONblF92tTuh0pFxjYpgeO+bbTg/p8rOp0Vxqw/7SuNJnqd1HYLSs6 ACA8BR/MJok5/K8vbh/4399tgVlWyp7OR/7txaddyIanJJqSW0xyEMlpQK1Yz/P7Rod2Wj2f0q/T XZnVj7Fk1fhw/KQ32OmurOqqjgCstonrAfAEq8umoPqE54mN9g4yjWjrNToAAKEvPYE8X8E+YOQm thlki7crT8FEB5EQfeHsgWsWxM3zUbK50QD3/WHMmxp062qbHZ9ekUN1yeqy2HodrLZZd3TQZPi2 iY6P/NtL+PQVi7GVMIQv3S4Gw0Bsufq6A+3KS3Q+8m8vYaKDSFAs2cGLWDWAq0s3guxgom9oTZMb 1wPIvSZfI0X2dror4tdJOtHigecJQJ0nBk7G7VDRASDErPyNx5zEFv7m31+yihCL4m1jMJKLpb/5 95e0sRX5tuUl/C0/fyKySg/4asj3gI9JjhyKPYUoywO4Qwlua77fNQlGwWQHAJXk8KUbEWGyA8AI 54lt1+gAAD75Q57ug0npdhAlxN/uf/CpK9b40g0gIqXTXWnH5sfnbS42kxw5tmnfz9raEHsBtAEc TGBbPVicVtLprviVcgkAZpG9ftlJ9MQn8UqOzfQTuzyo67e8nScOjTKtcceKjo/+x0tXEWLegTuQ 2Y/t+2ABITri7WMwRo/eR//jpT62I9++PMTiR//jpe1t+4CIrIuV8if66EjH7WWSg/Td6iqyVdU0 n3BFgPXHLev2e8hPFUG08KhzSY5IrLIjS8fKbvaOunbTzlNXAIRcJ8JK7NIHs9LtYzASiC3X5ojt 5wzhPiAiGZ3uymqnuzKFZMvdXdQD8HqXSsNJVizRl4XHaSZdpXRIavCd0STUVpYAVNPwWGt9nqgh +48o7wA4O4nzxK6Jjo/950sDhOGS9NV55mMnYegjDHvibWQwRoudv7Dk25f16HzsP18aDHB+ICLL 9N2r1yObd1KjAUUg3RByix7AeQCOSrdlBEknOcSfRBQbWGc1AXuo012RfITsUPR+9gZk8zyxCKCW VOJp10QHAISAH6o/GYZiJx+77WWr7ANGymP+Y7e9rI0dONDGrEdzp8+fiNygEwFVZGcqSw/A/jQO KMgu/VSFNA7gkp6K5dT6NbEEbEe4KUlpQVUMNKUbMixd6VNDNiqhAHXMv6HTXZlK8jyx42KkkY/f 9jL/QxPfaQKoJPXCNJjwFGYB7JNuB9GQmrv9hfCUhVbkV+cTSy/zpRtBRP2JnkoRW4AurddfiwAa Np4YQdnQ6a4sVMqlKtR+7/pi/B0AUwlPe9jf6a44N800SsBWyqUm1OKoaVyotAdgNs0Jjjj9vepV yqUpqMVj03qemIc6TySeCO+rogMAwhBN+crr7MZuPrH0snYYYl66nQzGEDH/iaWdqzn0dwzDXPj9 ftcTkTs63ZWg012pQpWOp+ku9xLUWhxTTHLQoGJr1rhcRZBoiT3U+3y9i0mOOJ0kSOM6EfNQ/dWU bkjSYtUdaT1PGFtwt+9Exye//DK/gLBTQAhG8tGPAsKmdDsZjCGi2ef+zTATvQJCpy+ciGhn+uK8 CvcvZKMLV49rcdCoYom+vXAn4RElJJIqse9BHde1tBwzne5KW0+tOQvuJzzmAZylB9Nt6caYopOD TfA8sUFfU1cip06hCWDOTFNoN5/48svbH3jtf80DmJZuC1Gf5q+6/eXtfv7iKU5dMaV51e0v57x4 opTTg6omgGalXKpDlY+PS7YpZh6An5aBGqWLfvqCr/f7JmRK9DsAmgk+MagDNT1nNq1r1+jEQV1P Z6nrkOibzVL/2Q4rOk9UyqVZAFNw5zzRA7AAdQy1bb3oQImOq25/uf/B1/5XE27sxLlUUF/wTHRQ WjT7/YsFg43Isc4nb385qzmIMiY28KtCXchOwf612SLUhetC3gYTJCO233tQg+opmF8rYhFqH/cT 2NYSgEBvz/nHmfZLD1ybUAPsKah+sdE3cdFAekHqkbwu0d/JPtTxUsP68ZKr88RAiQ4ACMOwAeBW A22hPnzy9pe3P/D73z4E4KB0W4h2MX/VV1/R7vcvh2F/U7hoIE3pBqTQMtS88Cwy9b6kB7k+1ODB BKcHI3qA0QDQ0EmPKQCejqQHGS2ozzkAEKQouWFqv3dp3zD5veXS+wSwtjBmAAB6YO3pSOrO9SLW ExLtIbcR75PlFB0vI9FJhgUA0AmpKCYMvFwmE0dJ059NdJ6oYb1PPBg8T7iQcCoMM7h4/2u+HcDM Dptbn7rjFX3f0H7/a749BqCNdK54TPnQA1D91B2v6PvEzu+VxLU+dccratKNICIZOvFRhbqYHYNa rA76z+2uH1pQiatVqIFaG0CbU1IoDSrlUrSfe9i4z293bRE9mjPa15e5r5ujB9k1qO+lGlQfATtf +0V91NaxDPWdxMRGAvR5It4vVf2/MnGeGCrRsf+Cb9cAnEy+Ofl15M7+Ex0AsP+CbzcAHDHUHKJR HTpy5yuag/zC/guY6EjY64/c+YpAuhFERERERLYNlegAgP3nt2YB7Eu2Ofl15K7xgZco2H9+axlu LDBDFNc5ctd4ddBf2n9+KwATHUlZPHLX+JR0I4iIiIiIJAy8RseaEE2ohU04fUJKiAaA26SbQbRJ fajf4hIdSelBzcUkIiIiIsqloRMdR742vto4r9UAHzcr5sjXxoPGea2jYGUNuWNx9u7xYJhf5Fqk iWnO3j3elm4EEREREZGU4Ss6AMzePe7ve9VyHSw3FxOGYROsrCE39DBsNQf41JWEtI5+vcbHyRIR ERFRru0ZeQsh6gjRQwgwRoghHf16bVX3gfx7YOQ9mke/Xhv+8Wny7c9C1Af92ImIiIiIsmakig4A OPqNWvu95y43wSeAiDn6jdrCe89dXgQwKd0Wyq2lq785WiXBqTCppuTWoau/WePj1oiIiIgo90ZO dADA1d+szb7vnJNT4BQWMYUwrEM9y7gi3BTKnx6AkZ/wUeDUlVG0Pv2ts5vSjSAiIiIickEiiQ4A CENMAWiDa0WI+PS3zl5979kn6+BTWMi++tUnzx5+yorGPMfQEkk0ERERERFlRWKJjqtPnr36l+Mn 6wBuTWqbNJirT54d/OX4yUMADkq3hXLj6DWtsxeS2FB4Komt5FLjmtbZbelGEBERERG5opD0kw4u Hv/WLPi404Fd2zqnkNS2Lh7/VgBOIyLzWte2zqkltTHut0OZv7Z1Tl26EURERERELkmsoiNybeuc xsWv+FYNHLDI4TQiMi/56RKcujKoFoCGdCOIiIiIiFyTeKIDAMJTHGhLuvbb56y+52Xf8gCclG4L ZVb9uu+c005yg5y6MpAegKnrvnPOyGujEBERERFljZFEx3XfOWf1opd+0wMQgMkOEdd955zli176 zb0A5qTbQpmz//p7zk1kXY64pKfRZdzU9fec25ZuBBERERGRi/aY2vD195y7XAAaBQCM3cOE6+85 1y8A89LvjZGpmL/+nnNnYYAD7y0tsff6e84NhvyYiYiIiIgyz0hFR+S6e871L3zxN6vgU0DEXHfP ufULX/zNMQCT0m2h1Gvd8N1z66Y2fopTV/px9IbvnutLN4KIiIiIyGVGEx0AcMN3z21e+KJvVAFM m34t2kYY1qGmEY3LNoRSrAXAM/oKnLqym/kb/s8rufgoEREREdEuEn+87Hbe/cJv+GCyY1s3fu+V BZPbf/cLvzEGJjtoOD0A1Ru/90qjC1+++4XfCMCnNW2ndeP3XpnYo3yJiIiIiLLM2Bodm934vVfW oe4KkwA9SPWgBq1E/eoB8EwnOWhH5qtpiIiIiIgyxPjUlbjwVOiBVQVibvzeK1ff9YKve+DTcKg/ PQDeTf/3Vcs2Xiw8xakrW2hB9QETTUREREREfbI2dSXyzud/nVMotnDzf7/K6NSVuHc+/+s1MNlB O+sB8G7+bztJDgB45/O/HoBTV+JaUH3AJAcRERER0QCsJzoA4B3PY7Jjs2Pft5foAIB3PI/JDtpW D4B37Pv2khwA8I7nMdER04LqAyY5iIiIiIgGZG2Njrhj33/VKkJ4CLGEEGCM/JEO7Nj3X7Ws+6Al /t4ZLkUPof0kB5BY+7MQLd0HTHIQEREREQ1BpKIj7u1n3e2DT2PB8R+cZ7WiI/L2s+5mdQ1FWgDq x39wnv0kB4C3n3V3AFZ0LAGYOv6D85jkICIiIiIaktXFSLdy/Afn1d9evRtgskPE8R+ct/r26t0e mOzIuxYA73hbcIAtm3N1wfzx9nl16UYQEREREaWdeKIDAI63z6vvLd+9DOCIdFvySA9ua3vLrK7J qUUA9bmubBXBqVOSry7u0Fz3vKZ0I4iIiIiIssCJRAcAzHXPm31b6WttAD64QKaIue55dd0HB6Xb QtYcPbHy6oZ0IwCgIDyNTtDeEyuv9qUbQURERESUFeJrdGy293e/VgOwAKAi3Rab5n74apE1Oray 93e/NgUmnPJg79wP3Rlg7/3drwXI1xodPQDe3A9fLbImChERERFRVok8dWUncz989XIYohaGWAxD IC/hkrkfvnohDOGFIVrSnwvDSHTCEGe7lOQAxD8T27EUhqgyyUFERERElDznKjripn/nriZyMo1i /kfnO1PREZn+nbvGAMyC63ZkySKA+vyPznfuqR7Tv3NXgHxUdByd/9H5TkwXIiIiIiLKIqcTHQAw /dy7PKhpFBXZlpg1/2P3Eh2R6efeVYdKeHAqS7rtn//x+bPSjdjO9HMzn+joAZia//H5gXRDiIiI iIiyzPlEBwD8xW/fNQaV7JgUbooxf/sTdxMdAPAXv31XDaoP+Aja9GkBqP/tT853eprEX/x2phMd i1B94FwlDRERERFR1qQi0RH58+fcmdlFMv/upxc4neiI/Plz7mwiJ9OJMuLQ3/30gqZ0I/rx58+5 M0D2Eh09AM2/++kFzlbSEBERERFlTaoSHQDwZ791ZyarOz7zs3QkOgDgz37rTlZ3uK8FoP6Zn13g dBVH3J/9VuYSHYsAGp/52QVt6YYQEREREeVJ6hIdkbc++04PGVq747O/SE+iI/LWZ9/ZANBEBits UqwHYPazv0hHFUfcW5+dmURHB0Djs7+4YEG6IUREREREeZTaRAcAvOXMO8YANHSkerD9uXtfk7pE B7DWB3wyixsWATQ+d+9r2tINGcZbzrwjQPoTHYcAzH7u3tdwLQ4iIiIiIiGpTnRE3vqsO6pQlQWp HWx/9r50Jjoib33WHR5UH6R9oJpGLQCNz973mkC6IaN467PuCJDe/WcRqg/a0g0hIiIiIsq7TCQ6 Im8ZS+9g+3Or6U50RN4ydscUVIVHJqYUOa4DoPm51df40g1JwlvG7giQvmN3CaoPAumGEBERERGR kqlER+RPi1/1kLKEx9/3fj8TiY7Inxa/WofqAyY8ktcB0Pz73u/70g1J0p8WvxogPcfsElQfBNIN ISIiIiKijTKZ6Ii8+ZnpSXh8/v5sJToib34mEx4J6gBofv7+bCU4Im9+ZioSHUtQfRBIN4SIiIiI iLaW6URH5M3P+GoNasFSZ9fw+PwD2Ux0RN78jK9OQfWB6wNZFy0B8D//QDYTHJE3P8PpRMc8VB8E 0g0hIiIiIqKd5SLREfmT37i9CqCuw6kKg3946LWZTnRE/uQ3bo+STlNI+ZNyLJgHMPsPD712Wboh NvzJb9wewK1ERw/qEdaz//DQa9uyTSEiIiIion7lKtER98dPu30KKuExKdwUAMAXfpmPREfkj592 +xhUsqMBYFy4OS5pQQ2u/S/88rW5ekTpHz/NmUTHIoCFL/zytb50Q4iIiIiIaHC5TXRE/ujXbx/D epWH2ID7iw/nK9ER90e/7m6ljSUdAAsA/C8+nI/qja380a+LJjqiBNPCFx9m9QYRERERUZrlPtER 96anfqUKVWXgwXKlx5ce/YPcJjri3vTUr9Sg+mAK2a70aAEIAPhfevQPcpvciHvTU78SwG6iYwkq wbTwpUf/oG3xdYmIiIiIyCAmOrbxh0/5yhhUwiNKfBitNPjHx5jo2OwPn/KVKtRn7yH9a3r0oBIb CwCCf3yMA+vN/vApxhMdHWzsg1xNDSIiIiIiygsmOvr0pid/pQqgBjXoriHhAdmXHmeiYzdvevJX atjYBy5XfESD6mUAwZceZ9XGbt705MQTHVHVTNQH7QS3TUREREREjmKiYwRvfNKXo4F3FWrwXcWQ lR+3/Op1THQM4Y1P+rKH9T6I+sNm5UcPaiC9DKAd/fMtv3odqwUG9MYnfTnAcImODtRnH+g/27f8 6nVBQs0iIiIiIqKUYaLDgDfu+XIVauAdBTb9c9wEANxyiomOJL1xz5drAMagEh9j+j/H/zkyho2V IS0Am5MUq1AJjA3/fMspDqaT9MY9a4mO3fqgrWP1llOvY6UMERERERFt8P8B7iH0YENAiDsAAAAA SUVORK5CYII= + mediatype: image/png + install: + spec: + clusterPermissions: + - rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - daemonsets + - deployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch + - apiGroups: + - batch + resources: + - cronjobs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - batch + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch + - apiGroups: + - batch + resources: + - jobs + verbs: + - deletecollection + - apiGroups: + - cert-manager.io + resources: + - certificates + - issuers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - namespaces + - nodes + - pods + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - apiGroups: + - "" + resources: + - services + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - k8s.mondoo.com + resources: + - mondooauditconfigs + verbs: + - get + - list + - update + - watch + - apiGroups: + - k8s.mondoo.com + resources: + - mondooauditconfigs/finalizers + verbs: + - update + - apiGroups: + - k8s.mondoo.com + resources: + - mondooauditconfigs/status + verbs: + - get + - patch + - update + - apiGroups: + - k8s.mondoo.com + resources: + - mondoooperatorconfigs + verbs: + - get + - list + - watch + - apiGroups: + - k8s.mondoo.com + resources: + - mondoooperatorconfigs/finalizers + verbs: + - update + - apiGroups: + - k8s.mondoo.com + resources: + - mondoooperatorconfigs/status + verbs: + - get + - patch + - update + - apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + serviceAccountName: mondoo-operator-controller-manager + deployments: + - label: + app.kubernetes.io/name: mondoo-operator + name: mondoo-operator-controller-manager + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: mondoo-operator + strategy: {} + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + app.kubernetes.io/name: mondoo-operator + spec: + containers: + - args: + - operator + - --health-probe-bind-address=:8081 + - --metrics-bind-address=:8080 + - --leader-elect + command: + - /mondoo-operator + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: ghcr.io/mondoohq/mondoo-operator:v11.4.2 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + ports: + - containerPort: 8080 + name: metrics + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 200m + memory: 140Mi + requests: + cpu: 100m + memory: 70Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + securityContext: + runAsNonRoot: true + serviceAccountName: mondoo-operator-controller-manager + terminationGracePeriodSeconds: 10 + permissions: + - rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + serviceAccountName: mondoo-operator-controller-manager + strategy: deployment + installModes: + - supported: false + type: OwnNamespace + - supported: false + type: SingleNamespace + - supported: false + type: MultiNamespace + - supported: true + type: AllNamespaces + keywords: + - policy-as-code + - CIS + - NSA + - admission + links: + - name: Mondoo + url: https://mondoo.com + maintainers: + - email: hello@mondoo.com + name: Mondoo + maturity: alpha + provider: + name: Mondoo, Inc + version: 11.4.2 + replaces: mondoo-operator.v11.4.1 diff --git a/operators/mondoo-operator/11.4.2/metadata/annotations.yaml b/operators/mondoo-operator/11.4.2/metadata/annotations.yaml new file mode 100644 index 00000000000..66319569570 --- /dev/null +++ b/operators/mondoo-operator/11.4.2/metadata/annotations.yaml @@ -0,0 +1,14 @@ +annotations: + # Core bundle annotations. + operators.operatorframework.io.bundle.mediatype.v1: registry+v1 + operators.operatorframework.io.bundle.manifests.v1: manifests/ + operators.operatorframework.io.bundle.metadata.v1: metadata/ + operators.operatorframework.io.bundle.package.v1: mondoo-operator + operators.operatorframework.io.bundle.channels.v1: stable-v1 + operators.operatorframework.io.metrics.builder: operator-sdk-v1.37.0 + operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 + operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v4 + + # Annotations for testing. + operators.operatorframework.io.test.mediatype.v1: scorecard+v1 + operators.operatorframework.io.test.config.v1: tests/scorecard/ diff --git a/operators/mondoo-operator/11.4.2/tests/scorecard/config.yaml b/operators/mondoo-operator/11.4.2/tests/scorecard/config.yaml new file mode 100644 index 00000000000..14c9f7c3919 --- /dev/null +++ b/operators/mondoo-operator/11.4.2/tests/scorecard/config.yaml @@ -0,0 +1,70 @@ +apiVersion: scorecard.operatorframework.io/v1alpha3 +kind: Configuration +metadata: + name: config +stages: +- parallel: true + tests: + - entrypoint: + - scorecard-test + - basic-check-spec + image: quay.io/operator-framework/scorecard-test:v1.15.0 + labels: + suite: basic + test: basic-check-spec-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-bundle-validation + image: quay.io/operator-framework/scorecard-test:v1.15.0 + labels: + suite: olm + test: olm-bundle-validation-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-crds-have-validation + image: quay.io/operator-framework/scorecard-test:v1.15.0 + labels: + suite: olm + test: olm-crds-have-validation-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-crds-have-resources + image: quay.io/operator-framework/scorecard-test:v1.15.0 + labels: + suite: olm + test: olm-crds-have-resources-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-spec-descriptors + image: quay.io/operator-framework/scorecard-test:v1.15.0 + labels: + suite: olm + test: olm-spec-descriptors-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-status-descriptors + image: quay.io/operator-framework/scorecard-test:v1.15.0 + labels: + suite: olm + test: olm-status-descriptors-test + storage: + spec: + mountPath: {} +storage: + spec: + mountPath: {}