⭐️ cnspec v9 (#873)

* integrate cnspec v9

Signed-off-by: Ivan Milchev <[email protected]>

* more v9 fixes

Signed-off-by: Ivan Milchev <[email protected]>

* use latest beta

Signed-off-by: Ivan Milchev <[email protected]>

* handle http timeouts for scanapiclient and remove derecated k8s/utils/pointer usages

Signed-off-by: Ivan Milchev <[email protected]>

* always set score-threshold

Signed-off-by: Ivan Milchev <[email protected]>

* fix providertype issues

Signed-off-by: Ivan Milchev <[email protected]>

* ignore autogenerated files for copyright check

Signed-off-by: Ivan Milchev <[email protected]>

* fix tests

Signed-off-by: Ivan Milchev <[email protected]>

* increase scan api default memory limit

Signed-off-by: Ivan Milchev <[email protected]>

* update cnspec v9 version

Signed-off-by: Ivan Milchev <[email protected]>

* fix more broken tests

Signed-off-by: Ivan Milchev <[email protected]>

* do not log errors when cert manager is not installed

Signed-off-by: Ivan Milchev <[email protected]>

* switch to beta15

Signed-off-by: Ivan Milchev <[email protected]>

* push debug config

Signed-off-by: Ivan Milchev <[email protected]>

* update v9 version

Signed-off-by: Ivan Milchev <[email protected]>

* increase container scan limits

Signed-off-by: Ivan Milchev <[email protected]>

---------

Signed-off-by: Ivan Milchev <[email protected]>

.copywrite.hcl

@@ -15,5 +15,6 @@ project {
     "**/*_string.go",
     "charts/mondoo-operator/**",
     "config/**/*.yaml",
+    "controllers/admission/webhook-manifests.yaml",
   ]
 }

.vscode/launch.json

@@ -22,7 +22,19 @@
             "program": "${workspaceRoot}/cmd/mondoo-operator/main.go",
             "args": ["operator"],
             "env": {
-                "MONDOO_NAMESPACE_OVERRIDE": "mondoo-operator"
+                "MONDOO_NAMESPACE_OVERRIDE": "mondoo-operator",
+            }
+        },
+        {
+            "name": "operator v9",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceRoot}/cmd/mondoo-operator/main.go",
+            "args": ["operator"],
+            "env": {
+                "MONDOO_NAMESPACE_OVERRIDE": "mondoo-operator",
+                "FEATURE_ENABLE_V9": "1"
             }
         },
         {

Makefile

@@ -405,15 +405,13 @@ prep/tools/ranger:
 
 prep/repos:
 	test -x cnquery || git clone https://github.com/mondoohq/cnquery.git
-# workaround for now. Needs to be removed as we move to v9
-	cd cnquery && git fetch && git checkout v8
+	cd cnquery && git fetch && git checkout main
 	test -x cnspec || git clone https://github.com/mondoohq/cnspec.git
-	cd cnspec && git fetch && git checkout v8
+	cd cnspec && git fetch && git checkout main
 
 prep/repos/update: prep/repos
-# workaround for now. Needs to be removed as we move to v9
-	cd cnquery; git fetch; git checkout v8 && git pull; cd -;
-	cd cnspec; git checkout v8 && git pull; cd -;
+	cd cnquery; git fetch; git checkout main && git pull; cd -;
+	cd cnspec; git checkout main && git pull; cd -;
 
 prep/ci/protoc:
 	curl -LO https://github.com/protocolbuffers/protobuf/releases/download/v${PROTO_VERSION}/protoc-${PROTO_VERSION}-linux-x86_64.zip

cmd/mondoo-operator/garbage_collect/cmd.go

@@ -13,10 +13,10 @@ import (
 
 	"github.com/go-logr/logr"
 	"github.com/spf13/cobra"
-	"go.mondoo.com/cnquery/motor/providers"
 	"go.mondoo.com/cnspec/policy/scan"
 	"go.mondoo.com/mondoo-operator/pkg/client/scanapiclient"
 	"go.mondoo.com/mondoo-operator/pkg/utils/logger"
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
@@ -73,6 +73,7 @@ func init() {
 		client, err := scanapiclient.NewClient(scanapiclient.ScanApiClientOptions{
 			ApiEndpoint: *scanApiUrl,
 			Token:       token,
+			HttpTimeout: ptr.To(time.Duration((*timeout)) * time.Minute),
 		})
 		if err != nil {
 			return err
@@ -108,7 +109,7 @@ func GarbageCollectCmd(ctx context.Context, client scanapiclient.ScanApiClient,
 
 	if platformRuntime != "" {
 		switch platformRuntime {
-		case providers.RUNTIME_KUBERNETES_CLUSTER, providers.RUNTIME_DOCKER_IMAGE:
+		case "k8s", "docker-image":
 			gcOpts.PlatformRuntime = platformRuntime
 		default:
 			return fmt.Errorf("no matching platform runtime found for (%s)", platformRuntime)

cmd/mondoo-operator/k8s_scan/cmd.go

@@ -12,10 +12,10 @@ import (
 	"time"
 
 	"github.com/spf13/cobra"
-	"go.mondoo.com/cnquery/motor/providers"
 	"go.mondoo.com/mondoo-operator/cmd/mondoo-operator/garbage_collect"
 	"go.mondoo.com/mondoo-operator/pkg/client/scanapiclient"
 	"go.mondoo.com/mondoo-operator/pkg/utils/logger"
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
@@ -59,6 +59,7 @@ func init() {
 		client, err := scanapiclient.NewClient(scanapiclient.ScanApiClientOptions{
 			ApiEndpoint: *scanApiUrl,
 			Token:       token,
+			HttpTimeout: ptr.To(time.Duration((*timeout)) * time.Minute),
 		})
 		if err != nil {
 			return err
@@ -95,9 +96,9 @@ func init() {
 
 		// If scanning successful, now attempt some cleanup of older assets
 		if *setManagedBy != "" && *cleanupOlderThan != "" {
-			platformRuntime := providers.RUNTIME_KUBERNETES_CLUSTER
+			platformRuntime := "k8s"
 			if *scanContainerImages {
-				platformRuntime = providers.RUNTIME_DOCKER_IMAGE
+				platformRuntime = "docker-image"
 			}
 
 			err = garbage_collect.GarbageCollectCmd(ctx, client, platformRuntime, *cleanupOlderThan, *setManagedBy, make(map[string]string), logger)

cmd/mondoo-operator/operator/cmd.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/go-logr/logr"
 	"github.com/spf13/cobra"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
@@ -37,6 +38,7 @@ import (
 	"go.mondoo.com/mondoo-operator/pkg/utils/logger"
 	"go.mondoo.com/mondoo-operator/pkg/utils/mondoo"
 	"go.mondoo.com/mondoo-operator/pkg/version"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	//+kubebuilder:scaffold:imports
 )
 
@@ -67,15 +69,19 @@ func init() {
 
 		mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 			Scheme:                 scheme,
-			MetricsBindAddress:     *metricsAddr,
-			Port:                   9443,
+			Metrics:                metricsserver.Options{BindAddress: *metricsAddr},
+			WebhookServer:          webhook.NewServer(webhook.Options{Port: 9443}),
 			HealthProbeBindAddress: *probeAddr,
 			LeaderElection:         *enableLeaderElection,
 			LeaderElectionID:       "60679458.mondoo.com",
-			ClientDisableCacheFor: []client.Object{
-				// Don't cache so we can do a Get() on a Secret without a background List()
-				// trying to cache things we don't have access to
-				&corev1.Secret{},
+			Client: client.Options{
+				Cache: &client.CacheOptions{
+					DisableFor: []client.Object{
+						// Don't cache so we can do a Get() on a Secret without a background List()
+						// trying to cache things we don't have access to
+						&corev1.Secret{},
+					},
+				},
 			},
 		})
 		if err != nil {

config/crd/bases/k8s.mondoo.com_mondooauditconfigs.yaml

@@ -1,6 +1,3 @@
-# Copyright (c) Mondoo, Inc.
-# SPDX-License-Identifier: BUSL-1.1
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
@@ -104,7 +101,8 @@ spec:
                         description: "Claims lists the names of resources, defined
                           in spec.resourceClaims, that are used by this container.
                           \n This is an alpha field and requires enabling the DynamicResourceAllocation
-                          feature gate. \n This field is immutable."
+                          feature gate. \n This field is immutable. It can only be
+                          set for containers."
                         items:
                           description: ResourceClaim references one entry in PodSpec.ResourceClaims.
                           properties:
@@ -141,7 +139,8 @@ spec:
                         description: 'Requests describes the minimum amount of compute
                           resources required. If Requests is omitted for a container,
                           it defaults to Limits if that is explicitly specified, otherwise
-                          to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                          to an implementation-defined value. Requests cannot exceed
+                          Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                         type: object
                     type: object
                 type: object
@@ -211,7 +210,8 @@ spec:
                         description: "Claims lists the names of resources, defined
                           in spec.resourceClaims, that are used by this container.
                           \n This is an alpha field and requires enabling the DynamicResourceAllocation
-                          feature gate. \n This field is immutable."
+                          feature gate. \n This field is immutable. It can only be
+                          set for containers."
                         items:
                           description: ResourceClaim references one entry in PodSpec.ResourceClaims.
                           properties:
@@ -248,7 +248,8 @@ spec:
                         description: 'Requests describes the minimum amount of compute
                           resources required. If Requests is omitted for a container,
                           it defaults to Limits if that is explicitly specified, otherwise
-                          to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                          to an implementation-defined value. Requests cannot exceed
+                          Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                         type: object
                     type: object
                 type: object
@@ -407,7 +408,8 @@ spec:
                         description: "Claims lists the names of resources, defined
                           in spec.resourceClaims, that are used by this container.
                           \n This is an alpha field and requires enabling the DynamicResourceAllocation
-                          feature gate. \n This field is immutable."
+                          feature gate. \n This field is immutable. It can only be
+                          set for containers."
                         items:
                           description: ResourceClaim references one entry in PodSpec.ResourceClaims.
                           properties:
@@ -444,7 +446,8 @@ spec:
                         description: 'Requests describes the minimum amount of compute
                           resources required. If Requests is omitted for a container,
                           it defaults to Limits if that is explicitly specified, otherwise
-                          to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                          to an implementation-defined value. Requests cannot exceed
+                          Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                         type: object
                     type: object
                   serviceAccountName:

config/crd/bases/k8s.mondoo.com_mondoooperatorconfigs.yaml

@@ -1,6 +1,3 @@
-# Copyright (c) Mondoo, Inc.
-# SPDX-License-Identifier: BUSL-1.1
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition

controllers/admission/cert-manager.go

@@ -6,16 +6,18 @@ package admission
 import (
 	"context"
 	_ "embed"
+	"errors"
 	"fmt"
 	"reflect"
 
 	"go.mondoo.com/mondoo-operator/api/v1alpha2"
 	"go.mondoo.com/mondoo-operator/pkg/utils/k8s"
-	"k8s.io/apimachinery/pkg/api/errors"
+	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
 
 	certmanagerv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
 	certmanagerrefv1 "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
@@ -66,6 +68,11 @@ func (c *CertManagerHandler) Cleanup(ctx context.Context) error {
 	}
 
 	if err := k8s.DeleteIfExists(ctx, c.KubeClient, certificate); err != nil {
+		// If the resource discovery failed, we assume that cert-manager is not installed
+		var discoveryErr *apiutil.ErrResourceDiscoveryFailed
+		if errors.As(err, &discoveryErr) {
+			return nil
+		}
 		certManagerLog.Error(err, "Failed to clean up cert-manager Certificate resource")
 		return err
 	}
@@ -106,7 +113,7 @@ func (c *CertManagerHandler) syncCertManagerIssuer(ctx context.Context) error {
 	}
 
 	if err := c.KubeClient.Get(ctx, client.ObjectKeyFromObject(issuer), issuer); err != nil {
-		if errors.IsNotFound(err) {
+		if kerrors.IsNotFound(err) {
 			issuer.Spec = issuerSpec
 			if err := c.KubeClient.Create(ctx, issuer); err != nil {
 				webhookLog.Error(err, "Failed to create cert-manager Issuer resource")
@@ -158,7 +165,7 @@ func (c *CertManagerHandler) syncCertManagerCertificate(ctx context.Context) err
 	}
 
 	if err := c.KubeClient.Get(ctx, client.ObjectKeyFromObject(certificate), certificate); err != nil {
-		if errors.IsNotFound(err) {
+		if kerrors.IsNotFound(err) {
 			certificate.Spec = certificateSpec
 			if err := c.KubeClient.Create(ctx, certificate); err != nil {
 				webhookLog.Error(err, "Failed to create cert-manager Certificate resource")

controllers/admission/deployment_handler.go

@@ -18,7 +18,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	yamlutil "k8s.io/apimachinery/pkg/util/yaml"
 	"k8s.io/client-go/kubernetes/scheme"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -63,7 +63,7 @@ func (n *DeploymentHandler) syncValidatingWebhookConfiguration(ctx context.Conte
 		vwc.Webhooks[i].ClientConfig.Service.Namespace = n.Mondoo.Namespace
 
 		if vwc.Webhooks[i].ClientConfig.Service.Port == nil {
-			vwc.Webhooks[i].ClientConfig.Service.Port = pointer.Int32(443)
+			vwc.Webhooks[i].ClientConfig.Service.Port = ptr.To(int32(443))
 		}
 	}
 

controllers/admission/deployment_handler_test.go

@@ -20,7 +20,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	scheme "k8s.io/client-go/kubernetes/scheme"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 
@@ -96,7 +96,7 @@ func TestReconcile(t *testing.T) {
 					Spec: mondoov1alpha2.MondooAuditConfigSpec{
 						Admission: mondoov1alpha2.Admission{
 							Mode:     mondoov1alpha2.Enforcing,
-							Replicas: pointer.Int32(1),
+							Replicas: ptr.To(int32(1)),
 						},
 					},
 				}
@@ -146,7 +146,7 @@ func TestReconcile(t *testing.T) {
 				err := kubeClient.Get(context.TODO(), deploymentKey, deployment)
 				require.NoError(t, err, "expected Admission Deployment to exist")
 
-				assert.Equal(t, deployment.Spec.Replicas, pointer.Int32(1))
+				assert.Equal(t, deployment.Spec.Replicas, ptr.To(int32(1)))
 				assert.Contains(t, deployment.Spec.Template.Spec.Containers[0].Args, string(mondoov1alpha2.Enforcing), "expected Webhook mode to be set to 'enforcing'")
 
 				vwcName, err := validatingWebhookName(&mondoov1alpha2.MondooAuditConfig{
@@ -173,7 +173,7 @@ func TestReconcile(t *testing.T) {
 			mondooAuditConfigSpec: func() mondoov1alpha2.MondooAuditConfigSpec {
 				mac := testMondooAuditConfigSpec(true, false)
 				mac.Admission.Mode = mondoov1alpha2.Enforcing
-				mac.Admission.Replicas = pointer.Int32(2)
+				mac.Admission.Replicas = ptr.To(int32(2))
 				return mac
 			}(),
 			validate: func(t *testing.T, kubeClient client.Client) {
@@ -182,7 +182,7 @@ func TestReconcile(t *testing.T) {
 				err := kubeClient.Get(context.TODO(), deploymentKey, deployment)
 				require.NoError(t, err, "expected Admission Deployment to exist")
 
-				assert.Equal(t, deployment.Spec.Replicas, pointer.Int32(2))
+				assert.Equal(t, deployment.Spec.Replicas, ptr.To(int32(2)))
 			},
 		},
 		{
@@ -298,7 +298,7 @@ func TestReconcile(t *testing.T) {
 				err := kubeClient.Get(context.TODO(), deploymentKey, deployment)
 				require.NoError(t, err, "expected Admission Deployment to exist")
 
-				assert.Equal(t, deployment.Spec.Replicas, pointer.Int32(1))
+				assert.Equal(t, deployment.Spec.Replicas, ptr.To(int32(1)))
 				assert.Contains(t, deployment.Spec.Template.Spec.Containers[0].Args, string(mondoov1alpha2.Permissive), "expected Webhook mode to be set to 'permissive'")
 			},
 		},
@@ -307,7 +307,7 @@ func TestReconcile(t *testing.T) {
 			mondooAuditConfigSpec: func() mondoov1alpha2.MondooAuditConfigSpec {
 				mac := testMondooAuditConfigSpec(true, false)
 				mac.Admission.Mode = mondoov1alpha2.Permissive
-				mac.Admission.Replicas = pointer.Int32(3)
+				mac.Admission.Replicas = ptr.To(int32(3))
 				return mac
 			}(),
 			validate: func(t *testing.T, kubeClient client.Client) {
@@ -316,7 +316,7 @@ func TestReconcile(t *testing.T) {
 				err := kubeClient.Get(context.TODO(), deploymentKey, deployment)
 				require.NoError(t, err, "expected Admission Deployment to exist")
 
-				assert.Equal(t, deployment.Spec.Replicas, pointer.Int32(3))
+				assert.Equal(t, ptr.To(int32(3)), deployment.Spec.Replicas)
 				assert.Contains(t, deployment.Spec.Template.Spec.Containers[0].Args, string(mondoov1alpha2.Permissive), "expected Webhook mode to be set to 'permissive'")
 			},
 		},
@@ -478,7 +478,10 @@ func TestReconcile(t *testing.T) {
 			if test.existingObjects != nil {
 				existingObj = append(existingObj, test.existingObjects(*auditConfig)...)
 			}
-			fakeClient := fake.NewClientBuilder().WithObjects(existingObj...).Build()
+			fakeClient := fake.NewClientBuilder().
+				WithStatusSubresource(existingObj...).
+				WithObjects(existingObj...).
+				Build()
 
 			webhooks := &DeploymentHandler{
 				Mondoo:                 auditConfig,
@@ -544,7 +547,7 @@ func testMondooAuditConfigSpec(admissionEnabled, integrationEnabled bool) mondoo
 	return mondoov1alpha2.MondooAuditConfigSpec{
 		Admission: mondoov1alpha2.Admission{
 			Enable:   admissionEnabled,
-			Replicas: pointer.Int32(1),
+			Replicas: ptr.To(int32(1)),
 		},
 		ConsoleIntegration: mondoov1alpha2.ConsoleIntegration{
 			Enable: integrationEnabled,