From 44424052fecea79dbe4e4955b97618de778e745f Mon Sep 17 00:00:00 2001 From: Thomas Way Date: Sun, 31 Mar 2024 00:43:57 +0000 Subject: [PATCH] chore(k8s/amour): trivy operator --- k8s/amour/BUILD.bazel | 1 + k8s/amour/list.cue | 2 + k8s/amour/trivy_system/BUILD.bazel | 29 + k8s/amour/trivy_system/README.md | 5 + .../cluster_role_binding_list.cue | 25 + k8s/amour/trivy_system/cluster_role_list.cue | 217 ++ k8s/amour/trivy_system/config_map_list.cue | 151 + .../custom_resource_definition_list.cue | 3180 +++++++++++++++++ k8s/amour/trivy_system/deployment_list.cue | 98 + k8s/amour/trivy_system/list.cue | 45 + k8s/amour/trivy_system/namespace_list.cue | 19 + k8s/amour/trivy_system/role_binding_list.cue | 35 + k8s/amour/trivy_system/role_list.cue | 35 + k8s/amour/trivy_system/secret_list.cue | 14 + .../trivy_system/service_account_list.cue | 14 + k8s/amour/trivy_system/service_list.cue | 23 + .../trivy_system/vm_service_scrape_list.cue | 19 + 17 files changed, 3912 insertions(+) create mode 100644 k8s/amour/trivy_system/BUILD.bazel create mode 100644 k8s/amour/trivy_system/README.md create mode 100644 k8s/amour/trivy_system/cluster_role_binding_list.cue create mode 100644 k8s/amour/trivy_system/cluster_role_list.cue create mode 100644 k8s/amour/trivy_system/config_map_list.cue create mode 100644 k8s/amour/trivy_system/custom_resource_definition_list.cue create mode 100644 k8s/amour/trivy_system/deployment_list.cue create mode 100644 k8s/amour/trivy_system/list.cue create mode 100644 k8s/amour/trivy_system/namespace_list.cue create mode 100644 k8s/amour/trivy_system/role_binding_list.cue create mode 100644 k8s/amour/trivy_system/role_list.cue create mode 100644 k8s/amour/trivy_system/secret_list.cue create mode 100644 k8s/amour/trivy_system/service_account_list.cue create mode 100644 k8s/amour/trivy_system/service_list.cue create mode 100644 k8s/amour/trivy_system/vm_service_scrape_list.cue 
diff --git a/k8s/amour/BUILD.bazel b/k8s/amour/BUILD.bazel
index 5d1342788..31dedea0e 100644
--- a/k8s/amour/BUILD.bazel
+++ b/k8s/amour/BUILD.bazel
@@ -48,6 +48,7 @@ cue_export(
 "//k8s/amour/speedtest_exporter:cue_speedtest_exporter_library",
 "//k8s/amour/tailscale:cue_tailscale_library",
 "//k8s/amour/thomas:cue_thomas_library",
+ "//k8s/amour/trivy_system:cue_trivy_system_library",
 "//k8s/amour/vm:cue_vm_library",
 "//k8s/amour/vm_operator:cue_vm_operator_library",
 "//k8s/amour/volsync_system:cue_volsync_system_library",
diff --git a/k8s/amour/list.cue b/k8s/amour/list.cue
index e3e6af96e..252fa8f85 100644
--- a/k8s/amour/list.cue
+++ b/k8s/amour/list.cue
@@ -29,6 +29,7 @@ import (
 "github.com/uhthomas/automata/k8s/amour/speedtest_exporter"
 "github.com/uhthomas/automata/k8s/amour/tailscale"
 "github.com/uhthomas/automata/k8s/amour/thomas"
+ "github.com/uhthomas/automata/k8s/amour/trivy_system"
 "github.com/uhthomas/automata/k8s/amour/vm_operator"
 "github.com/uhthomas/automata/k8s/amour/vm"
 "github.com/uhthomas/automata/k8s/amour/volsync_system"
@@ -86,6 +87,7 @@ _items: [
 speedtest_exporter.#List.items,
 tailscale.#List.items,
 thomas.#List.items,
+ trivy_system.#List.items,
 vm_operator.#List.items,
 vm.#List.items,
 volsync_system.#List.items,
diff --git a/k8s/amour/trivy_system/BUILD.bazel b/k8s/amour/trivy_system/BUILD.bazel
new file mode 100644
index 000000000..e27dfc5c7
--- /dev/null
+++ b/k8s/amour/trivy_system/BUILD.bazel
@@ -0,0 +1,29 @@
+load("@com_github_tnarg_rules_cue//cue:cue.bzl", "cue_library")
+
+cue_library(
+ name = "cue_trivy_system_library",
+ srcs = [
+ "cluster_role_binding_list.cue",
+ "cluster_role_list.cue",
+ "config_map_list.cue",
+ "custom_resource_definition_list.cue",
+ "deployment_list.cue",
+ "list.cue",
+ "namespace_list.cue",
+ "role_binding_list.cue",
+ "role_list.cue",
+ "secret_list.cue",
+ "service_account_list.cue",
+ "service_list.cue",
+ "vm_service_scrape_list.cue",
+ ],
+ importpath = "github.com/uhthomas/automata/k8s/amour/trivy_system",
+ visibility = ["//visibility:public"],
+ deps = [
+ "//cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1:cue_v1beta1_library",
+ "//cue.mod/gen/k8s.io/api/apps/v1:cue_v1_library",
+ "//cue.mod/gen/k8s.io/api/core/v1:cue_v1_library",
+ "//cue.mod/gen/k8s.io/api/rbac/v1:cue_v1_library",
+ "//cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1:cue_v1_library",
+ ],
+)
diff --git a/k8s/amour/trivy_system/README.md b/k8s/amour/trivy_system/README.md
new file mode 100644
index 000000000..b2f42b4e1
--- /dev/null
+++ b/k8s/amour/trivy_system/README.md
@@ -0,0 +1,5 @@
+# Trivy Operator
+
+[https://github.com/aquasecurity/trivy-operator](https://github.com/aquasecurity/trivy-operator)
+
+[Installation Instructions](https://aquasecurity.github.io/trivy-operator/latest/getting-started/installation/kubectl/)
diff --git a/k8s/amour/trivy_system/cluster_role_binding_list.cue b/k8s/amour/trivy_system/cluster_role_binding_list.cue
new file mode 100644
index 000000000..fd222a467
--- /dev/null
+++ b/k8s/amour/trivy_system/cluster_role_binding_list.cue
@@ -0,0 +1,25 @@
+package trivy_system
+
+import rbacv1 "k8s.io/api/rbac/v1"
+
+#ClusterRoleBindingList: rbacv1.#ClusterRoleBindingList & {
+ apiVersion: "rbac.authorization.k8s.io/v1"
+ kind: "ClusterRoleBindingList"
+ items: [...{
+ apiVersion: "rbac.authorization.k8s.io/v1"
+ kind: "ClusterRoleBinding"
+ }]
+}
+
+#ClusterRoleBindingList: items: [{
+ roleRef: {
+ apiGroup: "rbac.authorization.k8s.io"
+ kind: "ClusterRole"
+ name: #Name
+ }
+ subjects: [{
+ name: #Name
+ namespace: #Namespace
+ kind: rbacv1.#ServiceAccountKind
+ }]
+}]
diff --git a/k8s/amour/trivy_system/cluster_role_list.cue b/k8s/amour/trivy_system/cluster_role_list.cue
new file mode 100644
index 000000000..958e0b37d
--- /dev/null
+++ b/k8s/amour/trivy_system/cluster_role_list.cue
@@ -0,0 +1,217 @@
+package trivy_system
+
+import rbacv1 "k8s.io/api/rbac/v1"
+
+#ClusterRoleList: rbacv1.#ClusterRoleList & {
+ apiVersion: "rbac.authorization.k8s.io/v1"
+ kind: "ClusterRoleList"
+ items: [...{
+ apiVersion: "rbac.authorization.k8s.io/v1"
+ kind: "ClusterRole"
+ }]
+}
+
+#ClusterRoleList: items: [{
+ rules: [{
+ apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: [""]
+ resources: ["limitranges"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: [""]
+ resources: ["pods/log"]
+ verbs: ["get", "list"]
+ }, {
+ apiGroups: [""]
+ resources: ["replicationcontrollers"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: [""]
+ resources: ["resourcequotas"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: [""]
+ resources: ["services"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: ["apps"]
+ resources: ["daemonsets"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: ["apps"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: ["apps"]
+ resources: ["statefulsets"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: ["apps.openshift.io"]
+ resources: ["deploymentconfigs"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: ["aquasecurity.github.io"]
+ resources: ["clustercompliancedetailreports"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+ }, {
+ apiGroups: ["aquasecurity.github.io"]
+ resources: ["clustercompliancereports"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+ }, {
+ apiGroups: ["aquasecurity.github.io"]
+ resources: ["clustercompliancereports/status"]
+ verbs: ["get", "patch", "update"]
+ }, {
+ apiGroups: ["aquasecurity.github.io"]
+ resources: ["clusterconfigauditreports"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+ }, {
+ apiGroups: ["aquasecurity.github.io"]
+ resources: ["clusterinfraassessmentreports"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+ }, {
+ apiGroups: ["aquasecurity.github.io"]
+ resources: ["clusterrbacassessmentreports"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+ }, {
+ apiGroups: ["aquasecurity.github.io"]
+ resources: ["clustersbomreports"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+ }, {
+ apiGroups: ["aquasecurity.github.io"]
+ resources: ["clustervulnerabilityreports"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+ }, {
+ apiGroups: ["aquasecurity.github.io"]
+ resources: ["configauditreports"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+ }, {
+ apiGroups: ["aquasecurity.github.io"]
+ resources: ["exposedsecretreports"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+ }, {
+ apiGroups: ["aquasecurity.github.io"]
+ resources: ["infraassessmentreports"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+ }, {
+ apiGroups: ["aquasecurity.github.io"]
+ resources: ["rbacassessmentreports"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+ }, {
+ apiGroups: ["aquasecurity.github.io"]
+ resources: ["sbomreports"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+ }, {
+ apiGroups: ["aquasecurity.github.io"]
+ resources: ["vulnerabilityreports"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+ }, {
+ apiGroups: ["batch"]
+ resources: ["cronjobs"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["create", "delete", "get", "list", "watch"]
+ }, {
+ apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: ["networking.k8s.io"]
+ resources: ["networkpolicies"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterrolebindings"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterroles"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["rolebindings"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["roles"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create", "get", "update"]
+ }, {
+ apiGroups: [""]
+ resources: ["serviceaccounts"]
+ verbs: ["get"]
+ }, {
+ apiGroups: [""]
+ resources: ["nodes/proxy"]
+ verbs: ["get"]
+ }]
+}, {
+ metadata: {
+ name: "aggregate-config-audit-reports-view"
+ labels: {
+ "rbac.authorization.k8s.io/aggregate-to-view": "true"
+ "rbac.authorization.k8s.io/aggregate-to-edit": "true"
+ "rbac.authorization.k8s.io/aggregate-to-admin": "true"
+ "rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"
+ }
+ }
+ rules: [{
+ apiGroups: ["aquasecurity.github.io"]
+ resources: ["configauditreports"]
+ verbs: ["get", "list", "watch"]
+ }]
+}, {
+ metadata: {
+ name: "aggregate-exposed-secret-reports-view"
+ labels: {
+ "rbac.authorization.k8s.io/aggregate-to-view": "true"
+ "rbac.authorization.k8s.io/aggregate-to-edit": "true"
+ "rbac.authorization.k8s.io/aggregate-to-admin": "true"
+ "rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"
+ }
+ }
+ rules: [{
+ apiGroups: ["aquasecurity.github.io"]
+ resources: ["exposedsecretreports"]
+ verbs: ["get", "list", "watch"]
+ }]
+}, {
+ metadata: {
+ name: "aggregate-vulnerability-reports-view"
+ labels: {
+ "rbac.authorization.k8s.io/aggregate-to-view": "true"
+ "rbac.authorization.k8s.io/aggregate-to-edit": "true"
+ "rbac.authorization.k8s.io/aggregate-to-admin": "true"
+ "rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"
+ }
+ }
+ rules: [{
+ apiGroups: ["aquasecurity.github.io"]
+ resources: ["vulnerabilityreports"]
+ verbs: ["get", "list", "watch"]
+ }]
+}]
diff --git a/k8s/amour/trivy_system/config_map_list.cue b/k8s/amour/trivy_system/config_map_list.cue
new file mode 100644
index 000000000..5b2c8323e
--- /dev/null
+++ b/k8s/amour/trivy_system/config_map_list.cue
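Review bot: The first ClusterRole's `secrets` rule grants `create`, `get` and `update` on every Secret in the cluster with no `resourceNames` restriction, which is the widest grant in this hunk and deserves a recorded justification; the `pods/log` and `nodes/proxy` rules fall in the same category. The rules appear to mirror what the upstream trivy-operator manifest asks for, so the point is documentation rather than a change: add a comment above that rule such as `// Cluster-wide Secret read/write mirrors the upstream operator ClusterRole (presumably registry-credential lookup and scan-job secrets); re-check on each operator upgrade.` It would also help to record the upstream operator version these rules were copied from, since the README in this commit links only to the "latest" installation page. The first item carries no `metadata.name` in this hunk, so it appears to rely on a default set in list.cue, which is outside this chunk.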
@@ -0,0 +1,151 @@
+package trivy_system
+
+import (
+ "encoding/json"
+
+ "k8s.io/api/core/v1"
+)
+
+#ConfigMapList: v1.#ConfigMapList & {
+ apiVersion: "v1"
+ kind: "ConfigMapList"
+ items: [...{
+ apiVersion: "v1"
+ kind: "ConfigMap"
+ }]
+}
+
+#ConfigMapList: items: [{
+ data: {
+ "nodeCollector.volumes": json.Marshal([{
+ name: "var-lib-etcd"
+ hostPath: path: "/var/lib/etcd"
+ }, {
+ name: "var-lib-kubelet"
+ hostPath: path: "/var/lib/kubelet"
+ }, {
+ name: "var-lib-kube-scheduler"
+ hostPath: path: "/var/lib/kube-scheduler"
+ }, {
+ name: "var-lib-kube-controller-manager"
+ hostPath: path: "/var/lib/kube-controller-manager"
+ }, {
+ name: "etc-kubernetes"
+ hostPath: path: "/etc/kubernetes"
+ }, {
+ name: "etc-cni-netd"
+ hostPath: path: "/etc/cni/net.d/"
+ }])
+ "nodeCollector.volumeMounts": json.Marshal([{
+ name: "var-lib-etcd"
+ mountPath: "/var/lib/etcd"
+ readOnly: true
+ }, {
+ name: "var-lib-kubelet"
+ mountPath: "/var/lib/kubelet"
+ readOnly: true
+ }, {
+ name: "var-lib-kube-scheduler"
+ mountPath: "/var/lib/kube-scheduler"
+ readOnly: true
+ }, {
+ name: "var-lib-kube-controller-manager"
+ mountPath: "/var/lib/kube-controller-manager"
+ readOnly: true
+ }, {
+ name: "etc-kubernetes"
+ mountPath: "/etc/kubernetes"
+ readOnly: true
+ }, {
+ name: "etc-cni-netd"
+ mountPath: "/etc/cni/net.d/"
+ readOnly: true
+ }])
+ "scanJob.podTemplateContainerSecurityContext": json.Marshal({
+ allowPrivilegeEscalation: false
+ capabilities: drop: ["ALL"]
+ privileged: false
+ readOnlyRootFilesystem: true
+ })
+ "scanJob.compressLogs": "true"
+ "vulnerabilityReports.scanner": "Trivy"
+ "configAuditReports.scanner": "Trivy"
+ "compliance.failEntriesLimit": "10"
+ "report.recordFailedChecksOnly": "true"
+ "node.collector.imageRef": "ghcr.io/aquasecurity/node-collector:0.1.2"
+ "policies.bundle.oci.ref": "ghcr.io/aquasecurity/trivy-policies:0"
+ "node.collector.nodeSelector": "true"
+ }
+}, {
+ metadata: name: "\(#Name)-policies-config"
+}, {
+ metadata: name: "\(#Name)-config"
+ data: {
+ OPERATOR_LOG_DEV_MODE: "false"
+ OPERATOR_SCAN_JOB_TTL: ""
+ OPERATOR_SCAN_JOB_TIMEOUT: "5m"
+ OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT: "10"
+ OPERATOR_CONCURRENT_NODE_COLLECTOR_LIMIT: "1"
+ OPERATOR_SCAN_JOB_RETRY_AFTER: "30s"
+ OPERATOR_BATCH_DELETE_LIMIT: "10"
+ OPERATOR_BATCH_DELETE_DELAY: "10s"
+ OPERATOR_METRICS_BIND_ADDRESS: ":8080"
+ OPERATOR_METRICS_FINDINGS_ENABLED: "true"
+ OPERATOR_METRICS_VULN_ID_ENABLED: "false"
+ OPERATOR_HEALTH_PROBE_BIND_ADDRESS: ":9090"
+ OPERATOR_VULNERABILITY_SCANNER_ENABLED: "true"
+ OPERATOR_SBOM_GENERATION_ENABLED: "true"
+ OPERATOR_CLUSTER_SBOM_CACHE_ENABLED: "false"
+ OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS: "true"
+ OPERATOR_SCANNER_REPORT_TTL: "24h"
+ OPERATOR_CACHE_REPORT_TTL: "120h"
+ CONTROLLER_CACHE_SYNC_TIMEOUT: "5m"
+ OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED: "true"
+ OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED: "true"
+ OPERATOR_INFRA_ASSESSMENT_SCANNER_ENABLED: "true"
+ OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS: "true"
+ OPERATOR_EXPOSED_SECRET_SCANNER_ENABLED: "true"
+ OPERATOR_METRICS_EXPOSED_SECRET_INFO_ENABLED: "false"
+ OPERATOR_METRICS_CONFIG_AUDIT_INFO_ENABLED: "false"
+ OPERATOR_METRICS_RBAC_ASSESSMENT_INFO_ENABLED: "false"
+ OPERATOR_METRICS_INFRA_ASSESSMENT_INFO_ENABLED: "false"
+ OPERATOR_METRICS_IMAGE_INFO_ENABLED: "false"
+ OPERATOR_METRICS_CLUSTER_COMPLIANCE_INFO_ENABLED: "false"
+ OPERATOR_WEBHOOK_BROADCAST_URL: ""
+ OPERATOR_WEBHOOK_BROADCAST_TIMEOUT: "30s"
+ OPERATOR_SEND_DELETED_REPORTS: "false"
+ OPERATOR_PRIVATE_REGISTRY_SCAN_SECRETS_NAMES: "{}"
+ OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS: "true"
+ OPERATOR_BUILT_IN_TRIVY_SERVER: "false"
+ TRIVY_SERVER_HEALTH_CHECK_CACHE_EXPIRATION: "10h"
+ OPERATOR_MERGE_RBAC_FINDING_WITH_CONFIG_AUDIT: "false"
+ OPERATOR_CLUSTER_COMPLIANCE_ENABLED: "true"
+ }
+}, {
+ metadata: name: "\(#Name)-trivy-config"
+ data: {
+ "trivy.repository": "ghcr.io/aquasecurity/trivy"
+ "trivy.tag": "0.50.1"
+ "trivy.imagePullPolicy": "IfNotPresent"
+ "trivy.additionalVulnerabilityReportFields": ""
+ "trivy.severity": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
+ "trivy.slow": "true"
+ "trivy.skipJavaDBUpdate": "false"
+ "trivy.includeDevDeps": "false"
+ "trivy.imageScanCacheDir": "/tmp/trivy/.cache"
+ "trivy.filesystemScanCacheDir": "/var/trivyoperator/trivy-db"
+ "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db"
+ "trivy.javaDbRepository": "ghcr.io/aquasecurity/trivy-java-db"
+ "trivy.command": "image"
+ "trivy.sbomSources": ""
+ "trivy.dbRepositoryInsecure": "false"
+ "trivy.useBuiltinRegoPolicies": "true"
+ "trivy.supportedConfigAuditKinds": "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
+ "trivy.timeout": "5m0s"
+ "trivy.mode": "Standalone"
+ "trivy.resources.requests.cpu": "1"
+ "trivy.resources.requests.memory": "1Gi"
+ "trivy.resources.limits.cpu": "1"
+ "trivy.resources.limits.memory": "1Gi"
+ }
+}]
diff --git a/k8s/amour/trivy_system/custom_resource_definition_list.cue b/k8s/amour/trivy_system/custom_resource_definition_list.cue
new file mode 100644
index 000000000..dde9a0f97
--- /dev/null
+++ b/k8s/amour/trivy_system/custom_resource_definition_list.cue
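Review bot: `policies.bundle.oci.ref` points at the floating tag `ghcr.io/aquasecurity/trivy-policies:0`, so the policy bundle the operator evaluates can change underneath this deployment without any change in this repository, while `node.collector.imageRef` and `trivy.tag` are pinned to exact versions but not digests. For a scanner whose findings feed security decisions, pinning by digest (e.g. `ghcr.io/aquasecurity/trivy-policies:0@sha256:<digest>`, a constructed placeholder) or at least to an exact bundle version, with the pinned versions noted in the README, would make the scan inputs reproducible. The `nodeCollector.volumes` entries mount `/var/lib/etcd` and `/etc/kubernetes` from the host; they are `readOnly: true`, which is right, but a comment such as `// node-collector reads control-plane state and PKI from each host; keep every mount readOnly` would help the next reader judge the blast radius of that pod. The scan-job security context drops all capabilities and disables privilege escalation; if the trivy image runs as a non-root user, adding `runAsNonRoot: true` and `seccompProfile: type: "RuntimeDefault"` would bring it up to the restricted Pod Security Standard.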
@@ -0,0 +1,3180 @@ +package trivy_system + +import apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + +#CustomResourceDefinitionList: apiextensionsv1.#CustomResourceDefinitionList & { + apiVersion: "apiextensions.k8s.io/v1" + kind: "CustomResourceDefinitionList" + items: [...{ + apiVersion: "apiextensions.k8s.io/v1" + kind: "CustomResourceDefinition" + }] +} + +#CustomResourceDefinitionList: items: [{ + metadata: name: "clustercompliancereports.aquasecurity.github.io" + spec: { + group: "aquasecurity.github.io" + names: { + kind: "ClusterComplianceReport" + listKind: "ClusterComplianceReportList" + plural: "clustercompliancereports" + shortNames: ["compliance"] + singular: "clustercompliancereport" + } + scope: apiextensionsv1.#ClusterScoped + versions: [{ + additionalPrinterColumns: [{ + description: "The age of the report" + jsonPath: ".metadata.creationTimestamp" + name: "Age" + type: "date" + }, { + description: "The number of checks that failed" + jsonPath: ".status.summary.failCount" + name: "Fail" + priority: 1 + type: "integer" + }, { + description: "The number of checks that passed" + jsonPath: ".status.summary.passCount" + name: "Pass" + priority: 1 + type: "integer" + }] + name: "v1alpha1" + schema: openAPIV3Schema: { + description: "ClusterComplianceReport is a specification for the ClusterComplianceReport resource." + + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + + type: "string" + } + metadata: type: "object" + spec: { + description: "ReportSpec represent the compliance specification" + properties: { + compliance: { + properties: { + controls: { + description: "Control represent the cps controls data and mapping checks" + + items: { + description: "Control represent the cps controls data and mapping checks" + + properties: { + checks: { + items: { + description: "SpecCheck represent the scanner who perform the control check" + + properties: id: { + description: "id define the check id as produced by scanner" + + type: "string" + } + required: ["id"] + type: "object" + } + type: "array" + } + defaultStatus: { + description: "define the default value for check status in case resource not found" + + enum: [ + "PASS", + "WARN", + "FAIL", + ] + type: "string" + } + description: type: "string" + id: { + description: "id define the control check id" + type: "string" + } + name: type: "string" + severity: { + description: "define the severity of the control" + enum: [ + "CRITICAL", + "HIGH", + "MEDIUM", + "LOW", + "UNKNOWN", + ] + type: "string" + } + } + required: [ + "id", + "name", + "severity", + ] + type: "object" + } + type: "array" + } + description: type: "string" + id: type: "string" + relatedResources: { + items: type: "string" + type: "array" + } + title: type: "string" + version: type: "string" + } + required: [ + "controls", + "description", + "id", + "relatedResources", + "title", + "version", + ] + type: "object" + } + cron: { + description: "cron define the intervals for report generation" + pattern: "^(((([\\*]{1}){1})|((\\*\\/){0,1}(([0-9]{1}){1}|(([1-5]{1}){1}([0-9]{1}){1}){1}))) ((([\\*]{1}){1})|((\\*\\/){0,1}(([0-9]{1}){1}|(([1]{1}){1}([0-9]{1}){1}){1}|([2]{1}){1}([0-3]{1}){1}))) ((([\\*]{1}){1})|((\\*\\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))) 
((([\\*]{1}){1})|((\\*\\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))|(jan|feb|mar|apr|may|jun|jul|aug|sep|okt|nov|dec)) ((([\\*]{1}){1})|((\\*\\/){0,1}(([0-7]{1}){1}))|(sun|mon|tue|wed|thu|fri|sat)))$" + + type: "string" + } + reportType: { + enum: [ + "summary", + "all", + ] + type: "string" + } + } + required: [ + "compliance", + "cron", + "reportType", + ] + type: "object" + } + status: { + properties: { + detailReport: { + description: "ComplianceReport represents a kubernetes scan report" + properties: { + description: type: "string" + id: type: "string" + relatedVersion: { + items: type: "string" + type: "array" + } + results: { + items: { + properties: { + checks: { + items: { + description: "ComplianceCheck provides the result of conducting a single compliance step." + + properties: { + category: type: "string" + checkID: type: "string" + description: type: "string" + messages: { + items: type: "string" + type: "array" + } + remediation: { + description: "Remediation provides description or links to external resources to remediate failing check." + + type: "string" + } + severity: { + description: "Severity level of a vulnerability or a configuration audit check." 
+ + type: "string" + } + success: type: "boolean" + target: type: "string" + title: type: "string" + } + required: [ + "checkID", + "severity", + "success", + ] + type: "object" + } + type: "array" + } + description: type: "string" + id: type: "string" + name: type: "string" + severity: type: "string" + status: type: "string" + } + required: ["checks"] + type: "object" + } + type: "array" + } + title: type: "string" + version: type: "string" + } + type: "object" + "x-kubernetes-preserve-unknown-fields": true + } + summary: { + properties: { + failCount: type: "integer" + passCount: type: "integer" + } + type: "object" + } + summaryReport: { + description: "SummaryReport represents a kubernetes scan report with consolidated findings" + + properties: { + controlCheck: { + items: { + properties: { + id: type: "string" + name: type: "string" + severity: type: "string" + totalFail: type: "integer" + } + type: "object" + } + type: "array" + } + id: type: "string" + title: type: "string" + } + type: "object" + "x-kubernetes-preserve-unknown-fields": true + } + updateTimestamp: { + format: "date-time" + type: "string" + } + } + required: ["updateTimestamp"] + type: "object" + } + } + type: "object" + "x-kubernetes-preserve-unknown-fields": true + } + served: true + storage: true + subresources: status: {} + }] + } +}, { + metadata: name: "clusterconfigauditreports.aquasecurity.github.io" + spec: { + group: "aquasecurity.github.io" + names: { + kind: "ClusterConfigAuditReport" + listKind: "ClusterConfigAuditReportList" + plural: "clusterconfigauditreports" + shortNames: ["clusterconfigaudit"] + singular: "clusterconfigauditreport" + } + scope: apiextensionsv1.#ClusterScoped + versions: [{ + additionalPrinterColumns: [{ + description: "The name of the config audit scanner" + jsonPath: ".report.scanner.name" + name: "Scanner" + type: "string" + }, { + description: "The age of the report" + jsonPath: ".metadata.creationTimestamp" + name: "Age" + type: "date" + }, { + 
description: "The number of failed checks with critical severity" + jsonPath: ".report.summary.criticalCount" + name: "Critical" + priority: 1 + type: "integer" + }, { + description: "The number of failed checks with high severity" + jsonPath: ".report.summary.highCount" + name: "High" + priority: 1 + type: "integer" + }, { + description: "The number of failed checks with medium severity" + jsonPath: ".report.summary.mediumCount" + name: "Medium" + priority: 1 + type: "integer" + }, { + description: "The number of failed checks with low severity" + jsonPath: ".report.summary.lowCount" + name: "Low" + priority: 1 + type: "integer" + }] + name: "v1alpha1" + schema: openAPIV3Schema: { + description: "ClusterConfigAuditReport is a specification for the ClusterConfigAuditReport resource." + + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + + type: "string" + } + metadata: type: "object" + report: { + properties: { + checks: { + description: "Checks provides results of conducting audit steps." + items: { + description: "Check provides the result of conducting a single audit step." 
+ + properties: { + category: type: "string" + checkID: type: "string" + description: type: "string" + messages: { + items: type: "string" + type: "array" + } + remediation: { + description: "Remediation provides description or links to external resources to remediate failing check." + + type: "string" + } + scope: { + description: "Scope indicates the section of config that was audited." + + properties: { + type: { + description: "Type indicates type of this scope, e.g. Container, ConfigMapKey or JSONPath." + + type: "string" + } + value: { + description: "Value indicates value of this scope that depends on Type, e.g. container name, ConfigMap key or JSONPath expression" + + type: "string" + } + } + required: [ + "type", + "value", + ] + type: "object" + } + severity: { + description: "Severity level of a vulnerability or a configuration audit check." + + type: "string" + } + success: type: "boolean" + title: type: "string" + } + required: [ + "checkID", + "severity", + "success", + ] + type: "object" + } + type: "array" + } + scanner: { + description: "Scanner is the spec for a scanner generating a security assessment report." + + properties: { + name: { + description: "Name the name of the scanner." + type: "string" + } + vendor: { + description: "Vendor the name of the vendor providing the scanner." + type: "string" + } + version: { + description: "Version the version of the scanner." + type: "string" + } + } + required: [ + "name", + "vendor", + "version", + ] + type: "object" + } + summary: { + description: "ConfigAuditSummary counts failed checks by severity." + properties: { + criticalCount: { + description: "CriticalCount is the number of failed checks with critical severity." + + type: "integer" + } + highCount: { + description: "HighCount is the number of failed checks with high severity." + + type: "integer" + } + lowCount: { + description: "LowCount is the number of failed check with low severity." 
+ type: "integer" + } + mediumCount: { + description: "MediumCount is the number of failed checks with medium severity." + + type: "integer" + } + } + required: [ + "criticalCount", + "highCount", + "lowCount", + "mediumCount", + ] + type: "object" + } + updateTimestamp: { + format: "date-time" + type: "string" + } + } + required: ["checks"] + type: "object" + } + } + required: ["report"] + type: "object" + "x-kubernetes-preserve-unknown-fields": true + } + served: true + storage: true + subresources: {} + }] + } +}, { + metadata: name: "clusterinfraassessmentreports.aquasecurity.github.io" + spec: { + group: "aquasecurity.github.io" + names: { + kind: "ClusterInfraAssessmentReport" + listKind: "ClusterInfraAssessmentReportList" + plural: "clusterinfraassessmentreports" + shortNames: ["clusterinfraassessment"] + singular: "clusterinfraassessmentreport" + } + scope: apiextensionsv1.#ClusterScoped + versions: [{ + additionalPrinterColumns: [{ + description: "The name of the infra assessement scanner" + jsonPath: ".report.scanner.name" + name: "Scanner" + type: "string" + }, { + description: "The age of the report" + jsonPath: ".metadata.creationTimestamp" + name: "Age" + type: "date" + }, { + description: "The number of failed checks with critical severity" + jsonPath: ".report.summary.criticalCount" + name: "Critical" + priority: 1 + type: "integer" + }, { + description: "The number of failed checks with high severity" + jsonPath: ".report.summary.highCount" + name: "High" + priority: 1 + type: "integer" + }, { + description: "The number of failed checks with medium severity" + jsonPath: ".report.summary.mediumCount" + name: "Medium" + priority: 1 + type: "integer" + }, { + description: "The number of failed checks with low severity" + jsonPath: ".report.summary.lowCount" + name: "Low" + priority: 1 + type: "integer" + }] + name: "v1alpha1" + schema: openAPIV3Schema: { + description: "ClusterInfraAssessmentReport is a specification for the 
ClusterInfraAssessmentReport resource." + + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + + type: "string" + } + metadata: type: "object" + report: { + properties: { + checks: { + description: "Checks provides results of conducting audit steps." + items: { + description: "Check provides the result of conducting a single audit step." + + properties: { + category: type: "string" + checkID: type: "string" + description: type: "string" + messages: { + items: type: "string" + type: "array" + } + remediation: { + description: "Remediation provides description or links to external resources to remediate failing check." + + type: "string" + } + scope: { + description: "Scope indicates the section of config that was audited." + + properties: { + type: { + description: "Type indicates type of this scope, e.g. Container, ConfigMapKey or JSONPath." + + type: "string" + } + value: { + description: "Value indicates value of this scope that depends on Type, e.g. container name, ConfigMap key or JSONPath expression" + + type: "string" + } + } + required: [ + "type", + "value", + ] + type: "object" + } + severity: { + description: "Severity level of a vulnerability or a configuration audit check." 
+ + type: "string" + } + success: type: "boolean" + title: type: "string" + } + required: [ + "checkID", + "severity", + "success", + ] + type: "object" + } + type: "array" + } + scanner: { + description: "Scanner is the spec for a scanner generating a security assessment report." + + properties: { + name: { + description: "Name the name of the scanner." + type: "string" + } + vendor: { + description: "Vendor the name of the vendor providing the scanner." + type: "string" + } + version: { + description: "Version the version of the scanner." + type: "string" + } + } + required: [ + "name", + "vendor", + "version", + ] + type: "object" + } + summary: { + description: "InfraAssessmentSummary counts failed checks by severity." + properties: { + criticalCount: { + description: "CriticalCount is the number of failed checks with critical severity." + + type: "integer" + } + highCount: { + description: "HighCount is the number of failed checks with high severity." + + type: "integer" + } + lowCount: { + description: "LowCount is the number of failed check with low severity." + type: "integer" + } + mediumCount: { + description: "MediumCount is the number of failed checks with medium severity." 
+ + type: "integer" + } + } + required: [ + "criticalCount", + "highCount", + "lowCount", + "mediumCount", + ] + type: "object" + } + } + required: [ + "checks", + "scanner", + "summary", + ] + type: "object" + } + } + required: ["report"] + type: "object" + "x-kubernetes-preserve-unknown-fields": true + } + served: true + storage: true + subresources: {} + }] + } +}, { + metadata: name: "clusterrbacassessmentreports.aquasecurity.github.io" + spec: { + group: "aquasecurity.github.io" + names: { + kind: "ClusterRbacAssessmentReport" + listKind: "ClusterRbacAssessmentReportList" + plural: "clusterrbacassessmentreports" + shortNames: ["clusterrbacassessmentreport"] + singular: "clusterrbacassessmentreport" + } + scope: apiextensionsv1.#ClusterScoped + versions: [{ + additionalPrinterColumns: [{ + description: "The name of the rbac assessment scanner" + jsonPath: ".report.scanner.name" + name: "Scanner" + type: "string" + }, { + description: "The age of the report" + jsonPath: ".metadata.creationTimestamp" + name: "Age" + type: "date" + }, { + description: "The number of failed checks with critical severity" + jsonPath: ".report.summary.criticalCount" + name: "Critical" + priority: 1 + type: "integer" + }, { + description: "The number of failed checks with high severity" + jsonPath: ".report.summary.highCount" + name: "High" + priority: 1 + type: "integer" + }, { + description: "The number of failed checks with medium severity" + jsonPath: ".report.summary.mediumCount" + name: "Medium" + priority: 1 + type: "integer" + }, { + description: "The number of failed checks with low severity" + jsonPath: ".report.summary.lowCount" + name: "Low" + priority: 1 + type: "integer" + }] + name: "v1alpha1" + schema: openAPIV3Schema: { + description: "ClusterRbacAssessmentReport is a specification for the ClusterRbacAssessmentReport resource." + + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + + type: "string" + } + metadata: type: "object" + report: { + properties: { + checks: { + description: "Checks provides results of conducting audit steps." + items: { + description: "Check provides the result of conducting a single audit step." + + properties: { + category: type: "string" + checkID: type: "string" + description: type: "string" + messages: { + items: type: "string" + type: "array" + } + remediation: { + description: "Remediation provides description or links to external resources to remediate failing check." + + type: "string" + } + scope: { + description: "Scope indicates the section of config that was audited." + + properties: { + type: { + description: "Type indicates type of this scope, e.g. Container, ConfigMapKey or JSONPath." + + type: "string" + } + value: { + description: "Value indicates value of this scope that depends on Type, e.g. container name, ConfigMap key or JSONPath expression" + + type: "string" + } + } + required: [ + "type", + "value", + ] + type: "object" + } + severity: { + description: "Severity level of a vulnerability or a configuration audit check." + + type: "string" + } + success: type: "boolean" + title: type: "string" + } + required: [ + "checkID", + "severity", + "success", + ] + type: "object" + } + type: "array" + } + scanner: { + description: "Scanner is the spec for a scanner generating a security assessment report." 
+ + properties: { + name: { + description: "Name the name of the scanner." + type: "string" + } + vendor: { + description: "Vendor the name of the vendor providing the scanner." + type: "string" + } + version: { + description: "Version the version of the scanner." + type: "string" + } + } + required: [ + "name", + "vendor", + "version", + ] + type: "object" + } + summary: { + description: "RbacAssessmentSummary counts failed checks by severity." + properties: { + criticalCount: { + description: "CriticalCount is the number of failed checks with critical severity." + + type: "integer" + } + highCount: { + description: "HighCount is the number of failed checks with high severity." + + type: "integer" + } + lowCount: { + description: "LowCount is the number of failed check with low severity." + type: "integer" + } + mediumCount: { + description: "MediumCount is the number of failed checks with medium severity." + + type: "integer" + } + } + required: [ + "criticalCount", + "highCount", + "lowCount", + "mediumCount", + ] + type: "object" + } + } + required: [ + "checks", + "scanner", + "summary", + ] + type: "object" + } + } + required: ["report"] + type: "object" + "x-kubernetes-preserve-unknown-fields": true + } + served: true + storage: true + subresources: {} + }] + } +}, { + metadata: name: "clustersbomreports.aquasecurity.github.io" + spec: { + group: "aquasecurity.github.io" + names: { + kind: "ClusterSbomReport" + listKind: "ClusterSbomReportList" + plural: "clustersbomreports" + shortNames: ["clustersbom"] + singular: "clustersbomreport" + } + scope: apiextensionsv1.#ClusterScoped + versions: [{ + additionalPrinterColumns: [{ + description: "The name of image repository" + jsonPath: ".report.artifact.repository" + name: "Repository" + type: "string" + }, { + description: "The name of image tag" + jsonPath: ".report.artifact.tag" + name: "Tag" + type: "string" + }, { + description: "The name of the sbom generation scanner" + jsonPath: ".report.scanner.name" + 
name: "Scanner" + type: "string" + }, { + description: "The age of the report" + jsonPath: ".metadata.creationTimestamp" + name: "Age" + type: "date" + }, { + description: "The number of dependencies in bom" + jsonPath: ".report.summary.componentsCount" + name: "Components" + priority: 1 + type: "integer" + }, { + description: "The the number of components in bom" + jsonPath: ".report.summary.dependenciesCount" + name: "Dependencies" + priority: 1 + type: "integer" + }] + name: "v1alpha1" + schema: openAPIV3Schema: { + description: "ClusterSbomReport summarizes components and dependencies found in container image" + + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + + type: "string" + } + metadata: type: "object" + report: { + description: "Report is the actual sbom report data." + properties: { + artifact: { + description: "Artifact represents a standalone, executable package of software that includes everything needed to run an application." + + properties: { + digest: { + description: "Digest is a unique and immutable identifier of an Artifact." + + type: "string" + } + mimeType: { + description: "MimeType represents a type and format of an Artifact." + type: "string" + } + repository: { + description: "Repository is the name of the repository in the Artifact registry." 
+ + type: "string" + } + tag: { + description: "Tag is a mutable, human-readable string used to identify an Artifact." + + type: "string" + } + } + type: "object" + } + components: { + description: "Bom is artifact bill of materials." + properties: { + bomFormat: type: "string" + components: { + items: { + properties: { + "bom-ref": type: "string" + group: type: "string" + hashes: { + items: { + properties: { + alg: type: "string" + content: type: "string" + } + type: "object" + } + type: "array" + } + licenses: { + items: { + properties: { + expression: type: "string" + license: { + properties: { + id: type: "string" + name: type: "string" + url: type: "string" + } + type: "object" + } + } + type: "object" + } + type: "array" + } + name: type: "string" + properties: { + items: { + properties: { + name: type: "string" + value: type: "string" + } + type: "object" + } + type: "array" + } + purl: type: "string" + supplier: { + properties: { + contact: { + items: { + properties: { + email: type: "string" + name: type: "string" + phone: type: "string" + } + type: "object" + } + type: "array" + } + name: type: "string" + url: { + items: type: "string" + type: "array" + } + } + type: "object" + } + type: type: "string" + version: type: "string" + } + type: "object" + } + type: "array" + } + dependencies: { + items: { + properties: { + dependsOn: { + items: type: "string" + type: "array" + } + ref: type: "string" + } + type: "object" + } + type: "array" + } + metadata: { + properties: { + component: { + properties: { + "bom-ref": type: "string" + group: type: "string" + hashes: { + items: { + properties: { + alg: type: "string" + content: type: "string" + } + type: "object" + } + type: "array" + } + licenses: { + items: { + properties: { + expression: type: "string" + license: { + properties: { + id: type: "string" + name: type: "string" + url: type: "string" + } + type: "object" + } + } + type: "object" + } + type: "array" + } + name: type: "string" + properties: { + 
items: { + properties: { + name: type: "string" + value: type: "string" + } + type: "object" + } + type: "array" + } + purl: type: "string" + supplier: { + properties: { + contact: { + items: { + properties: { + email: type: "string" + name: type: "string" + phone: type: "string" + } + type: "object" + } + type: "array" + } + name: type: "string" + url: { + items: type: "string" + type: "array" + } + } + type: "object" + } + type: type: "string" + version: type: "string" + } + type: "object" + } + timestamp: type: "string" + tools: { + properties: components: { + items: { + properties: { + "bom-ref": type: "string" + group: type: "string" + hashes: { + items: { + properties: { + alg: type: "string" + content: type: "string" + } + type: "object" + } + type: "array" + } + licenses: { + items: { + properties: { + expression: type: "string" + license: { + properties: { + id: type: "string" + name: type: "string" + url: type: "string" + } + type: "object" + } + } + type: "object" + } + type: "array" + } + name: type: "string" + properties: { + items: { + properties: { + name: type: "string" + value: type: "string" + } + type: "object" + } + type: "array" + } + purl: type: "string" + supplier: { + properties: { + contact: { + items: { + properties: { + email: type: "string" + name: type: "string" + phone: type: "string" + } + type: "object" + } + type: "array" + } + name: type: "string" + url: { + items: type: "string" + type: "array" + } + } + type: "object" + } + type: type: "string" + version: type: "string" + } + type: "object" + } + type: "array" + } + type: "object" + } + } + type: "object" + } + serialNumber: type: "string" + specVersion: type: "string" + version: type: "integer" + } + required: [ + "bomFormat", + "specVersion", + ] + type: "object" + } + registry: { + description: "Registry is the registry the Artifact was pulled from." + properties: server: { + description: "Server the FQDN of registry server." 
+ type: "string" + } + type: "object" + } + scanner: { + description: "Scanner is the scanner that generated this report." + properties: { + name: { + description: "Name the name of the scanner." + type: "string" + } + vendor: { + description: "Vendor the name of the vendor providing the scanner." + type: "string" + } + version: { + description: "Version the version of the scanner." + type: "string" + } + } + required: [ + "name", + "vendor", + "version", + ] + type: "object" + } + summary: { + description: "Summary is a summary of sbom report." + properties: { + componentsCount: { + description: "ComponentsCount is the number of components in bom." + minimum: 0 + type: "integer" + } + dependenciesCount: { + description: "DependenciesCount is the number of dependencies in bom." + + minimum: 0 + type: "integer" + } + } + required: [ + "componentsCount", + "dependenciesCount", + ] + type: "object" + } + updateTimestamp: { + description: "UpdateTimestamp is a timestamp representing the server time in UTC when this report was updated." 
+ + format: "date-time" + type: "string" + } + } + required: [ + "artifact", + "components", + "scanner", + "summary", + "updateTimestamp", + ] + type: "object" + } + } + required: ["report"] + type: "object" + } + served: true + storage: true + subresources: {} + }] + } +}, { + metadata: name: "clustervulnerabilityreports.aquasecurity.github.io" + spec: { + group: "aquasecurity.github.io" + names: { + kind: "ClusterVulnerabilityReport" + listKind: "ClusterVulnerabilityReportList" + plural: "clustervulnerabilityreports" + shortNames: ["clustervuln"] + singular: "clustervulnerabilityreport" + } + scope: apiextensionsv1.#ClusterScoped + versions: [{ + additionalPrinterColumns: [{ + description: "The name of image repository" + jsonPath: ".report.artifact.repository" + name: "Repository" + type: "string" + }, { + description: "The name of image tag" + jsonPath: ".report.artifact.tag" + name: "Tag" + type: "string" + }, { + description: "The name of the vulnerability scanner" + jsonPath: ".report.scanner.name" + name: "Scanner" + type: "string" + }, { + description: "The age of the report" + jsonPath: ".metadata.creationTimestamp" + name: "Age" + type: "date" + }, { + description: "The number of critical vulnerabilities" + jsonPath: ".report.summary.criticalCount" + name: "Critical" + priority: 1 + type: "integer" + }, { + description: "The number of high vulnerabilities" + jsonPath: ".report.summary.highCount" + name: "High" + priority: 1 + type: "integer" + }, { + description: "The number of medium vulnerabilities" + jsonPath: ".report.summary.mediumCount" + name: "Medium" + priority: 1 + type: "integer" + }, { + description: "The number of low vulnerabilities" + jsonPath: ".report.summary.lowCount" + name: "Low" + priority: 1 + type: "integer" + }, { + description: "The number of unknown vulnerabilities" + jsonPath: ".report.summary.unknownCount" + name: "Unknown" + priority: 1 + type: "integer" + }] + name: "v1alpha1" + schema: openAPIV3Schema: { + description: 
"ClusterVulnerabilityReport summarizes vulnerabilities in application dependencies and operating system packages built into container images." + + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + + type: "string" + } + metadata: type: "object" + report: { + description: "Report is the actual vulnerability report data." + properties: { + artifact: { + description: "Artifact represents a standalone, executable package of software that includes everything needed to run an application." + + properties: { + digest: { + description: "Digest is a unique and immutable identifier of an Artifact." + + type: "string" + } + mimeType: { + description: "MimeType represents a type and format of an Artifact." + type: "string" + } + repository: { + description: "Repository is the name of the repository in the Artifact registry." + + type: "string" + } + tag: { + description: "Tag is a mutable, human-readable string used to identify an Artifact." 
+ + type: "string" + } + } + type: "object" + } + os: { + description: "OS information of the artifact" + properties: { + eosl: { + description: "Eosl is true if OS version has reached end of service life" + + type: "boolean" + } + family: { + description: "Operating System Family" + type: "string" + } + name: { + description: "Name or version of the OS" + type: "string" + } + } + type: "object" + } + registry: { + description: "Registry is the registry the Artifact was pulled from." + properties: server: { + description: "Server the FQDN of registry server." + type: "string" + } + type: "object" + } + scanner: { + description: "Scanner is the scanner that generated this report." + properties: { + name: { + description: "Name the name of the scanner." + type: "string" + } + vendor: { + description: "Vendor the name of the vendor providing the scanner." + type: "string" + } + version: { + description: "Version the version of the scanner." + type: "string" + } + } + required: [ + "name", + "vendor", + "version", + ] + type: "object" + } + summary: { + description: "Summary is a summary of Vulnerability counts grouped by Severity." + + properties: { + criticalCount: { + description: "CriticalCount is the number of vulnerabilities with Critical Severity." + + minimum: 0 + type: "integer" + } + highCount: { + description: "HighCount is the number of vulnerabilities with High Severity." + + minimum: 0 + type: "integer" + } + lowCount: { + description: "LowCount is the number of vulnerabilities with Low Severity." + + minimum: 0 + type: "integer" + } + mediumCount: { + description: "MediumCount is the number of vulnerabilities with Medium Severity." + + minimum: 0 + type: "integer" + } + noneCount: { + description: "NoneCount is the number of packages without any vulnerability." + minimum: 0 + type: "integer" + } + unknownCount: { + description: "UnknownCount is the number of vulnerabilities with unknown severity." 
+ + minimum: 0 + type: "integer" + } + } + required: [ + "criticalCount", + "highCount", + "lowCount", + "mediumCount", + "unknownCount", + ] + type: "object" + } + updateTimestamp: { + description: "UpdateTimestamp is a timestamp representing the server time in UTC when this report was updated." + + format: "date-time" + type: "string" + } + vulnerabilities: { + description: "Vulnerabilities is a list of operating system (OS) or application software Vulnerability items found in the Artifact." + + items: { + description: "Vulnerability is the spec for a vulnerability record." + properties: { + class: type: "string" + cvss: { + additionalProperties: { + properties: { + V2Score: type: "number" + V2Vector: type: "string" + V3Score: type: "number" + V3Vector: type: "string" + } + type: "object" + } + type: "object" + } + cvsssource: type: "string" + description: type: "string" + fixedVersion: { + description: "FixedVersion indicates the version of the Resource in which this vulnerability has been fixed." + + type: "string" + } + installedVersion: { + description: "InstalledVersion indicates the installed version of the Resource." + + type: "string" + } + lastModifiedDate: { + description: "LastModifiedDate indicates the last date CVE has been modified." + + type: "string" + } + links: { + items: type: "string" + type: "array" + } + packagePath: type: "string" + packageType: type: "string" + primaryLink: type: "string" + publishedDate: { + description: "PublishedDate indicates the date of published CVE." + type: "string" + } + resource: { + description: "Resource is a vulnerable package, application, or library." + + type: "string" + } + score: type: "number" + severity: { + description: "Severity level of a vulnerability or a configuration audit check." 
+ + enum: [ + "CRITICAL", + "HIGH", + "MEDIUM", + "LOW", + "UNKNOWN", + ] + type: "string" + } + target: type: "string" + title: type: "string" + vulnerabilityID: { + description: "VulnerabilityID the vulnerability identifier." + type: "string" + } + } + required: [ + "fixedVersion", + "installedVersion", + "lastModifiedDate", + "publishedDate", + "resource", + "severity", + "title", + "vulnerabilityID", + ] + type: "object" + } + type: "array" + } + } + required: [ + "artifact", + "os", + "scanner", + "summary", + "updateTimestamp", + "vulnerabilities", + ] + type: "object" + } + } + required: ["report"] + type: "object" + "x-kubernetes-preserve-unknown-fields": true + } + served: true + storage: true + subresources: {} + }] + } +}, { + metadata: name: "configauditreports.aquasecurity.github.io" + spec: { + group: "aquasecurity.github.io" + names: { + kind: "ConfigAuditReport" + listKind: "ConfigAuditReportList" + plural: "configauditreports" + shortNames: [ + "configaudit", + "configaudits", + ] + singular: "configauditreport" + } + scope: apiextensionsv1.#NamespaceScoped + versions: [{ + additionalPrinterColumns: [{ + description: "The name of the config audit scanner" + jsonPath: ".report.scanner.name" + name: "Scanner" + type: "string" + }, { + description: "The age of the report" + jsonPath: ".metadata.creationTimestamp" + name: "Age" + type: "date" + }, { + description: "The number of failed checks with critical severity" + jsonPath: ".report.summary.criticalCount" + name: "Critical" + priority: 1 + type: "integer" + }, { + description: "The number of failed checks with high severity" + jsonPath: ".report.summary.highCount" + name: "High" + priority: 1 + type: "integer" + }, { + description: "The number of failed checks with medium severity" + jsonPath: ".report.summary.mediumCount" + name: "Medium" + priority: 1 + type: "integer" + }, { + description: "The number of failed checks with low severity" + jsonPath: ".report.summary.lowCount" + name: "Low" + 
priority: 1 + type: "integer" + }] + name: "v1alpha1" + schema: openAPIV3Schema: { + description: "ConfigAuditReport is a specification for the ConfigAuditReport resource." + + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + + type: "string" + } + metadata: type: "object" + report: { + properties: { + checks: { + description: "Checks provides results of conducting audit steps." + items: { + description: "Check provides the result of conducting a single audit step." + + properties: { + category: type: "string" + checkID: type: "string" + description: type: "string" + messages: { + items: type: "string" + type: "array" + } + remediation: { + description: "Remediation provides description or links to external resources to remediate failing check." + + type: "string" + } + scope: { + description: "Scope indicates the section of config that was audited." + + properties: { + type: { + description: "Type indicates type of this scope, e.g. Container, ConfigMapKey or JSONPath." + + type: "string" + } + value: { + description: "Value indicates value of this scope that depends on Type, e.g. container name, ConfigMap key or JSONPath expression" + + type: "string" + } + } + required: [ + "type", + "value", + ] + type: "object" + } + severity: { + description: "Severity level of a vulnerability or a configuration audit check." 
+ + type: "string" + } + success: type: "boolean" + title: type: "string" + } + required: [ + "checkID", + "severity", + "success", + ] + type: "object" + } + type: "array" + } + scanner: { + description: "Scanner is the spec for a scanner generating a security assessment report." + + properties: { + name: { + description: "Name the name of the scanner." + type: "string" + } + vendor: { + description: "Vendor the name of the vendor providing the scanner." + type: "string" + } + version: { + description: "Version the version of the scanner." + type: "string" + } + } + required: [ + "name", + "vendor", + "version", + ] + type: "object" + } + summary: { + description: "ConfigAuditSummary counts failed checks by severity." + properties: { + criticalCount: { + description: "CriticalCount is the number of failed checks with critical severity." + + type: "integer" + } + highCount: { + description: "HighCount is the number of failed checks with high severity." + + type: "integer" + } + lowCount: { + description: "LowCount is the number of failed check with low severity." + type: "integer" + } + mediumCount: { + description: "MediumCount is the number of failed checks with medium severity." 
+ + type: "integer" + } + } + required: [ + "criticalCount", + "highCount", + "lowCount", + "mediumCount", + ] + type: "object" + } + updateTimestamp: { + format: "date-time" + type: "string" + } + } + required: ["checks"] + type: "object" + } + } + required: ["report"] + type: "object" + "x-kubernetes-preserve-unknown-fields": true + } + served: true + storage: true + subresources: {} + }] + } +}, { + metadata: name: "exposedsecretreports.aquasecurity.github.io" + spec: { + group: "aquasecurity.github.io" + names: { + kind: "ExposedSecretReport" + listKind: "ExposedSecretReportList" + plural: "exposedsecretreports" + shortNames: [ + "exposedsecret", + "exposedsecrets", + ] + singular: "exposedsecretreport" + } + scope: apiextensionsv1.#NamespaceScoped + versions: [{ + additionalPrinterColumns: [{ + description: "The name of image repository" + jsonPath: ".report.artifact.repository" + name: "Repository" + type: "string" + }, { + description: "The name of image tag" + jsonPath: ".report.artifact.tag" + name: "Tag" + type: "string" + }, { + description: "The name of the exposed secret scanner" + jsonPath: ".report.scanner.name" + name: "Scanner" + type: "string" + }, { + description: "The age of the report" + jsonPath: ".metadata.creationTimestamp" + name: "Age" + type: "date" + }, { + description: "The number of critical exposed secrets" + jsonPath: ".report.summary.criticalCount" + name: "Critical" + priority: 1 + type: "integer" + }, { + description: "The number of high exposed secrets" + jsonPath: ".report.summary.highCount" + name: "High" + priority: 1 + type: "integer" + }, { + description: "The number of medium exposed secrets" + jsonPath: ".report.summary.mediumCount" + name: "Medium" + priority: 1 + type: "integer" + }, { + description: "The number of low exposed secrets" + jsonPath: ".report.summary.lowCount" + name: "Low" + priority: 1 + type: "integer" + }] + name: "v1alpha1" + schema: openAPIV3Schema: { + description: "ExposedSecretReport summarizes 
exposed secrets in plaintext files built into container images." + + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + + type: "string" + } + metadata: type: "object" + report: { + description: "Report is the actual exposed secret report data." + properties: { + artifact: { + description: "Artifact represents a standalone, executable package of software that includes everything needed to run an application." + + properties: { + digest: { + description: "Digest is a unique and immutable identifier of an Artifact." + + type: "string" + } + mimeType: { + description: "MimeType represents a type and format of an Artifact." + type: "string" + } + repository: { + description: "Repository is the name of the repository in the Artifact registry." + + type: "string" + } + tag: { + description: "Tag is a mutable, human-readable string used to identify an Artifact." + + type: "string" + } + } + type: "object" + } + registry: { + description: "Registry is the registry the Artifact was pulled from." + properties: server: { + description: "Server the FQDN of registry server." + type: "string" + } + type: "object" + } + scanner: { + description: "Scanner is the scanner that generated this report." + properties: { + name: { + description: "Name the name of the scanner." 
+ type: "string" + } + vendor: { + description: "Vendor the name of the vendor providing the scanner." + type: "string" + } + version: { + description: "Version the version of the scanner." + type: "string" + } + } + required: [ + "name", + "vendor", + "version", + ] + type: "object" + } + secrets: { + description: "Exposed secrets is a list of passwords, api keys, tokens and others items found in the Artifact." + + items: { + description: "ExposedSecret is the spec for a exposed secret record." + properties: { + category: type: "string" + match: { + description: "Match where the exposed rule matched." + type: "string" + } + ruleID: { + description: "RuleID is rule the identifier." + type: "string" + } + severity: { + description: "Severity level of a vulnerability or a configuration audit check." + + enum: [ + "CRITICAL", + "HIGH", + "MEDIUM", + "LOW", + ] + type: "string" + } + target: { + description: "Target is where the exposed secret was found." + type: "string" + } + title: type: "string" + } + required: [ + "category", + "match", + "ruleID", + "severity", + "target", + "title", + ] + type: "object" + } + type: "array" + } + summary: { + description: "Summary is the exposed secrets counts grouped by Severity." + properties: { + criticalCount: { + description: "CriticalCount is the number of exposed secrets with Critical Severity." + + minimum: 0 + type: "integer" + } + highCount: { + description: "HighCount is the number of exposed secrets with High Severity." + + minimum: 0 + type: "integer" + } + lowCount: { + description: "LowCount is the number of exposed secrets with Low Severity." + + minimum: 0 + type: "integer" + } + mediumCount: { + description: "MediumCount is the number of exposed secrets with Medium Severity." 
+ + minimum: 0 + type: "integer" + } + } + required: [ + "criticalCount", + "highCount", + "lowCount", + "mediumCount", + ] + type: "object" + } + updateTimestamp: { + description: "UpdateTimestamp is a timestamp representing the server time in UTC when this report was updated." + + format: "date-time" + type: "string" + } + } + required: [ + "artifact", + "scanner", + "secrets", + "summary", + "updateTimestamp", + ] + type: "object" + } + } + required: ["report"] + type: "object" + "x-kubernetes-preserve-unknown-fields": true + } + served: true + storage: true + subresources: {} + }] + } +}, { + metadata: name: "infraassessmentreports.aquasecurity.github.io" + spec: { + group: "aquasecurity.github.io" + names: { + kind: "InfraAssessmentReport" + listKind: "InfraAssessmentReportList" + plural: "infraassessmentreports" + shortNames: [ + "infraassessment", + "infraassessments", + ] + singular: "infraassessmentreport" + } + scope: apiextensionsv1.#NamespaceScoped + versions: [{ + additionalPrinterColumns: [{ + description: "The name of the infra assessment scanner" + jsonPath: ".report.scanner.name" + name: "Scanner" + type: "string" + }, { + description: "The age of the report" + jsonPath: ".metadata.creationTimestamp" + name: "Age" + type: "date" + }, { + description: "The number of failed checks with critical severity" + jsonPath: ".report.summary.criticalCount" + name: "Critical" + priority: 1 + type: "integer" + }, { + description: "The number of failed checks with high severity" + jsonPath: ".report.summary.highCount" + name: "High" + priority: 1 + type: "integer" + }, { + description: "The number of failed checks with medium severity" + jsonPath: ".report.summary.mediumCount" + name: "Medium" + priority: 1 + type: "integer" + }, { + description: "The number of failed checks with low severity" + jsonPath: ".report.summary.lowCount" + name: "Low" + priority: 1 + type: "integer" + }] + name: "v1alpha1" + schema: openAPIV3Schema: { + description: 
"InfraAssessmentReport is a specification for the InfraAssessmentReport resource." + + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + + type: "string" + } + metadata: type: "object" + report: { + properties: { + checks: { + description: "Checks provides results of conducting audit steps." + items: { + description: "Check provides the result of conducting a single audit step." + + properties: { + category: type: "string" + checkID: type: "string" + description: type: "string" + messages: { + items: type: "string" + type: "array" + } + remediation: { + description: "Remediation provides description or links to external resources to remediate failing check." + + type: "string" + } + scope: { + description: "Scope indicates the section of config that was audited." + + properties: { + type: { + description: "Type indicates type of this scope, e.g. Container, ConfigMapKey or JSONPath." + + type: "string" + } + value: { + description: "Value indicates value of this scope that depends on Type, e.g. container name, ConfigMap key or JSONPath expression" + + type: "string" + } + } + required: [ + "type", + "value", + ] + type: "object" + } + severity: { + description: "Severity level of a vulnerability or a configuration audit check." 
+ + type: "string" + } + success: type: "boolean" + title: type: "string" + } + required: [ + "checkID", + "severity", + "success", + ] + type: "object" + } + type: "array" + } + scanner: { + description: "Scanner is the spec for a scanner generating a security assessment report." + + properties: { + name: { + description: "Name the name of the scanner." + type: "string" + } + vendor: { + description: "Vendor the name of the vendor providing the scanner." + type: "string" + } + version: { + description: "Version the version of the scanner." + type: "string" + } + } + required: [ + "name", + "vendor", + "version", + ] + type: "object" + } + summary: { + description: "InfraAssessmentSummary counts failed checks by severity." + properties: { + criticalCount: { + description: "CriticalCount is the number of failed checks with critical severity." + + type: "integer" + } + highCount: { + description: "HighCount is the number of failed checks with high severity." + + type: "integer" + } + lowCount: { + description: "LowCount is the number of failed check with low severity." + type: "integer" + } + mediumCount: { + description: "MediumCount is the number of failed checks with medium severity." 
+ + type: "integer" + } + } + required: [ + "criticalCount", + "highCount", + "lowCount", + "mediumCount", + ] + type: "object" + } + } + required: [ + "checks", + "scanner", + "summary", + ] + type: "object" + } + } + required: ["report"] + type: "object" + } + served: true + storage: true + subresources: {} + }] + } +}, { + metadata: name: "rbacassessmentreports.aquasecurity.github.io" + spec: { + group: "aquasecurity.github.io" + names: { + kind: "RbacAssessmentReport" + listKind: "RbacAssessmentReportList" + plural: "rbacassessmentreports" + shortNames: [ + "rbacassessment", + "rbacassessments", + ] + singular: "rbacassessmentreport" + } + scope: apiextensionsv1.#NamespaceScoped + versions: [{ + additionalPrinterColumns: [{ + description: "The name of the rbac assessment scanner" + jsonPath: ".report.scanner.name" + name: "Scanner" + type: "string" + }, { + description: "The age of the report" + jsonPath: ".metadata.creationTimestamp" + name: "Age" + type: "date" + }, { + description: "The number of failed checks with critical severity" + jsonPath: ".report.summary.criticalCount" + name: "Critical" + priority: 1 + type: "integer" + }, { + description: "The number of failed checks with high severity" + jsonPath: ".report.summary.highCount" + name: "High" + priority: 1 + type: "integer" + }, { + description: "The number of failed checks with medium severity" + jsonPath: ".report.summary.mediumCount" + name: "Medium" + priority: 1 + type: "integer" + }, { + description: "The number of failed checks with low severity" + jsonPath: ".report.summary.lowCount" + name: "Low" + priority: 1 + type: "integer" + }] + name: "v1alpha1" + schema: openAPIV3Schema: { + description: "RbacAssessmentReport is a specification for the RbacAssessmentReport resource." + + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + + type: "string" + } + metadata: type: "object" + report: { + properties: { + checks: { + description: "Checks provides results of conducting audit steps." + items: { + description: "Check provides the result of conducting a single audit step." + + properties: { + category: type: "string" + checkID: type: "string" + description: type: "string" + messages: { + items: type: "string" + type: "array" + } + remediation: { + description: "Remediation provides description or links to external resources to remediate failing check." + + type: "string" + } + scope: { + description: "Scope indicates the section of config that was audited." + + properties: { + type: { + description: "Type indicates type of this scope, e.g. Container, ConfigMapKey or JSONPath." + + type: "string" + } + value: { + description: "Value indicates value of this scope that depends on Type, e.g. container name, ConfigMap key or JSONPath expression" + + type: "string" + } + } + required: [ + "type", + "value", + ] + type: "object" + } + severity: { + description: "Severity level of a vulnerability or a configuration audit check." + + type: "string" + } + success: type: "boolean" + title: type: "string" + } + required: [ + "checkID", + "severity", + "success", + ] + type: "object" + } + type: "array" + } + scanner: { + description: "Scanner is the spec for a scanner generating a security assessment report." 
+ + properties: { + name: { + description: "Name the name of the scanner." + type: "string" + } + vendor: { + description: "Vendor the name of the vendor providing the scanner." + type: "string" + } + version: { + description: "Version the version of the scanner." + type: "string" + } + } + required: [ + "name", + "vendor", + "version", + ] + type: "object" + } + summary: { + description: "RbacAssessmentSummary counts failed checks by severity." + properties: { + criticalCount: { + description: "CriticalCount is the number of failed checks with critical severity." + + type: "integer" + } + highCount: { + description: "HighCount is the number of failed checks with high severity." + + type: "integer" + } + lowCount: { + description: "LowCount is the number of failed check with low severity." + type: "integer" + } + mediumCount: { + description: "MediumCount is the number of failed checks with medium severity." + + type: "integer" + } + } + required: [ + "criticalCount", + "highCount", + "lowCount", + "mediumCount", + ] + type: "object" + } + } + required: [ + "checks", + "scanner", + "summary", + ] + type: "object" + } + } + required: ["report"] + type: "object" + "x-kubernetes-preserve-unknown-fields": true + } + served: true + storage: true + subresources: {} + }] + } +}, { + metadata: name: "sbomreports.aquasecurity.github.io" + spec: { + group: "aquasecurity.github.io" + names: { + kind: "SbomReport" + listKind: "SbomReportList" + plural: "sbomreports" + shortNames: [ + "sbom", + "sboms", + ] + singular: "sbomreport" + } + scope: apiextensionsv1.#NamespaceScoped + versions: [{ + additionalPrinterColumns: [{ + description: "The name of image repository" + jsonPath: ".report.artifact.repository" + name: "Repository" + type: "string" + }, { + description: "The name of image tag" + jsonPath: ".report.artifact.tag" + name: "Tag" + type: "string" + }, { + description: "The name of the sbom generation scanner" + jsonPath: ".report.scanner.name" + name: "Scanner" + type: 
"string" + }, { + description: "The age of the report" + jsonPath: ".metadata.creationTimestamp" + name: "Age" + type: "date" + }, { + description: "The number of dependencies in bom" + jsonPath: ".report.summary.componentsCount" + name: "Components" + priority: 1 + type: "integer" + }, { + description: "The the number of components in bom" + jsonPath: ".report.summary.dependenciesCount" + name: "Dependencies" + priority: 1 + type: "integer" + }] + name: "v1alpha1" + schema: openAPIV3Schema: { + description: "SbomReport summarizes components and dependencies found in container image" + + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + + type: "string" + } + metadata: type: "object" + report: { + description: "Report is the actual sbom report data." + properties: { + artifact: { + description: "Artifact represents a standalone, executable package of software that includes everything needed to run an application." + + properties: { + digest: { + description: "Digest is a unique and immutable identifier of an Artifact." + + type: "string" + } + mimeType: { + description: "MimeType represents a type and format of an Artifact." + type: "string" + } + repository: { + description: "Repository is the name of the repository in the Artifact registry." 
+ + type: "string" + } + tag: { + description: "Tag is a mutable, human-readable string used to identify an Artifact." + + type: "string" + } + } + type: "object" + } + components: { + description: "Bom is artifact bill of materials." + properties: { + bomFormat: type: "string" + components: { + items: { + properties: { + "bom-ref": type: "string" + group: type: "string" + hashes: { + items: { + properties: { + alg: type: "string" + content: type: "string" + } + type: "object" + } + type: "array" + } + licenses: { + items: { + properties: { + expression: type: "string" + license: { + properties: { + id: type: "string" + name: type: "string" + url: type: "string" + } + type: "object" + } + } + type: "object" + } + type: "array" + } + name: type: "string" + properties: { + items: { + properties: { + name: type: "string" + value: type: "string" + } + type: "object" + } + type: "array" + } + purl: type: "string" + supplier: { + properties: { + contact: { + items: { + properties: { + email: type: "string" + name: type: "string" + phone: type: "string" + } + type: "object" + } + type: "array" + } + name: type: "string" + url: { + items: type: "string" + type: "array" + } + } + type: "object" + } + type: type: "string" + version: type: "string" + } + type: "object" + } + type: "array" + } + dependencies: { + items: { + properties: { + dependsOn: { + items: type: "string" + type: "array" + } + ref: type: "string" + } + type: "object" + } + type: "array" + } + metadata: { + properties: { + component: { + properties: { + "bom-ref": type: "string" + group: type: "string" + hashes: { + items: { + properties: { + alg: type: "string" + content: type: "string" + } + type: "object" + } + type: "array" + } + licenses: { + items: { + properties: { + expression: type: "string" + license: { + properties: { + id: type: "string" + name: type: "string" + url: type: "string" + } + type: "object" + } + } + type: "object" + } + type: "array" + } + name: type: "string" + properties: { + 
items: { + properties: { + name: type: "string" + value: type: "string" + } + type: "object" + } + type: "array" + } + purl: type: "string" + supplier: { + properties: { + contact: { + items: { + properties: { + email: type: "string" + name: type: "string" + phone: type: "string" + } + type: "object" + } + type: "array" + } + name: type: "string" + url: { + items: type: "string" + type: "array" + } + } + type: "object" + } + type: type: "string" + version: type: "string" + } + type: "object" + } + timestamp: type: "string" + tools: { + properties: components: { + items: { + properties: { + "bom-ref": type: "string" + group: type: "string" + hashes: { + items: { + properties: { + alg: type: "string" + content: type: "string" + } + type: "object" + } + type: "array" + } + licenses: { + items: { + properties: { + expression: type: "string" + license: { + properties: { + id: type: "string" + name: type: "string" + url: type: "string" + } + type: "object" + } + } + type: "object" + } + type: "array" + } + name: type: "string" + properties: { + items: { + properties: { + name: type: "string" + value: type: "string" + } + type: "object" + } + type: "array" + } + purl: type: "string" + supplier: { + properties: { + contact: { + items: { + properties: { + email: type: "string" + name: type: "string" + phone: type: "string" + } + type: "object" + } + type: "array" + } + name: type: "string" + url: { + items: type: "string" + type: "array" + } + } + type: "object" + } + type: type: "string" + version: type: "string" + } + type: "object" + } + type: "array" + } + type: "object" + } + } + type: "object" + } + serialNumber: type: "string" + specVersion: type: "string" + version: type: "integer" + } + required: [ + "bomFormat", + "specVersion", + ] + type: "object" + } + registry: { + description: "Registry is the registry the Artifact was pulled from." + properties: server: { + description: "Server the FQDN of registry server." 
+ type: "string" + } + type: "object" + } + scanner: { + description: "Scanner is the scanner that generated this report." + properties: { + name: { + description: "Name the name of the scanner." + type: "string" + } + vendor: { + description: "Vendor the name of the vendor providing the scanner." + type: "string" + } + version: { + description: "Version the version of the scanner." + type: "string" + } + } + required: [ + "name", + "vendor", + "version", + ] + type: "object" + } + summary: { + description: "Summary is a summary of sbom report." + properties: { + componentsCount: { + description: "ComponentsCount is the number of components in bom." + minimum: 0 + type: "integer" + } + dependenciesCount: { + description: "DependenciesCount is the number of dependencies in bom." + + minimum: 0 + type: "integer" + } + } + required: [ + "componentsCount", + "dependenciesCount", + ] + type: "object" + } + updateTimestamp: { + description: "UpdateTimestamp is a timestamp representing the server time in UTC when this report was updated." 
+ + format: "date-time" + type: "string" + } + } + required: [ + "artifact", + "components", + "scanner", + "summary", + "updateTimestamp", + ] + type: "object" + } + } + required: ["report"] + type: "object" + "x-kubernetes-preserve-unknown-fields": true + } + served: true + storage: true + subresources: {} + }] + } +}, { + metadata: name: "vulnerabilityreports.aquasecurity.github.io" + spec: { + group: "aquasecurity.github.io" + names: { + kind: "VulnerabilityReport" + listKind: "VulnerabilityReportList" + plural: "vulnerabilityreports" + shortNames: [ + "vuln", + "vulns", + ] + singular: "vulnerabilityreport" + } + scope: apiextensionsv1.#NamespaceScoped + versions: [{ + additionalPrinterColumns: [{ + description: "The name of image repository" + jsonPath: ".report.artifact.repository" + name: "Repository" + type: "string" + }, { + description: "The name of image tag" + jsonPath: ".report.artifact.tag" + name: "Tag" + type: "string" + }, { + description: "The name of the vulnerability scanner" + jsonPath: ".report.scanner.name" + name: "Scanner" + type: "string" + }, { + description: "The age of the report" + jsonPath: ".metadata.creationTimestamp" + name: "Age" + type: "date" + }, { + description: "The number of critical vulnerabilities" + jsonPath: ".report.summary.criticalCount" + name: "Critical" + priority: 1 + type: "integer" + }, { + description: "The number of high vulnerabilities" + jsonPath: ".report.summary.highCount" + name: "High" + priority: 1 + type: "integer" + }, { + description: "The number of medium vulnerabilities" + jsonPath: ".report.summary.mediumCount" + name: "Medium" + priority: 1 + type: "integer" + }, { + description: "The number of low vulnerabilities" + jsonPath: ".report.summary.lowCount" + name: "Low" + priority: 1 + type: "integer" + }, { + description: "The number of unknown vulnerabilities" + jsonPath: ".report.summary.unknownCount" + name: "Unknown" + priority: 1 + type: "integer" + }] + name: "v1alpha1" + schema: 
openAPIV3Schema: { + description: "VulnerabilityReport summarizes vulnerabilities in application dependencies and operating system packages built into container images." + + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + + type: "string" + } + metadata: type: "object" + report: { + description: "Report is the actual vulnerability report data." + properties: { + artifact: { + description: "Artifact represents a standalone, executable package of software that includes everything needed to run an application." + + properties: { + digest: { + description: "Digest is a unique and immutable identifier of an Artifact." + + type: "string" + } + mimeType: { + description: "MimeType represents a type and format of an Artifact." + type: "string" + } + repository: { + description: "Repository is the name of the repository in the Artifact registry." + + type: "string" + } + tag: { + description: "Tag is a mutable, human-readable string used to identify an Artifact." 
+ + type: "string" + } + } + type: "object" + } + os: { + description: "OS information of the artifact" + properties: { + eosl: { + description: "Eosl is true if OS version has reached end of service life" + + type: "boolean" + } + family: { + description: "Operating System Family" + type: "string" + } + name: { + description: "Name or version of the OS" + type: "string" + } + } + type: "object" + } + registry: { + description: "Registry is the registry the Artifact was pulled from." + properties: server: { + description: "Server the FQDN of registry server." + type: "string" + } + type: "object" + } + scanner: { + description: "Scanner is the scanner that generated this report." + properties: { + name: { + description: "Name the name of the scanner." + type: "string" + } + vendor: { + description: "Vendor the name of the vendor providing the scanner." + type: "string" + } + version: { + description: "Version the version of the scanner." + type: "string" + } + } + required: [ + "name", + "vendor", + "version", + ] + type: "object" + } + summary: { + description: "Summary is a summary of Vulnerability counts grouped by Severity." + + properties: { + criticalCount: { + description: "CriticalCount is the number of vulnerabilities with Critical Severity." + + minimum: 0 + type: "integer" + } + highCount: { + description: "HighCount is the number of vulnerabilities with High Severity." + + minimum: 0 + type: "integer" + } + lowCount: { + description: "LowCount is the number of vulnerabilities with Low Severity." + + minimum: 0 + type: "integer" + } + mediumCount: { + description: "MediumCount is the number of vulnerabilities with Medium Severity." + + minimum: 0 + type: "integer" + } + noneCount: { + description: "NoneCount is the number of packages without any vulnerability." + minimum: 0 + type: "integer" + } + unknownCount: { + description: "UnknownCount is the number of vulnerabilities with unknown severity." 
+ + minimum: 0 + type: "integer" + } + } + required: [ + "criticalCount", + "highCount", + "lowCount", + "mediumCount", + "unknownCount", + ] + type: "object" + } + updateTimestamp: { + description: "UpdateTimestamp is a timestamp representing the server time in UTC when this report was updated." + + format: "date-time" + type: "string" + } + vulnerabilities: { + description: "Vulnerabilities is a list of operating system (OS) or application software Vulnerability items found in the Artifact." + + items: { + description: "Vulnerability is the spec for a vulnerability record." + properties: { + class: type: "string" + cvss: { + additionalProperties: { + properties: { + V2Score: type: "number" + V2Vector: type: "string" + V3Score: type: "number" + V3Vector: type: "string" + } + type: "object" + } + type: "object" + } + cvsssource: type: "string" + description: type: "string" + fixedVersion: { + description: "FixedVersion indicates the version of the Resource in which this vulnerability has been fixed." + + type: "string" + } + installedVersion: { + description: "InstalledVersion indicates the installed version of the Resource." + + type: "string" + } + lastModifiedDate: { + description: "LastModifiedDate indicates the last date CVE has been modified." + + type: "string" + } + links: { + items: type: "string" + type: "array" + } + packagePath: type: "string" + packageType: type: "string" + primaryLink: type: "string" + publishedDate: { + description: "PublishedDate indicates the date of published CVE." + type: "string" + } + resource: { + description: "Resource is a vulnerable package, application, or library." + + type: "string" + } + score: type: "number" + severity: { + description: "Severity level of a vulnerability or a configuration audit check." 
+ + enum: [ + "CRITICAL", + "HIGH", + "MEDIUM", + "LOW", + "UNKNOWN", + ] + type: "string" + } + target: type: "string" + title: type: "string" + vulnerabilityID: { + description: "VulnerabilityID the vulnerability identifier." + type: "string" + } + } + required: [ + "fixedVersion", + "installedVersion", + "lastModifiedDate", + "publishedDate", + "resource", + "severity", + "title", + "vulnerabilityID", + ] + type: "object" + } + type: "array" + } + } + required: [ + "artifact", + "os", + "scanner", + "summary", + "updateTimestamp", + "vulnerabilities", + ] + type: "object" + } + } + required: ["report"] + type: "object" + "x-kubernetes-preserve-unknown-fields": true + } + served: true + storage: true + subresources: {} + }] + } +}] diff --git a/k8s/amour/trivy_system/deployment_list.cue b/k8s/amour/trivy_system/deployment_list.cue new file mode 100644 index 000000000..855f2bc97 --- /dev/null +++ b/k8s/amour/trivy_system/deployment_list.cue 
@@ -0,0 +1,98 @@
+package trivy_system
+
+import (
+ appsv1 "k8s.io/api/apps/v1"
+ "k8s.io/api/core/v1"
+)
+
+#DeploymentList: appsv1.#DeploymentList & {
+ apiVersion: "apps/v1"
+ kind: "DeploymentList"
+ items: [...{
+ apiVersion: "apps/v1"
+ kind: "Deployment"
+ }]
+}
+
+#DeploymentList: items: [{
+ spec: {
+ strategy: type: appsv1.#RecreateDeploymentStrategyType
+ selector: matchLabels: "app.kubernetes.io/name": #Name
+ template: {
+ metadata: labels: "app.kubernetes.io/name": #Name
+ spec: {
+ volumes: [{
+ name: "policy-cache"
+ emptyDir: {}
+ }]
+ containers: [{
+ name: "trivy-operator"
+ image: "ghcr.io/aquasecurity/trivy-operator:\(#Version)"
+ ports: [{
+ name: "http-metrics"
+ containerPort: 8080
+ }, {
+ name: "probes"
+ containerPort: 9090
+ }]
+ envFrom: [{configMapRef: name: "trivy-operator-config"}]
+ env: [{
+ name: "OPERATOR_NAMESPACE"
+ value: #Namespace
+ }, {
+ name: "OPERATOR_TARGET_NAMESPACES"
+ value: ""
+ }, {
+ name: "OPERATOR_EXCLUDE_NAMESPACES"
+ value: ""
+ }, {
+ name: "OPERATOR_TARGET_WORKLOADS"
+ value: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job"
+ }, {
+ name: "OPERATOR_SERVICE_ACCOUNT"
+ value: #Name
+ }]
+ resources: limits: {
+ (v1.#ResourceCPU): "500m"
+ (v1.#ResourceMemory): "512Mi"
+ }
+ volumeMounts: [{
+ name: "policy-cache"
+ mountPath: "/tmp"
+ }]
+
+ let probe = {
+ httpGet: port: "probes"
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ }
+
+ readinessProbe: probe & {
+ httpGet: path: "/readyz"
+ failureThreshold: 3
+ }
+ livenessProbe: probe & {
+ httpGet: path: "/healthz"
+ failureThreshold: 10
+ }
+
+ imagePullPolicy: v1.#PullIfNotPresent
+ securityContext: {
+ capabilities: drop: ["ALL"]
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ }
+ }]
+ serviceAccountName: #Name
+ securityContext: {
+ runAsUser: 1000
+ runAsGroup: 3000
+ runAsNonRoot: true
+ fsGroup: 2000
+ seccompProfile: type: v1.#SeccompProfileTypeRuntimeDefault
+ }
+ }
+ }
+ }
+}]
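Review bot: The operator image on the `image:` line is pinned by tag only (`\(#Version)`); a tag is mutable, so the bytes that get deployed can change without any change in this file, and the `imagePullPolicy: v1.#PullIfNotPresent` further down means a node keeps whatever it pulled first under that tag. Pinning the digest alongside the tag, `image: "ghcr.io/aquasecurity/trivy-operator:\(#Version)@sha256:<digest-placeholder>"`, makes the rollout reproducible and lets the tag stay as a human-readable label. Separately, the `policy-cache` emptyDir mounted at `/tmp` has no `sizeLimit`; with `readOnlyRootFilesystem: true` it is the container's only writable path, so an unbounded cache can consume node ephemeral storage — `emptyDir: sizeLimit: "1Gi"` (value to be tuned) bounds it and lets the kubelet evict the pod rather than the node filling up.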
diff --git a/k8s/amour/trivy_system/list.cue b/k8s/amour/trivy_system/list.cue
new file mode 100644
index 000000000..80946feb7
--- /dev/null
+++ b/k8s/amour/trivy_system/list.cue
@@ -0,0 +1,45 @@
+package trivy_system
+
+import (
+ "list"
+
+ "k8s.io/api/core/v1"
+)
+
+#Name: "trivy-operator"
+#Namespace: "trivy-system"
+#Version: "0.19.2"
+
+#List: v1.#List & {
+ apiVersion: "v1"
+ kind: "List"
+ items: [...{
+ metadata: {
+ name: string | *#Name
+ namespace: #Namespace
+ labels: {
+ "app.kubernetes.io/name": string | *#Name
+ "app.kubernetes.io/instance": #Name
+ "app.kubernetes.io/version": #Version
+ "app.kubernetes.io/component": string | *#Name
+ }
+ }
+ }]
+}
+
+#List: items: list.Concat(_items)
+
+_items: [
+ #ClusterRoleBindingList.items,
+ #ClusterRoleList.items,
+ #ConfigMapList.items,
+ #CustomResourceDefinitionList.items,
+ #DeploymentList.items,
+ #NamespaceList.items,
+ #RoleBindingList.items,
+ #RoleList.items,
+ #SecretList.items,
+ #ServiceAccountList.items,
+ #ServiceList.items,
+ #VMServiceScrapeList.items,
+]
diff --git a/k8s/amour/trivy_system/namespace_list.cue b/k8s/amour/trivy_system/namespace_list.cue
new file mode 100644
index 000000000..ff2fbe919
--- /dev/null
+++ b/k8s/amour/trivy_system/namespace_list.cue
@@ -0,0 +1,19 @@
+package trivy_system
+
+import "k8s.io/api/core/v1"
+
+#NamespaceList: v1.#NamespaceList & {
+ apiVersion: "v1"
+ kind: "NamespaceList"
+ items: [...{
+ apiVersion: "v1"
+ kind: "Namespace"
+ }]
+}
+
+#NamespaceList: items: [{
+ metadata: {
+ name: #Namespace
+ labels: "pod-security.kubernetes.io/enforce": "privileged"
+ }
+}]
diff --git a/k8s/amour/trivy_system/role_binding_list.cue b/k8s/amour/trivy_system/role_binding_list.cue
new file mode 100644
index 000000000..fc95b79b8
--- /dev/null
+++ b/k8s/amour/trivy_system/role_binding_list.cue
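Review bot: The namespace in the `namespace_list.cue` hunk is labelled `"pod-security.kubernetes.io/enforce": "privileged"`, which switches Pod Security Admission enforcement off for every pod created in it, even though the operator Deployment in this same commit drops all capabilities, runs non-root with a RuntimeDefault seccomp profile and a read-only root filesystem and so already satisfies the `restricted` profile. If the label exists for the scan jobs the operator presumably launches in its own namespace, a comment on that line naming the workload that needs it would stop the next reader from tightening it blindly; otherwise `"pod-security.kubernetes.io/enforce": "restricted"` (or `"baseline"` as a first step) keeps the admission guard for any future pod in this namespace. Pairing it with `"pod-security.kubernetes.io/warn": "restricted"` would surface which pods fall short without changing enforcement.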
@@ -0,0 +1,35 @@
+package trivy_system
+
+import rbacv1 "k8s.io/api/rbac/v1"
+
+#RoleBindingList: rbacv1.#RoleBindingList & {
+ apiVersion: "rbac.authorization.k8s.io/v1"
+ kind: "RoleBindingList"
+ items: [...{
+ apiVersion: "rbac.authorization.k8s.io/v1"
+ kind: "RoleBinding"
+ }]
+}
+
+#RoleBindingList: items: [{
+ roleRef: {
+ apiGroup: rbacv1.#GroupName
+ kind: "Role"
+ name: #Name
+ }
+ subjects: [{
+ name: #Name
+ kind: rbacv1.#ServiceAccountKind
+ }]
+}, {
+ metadata: name: "\(#Name)-leader-election"
+ roleRef: {
+ apiGroup: rbacv1.#GroupName
+ kind: "Role"
+ name: "\(#Name)-leader-election"
+ }
+ subjects: [{
+ name: #Name
+ kind: rbacv1.#ServiceAccountKind
+ }]
+}]
diff --git a/k8s/amour/trivy_system/role_list.cue b/k8s/amour/trivy_system/role_list.cue
new file mode 100644
index 000000000..012309ade
--- /dev/null
+++ b/k8s/amour/trivy_system/role_list.cue
@@ -0,0 +1,35 @@
+package trivy_system
+
+import rbacv1 "k8s.io/api/rbac/v1"
+
+#RoleList: rbacv1.#RoleList & {
+ apiVersion: "rbac.authorization.k8s.io/v1"
+ kind: "RoleList"
+ items: [...{
+ apiVersion: "rbac.authorization.k8s.io/v1"
+ kind: "Role"
+ }]
+}
+
+#RoleList: items: [{
+ rules: [{
+ apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch"]
+ }, {
+ apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create", "get", "delete"]
+ }]
+}, {
+ metadata: name: "\(#Name)-leader-election"
+ rules: [{
+ apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["create", "get", "update"]
+ }, {
+ apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create"]
+ }]
+}]
diff --git a/k8s/amour/trivy_system/secret_list.cue b/k8s/amour/trivy_system/secret_list.cue
new file mode 100644
index 000000000..ee020867b
--- /dev/null
+++ b/k8s/amour/trivy_system/secret_list.cue
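Review bot: The ServiceAccount subjects in both RoleBindings of the `role_binding_list.cue` hunk omit `namespace`; for a namespaced RoleBinding the RBAC authorizer resolves an empty subject namespace to the binding's own namespace, so the grant works, but adding `namespace: #Namespace` to each subject states the intent explicitly and keeps the subject valid if it is ever reused in a ClusterRoleBinding, where the field is required for ServiceAccount subjects. In the `role_list.cue` hunk on the same line, the `secrets` rule grants `create`, `get` and `delete` but deliberately not `list`/`watch`, which is the narrow shape you want; a comment such as `// create/get/delete only: the operator manages its own secrets but must not enumerate others in the namespace` would record that the verb set is intentionally incomplete so nobody "completes" it later.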
@@ -0,0 +1,14 @@
+package trivy_system
+
+import "k8s.io/api/core/v1"
+
+#SecretList: v1.#SecretList & {
+ apiVersion: "v1"
+ kind: "SecretList"
+ items: [...{
+ apiVersion: "v1"
+ kind: "Secret"
+ }]
+}
+
+#SecretList: items: [{}, {metadata: name: "trivy-operator-trivy-config"}]
diff --git a/k8s/amour/trivy_system/service_account_list.cue b/k8s/amour/trivy_system/service_account_list.cue
new file mode 100644
index 000000000..927dbcdcc
--- /dev/null
+++ b/k8s/amour/trivy_system/service_account_list.cue
@@ -0,0 +1,14 @@
+package trivy_system
+
+import "k8s.io/api/core/v1"
+
+#ServiceAccountList: v1.#ServiceAccountList & {
+ apiVersion: "v1"
+ kind: "ServiceAccountList"
+ items: [...{
+ apiVersion: "v1"
+ kind: "ServiceAccount"
+ }]
+}
+
+#ServiceAccountList: items: [{}]
diff --git a/k8s/amour/trivy_system/service_list.cue b/k8s/amour/trivy_system/service_list.cue
new file mode 100644
index 000000000..c1d339918
--- /dev/null
+++ b/k8s/amour/trivy_system/service_list.cue
@@ -0,0 +1,23 @@
+package trivy_system
+
+import "k8s.io/api/core/v1"
+
+#ServiceList: v1.#ServiceList & {
+ apiVersion: "v1"
+ kind: "ServiceList"
+ items: [...{
+ apiVersion: "v1"
+ kind: "Service"
+ }]
+}
+
+#ServiceList: items: [{
+ spec: {
+ ports: [{
+ name: "http-metrics"
+ port: 80
+ targetPort: "http-metrics"
+ }]
+ selector: "app.kubernetes.io/name": #Name
+ }
+}]
diff --git a/k8s/amour/trivy_system/vm_service_scrape_list.cue b/k8s/amour/trivy_system/vm_service_scrape_list.cue
new file mode 100644
index 000000000..a8c0a6f24
--- /dev/null
+++ b/k8s/amour/trivy_system/vm_service_scrape_list.cue
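Review bot: Both Secret objects on the `#SecretList: items:` line of the `secret_list.cue` hunk are declared with no `data` or `stringData`, so the commit ships two empty Secrets — one named `trivy-operator` via the `#List` default and one named `trivy-operator-trivy-config` — without saying what is expected to fill them. If they are placeholders the operator reads optional settings from, or that are populated out of band, a comment above that line such as `// Intentionally empty: contents are provided out of band and read by the operator as optional config` tells the next maintainer not to prune them; if something else is expected to write into them, it is worth confirming that the apply tooling does not reset the contents to empty on every sync. The `service_account_list.cue` and `service_list.cue` hunks on the same line raise nothing.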
@@ -0,0 +1,19 @@
+package trivy_system
+
+import victoriametricsv1beta1 "github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1"
+
+#VMServiceScrapeList: victoriametricsv1beta1.#VMServiceScrapeList & {
+ apiVersion: "operator.victoriametrics.com/v1beta1"
+ kind: "VMServiceScrapeList"
+ items: [...{
+ apiVersion: "operator.victoriametrics.com/v1beta1"
+ kind: "VMServiceScrape"
+ }]
+}
+
+#VMServiceScrapeList: items: [{
+ spec: {
+ endpoints: [{port: "http-metrics"}]
+ selector: matchLabels: "app.kubernetes.io/name": #Name
+ }
+}]