diff --git a/apis/management.cattle.io/v3/alerting_types.go b/apis/management.cattle.io/v3/alerting_types.go index 1f839ac2..3a608daf 100644 --- a/apis/management.cattle.io/v3/alerting_types.go +++ b/apis/management.cattle.io/v3/alerting_types.go @@ -161,6 +161,7 @@ type ClusterAlertRuleSpec struct { EventRule *EventRule `json:"eventRule,omitempty"` SystemServiceRule *SystemServiceRule `json:"systemServiceRule,omitempty"` MetricRule *MetricRule `json:"metricRule,omitempty"` + ClusterScanRule *ClusterScanRule `json:"clusterScanRule,omitempty"` } type ProjectAlertRule struct { @@ -199,6 +200,11 @@ type CommonRuleField struct { TimingField } +type ClusterScanRule struct { + ScanRunType ClusterScanRunType `json:"scanRunType,omitempty" norman:"required,options=manual|scheduled,default=scheduled"` + FailuresOnly bool `json:"failuresOnly,omitempty"` +} + type MetricRule struct { Expression string `json:"expression,omitempty" norman:"required"` Description string `json:"description,omitempty"` diff --git a/apis/management.cattle.io/v3/cluster_scan_types.go b/apis/management.cattle.io/v3/cluster_scan_types.go index e3f1e8e7..5a6cbc87 100644 --- a/apis/management.cattle.io/v3/cluster_scan_types.go +++ b/apis/management.cattle.io/v3/cluster_scan_types.go @@ -9,11 +9,15 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +type ClusterScanRunType string +type CisScanProfileType string + const ( ClusterScanConditionCreated condition.Cond = typescond.Created ClusterScanConditionRunCompleted condition.Cond = typescond.RunCompleted ClusterScanConditionCompleted condition.Cond = typescond.Completed ClusterScanConditionFailed condition.Cond = typescond.Failed + ClusterScanConditionAlerted condition.Cond = typescond.Alerted ClusterScanTypeCis = "cis" DefaultNamespaceForCis = "security-scan" 
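Review bot: The new exported type `ClusterScanRule` and both of its fields ship without doc comments, so the meaning of `FailuresOnly` — whether the alert fires only when a scan run has a non-zero failure count, or also when the run itself fails — is not recoverable from this hunk. I would add `// ClusterScanRule fires a cluster alert when a cluster scan of the given run type completes.` above the type, and on the field `// FailuresOnly suppresses the alert when the scan completes with no failed checks.` if that is the intended semantics — confirm against the controller that evaluates it. The `omitempty` on `scanRunType` together with `norman:"required,...,default=scheduled"` means a missing value is filled in rather than rejected, which is fine but worth stating in the comment.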
@@ -23,6 +27,14 @@ const ( RunCisScanAnnotation = "field.cattle.io/runCisScan" SonobuoyCompletionAnnotation = "field.cattle.io/sonobuoyDone" CisHelmChartOwner = "field.cattle.io/clusterScanOwner" + + ClusterScanRunTypeManual ClusterScanRunType = "manual" + ClusterScanRunTypeScheduled ClusterScanRunType = "scheduled" + + CisScanProfileTypePermissive CisScanProfileType = "permissive" + CisScanProfileTypeHardened CisScanProfileType = "hardened" + + DefaultScanOutputFileName string = "output.json" ) type CisScanConfig struct { @@ -30,12 +42,22 @@ type CisScanConfig struct { OverrideSkip []string `json:"overrideSkip"` // Override the CIS benchmark version to use for the scan (instead of latest) OverrideBenchmarkVersion string `json:"overrideBenchmarkVersion,omitempty"` + // scan profile to use + Profile CisScanProfileType `json:"profile,omitempty" norman:"required,options=permissive|hardened,default=permissive"` // Internal flag for debugging master component of the scan DebugMaster bool `json:"debugMaster"` // Internal flag for debugging worker component of the scan DebugWorker bool `json:"debugWorker"` } +type CisScanStatus struct { + Total int `json:"total"` + Pass int `json:"pass"` + Fail int `json:"fail"` + Skip int `json:"skip"` + NotApplicable int `json:"notApplicable"` +} + type ClusterScanConfig struct { CisScanConfig *CisScanConfig `json:"cisScanConfig"` } 
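Review bot: The new `Profile` field defaults to `permissive`, so every scan that does not set it explicitly runs the weaker profile; that is a security-relevant default and the single-word comment `// scan profile to use` does not say so. I would expand it to `// Profile selects the CIS profile; defaults to permissive, so hardened-only checks are skipped unless explicitly requested.` and add a doc comment on `CisScanStatus` stating that `Total`, `Pass`, `Fail`, `Skip` and `NotApplicable` are check counts for the run (presumably `Total` is the sum of the other four — confirm with the code that populates it). Neither `CisScanProfileType` nor `ClusterScanRunType` has a doc comment either, and both are exported.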
@@ -59,14 +81,15 @@ type ClusterScanSpec struct { ScanType string `json:"scanType"` // cluster ID ClusterID string `json:"clusterId,omitempty" norman:"required,type=reference[cluster]"` - // manual flag - Manual bool `yaml:"manual" json:"manual,omitempty"` + // Run type + RunType ClusterScanRunType `json:"runType,omitempty"` // scanConfig ScanConfig ClusterScanConfig `yaml:",omitempty" json:"scanConfig,omitempty"` } type ClusterScanStatus struct { - Conditions []ClusterScanCondition `json:"conditions"` + Conditions []ClusterScanCondition `json:"conditions"` + CisScanStatus *CisScanStatus `json:"cisScanStatus"` } type ClusterScan struct { @@ -80,7 +103,10 @@ type ClusterScan struct { } type CisBenchmarkVersionInfo struct { - MinKubernetesVersion string `yaml:"min_kubernetes_version" json:"minKubernetesVersion"` + Managed bool `yaml:"managed" json:"managed"` + MinKubernetesVersion string `yaml:"min_kubernetes_version" json:"minKubernetesVersion"` + SkippedChecks map[string]string `yaml:"skipped_checks" json:"skippedChecks"` + NotApplicableChecks map[string]string `yaml:"not_applicable_checks" json:"notApplicableChecks"` } type CisConfigParams struct { 
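Review bot: Replacing `Manual bool` with `RunType ClusterScanRunType` removes a serialized field from a stored object type, so existing `ClusterScan` objects carrying `manual: true` will deserialize with an empty `RunType` unless something migrates them; the hunk does not show a migration or a fallback, so I would either keep `Manual` marked `// Deprecated: use RunType.` for one release or document that an empty `RunType` is treated as scheduled. `RunType` also lacks the `norman:"options=manual|scheduled"` tag that the sibling `ClusterScanRule.ScanRunType` in alerting_types.go carries, so arbitrary strings are accepted here but not there; `RunType ClusterScanRunType `json:"runType,omitempty" norman:"options=manual|scheduled"`` would make the two consistent. `CisScanStatus *CisScanStatus `json:"cisScanStatus"`` has no `omitempty`, unlike `ScanConfig` just above it, so a scan without results serializes `null`.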
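Review bot: `SkippedChecks` and `NotApplicableChecks` are `map[string]string` with no comment saying what the key and value are, and for a benchmark definition the skipped set is exactly what shrinks coverage, so a reader needs to know it. I would add `// SkippedChecks maps a check ID to the reason it is not run for this benchmark version.` and the analogous comment on `NotApplicableChecks` — the key/value meaning is my reading of the names, confirm against the YAML these are loaded from. `Managed bool` also deserves a line saying what it controls.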
@@ -104,3 +130,22 @@ type CisBenchmarkVersion struct { Info CisBenchmarkVersionInfo `json:"info" yaml:"info"` } + +type ScheduledClusterScanConfig struct { + // Cron Expression for Schedule + CronSchedule string `yaml:"cron_schedule" json:"cronSchedule,omitempty"` + // Number of past scans to keep + Retention int `yaml:"retention" json:"retention,omitempty"` +} + +type ScheduledClusterScan struct { + // Enable or disable scheduled scans + Enabled bool `yaml:"enabled" json:"enabled,omitempty" norman:"default=false"` + ScheduleConfig *ScheduledClusterScanConfig `yaml:"schedule_config" json:"scheduleConfig,omitempty"` + ScanConfig *ClusterScanConfig `yaml:"scan_config,omitempty" json:"scanConfig,omitempty"` +} + +type ScheduledClusterScanStatus struct { + Enabled bool `yaml:"enabled" json:"enabled,omitempty"` + LastRunTimestamp string `yaml:"last_run_timestamp" json:"lastRunTimestamp"` +} diff --git a/apis/management.cattle.io/v3/cluster_types.go b/apis/management.cattle.io/v3/cluster_types.go index 17c1d599..5a66b083 100644 --- a/apis/management.cattle.io/v3/cluster_types.go +++ b/apis/management.cattle.io/v3/cluster_types.go @@ -103,6 +103,7 @@ type ClusterSpecBase struct { EnableClusterMonitoring bool `json:"enableClusterMonitoring" norman:"default=false"` WindowsPreferedCluster bool `json:"windowsPreferedCluster" norman:"noupdate"` LocalClusterAuthEndpoint LocalClusterAuthEndpoint `json:"localClusterAuthEndpoint,omitempty"` + ScheduledClusterScan *ScheduledClusterScan `json:"scheduledClusterScan,omitempty"` } type ClusterSpec struct { 
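Review bot: `CronSchedule` and `Retention` carry no `norman` validation, so an empty or malformed cron string and a zero or negative retention reach whatever controller consumes `ScheduledClusterScan`; the hunk does not show that consumer, so the bounds may be enforced there, but the API type is the natural place to state them. I would at least document the contract: `// CronSchedule is a standard 5-field cron expression; must be set when scheduled scans are enabled.` and `// Retention is the number of past scans kept; values below 1 are treated as the default — confirm in the controller.` Note that `json:"retention,omitempty"` drops an explicit `0`, so callers cannot distinguish "unset" from "keep none". `LastRunTimestamp` is a plain `string` while the file already imports `metav1`; `metav1.Time` would give parsing and comparison for free, unless the string form is required by the UI.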
@@ -131,27 +132,28 @@ type ClusterStatus struct { Conditions []ClusterCondition `json:"conditions,omitempty"` // Component statuses will represent cluster's components (etcd/controller/scheduler) health // https://kubernetes.io/docs/api-reference/v1.8/#componentstatus-v1-core - Driver string `json:"driver"` - AgentImage string `json:"agentImage"` - AgentFeatures map[string]bool `json:"agentFeatures,omitempty"` - AuthImage string `json:"authImage"` - ComponentStatuses []ClusterComponentStatus `json:"componentStatuses,omitempty"` - APIEndpoint string `json:"apiEndpoint,omitempty"` - ServiceAccountToken string `json:"serviceAccountToken,omitempty"` - CACert string `json:"caCert,omitempty"` - Capacity v1.ResourceList `json:"capacity,omitempty"` - Allocatable v1.ResourceList `json:"allocatable,omitempty"` - AppliedSpec ClusterSpec `json:"appliedSpec,omitempty"` - FailedSpec *ClusterSpec `json:"failedSpec,omitempty"` - Requested v1.ResourceList `json:"requested,omitempty"` - Limits v1.ResourceList `json:"limits,omitempty"` - Version *version.Info `json:"version,omitempty"` - AppliedPodSecurityPolicyTemplateName string `json:"appliedPodSecurityPolicyTemplateId"` - AppliedEnableNetworkPolicy bool `json:"appliedEnableNetworkPolicy" norman:"nocreate,noupdate,default=false"` - Capabilities Capabilities `json:"capabilities,omitempty"` - MonitoringStatus *MonitoringStatus `json:"monitoringStatus,omitempty" norman:"nocreate,noupdate"` - IstioEnabled bool `json:"istioEnabled,omitempty" norman:"nocreate,noupdate,default=false"` - CertificatesExpiration map[string]CertExpiration `json:"certificatesExpiration,omitempty"` + Driver string `json:"driver"` + AgentImage string `json:"agentImage"` + AgentFeatures map[string]bool `json:"agentFeatures,omitempty"` + AuthImage string `json:"authImage"` + ComponentStatuses []ClusterComponentStatus `json:"componentStatuses,omitempty"` + APIEndpoint string `json:"apiEndpoint,omitempty"` + ServiceAccountToken string 
`json:"serviceAccountToken,omitempty"` + CACert string `json:"caCert,omitempty"` + Capacity v1.ResourceList `json:"capacity,omitempty"` + Allocatable v1.ResourceList `json:"allocatable,omitempty"` + AppliedSpec ClusterSpec `json:"appliedSpec,omitempty"` + FailedSpec *ClusterSpec `json:"failedSpec,omitempty"` + Requested v1.ResourceList `json:"requested,omitempty"` + Limits v1.ResourceList `json:"limits,omitempty"` + Version *version.Info `json:"version,omitempty"` + AppliedPodSecurityPolicyTemplateName string `json:"appliedPodSecurityPolicyTemplateId"` + AppliedEnableNetworkPolicy bool `json:"appliedEnableNetworkPolicy" norman:"nocreate,noupdate,default=false"` + Capabilities Capabilities `json:"capabilities,omitempty"` + MonitoringStatus *MonitoringStatus `json:"monitoringStatus,omitempty" norman:"nocreate,noupdate"` + IstioEnabled bool `json:"istioEnabled,omitempty" norman:"nocreate,noupdate,default=false"` + CertificatesExpiration map[string]CertExpiration `json:"certificatesExpiration,omitempty"` + ScheduledClusterScanStatus *ScheduledClusterScanStatus `json:"scheduledClusterScanStatus,omitempty"` } type ClusterComponentStatus struct { diff --git a/condition/constants.go b/condition/constants.go index f0d94bd6..e5210e45 100644 --- a/condition/constants.go +++ b/condition/constants.go @@ -18,4 +18,9 @@ const ( // error type Failed cond.Cond = "Failed" + + // generic type + // these will not trigger any state change on the object + + Alerted cond.Cond = "Alerted" )
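Review bot: The new `ScheduledClusterScanStatus` field in `ClusterStatus` lacks the `norman:"nocreate,noupdate"` tag that the neighbouring status fields `MonitoringStatus` and `IstioEnabled` carry, so unless the whole status block is stripped elsewhere, a client with update rights on the cluster could write `scheduledClusterScanStatus` through the API. I would change it to `ScheduledClusterScanStatus *ScheduledClusterScanStatus `json:"scheduledClusterScanStatus,omitempty" norman:"nocreate,noupdate"`` to match the siblings. The struct itself continues outside the hunk, so I cannot see whether other fields were treated the same way.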