Add ScheduledScan CRD to automate and centrally handle regular scan execution in one place

Author: J12934

operator/PROJECT

@@ -14,4 +14,7 @@ resources:
 - group: execution
   kind: ParseDefinition
   version: v1
+- group: execution
+  kind: ScheduledScan
+  version: v1
 version: "2"

operator/apis/execution/v1/scheduledscan_types.go

@@ -0,0 +1,73 @@
+/*
+Copyright 2020 iteratec GmbH.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+// ScheduledScanSpec defines the desired state of ScheduledScan
+type ScheduledScanSpec struct {
+	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+
+	// Interval describes how often the scan should be repeated
+	// Examples: '12h', '7d', '30m' (only days, hours and minutes supported, specified as integers)
+	Interval metav1.Duration `json:"interval"`
+
+	// HistoryLimit determines how many past Scans will be kept until the oldest one will be delted, defaults to 3. When set to 0 Scans will be deleted directly after completion
+	HistoryLimit int64 `json:"historyLimit,omitempty"`
+
+	// Foo is an example field of ScheduledScan. Edit ScheduledScan_types.go to remove/update
+	ScanSpec *ScanSpec `json:"scanSpec"`
+}
+
+// ScheduledScanStatus defines the observed state of ScheduledScan
+type ScheduledScanStatus struct {
+	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+
+	LastScheduleTime *metav1.Time `json:"lastScheduleTime,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+
+// ScheduledScan is the Schema for the scheduledscans API
+type ScheduledScan struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   ScheduledScanSpec   `json:"spec,omitempty"`
+	Status ScheduledScanStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// ScheduledScanList contains a list of ScheduledScan
+type ScheduledScanList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ScheduledScan `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&ScheduledScan{}, &ScheduledScanList{})
+}

operator/apis/execution/v1/zz_generated.deepcopy.go

@@ -0,0 +1,79 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  name: scheduledscans.execution.experimental.securecodebox.io
+spec:
+  group: execution.experimental.securecodebox.io
+  names:
+    kind: ScheduledScan
+    plural: scheduledscans
+  scope: ""
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      description: ScheduledScan is the Schema for the scheduledscans API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: ScheduledScanSpec defines the desired state of ScheduledScan
+          properties:
+            historyLimit:
+              description: HistoryLimit determines how many past Scans will be kept
+                until the oldest one will be delted, defaults to 3. When set to 0
+                Scans will be deleted directly after completion
+              format: int64
+              type: integer
+            interval:
+              description: 'Interval describes how often the scan should be repeated
+                Examples: ''12h'', ''7d'', ''30m'' (only days, hours and minutes supported,
+                specified as integers)'
+              type: string
+            scanSpec:
+              description: Foo is an example field of ScheduledScan. Edit ScheduledScan_types.go
+                to remove/update
+              properties:
+                parameters:
+                  items:
+                    type: string
+                  type: array
+                scanType:
+                  type: string
+              type: object
+          required:
+          - interval
+          - scanSpec
+          type: object
+        status:
+          description: ScheduledScanStatus defines the observed state of ScheduledScan
+          properties:
+            lastScheduleTime:
+              format: date-time
+              type: string
+          type: object
+      type: object
+  version: v1
+  versions:
+  - name: v1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

operator/config/crd/bases/execution.experimental.securecodebox.io_scheduledscans.yaml

@@ -6,6 +6,7 @@ resources:
 - bases/execution.experimental.securecodebox.io_scantypes.yaml
 - bases/execution.experimental.securecodebox.io_persistenceproviders.yaml
 - bases/execution.experimental.securecodebox.io_parsedefinitions.yaml
+- bases/execution.experimental.securecodebox.io_scheduledscans.yaml
 # +kubebuilder:scaffold:crdkustomizeresource
 
 patchesStrategicMerge:
@@ -15,6 +16,7 @@ patchesStrategicMerge:
 #- patches/webhook_in_scantypes.yaml
 #- patches/webhook_in_persistenceproviders.yaml
 #- patches/webhook_in_parsedefinitions.yaml
+#- patches/webhook_in_scheduledscans.yaml
 # +kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
@@ -23,6 +25,7 @@ patchesStrategicMerge:
 #- patches/cainjection_in_scantypes.yaml
 #- patches/cainjection_in_persistenceproviders.yaml
 #- patches/cainjection_in_parsedefinitions.yaml
+#- patches/cainjection_in_scheduledscans.yaml
 # +kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.

operator/config/crd/kustomization.yaml

@@ -0,0 +1,8 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: scheduledscans.execution.experimental.securecodebox.io

operator/config/crd/patches/cainjection_in_scheduledscans.yaml

@@ -0,0 +1,17 @@
+# The following patch enables conversion webhook for CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: scheduledscans.execution.experimental.securecodebox.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhookClientConfig:
+      # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
+      # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
+      caBundle: Cg==
+      service:
+        namespace: system
+        name: webhook-service
+        path: /convert

operator/config/crd/patches/webhook_in_scheduledscans.yaml

@@ -71,6 +71,26 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - execution.experimental.securecodebox.io
+  resources:
+  - scheduledscans
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - execution.experimental.securecodebox.io
+  resources:
+  - scheduledscans/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:

operator/config/rbac/role.yaml

@@ -0,0 +1,24 @@
+# permissions for end users to edit scheduledscans.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: scheduledscan-editor-role
+rules:
+- apiGroups:
+  - execution.experimental.securecodebox.io
+  resources:
+  - scheduledscans
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - execution.experimental.securecodebox.io
+  resources:
+  - scheduledscans/status
+  verbs:
+  - get

operator/config/rbac/scheduledscan_editor_role.yaml

@@ -0,0 +1,20 @@
+# permissions for end users to view scheduledscans.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: scheduledscan-viewer-role
+rules:
+- apiGroups:
+  - execution.experimental.securecodebox.io
+  resources:
+  - scheduledscans
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - execution.experimental.securecodebox.io
+  resources:
+  - scheduledscans/status
+  verbs:
+  - get