---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clustercompliancereports.aquasecurity.github.io
labels:
app.kubernetes.io/managed-by: starboard
app.kubernetes.io/version: "0.15.3"
spec:
group: aquasecurity.github.io
scope: Cluster
versions:
- name: v1alpha1
served: true
storage: true
additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
type: date
name: Age
description: The age of the report
- jsonPath: .status.summary.failCount
type: integer
name: Fail
priority: 1
description: The number of checks that failed with Danger status
- jsonPath: .status.summary.passCount
type: integer
name: Pass
priority: 1
description: The number of checks that passed
schema:
openAPIV3Schema:
type: object
required:
- apiVersion
- kind
- metadata
- spec
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
type: object
required:
- name
- description
- version
- cron
- controls
properties:
name:
type: string
description:
type: string
version:
type: string
cron:
type: string
pattern: '^(((([\*]{1}){1})|((\*\/){0,1}(([0-9]{1}){1}|(([1-5]{1}){1}([0-9]{1}){1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([0-9]{1}){1}|(([1]{1}){1}([0-9]{1}){1}){1}|([2]{1}){1}([0-3]{1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))|(jan|feb|mar|apr|may|jun|jul|aug|sep|okt|nov|dec)) ((([\*]{1}){1})|((\*\/){0,1}(([0-7]{1}){1}))|(sun|mon|tue|wed|thu|fri|sat)))$'
description: 'cron define the intervals for report generation'
controls:
type: array
items:
type: object
required:
- name
- id
- kinds
- mapping
- severity
properties:
name:
type: string
description:
type: string
id:
type: string
description: 'id define the control check id'
kinds:
type: array
items:
type: string
description: 'kinds define the list of kinds control check apply on , example: Node,Workload '
mapping:
type: object
required:
- scanner
- checks
properties:
scanner:
type: string
pattern: '^config-audit$|^kube-bench$'
description: 'scanner define the name of the scanner which produce data, currently only config-audit and kube-bench are supported'
checks:
type: array
items:
type: object
required:
- id
properties:
id:
type: string
description: 'id define the check id as produced by scanner'
severity:
type: string
description: 'define the severity of the control'
enum:
- CRITICAL
- HIGH
- MEDIUM
- LOW
- UNKNOWN
defaultStatus:
type: string
description: 'define the default value for check status in case resource not found'
enum:
- PASS
- WARN
- FAIL
status:
x-kubernetes-preserve-unknown-fields: true
type: object
subresources:
# status enables the status subresource.
status: { }
names:
singular: clustercompliancereport
plural: clustercompliancereports
kind: ClusterComplianceReport
listKind: ClusterComplianceReportList
categories: [ ]
shortNames:
- compliance