---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: clustercompliancereports.aquasecurity.github.io
  labels:
    app.kubernetes.io/managed-by: starboard
    app.kubernetes.io/version: "0.15.3"
spec:
  group: aquasecurity.github.io
  scope: Cluster
  versions:
    - name: v1alpha1
      served: true
      storage: true
      additionalPrinterColumns:
        - jsonPath: .metadata.creationTimestamp
          type: date
          name: Age
          description: The age of the report
        - jsonPath: .status.summary.failCount
          type: integer
          name: Fail
          priority: 1
          description: The number of checks that failed with Danger status
        - jsonPath: .status.summary.passCount
          type: integer
          name: Pass
          priority: 1
          description: The number of checks that passed
      schema:
        openAPIV3Schema:
          type: object
          required:
            - apiVersion
            - kind
            - metadata
            - spec
          properties:
            apiVersion:
              type: string
            kind:
              type: string
            metadata:
              type: object
            spec:
              type: object
              required:
                - name
                - description
                - version
                - cron
                - controls
              properties:
                name:
                  type: string
                description:
                  type: string
                version:
                  type: string
                cron:
                  type: string
                  pattern: '^(((([\*]{1}){1})|((\*\/){0,1}(([0-9]{1}){1}|(([1-5]{1}){1}([0-9]{1}){1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([0-9]{1}){1}|(([1]{1}){1}([0-9]{1}){1}){1}|([2]{1}){1}([0-3]{1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))|(jan|feb|mar|apr|may|jun|jul|aug|sep|okt|nov|dec)) ((([\*]{1}){1})|((\*\/){0,1}(([0-7]{1}){1}))|(sun|mon|tue|wed|thu|fri|sat)))$'
                  description: 'cron define the intervals for report generation'
                controls:
                  type: array
                  items:
                    type: object
                    required:
                      - name
                      - id
                      - kinds
                      - mapping
                      - severity
                    properties:
                      name:
                        type: string
                      description:
                        type: string
                      id:
                        type: string
                        description: 'id define the control check id'
                      kinds:
                        type: array
                        items:
                          type: string
                          description: 'kinds define the list of kinds control check apply on , example: Node,Workload '
                      mapping:
                        type: object
                        required:
                          - scanner
                          - checks
                        properties:
                          scanner:
                            type: string
                            pattern: '^config-audit$|^kube-bench$'
                            description: 'scanner define the name of the scanner which produce data, currently only config-audit and kube-bench are supported'
                          checks:
                            type: array
                            items:
                              type: object
                              required:
                                - id
                              properties:
                                id:
                                  type: string
                                  description: 'id define the check id as produced by scanner'
                      severity:
                        type: string
                        description: 'define the severity of the control'
                        enum:
                          - CRITICAL
                          - HIGH
                          - MEDIUM
                          - LOW
                          - UNKNOWN
                      defaultStatus:
                        type: string
                        description: 'define the default value for check status in case resource not found'
                        enum:
                          - PASS
                          - WARN
                          - FAIL
            status:
              x-kubernetes-preserve-unknown-fields: true
              type: object
      subresources:
        # status enables the status subresource.
        status: { }
  names:
    singular: clustercompliancereport
    plural: clustercompliancereports
    kind: ClusterComplianceReport
    listKind: ClusterComplianceReportList
    categories: [ ]
    shortNames:
      - compliance