--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: clustercompliancereports.aquasecurity.github.io labels: app.kubernetes.io/managed-by: trivy-operator app.kubernetes.io/version: "0.0.1" spec: group: aquasecurity.github.io scope: Cluster versions: - name: v1alpha1 served: true storage: true additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp type: date name: Age description: The age of the report - jsonPath: .status.summary.failCount type: integer name: Fail priority: 1 description: The number of checks that failed with Danger status - jsonPath: .status.summary.passCount type: integer name: Pass priority: 1 description: The number of checks that passed schema: openAPIV3Schema: type: object required: - apiVersion - kind - metadata - spec properties: apiVersion: type: string kind: type: string metadata: type: object spec: type: object required: - name - description - version - cron - controls properties: name: type: string description: type: string version: type: string cron: type: string pattern: '^(((([\*]{1}){1})|((\*\/){0,1}(([0-9]{1}){1}|(([1-5]{1}){1}([0-9]{1}){1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([0-9]{1}){1}|(([1]{1}){1}([0-9]{1}){1}){1}|([2]{1}){1}([0-3]{1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))|(jan|feb|mar|apr|may|jun|jul|aug|sep|okt|nov|dec)) ((([\*]{1}){1})|((\*\/){0,1}(([0-7]{1}){1}))|(sun|mon|tue|wed|thu|fri|sat)))$' description: 'cron define the intervals for report generation' controls: type: array items: type: object required: - name - id - kinds - mapping - severity properties: name: type: string description: type: string id: type: string description: 'id define the control check id' kinds: type: array items: type: string description: 'kinds define the list of kinds control check apply on , example: Node,Workload ' mapping: type: object required: - scanner - checks properties: scanner: type: string pattern: '^config-audit$|^kube-bench$' description: 'scanner define the name of the scanner which produce data, currently only config-audit and kube-bench are supported' checks: type: array items: type: object required: - id properties: id: type: string description: 'id define the check id as produced by scanner' severity: type: string description: 'define the severity of the control' enum: - CRITICAL - HIGH - MEDIUM - LOW - UNKNOWN defaultStatus: type: string description: 'define the default value for check status in case resource not found' enum: - PASS - WARN - FAIL status: x-kubernetes-preserve-unknown-fields: true type: object subresources: # status enables the status subresource. status: { } names: singular: clustercompliancereport plural: clustercompliancereports kind: ClusterComplianceReport listKind: ClusterComplianceReportList categories: [ ] shortNames: - compliance