Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions .cargo/audit.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
# cargo-audit configuration
# https://rustsec.org/

[advisories]
# Advisories to ignore (with justification)
ignore = [
# RUSTSEC-2026-0097: rand unsound with custom logger using rand::rng()
# This is a transitive dependency from warp/tungstenite/kube-client.
# We do not use rand::rng() with a custom logger in our codebase.
# The vulnerability only affects code that:
# 1. Uses a custom global logger (not tracing-subscriber)
# 2. Calls rand::rng() from within that logger
# Neither condition applies to 5-spot.
"RUSTSEC-2026-0097",
]
2 changes: 1 addition & 1 deletion .claude/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -462,7 +462,7 @@ Establish baseline CI/CD pipeline for the 5-spot operator using the same firesto
- `src/crd.rs`: Removed `namespace` field from `EmbeddedResource` — bootstrap and infrastructure resources are now always created in the ScheduledMachine's own namespace, preventing cross-namespace attacks
- `src/crd.rs`: Added `timezone_schema()` with `maxLength: 64` and character-class pattern constraint to block log injection via the timezone field
- `src/reconcilers/helpers.rs`: Fixed integer overflow in `parse_duration()` — now uses `checked_mul` and rejects durations exceeding 24 hours (`MAX_DURATION_SECS`)
- `src/reconcilers/helpers.rs`: Added `validate_labels()` — rejects label/annotation keys using reserved prefixes (`kubernetes.io/`, `k8s.io/`, `cluster.x-k8s.io/`, `5spot.io/`) before merging into CAPI Machine resources
- `src/reconcilers/helpers.rs`: Added `validate_labels()` — rejects label/annotation keys using reserved prefixes (`kubernetes.io/`, `k8s.io/`, `cluster.x-k8s.io/`, `5spot.finos.org/`) before merging into CAPI Machine resources
- `src/reconcilers/helpers.rs`: Added `validate_api_group()` — enforces an allowlist of permitted API groups for bootstrap and infrastructure embedded resources; blocks core Kubernetes APIs (`v1`, `rbac.authorization.k8s.io/v1`, etc.)
- `src/reconcilers/helpers.rs`: Wrapped `remove_machine_from_cluster` in `tokio::time::timeout` inside `handle_deletion` — finalizer cleanup now has a hard 10-minute deadline, preventing indefinite namespace deletion blocks
- `src/reconcilers/scheduled_machine.rs`: Added `ValidationError` and `TimeoutError` variants to `ReconcilerError`
Expand Down
8 changes: 4 additions & 4 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -107,7 +107,7 @@ Having `version` in MachineSpec created a conceptual mismatch with CAPI architec
- `CAPI_MACHINE_API_VERSION_FULL`: "cluster.x-k8s.io/v1beta1"
- `CAPI_CLUSTER_NAME_LABEL`: "cluster.x-k8s.io/cluster-name"
- `CAPI_RESOURCE_MACHINES`: "machines"
- `API_VERSION_FULL`: "capi.5spot.io/v1alpha1"
- `API_VERSION_FULL`: "5spot.finos.org/v1alpha1"

- `src/main.rs`: Implemented actual Prometheus metrics
- **Replaced** stub metrics endpoint with proper `prometheus::gather()` integration
Expand Down Expand Up @@ -204,7 +204,7 @@ where the cluster name is used by bootstrap and infrastructure providers.

### Changed
- `src/crd.rs`: **BREAKING** - Converted from k0smotron to CAPI (Cluster API) based architecture
- Changed API group from `5spot.eribourg.dev` to `capi.5spot.io`
- Changed API group from `5spot.eribourg.dev` to `5spot.finos.org`
- Added `bootstrap_ref` and `infrastructure_ref` for CAPI Machine creation
- Made `files` field non-optional in `MachineSpec`
- Renamed `FileContentFrom` types to `ContentSource` and `KeySelector` for consistency
Expand All @@ -214,7 +214,7 @@ where the cluster name is used by bootstrap and infrastructure providers.
- Changed `machine_ref` to use `ObjectReference` instead of custom `MachineRef` type

- `src/constants.rs`: Updated all constants for CAPI architecture
- Changed API group constants to `capi.5spot.io`
- Changed API group constants to `5spot.finos.org`
- Updated finalizer name to use new API group
- Added CAPI Machine phase constants (Pending, Active, ShuttingDown, Inactive, Disabled, Terminated, Error)
- Added CAPI API version constants (`cluster.x-k8s.io/v1beta1`)
Expand Down Expand Up @@ -256,7 +256,7 @@ Complete architectural shift from k0smotron-specific machine management to stand
2. **Delete old CRD**: `kubectl delete crd scheduledmachines.5spot.eribourg.dev`
3. **Deploy new CRD**: `kubectl apply -f deploy/crds/scheduledmachine.yaml`
4. **Update all ScheduledMachine manifests** to new schema:
- Change `apiVersion` from `5spot.eribourg.dev/v1alpha1` to `capi.5spot.io/v1alpha1`
- Change `apiVersion` from `5spot.eribourg.dev/v1alpha1` to `5spot.finos.org/v1alpha1`
- Add `bootstrapRef` and `infrastructureRef` fields
- Update `files` structure (now required, not optional)
- Ensure all file paths are absolute and start with `/`
Expand Down
69 changes: 37 additions & 32 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 3 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
[![FINOS - Incubating](https://cdn.jsdelivr.net/gh/finos/contrib-toolbox@master/images/badge-incubating.svg)](https://community.finos.org/docs/governance/Software-Projects/stages/incubating)

# 5-Spot Machine Scheduler
# <img src="docs/src/images/5-spot-icon.svg" alt="5-Spot Logo" width="60" style="vertical-align: middle; margin-right: 5px;" /> 5-Spot Machine Scheduler

A cloud-native Kubernetes controller for managing time-based machine scheduling on physical nodes using Cluster API (CAPI).

Expand Down Expand Up @@ -81,7 +81,7 @@ kubectl apply -f examples/scheduledmachine-basic.yaml
## Example

```yaml
apiVersion: capi.5spot.io/v1alpha1
apiVersion: 5spot.finos.org/v1alpha1
kind: ScheduledMachine
metadata:
name: business-hours-machine
Expand Down Expand Up @@ -334,7 +334,7 @@ make security-scan-local
This creates a `.git/hooks/pre-commit` hook that scans staged changes before each commit.

3. **Configure allowlists** (for false positives):

Edit `.gitleaks.toml` to add exceptions:
```toml
[allowlist]
Expand Down
7 changes: 3 additions & 4 deletions deploy/admission/validatingadmissionpolicy.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,6 @@
# Apply with:
# kubectl apply -f deploy/admission/validatingadmissionpolicy.yaml
# kubectl apply -f deploy/admission/validatingadmissionpolicybinding.yaml
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
Expand All @@ -28,10 +27,10 @@ spec:

matchConstraints:
resourceRules:
- apiGroups: ["capi.5spot.io"]
- apiGroups: ["5spot.finos.org"]
apiVersions: ["v1alpha1"]
resources: ["scheduledmachines"]
operations: ["CREATE", "UPDATE"]
resources: ["scheduledmachines"]
operations: ["CREATE", "UPDATE"]

validations:

Expand Down
1 change: 0 additions & 1 deletion deploy/admission/validatingadmissionpolicybinding.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@
# Apply after the ValidatingAdmissionPolicy:
# kubectl apply -f deploy/admission/validatingadmissionpolicy.yaml
# kubectl apply -f deploy/admission/validatingadmissionpolicybinding.yaml
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
Expand Down
Loading
Loading