feat: add runtime image cache content #2852

Open
MaxRink wants to merge 1 commit into mondoohq:main from MaxRink:codex/runtime-cache-content-plan

@MaxRink MaxRink commented Jun 16, 2026

Summary

  • add runtime-cache inventory queries to the Kubernetes inventory querypack
  • add a preview Mondoo Kubernetes Runtime Image Cache policy for runtime delegate readiness, no-pull/read-only behavior, pod image matching, completed scan status, and immutable image identity
  • add focused bundle compile coverage for the new policy and querypack entries
  • update the runtime-cache content implementation plan

Review fixes

  • rewrite check audits to use kubectl-native verification steps
  • convert Kubernetes remediations to kubectl, manifest, and helm entries per content authoring guidance
  • align runtime-cache remediation examples with the current containerd-only operator/MQL implementation
  • add a dedicated control for matched running pod images whose runtime-cache scan status is not scanned
  • remove the local personal-fork MQL replace and restore official module checksums
  • scope the delegates-no-pull query to schedulable nodes, matching delegates-ready
  • convert Why this matters sections to the expected bullet style
  • update the generated network provider schema fixture to cnquery/v13
  • collapse duplicated schema fixture path helpers in bundle tests
  • remove the explicit os provider requirement after confirming bundle compilation succeeds with the k8s schema dependency

Dependency

This content depends on the runtime-cache MQL provider schema from mondoohq/mql#8452.

Validation

  • git diff --check
  • go test ./content -run TestRuntimeImageCacheContent
  • go test ./content

@MaxRink MaxRink changed the title from "docs: plan runtime cache image content" to "feat: add runtime image cache content" Jun 16, 2026
@MaxRink MaxRink marked this pull request as ready for review June 19, 2026 08:15
@MaxRink MaxRink force-pushed the codex/runtime-cache-content-plan branch from d06bfc5 to b27a6b1 Compare June 19, 2026 08:39

@mondoo-code-review mondoo-code-review Bot left a comment

New Kubernetes runtime image cache policy adds security checks for node-local image scanning coverage.

Comment thread content/mondoo-kubernetes-runtime-image-cache.mql.yaml
Comment thread content/mondoo-kubernetes-runtime-image-cache.mql.yaml
Comment thread content/testdata/schema/providers/network/resources/network.lr Outdated
@MaxRink MaxRink force-pushed the codex/runtime-cache-content-plan branch from b27a6b1 to f132401 Compare June 19, 2026 09:43

@mondoo-code-review mondoo-code-review Bot left a comment

New Kubernetes runtime image cache policy adds security checks for node-local image scanning coverage.

Comment thread content/bundles_test.go
Comment thread content/mondoo-kubernetes-runtime-image-cache.mql.yaml
@MaxRink MaxRink force-pushed the codex/runtime-cache-content-plan branch from f132401 to 642712a Compare June 19, 2026 10:04

@mondoo-code-review mondoo-code-review Bot left a comment

New Kubernetes runtime image cache policy adds five security checks for node-local image scanning coverage.

@MaxRink MaxRink force-pushed the codex/runtime-cache-content-plan branch from 642712a to 50f8569 Compare June 25, 2026 00:25