✨ add garbage collection for stale node scan assets (#1435)

* 🐛 fix(bump) cnspec version

* 🧹bump mql version v13.1.1

* ✨ add garbage collection for stale node scan assets

fix: update MondooClientBuilder reference and clarify garbage collection comment
refactor: streamline garbage collection logic for nodes and K8s resources
refactor: simplify garbage collection logic by removing cluster UID dependency
fix: platform runtime for nodes

* ✨ refactor: use ManagedByLabel for consistency in asset management

* fix: replace gopkg.in/yaml.v2 with sigs.k8s.io/yaml to fix ManagedBy propagation

The ManagedBy field on the protobuf Asset struct has only a JSON tag
(json:"managed_by,omitempty") but no yaml tag. gopkg.in/yaml.v2
serializes it as "managedby" (lowercase field name fallback), while
cnspec reads inventories with sigs.k8s.io/yaml which expects
"managed_by" (from JSON tags). This caused ManagedBy to be silently
lost during serialization for k8s resource and container image scans.

Node scans already used sigs.k8s.io/yaml, which is why they were
unaffected. This also removes the gopkg.in/yaml.v2 dependency entirely.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: slntopp

api/v1alpha2/mondooauditconfig_types.go

@@ -483,6 +483,11 @@ type MondooAuditConfigStatus struct {
 	// garbage collection of stale K8s resource scan assets.
 	// +optional
 	LastK8sResourceGarbageCollectionTime *metav1.Time `json:"lastK8sResourceGarbageCollectionTime,omitempty"`
+
+	// LastNodeScanGarbageCollectionTime tracks the last time the operator performed
+	// garbage collection of stale node scan assets.
+	// +optional
+	LastNodeScanGarbageCollectionTime *metav1.Time `json:"lastNodeScanGarbageCollectionTime,omitempty"`
 }
 
 type MondooAuditConfigCondition struct {

api/v1alpha2/zz_generated.deepcopy.go

@@ -1366,6 +1366,12 @@ spec:
                   garbage collection of stale K8s resource scan assets.
                 format: date-time
                 type: string
+              lastNodeScanGarbageCollectionTime:
+                description: |-
+                  LastNodeScanGarbageCollectionTime tracks the last time the operator performed
+                  garbage collection of stale node scan assets.
+                format: date-time
+                type: string
               pods:
                 description: Pods store the name of the pods which are running mondoo
                   instances

charts/mondoo-operator/crds/k8s.mondoo.com_mondooauditconfigs.yaml

@@ -1366,6 +1366,12 @@ spec:
                   garbage collection of stale K8s resource scan assets.
                 format: date-time
                 type: string
+              lastNodeScanGarbageCollectionTime:
+                description: |-
+                  LastNodeScanGarbageCollectionTime tracks the last time the operator performed
+                  garbage collection of stale node scan assets.
+                format: date-time
+                type: string
               pods:
                 description: Pods store the name of the pods which are running mondoo
                   instances

charts/mondoo-operator/files/crds/k8s.mondoo.com_mondooauditconfigs.yaml

@@ -8,7 +8,6 @@ import (
 	"errors"
 	"fmt"
 	"os"
-	"strings"
 	"time"
 
 	"github.com/go-logr/logr"
@@ -31,7 +30,6 @@ func init() {
 	filterPlatformRuntime := Cmd.Flags().String("filter-platform-runtime", "", "Cleanup assets by an asset's PlatformRuntime (k8s-cluster or docker-image).")
 	filterManagedBy := Cmd.Flags().String("filter-managed-by", "", "Cleanup assets with matching ManagedBy field.")
 	filterOlderThan := Cmd.Flags().String("filter-older-than", "", "Cleanup assets which have not been updated in over the time provided (eg 12m or 48h or anything time.ParseDuration() accepts).")
-	labelsInput := Cmd.Flags().StringSlice("labels", []string{}, "Cleanup assets with matching labels (eg --labels key1=value1,key2=value2).")
 	Cmd.RunE = func(cmd *cobra.Command, args []string) error {
 		log.SetLogger(logger.NewLogger())
 		logger := log.Log.WithName("garbage-collect")
@@ -43,15 +41,6 @@ func init() {
 			return fmt.Errorf("--timeout must be greater than 0")
 		}
 
-		labels := make(map[string]string)
-		for _, l := range *labelsInput {
-			split := strings.Split(l, "=")
-			if len(split) != 2 {
-				return fmt.Errorf("invalid label provided %s. Labels should be in the form of key=value", l)
-			}
-			labels[split[0]] = split[1]
-		}
-
 		// Read the service account credentials from the config file
 		configData, err := os.ReadFile(*configPath)
 		if err != nil {
@@ -88,14 +77,18 @@ func init() {
 			return fmt.Errorf("no filters provided to garbage collect by")
 		}
 
-		return GarbageCollectCmd(ctx, client, *filterPlatformRuntime, *filterOlderThan, *filterManagedBy, labels, logger)
+		spaceMrn := serviceAccount.SpaceMrn
+		if spaceMrn == "" {
+			spaceMrn = mondoo.SpaceMrnFromServiceAccountMrn(serviceAccount.Mrn)
+		}
+		return GarbageCollectCmd(ctx, client, spaceMrn, *filterPlatformRuntime, *filterOlderThan, *filterManagedBy, logger)
 	}
 }
 
-func GarbageCollectCmd(ctx context.Context, client mondooclient.MondooClient, platformRuntime, olderThan, managedBy string, labels map[string]string, logger logr.Logger) error {
-	gcOpts := &mondooclient.GarbageCollectOptions{
+func GarbageCollectCmd(ctx context.Context, client mondooclient.MondooClient, spaceMrn, platformRuntime, olderThan, managedBy string, logger logr.Logger) error {
+	req := &mondooclient.DeleteAssetsRequest{
+		SpaceMrn:  spaceMrn,
 		ManagedBy: managedBy,
-		Labels:    labels,
 	}
 
 	if olderThan != "" {
@@ -105,19 +98,23 @@ func GarbageCollectCmd(ctx context.Context, client mondooclient.MondooClient, pl
 			return err
 		}
 
-		gcOpts.OlderThan = timestamp
+		req.DateFilter = &mondooclient.DateFilter{
+			Timestamp:  timestamp,
+			Comparison: mondooclient.Comparison_LESS_THAN,
+			Field:      mondooclient.DateFilterField_FILTER_LAST_UPDATED,
+		}
 	}
 
 	if platformRuntime != "" {
 		switch platformRuntime {
 		case "k8s-cluster", "docker-image":
-			gcOpts.PlatformRuntime = platformRuntime
+			req.PlatformRuntime = platformRuntime
 		default:
 			return fmt.Errorf("no matching platform runtime found for (%s)", platformRuntime)
 		}
 	}
 
-	err := client.GarbageCollectAssets(ctx, gcOpts)
+	resp, err := client.DeleteAssets(ctx, req)
 	if err != nil {
 		if errors.Is(err, context.DeadlineExceeded) {
 			logger.Error(err, "failed to receive a response before timeout was exceeded")
@@ -127,6 +124,13 @@ func GarbageCollectCmd(ctx context.Context, client mondooclient.MondooClient, pl
 		return err
 	}
 
+	if len(resp.AssetMrns) > 0 {
+		logger.Info("Deleted assets", "count", len(resp.AssetMrns))
+	}
+	if len(resp.Errors) > 0 {
+		logger.Info("DeleteAssets completed with errors", "errors", resp.Errors)
+	}
+
 	return nil
 }
 

cmd/mondoo-operator/garbage_collect/cmd.go

@@ -1366,6 +1366,12 @@ spec:
                   garbage collection of stale K8s resource scan assets.
                 format: date-time
                 type: string
+              lastNodeScanGarbageCollectionTime:
+                description: |-
+                  LastNodeScanGarbageCollectionTime tracks the last time the operator performed
+                  garbage collection of stale node scan assets.
+                format: date-time
+                type: string
               pods:
                 description: Pods store the name of the pods which are running mondoo
                   instances

config/crd/bases/k8s.mondoo.com_mondooauditconfigs.yaml

@@ -13,12 +13,13 @@ import (
 	"go.mondoo.com/mondoo-operator/pkg/constants"
 	"go.mondoo.com/mondoo-operator/pkg/feature_flags"
 	"go.mondoo.com/mondoo-operator/pkg/utils/k8s"
+	mondoo "go.mondoo.com/mondoo-operator/pkg/utils/mondoo"
 	"go.mondoo.com/mql/v13/providers-sdk/v1/inventory"
-	"gopkg.in/yaml.v2"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
+	"sigs.k8s.io/yaml"
 )
 
 const (
@@ -233,7 +234,7 @@ func Inventory(integrationMRN, clusterUID string, m v1alpha2.MondooAuditConfig,
 					Labels: map[string]string{
 						"k8s.mondoo.com/kind": "node",
 					},
-					ManagedBy: "mondoo-operator-" + clusterUID,
+					ManagedBy: mondoo.ManagedByLabel(clusterUID),
 				},
 			},
 		},

controllers/container_image/resources.go

@@ -9,10 +9,10 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"gopkg.in/yaml.v2"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
+	"sigs.k8s.io/yaml"
 
 	"go.mondoo.com/mondoo-operator/api/v1alpha2"
 	"go.mondoo.com/mql/v13/providers-sdk/v1/inventory"

controllers/container_image/resources_test.go

@@ -20,7 +20,6 @@ import (
 
 	"go.mondoo.com/mondoo-operator/api/v1alpha2"
 	"go.mondoo.com/mondoo-operator/pkg/client/mondooclient"
-	"go.mondoo.com/mondoo-operator/pkg/constants"
 	"go.mondoo.com/mondoo-operator/pkg/utils/k8s"
 	"go.mondoo.com/mondoo-operator/pkg/utils/mondoo"
 )
@@ -599,8 +598,7 @@ func (n *DeploymentHandler) garbageCollectIfNeeded(ctx context.Context, clusterU
 		return
 	}
 
-	managedBy := "mondoo-operator-" + clusterUid
-	if err := n.performGarbageCollection(ctx, managedBy); err != nil {
+	if err := n.performGarbageCollection(ctx, mondoo.ManagedByLabel(clusterUid)); err != nil {
 		logger.Error(err, "Failed to perform garbage collection of K8s resource scan assets")
 	}
 
@@ -610,61 +608,20 @@ func (n *DeploymentHandler) garbageCollectIfNeeded(ctx context.Context, clusterU
 	n.Mondoo.Status.LastK8sResourceGarbageCollectionTime = &now
 }
 
-// performGarbageCollection calls the Mondoo API to garbage collect stale K8s resource scan assets.
+// performGarbageCollection calls the Mondoo API to delete stale K8s resource scan assets.
 func (n *DeploymentHandler) performGarbageCollection(ctx context.Context, managedBy string) error {
-	if n.MondooClientBuilder == nil {
-		logger.Info("MondooClientBuilder not configured, skipping garbage collection")
-		return nil
-	}
-
-	// Read service account credentials from the creds secret
-	credsSecret := &corev1.Secret{}
-	credsSecretKey := client.ObjectKey{
-		Namespace: n.Mondoo.Namespace,
-		Name:      n.Mondoo.Spec.MondooCredsSecretRef.Name,
-	}
-	if err := n.KubeClient.Get(ctx, credsSecretKey, credsSecret); err != nil {
-		return fmt.Errorf("failed to get credentials secret: %w", err)
-	}
-
-	saData, ok := credsSecret.Data[constants.MondooCredsSecretServiceAccountKey]
-	if !ok {
-		return fmt.Errorf("credentials secret missing key %q", constants.MondooCredsSecretServiceAccountKey)
-	}
-
-	sa, err := mondoo.LoadServiceAccountFromFile(saData)
-	if err != nil {
-		return fmt.Errorf("failed to load service account: %w", err)
-	}
-
-	token, err := mondoo.GenerateTokenFromServiceAccount(*sa, logger)
-	if err != nil {
-		return fmt.Errorf("failed to generate token: %w", err)
-	}
-
-	opts := mondooclient.MondooClientOptions{
-		ApiEndpoint: sa.ApiEndpoint,
-		Token:       token,
-	}
-	if n.MondooOperatorConfig != nil {
-		opts.HttpProxy = n.MondooOperatorConfig.Spec.HttpProxy
-		opts.HttpsProxy = n.MondooOperatorConfig.Spec.HttpsProxy
-		opts.NoProxy = n.MondooOperatorConfig.Spec.NoProxy
-	}
-
-	mondooClient, err := n.MondooClientBuilder(opts)
-	if err != nil {
-		return fmt.Errorf("failed to create mondoo client: %w", err)
-	}
-
-	gcOpts := &mondooclient.GarbageCollectOptions{
+	req := &mondooclient.DeleteAssetsRequest{
 		ManagedBy:       managedBy,
 		PlatformRuntime: "k8s-cluster",
-		OlderThan:       time.Now().Add(-2 * time.Hour).Format(time.RFC3339),
+		DateFilter: &mondooclient.DateFilter{
+			Timestamp:  time.Now().Add(-mondoo.GCOlderThan()).Format(time.RFC3339),
+			Comparison: mondooclient.Comparison_LESS_THAN,
+			Field:      mondooclient.DateFilterField_FILTER_LAST_UPDATED,
+		},
 	}
 
-	if err := mondooClient.GarbageCollectAssets(ctx, gcOpts); err != nil {
-		return fmt.Errorf("garbage collection API call failed: %w", err)
+	if err := mondoo.DeleteStaleAssets(ctx, n.KubeClient, n.Mondoo, n.MondooOperatorConfig, n.MondooClientBuilder, req, logger); err != nil {
+		return err
 	}
 
 	logger.Info("Successfully performed garbage collection of K8s resource scan assets")

controllers/k8s_scan/deployment_handler.go

@@ -1528,11 +1528,14 @@ func TestExternalClusterNaming(t *testing.T) {
 
 func (s *DeploymentHandlerSuite) TestGarbageCollection_RunsAfterSuccessfulScan() {
 	gcCalled := false
-	d := s.createDeploymentHandlerWithGCMock(func(ctx context.Context, opts *mondooclient.GarbageCollectOptions) error {
+	d := s.createDeploymentHandlerWithGCMock(func(ctx context.Context, req *mondooclient.DeleteAssetsRequest) error {
 		gcCalled = true
-		s.Equal("k8s-cluster", opts.PlatformRuntime)
-		s.Contains(opts.ManagedBy, "mondoo-operator-")
-		s.NotEmpty(opts.OlderThan)
+		s.Equal("k8s-cluster", req.PlatformRuntime)
+		s.Contains(req.ManagedBy, "mondoo-operator-")
+		s.NotNil(req.DateFilter)
+		s.NotEmpty(req.DateFilter.Timestamp)
+		s.Equal(mondooclient.Comparison_LESS_THAN, req.DateFilter.Comparison)
+		s.Equal(mondooclient.DateFilterField_FILTER_LAST_UPDATED, req.DateFilter.Field)
 		return nil
 	})
 	s.NoError(d.KubeClient.Create(s.ctx, &s.auditConfig))
@@ -1556,13 +1559,13 @@ func (s *DeploymentHandlerSuite) TestGarbageCollection_RunsAfterSuccessfulScan()
 	s.NoError(err)
 	s.True(result.IsZero())
 
-	s.True(gcCalled, "GarbageCollectAssets should have been called")
+	s.True(gcCalled, "DeleteAssets should have been called")
 	s.NotNil(d.Mondoo.Status.LastK8sResourceGarbageCollectionTime, "GC timestamp should be set in status")
 }
 
 func (s *DeploymentHandlerSuite) TestGarbageCollection_SkipsWhenAlreadyRun() {
 	gcCalled := false
-	d := s.createDeploymentHandlerWithGCMock(func(ctx context.Context, opts *mondooclient.GarbageCollectOptions) error {
+	d := s.createDeploymentHandlerWithGCMock(func(ctx context.Context, opts *mondooclient.DeleteAssetsRequest) error {
 		gcCalled = true
 		return nil
 	})
@@ -1591,11 +1594,11 @@ func (s *DeploymentHandlerSuite) TestGarbageCollection_SkipsWhenAlreadyRun() {
 	s.NoError(err)
 	s.True(result.IsZero())
 
-	s.False(gcCalled, "GarbageCollectAssets should NOT have been called")
+	s.False(gcCalled, "DeleteAssets should NOT have been called")
 }
 
 func (s *DeploymentHandlerSuite) TestGarbageCollection_FailureStillUpdatesTimestamp() {
-	d := s.createDeploymentHandlerWithGCMock(func(ctx context.Context, opts *mondooclient.GarbageCollectOptions) error {
+	d := s.createDeploymentHandlerWithGCMock(func(ctx context.Context, opts *mondooclient.DeleteAssetsRequest) error {
 		return fmt.Errorf("API error")
 	})
 	s.NoError(d.KubeClient.Create(s.ctx, &s.auditConfig))
@@ -1624,8 +1627,8 @@ func (s *DeploymentHandlerSuite) TestGarbageCollection_FailureStillUpdatesTimest
 }
 
 // createDeploymentHandlerWithGCMock creates a DeploymentHandler with a mock MondooClientBuilder
-// that captures calls to GarbageCollectAssets.
-func (s *DeploymentHandlerSuite) createDeploymentHandlerWithGCMock(gcFunc func(context.Context, *mondooclient.GarbageCollectOptions) error) DeploymentHandler {
+// that captures calls to DeleteAssets.
+func (s *DeploymentHandlerSuite) createDeploymentHandlerWithGCMock(gcFunc func(context.Context, *mondooclient.DeleteAssetsRequest) error) DeploymentHandler {
 	// Create a mock credentials secret so GC can read it
 	key := credentials.MondooServiceAccount(s.T())
 	mockSA := mondooclient.ServiceAccountCredentials{
@@ -1660,14 +1663,14 @@ func (s *DeploymentHandlerSuite) createDeploymentHandlerWithGCMock(gcFunc func(c
 // fakeMondooClient implements just enough of MondooClient to test GC
 type fakeMondooClient struct {
 	mondooclient.MondooClient
-	gcFunc func(context.Context, *mondooclient.GarbageCollectOptions) error
+	gcFunc func(context.Context, *mondooclient.DeleteAssetsRequest) error
 }
 
-func (f *fakeMondooClient) GarbageCollectAssets(ctx context.Context, opts *mondooclient.GarbageCollectOptions) error {
+func (f *fakeMondooClient) DeleteAssets(ctx context.Context, req *mondooclient.DeleteAssetsRequest) (*mondooclient.DeleteAssetsConfirmation, error) {
 	if f.gcFunc != nil {
-		return f.gcFunc(ctx, opts)
+		return &mondooclient.DeleteAssetsConfirmation{}, f.gcFunc(ctx, req)
 	}
-	return nil
+	return &mondooclient.DeleteAssetsConfirmation{}, nil
 }
 
 func TestDeploymentHandlerSuite(t *testing.T) {