fix(scanning): surface invalid label selectors

MaxRink · MaxRink · commit 8661e25459d6 · 2026-06-19T04:18:31.000+02:00
diff --git a/controllers/container_image/conditions.go b/controllers/container_image/conditions.go
@@ -4,6 +4,8 @@
 package container_image
 
 import (
+	"errors"
+
 	"go.mondoo.com/mondoo-operator/api/v1alpha2"
 	"go.mondoo.com/mondoo-operator/pkg/utils/k8s"
 	"go.mondoo.com/mondoo-operator/pkg/utils/mondoo"
@@ -53,3 +55,21 @@ func updateImageScanningConditions(config *v1alpha2.MondooAuditConfig, degradedS
 	config.Status.Conditions = mondoo.SetMondooAuditCondition(
 		config.Status.Conditions, v1alpha2.K8sContainerImageScanningDegraded, status, reason, msg, updateCheck, affectedPods, memoryLimit)
 }
+
+func updateImageScanningConfigErrorCondition(config *v1alpha2.MondooAuditConfig, err error) {
+	reason := "KubernetesContainerImageScanConfigInvalid"
+	var labelSelectorErr invalidLabelSelectorError
+	if errors.As(err, &labelSelectorErr) {
+		reason = "InvalidLabelSelector"
+	}
+	config.Status.Conditions = mondoo.SetMondooAuditCondition(
+		config.Status.Conditions,
+		v1alpha2.K8sContainerImageScanningDegraded,
+		corev1.ConditionTrue,
+		reason,
+		err.Error(),
+		mondoo.UpdateConditionIfReasonOrMessageChange,
+		[]string{},
+		"",
+	)
+}
diff --git a/controllers/container_image/deployment_handler.go b/controllers/container_image/deployment_handler.go
@@ -152,6 +152,7 @@ func (n *DeploymentHandler) syncConfigMap(ctx context.Context, clusterUid string
 	desired, err := ConfigMap(integrationMrn, clusterUid, *n.Mondoo, *n.MondooOperatorConfig)
 	if err != nil {
 		logger.Error(err, "failed to generate desired ConfigMap with inventory")
+		updateImageScanningConfigErrorCondition(n.Mondoo, err)
 		return err
 	}
 
diff --git a/controllers/container_image/deployment_handler_test.go b/controllers/container_image/deployment_handler_test.go
@@ -380,6 +380,27 @@ func (s *DeploymentHandlerSuite) TestReconcile_K8sContainerImageScanningStatus()
 	s.Equal(corev1.ConditionFalse, condition.Status)
 }
 
+func (s *DeploymentHandlerSuite) TestReconcile_InvalidLabelSelectorCondition() {
+	s.auditConfig.Spec.Filtering.ObjectLabelSelector = &metav1.LabelSelector{
+		MatchExpressions: []metav1.LabelSelectorRequirement{
+			{Key: "track", Operator: metav1.LabelSelectorOpIn},
+		},
+	}
+	d := s.createDeploymentHandler()
+	s.NoError(d.KubeClient.Create(s.ctx, &s.auditConfig))
+
+	result, err := d.Reconcile(s.ctx)
+	s.Error(err)
+	s.True(result.IsZero())
+
+	s.Require().Len(d.Mondoo.Status.Conditions, 1)
+	condition := d.Mondoo.Status.Conditions[0]
+	s.Equal("InvalidLabelSelector", condition.Reason)
+	s.Contains(condition.Message, "filtering.objectLabelSelector")
+	s.Equal(corev1.ConditionTrue, condition.Status)
+	s.Equal(mondoov1alpha2.K8sContainerImageScanningDegraded, condition.Type)
+}
+
 func (s *DeploymentHandlerSuite) TestReconcile_DisableContainerImageScanning() {
 	d := s.createDeploymentHandler()
 	mondooAuditConfig := &s.auditConfig
diff --git a/controllers/container_image/resources.go b/controllers/container_image/resources.go
@@ -34,6 +34,19 @@ const (
 	k8sOptionObjectLabelSelector    = "object-label-selector"
 )
 
+type invalidLabelSelectorError struct {
+	field string
+	err   error
+}
+
+func (e invalidLabelSelectorError) Error() string {
+	return e.err.Error()
+}
+
+func (e invalidLabelSelectorError) Unwrap() error {
+	return e.err
+}
+
 func CronJob(image, integrationMrn, clusterUid, privateRegistrySecretName string, m *v1alpha2.MondooAuditConfig, cfg v1alpha2.MondooOperatorConfig) *batchv1.CronJob {
 	ls := CronJobLabels(*m)
 
@@ -338,7 +351,10 @@ func addLabelSelectorOption(options map[string]string, optionName, fieldName str
 	}
 	parsed, err := metav1.LabelSelectorAsSelector(selector)
 	if err != nil {
-		return fmt.Errorf("invalid filtering.%s: %w", fieldName, err)
+		return invalidLabelSelectorError{
+			field: fieldName,
+			err:   fmt.Errorf("invalid filtering.%s: %w", fieldName, err),
+		}
 	}
 	if parsed.Empty() {
 		return nil
diff --git a/controllers/k8s_scan/conditions.go b/controllers/k8s_scan/conditions.go
@@ -4,6 +4,8 @@
 package k8s_scan
 
 import (
+	"errors"
+
 	"go.mondoo.com/mondoo-operator/api/v1alpha2"
 	"go.mondoo.com/mondoo-operator/pkg/utils/k8s"
 	"go.mondoo.com/mondoo-operator/pkg/utils/mondoo"
@@ -53,3 +55,21 @@ func updateWorkloadsConditions(config *v1alpha2.MondooAuditConfig, degradedStatu
 	config.Status.Conditions = mondoo.SetMondooAuditCondition(
 		config.Status.Conditions, v1alpha2.K8sResourcesScanningDegraded, status, reason, msg, updateCheck, affectedPods, memoryLimit)
 }
+
+func updateWorkloadsConfigErrorCondition(config *v1alpha2.MondooAuditConfig, err error) {
+	reason := "KubernetesResourcesScanConfigInvalid"
+	var labelSelectorErr invalidLabelSelectorError
+	if errors.As(err, &labelSelectorErr) {
+		reason = "InvalidLabelSelector"
+	}
+	config.Status.Conditions = mondoo.SetMondooAuditCondition(
+		config.Status.Conditions,
+		v1alpha2.K8sResourcesScanningDegraded,
+		corev1.ConditionTrue,
+		reason,
+		err.Error(),
+		mondoo.UpdateConditionIfReasonOrMessageChange,
+		[]string{},
+		"",
+	)
+}
diff --git a/controllers/k8s_scan/deployment_handler.go b/controllers/k8s_scan/deployment_handler.go
@@ -269,6 +269,7 @@ func (n *DeploymentHandler) syncConfigMap(ctx context.Context, integrationMrn, c
 	desired, err := ConfigMap(integrationMrn, clusterUid, *n.Mondoo, *n.MondooOperatorConfig)
 	if err != nil {
 		logger.Error(err, "failed to generate desired ConfigMap with inventory")
+		updateWorkloadsConfigErrorCondition(n.Mondoo, err)
 		return err
 	}
 
@@ -361,6 +362,7 @@ func (n *DeploymentHandler) syncExternalClusterConfigMap(ctx context.Context, in
 	desired, err := ExternalClusterConfigMap(integrationMrn, clusterUid, cluster, *n.Mondoo, *n.MondooOperatorConfig)
 	if err != nil {
 		logger.Error(err, "failed to generate desired ConfigMap for external cluster", "cluster", cluster.Name)
+		updateWorkloadsConfigErrorCondition(n.Mondoo, err)
 		return err
 	}
 
diff --git a/controllers/k8s_scan/deployment_handler_test.go b/controllers/k8s_scan/deployment_handler_test.go
@@ -210,6 +210,59 @@ func (s *DeploymentHandlerSuite) TestReconcile_K8sResourceScanningStatus() {
 	s.Equal(corev1.ConditionFalse, condition.Status)
 }
 
+func (s *DeploymentHandlerSuite) TestReconcile_InvalidLabelSelectorCondition() {
+	s.auditConfig.Spec.Filtering.NamespaceLabelSelector = &metav1.LabelSelector{
+		MatchExpressions: []metav1.LabelSelectorRequirement{
+			{Key: "tenant", Operator: metav1.LabelSelectorOpIn},
+		},
+	}
+	d := s.createDeploymentHandler()
+	s.NoError(d.KubeClient.Create(s.ctx, &s.auditConfig))
+
+	result, err := d.Reconcile(s.ctx)
+	s.Error(err)
+	s.True(result.IsZero())
+
+	s.Require().Len(d.Mondoo.Status.Conditions, 1)
+	condition := d.Mondoo.Status.Conditions[0]
+	s.Equal("InvalidLabelSelector", condition.Reason)
+	s.Contains(condition.Message, "filtering.namespaceLabelSelector")
+	s.Equal(corev1.ConditionTrue, condition.Status)
+	s.Equal(mondoov1alpha2.K8sResourcesScanningDegraded, condition.Type)
+}
+
+func (s *DeploymentHandlerSuite) TestReconcile_ExternalClusterInvalidLabelSelectorCondition() {
+	s.auditConfig.Spec.KubernetesResources.Enable = false
+	s.auditConfig.Spec.KubernetesResources.ExternalClusters = []mondoov1alpha2.ExternalCluster{
+		{
+			Name: "external",
+			KubeconfigSecretRef: &corev1.LocalObjectReference{
+				Name: "external-kubeconfig",
+			},
+			Filtering: &mondoov1alpha2.Filtering{
+				ObjectLabelSelector: &metav1.LabelSelector{
+					MatchExpressions: []metav1.LabelSelectorRequirement{
+						{Key: "app", Operator: metav1.LabelSelectorOpIn},
+					},
+				},
+			},
+		},
+	}
+	d := s.createDeploymentHandler()
+	s.NoError(d.KubeClient.Create(s.ctx, &s.auditConfig))
+
+	result, err := d.Reconcile(s.ctx)
+	s.Error(err)
+	s.True(result.IsZero())
+
+	s.Require().Len(d.Mondoo.Status.Conditions, 1)
+	condition := d.Mondoo.Status.Conditions[0]
+	s.Equal("InvalidLabelSelector", condition.Reason)
+	s.Contains(condition.Message, "filtering.objectLabelSelector")
+	s.Equal(corev1.ConditionTrue, condition.Status)
+	s.Equal(mondoov1alpha2.K8sResourcesScanningDegraded, condition.Type)
+}
+
 func (s *DeploymentHandlerSuite) TestReconcile_Disable() {
 	d := s.createDeploymentHandler()
 	mondooAuditConfig := &s.auditConfig
diff --git a/controllers/k8s_scan/resources.go b/controllers/k8s_scan/resources.go
@@ -32,6 +32,19 @@ const (
 	k8sOptionObjectLabelSelector    = "object-label-selector"
 )
 
+type invalidLabelSelectorError struct {
+	field string
+	err   error
+}
+
+func (e invalidLabelSelectorError) Error() string {
+	return e.err.Error()
+}
+
+func (e invalidLabelSelectorError) Unwrap() error {
+	return e.err
+}
+
 // K8sDiscoveryTargets defines explicit targets for K8s resource scanning
 // (excludes container-images which is handled by the separate containers controller)
 var K8sDiscoveryTargets = []string{
@@ -1183,7 +1196,10 @@ func addLabelSelectorOption(options map[string]string, optionName, fieldName str
 
 	parsedSelector, err := metav1.LabelSelectorAsSelector(selector)
 	if err != nil {
-		return fmt.Errorf("invalid filtering.%s: %w", fieldName, err)
+		return invalidLabelSelectorError{
+			field: fieldName,
+			err:   fmt.Errorf("invalid filtering.%s: %w", fieldName, err),
+		}
 	}
 	if !parsedSelector.Empty() {
 		options[optionName] = parsedSelector.String()

Original file line number	Diff line number	Diff line change
`@@ -152,6 +152,7 @@ func (n *DeploymentHandler) syncConfigMap(ctx context.Context, clusterUid string`
`152`	`152`	`desired, err := ConfigMap(integrationMrn, clusterUid, n.Mondoo, n.MondooOperatorConfig)`
`153`	`153`	`if err != nil {`
`154`	`154`	`logger.Error(err, "failed to generate desired ConfigMap with inventory")`
	`155`	`+ updateImageScanningConfigErrorCondition(n.Mondoo, err)`
`155`	`156`	`return err`
`156`	`157`	`}`
`157`	`158`
Original file line number	Diff line number	Diff line change
`@@ -269,6 +269,7 @@ func (n *DeploymentHandler) syncConfigMap(ctx context.Context, integrationMrn, c`
`269`	`269`	`desired, err := ConfigMap(integrationMrn, clusterUid, n.Mondoo, n.MondooOperatorConfig)`
`270`	`270`	`if err != nil {`
`271`	`271`	`logger.Error(err, "failed to generate desired ConfigMap with inventory")`
	`272`	`+ updateWorkloadsConfigErrorCondition(n.Mondoo, err)`
`272`	`273`	`return err`
`273`	`274`	`}`
`274`	`275`
`@@ -361,6 +362,7 @@ func (n *DeploymentHandler) syncExternalClusterConfigMap(ctx context.Context, in`
`361`	`362`	`desired, err := ExternalClusterConfigMap(integrationMrn, clusterUid, cluster, n.Mondoo, n.MondooOperatorConfig)`
`362`	`363`	`if err != nil {`
`363`	`364`	`logger.Error(err, "failed to generate desired ConfigMap for external cluster", "cluster", cluster.Name)`
	`365`	`+ updateWorkloadsConfigErrorCondition(n.Mondoo, err)`
`364`	`366`	`return err`
`365`	`367`	`}`
`366`	`368`