fix: resolve node inventory render image

MaxRink · MaxRink · commit fceaf8cdfca6 · 2026-06-19T09:38:45.000+02:00
diff --git a/controllers/nodes/deployment_handler.go b/controllers/nodes/deployment_handler.go
@@ -11,6 +11,7 @@ import (
 
 	"go.mondoo.com/mondoo-operator/api/v1alpha2"
 	"go.mondoo.com/mondoo-operator/pkg/client/mondooclient"
+	"go.mondoo.com/mondoo-operator/pkg/constants"
 	"go.mondoo.com/mondoo-operator/pkg/utils/k8s"
 	"go.mondoo.com/mondoo-operator/pkg/utils/mondoo"
 	appsv1 "k8s.io/api/apps/v1"
@@ -75,6 +76,11 @@ func (n *DeploymentHandler) syncCronJob(ctx context.Context) error {
 		logger.Error(err, "Failed to resolve mondoo-client container image")
 		return err
 	}
+	renderImage, err := n.ContainerImageResolver.ContainerImage(ctx, constants.BusyBoxImage, n.MondooOperatorConfig.Spec.SkipContainerResolution)
+	if err != nil {
+		logger.Error(err, "Failed to resolve node inventory render container image")
+		return err
+	}
 
 	clusterUid, err := k8s.GetClusterUID(ctx, n.KubeClient, logger)
 	if err != nil {
@@ -109,7 +115,7 @@ func (n *DeploymentHandler) syncCronJob(ctx context.Context) error {
 			return err
 		}
 
-		desired := CronJob(mondooClientImage, node, n.Mondoo, n.IsOpenshift, *n.MondooOperatorConfig)
+		desired := CronJob(mondooClientImage, renderImage, node, n.Mondoo, n.IsOpenshift, *n.MondooOperatorConfig)
 		cronJob := &batchv1.CronJob{ObjectMeta: metav1.ObjectMeta{Name: desired.Name, Namespace: desired.Namespace}}
 		op, err := k8s.CreateOrUpdate(ctx, n.KubeClient, cronJob, n.Mondoo, logger, func() error {
 			k8s.UpdateCronJobFields(cronJob, desired)
@@ -180,6 +186,11 @@ func (n *DeploymentHandler) syncDaemonSet(ctx context.Context) error {
 		logger.Error(err, "Failed to resolve mondoo-client container image")
 		return err
 	}
+	renderImage, err := n.ContainerImageResolver.ContainerImage(ctx, constants.BusyBoxImage, n.MondooOperatorConfig.Spec.SkipContainerResolution)
+	if err != nil {
+		logger.Error(err, "Failed to resolve node inventory render container image")
+		return err
+	}
 
 	clusterUid, err := k8s.GetClusterUID(ctx, n.KubeClient, logger)
 	if err != nil {
@@ -229,7 +240,7 @@ func (n *DeploymentHandler) syncDaemonSet(ctx context.Context) error {
 		}
 	}
 
-	desired := DaemonSet(*n.Mondoo, n.IsOpenshift, mondooClientImage, *n.MondooOperatorConfig, slices.Collect(maps.Keys(tolerations)))
+	desired := DaemonSet(*n.Mondoo, n.IsOpenshift, mondooClientImage, renderImage, *n.MondooOperatorConfig, slices.Collect(maps.Keys(tolerations)))
 	ds := &appsv1.DaemonSet{ObjectMeta: metav1.ObjectMeta{Name: desired.Name, Namespace: desired.Namespace}}
 	op, err := k8s.CreateOrUpdate(ctx, n.KubeClient, ds, n.Mondoo, logger, func() error {
 		k8s.UpdateDaemonSetFields(ds, desired)
diff --git a/controllers/nodes/deployment_handler_test.go b/controllers/nodes/deployment_handler_test.go
@@ -243,7 +243,7 @@ func (s *DeploymentHandlerSuite) TestReconcile_CreateCronJobs() {
 		cj := &batchv1.CronJob{ObjectMeta: metav1.ObjectMeta{Name: CronJobName(s.auditConfig.Name, n.Name), Namespace: s.auditConfig.Namespace}}
 		s.NoError(d.KubeClient.Get(s.ctx, client.ObjectKeyFromObject(cj), cj))
 
-		cjExpected := CronJob(image, n, &s.auditConfig, false, v1alpha2.MondooOperatorConfig{})
+		cjExpected := CronJob(image, constants.BusyBoxImage, n, &s.auditConfig, false, v1alpha2.MondooOperatorConfig{})
 		// Make sure the env vars for both are sorted
 		utils.SortEnvVars(cjExpected.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Env)
 		utils.SortEnvVars(cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Env)
@@ -255,6 +255,40 @@ func (s *DeploymentHandlerSuite) TestReconcile_CreateCronJobs() {
 	s.Error(d.KubeClient.Get(s.ctx, client.ObjectKeyFromObject(gcCj), gcCj))
 }
 
+func (s *DeploymentHandlerSuite) TestReconcile_CronJobUsesResolvedRenderImage() {
+	s.seedNodes()
+	d := s.createDeploymentHandler()
+	d.MondooOperatorConfig = &v1alpha2.MondooOperatorConfig{Spec: v1alpha2.MondooOperatorConfigSpec{
+		SkipContainerResolution: true,
+	}}
+	d.ContainerImageResolver = &fakeMondoo.ContainerImageResolverMock{
+		CnspecImageFunc: func(userImage, userTag, userDigest string, skipResolveImage bool) (string, error) {
+			return "registry.example.com/cnspec:13-rootless", nil
+		},
+		ContainerImageFunc: func(ctx context.Context, image string, skipResolveImage bool) (string, error) {
+			s.Equal(constants.BusyBoxImage, image)
+			s.True(skipResolveImage)
+			return "registry.example.com/dockerhub/library/busybox:1.36", nil
+		},
+	}
+
+	mondooAuditConfig := &s.auditConfig
+	s.NoError(d.KubeClient.Create(s.ctx, mondooAuditConfig))
+
+	result, err := d.Reconcile(s.ctx)
+	s.NoError(err)
+	s.True(result.IsZero())
+
+	nodes := &corev1.NodeList{}
+	s.NoError(d.KubeClient.List(s.ctx, nodes))
+	for _, n := range nodes.Items {
+		cj := &batchv1.CronJob{ObjectMeta: metav1.ObjectMeta{Name: CronJobName(s.auditConfig.Name, n.Name), Namespace: s.auditConfig.Namespace}}
+		s.NoError(d.KubeClient.Get(s.ctx, client.ObjectKeyFromObject(cj), cj))
+		s.Len(cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers, 1)
+		s.Equal("registry.example.com/dockerhub/library/busybox:1.36", cj.Spec.JobTemplate.Spec.Template.Spec.InitContainers[0].Image)
+	}
+}
+
 func (s *DeploymentHandlerSuite) TestReconcile_CreateCronJobs_CustomEnvVars() {
 	s.seedNodes()
 	d := s.createDeploymentHandler()
@@ -277,7 +311,7 @@ func (s *DeploymentHandlerSuite) TestReconcile_CreateCronJobs_CustomEnvVars() {
 		cj := &batchv1.CronJob{ObjectMeta: metav1.ObjectMeta{Name: CronJobName(s.auditConfig.Name, n.Name), Namespace: s.auditConfig.Namespace}}
 		s.NoError(d.KubeClient.Get(s.ctx, client.ObjectKeyFromObject(cj), cj))
 
-		cjExpected := CronJob(image, n, &s.auditConfig, false, v1alpha2.MondooOperatorConfig{})
+		cjExpected := CronJob(image, constants.BusyBoxImage, n, &s.auditConfig, false, v1alpha2.MondooOperatorConfig{})
 		// Make sure the env vars for both are sorted
 		utils.SortEnvVars(cjExpected.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Env)
 		utils.SortEnvVars(cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Env)
@@ -310,7 +344,7 @@ func (s *DeploymentHandlerSuite) TestReconcile_CreateCronJobs_Switch() {
 		cj := &batchv1.CronJob{ObjectMeta: metav1.ObjectMeta{Name: CronJobName(s.auditConfig.Name, n.Name), Namespace: s.auditConfig.Namespace}}
 		s.NoError(d.KubeClient.Get(s.ctx, client.ObjectKeyFromObject(cj), cj))
 
-		cjExpected := CronJob(image, n, &s.auditConfig, false, v1alpha2.MondooOperatorConfig{})
+		cjExpected := CronJob(image, constants.BusyBoxImage, n, &s.auditConfig, false, v1alpha2.MondooOperatorConfig{})
 		// Make sure the env vars for both are sorted
 		utils.SortEnvVars(cjExpected.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Env)
 		utils.SortEnvVars(cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Env)
@@ -350,7 +384,7 @@ func (s *DeploymentHandlerSuite) TestReconcile_UpdateCronJobs() {
 	s.NoError(err)
 
 	// Make sure a cron job exists for one of the nodes
-	cj := CronJob(image, nodes.Items[1], &s.auditConfig, false, v1alpha2.MondooOperatorConfig{})
+	cj := CronJob(image, constants.BusyBoxImage, nodes.Items[1], &s.auditConfig, false, v1alpha2.MondooOperatorConfig{})
 	cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Command = []string{"test-command"}
 	s.NoError(d.KubeClient.Create(s.ctx, cj))
 
@@ -362,7 +396,7 @@ func (s *DeploymentHandlerSuite) TestReconcile_UpdateCronJobs() {
 		cj := &batchv1.CronJob{ObjectMeta: metav1.ObjectMeta{Name: CronJobName(s.auditConfig.Name, n.Name), Namespace: s.auditConfig.Namespace}}
 		s.NoError(d.KubeClient.Get(s.ctx, client.ObjectKeyFromObject(cj), cj))
 
-		cjExpected := CronJob(image, n, &s.auditConfig, false, v1alpha2.MondooOperatorConfig{})
+		cjExpected := CronJob(image, constants.BusyBoxImage, n, &s.auditConfig, false, v1alpha2.MondooOperatorConfig{})
 		// Make sure the env vars for both are sorted
 		utils.SortEnvVars(cjExpected.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Env)
 		utils.SortEnvVars(cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Env)
@@ -408,7 +442,7 @@ func (s *DeploymentHandlerSuite) TestReconcile_CleanCronJobsForDeletedNodes() {
 	cj := &batchv1.CronJob{ObjectMeta: metav1.ObjectMeta{Name: CronJobName(s.auditConfig.Name, nodes.Items[0].Name), Namespace: s.auditConfig.Namespace}}
 	s.NoError(d.KubeClient.Get(s.ctx, client.ObjectKeyFromObject(cj), cj))
 
-	cjExpected := CronJob(image, nodes.Items[0], &s.auditConfig, false, v1alpha2.MondooOperatorConfig{})
+	cjExpected := CronJob(image, constants.BusyBoxImage, nodes.Items[0], &s.auditConfig, false, v1alpha2.MondooOperatorConfig{})
 	// Make sure the env vars for both are sorted
 	utils.SortEnvVars(cjExpected.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Env)
 	utils.SortEnvVars(cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Env)
@@ -436,7 +470,7 @@ func (s *DeploymentHandlerSuite) TestReconcile_CreateDaemonSets() {
 	ds := &appsv1.DaemonSet{ObjectMeta: metav1.ObjectMeta{Name: DaemonSetName(s.auditConfig.Name), Namespace: s.auditConfig.Namespace}}
 	s.NoError(d.KubeClient.Get(s.ctx, client.ObjectKeyFromObject(ds), ds))
 
-	dsExpected := DaemonSet(s.auditConfig, false, image, v1alpha2.MondooOperatorConfig{},
+	dsExpected := DaemonSet(s.auditConfig, false, image, constants.BusyBoxImage, v1alpha2.MondooOperatorConfig{},
 		[]corev1.Toleration{{Key: "node-role.kubernetes.io/master", Value: "true", Effect: corev1.TaintEffectNoExecute}})
 	// Make sure the env vars for both are sorted
 	utils.SortEnvVars(dsExpected.Spec.Template.Spec.Containers[0].Env)
@@ -469,7 +503,7 @@ func (s *DeploymentHandlerSuite) TestReconcile_CreateDaemonSets_Switch() {
 	ds := &appsv1.DaemonSet{ObjectMeta: metav1.ObjectMeta{Name: DaemonSetName(s.auditConfig.Name), Namespace: s.auditConfig.Namespace}}
 	s.NoError(d.KubeClient.Get(s.ctx, client.ObjectKeyFromObject(ds), ds))
 
-	dsExpected := DaemonSet(s.auditConfig, false, image, v1alpha2.MondooOperatorConfig{},
+	dsExpected := DaemonSet(s.auditConfig, false, image, constants.BusyBoxImage, v1alpha2.MondooOperatorConfig{},
 		[]corev1.Toleration{{Key: "node-role.kubernetes.io/master", Value: "true", Effect: corev1.TaintEffectNoExecute}})
 	s.Equal(dsExpected.Spec, ds.Spec)
 
@@ -507,7 +541,7 @@ func (s *DeploymentHandlerSuite) TestReconcile_UpdateDaemonSets() {
 	s.NoError(err)
 
 	// Make sure a daemonset exists
-	ds := DaemonSet(s.auditConfig, false, image, v1alpha2.MondooOperatorConfig{}, nil)
+	ds := DaemonSet(s.auditConfig, false, image, constants.BusyBoxImage, v1alpha2.MondooOperatorConfig{}, nil)
 	ds.Spec.Template.Spec.Containers[0].Command = []string{"test-command"}
 	s.NoError(d.KubeClient.Create(s.ctx, ds))
 
@@ -518,7 +552,7 @@ func (s *DeploymentHandlerSuite) TestReconcile_UpdateDaemonSets() {
 	ds = &appsv1.DaemonSet{ObjectMeta: metav1.ObjectMeta{Name: DaemonSetName(s.auditConfig.Name), Namespace: s.auditConfig.Namespace}}
 	s.NoError(d.KubeClient.Get(s.ctx, client.ObjectKeyFromObject(ds), ds))
 
-	depExpected := DaemonSet(s.auditConfig, false, image, v1alpha2.MondooOperatorConfig{},
+	depExpected := DaemonSet(s.auditConfig, false, image, constants.BusyBoxImage, v1alpha2.MondooOperatorConfig{},
 		[]corev1.Toleration{{Key: "node-role.kubernetes.io/master", Value: "true", Effect: corev1.TaintEffectNoExecute}})
 	s.Equal(depExpected.Spec, ds.Spec)
 }
diff --git a/controllers/nodes/resources.go b/controllers/nodes/resources.go
@@ -44,7 +44,7 @@ const (
 )
 
 // CronJob creates a CronJob for node scanning
-func CronJob(image string, node corev1.Node, m *v1alpha2.MondooAuditConfig, isOpenshift bool, cfg v1alpha2.MondooOperatorConfig) *batchv1.CronJob {
+func CronJob(image, renderImage string, node corev1.Node, m *v1alpha2.MondooAuditConfig, isOpenshift bool, cfg v1alpha2.MondooOperatorConfig) *batchv1.CronJob {
 	ls := NodeScanningLabels(*m)
 	cmd := []string{
 		"cnspec", "scan", "local",
@@ -106,7 +106,7 @@ func CronJob(image string, node corev1.Node, m *v1alpha2.MondooAuditConfig, isOp
 							// should not be mounted at all.
 							AutomountServiceAccountToken: ptr.To(false),
 							InitContainers: []corev1.Container{
-								renderNodeInventoryInitContainer(node.Name),
+								renderNodeInventoryInitContainer(node.Name, renderImage),
 							},
 							Containers: []corev1.Container{
 								{
@@ -195,7 +195,7 @@ func CronJob(image string, node corev1.Node, m *v1alpha2.MondooAuditConfig, isOp
 }
 
 // DaemonSet creates a DaemonSet for node scanning
-func DaemonSet(m v1alpha2.MondooAuditConfig, isOpenshift bool, image string, cfg v1alpha2.MondooOperatorConfig, tolerations []corev1.Toleration) *appsv1.DaemonSet {
+func DaemonSet(m v1alpha2.MondooAuditConfig, isOpenshift bool, image, renderImage string, cfg v1alpha2.MondooOperatorConfig, tolerations []corev1.Toleration) *appsv1.DaemonSet {
 	labels := NodeScanningLabels(m)
 	cmd := []string{
 		"cnspec", "serve",
@@ -243,7 +243,7 @@ func DaemonSet(m v1alpha2.MondooAuditConfig, isOpenshift bool, image string, cfg
 					AutomountServiceAccountToken: ptr.To(false),
 					Tolerations:                  tolerations,
 					InitContainers: []corev1.Container{
-						renderNodeInventoryInitContainer(""),
+						renderNodeInventoryInitContainer("", renderImage),
 					},
 					Containers: []corev1.Container{
 						{
@@ -431,7 +431,7 @@ func Inventory(integrationMRN, clusterUID string, m v1alpha2.MondooAuditConfig)
 	return string(invBytes), nil
 }
 
-func renderNodeInventoryInitContainer(nodeName string) corev1.Container {
+func renderNodeInventoryInitContainer(nodeName, image string) corev1.Container {
 	render := fmt.Sprintf("sed \"s#%s#${NODE_NAME}#g\" %s > %s",
 		nodeInventoryNodeNamePlaceholder,
 		shellQuote(nodeInventoryTemplatePath),
@@ -450,7 +450,7 @@ func renderNodeInventoryInitContainer(nodeName string) corev1.Container {
 
 	return corev1.Container{
 		Name:            "render-node-inventory",
-		Image:           constants.BusyBoxImage,
+		Image:           image,
 		ImagePullPolicy: corev1.PullIfNotPresent,
 		Command:         []string{"/bin/sh", "-ec", render},
 		Env:             env,
diff --git a/controllers/nodes/resources_test.go b/controllers/nodes/resources_test.go
@@ -120,7 +120,7 @@ func TestResources(t *testing.T) {
 				},
 			}
 			mac := test.mondooauditconfig()
-			cj := CronJob("test123", testNode, mac, false, v1alpha2.MondooOperatorConfig{})
+			cj := CronJob("test123", constants.BusyBoxImage, testNode, mac, false, v1alpha2.MondooOperatorConfig{})
 			assert.Equal(t, test.expectedResources, cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Resources)
 		})
 	}
@@ -175,7 +175,7 @@ func TestResources_GOMEMLIMIT(t *testing.T) {
 				},
 			}
 			mac := test.mondooauditconfig()
-			cj := CronJob("test123", testNode, mac, false, v1alpha2.MondooOperatorConfig{})
+			cj := CronJob("test123", constants.BusyBoxImage, testNode, mac, false, v1alpha2.MondooOperatorConfig{})
 			goMemLimitEnv := corev1.EnvVar{}
 			for _, env := range cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Env {
 				if env.Name == "GOMEMLIMIT" {
@@ -190,7 +190,7 @@ func TestResources_GOMEMLIMIT(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			mac := *test.mondooauditconfig()
-			ds := DaemonSet(mac, false, "test123", v1alpha2.MondooOperatorConfig{}, nil)
+			ds := DaemonSet(mac, false, "test123", constants.BusyBoxImage, v1alpha2.MondooOperatorConfig{}, nil)
 			goMemLimitEnv := corev1.EnvVar{}
 			for _, env := range ds.Spec.Template.Spec.Containers[0].Env {
 				if env.Name == "GOMEMLIMIT" {
@@ -210,7 +210,7 @@ func TestCronJob_PrivilegedOpenshift(t *testing.T) {
 		},
 	}
 	mac := testMondooAuditConfig()
-	cj := CronJob("test123", testNode, mac, true, v1alpha2.MondooOperatorConfig{})
+	cj := CronJob("test123", constants.BusyBoxImage, testNode, mac, true, v1alpha2.MondooOperatorConfig{})
 	assert.True(t, *cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].SecurityContext.Privileged)
 	assert.True(t, *cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation)
 }
@@ -222,7 +222,7 @@ func TestCronJob_Privileged(t *testing.T) {
 		},
 	}
 	mac := testMondooAuditConfig()
-	cj := CronJob("test123", testNode, mac, false, v1alpha2.MondooOperatorConfig{})
+	cj := CronJob("test123", constants.BusyBoxImage, testNode, mac, false, v1alpha2.MondooOperatorConfig{})
 	assert.False(t, *cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].SecurityContext.Privileged)
 	assert.False(t, *cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation)
 }
@@ -278,7 +278,7 @@ func TestCronJob_WithProxy(t *testing.T) {
 		},
 	}
 
-	cj := CronJob("test123", testNode, mac, false, cfg)
+	cj := CronJob("test123", constants.BusyBoxImage, testNode, mac, false, cfg)
 	container := cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0]
 
 	cmdStr := strings.Join(container.Command, " ")
@@ -294,7 +294,7 @@ func TestCronJob_UsesInventoryFileFlag(t *testing.T) {
 	testNode := corev1.Node{ObjectMeta: metav1.ObjectMeta{Name: "test-node-name"}}
 	mac := testMondooAuditConfig()
 
-	cj := CronJob("test123", testNode, mac, false, v1alpha2.MondooOperatorConfig{})
+	cj := CronJob("test123", constants.BusyBoxImage, testNode, mac, false, v1alpha2.MondooOperatorConfig{})
 	mainCommand := strings.Join(cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Command, " ")
 
 	assert.Contains(t, mainCommand, "cnspec scan local")
@@ -329,7 +329,7 @@ func TestCronJob_SkipProxyForCnspec(t *testing.T) {
 		},
 	}
 
-	cj := CronJob("test123", testNode, mac, false, cfg)
+	cj := CronJob("test123", constants.BusyBoxImage, testNode, mac, false, cfg)
 	container := cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0]
 
 	cmdStr := strings.Join(container.Command, " ")
@@ -351,7 +351,7 @@ func TestCronJob_WithImagePullSecrets(t *testing.T) {
 		},
 	}
 
-	cj := CronJob("test123", testNode, mac, false, cfg)
+	cj := CronJob("test123", constants.BusyBoxImage, testNode, mac, false, cfg)
 	secrets := cj.Spec.JobTemplate.Spec.Template.Spec.ImagePullSecrets
 	require.Len(t, secrets, 1)
 	assert.Equal(t, "my-registry-secret", secrets[0].Name)
@@ -366,7 +366,7 @@ func TestDaemonSet_WithProxy(t *testing.T) {
 		},
 	}
 
-	ds := DaemonSet(mac, false, "test123", cfg, nil)
+	ds := DaemonSet(mac, false, "test123", constants.BusyBoxImage, cfg, nil)
 	container := ds.Spec.Template.Spec.Containers[0]
 
 	cmdStr := strings.Join(container.Command, " ")
@@ -381,7 +381,7 @@ func TestDaemonSet_WithProxy(t *testing.T) {
 func TestDaemonSet_UsesInventoryFileFlag(t *testing.T) {
 	mac := *testMondooAuditConfig()
 
-	ds := DaemonSet(mac, false, "test123", v1alpha2.MondooOperatorConfig{}, nil)
+	ds := DaemonSet(mac, false, "test123", constants.BusyBoxImage, v1alpha2.MondooOperatorConfig{}, nil)
 	mainCommand := strings.Join(ds.Spec.Template.Spec.Containers[0].Command, " ")
 
 	assert.Contains(t, mainCommand, "cnspec serve")
@@ -417,7 +417,7 @@ func TestDaemonSet_SkipProxyForCnspec(t *testing.T) {
 		},
 	}
 
-	ds := DaemonSet(mac, false, "test123", cfg, nil)
+	ds := DaemonSet(mac, false, "test123", constants.BusyBoxImage, cfg, nil)
 	container := ds.Spec.Template.Spec.Containers[0]
 
 	cmdStr := strings.Join(container.Command, " ")
@@ -438,7 +438,7 @@ func TestDaemonSet_WithImagePullSecrets(t *testing.T) {
 		},
 	}
 
-	ds := DaemonSet(mac, false, "test123", cfg, nil)
+	ds := DaemonSet(mac, false, "test123", constants.BusyBoxImage, cfg, nil)
 	secrets := ds.Spec.Template.Spec.ImagePullSecrets
 	require.Len(t, secrets, 1)
 	assert.Equal(t, "my-registry-secret", secrets[0].Name)
diff --git a/controllers/status/operator_status_test.go b/controllers/status/operator_status_test.go
@@ -218,6 +218,10 @@ func (m *mockContainerImageResolver) MondooOperatorImage(_ context.Context, _, _
 	return "ghcr.io/mondoohq/mondoo-operator@sha256:def456", nil
 }
 
+func (m *mockContainerImageResolver) ContainerImage(_ context.Context, image string, _ bool) (string, error) {
+	return image, nil
+}
+
 func (m *mockContainerImageResolver) WithImageRegistry(_ string) mondooutils.ContainerImageResolver {
 	return m
 }
diff --git a/docs/user-manual.md b/docs/user-manual.md
@@ -1181,7 +1181,7 @@ spec:
     enable: true
 ```
 
-Node scanning pods include a lightweight `render-node-inventory` init container that renders the node-specific inventory file before `cnspec` starts. This keeps custom scanner images simple: the scanner image must provide `cnspec`, but it does not need a POSIX shell or `sed`.
+Node scanning pods include a lightweight `render-node-inventory` init container that renders the node-specific inventory file before `cnspec` starts. This keeps custom scanner images simple: the scanner image must provide `cnspec`, but it does not need a POSIX shell or `sed`. The init container image uses the same `imageRegistry`, `registryMirrors`, `imagePullSecrets`, and `skipContainerResolution` settings as other operator-managed images.
 
 ### Why are (some of) my nodes unscored?
 
diff --git a/pkg/utils/mondoo/container_image_resolver.go b/pkg/utils/mondoo/container_image_resolver.go
diff --git a/pkg/utils/mondoo/container_image_resolver_test.go b/pkg/utils/mondoo/container_image_resolver_test.go
diff --git a/pkg/utils/mondoo/fake/container_image_resolver.go b/pkg/utils/mondoo/fake/container_image_resolver.go

Original file line number	Diff line number	Diff line change
`@@ -218,6 +218,10 @@ func (m *mockContainerImageResolver) MondooOperatorImage(_ context.Context, _, _`
`218`	`218`	`return "ghcr.io/mondoohq/mondoo-operator@sha256:def456", nil`
`219`	`219`	`}`
`220`	`220`
	`221`	`+func (m *mockContainerImageResolver) ContainerImage(_ context.Context, image string, _ bool) (string, error) {`
	`222`	`+ return image, nil`
	`223`	`+}`
	`224`	`+`
`221`	`225`	`func (m *mockContainerImageResolver) WithImageRegistry(_ string) mondooutils.ContainerImageResolver {`
`222`	`226`	`return m`
`223`	`227`	`}`