4 changes: 2 additions & 2 deletions .github/actions/link-check/config.json
@@ -1,3 +1,3 @@
{
"aliveStatusCodes": [429, 200, 406]
}
"aliveStatusCodes": [200, 406, 429]
}
12 changes: 12 additions & 0 deletions api/v1alpha2/mondooauditconfig_types.go
Expand Up @@ -107,6 +107,9 @@ type KubernetesResources struct {
ContainerImageScanning bool `json:"containerImageScanning,omitempty"`
// Specify a custom crontab schedule for the Kubernetes resource scanning job. If not specified, the default schedule is used.
Schedule string `json:"schedule,omitempty"`
// Suspend pauses scheduled Kubernetes resource scan CronJobs without deleting the generated resources.
// External cluster scan CronJobs inherit this value and can also be paused individually.
Suspend bool `json:"suspend,omitempty"`

// ResourceWatcher configures real-time resource watching and scanning.
// When enabled, a deployment will be created that watches for K8s resource changes
Expand Down Expand Up @@ -192,6 +195,11 @@ type ExternalCluster struct {
// +optional
Schedule string `json:"schedule,omitempty"`

// Suspend pauses the scheduled scan CronJob for this external cluster.
// The CronJob is also paused when KubernetesResources.Suspend is true.
// +optional
Suspend bool `json:"suspend,omitempty"`

// Filtering allows namespace filtering specific to this external cluster.
// If omitted, the external cluster inherits the global filtering from MondooAuditConfigSpec.Filtering.
// Set an empty filtering object to scan all namespaces for this external cluster even when global filtering is configured.
Expand Down Expand Up @@ -436,6 +444,8 @@ type Nodes struct {
// Schedule specifies a custom crontab schedule for the node scanning job. If not specified, the default schedule is
// used. Only applicable for CronJob style
Schedule string `json:"schedule,omitempty"`
// Suspend pauses scheduled node scan CronJobs without deleting generated resources. Only applicable for CronJob style.
Suspend bool `json:"suspend,omitempty"`
// IntervalTimer is the interval (in minutes) for the node scanning. The default is "60". Only applicable for Deployment
// style.
// +kubebuilder:default=60
Expand All @@ -456,6 +466,8 @@ type Containers struct {
Resources corev1.ResourceRequirements `json:"resources,omitempty"`
// Specify a custom crontab schedule for the container image scanning job. If not specified, the default schedule is used.
Schedule string `json:"schedule,omitempty"`
// Suspend pauses scheduled container image scan CronJobs without deleting generated resources.
Suspend bool `json:"suspend,omitempty"`
// Env allows setting extra environment variables for the node scanner. If the operator sets already an env
// variable with the same name, the value specified here will override it.
Env []corev1.EnvVar `json:"env,omitempty"`
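Review bot: The `Suspend` fields added to `KubernetesResources`, `Nodes` and `Containers` carry no `// +optional` marker while the one added to `ExternalCluster` does; since all four are plain bools with `omitempty`, the generated CRD treats them as optional either way, and each one follows how `Schedule` is annotated in its own struct, so this is a consistency point rather than a defect. The inheritance is one-way (`KubernetesResources.Suspend || cluster.Suspend` in the k8s_scan hunk), so it is worth saying so in the `KubernetesResources.Suspend` comment, e.g. `// A per-cluster Suspend of false does not override this value.`. From these hunks I cannot see whether the suspended state is surfaced in the MondooAuditConfig status; a paused scanner that otherwise looks healthy is easy to overlook, so a status condition or a log line when suspend is in effect would help operators notice it.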
18 changes: 18 additions & 0 deletions charts/mondoo-operator/crds/k8s.mondoo.com_mondooauditconfigs.yaml
Expand Up @@ -322,6 +322,10 @@ spec:
image scanning job. If not specified, the default schedule is
used.
type: string
suspend:
description: Suspend pauses scheduled container image scan CronJobs
without deleting generated resources.
type: boolean
workloadIdentity:
description: |-
WorkloadIdentity configures Workload Identity Federation for authenticating to cloud
Expand Down Expand Up @@ -630,6 +634,11 @@ spec:
- server
- trustBundleSecretRef
type: object
suspend:
description: |-
Suspend pauses the scheduled scan CronJob for this external cluster.
The CronJob is also paused when KubernetesResources.Suspend is true.
type: boolean
vaultAuth:
description: |-
VaultAuth configures HashiCorp Vault Kubernetes secrets engine for dynamic credential generation.
Expand Down Expand Up @@ -881,6 +890,11 @@ spec:
resource scanning job. If not specified, the default schedule
is used.
type: string
suspend:
description: |-
Suspend pauses scheduled Kubernetes resource scan CronJobs without deleting the generated resources.
External cluster scan CronJobs inherit this value and can also be paused individually.
type: boolean
type: object
mondooCredsSecretRef:
description: Config is an example field of MondooAuditConfig. Edit
Expand Down Expand Up @@ -1163,6 +1177,10 @@ spec:
- deployment
- daemonset
type: string
suspend:
description: Suspend pauses scheduled node scan CronJobs without
deleting generated resources. Only applicable for CronJob style.
type: boolean
type: object
scanner:
description: |-
Expand Up @@ -322,6 +322,10 @@ spec:
image scanning job. If not specified, the default schedule is
used.
type: string
suspend:
description: Suspend pauses scheduled container image scan CronJobs
without deleting generated resources.
type: boolean
workloadIdentity:
description: |-
WorkloadIdentity configures Workload Identity Federation for authenticating to cloud
Expand All @@ -341,6 +345,13 @@ spec:
clusterName:
description: ClusterName is the AKS cluster name.
type: string
endpoint:
description: |-
Endpoint optionally overrides the Kubernetes API server endpoint URL.
When set, the init container uses this URL instead of the auto-discovered endpoint.
Must start with "https://".
pattern: ^https://
type: string
loginServer:
description: |-
LoginServer is the ACR login server URL (e.g., "myregistry.azurecr.io").
Expand Down Expand Up @@ -370,6 +381,13 @@ spec:
clusterName:
description: ClusterName is the EKS cluster name.
type: string
endpoint:
description: |-
Endpoint optionally overrides the Kubernetes API server endpoint URL.
When set, the init container uses this URL instead of the auto-discovered endpoint.
Must start with "https://".
pattern: ^https://
type: string
region:
description: Region is the AWS region.
type: string
Expand All @@ -395,6 +413,13 @@ spec:
clusterName:
description: ClusterName is the GKE cluster name.
type: string
endpoint:
description: |-
Endpoint optionally overrides the Kubernetes API server endpoint URL.
When set, the init container uses this URL instead of the auto-discovered endpoint.
Must start with "https://".
pattern: ^https://
type: string
googleServiceAccount:
description: |-
GoogleServiceAccount is the Google service account to impersonate.
Expand Down Expand Up @@ -609,6 +634,11 @@ spec:
- server
- trustBundleSecretRef
type: object
suspend:
description: |-
Suspend pauses the scheduled scan CronJob for this external cluster.
The CronJob is also paused when KubernetesResources.Suspend is true.
type: boolean
vaultAuth:
description: |-
VaultAuth configures HashiCorp Vault Kubernetes secrets engine for dynamic credential generation.
Expand Down Expand Up @@ -708,6 +738,13 @@ spec:
clusterName:
description: ClusterName is the AKS cluster name.
type: string
endpoint:
description: |-
Endpoint optionally overrides the Kubernetes API server endpoint URL.
When set, the init container uses this URL instead of the auto-discovered endpoint.
Must start with "https://".
pattern: ^https://
type: string
loginServer:
description: |-
LoginServer is the ACR login server URL (e.g., "myregistry.azurecr.io").
Expand Down Expand Up @@ -737,6 +774,13 @@ spec:
clusterName:
description: ClusterName is the EKS cluster name.
type: string
endpoint:
description: |-
Endpoint optionally overrides the Kubernetes API server endpoint URL.
When set, the init container uses this URL instead of the auto-discovered endpoint.
Must start with "https://".
pattern: ^https://
type: string
region:
description: Region is the AWS region.
type: string
Expand All @@ -762,6 +806,13 @@ spec:
clusterName:
description: ClusterName is the GKE cluster name.
type: string
endpoint:
description: |-
Endpoint optionally overrides the Kubernetes API server endpoint URL.
When set, the init container uses this URL instead of the auto-discovered endpoint.
Must start with "https://".
pattern: ^https://
type: string
googleServiceAccount:
description: |-
GoogleServiceAccount is the Google service account to impersonate.
Expand Down Expand Up @@ -839,6 +890,11 @@ spec:
resource scanning job. If not specified, the default schedule
is used.
type: string
suspend:
description: |-
Suspend pauses scheduled Kubernetes resource scan CronJobs without deleting the generated resources.
External cluster scan CronJobs inherit this value and can also be paused individually.
type: boolean
type: object
mondooCredsSecretRef:
description: Config is an example field of MondooAuditConfig. Edit
Expand Down Expand Up @@ -1121,6 +1177,10 @@ spec:
- deployment
- daemonset
type: string
suspend:
description: Suspend pauses scheduled node scan CronJobs without
deleting generated resources. Only applicable for CronJob style.
type: boolean
type: object
scanner:
description: |-
18 changes: 18 additions & 0 deletions config/crd/bases/k8s.mondoo.com_mondooauditconfigs.yaml
Expand Up @@ -322,6 +322,10 @@ spec:
image scanning job. If not specified, the default schedule is
used.
type: string
suspend:
description: Suspend pauses scheduled container image scan CronJobs
without deleting generated resources.
type: boolean
workloadIdentity:
description: |-
WorkloadIdentity configures Workload Identity Federation for authenticating to cloud
Expand Down Expand Up @@ -631,6 +635,11 @@ spec:
- server
- trustBundleSecretRef
type: object
suspend:
description: |-
Suspend pauses the scheduled scan CronJob for this external cluster.
The CronJob is also paused when KubernetesResources.Suspend is true.
type: boolean
vaultAuth:
description: |-
VaultAuth configures HashiCorp Vault Kubernetes secrets engine for dynamic credential generation.
Expand Down Expand Up @@ -882,6 +891,11 @@ spec:
resource scanning job. If not specified, the default schedule
is used.
type: string
suspend:
description: |-
Suspend pauses scheduled Kubernetes resource scan CronJobs without deleting the generated resources.
External cluster scan CronJobs inherit this value and can also be paused individually.
type: boolean
type: object
mondooCredsSecretRef:
description: Config is an example field of MondooAuditConfig. Edit
Expand Down Expand Up @@ -1164,6 +1178,10 @@ spec:
- deployment
- daemonset
type: string
suspend:
description: Suspend pauses scheduled node scan CronJobs without
deleting generated resources. Only applicable for CronJob style.
type: boolean
type: object
scanner:
description: |-
8 changes: 8 additions & 0 deletions config/samples/k8s_v1alpha2_mondooauditconfig.yaml
Expand Up @@ -53,6 +53,8 @@ spec:
enable: true
# Cron schedule (default: random minute each hour)
# schedule: "0 * * * *"
# Pause scheduled Kubernetes resource scan CronJobs without deleting them.
# suspend: true

# Real-time resource watching (alternative to CronJob scheduling)
# When enabled, resources are scanned immediately when they change
Expand Down Expand Up @@ -80,6 +82,8 @@ spec:
# name: prod-kubeconfig
# # Optional: override schedule for this cluster
# # schedule: "0 */2 * * *"
# # Optional: pause this external cluster scan CronJob
# # suspend: true
# # Optional: cluster-specific filtering
# # filtering:
# # namespaces:
Expand Down Expand Up @@ -146,6 +150,8 @@ spec:
enable: true
# Cron schedule (default: daily)
# schedule: "0 0 * * *"
# Pause scheduled container image scan CronJobs without deleting them.
# suspend: true
resources:
requests:
cpu: 100m
Expand All @@ -161,6 +167,8 @@ spec:
style: cronjob
# Cron schedule (only for cronjob style)
# schedule: "0 * * * *"
# Pause scheduled node scan CronJobs without deleting them.
# suspend: true
# Interval in minutes (only for deployment style)
# intervalTimer: 60
resources:
1 change: 1 addition & 0 deletions controllers/container_image/resources.go
Expand Up @@ -67,6 +67,7 @@ func CronJob(image, integrationMrn, clusterUid, privateRegistrySecretName string
},
Spec: batchv1.CronJobSpec{
Schedule: m.Spec.Containers.Schedule,
Suspend: ptr.To(m.Spec.Containers.Suspend),
ConcurrencyPolicy: batchv1.ForbidConcurrent,
JobTemplate: batchv1.JobTemplateSpec{
ObjectMeta: metav1.ObjectMeta{Labels: ls},
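Review bot: `Suspend: ptr.To(m.Spec.Containers.Suspend)` always yields a non-nil pointer, so the built CronJob now carries an explicit `suspend: false` when the field is unset instead of leaving it nil; the same applies to the two `Suspend:` lines in controllers/k8s_scan/resources.go. The batch API defaults `suspend` to false server-side, so this should not produce spurious updates, but if the reconciler diffs the built spec against the live object field-by-field it is worth confirming that `&false` and the server-defaulted value compare equal rather than triggering an update each reconcile. `CronJob`'s body starts and ends outside the hunk.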
11 changes: 11 additions & 0 deletions controllers/container_image/resources_test.go
Expand Up @@ -271,6 +271,17 @@ func TestCronJob_WIF_EKS(t *testing.T) {
assert.Equal(t, "arn:aws:iam::123456789012:role/ecr-reader", initEnv["ROLE_ARN"])
}

func TestCronJob_Suspend(t *testing.T) {
m := testAuditConfig()
m.Spec.Containers.Suspend = true
cfg := v1alpha2.MondooOperatorConfig{}

cj := CronJob("test-image:latest", "", testClusterUID, "", m, cfg)

require.NotNil(t, cj.Spec.Suspend)
assert.True(t, *cj.Spec.Suspend)
}

func TestCronJob_WIF_AKS(t *testing.T) {
m := testAuditConfig()
m.Spec.Containers.WorkloadIdentity = &v1alpha2.WorkloadIdentityConfig{
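Review bot: `TestCronJob_Suspend` pins only the `Suspend = true` case; the unset case is equally worth pinning now that the builder always emits a non-nil pointer, e.g. after building from an untouched `testAuditConfig()`: `require.NotNil(t, cj.Spec.Suspend)` followed by `assert.False(t, *cj.Spec.Suspend)`. That assumes `testAuditConfig()` leaves `Containers.Suspend` at its zero value, which I cannot see from here.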
2 changes: 2 additions & 0 deletions controllers/k8s_scan/resources.go
Expand Up @@ -78,6 +78,7 @@ func CronJob(image string, m *v1alpha2.MondooAuditConfig, cfg v1alpha2.MondooOpe
},
Spec: batchv1.CronJobSpec{
Schedule: m.Spec.KubernetesResources.Schedule,
Suspend: ptr.To(m.Spec.KubernetesResources.Suspend),
ConcurrencyPolicy: batchv1.ForbidConcurrent,
JobTemplate: batchv1.JobTemplateSpec{
ObjectMeta: metav1.ObjectMeta{Labels: ls},
Expand Down Expand Up @@ -433,6 +434,7 @@ func ExternalClusterCronJob(image string, cluster v1alpha2.ExternalCluster, m *v
},
Spec: batchv1.CronJobSpec{
Schedule: schedule,
Suspend: ptr.To(m.Spec.KubernetesResources.Suspend || cluster.Suspend),
ConcurrencyPolicy: batchv1.ForbidConcurrent,
JobTemplate: batchv1.JobTemplateSpec{
ObjectMeta: metav1.ObjectMeta{Labels: ls},
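Review bot: The combined expression `ptr.To(m.Spec.KubernetesResources.Suspend || cluster.Suspend)` in `ExternalClusterCronJob` has no test in this PR, while the container image CronJob got `TestCronJob_Suspend`; both operands deserve a case, because the global flag overriding a per-cluster `suspend: false` is exactly the behaviour the field doc promises. A test next to the existing k8s_scan resource tests could build the CronJob once with `m.Spec.KubernetesResources.Suspend = true` and `cluster.Suspend = false`, once with the values swapped, asserting `*cj.Spec.Suspend` is true in both, plus a third case with both false asserting a non-nil false. Neither `CronJob` nor `ExternalClusterCronJob` starts or ends within these hunks. I also do not see a corresponding change for the node scanning CronJob despite the new `Nodes.Suspend` field; if that lives in a file not loaded on this page, ignore this.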