Skip to content

feat: filter scheduled scans by labels #1521

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
MaxRink wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat: filter scheduled scans by labels #1521

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a7b62e4
feat: filter scheduled scans by labels
MaxRink Jun 19, 2026
0b16a53
ci: isolate link-check configuration
MaxRink Jun 19, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/actions/link-check/config.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
{
"aliveStatusCodes": [429, 200, 406]
}
"aliveStatusCodes": [200, 406, 429]
}
8 changes: 8 additions & 0 deletions api/v1alpha2/mondooauditconfig_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,14 @@ type MondooAuditConfigSpec struct {

type Filtering struct {
Namespaces FilteringSpec `json:"namespaces,omitempty"`
// NamespaceLabelSelector selects Kubernetes namespaces by their own labels.
// It is evaluated in addition to namespace include/exclude filtering.
// +optional
NamespaceLabelSelector *metav1.LabelSelector `json:"namespaceLabelSelector,omitempty"`
// ObjectLabelSelector selects Kubernetes objects by their own labels.
// It is passed to cnspec Kubernetes discovery for scheduled scans.
// +optional
ObjectLabelSelector *metav1.LabelSelector `json:"objectLabelSelector,omitempty"`
}

type FilteringSpec struct {
Expand Down
31 changes: 21 additions & 10 deletions api/v1alpha2/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

195 changes: 194 additions & 1 deletion charts/mondoo-operator/crds/k8s.mondoo.com_mondooauditconfigs.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -443,6 +443,54 @@ spec:
type: object
filtering:
properties:
namespaceLabelSelector:
description: |-
NamespaceLabelSelector selects Kubernetes namespaces by their own labels.
It is evaluated in addition to namespace include/exclude filtering.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
properties:
exclude:
Expand All @@ -461,6 +509,54 @@ spec:
type: string
type: array
type: object
objectLabelSelector:
description: |-
ObjectLabelSelector selects Kubernetes objects by their own labels.
It is passed to cnspec Kubernetes discovery for scheduled scans.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
kubernetesResources:
properties:
Expand All @@ -486,8 +582,57 @@ spec:
filtering:
description: |-
Filtering allows namespace filtering specific to this external cluster.
If not specified, uses the global filtering from MondooAuditConfigSpec.Filtering.
If omitted, the external cluster inherits the global filtering from MondooAuditConfigSpec.Filtering.
Set an empty filtering object to scan all namespaces for this external cluster even when global filtering is configured.
properties:
namespaceLabelSelector:
description: |-
NamespaceLabelSelector selects Kubernetes namespaces by their own labels.
It is evaluated in addition to namespace include/exclude filtering.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
properties:
exclude:
Expand All @@ -506,6 +651,54 @@ spec:
type: string
type: array
type: object
objectLabelSelector:
description: |-
ObjectLabelSelector selects Kubernetes objects by their own labels.
It is passed to cnspec Kubernetes discovery for scheduled scans.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
kubeconfigSecretRef:
description: |-
Expand Down
Loading
Loading