4 changes: 2 additions & 2 deletions .github/actions/link-check/config.json
@@ -1,3 +1,3 @@
{
"aliveStatusCodes": [429, 200, 406]
}
"aliveStatusCodes": [200, 406, 429]
}
18 changes: 18 additions & 0 deletions api/v1alpha2/mondooauditconfig_types.go
Expand Up @@ -67,13 +67,26 @@ type ConsoleIntegration struct {
Enable bool `json:"enable,omitempty"`
}

// PodScheduling defines pod placement settings for scanner workloads.
type PodScheduling struct {
// NodeSelector selects nodes where scanner pods may run.
// +optional
NodeSelector map[string]string `json:"nodeSelector,omitempty"`

// Tolerations allows scanner pods to schedule onto nodes with matching taints.
// +optional
Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
}

// Scanner defines the settings for the Mondoo scanner that will be running in the cluster. The same scanner
// is used for scanning the Kubernetes API and the nodes.
type Scanner struct {
// +kubebuilder:default=mondoo-operator-k8s-resources-scanning
ServiceAccountName string `json:"serviceAccountName,omitempty"`
Image Image `json:"image,omitempty"`
Resources corev1.ResourceRequirements `json:"resources,omitempty"`
// Scheduling configures pod placement for Kubernetes resource scanner workloads, including the resource watcher.
Scheduling PodScheduling `json:"scheduling,omitempty"`
// Number of replicas for the scanner.
// For enforcing mode, the minimum should be two to prevent problems during Pod failures,
// e.g. node failure, node scaling, etc.
Expand Down Expand Up @@ -433,6 +446,9 @@ const (
type Nodes struct {
Enable bool `json:"enable,omitempty"`
Resources corev1.ResourceRequirements `json:"resources,omitempty"`
// Scheduling configures pod placement for node scanner workloads.
// CronJob style pins each scanner pod to a target node by nodeName, so nodeSelector only applies to DaemonSet style.
Scheduling PodScheduling `json:"scheduling,omitempty"`
// Schedule specifies a custom crontab schedule for the node scanning job. If not specified, the default schedule is
// used. Only applicable for CronJob style
Schedule string `json:"schedule,omitempty"`
Expand All @@ -454,6 +470,8 @@ type Nodes struct {
type Containers struct {
Enable bool `json:"enable,omitempty"`
Resources corev1.ResourceRequirements `json:"resources,omitempty"`
// Scheduling configures pod placement for container image scanner workloads.
Scheduling PodScheduling `json:"scheduling,omitempty"`
// Specify a custom crontab schedule for the container image scanning job. If not specified, the default schedule is used.
Schedule string `json:"schedule,omitempty"`
// Env allows setting extra environment variables for the node scanner. If the operator sets already an env
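Review bot: The comment on Nodes.Scheduling (the hunk at `type Nodes struct`) states that nodeSelector only applies to DaemonSet style, but nothing in the type rejects or reports that combination, so a user who sets nodes.scheduling.nodeSelector under the default `cronjob` style (the `default: cronjob` visible in the chart CRD hunk) gets a silently ignored field. A `+kubebuilder:validation:XValidation` rule on Nodes, or a status condition set by the reconciler, would make the mismatch visible; the reconciler is outside this diff, so it may already warn. The same comment could also say what happens to tolerations under cronjob style: if the pod really is pinned via nodeName, the scheduler is bypassed and NoSchedule taints are not enforced, while NoExecute taints are still enforced by the taint manager, so tolerations remain relevant there, e.g. `// Tolerations still matter under CronJob style: nodeName pinning bypasses NoSchedule taints, but NoExecute taints are still enforced.` The Nodes struct body continues outside the hunk.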
32 changes: 32 additions & 0 deletions api/v1alpha2/zz_generated.deepcopy.go


157 changes: 157 additions & 0 deletions charts/mondoo-operator/crds/k8s.mondoo.com_mondooauditconfigs.yaml
Expand Up @@ -322,6 +322,58 @@ spec:
image scanning job. If not specified, the default schedule is
used.
type: string
scheduling:
description: Scheduling configures pod placement for container
image scanner workloads.
properties:
nodeSelector:
additionalProperties:
type: string
description: NodeSelector selects nodes where scanner pods
may run.
type: object
tolerations:
description: Tolerations allows scanner pods to schedule onto
nodes with matching taints.
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
type: object
workloadIdentity:
description: |-
WorkloadIdentity configures Workload Identity Federation for authenticating to cloud
Expand Down Expand Up @@ -1153,6 +1205,59 @@ spec:
Schedule specifies a custom crontab schedule for the node scanning job. If not specified, the default schedule is
used. Only applicable for CronJob style
type: string
scheduling:
description: |-
Scheduling configures pod placement for node scanner workloads.
CronJob style pins each scanner pod to a target node by nodeName, so nodeSelector only applies to DaemonSet style.
properties:
nodeSelector:
additionalProperties:
type: string
description: NodeSelector selects nodes where scanner pods
may run.
type: object
tolerations:
description: Tolerations allows scanner pods to schedule onto
nodes with matching taints.
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
type: object
style:
default: cronjob
description: Style specifies how node scanning is deployed. The
Expand Down Expand Up @@ -1452,6 +1557,58 @@ spec:
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
type: object
scheduling:
description: Scheduling configures pod placement for Kubernetes
resource scanner workloads, including the resource watcher.
properties:
nodeSelector:
additionalProperties:
type: string
description: NodeSelector selects nodes where scanner pods
may run.
type: object
tolerations:
description: Tolerations allows scanner pods to schedule onto
nodes with matching taints.
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
type: object
serviceAccountName:
default: mondoo-operator-k8s-resources-scanning
type: string