feat: add network inventory scanner options #1525
Open
MaxRink wants to merge 1 commit into
New network inventory scanner configuration feature adds CRD fields, validation, and inventory rendering for extended Kubernetes network posture scanning.
Additional findings (file/line not in diff):
- 🔵 `controllers/k8s_scan/network_inventory.go:905` — The `namespace` field on `FlowEndpointSpec` lacks a CRD-level validation pattern, unlike `serviceName` which has `pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`. While Go-side validation catches this when `enable: true`, adding a matching pattern to `namespace` in the CRD would give users earlier feedback. Consider adding `pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$` to the `namespace` field in the API types via a `+kubebuilder:validation:Pattern` marker.
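As an added illustration of the review point above (not code from the operator or from the reviewer): a stand-in `FlowEndpointSpec` carrying the `+kubebuilder:validation:Pattern` marker on both fields, and a hypothetical Go-side check that reuses the same pattern string, so `serviceName` and `namespace` are rejected consistently at admission time and in the controller. The struct, its reduced field set and `ValidateFlowEndpoint` are assumptions; only the field names and the pattern come from the comment.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed stand-in for the FlowEndpointSpec type named in the review
// comment. Only the two fields the comment mentions are modelled; this is an
// added illustration, not the operator's own API type.
type FlowEndpointSpec struct {
	// Pattern the CRD already applies to serviceName, per the review comment.
	// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`
	ServiceName string `json:"serviceName"`

	// The same marker on namespace lets the API server reject a malformed
	// value at admission, before the controller runs its own check.
	// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`
	Namespace string `json:"namespace"`
}

// rfc1123LabelPattern is the CRD pattern from the review comment; the Go-side
// check reuses it verbatim so the two validation layers cannot drift apart.
const rfc1123LabelPattern = `^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`

var rfc1123Label = regexp.MustCompile(rfc1123LabelPattern)

// ValidateFlowEndpoint is a hypothetical Go-side validator that applies the
// CRD pattern to both fields and reports the first one that fails.
func ValidateFlowEndpoint(spec FlowEndpointSpec) error {
	fields := []struct{ name, value string }{
		{"serviceName", spec.ServiceName},
		{"namespace", spec.Namespace},
	}
	for _, f := range fields {
		if !rfc1123Label.MatchString(f.value) {
			return fmt.Errorf("flow endpoint %s %q must match %s", f.name, f.value, rfc1123LabelPattern)
		}
	}
	return nil
}

func main() {
	// Constructed sample endpoints: one valid, three the pattern rejects.
	samples := []FlowEndpointSpec{
		{ServiceName: "payments", Namespace: "prod-eu"},
		{ServiceName: "payments", Namespace: "Prod"},     // uppercase
		{ServiceName: "payments", Namespace: "-leading"}, // leading hyphen
		{ServiceName: "payments", Namespace: ""},         // empty
	}
	for _, s := range samples {
		if err := ValidateFlowEndpoint(s); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Printf("accepted: %s/%s\n", s.Namespace, s.ServiceName)
		}
	}
}
```

With the marker in place, regenerating the CRD (the `make manifests` step listed under Validation, which runs controller-gen) emits the `pattern:` for `namespace` alongside the existing one for `serviceName`; the Go-side check then only sees values that already passed the API server, and sharing one pattern constant keeps the error the controller reports identical to what the CRD enforces.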
Summary

- `spec.kubernetesResources.networkInventory` API/CRD fields for HBN, MultiNetworkPolicy, CIDR classifications, and optional flow evidence endpoints
- `kubernetesNetworkInventory` inventory options for local and external Kubernetes scans

Review fixes

- `maxRecords: 0` means omitted/defaulted in rendered inventory config
- `lookback` and `timeout` duration strings in the CRD with CEL rules
- `slices.Clone` for CIDR and HBN API-group slice copies

Validation

- `git diff --check`
- `make manifests`
- `rg -n "namespace:|pattern: \\^\\[a-z0-9\\]" config/crd/bases/k8s.mondoo.com_mondooauditconfigs.yaml charts/mondoo-operator/crds/k8s.mondoo.com_mondooauditconfigs.yaml charts/mondoo-operator/files/crds/k8s.mondoo.com_mondooauditconfigs.yaml`
- `go test ./controllers/k8s_scan -run 'TestInventoryNetworkInventory(ObservedFlows|ObservedFlowBackendEnablesParent|ObservedFlowsParentOnly|AllowsRFC1123ServiceNames|RejectsInvalidFlowEndpoint|RejectsInvalidObservedFlowConfig)|TestDiscoveryTargetsNetworkInventoryForcesClusterTarget|TestDeploymentHandlerSuite/TestReconcile_NetworkInventory'`
- `go test ./controllers/k8s_scan`
- `go test ./api/...`
- `go test ./controllers/k8s_scan ./api/...`
- `go test ./controllers/k8s_scan ./api/v1alpha2`
- `go test $(go list ./... | grep -v '/tests/integration')`
- `helm lint charts/mondoo-operator`
- `helm template hbn-network-review charts/mondoo-operator >/tmp/mondoo-operator-hbn-network-review.yaml`
- `go run sigs.k8s.io/kustomize/kustomize/v4@v4.5.7 build config/default >/tmp/mondoo-operator-hbn-network-kustomize.yaml`
- `make lint/actions`
- `make lint`

Full `go test ./...` still requires integration credentials/kubeconfig (`MONDOO_ORG_MRN` and Kubernetes client config) and is not runnable locally without that environment.