Summary

• add external cluster OIDC refresh-token auth that generates a short-lived bearer-token kubeconfig in an init container
• keep OIDC credentials pod-local: reconciliation now checks only Secret existence and lets the init container validate the configured key
• pass proxy environment variables into the OIDC init container unless skipProxyForCnspec is set
• keep the external-cluster active deadline on external-cluster scan Jobs without applying it to the local Kubernetes resource scan CronJob
• document OIDC auth, generated kubeconfig security boundaries, and test behavior

Review fixes

• add HTTPS-only curl protocol restrictions to OIDC discovery, refresh, device token, and token-exchange calls
• replace the fragile unquoted issuer CA curl-args string with a curl_oidc helper that quotes the CA path
• pass OIDC mount paths through env vars instead of interpolating path constants into the shell script
• document that the shell JSON extractor only supports top-level simple OIDC string fields
• mount OIDC credential Secrets with mode 0440
• validate OIDC scope items in the CRD with a restrictive item pattern

Validation

• git diff --check
• make manifests
• rg -n "scopes:|pattern: \\^\\[A-Za-z0-9" config/crd/bases/k8s.mondoo.com_mondooauditconfigs.yaml charts/mondoo-operator/crds/k8s.mondoo.com_mondooauditconfigs.yaml charts/mondoo-operator/files/crds/k8s.mondoo.com_mondooauditconfigs.yaml
• go test ./controllers/k8s_scan -run 'TestExternalClusterCronJob_OIDCAuth|TestOIDCInitContainerDefaultsCredentialKeys|TestDeploymentHandlerSuite/TestReconcile_ExternalCluster_OIDCAuth'
• go test ./controllers/k8s_scan
• go test ./controllers/k8s_scan ./pkg/utils/k8s
• make lint/actions
• make lint
• kubectl --context kind-mondoo-oidc-kind apply --dry-run=server -f config/crd/bases/k8s.mondoo.com_mondooauditconfigs.yaml
• kubectl --context kind-mondoo-oidc-kind apply --dry-run=server -f config/samples/k8s_v1alpha2_mondooauditconfig.yaml

Notes

• The controller intentionally does not read refresh-token Secret data during reconciliation. Missing or empty key data is reported by the generated init container in the scanner pod.