---
# Namespace that hosts the operator's controller-manager.
apiVersion: v1
kind: Namespace
metadata:
  name: system
  labels:
    control-plane: controller-manager
    app.kubernetes.io/name: nuclei-operator
    app.kubernetes.io/managed-by: kustomize
---
# Deployment of the operator's controller-manager (single "manager" container).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
  namespace: system
  labels:
    control-plane: controller-manager
    app.kubernetes.io/name: nuclei-operator
    app.kubernetes.io/managed-by: kustomize
spec:
  replicas: 1
  selector:
    matchLabels:
      control-plane: controller-manager
      app.kubernetes.io/name: nuclei-operator
  template:
    metadata:
      annotations:
        kubectl.kubernetes.io/default-container: manager
      labels:
        control-plane: controller-manager
        app.kubernetes.io/name: nuclei-operator
    spec:
      # TODO(user): uncomment to restrict scheduling to the platforms this
      # solution is built for. Supporting several architectures is considered
      # best practice; the docker-buildx makefile target builds a multi-arch
      # manager image.
      # affinity:
      #   nodeAffinity:
      #     requiredDuringSchedulingIgnoredDuringExecution:
      #       nodeSelectorTerms:
      #         - matchExpressions:
      #             - key: kubernetes.io/arch
      #               operator: In
      #               values:
      #                 - amd64
      #                 - arm64
      #                 - ppc64le
      #                 - s390x
      #             - key: kubernetes.io/os
      #               operator: In
      #               values:
      #                 - linux
      # Pod-level context follows the "restricted" Pod Security Standard, the
      # strictest built-in profile for Kubernetes deployments. See:
      # https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: manager
          # Placeholder reference; presumably rewritten by the kustomize
          # image transformer in the overlay - verify before deploying.
          image: controller:latest
          command:
            - /manager
          args:
            - --leader-elect
            - --health-probe-bind-address=:8081
          # No containerPort is declared; the probes below target 8081 directly.
          ports: []
          env:
            - name: NUCLEI_BINARY_PATH
              value: "/usr/local/bin/nuclei"
            - name: NUCLEI_TEMPLATES_PATH
              value: "/nuclei-templates"
            - name: NUCLEI_TIMEOUT
              value: "30m"
            # Age after which a stored scan result triggers an automatic
            # rescan. Default 168h (one week); "0" disables age-based rescans.
            - name: NUCLEI_RESCAN_AGE
              value: "168h"
            # Exponential backoff for target availability checks:
            # initial retry interval, maximum interval, and multiplier.
            - name: NUCLEI_BACKOFF_INITIAL
              value: "10s"  # default 10s
            - name: NUCLEI_BACKOFF_MAX
              value: "10m"  # default 10m
            - name: NUCLEI_BACKOFF_MULTIPLIER
              value: "2.0"  # default 2.0
          securityContext:
            # Nuclei writes temporary files, so the root filesystem is left
            # writable. NOTE(review): the only writable volume provisioned
            # here is nuclei-cache; if nuclei's scratch writes can be confined
            # to a dedicated emptyDir (e.g. /tmp) this could be tightened to
            # true - confirm against the binary's actual write paths.
            readOnlyRootFilesystem: false
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            runAsUser: 65532
            capabilities:
              drop:
                - "ALL"
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8081
            initialDelaySeconds: 15
            periodSeconds: 20
          readinessProbe:
            httpGet:
              path: /readyz
              port: 8081
            initialDelaySeconds: 5
            periodSeconds: 10
          # Sized for running Nuclei scans inside the manager container.
          resources:
            limits:
              cpu: "2"
              memory: "2Gi"
            requests:
              cpu: "500m"
              memory: "512Mi"
          volumeMounts:
            # NOTE(review): an emptyDir starts empty and this mount is
            # read-only for the manager, so nothing in this manifest populates
            # /nuclei-templates - presumably an overlay adds an init container
            # or sidecar that fills it; verify.
            - name: nuclei-templates
              mountPath: /nuclei-templates
              readOnly: true
            - name: nuclei-cache
              mountPath: /home/nonroot/.nuclei
      volumes:
        - name: nuclei-templates
          emptyDir: {}
        - name: nuclei-cache
          emptyDir: {}
      serviceAccountName: controller-manager
      terminationGracePeriodSeconds: 10