mirror of
https://github.com/morten-olsen/homelab-nuclei-operator.git
synced 2026-02-07 18:06:23 +01:00
12d681ada1
This major refactor moves from synchronous subprocess-based scanning to asynchronous pod-based scanning using Kubernetes Jobs. ## Architecture Changes - Scanner jobs are now Kubernetes Jobs with TTLAfterFinished for automatic cleanup - Jobs have owner references for garbage collection when NucleiScan is deleted - Configurable concurrency limits, timeouts, and resource requirements ## New Features - Dual-mode binary: --mode=controller (default) or --mode=scanner - Annotation-based configuration for Ingress/VirtualService resources - Operator-level configuration via environment variables - Startup recovery for orphaned scans after operator restart - Periodic cleanup of stuck jobs ## New Files - DESIGN.md: Comprehensive architecture design document - internal/jobmanager/: Job Manager for creating/monitoring scanner jobs - internal/scanner/runner.go: Scanner mode implementation - internal/annotations/: Annotation parsing utilities - charts/nuclei-operator/templates/scanner-rbac.yaml: Scanner RBAC ## API Changes - Added ScannerConfig struct for per-scan scanner configuration - Added JobReference struct for tracking scanner jobs - Added ScannerConfig field to NucleiScanSpec - Added JobRef and ScanStartTime fields to NucleiScanStatus ## Supported Annotations - nuclei.homelab.mortenolsen.pro/enabled - nuclei.homelab.mortenolsen.pro/templates - nuclei.homelab.mortenolsen.pro/severity - nuclei.homelab.mortenolsen.pro/schedule - nuclei.homelab.mortenolsen.pro/timeout - nuclei.homelab.mortenolsen.pro/scanner-image ## RBAC Updates - Added Job and Pod permissions for operator - Created separate scanner service account with minimal permissions ## Documentation - Updated README, user-guide, api.md, and Helm chart README - Added example annotated Ingress resources
218 lines
4.1 KiB
YAML
218 lines
4.1 KiB
YAML
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: {{ include "nuclei-operator.fullname" . }}-manager-role
|
|
labels:
|
|
{{- include "nuclei-operator.labels" . | nindent 4 }}
|
|
rules:
|
|
- apiGroups:
|
|
- batch
|
|
resources:
|
|
- jobs
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- get
|
|
- list
|
|
- patch
|
|
- update
|
|
- watch
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- events
|
|
verbs:
|
|
- create
|
|
- patch
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- pods
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- pods/log
|
|
verbs:
|
|
- get
|
|
- apiGroups:
|
|
- networking.istio.io
|
|
resources:
|
|
- virtualservices
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- networking.istio.io
|
|
resources:
|
|
- virtualservices/status
|
|
verbs:
|
|
- get
|
|
- apiGroups:
|
|
- networking.k8s.io
|
|
resources:
|
|
- ingresses
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- networking.k8s.io
|
|
resources:
|
|
- ingresses/status
|
|
verbs:
|
|
- get
|
|
- apiGroups:
|
|
- nuclei.homelab.mortenolsen.pro
|
|
resources:
|
|
- nucleiscans
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- get
|
|
- list
|
|
- patch
|
|
- update
|
|
- watch
|
|
- apiGroups:
|
|
- nuclei.homelab.mortenolsen.pro
|
|
resources:
|
|
- nucleiscans/finalizers
|
|
verbs:
|
|
- update
|
|
- apiGroups:
|
|
- nuclei.homelab.mortenolsen.pro
|
|
resources:
|
|
- nucleiscans/status
|
|
verbs:
|
|
- get
|
|
- patch
|
|
- update
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: {{ include "nuclei-operator.fullname" . }}-manager-rolebinding
|
|
labels:
|
|
{{- include "nuclei-operator.labels" . | nindent 4 }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: {{ include "nuclei-operator.fullname" . }}-manager-role
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: {{ include "nuclei-operator.serviceAccountName" . }}
|
|
namespace: {{ .Release.Namespace }}
|
|
---
|
|
# Leader election role
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: {{ include "nuclei-operator.fullname" . }}-leader-election-role
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
{{- include "nuclei-operator.labels" . | nindent 4 }}
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- configmaps
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- create
|
|
- update
|
|
- patch
|
|
- delete
|
|
- apiGroups:
|
|
- coordination.k8s.io
|
|
resources:
|
|
- leases
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- create
|
|
- update
|
|
- patch
|
|
- delete
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- events
|
|
verbs:
|
|
- create
|
|
- patch
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: {{ include "nuclei-operator.fullname" . }}-leader-election-rolebinding
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
{{- include "nuclei-operator.labels" . | nindent 4 }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: {{ include "nuclei-operator.fullname" . }}-leader-election-role
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: {{ include "nuclei-operator.serviceAccountName" . }}
|
|
namespace: {{ .Release.Namespace }}
|
|
{{- if .Values.metrics.enabled }}
|
|
---
|
|
# Metrics auth role
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: {{ include "nuclei-operator.fullname" . }}-metrics-auth-role
|
|
labels:
|
|
{{- include "nuclei-operator.labels" . | nindent 4 }}
|
|
rules:
|
|
- apiGroups:
|
|
- authentication.k8s.io
|
|
resources:
|
|
- tokenreviews
|
|
verbs:
|
|
- create
|
|
- apiGroups:
|
|
- authorization.k8s.io
|
|
resources:
|
|
- subjectaccessreviews
|
|
verbs:
|
|
- create
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: {{ include "nuclei-operator.fullname" . }}-metrics-auth-rolebinding
|
|
labels:
|
|
{{- include "nuclei-operator.labels" . | nindent 4 }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: {{ include "nuclei-operator.fullname" . }}-metrics-auth-role
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: {{ include "nuclei-operator.serviceAccountName" . }}
|
|
namespace: {{ .Release.Namespace }}
|
|
---
|
|
# Metrics reader role
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: {{ include "nuclei-operator.fullname" . }}-metrics-reader
|
|
labels:
|
|
{{- include "nuclei-operator.labels" . | nindent 4 }}
|
|
rules:
|
|
- nonResourceURLs:
|
|
- /metrics
|
|
verbs:
|
|
- get
|
|
{{- end }} |