- Expose into the chart additional runtime options

Author: gadinaor

README.md

@@ -65,7 +65,7 @@ iskan --cluster-context mycluster --api-config myconfig.yaml
           --filter-cvss float32        Include CVEs with CVSS score greater or equal than the specified number. Valid values: 0.0-10.0
           --filter-fixable-only        Include CVEs with which are fixable
           --filter-severity string     Select which severities to include. Comma seperated MINIMAL,LOW,MEDIUM,HIGH,CRITICAL
-      -f, --format string              Output format. Supported formats: json | yaml | table (default "json")
+      -f, --format string              Output format. Supported formats: json | yaml | (default "json")
       -h, --help                       help for cluster
           --namespace-exclude string   Namespaces to exclude from the scan (default "kube-system")
           --namespace-include string   Namespaces to include in the scan (default "*")

deploy/charts/iskan/README.md

@@ -1,6 +1,6 @@
 # iskan
 
-![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
+![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
 
 # Kubernetes Native Image Scanning.
 
@@ -28,10 +28,15 @@ Harness your existing Container Image Vulnerability Scanning information to your
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | cronSchedule | string | `"*/1 * * * *"` |  |
-| export.targets | list | `["file:///path/to/dir","slack://mychannel?apikey=<mykey>[&file-type=json&title=mymsgtitle]","webhook://myserver?x-headers=X-myheader:myval&token-bearer=1234"]` | Export generated report to one or more export targets  see: https://github.com/kruzio/exodus#supported-targets |
+| export.targets | list | `["file:///path/to/dir","slack://mychannel?apikey=<mykey>[&file-type=json&title=MyClusterVulnReport","webhook://myserver?x-headers=X-myheader:myval&token-bearer=1234"]` | Export generated report to one or more export targets  see: https://github.com/kruzio/exodus#supported-targets |
 | image.iskan | string | `"alcide/iskan:localscan"` |  |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | reportPolicyFile | string | `"config/report-policy.yaml"` |  |
+| runOptions.namespacesExcluded | string | `"kube-system"` | Comma separated list of namespaces to exclude from the scan or use '-' to avoid exclusion |
+| runOptions.namespacesIncluded | string | `"*"` | Comma separated list of namespaces to scan or use '*' for all of them |
+| runOptions.reportFormat | string | `"json"` | The report format - json or yaml |
+| runOptions.scanApiBurst | int | `100` | The Vulnerability Provider API call burst limit |
+| runOptions.scanApiQPS | int | `30` | The Vulnerability Provider API call rate limit (queries-per-sec) |
 | vulnProviderCredFile | string | `"config/providers.yaml"` |  |
 
 ----------------------------------------------

deploy/charts/iskan/templates/iskan-cronjob.yaml

@@ -86,10 +86,12 @@ spec:
                   name: workspace
             args:
               - cluster
-              #- --namespace-include=alcide
-              #- --namespace-exclude=alcide
-              - --format=json
-              - --outfile=/outbox/report.json
+              - --namespace-include={{ .Values.runOptions.namespacesIncluded | quote }}
+              - --namespace-exclude={{ .Values.runOptions.namespacesExcluded | quote }}
+              - --format={{ .Values.runOptions.reportFormat }}
+              - --scan-api-burst={{ .Values.runOptions.scanApiBurst}}
+              - --scan-api-qps={{ .Values.runOptions.scanApiQPS}}
+              - --outfile=/outbox/report
               - --api-config=/creds/providers.yaml
               - --report-config=/config/report-config.yaml
               #- -v=7 # Verbose level 10 will print secrets - DO NOT USE THAT

deploy/charts/iskan/values.yaml

@@ -21,6 +21,18 @@ vulnProviderCredFile: config/providers.yaml
 # The Report Policy configuration
 reportPolicyFile: config/report-policy.yaml
 
+runOptions:
+  # -- Comma separated list of namespaces to scan or use '*' for all of them
+  namespacesIncluded: "*"
+  # -- Comma separated list of namespaces to exclude from the scan or use '-' to avoid exclusion
+  namespacesExcluded: "kube-system"
+  # -- The Vulnerability Provider API call rate limit (queries-per-sec)
+  scanApiQPS: 30
+  # -- The Vulnerability Provider API call burst limit
+  scanApiBurst: 100
+  # -- The report format - json or yaml
+  reportFormat: "json"
+
 export:
   # -- Export generated report to one or more export targets
   #  see: https://github.com/kruzio/exodus#supported-targets