feat(operator): Add config to enable/disable scanners (#467)

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>

CONTRIBUTING.md

@@ -224,6 +224,9 @@ started with a basic development workflow. For other install modes see [Operator
    $ OPERATOR_NAMESPACE=starboard-operator \
      OPERATOR_TARGET_NAMESPACES=default \
      OPERATOR_LOG_DEV_MODE=true \
+     OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED=true \
+     OPERATOR_VULNERABILITY_SCANNER_ENABLED=true \
+     OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED=true \
      go run cmd/starboard-operator/main.go
    ```
 

deploy/helm/values.yaml

@@ -57,6 +57,8 @@ envSecret:
   stringData:
     OPERATOR_LOG_DEV_MODE: "false"
     OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED: "true"
+    OPERATOR_VULNERABILITY_SCANNER_ENABLED: "true"
+    OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED: "true"
 
 trivy:
   enabled: true

deploy/static/06-starboard-operator.deployment.yaml

@@ -52,6 +52,10 @@ spec:
               value: ":9090"
             - name: OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED
               value: "true"
+            - name: OPERATOR_VULNERABILITY_SCANNER_ENABLED
+              value: "true"
+            - name: OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED
+              value: "true"
           ports:
             - name: metrics
               containerPort: 8080

docs/operator/configuration.md

@@ -12,6 +12,8 @@ Configuration of the operator's pod is done via environment variables at startup
 | `OPERATOR_METRICS_BIND_ADDRESS`             | `:8080`                | The TCP address to bind to for serving [Prometheus][prometheus] metrics. It can be set to `0` to disable the metrics serving. |
 | `OPERATOR_HEALTH_PROBE_BIND_ADDRESS`        | `:9090`                | The TCP address to bind to for serving health probes, i.e. `/healthz/` and `/readyz/` endpoints. |
 | `OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED` | `true`                 | The flag to enable CIS Kubernetes Benchmark reconciler |
+| `OPERATOR_VULNERABILITY_SCANNER_ENABLED`    | `true`                 | The flag to enable vulnerability scanner |
+| `OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED`     | `true`                 | The flag to enable configuration audit scanner |
 | `OPERATOR_LEADER_ELECTION_ENABLED`          | `false`                | The flag to enable operator replica leader election |
 | `OPERATOR_LEADER_ELECTION_ID`               | `starboard-operator`   | The name of the resource lock for leader election |
 

pkg/operator/etc/config.go

@@ -19,6 +19,8 @@ type Config struct {
 	HealthProbeBindAddress        string        `env:"OPERATOR_HEALTH_PROBE_BIND_ADDRESS" envDefault:":9090"`
 	LogDevMode                    bool          `env:"OPERATOR_LOG_DEV_MODE" envDefault:"false"`
 	CISKubernetesBenchmarkEnabled bool          `env:"OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED" envDefault:"true"`
+	VulnerabilityScannerEnabled   bool          `env:"OPERATOR_VULNERABILITY_SCANNER_ENABLED" envDefault:"true"`
+	ConfigAuditScannerEnabled     bool          `env:"OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED" envDefault:"true"`
 	LeaderElectionEnabled         bool          `env:"OPERATOR_LEADER_ELECTION_ENABLED" envDefault:"false"`
 	LeaderElectionID              string        `env:"OPERATOR_LEADER_ELECTION_ID" envDefault:"starboard-operator"`
 }

pkg/operator/operator.go

@@ -133,36 +133,40 @@ func Run(buildInfo starboard.BuildInfo, operatorConfig etc.Config) error {
 		return err
 	}
 
-	if err = (&controller.VulnerabilityReportReconciler{
-		Logger:         ctrl.Log.WithName("reconciler").WithName("vulnerabilityreport"),
-		Config:         operatorConfig,
-		Client:         mgr.GetClient(),
-		ObjectResolver: objectResolver,
-		LimitChecker:   limitChecker,
-		LogsReader:     logsReader,
-		SecretsReader:  secretsReader,
-		Plugin:         vulnerabilityReportPlugin,
-		ReadWriter:     vulnerabilityreport.NewReadWriter(mgr.GetClient()),
-	}).SetupWithManager(mgr); err != nil {
-		return fmt.Errorf("unable to setup vulnerabilityreport reconciler: %w", err)
-	}
-
-	configAuditReportPlugin, err := plugin.GetConfigAuditReportPlugin(buildInfo, starboardConfig)
-	if err != nil {
-		return err
+	if operatorConfig.VulnerabilityScannerEnabled {
+		if err = (&controller.VulnerabilityReportReconciler{
+			Logger:         ctrl.Log.WithName("reconciler").WithName("vulnerabilityreport"),
+			Config:         operatorConfig,
+			Client:         mgr.GetClient(),
+			ObjectResolver: objectResolver,
+			LimitChecker:   limitChecker,
+			LogsReader:     logsReader,
+			SecretsReader:  secretsReader,
+			Plugin:         vulnerabilityReportPlugin,
+			ReadWriter:     vulnerabilityreport.NewReadWriter(mgr.GetClient()),
+		}).SetupWithManager(mgr); err != nil {
+			return fmt.Errorf("unable to setup vulnerabilityreport reconciler: %w", err)
+		}
 	}
 
-	if err = (&controller.ConfigAuditReportReconciler{
-		Logger:         ctrl.Log.WithName("reconciler").WithName("configauditreport"),
-		Config:         operatorConfig,
-		Client:         mgr.GetClient(),
-		ObjectResolver: objectResolver,
-		LimitChecker:   limitChecker,
-		LogsReader:     logsReader,
-		Plugin:         configAuditReportPlugin,
-		ReadWriter:     configauditreport.NewReadWriter(mgr.GetClient()),
-	}).SetupWithManager(mgr); err != nil {
-		return fmt.Errorf("unable to setup configauditreport reconciler: %w", err)
+	if operatorConfig.ConfigAuditScannerEnabled {
+		configAuditReportPlugin, err := plugin.GetConfigAuditReportPlugin(buildInfo, starboardConfig)
+		if err != nil {
+			return err
+		}
+
+		if err = (&controller.ConfigAuditReportReconciler{
+			Logger:         ctrl.Log.WithName("reconciler").WithName("configauditreport"),
+			Config:         operatorConfig,
+			Client:         mgr.GetClient(),
+			ObjectResolver: objectResolver,
+			LimitChecker:   limitChecker,
+			LogsReader:     logsReader,
+			Plugin:         configAuditReportPlugin,
+			ReadWriter:     configauditreport.NewReadWriter(mgr.GetClient()),
+		}).SetupWithManager(mgr); err != nil {
+			return fmt.Errorf("unable to setup configauditreport reconciler: %w", err)
+		}
 	}
 
 	if operatorConfig.CISKubernetesBenchmarkEnabled {