CVE Operator is a Kubernetes operator designed to monitor the official CVE List GitHub repository for new releases containing CVE (Common Vulnerabilities and Exposures) updates.
This operator is built using Kubebuilder, a framework for building Kubernetes APIs using custom resource definitions (CRDs).
Once the operator is installed on the Kubernetes cluster, monitoring starts when a GitHubReleasesMonitor custom resource is created with the repository URL and monitorFrom set in its spec. The GitHubReleasesMonitor controller watches for GitHubReleasesMonitor custom resources and, when it detects one, triggers its reconcile function. During reconciliation, the controller fetches all releases from the GitHub repository specified in the spec of the custom resource. It uses the MonitorFrom field to determine the starting point (e.g., a particular date) from which releases are considered, and creates a new GitHubRelease custom resource for each release from that point on. The creation of a GitHubRelease custom resource in turn triggers the GitHubRelease controller, whose reconcile function creates a Kubernetes Job that processes all the CVEs present in that release.
The GitHubReleasesMonitor controller requeues the reconciliation request after a specified duration, which is provided as an environment variable to the pod running the operator. The reconcile loop therefore runs at regular intervals, allowing the controller to re-check for new releases and create a GitHubRelease custom resource for each one it has not seen before.
A finalizer is used to establish ownership of the resources created by the operator, such as the GitHubRelease custom resources. It ensures that before a GitHubReleasesMonitor resource is deleted, the controller has a chance to perform the necessary cleanup, such as deleting all GitHubRelease resources that were created while monitoring the repository's releases.
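The two decisions the GitHubReleasesMonitor reconciler makes on every pass, selecting which releases need a GitHubRelease resource and deciding when to requeue, as an added stand-alone example (not the operator's own code). It assumes GitHub's release payload field names `tag_name` and `published_at`, uses constructed release data, and does not name the requeue environment variable, which the page leaves unspecified.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// MonitorSpec mirrors the two spec fields the page names (URL, MonitorFrom); JSON tags are assumed.
type MonitorSpec struct {
	URL         string    `json:"url"`
	MonitorFrom time.Time `json:"monitorFrom"`
}

// Release holds the subset of a GitHub release payload the reconciler needs.
type Release struct {
	TagName     string    `json:"tag_name"`
	PublishedAt time.Time `json:"published_at"`
}

// sampleReleases is constructed data in the GitHub Releases API shape, newest first.
const sampleReleases = `[
  {"tag_name":"example-2024-03-03","published_at":"2024-03-03T01:00:00Z"},
  {"tag_name":"example-2024-03-02","published_at":"2024-03-02T01:00:00Z"},
  {"tag_name":"example-2024-03-01","published_at":"2024-03-01T01:00:00Z"}
]`

// SelectNewReleases returns the tags of releases published at or after spec.MonitorFrom that
// have no GitHubRelease resource yet (existing), oldest first so the resulting Jobs run in order.
func SelectNewReleases(spec MonitorSpec, releases []Release, existing map[string]bool) []string {
	var keep []Release
	for _, r := range releases {
		if r.PublishedAt.Before(spec.MonitorFrom) || existing[r.TagName] {
			continue // predates the monitoring window, or already reconciled
		}
		keep = append(keep, r)
	}
	sort.Slice(keep, func(i, j int) bool { return keep[i].PublishedAt.Before(keep[j].PublishedAt) })
	tags := make([]string, 0, len(keep))
	for _, r := range keep {
		tags = append(tags, r.TagName)
	}
	return tags
}

// RequeueAfter parses the interval taken from the pod's environment; a malformed or
// non-positive value falls back to def so a bad setting cannot turn the loop into a hot spin.
func RequeueAfter(raw string, def time.Duration) time.Duration {
	d, err := time.ParseDuration(raw)
	if err != nil || d <= 0 {
		return def
	}
	return d
}

func main() {
	var rels []Release
	if err := json.Unmarshal([]byte(sampleReleases), &rels); err != nil {
		panic(err)
	}
	spec := MonitorSpec{URL: "https://github.com/example/cve-list", // placeholder URL
		MonitorFrom: time.Date(2024, 3, 2, 0, 0, 0, 0, time.UTC)}
	fmt.Println(SelectNewReleases(spec, rels, map[string]bool{"example-2024-03-02": true}))
	fmt.Println(RequeueAfter("", 10*time.Minute))
}
```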
Build and push your image to the location specified by `IMG`:

```sh
make docker-buildx
```
NOTE: The Docker image for the operator is built using Docker Buildx which supports multi-platform builds.
Generate a consolidated YAML with CRDs and deployment:

```sh
make build-installer
```
NOTE: A Helm chart is used to deploy the operator by installing Custom Resource Definitions (CRDs), Role/ClusterRole, RoleBinding/ClusterRoleBinding, service account, deployment, and service on the cluster.