fix: group version, namespace, vuln counter

- 7cf2316 broke install due to group version
- support separate namespace install for kubescape
- fix vulnerability counter

api/v1alpha1/groupversion_info.go

@@ -26,7 +26,7 @@ import (
 
 var (
 	// GroupVersion is group version used to register these objects
-	GroupVersion = schema.GroupVersion{Group: "validation.spectrocloud.labs", Version: "v1"}
+	GroupVersion = schema.GroupVersion{Group: "validation.spectrocloud.labs", Version: "v1alpha1"}
 
 	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
 	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

api/v1alpha1/kubescapevalidator_types.go

@@ -27,6 +27,9 @@ import (
 
 // KubescapeValidatorSpec defines the desired state of KubescapeValidator
 type KubescapeValidatorSpec struct {
+	//+kubebuilder:default=kubescape
+	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
+	// Global Severity Limit Rule
 	SeverityLimitRule SeverityLimitRule `json:"severityLimitRule,omitempty" yaml:"severityLimitRule,omitempty"`
 	// Global Ignore CVEs
 	IgnoredCVERule []string `json:"ignoredCVERule,omitempty" yaml:"ignoredCVERule,omitempty"`
@@ -42,7 +45,13 @@ func (r FlaggedCVE) Name() string {
 
 // Increase for every rule
 func (s KubescapeValidatorSpec) ResultCount() int {
-	count := 1
+	count := 0
+	if s.SeverityLimitRule != (SeverityLimitRule{}) {
+		count++
+	}
+	count += len(s.IgnoredCVERule)
+	count += len(s.FlaggedCVERule)
+
 	return count
 }
 

config/crd/bases/validation.spectrocloud.labs_kubescapevalidators.yaml

@@ -45,7 +45,11 @@ spec:
                 items:
                   type: string
                 type: array
+              namespace:
+                default: kubescape
+                type: string
               severityLimitRule:
+                description: Global Severity Limit Rule
                 properties:
                   critical:
                     type: integer

config/default/kustomization.yaml

@@ -1,5 +1,5 @@
 # Adds namespace to all resources.
-namespace: validator-plugin-kubescape-system
+namespace: validator
 
 # Value of this field is prepended to the
 # names of all resources, e.g. a deployment named

internal/controller/kubescapevalidator_controller.go

@@ -106,7 +106,7 @@ func (r *KubescapeValidatorReconciler) Reconcile(ctx context.Context, req ctrl.R
 		ValidationRuleErrors:  make([]error, 0, vr.Spec.ExpectedResults),
 	}
 
-	kubescape, err := kubevuln.NewAPIServerStorage("kubescape")
+	kubescape, err := kubevuln.NewAPIServerStorage(validator.Spec.Namespace)
 
 	if err != nil {
 		return ctrl.Result{RequeueAfter: time.Second * 120}, errors.New("cannot connect to kubescape api storage server, is kubescape operator installed?")
@@ -168,7 +168,7 @@ func buildValidationResult(validator *kubescapevalidatorv1.KubescapeValidator) *
 		},
 		Spec: vapi.ValidationResultSpec{
 			Plugin:          constants.PluginCode,
-			ExpectedResults: 1,
+			ExpectedResults: validator.Spec.ResultCount(),
 		},
 	}
 }

internal/validators/kubescape.go

@@ -55,15 +55,20 @@ func (n *KubescapeService) Manifests() ([]kubescapev1.VulnerabilityManifest, err
 func (n *KubescapeService) ReconcileSeverityRule(nn ktypes.NamespacedName, rule validationv1.SeverityLimitRule, ignoredCVEs []string, manifests []kubescapev1.VulnerabilityManifest) (*types.ValidationRuleResult, error) {
 	vr := buildValidationResult(rule, constants.ValidationTypeSeverity)
 
-	zero := 0
+	critical := 0
+	high := 0
+	medium := 0
+	low := 0
+	unknown := 0
+	negligible := 0
 
 	foundVulns := validationv1.SeverityLimitRule{
-		Critical:   &zero,
-		High:       &zero,
-		Medium:     &zero,
-		Low:        &zero,
-		Unknown:    &zero,
-		Negligible: &zero,
+		Critical:   &critical,
+		High:       &high,
+		Medium:     &medium,
+		Low:        &low,
+		Unknown:    &unknown,
+		Negligible: &negligible,
 	}
 
 	uniqueCVEs := make(map[string]bool)