add priorityclassname and use node selector for node scanning deploym…

…ents

Signed-off-by: Ivan Milchev <[email protected]>

api/v1alpha2/mondooauditconfig_types.go

@@ -112,6 +112,8 @@ type Nodes struct {
 	// +kubebuilder:validation:Enum=cronjob;deployment
 	// +kubebuilder:default=cronjob
 	Style NodeScanStyle `json:"style,omitempty"`
+	// PriorityClassName specifies the name of the PriorityClass for the node scanning workloads.
+	PriorityClassName string `json:"priorityClassName,omitempty"`
 }
 
 type Admission struct {

config/crd/bases/k8s.mondoo.com_mondooauditconfigs.yaml

@@ -218,6 +218,10 @@ spec:
                       node scanning. The default is "60". Only applicable for Deployment
                       style.
                     type: integer
+                  priorityClassName:
+                    description: PriorityClassName specifies the name of the PriorityClass
+                      for the node scanning workloads.
+                    type: string
                   resources:
                     description: ResourceRequirements describes the compute resource
                       requirements.

controllers/nodes/resources.go

@@ -203,7 +203,10 @@ func UpdateDeployment(
 	dep.Spec.Template.Annotations = map[string]string{
 		ignoreQueryAnnotationPrefix + "mondoo-kubernetes-security-pod-runasnonroot": ignoreAnnotationValue,
 	}
-	dep.Spec.Template.Spec.NodeName = node.Name
+	dep.Spec.Template.Spec.PriorityClassName = m.Spec.Nodes.PriorityClassName
+	dep.Spec.Template.Spec.NodeSelector = map[string]string{
+		"kubernetes.io/hostname": node.Name,
+	}
 	dep.Spec.Template.Spec.Tolerations = k8s.TaintsToTolerations(node.Spec.Taints)
 	// The node scanning does not use the Kubernetes API at all, therefore the service account token
 	// should not be mounted at all.