feat: Add Pod-Informer (#151)

* feat: added pod-informer

Signed-off-by: Christian Kotzbauer <[email protected]>

* fix: lint errors

Signed-off-by: Christian Kotzbauer <[email protected]>

* fix: added logging and fixed async handling

Signed-off-by: Christian Kotzbauer <[email protected]>

* fix: several refactoring-fixes

Signed-off-by: Christian Kotzbauer <[email protected]>

* feat: add startup-sync

Signed-off-by: Christian Kotzbauer <[email protected]>

* doc: update readme

Signed-off-by: Christian Kotzbauer <[email protected]>

* feat: add new syft-formats

Signed-off-by: Christian Kotzbauer <[email protected]>

* doc: remove link

Signed-off-by: Christian Kotzbauer <[email protected]>

* fix: change reference types

Signed-off-by: Christian Kotzbauer <[email protected]>

* fix: remove add-handler, change to trace

Signed-off-by: Christian Kotzbauer <[email protected]>

* deps: cleanup go.mod

Signed-off-by: Christian Kotzbauer <[email protected]>

Signed-off-by: Christian Kotzbauer <[email protected]>

README.md

@@ -8,9 +8,9 @@
 ## Overview
 
 This operator maintains a central place to track all packages and software used in all those images in a Kubernetes cluster. For this a Software Bill of 
-Materials (SBOM) is generated from each image with Syft. They are all stored in one or more targets. Currently Git and Dependency Track is supported. 
-With this it is possible to do further analysis, vulnerability scans and much more in a single place. To prevent scans of images that have already been analyzed pods are annotated
-with the imageID of the already processed image.
+Materials (SBOM) is generated from each image with Syft. They are all stored in one or more targets. Currently Git, Dependency Track and OCI-Registry are supported. 
+With this it is possible to do further analysis, [vulnerability scans](https://github.com/ckotzbauer/vulnerability-operator) and much more in a single place. 
+To prevent scans of images that have already been analyzed pods are annotated with the imageID of the already processed image.
 
 ## Kubernetes Compatibility
 
@@ -68,38 +68,23 @@ helm install ckotzbauer/sbom-operator -f your-values.yaml
 
 ## Configuration
 
-All parameters are cli-flags.
+All parameters are cli-flags. The flags can be configured as args or as environment-variables prefixed with `SBOM_` to inject sensitive configs as secret values.
+
+### Common parameters
 
 | Parameter | Required | Default | Description |
 |-----------|----------|---------|-------------|
 | `verbosity` | `false` | `info` | Log-level (debug, info, warn, error, fatal, panic) |
-| `cron` | `false` | `@hourly` | Backround-Service interval (CRON). All options from [github.com/robfig/cron](https://github.com/robfig/cron) are allowed |
+| `cron` | `false` | `""` | Backround-Service interval (CRON). See [Trigger](#analysis-trigger) for details. |
 | `ignore-annotations` | `false` | `false` | Force analyzing of all images, including those from annotated pods. |
-| `format` | `false` | `json` | SBOM-Format. |
-| `targets` | `false` | `git` | Comma-delimited list of targets to sent the generated SBOMs to. Possible targets `git`, `dtrack`, `oci` |
-| `git-workingtree` | `false` | `/work` | Directory to place the git-repo. |
-| `git-repository` | `true` when `git` target is used. | `""` | Git-Repository-URL (HTTPS). |
-| `git-branch` | `false` | `main` | Git-Branch to checkout. |
-| `git-path` | `false` | `""` | Folder-Path inside the Git-Repository. |
-| `git-access-token` | `true` when `git` target is used. | `""` | Git-Personal-Access-Token with write-permissions. |
-| `git-author-name` | `true` when `git` target is used. | `""` | Author name to use for Git-Commits. |
-| `git-author-email` | `true` when `git` target is used. | `""` | Author email to use for Git-Commits. |
+| `format` | `false` | `json` | SBOM-Format. (One of `json`, `syftjson`, `cyclonedxjson`, `spdxjson`, `github`, `githubjson`, `cyclonedx`, `cyclone`, `cyclonedxxml`, `spdx`, `spdxtv`, `spdxtagvalue`, `text`, `table`) |
+| `targets` | `false` | `git` | Comma-delimited list of targets to sent the generated SBOMs to. Possible targets `git`, `dtrack`, `oci`. Ignored with a `job-image` |
 | `pod-label-selector` | `false` | `""` | Kubernetes Label-Selector for pods. |
 | `namespace-label-selector` | `false` | `""` | Kubernetes Label-Selector for namespaces. |
-| `dtrack-base-url` | `true` when `dtrack` target is used | `""` | Dependency-Track base URL, e.g. 'https://dtrack.example.com' |
-| `dtrack-api-key` | `true` when `dtrack` target is used | `""` | Dependency-Track API key |
-| `kubernetes-cluster-id` | `false` | `"default"` | Kubernetes Cluster ID (to be used in Dependency-Track or Job-Images) |
 | `fallback-image-pull-secret` | `false` | `""` | Kubernetes Pull-Secret Name to load as a fallback when all others fail (must be in the same namespace as the sbom-operator) |
-| `job-image` | `false` | `""` | Job-Image to process images with instead of Syft |
-| `job-image-pull-secret` | `false` | `""` | Pre-existing pull-secret-name for private job-images |
-| `job-timeout` | `false` | `3600` | Job-Timeout in seconds (`activeDeadlineSeconds`) |
-| `oci-registry` | `true` when `oci` target is used | `""` | OCI-Registry |
-| `oci-user` | `true` when `oci` target is used | `""` | OCI-User |
-| `oci-token` | `true` when `oci` target is used | `""` | OCI-Token |
 
-The flags can be configured as args or as environment-variables prefixed with `SBOM_` to inject sensitive configs as secret values.
 
-#### Example Helm-Config
+### Example Helm-Config
 
 ```yaml
 args:
@@ -119,22 +104,58 @@ envVars:
         key: "accessToken"
 ```
 
+## Analysis-Trigger
+
+### Cron
+
+With the `cron` flag set, the operator runs with a specified interval and checks for changed images in your cluster.
+All options from [github.com/robfig/cron](https://github.com/robfig/cron) are allowed as cron-syntax.
+
+### Real-Time
+
+When you omit the `cron` flag, the operator uses a Cache-Informer to process changed pods immediately. In this mode there's also
+a one-time analysis at startup to sync the targets with the actual cluster-state. If you configured a job-image there's no initial
+startup sync.
+
 
 ## Targets
 
-It is possible to store the generated SBOMs to different targets (even multple at once).
+It is possible to store the generated SBOMs to different targets (even multple at once). All targets are using Syft as analyzer.
+If you want to use another tool to analyze your images, then have a look at the [Job image](#job-images) section. Images which are
+not present in the cluster anymore are removed from the configured targets (except for the OCI-Target).
+
+### Dependency Track
+
+#### Dependency Track Parameter
 
-#### Dependency Track
+| Parameter | Required | Default | Description |
+|-----------|----------|---------|-------------|
+| `dtrack-base-url` | `true` when `dtrack` target is used | `""` | Dependency-Track base URL, e.g. 'https://dtrack.example.com' |
+| `dtrack-api-key` | `true` when `dtrack` target is used | `""` | Dependency-Track API key |
+| `kubernetes-cluster-id` | `false` | `"default"` | Kubernetes Cluster ID (to be used in Dependency-Track or Job-Images) |
 
-Each image in the cluster is created as project with the full-image name (registry and image-path without tag) and the image-tag as project-version. 
+Each image in the cluster is created as project with the full-image name (registry and image-path without tag) and the image-tag as project-version.
+When there's no image-tag, but a digest, the digest is used as project-version.
 The `autoCreate` option of DT is used. You have to set the `--format` flag to `cyclonedx` with this target.
 
 
-#### Git
+### Git
+
+#### Git Parameter
+
+| Parameter | Required | Default | Description |
+|-----------|----------|---------|-------------|
+| `git-workingtree` | `false` | `/work` | Directory to place the git-repo. |
+| `git-repository` | `true` when `git` target is used. | `""` | Git-Repository-URL (HTTPS). |
+| `git-branch` | `false` | `main` | Git-Branch to checkout. |
+| `git-path` | `false` | `""` | Folder-Path inside the Git-Repository. |
+| `git-access-token` | `true` when `git` target is used. | `""` | Git-Personal-Access-Token with write-permissions. |
+| `git-author-name` | `true` when `git` target is used. | `""` | Author name to use for Git-Commits. |
+| `git-author-email` | `true` when `git` target is used. | `""` | Author email to use for Git-Commits. |
 
 The operator will save all files with a specific folder structure as described below. When a `git-path` is configured, all folders above this path are not touched
 from the application. Assuming that `git-path` is set to `dev-cluster/sboms`. When no `git-path` is given, the structure below is directly in the repository-root. 
-The structure is basically `<git-path>/<registry-server>/<image-path>/<image-digest>/sbom.json`. The file-extension may differ when another output-format is configured. A token-based authentication to the git-repository is used.
+The structure is basically `<git-path>/<registry-server>/<image-path>/<image-digest>/sbom.json`. The file-extension may differ when another output-format is configured. A token-based authentication to the git-repository is used (PAT).
 
 ```
 dev-cluster
@@ -170,17 +191,36 @@ dev-cluster
                     │   sbom.json
 ```
 
-#### OCI-Registry
+### OCI-Registry
+
+#### OCI-Registry Parameter
+
+| Parameter | Required | Default | Description |
+|-----------|----------|---------|-------------|
+| `oci-registry` | `true` when `oci` target is used | `""` | OCI-Registry |
+| `oci-user` | `true` when `oci` target is used | `""` | OCI-User |
+| `oci-token` | `true` when `oci` target is used | `""` | OCI-Token |
 
 In this mode the operator will generate a SBOM and store it into an OCI-Registry. The SBOM then can be processed by cosign, Kyverno
 or any other tool. E.g.:
 ```bash
 COSIGN_REPOSITORY=<yourregistry> cosign download sbom <your full image digest>
 ```
 
+The operator needs the Registry-URL, a user and a token as password to authenticate to the registry. Write-permissions are needed.
+
 
 ## Job-Images
 
+#### Job-Image Parameter
+
+| Parameter | Required | Default | Description |
+|-----------|----------|---------|-------------|
+| `job-image` | `false` | `""` | Job-Image to process images with instead of Syft |
+| `job-image-pull-secret` | `false` | `""` | Pre-existing pull-secret-name for private job-images |
+| `job-timeout` | `false` | `3600` | Job-Timeout in seconds (`activeDeadlineSeconds`) |
+| `kubernetes-cluster-id` | `false` | `"default"` | Kubernetes Cluster ID (to be used in Dependency-Track or Job-Images) |
+
 If you don't want to use Syft to analyze your images, you can give the Job-Image feature a try. The operator creates a Kubernetes-Job
 which does the analysis with any possible tool inside. There's no target-handling done by the operator, the tool from the job has to process
 the SBOMs on its own. Currently there are two possible integrations:
@@ -214,12 +254,33 @@ All operator-environment variables prefixed with `SBOM_JOB_` are passed to the K
 The docker-image is based on `scratch` to reduce the attack-surface and keep the image small. Furthermore the image and release-artifacts are signed 
 with [cosign](https://github.com/sigstore/cosign) and attested with provenance-files. The release-process satisfies SLSA Level 2. All of those "metadata files" are 
 also stored in a dedicated repository `ghcr.io/ckotzbauer/sbom-operator-metadata`.
-Both, SLSA and the signatures are still experimental for this project.
 When discovering security issues please refer to the [Security process](https://github.com/ckotzbauer/.github/blob/main/SECURITY.md).
 
+### Signature verification
+
+```bash
+COSIGN_EXPERIMENTAL=1 COSIGN_REPOSITORY=ghcr.io/ckotzbauer/sbom-operator-metadata cosign verify ghcr.io/ckotzbauer/sbom-operator:<tag-to-verify> --certificate-github-workflow-name create-release --certificate-github-workflow-repository ckotzbauer/sbom-operator
+```
+
+### Attestation verification
+
+```bash
+COSIGN_EXPERIMENTAL=1 COSIGN_REPOSITORY=ghcr.io/ckotzbauer/sbom-operator-metadata cosign verify-attestation ghcr.io/ckotzbauer/sbom-operator:<tag-to-verify> --certificate-github-workflow-name create-release --certificate-github-workflow-repository ckotzbauer/sbom-operator
+```
+
+### Download attestation
+
+```bash
+COSIGN_REPOSITORY=ghcr.io/ckotzbauer/sbom-operator-metadata cosign download attestation ghcr.io/ckotzbauer/sbom-operator:<tag-to-verify> | jq -r '.payload' | base64 -d
+```
+
+### Download SBOM
+
+```bash
+COSIGN_REPOSITORY=ghcr.io/ckotzbauer/sbom-operator-metadata cosign download sbom ghcr.io/ckotzbauer/sbom-operator:<tag-to-verify> | jq -r '.payload' | base64 -d
+```
+
 
-[Contributing](https://github.com/ckotzbauer/sbom-operator/blob/master/CONTRIBUTING.md)
---------
 [License](https://github.com/ckotzbauer/sbom-operator/blob/master/LICENSE)
 --------
 [Changelog](https://github.com/ckotzbauer/sbom-operator/blob/master/CHANGELOG.md)

go.mod

@@ -4,16 +4,19 @@ go 1.19
 
 require (
 	github.com/anchore/syft v0.54.0
-	github.com/ckotzbauer/libk8soci v0.0.0-20220801045234-0c88accfdf59
+	github.com/ckotzbauer/libk8soci v0.0.0-20220820074711-9ebdb60394e6
 	github.com/ckotzbauer/libstandard v0.0.0-20220801044619-e3c9900286ea
+	github.com/google/uuid v1.3.0
 	github.com/novln/docker-parser v1.0.0
 	github.com/nscuro/dtrack-client v0.6.0
 	github.com/robfig/cron v1.2.0
 	github.com/sirupsen/logrus v1.9.0
 	github.com/spf13/cobra v1.5.0
 	github.com/stretchr/testify v1.8.0
+	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e
 	k8s.io/api v0.24.4
 	k8s.io/apimachinery v0.24.4
+	k8s.io/client-go v0.24.4
 )
 
 require (
@@ -52,7 +55,6 @@ require (
 	github.com/go-restruct/restruct v1.2.0-alpha // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
-	github.com/google/uuid v1.3.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/huandu/xstrings v1.3.2 // indirect
@@ -107,15 +109,13 @@ require (
 	github.com/xanzy/ssh-agent v0.3.0 // indirect
 	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
 	golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d // indirect
-	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
 	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f // indirect
 	golang.org/x/tools v0.1.11 // indirect
 	golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect
 	google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f // indirect
 	google.golang.org/grpc v1.48.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	k8s.io/client-go v0.24.3 // indirect
 	lukechampine.com/uint128 v1.1.1 // indirect
 	modernc.org/cc/v3 v3.36.0 // indirect
 	modernc.org/ccgo/v3 v3.16.6 // indirect

go.sum

@@ -145,12 +145,8 @@ github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04 h1:VzprUTpc0v
 github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04/go.mod h1:6dK64g27Qi1qGQZ67gFmBFvEHScy0/C8qhQhNe5B5pQ=
 github.com/anchore/packageurl-go v0.1.1-0.20220428202044-a072fa3cb6d7 h1:kDrYkTSM9uIxaX/P9s0F4nKYNM+hnSgLJdLpqvsaQ/g=
 github.com/anchore/packageurl-go v0.1.1-0.20220428202044-a072fa3cb6d7/go.mod h1:Blo6OgJNiYF41ufcgHKkbCKF2MDOMlrqhXv/ij6ocR4=
-github.com/anchore/stereoscope v0.0.0-20220803153229-c55b13fee7e4 h1:OMc0B7MxfjfqagdgboPFVJzsDJbFk7J7NXhgTTnhvuo=
-github.com/anchore/stereoscope v0.0.0-20220803153229-c55b13fee7e4/go.mod h1:90tB0wMdDe2V8fB52tPf1xjg/ieLoWayRu8YJNd9c7w=
 github.com/anchore/stereoscope v0.0.0-20220808115346-84004345484e h1:W13WKIHqgENdcIg49GsG2GJx2BnIg5rpI/gE2Bp/IRQ=
 github.com/anchore/stereoscope v0.0.0-20220808115346-84004345484e/go.mod h1:90tB0wMdDe2V8fB52tPf1xjg/ieLoWayRu8YJNd9c7w=
-github.com/anchore/syft v0.53.4 h1:tRiKa8ZL2FpDzzrcBHms4E6lgsmOkVbITrlcM35aKc0=
-github.com/anchore/syft v0.53.4/go.mod h1:Ms14EskPVOazbPO1j38sxR8kki0uL13xzV5fcuoQDBY=
 github.com/anchore/syft v0.54.0 h1:PNG6KHsO/KIGEivZgWTgAVgwISK/TfrRzocCEwK8WCQ=
 github.com/anchore/syft v0.54.0/go.mod h1:T+cDACkaFFl+ARWxLUS2Iri5agi4017wBRQUq5ZAAmE=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
@@ -232,8 +228,8 @@ github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775/go.mod h1:7cR51M8ViRLI
 github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX2Qs=
 github.com/cilium/ebpf v0.4.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
 github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
-github.com/ckotzbauer/libk8soci v0.0.0-20220801045234-0c88accfdf59 h1:xQP71LgWiWEemWGejG3qcWuELsnpIbZqhGCsWkUqB2I=
-github.com/ckotzbauer/libk8soci v0.0.0-20220801045234-0c88accfdf59/go.mod h1:TvU933QZzcyaCRyYl8cEK7RbKY/nPlSscc7mq9jueOU=
+github.com/ckotzbauer/libk8soci v0.0.0-20220820074711-9ebdb60394e6 h1:ZqQ3DO7vBTpfWZNZAVpqsbVT1q07IoEUbNaxbWPQTcU=
+github.com/ckotzbauer/libk8soci v0.0.0-20220820074711-9ebdb60394e6/go.mod h1:IBQEVvyUDhkBa15BRG/Bx0iojbJA+4fqj8IpppI1Ylw=
 github.com/ckotzbauer/libstandard v0.0.0-20220801044619-e3c9900286ea h1:gofNE9np8uUttsOnPSOhKrMMj0nLn4+59ZwOP+Yu7Qo=
 github.com/ckotzbauer/libstandard v0.0.0-20220801044619-e3c9900286ea/go.mod h1:u4cKHuLhOIvu/X02luI4k32oH//Hlz9PxjEA7kj0Evs=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
@@ -418,8 +414,6 @@ github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25Kn
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
-github.com/emicklei/go-restful/v3 v3.8.0 h1:eCZ8ulSerjdAiaNpF7GxXIE7ZCMo1moN1qX+S609eVw=
-github.com/emicklei/go-restful/v3 v3.8.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE=
 github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg=
@@ -1907,7 +1901,6 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
@@ -1971,15 +1964,11 @@ honnef.co/go/tools v0.2.1/go.mod h1:lPVVZ2BS5TfnjLyizF7o7hv7j9/L+8cZY2hLyjP9cGY=
 k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo=
 k8s.io/api v0.20.4/go.mod h1:++lNL1AJMkDymriNniQsWRkMDzRaX2Y/POTUi8yvqYQ=
 k8s.io/api v0.20.6/go.mod h1:X9e8Qag6JV/bL5G6bU8sdVRltWKmdHsFUGS3eVndqE8=
-k8s.io/api v0.24.3 h1:tt55QEmKd6L2k5DP6G/ZzdMQKvG5ro4H4teClqm0sTY=
-k8s.io/api v0.24.3/go.mod h1:elGR/XSZrS7z7cSZPzVWaycpJuGIw57j9b95/1PdJNI=
 k8s.io/api v0.24.4 h1:I5Y645gJ8zWKawyr78lVfDQkZrAViSbeRXsPZWTxmXk=
 k8s.io/api v0.24.4/go.mod h1:42pVfA0NRxrtJhZQOvRSyZcJihzAdU59WBtTjYcB0/M=
 k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
 k8s.io/apimachinery v0.20.4/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
 k8s.io/apimachinery v0.20.6/go.mod h1:ejZXtW1Ra6V1O5H8xPBGz+T3+4gfkTCeExAHKU57MAc=
-k8s.io/apimachinery v0.24.3 h1:hrFiNSA2cBZqllakVYyH/VyEh4B581bQRmqATJSeQTg=
-k8s.io/apimachinery v0.24.3/go.mod h1:82Bi4sCzVBdpYjyI4jY6aHX+YCUchUIrZrXKedjd2UM=
 k8s.io/apimachinery v0.24.4 h1:S0Ur3J/PbivTcL43EdSdPhqCqKla2NIuneNwZcTDeGQ=
 k8s.io/apimachinery v0.24.4/go.mod h1:82Bi4sCzVBdpYjyI4jY6aHX+YCUchUIrZrXKedjd2UM=
 k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU=
@@ -1988,8 +1977,8 @@ k8s.io/apiserver v0.20.6/go.mod h1:QIJXNt6i6JB+0YQRNcS0hdRHJlMhflFmsBDeSgT1r8Q=
 k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y=
 k8s.io/client-go v0.20.4/go.mod h1:LiMv25ND1gLUdBeYxBIwKpkSC5IsozMMmOOeSJboP+k=
 k8s.io/client-go v0.20.6/go.mod h1:nNQMnOvEUEsOzRRFIIkdmYOjAZrC8bgq0ExboWSU1I0=
-k8s.io/client-go v0.24.3 h1:Nl1840+6p4JqkFWEW2LnMKU667BUxw03REfLAVhuKQY=
-k8s.io/client-go v0.24.3/go.mod h1:AAovolf5Z9bY1wIg2FZ8LPQlEdKHjLI7ZD4rw920BJw=
+k8s.io/client-go v0.24.4 h1:hIAIJZIPyaw46AkxwyR0FRfM/pRxpUNTd3ysYu9vyRg=
+k8s.io/client-go v0.24.4/go.mod h1:+AxlPWw/H6f+EJhRSjIeALaJT4tbeB/8g9BNvXGPd0Y=
 k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk=
 k8s.io/component-base v0.20.4/go.mod h1:t4p9EdiagbVCJKrQ1RsA5/V4rFQNDfRlevJajlGwgjI=
 k8s.io/component-base v0.20.6/go.mod h1:6f1MPBAeI+mvuts3sIdtpjljHWBQ2cIy38oBIWMYnrM=