feat: make regexp for excluded namespace configurable

controllers/predicates.go

@@ -14,11 +14,11 @@ import (
 	stasv1alpha1 "github.com/statnett/image-scanner-operator/api/v1alpha1"
 )
 
-var systemNamespaceRegex = regexp.MustCompile("^(kube-|openshift-).*")
-
-var systemNamespace = predicate.NewPredicateFuncs(func(object client.Object) bool {
-	return systemNamespaceRegex.MatchString(object.GetNamespace())
-})
+func namespaceMatchRegexp(re *regexp.Regexp) predicate.Predicate {
+	return predicate.NewPredicateFuncs(func(object client.Object) bool {
+		return re.MatchString(object.GetNamespace())
+	})
+}
 
 func podContainerStatusImagesChanged() predicate.Predicate {
 	return predicate.Funcs{

controllers/workload_controller.go

@@ -62,17 +62,21 @@ func (r *PodReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		groupKinds[i] = k.GroupKind()
 	}
 
+	predicates := []predicate.Predicate{
+		predicate.Not(managedByImageScanner),
+	}
+	if r.ScanNamespaceExcludeRegexp != nil {
+		predicates = append(predicates, predicate.Not(namespaceMatchRegexp(r.ScanNamespaceExcludeRegexp)))
+	}
+
 	bldr := ctrl.NewControllerManagedBy(mgr).
 		For(&corev1.Pod{},
 			builder.WithPredicates(
 				podContainerStatusImagesChanged(),
 				predicate.Or(controllerInKinds(groupKinds...), noController),
 				ignoreDeletionPredicate(),
 			)).
-		WithEventFilter(predicate.And(
-			predicate.Not(systemNamespace),
-			predicate.Not(managedByImageScanner),
-		)).
+		WithEventFilter(predicate.And(predicates...)).
 		Watches(&source.Kind{Type: &stasv1alpha1.ContainerImageScan{}},
 			&handler.EnqueueRequestForOwner{OwnerType: &corev1.Pod{}},
 			builder.WithPredicates(

main.go

@@ -77,6 +77,7 @@ func main() {
 
 	pflag.CommandLine.AddGoFlagSet(flag.CommandLine)
 	pflag.BoolVarP(&helpRequested, "help", "h", false, "print out usage and a summary of options")
+	pflag.String("scan-namespace-exclude-regex", "^(kube-|openshift-).*", "regexp for namespace to exclude from scanning")
 	pflag.Parse()
 
 	if helpRequested {

pkg/operator/config.go

@@ -1,18 +1,20 @@
 package operator
 
 import (
+	"regexp"
 	"time"
 
 	stasv1alpha1 "github.com/statnett/image-scanner-operator/api/v1alpha1"
 )
 
 type Config struct {
-	ScanInterval          time.Duration `mapstructure:"scan-interval"`
-	ScanJobNamespace      string        `mapstructure:"scan-job-namespace"`
-	ScanJobServiceAccount string        `mapstructure:"scan-job-service-account"`
-	ScanWorkloadResources []string      `mapstructure:"scan-workload-resources"`
-	TrivyImage            string        `mapstructure:"trivy-image"`
-	TrivyServer           string        `mapstructure:"trivy-server"`
+	ScanInterval               time.Duration  `mapstructure:"scan-interval"`
+	ScanJobNamespace           string         `mapstructure:"scan-job-namespace"`
+	ScanJobServiceAccount      string         `mapstructure:"scan-job-service-account"`
+	ScanNamespaceExcludeRegexp *regexp.Regexp `mapstructure:"scan-namespace-exclude-regexp"`
+	ScanWorkloadResources      []string       `mapstructure:"scan-workload-resources"`
+	TrivyImage                 string         `mapstructure:"trivy-image"`
+	TrivyServer                string         `mapstructure:"trivy-server"`
 }
 
 func (c Config) TimeUntilNextScan(cis *stasv1alpha1.ContainerImageScan) time.Duration {