---
# Weekly Prowler scan of the cluster against the CIS Kubernetes benchmark
# (compliance framework cis_1.11_kubernetes). Reports are written to a PVC.
#
# The pod joins the host PID namespace and mounts host directories, so the
# namespace must admit it: the Pod Security "baseline" and "restricted"
# levels both reject hostPID and hostPath volumes.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: prowler
  namespace: prowler
spec:
  # 03:00 every Sunday. No timeZone is set, so the schedule is evaluated in
  # the kube-controller-manager's local time zone.
  schedule: '0 3 * * 0'
  # A run that is still in progress blocks the next one from starting.
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      # 604800 s = 7 days: finished Jobs are garbage-collected after a week.
      # The reports PVC is a separate object referenced by claimName below.
      ttlSecondsAfterFinished: 604800
      template:
        spec:
          # The RBAC bound to this ServiceAccount is not visible here.
          # NOTE(review): confirm it is limited to the read-only verbs
          # (get/list/watch) the scanner needs.
          serviceAccountName: prowler
          # The container can see every process on the node. Together with
          # the host mounts below, this makes the image and its supply chain
          # part of the node's trust boundary.
          hostPID: true
          restartPolicy: OnFailure
          # NOTE(review): no nodeSelector/affinity/tolerations are set, so the
          # scheduler picks the node. /etc/kubernetes and /var/lib/etcd only
          # hold control-plane data on control-plane nodes. Confirm the pod
          # lands where the files under audit actually live.
          containers:
            - name: prowler
              # NOTE(review): "kustomized" looks like a placeholder tag that
              # an overlay rewrites (confirm). Pinning the final reference by
              # digest would make the scanner image immutable.
              image: registry.ops.eblu.me/blumeops/prowler:kustomized
              # NOTE(review): no securityContext and no resources are
              # declared. Once the scanner is confirmed to still read the
              # host paths, consider allowPrivilegeEscalation: false, dropped
              # capabilities and CPU/memory limits.
              args:
                - kubernetes
                - --compliance
                - cis_1.11_kubernetes
                # -z (--ignore-exit-code-3): failed checks do not produce a
                # non-zero exit, so findings alone do not trigger the
                # OnFailure restart.
                - -z
                - --output-formats
                - html
                - csv
                - json-ocsf
                - --output-directory
                - /reports/prowler
              volumeMounts:
                # Scan output. It describes the cluster's weaknesses, so
                # access to this claim should be limited accordingly.
                - name: reports
                  mountPath: /reports
                # Host directories below are all mounted read-only.
                - name: var-lib-kubelet
                  mountPath: /var/lib/kubelet
                  readOnly: true
                - name: etc-kubernetes
                  mountPath: /etc/kubernetes
                  readOnly: true
                - name: var-lib-etcd
                  mountPath: /var/lib/etcd
                  readOnly: true
          volumes:
            - name: reports
              persistentVolumeClaim:
                claimName: prowler-reports
            # No hostPath `type` is given, so the paths are not checked
            # before mounting.
            # NOTE(review): `type: Directory` would make a missing path fail
            # loudly instead of scanning an empty mount.
            - name: var-lib-kubelet
              hostPath:
                path: /var/lib/kubelet
            # On kubeadm-style nodes this tree typically holds cluster PKI
            # keys and admin kubeconfigs. Read-only still means readable.
            - name: etc-kubernetes
              hostPath:
                path: /etc/kubernetes
            # etcd's data directory on nodes that run etcd. It contains the
            # full cluster state, Secrets included.
            - name: var-lib-etcd
              hostPath:
                path: /var/lib/etcd