Merge branch 'main' into issue-390-publicecr

Author: davidcollom

.github/CODEOWNERS

@@ -1 +1 @@
-* @davidcollom
+* @davidcollom @maria-reynoso

.github/workflows/build-test.yaml

@@ -8,12 +8,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Setting some default permissions for all jobs
+permissions:
+  contents: read
+  security-events: read
+  pull-requests: read
+  checks: write
+
 jobs:
   lint:
-    permissions:
-      contents: read # for actions/checkout to fetch code
-      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
-      checks: write # for golangci/golangci-lint-action to annotate Pull Requests
     name: Lint Go code
     runs-on: ubuntu-latest
     steps:
@@ -35,6 +38,8 @@ jobs:
   code-scan:
     name: Code Scan
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v5
@@ -51,13 +56,15 @@ jobs:
           severity: "CRITICAL,HIGH,MEDIUM"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: "trivy-results.sarif"
 
   govulncheck:
     runs-on: ubuntu-latest
     name: Run govulncheck
+    permissions:
+      security-events: write
     steps:
       # We only need to checkout as govuln does the go setup...
       - name: Checkout code
@@ -98,7 +105,7 @@ jobs:
         continue-on-error: true
 
       - name: Generate code coverage artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: code-coverage
           path: coverage.out

.github/workflows/helm-test.yaml

@@ -11,11 +11,13 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+  pull-requests: read
+  checks: write
+
 jobs:
   lint:
-    permissions:
-      contents: read # for actions/checkout to fetch code
-      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
     name: Lint Helm Chart
     runs-on: ubuntu-latest
     steps:
@@ -28,6 +30,8 @@ jobs:
           go-version-file: go.mod
 
       - uses: azure/setup-helm@v4
+        with:
+          version: v3.19.0
 
       - run: helm lint deploy/charts/version-checker
 
@@ -44,6 +48,8 @@ jobs:
           go-version-file: go.mod
 
       - uses: azure/setup-helm@v4
+        with:
+          version: v3.19.0
 
       - name: Install helm Plugins
         run: |

.github/workflows/release-tagger.yaml

@@ -11,6 +11,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   release-name:
     name: Generate a clean release name from the branch/tag
@@ -110,12 +113,13 @@ jobs:
 
       - name: Build Changelog
         id: github_release
-        uses: mikepenz/release-changelog-builder-action@v5
+        uses: mikepenz/release-changelog-builder-action@v6
         with:
           ignorePreReleases: true
+          toTag: "main"
 
       - name: Create Release PR
-        uses: devops-infra/action-pull-request@v0.6.1
+        uses: devops-infra/action-pull-request@v1.0.2
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           target_branch: main
@@ -154,6 +158,8 @@ jobs:
 
       - name: Setup Helm
         uses: azure/setup-helm@v4
+        with:
+          version: v3.19.0
 
       # FIXME: We need a Repo Created in Quay ahead of time for this to work
       # - name: Login to Quay.io for OCI Push
@@ -207,7 +213,7 @@ jobs:
       # Install the cosign tool except on PR
       # https://github.com/sigstore/cosign-installer
       - name: Install cosign
-        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 #v3.10.0
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad #v4.0.0
         with:
           cosign-release: "v2.2.4"
 

.github/workflows/release.yaml

@@ -9,7 +9,7 @@ ARG TARGETOS TARGETARCH
 RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o ./bin/version-checker ./cmd/.
 
 
-FROM alpine:3.22.1
+FROM alpine:3.22.2
 LABEL description="Kubernetes utility for exposing used image versions compared to the latest version, as metrics."
 
 RUN apk --no-cache add ca-certificates

Dockerfile

@@ -22,7 +22,7 @@ verify: test build ## tests and builds version-checker
 
 image: ## build docker image
 	GOARCH=$(ARCH) GOOS=linux CGO_ENABLED=0 go build -o ./bin/version-checker-linux ./cmd/.
-	docker build -t quay.io/jetstack/version-checker:v0.9.3 .
+	docker build -t quay.io/jetstack/version-checker:v0.10.0 .
 
 clean: ## clean up created files
 	rm -rf \

Makefile

@@ -6,20 +6,29 @@
 ![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/jetstack/version-checker)
 
 version-checker is a Kubernetes utility for observing the current versions of
-images running in the cluster, as well as the latest available upstream. These
-checks get exposed as Prometheus metrics to be viewed on a dashboard, or _soft_
-alert cluster operators.
+images running in the cluster, as well as the latest available upstream. Additionally,
+it monitors the Kubernetes cluster version against the latest available releases
+using official Kubernetes release channels. These checks get exposed as Prometheus
+metrics to be viewed on a dashboard, or _soft_ alert cluster operators.
+
+## Features
+
+- **Container Image Version Checking**: Monitor and compare container image versions running in the cluster against their latest upstream versions
+- **Kubernetes Version Monitoring**: Track your cluster's Kubernetes version against the latest available releases from official Kubernetes channels
+- **Prometheus Metrics Integration**: Export all version information as Prometheus metrics for monitoring and alerting
+- **Flexible Channel Selection**: Configure which Kubernetes release channel to track (stable, latest, etc.)
 
 ---
 
 ## Why Use version-checker?
 
-- **Improved Security**: Ensures images are up-to-date, reducing the risk of using vulnerable or compromised versions.
-- **Enhanced Visibility**: Provides a clear overview of all running container versions across clusters.
-- **Operational Efficiency**: Automates image tracking and reduces manual intervention in version management.
-- **Compliance and Policy**: Enforcement: Helps maintain version consistency and adherence to organizational policies.
+- **Improved Security**: Ensures images and Kubernetes clusters are up-to-date, reducing the risk of using vulnerable or compromised versions.
+- **Enhanced Visibility**: Provides a clear overview of all running container versions and cluster versions across clusters.
+- **Operational Efficiency**: Automates image and Kubernetes version tracking and reduces manual intervention in version management.
+- **Compliance and Policy Enforcement**: Helps maintain version consistency and adherence to organizational policies for both applications and infrastructure.
 - **Incremental Upgrades**: Facilitates frequent, incremental updates to reduce the risk of large, disruptive upgrades.
 - **Add-On Compatibility**: Ensures compatibility with the latest versions of Kubernetes add-ons and dependencies.
+- **Proactive Cluster Management**: Stay informed about Kubernetes security updates and new features through automated version monitoring.
 
 ---
 
@@ -45,6 +54,7 @@ These registries support authentication.
 
 - [Installation Guide](docs/installation.md)
 - [Metrics](docs/metrics.md)
+- [New Features](docs/new_features.md)
 
 ---
 

README.md

@@ -110,19 +110,36 @@ func NewCommand(ctx context.Context) *cobra.Command {
 				return fmt.Errorf("failed to setup image registry clients: %s", err)
 			}
 
-			c := controller.NewPodReconciler(opts.CacheTimeout,
+			_ = client
+
+			podController := controller.NewPodReconciler(opts.CacheTimeout,
 				metricsServer,
 				client,
 				mgr.GetClient(),
 				log,
 				opts.RequeueDuration,
 				opts.DefaultTestAll,
 			)
-
-			if err := c.SetupWithManager(mgr); err != nil {
+			if err := podController.SetupWithManager(mgr); err != nil {
 				return err
 			}
 
+			kubeController := controller.NewKubeReconciler(
+				log,
+				mgr.GetConfig(),
+				metricsServer,
+				opts.KubeInterval,
+				opts.KubeChannel,
+			)
+
+			// Only add to manager if controller was created (channel was specified)
+			if kubeController != nil {
+				if err := mgr.Add(kubeController); err != nil {
+					return err
+				}
+				log.WithField("channel", opts.KubeChannel).Info("Kubernetes version checking enabled")
+			}
+
 			// Start the manager and all controllers
 			log.Info("Starting controller manager")
 			if err := mgr.Start(ctx); err != nil {

cmd/app/app.go

@@ -75,6 +75,10 @@ type Options struct {
 	CacheSyncPeriod         time.Duration
 	RequeueDuration         time.Duration
 
+	KubeChannel  string
+	KubeInterval time.Duration
+
+	// kubeConfigFlags holds the flags for the kubernetes client
 	kubeConfigFlags *genericclioptions.ConfigFlags
 
 	selfhosted selfhosted.Options
@@ -141,7 +145,15 @@ func (o *Options) addAppFlags(fs *pflag.FlagSet) {
 
 	fs.DurationVarP(&o.CacheSyncPeriod,
 		"cache-sync-period", "", 5*time.Hour,
-		"The time in which all resources should be updated.")
+		"The duration in which all resources should be updated.")
+
+	fs.DurationVarP(&o.KubeInterval,
+		"kube-interval", "", o.CacheSyncPeriod,
+		"The time in which kubernetes channels updates are checked.")
+
+	fs.StringVarP(&o.KubeChannel,
+		"kube-channel", "", "stable",
+		"The Kubernetes channel to check against for cluster updates.")
 
 	fs.DurationVarP(&o.GracefulShutdownTimeout,
 		"graceful-shutdown-timeout", "", 10*time.Second,