stackrox · JoukoVirtanen · Oct 1, 2025 · Oct 1, 2025 · Sep 6, 2025 · Sep 7, 2025
@@ -65,26 +65,30 @@ type SecuredClusterSpec struct {
 	//+operator-sdk:csv:customresourcedefinitions:type=spec,order=6,displayName="Kubernetes Audit Logs Ingestion Settings"
 	AuditLogs *AuditLogsSpec `json:"auditLogs,omitempty"`
 
+	// Settings relating to process baselines.
+	//+operator-sdk:csv:customresourcedefinitions:type=spec,order=7,displayName="Process Baselines Settings"
+	ProcessBaselines *ProcessBaselinesSpec `json:"processBaselines,omitempty"`
+
 	// Settings for the Scanner component, which is responsible for vulnerability scanning of container
 	// images stored in a cluster-local image repository.
-	//+operator-sdk:csv:customresourcedefinitions:type=spec,order=7,displayName="Scanner Component Settings"
+	//+operator-sdk:csv:customresourcedefinitions:type=spec,order=8,displayName="Scanner Component Settings"
 	Scanner *LocalScannerComponentSpec `json:"scanner,omitempty"`
 
 	// Settings for the Scanner V4 components, which can run in addition to the previously existing Scanner components
-	//+operator-sdk:csv:customresourcedefinitions:type=spec,order=8,displayName="Scanner V4 Component Settings"
+	//+operator-sdk:csv:customresourcedefinitions:type=spec,order=9,displayName="Scanner V4 Component Settings"
 	ScannerV4 *LocalScannerV4ComponentSpec `json:"scannerV4,omitempty"`
 	// Above default is necessary to make the nested default work see: https://github.com/kubernetes-sigs/controller-tools/issues/622
 
 	// Settings related to Transport Layer Security, such as Certificate Authorities.
-	//+operator-sdk:csv:customresourcedefinitions:type=spec,order=9
+	//+operator-sdk:csv:customresourcedefinitions:type=spec,order=10
 	TLS *TLSConfig `json:"tls,omitempty"`
 
 	// Additional image pull secrets to be taken into account for pulling images.
-	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Image Pull Secrets",order=10,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:advanced"}
+	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Image Pull Secrets",order=11,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:advanced"}
 	ImagePullSecrets []LocalSecretReference `json:"imagePullSecrets,omitempty"`
 
 	// Customizations to apply on all Central Services components.
-	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName=Customizations,order=11,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:advanced"}
+	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName=Customizations,order=12,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:advanced"}
 	Customize *CustomizeSpec `json:"customize,omitempty"`
 
 	// Deprecated field. This field will be removed in a future release.
@@ -93,22 +97,46 @@ type SecuredClusterSpec struct {
 	Misc *MiscSpec `json:"misc,omitempty"`
 
 	// Overlays
-	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName=Overlays,order=12,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"}
+	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName=Overlays,order=13,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"}
 	Overlays []*K8sObjectOverlay `json:"overlays,omitempty"`
 
 	// Monitoring configuration.
-	//+operator-sdk:csv:customresourcedefinitions:type=spec,order=13,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:advanced"}
+	//+operator-sdk:csv:customresourcedefinitions:type=spec,order=14,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:advanced"}
 	Monitoring *GlobalMonitoring `json:"monitoring,omitempty"`
 
 	// Set this parameter to override the default registry in images. For example, nginx:latest -> <registry override>/library/nginx:latest
-	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Custom Default Image Registry",order=14,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:advanced"}
+	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Custom Default Image Registry",order=15,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:advanced"}
 	RegistryOverride *string `json:"registryOverride,omitempty"`
 
 	// Network configuration.
-	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName=Network,order=15,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:advanced"}
+	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName=Network,order=16,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:advanced"}
 	Network *GlobalNetworkSpec `json:"network,omitempty"`
 }
 
+// ProcessBaselinesAutoLockMode is a type for values of spec.processBaselineAutoLockMode.
+// +kubebuilder:validation:Enum=Enabled;Disabled
+type ProcessBaselinesAutoLockMode string
+
+const (
+	// ProcessBaselineLockModeEnabled means: Process baseline auto-locking will be enabled
+	ProcessBaselinesAutoLockModeEnabled ProcessBaselinesAutoLockMode = "Enabled"
+	// ProcessBaselineLockModeDisabled means: Process baseline auto-locking will be disabled
+	ProcessBaselinesAutoLockModeDisabled ProcessBaselinesAutoLockMode = "Disabled"
+)
+
+// Pointer returns the given ProcessBaselineAutoLockMode as a pointer, needed in k8s resource structs.
+func (p ProcessBaselinesAutoLockMode) Pointer() *ProcessBaselinesAutoLockMode {
+	return &p
+}
+
+// ProcessBaselinesSpec defines settings for the process baseline auto-locking feature.
+type ProcessBaselinesSpec struct {
+	// Should process baselines be automatically locked when the observation period (1 hour by default) ends.
+	// The default is: Disabled.
+	//+operator-sdk:csv:customresourcedefinitions:type=spec,order=1,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:select:Enabled", "urn:alm:descriptor:com.tectonic.ui:select:Disabled"}
+	AutoLock *ProcessBaselinesAutoLockMode `json:"autoLock,omitempty"`
+}
+
 // SensorComponentSpec defines settings for sensor.
 type SensorComponentSpec struct {
 	//+operator-sdk:csv:customresourcedefinitions:type=spec,order=1

@@ -788,6 +788,18 @@ spec:
                     - AvoidTaints
                     type: string
                 type: object
+              processBaselines:
+                description: Settings relating to process baselines.
+                properties:
+                  autoLock:
+                    description: |-
+                      Should process baselines be automatically locked when the observation period (1 hour by default) ends.
+                      The default is: Disabled.
+                    enum:
+                    - Enabled
+                    - Disabled
+                    type: string
+                type: object
               registryOverride:
                 description: Set this parameter to override the default registry in
                   images. For example, nginx:latest -> <registry override>/library/nginx:latest

@@ -928,6 +928,14 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:select:CORE_BPF
         - urn:alm:descriptor:com.tectonic.ui:select:NoCollection
+      - description: |-
+          Should process baselines be automatically locked when the observation period (1 hour by default) ends.
+          The default is: Disabled.
+        displayName: Auto Lock
+        path: processBaselines.autoLock
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:select:Enabled
+        - urn:alm:descriptor:com.tectonic.ui:select:Disabled
       - description: Controls the number of analyzer replicas and autoscaling.
         displayName: Scaling
         path: scanner.analyzer.scaling
@@ -1158,6 +1166,9 @@ spec:
       - description: Settings relating to the ingestion of Kubernetes audit logs.
         displayName: Kubernetes Audit Logs Ingestion Settings
         path: auditLogs
+      - description: Settings relating to process baselines.
+        displayName: Process Baselines Settings
+        path: processBaselines
       - description: |-
           Settings for the Scanner component, which is responsible for vulnerability scanning of container
           images stored in a cluster-local image repository.

@@ -25,6 +25,9 @@ var staticDefaults = platform.SecuredClusterSpec{
 	AuditLogs: &platform.AuditLogsSpec{
 		Collection: platform.AuditLogsCollectionAuto.Pointer(),
 	},
+	ProcessBaselines: &platform.ProcessBaselinesSpec{
+		AutoLock: platform.ProcessBaselinesAutoLockModeDisabled.Pointer(),
+	},
 	Scanner: &platform.LocalScannerComponentSpec{
 		ScannerComponent: platform.LocalScannerComponentAutoSense.Pointer(),
 		Analyzer: &platform.ScannerAnalyzerComponent{

@@ -161,6 +161,8 @@ func (t Translator) translate(ctx context.Context, sc platform.SecuredCluster) (
 		v.AddChild("network", translation.GetGlobalNetwork(sc.Spec.Network))
 	}
 
+	v.AddChild("autoLockProcessBaselines", getProcessBaselinesValues(sc.Spec.ProcessBaselines))
+
 	return v.Build()
 }
 
@@ -362,6 +364,16 @@ func (t Translator) getAuditLogsValues(auditLogs *platform.AuditLogsSpec) *trans
 	return &cv
 }
 
+func getProcessBaselinesValues(processBaselines *platform.ProcessBaselinesSpec) *translation.ValuesBuilder {
+	if processBaselines == nil || processBaselines.AutoLock == nil {
+		return nil
+	}
+	cv := translation.NewValuesBuilder()
+	cv.SetBoolValue("enabled", *processBaselines.AutoLock == platform.ProcessBaselinesAutoLockModeEnabled)
+
+	return &cv
+}
+
 func (t Translator) getCollectorValues(perNode *platform.PerNodeSpec) *translation.ValuesBuilder {
 	cv := translation.NewValuesBuilder()
 

@@ -967,6 +967,76 @@ func (s *TranslationTestSuite) TestTranslate() {
 				},
 			},
 		},
+		"process baseline auto-locking enabled": {
+			args: args{
+				client: newDefaultFakeClient(t),
+				sc: platform.SecuredCluster{
+					ObjectMeta: metav1.ObjectMeta{Namespace: "stackrox"},
+					Spec: platform.SecuredClusterSpec{
+						ClusterName: ptr.To("test-cluster"),
+						ProcessBaselines: &platform.ProcessBaselinesSpec{
+							AutoLock: platform.ProcessBaselinesAutoLockModeEnabled.Pointer(),
+						},
+					},
+				},
+			},
+			want: chartutil.Values{
+				"clusterName":   "test-cluster",
+				"ca":            map[string]string{"cert": "ca central content"},
+				"createSecrets": false,
+				"scanner": map[string]interface{}{
+					"disable": false,
+				},
+				"sensor": map[string]interface{}{
+					"localImageScanning": map[string]string{
+						"enabled": "true",
+					},
+				},
+				"monitoring": map[string]interface{}{
+					"openshift": map[string]interface{}{
+						"enabled": true,
+					},
+				},
+				"autoLockProcessBaselines": map[string]interface{}{
+					"enabled": true,
+				},
+			},
+		},
+		"process baseline auto-locking disabled": {
+			args: args{
+				client: newDefaultFakeClient(t),
+				sc: platform.SecuredCluster{
+					ObjectMeta: metav1.ObjectMeta{Namespace: "stackrox"},
+					Spec: platform.SecuredClusterSpec{
+						ClusterName: ptr.To("test-cluster"),
+						ProcessBaselines: &platform.ProcessBaselinesSpec{
+							AutoLock: platform.ProcessBaselinesAutoLockModeDisabled.Pointer(),
+						},
+					},
+				},
+			},
+			want: chartutil.Values{
+				"clusterName":   "test-cluster",
+				"ca":            map[string]string{"cert": "ca central content"},
+				"createSecrets": false,
+				"scanner": map[string]interface{}{
+					"disable": false,
+				},
+				"sensor": map[string]interface{}{
+					"localImageScanning": map[string]string{
+						"enabled": "true",
+					},
+				},
+				"monitoring": map[string]interface{}{
+					"openshift": map[string]interface{}{
+						"enabled": true,
+					},
+				},
+				"autoLockProcessBaselines": map[string]interface{}{
+					"enabled": false,
+				},
+			},
+		},
 	}
 
 	for name, tt := range tests {