Merge preview to main

.github/workflows/ci.yaml

@@ -0,0 +1,39 @@
+# CI: fmt, vet, and unit tests on push and PR.
+name: CI
+
+on:
+  push:
+    branches: [main, preview]
+  pull_request:
+    branches: [main, preview]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+
+      - name: tidy
+        run: go mod tidy
+
+      - name: fmt
+        run: |
+          go fmt ./...
+          git diff --exit-code
+
+      - name: vet
+        run: go vet ./...
+
+      - name: test
+        run: go test ./... -short -coverprofile=cover.out -count=1
+
+      - name: govulncheck
+        run: |
+          go install golang.org/x/vuln/cmd/govulncheck@latest
+          $(go env GOPATH)/bin/govulncheck ./...

.gitignore

@@ -24,3 +24,8 @@ Dockerfile.cross
 *.swp
 *.swo
 *~
+
+# Local agent / session continuity — do not commit (SSOT = board + issue bodies)
+READMEDEV.md
+docs/HANDOVER.md
+docs/SPRINT-*-PLAN.md

Makefile

@@ -137,7 +137,7 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v5.0.0
-CONTROLLER_TOOLS_VERSION ?= v0.16.0
+CONTROLLER_TOOLS_VERSION ?= v0.17.2
 
 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
 .PHONY: kustomize

cmd/main.go

@@ -31,8 +31,8 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
-	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	amtdv1beta1 "github.com/r6security/phoenix/api/v1beta1"
 	"github.com/r6security/phoenix/internal/controller"
@@ -120,6 +120,14 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "SecurityEvent")
 		os.Exit(1)
 	}
+	if err = (&controller.NIMReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+		Policy: controller.DefaultNIMPolicy(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "NIM")
+		os.Exit(1)
+	}
 	//+kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {

config/crd/bases/amtd.r6security.com_securityevents.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.0
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: securityevents.amtd.r6security.com
 spec:
   group: amtd.r6security.com

config/rbac/role.yaml

@@ -5,10 +5,9 @@ metadata:
   name: manager-role
 rules:
 - apiGroups:
-  - amtd.r6security.com
+  - ""
   resources:
-  - adaptivemovingtargetdefenses
-  - securityevents
+  - pods
   verbs:
   - create
   - delete
@@ -18,25 +17,24 @@ rules:
   - update
   - watch
 - apiGroups:
-  - amtd.r6security.com
+  - ""
   resources:
-  - adaptivemovingtargetdefenses/finalizers
-  - securityevents/finalizers
+  - pods/finalizers
   verbs:
   - update
 - apiGroups:
-  - amtd.r6security.com
+  - ""
   resources:
-  - adaptivemovingtargetdefenses/status
-  - securityevents/status
+  - pods/status
   verbs:
   - get
   - patch
   - update
 - apiGroups:
-  - ""
+  - amtd.r6security.com
   resources:
-  - pods
+  - adaptivemovingtargetdefenses
+  - securityevents
   verbs:
   - create
   - delete
@@ -46,15 +44,17 @@ rules:
   - update
   - watch
 - apiGroups:
-  - ""
+  - amtd.r6security.com
   resources:
-  - pods/finalizers
+  - adaptivemovingtargetdefenses/finalizers
+  - securityevents/finalizers
   verbs:
   - update
 - apiGroups:
-  - ""
+  - amtd.r6security.com
   resources:
-  - pods/status
+  - adaptivemovingtargetdefenses/status
+  - securityevents/status
   verbs:
   - get
   - patch

deploy/manifests/demo-page/demo-page-deployment.yaml

@@ -25,6 +25,9 @@ spec:
       creationTimestamp: null
       labels:
         app: demo-page
+      annotations:
+        time-based-trigger.amtd.r6security.com/enabled: "true"
+        time-based-trigger.amtd.r6security.com/schedule: "30s"
     spec:
       containers:
       - image: nginx:1.25.1

docs/INSTALL.md

@@ -60,14 +60,18 @@ kubectl apply -n demo-page -f deploy/manifests/time-based-trigger-demo-amtd.yaml
 kubectl -n moving-target-defense get AdaptiveMovingTargetDefense
 ```
 
-3. Enable time backend for the demo-page deployment and schdedule the restart in every 30s:
+3. Enable the 30s time-based trigger (optional — the demo deployment already includes these annotations):
 
-```
-kubectl patch -n demo-page deployments.apps demo-page -p '"spec": {"template": { "metadata": {"annotations": {"time-based-trigger.amtd.r6security.com/schedule": "30s"}}}}'
-kubectl patch -n demo-page deployments.apps demo-page -p '"spec": {"template": { "metadata": {"annotations": {"time-based-trigger.amtd.r6security.com/enabled": "true"}}}}'
-```
+   The Time-based Trigger requires **both** annotations on the pod template: `time-based-trigger.amtd.r6security.com/enabled` and `time-based-trigger.amtd.r6security.com/schedule`. The `demo-page-deployment.yaml` in this repo already sets them. If you use a different deployment or need to change the schedule, apply **one** patch that sets both (annotations must be under `spec.template.metadata.annotations`):
+
+   ```bash
+   kubectl patch -n demo-page deployments.apps demo-page -p '{"spec":{"template":{"metadata":{"annotations":{"time-based-trigger.amtd.r6security.com/enabled":"true","time-based-trigger.amtd.r6security.com/schedule":"30s"}}}}}'
+   ```
+
+   **If the trigger doesn't run:** Check that the pod has both annotations:  
+   `kubectl get pod -n demo-page -l app=demo-page -o jsonpath='{.items[0].metadata.annotations}'`
 
-4. Watch pods to see the restarts in every 30 seconds:
+4. Watch pods to see the restarts every 30 seconds:
 
 ```
 watch kubectl -n demo-page get pods

docs/NIM.md

@@ -0,0 +1,27 @@
+# NIM (Node Infrastructure Module) add-on
+
+Phoenix includes an optional **NIM controller** that performs NIM-enhanced pod restarts when pods have **time-based** SecurityEvents applied (e.g. from a timer or the [Time-based Trigger](https://github.com/r6security/time-based-trigger)). The controller updates NIM annotations on the pod and then deletes the pod with a configurable grace period so the workload is rescheduled.
+
+## When NIM acts
+
+- The pod must have the annotation `amtd.r6security.com/applied-sec-events` set (JSON array of SecurityEvent objects), typically by the Phoenix operator or the Time-based Trigger.
+- NIM only reacts when at least one of those events has `rule.type=timed` and `rule.source=TimeBasedTrigger`.
+- Other event types are ignored.
+
+## Annotation contract
+
+| Annotation | Set by | Description |
+|------------|--------|-------------|
+| `amtd.r6security.com/applied-sec-events` | Phoenix / Time-based Trigger | JSON array of SecurityEvent objects applied to the pod. |
+| `nim.r6security.com/pod-startup-state` | NIM controller | One of `pending`, `starting`, `running`, `failed`. |
+| `nim.r6security.com/triggers-stopped` | NIM controller | Set to `true` when NIM has applied a restart. |
+| `nim.r6security.com/action-active` | NIM controller | Set to `true` when a NIM action is in progress. |
+| `nim.r6security.com/last-action-timestamp` | NIM controller | Unix timestamp of the last NIM action. |
+
+## Default behavior
+
+- Grace period for pod termination: 30 seconds.
+- Requeue interval: 10 seconds.
+- Trigger: `type=timed`, `source=TimeBasedTrigger`.
+
+These can be made configurable in a future release.

docs/REFERENCE.md

@@ -1,3 +1,9 @@
+## NIM add-on (annotation contract)
+
+The built-in NIM controller watches pods with applied SecurityEvents and performs NIM-enhanced restarts when a **time-based** trigger is present. See [NIM](NIM.md) for behavior and the annotation contract (`amtd.r6security.com/applied-sec-events`, `nim.r6security.com/*`).
+
+---
+
 ## Custom Resources 
 
 A custom resource is an extension of the Kubernetes API that is not necessarily available in a default Kubernetes installation, however, it can be added at any time by deploying a CustomResourceDefinition. 

docs/examples/timer-based-app-restart.md

@@ -27,15 +27,16 @@ In this tutorial you will learn how to:
 
 ## Configure Time-based Trigger
 
-- Set the timer to 30s:
-```
-kubectl patch -n demo-page deployments.apps demo-page -p '"spec": {"template": { "metadata": {"annotations": {"time-based-trigger.amtd.r6security.com/schedule": "30s"}}}}'
-```
--  Enable time-based-trigger for the pod
-```
-kubectl patch -n demo-page deployments.apps demo-page -p '"spec": {"template": { "metadata": {"annotations": {"time-based-trigger.amtd.r6security.com/enabled": "true"}}}}'
+The Time-based Trigger needs **both** annotations on the pod: `time-based-trigger.amtd.r6security.com/enabled` and `time-based-trigger.amtd.r6security.com/schedule`. Set both in one patch (under `spec.template.metadata.annotations`):
+
+```bash
+kubectl patch -n demo-page deployments.apps demo-page -p '{"spec":{"template":{"metadata":{"annotations":{"time-based-trigger.amtd.r6security.com/enabled":"true","time-based-trigger.amtd.r6security.com/schedule":"30s"}}}}}'
 ```
-Watch pods to see the restarts in every 30 seconds:
+
+If the trigger doesn't run, verify the pod has both annotations:
+`kubectl get pod -n demo-page -l app=demo-page -o jsonpath='{.items[0].metadata.annotations}'`
+
+Watch pods to see the restarts every 30 seconds:
 
 	watch kubectl -n demo-page get pods
 

go.mod

@@ -1,6 +1,6 @@
 module github.com/r6security/phoenix
 
-go 1.24.0
+go 1.26.1
 
 require (
 	github.com/go-logr/logr v1.4.3
@@ -58,14 +58,14 @@ require (
 	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
-	go.opentelemetry.io/otel v1.33.0 // indirect
+	go.opentelemetry.io/otel v1.40.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 // indirect
-	go.opentelemetry.io/otel/metric v1.33.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.33.0 // indirect
-	go.opentelemetry.io/otel/trace v1.33.0 // indirect
+	go.opentelemetry.io/otel/metric v1.40.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.40.0 // indirect
+	go.opentelemetry.io/otel/trace v1.40.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.4.0 // indirect
 	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
@@ -76,7 +76,7 @@ require (
 	golang.org/x/net v0.43.0 // indirect
 	golang.org/x/oauth2 v0.27.0 // indirect
 	golang.org/x/sync v0.16.0 // indirect
-	golang.org/x/sys v0.35.0 // indirect
+	golang.org/x/sys v0.40.0 // indirect
 	golang.org/x/term v0.34.0 // indirect
 	golang.org/x/text v0.28.0 // indirect
 	golang.org/x/time v0.9.0 // indirect

go.sum

@@ -115,8 +115,8 @@ github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ
 github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
 github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
@@ -134,28 +134,30 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
-go.opentelemetry.io/otel v1.33.0 h1:/FerN9bax5LoK51X/sI0SVYrjSE0/yUL7DpxW4K3FWw=
-go.opentelemetry.io/otel v1.33.0/go.mod h1:SUUkR6csvUQl+yjReHu5uM3EtVV7MBm5FHKRlNx4I8I=
+go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
+go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 h1:Vh5HayB/0HHfOQA7Ctx69E/Y/DcQSMPpKANYVMQ7fBA=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0/go.mod h1:cpgtDBaqD/6ok/UG0jT15/uKjAY8mRA53diogHBg3UI=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 h1:5pojmb1U1AogINhN3SurB+zm/nIcusopeBNp42f45QM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0/go.mod h1:57gTHJSE5S1tqg+EKsLPlTWhpHMsWlVmer+LA926XiA=
-go.opentelemetry.io/otel/metric v1.33.0 h1:r+JOocAyeRVXD8lZpjdQjzMadVZp2M4WmQ+5WtEnklQ=
-go.opentelemetry.io/otel/metric v1.33.0/go.mod h1:L9+Fyctbp6HFTddIxClbQkjtubW6O9QS3Ann/M82u6M=
-go.opentelemetry.io/otel/sdk v1.33.0 h1:iax7M131HuAm9QkZotNHEfstof92xM+N8sr3uHXc2IM=
-go.opentelemetry.io/otel/sdk v1.33.0/go.mod h1:A1Q5oi7/9XaMlIWzPSxLRWOI8nG3FnzHJNbiENQuihM=
-go.opentelemetry.io/otel/trace v1.33.0 h1:cCJuF7LRjUFso9LPnEAHJDB2pqzp+hbO8eu1qqW2d/s=
-go.opentelemetry.io/otel/trace v1.33.0/go.mod h1:uIcdVUZMpTAmz0tI1z04GoVSezK37CbGV4fr1f2nBck=
+go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=
+go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=
+go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=
+go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=
+go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=
+go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
+go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
+go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
 go.opentelemetry.io/proto/otlp v1.4.0 h1:TA9WRvW6zMwP+Ssb6fLoUIuirti1gGbP28GcKG1jgeg=
 go.opentelemetry.io/proto/otlp v1.4.0/go.mod h1:PPBWZIP98o2ElSqI35IHfu7hIhSwvc5N38Jw8pXuGFY=
 go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
@@ -193,8 +195,8 @@ golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
-golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
+golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=
 golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

internal/controller/constants.go

@@ -27,5 +27,5 @@ const (
 	R6_SECURITY_EVENT_RECEIVED   string = "amtd.r6security.event.received"
 
 	// R6Security label for AMTD-managed pods (GitHub issue #15)
-	R6_SECURITY_MANAGED_LABEL    string = "r6security.com/managed-by-amtd"
+	R6_SECURITY_MANAGED_LABEL string = "r6security.com/managed-by-amtd"
 )