defenseunicorns / pepr

Type safe K8s middleware for humans
https://pepr.dev
Apache License 2.0

Background Enforcement/Existing Resource Scans #429

Open cmwylie19 opened 10 months ago

cmwylie19 commented 10 months ago

Is your feature request related to a problem? Please describe.

Periodic scans against existing resources against policy. Should probably use Pepr's watch

The primary risk: if there are existing resources in the cluster that violate policy, an admission-only policy engine won't ever see create/update events for them; they've already been created.

Should support changes in policy, when a policy is updated, re-evaluate existing resources.

Should have an "audit" mode that will allow objects into the cluster that are failing.

Describe alternatives you've considered

Might be called something like ValidateAndBackgroundWatch or ValidateAndWatch


jeff-mccoy commented 7 months ago

I don't think watch fits this scenario, I'd much rather see a rolling schedule every X hrs (user-configurable) to get resources and stagger that so you're not loading the cluster all at once. E.g. If you have 3 policies that validate 3 different kinds of resources, evenly distribute those across the rescan interval.
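As an added illustration of the staggered background re-scan jeff-mccoy sketches (this is example code written for this page, not part of the thread and not Pepr's own implementation): three policies are spread evenly across a user-configurable rescan interval, each scan evaluates only the resources of its policy's kind, and in "audit" mode the scan records findings rather than rejecting anything. The `Policy`/`K8sResource` shapes, the three sample policies and the in-memory resource list are constructed assumptions standing in for a real list call against the Kubernetes API.

```typescript
// Example: staggered background policy scans in audit mode.
// Not Pepr project code; shapes, policies and resources below are constructed.

interface K8sResource {
  kind: string;
  metadata: { name: string; namespace?: string; labels?: Record<string, string> };
  spec?: { hostNetwork?: boolean; containers?: { name: string; image: string }[] };
}

interface Policy {
  name: string;
  kind: string;                                   // resource kind this policy validates
  validate: (r: K8sResource) => string | null;    // null = pass, string = violation reason
}

interface Finding { policy: string; kind: string; name: string; reason: string }

interface ScanPlan { policy: Policy; nextRunAt: number }

// Evenly distribute N policies across the rescan interval: with 3 policies and a
// 6h interval, one scan starts every 2h instead of all three loading the API at once.
function staggerOffsets(policyCount: number, intervalMs: number): number[] {
  if (policyCount <= 0) return [];
  const step = intervalMs / policyCount;
  return Array.from({ length: policyCount }, (_, i) => Math.floor(i * step));
}

// Build the rolling schedule: each policy first fires at its offset from `now`.
function planRescans(policies: Policy[], intervalMs: number, now: number): ScanPlan[] {
  const offsets = staggerOffsets(policies.length, intervalMs);
  return policies.map((policy, i) => ({ policy, nextRunAt: now + offsets[i] }));
}

// Audit-mode scan of existing resources: report violations, never mutate or deny.
function scanExisting(policy: Policy, resources: K8sResource[]): Finding[] {
  const findings: Finding[] = [];
  for (const r of resources) {
    if (r.kind !== policy.kind) continue;        // only the kind this policy covers
    const reason = policy.validate(r);
    if (reason !== null) {
      findings.push({ policy: policy.name, kind: r.kind, name: r.metadata.name, reason });
    }
  }
  return findings;
}

// Run every scan whose time has come, then push it one interval into the future.
function runDue(plan: ScanPlan[], intervalMs: number, now: number, resources: K8sResource[]): Finding[] {
  const findings: Finding[] = [];
  for (const entry of plan) {
    if (entry.nextRunAt > now) continue;
    findings.push(...scanExisting(entry.policy, resources));
    entry.nextRunAt += intervalMs;
  }
  return findings;
}

// Three constructed sample policies validating two different kinds.
const policies: Policy[] = [
  { name: "no-latest-tag", kind: "Pod", validate: r => {
      const bad = (r.spec?.containers ?? []).find(c => c.image.endsWith(":latest") || !c.image.includes(":"));
      return bad ? `container ${bad.name} uses unpinned image ${bad.image}` : null;
  } },
  { name: "require-team-label", kind: "Namespace",
    validate: r => (r.metadata.labels?.team ? null : "missing team label") },
  { name: "deny-host-network", kind: "Pod",
    validate: r => (r.spec?.hostNetwork ? "hostNetwork is enabled" : null) },
];

// Constructed stand-in for what a list call against the API server would return.
const sampleResources: K8sResource[] = [
  { kind: "Pod", metadata: { name: "web", namespace: "payments" },
    spec: { hostNetwork: false, containers: [{ name: "app", image: "nginx:1.25" }] } },
  { kind: "Pod", metadata: { name: "legacy", namespace: "scratch" },
    spec: { hostNetwork: true, containers: [{ name: "shell", image: "busybox:latest" }] } },
  { kind: "Namespace", metadata: { name: "payments", labels: { team: "platform" } } },
  { kind: "Namespace", metadata: { name: "scratch" } },
];

const HOUR = 3_600_000;

// Simulate one 6h interval in hourly ticks and collect every audit finding.
function scanOneInterval(): Finding[] {
  const interval = 6 * HOUR;
  const plan = planRescans(policies, interval, 0);
  const all: Finding[] = [];
  for (let t = 0; t < interval; t += HOUR) {
    all.push(...runDue(plan, interval, t, sampleResources));
  }
  return all;
}

console.log(scanOneInterval());
```

Because `runDue` only advances the entries that actually fired, a scheduler driven by a real clock can call it on any tick and the three scans stay two hours apart; the findings it returns are what a policy update would need to re-evaluate, and what an audit mode would surface without ever blocking a create or update.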