Closed cristiklein closed 2 years ago
It seems like 30 days (720h) is a good retention period for vulnerability reports, and I see that the older reports are not deleted automatically (the controller responsible for automatic deletion looks for an annotation report-ttl), as the older reports don't have the annotation. They wanted the admins to delete the reports.
So it's a bit of work for admins during the maintenance window, but I think it is only done once.
https://github.com/aquasecurity/starboard/pull/879
https://github.com/aquasecurity/starboard/pull/863
https://github.com/aquasecurity/starboard/commit/ab3974f34d367bd5fc311e8832be289430650f25#diff-d3f7d7d560e713a8e799f56e1c0316a5f024a0957d58814fde1802453266ad07R20
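The one-time cleanup described in the comment above, as an added example that is not part of the thread or of the Starboard project: it lists reports that are older than the TTL and lack the annotation, so the controller will never delete them. The full annotation key, the sample report names and the `legacy_expired_reports` helper are assumptions; the input has the shape of `kubectl get vulnerabilityreports -A -o json` output.

```python
from datetime import datetime, timedelta, timezone

# Assumption: full key of the annotation the thread calls "report-ttl".
TTL_ANNOTATION = "starboard.aquasecurity.github.io/report-ttl"


def legacy_expired_reports(report_list, ttl, now):
    """Return sorted (namespace, name) pairs of reports that are older than
    ttl and carry no TTL annotation, i.e. ones an admin must delete by hand."""
    stale = []
    for item in report_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        if TTL_ANNOTATION in annotations:
            continue  # annotated reports are left to the TTL controller
        created = datetime.strptime(
            meta["creationTimestamp"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        if now - created > ttl:
            stale.append((meta.get("namespace", ""), meta["name"]))
    return sorted(stale)


# Constructed sample input (not real cluster data).
SAMPLE = {"items": [
    {"metadata": {"namespace": "default", "name": "replicaset-nginx-old",
                  "creationTimestamp": "2022-01-15T08:00:00Z"}},
    {"metadata": {"namespace": "default", "name": "replicaset-api-annotated",
                  "creationTimestamp": "2022-01-10T08:00:00Z",
                  "annotations": {TTL_ANNOTATION: "720h0m0s"}}},
    {"metadata": {"namespace": "kube-system", "name": "daemonset-proxy-recent",
                  "creationTimestamp": "2022-03-20T08:00:00Z"}},
]}
NOW = datetime(2022, 4, 1, tzinfo=timezone.utc)  # fixed so the result is stable

if __name__ == "__main__":
    # 720h is the 30-day retention period proposed in the thread.
    for namespace, name in legacy_expired_reports(SAMPLE, timedelta(hours=720), NOW):
        print(f"{namespace}/{name}")
```

Review the printed list before deleting anything; recent unannotated reports are deliberately left alone because the dashboard still needs them.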
@Pavan-Gunda Just to make sure I understand, you recommend setting starboard.vulnerabilityScanner.reportTTL: 30d in defaults/common-config.yaml?
If yes, then it sounds good to me!
Is your feature request related to a problem? Please describe.
Please set a sane default value for OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL. The default value should trade two conflicting goals:
Describe the solution you'd like
A value which is large enough to ensure the vulnerability dashboard always works, e.g., 2x frequency of scanning. Unfortunately, I have been unable to determine at a glance how often starboard does scanning.
Describe alternatives you've considered
Additional context
Definition of done:
starboard.vulnerabilityScanner.reportTTL in defaults/common-config.yaml is changed from "" to something like XXd.