kubewarden / audit-scanner

Reports evaluation of existing Kubernetes resources with your already deployed Kubewarden policies.
https://kubewarden.io
Apache License 2.0

audit-scanner - MVP Stage 4 - create PolicyReport #36

Closed jvanz closed 1 year ago

jvanz commented 1 year ago

Implement creation of PolicyReport inside of the namespace being analyzed, by using the kube API client and https://github.com/kubernetes-sigs/wg-policy-prototypes.

Acceptance criteria:
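The per-namespace PolicyReport construction this task calls for, as an added example that is not part of the issue or of the audit-scanner code base: it mirrors a minimal subset of the wgpolicyk8s.io/v1alpha2 schema with local types (an assumption; real code would import the wg-policy-prototypes Go types), derives the summary counts from the verdicts, and emits the JSON body that the kube API client would submit. The report name `polr-<namespace>` is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal local mirror of the wgpolicyk8s.io/v1alpha2 PolicyReport schema (assumption:
// field names follow that API; a real scanner imports wg-policy-prototypes' Go types).
type ObjectReference struct {
	Kind      string `json:"kind"`
	Namespace string `json:"namespace"`
	Name      string `json:"name"`
}
type PolicyReportResult struct {
	Policy    string            `json:"policy"`
	Result    string            `json:"result"` // pass, fail, warn, error or skip
	Resources []ObjectReference `json:"resources"`
}
type PolicyReport struct {
	APIVersion string               `json:"apiVersion"`
	Kind       string               `json:"kind"`
	Metadata   map[string]string    `json:"metadata"`
	Summary    map[string]int       `json:"summary"`
	Results    []PolicyReportResult `json:"results"`
}

// BuildPolicyReport aggregates one namespace's verdicts into a PolicyReport and derives its summary.
func BuildPolicyReport(namespace string, results []PolicyReportResult) PolicyReport {
	summary := map[string]int{"pass": 0, "fail": 0, "warn": 0, "error": 0, "skip": 0}
	for _, r := range results {
		verdict := r.Result
		if _, known := summary[verdict]; !known { // unknown verdicts are counted as errors, not dropped
			verdict = "error"
		}
		summary[verdict]++
	}
	return PolicyReport{APIVersion: "wgpolicyk8s.io/v1alpha2", Kind: "PolicyReport",
		Metadata: map[string]string{"name": "polr-" + namespace, "namespace": namespace}, // name: assumption
		Summary:  summary, Results: results}
}

func main() { // constructed verdicts for two pods in namespace "payments"
	rep := BuildPolicyReport("payments", []PolicyReportResult{
		{Policy: "no-privileged-pods", Result: "pass", Resources: []ObjectReference{{"Pod", "payments", "api-1"}}},
		{Policy: "no-privileged-pods", Result: "fail", Resources: []ObjectReference{{"Pod", "payments", "worker-1"}}},
	})
	out, _ := json.MarshalIndent(rep, "", "  ")
	fmt.Println(string(out)) // JSON body to create through the Kubernetes API client
}
```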

jvanz commented 1 year ago

@kubewarden/kubewarden-developers, I'm thinking about a conversation that I had with Flavio about storing the results on etcd (Policy Report), as it is planned now. During this conversation Flavio mentioned he had talked with a SUSE colleague and discussed the scalability issues that this can impose on us.

The first idea would be to move away from etcd and use another database, like sqlite. I think this is fine. But we should abstract the backend database from the scanner. Therefore, we can easily extend to other types of databases on user request. But there is a thing that we need to reformulate: how will users access this information?

As we move away from the policy report format, we need to allow users to easily access this information. One option is using OTEL, Prometheus and Grafana or something similar. The good point on that is that we get a nice UI out of the box. I still need to refresh my memory to see what the available metric types are and if they will be enough to cover the functionality that we planned to have using Policy Report. The bad side is that the user must have this stack installed to visualize the information (which I think is pretty bad).

Another option is to create an API to expose this to the outer world. If we do that now, we need to think of scalability again, because the API must be up and running most of the time. Furthermore, we need to think of a format to expose this data as well.

If we decide to go with the OTEL path, we can use the sqlite database as the cache for future evaluations and export the final result in the metrics. Another thing to remember is that with a sqlite database in the picture we start to worry about database migrations (e.g. how to add/remove a field, etc.).

tldr: what do you think of using OTEL, Prometheus and Grafana stack to expose audit scanner reports?

Sorry for these random ideas. I would like to start the discussion with the team while I was thinking about this as well.

viccuad commented 1 year ago

Sounds good, yet I would like to be convinced first that PolicyReport is not a viable solution.