Closed flavio closed 2 years ago
There's one thing I forgot to mention. We are going to introduce an audit report feature to Kubewarden that is going to use the contents of this RFC. A background scan is going to be run at certain intervals and this is going to update PolicyReport objects.
However, there's also something else we can do in the future that leverages these CRDs. We could, for example, add entries to the PolicyReport in a live fashion to keep track of resources that have been rejected by our admission controller. This is something that Kyverno does. We might want to do that too.
Just sharing a thought; I'm not sure if it fits in some thread already open.
I've reviewed the last CNCF survey trying to find some additional information about cluster sizes, to figure out whether the report size could be a future problem. It has information about cluster sizes in terms of containers and machines running. In the survey we can see that 73.59% of the interviewees run clusters with 999 containers maximum. Let's assume, for the sake of the discussion, that each container has a resource which is verified by all the policies (e.g. pod, deployment, etc.). So, in the worst scenario, if all the policies are clusterwide, the number of entries in the report will be 999 * number of policies. Our recommended policy list in the kubewarden-defaults chart has 6 policies, which leads us to 5994 possible evaluations. Is it too much? I do not know.
On the other hand, the scenario above is unlikely to happen, because in the same survey we learn that most organizations separate their teams and applications by namespaces or separate clusters. So, the predominant case will be multiple smaller reports.
Thanks for sharing this survey data. I agree with you; I doubt all the 999 containers are going to be located in 1~5 namespaces. I've looked into the survey data: the majority of users rely on Namespaces to separate both applications and teams. Hence, I think we will end up with lots of smaller/medium-sized reports.
I've made a round of final adjustments. I think we can go ahead and merge the PR once the last open question is addressed.
Add an RFC that describes the format used to store our policy reports.
This is kind of a split of https://github.com/kubewarden/rfc/pull/10