kubewarden / rfc

Kubewarden's RFCs
https://github.com/kubewarden/

Add RFC about policy-report #13

Closed flavio closed 2 years ago

flavio commented 2 years ago

Add an RFC that describes the format used to store our policy reports.

This is kind of a split of https://github.com/kubewarden/rfc/pull/10

flavio commented 2 years ago

There's one thing I forgot to mention. We are going to introduce an audit report feature to Kubewarden that is going to use the contents of this RFC. A background scan is going to be run at certain intervals and this is going to update PolicyReport objects.

However, there's also something else we can do in the future that leverages these CRDs. We could for example add entries to the PolicyReport in a live fashion to keep track of resources that have been rejected by our admission controller. This is something that Kyverno does. We might want to do that too.

jvanz commented 2 years ago

Just sharing a thought that I'm not sure if it fits in some thread already open.

I've reviewed the last CNCF survey trying to find some additional information about cluster sizes, trying to figure out if the report size could be a future problem. It has information about cluster sizes in terms of containers and machines running. In the survey we can see that 73.59% of the interviewees run clusters with 999 containers maximum. Let's assume for the sake of the discussion that each of the containers has a resource which is verified by all the policies (e.g. pod, deployment, etc.). So, in the worst case, if all the policies are cluster-wide, the number of entries in the report will be 999 * number of policies. Our recommended policy list in the kubewarden-defaults chart has 6 policies, which leads us to 5994 possible evaluations. Is it too much? I do not know.

On the other hand, the scenario above is unlikely to happen, because in the same survey we learn that most organizations separate their teams and applications by namespaces or separate clusters. So, the predominant case will be multiple smaller reports.

flavio commented 2 years ago

> On the other hand, the scenario above is unlikely to happen, because in the same survey we learn that most organizations separate their teams and applications by namespaces or separate clusters. So, the predominant case will be multiple smaller reports.

Thanks for sharing this survey data. I agree with you, I doubt all the 999 containers are going to be located in 1~5 namespaces. I've looked into the survey data; the majority of users are relying on Namespaces to separate both applications and teams. Hence, I think we will end up with lots of smaller/medium sized reports.
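As an added illustration of the two points discussed above (a background scan feeding PolicyReport objects, and the report count scaling as resources per namespace times policies), the Go program below is example code written for this page, not Kubewarden's audit scanner or Kyverno's implementation. It takes constructed evaluation results and groups them into one PolicyReport per namespace plus one ClusterPolicyReport for cluster-scoped resources, filling in the summary counters. Field names follow the wgpolicyk8s.io/v1alpha2 PolicyReport CRD; the report name `kubewarden-audit`, the policy names and the sample resources are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// ObjectReference identifies the evaluated resource (v1alpha2 PolicyReport field names).
type ObjectReference struct {
	APIVersion string `json:"apiVersion,omitempty"`
	Kind       string `json:"kind,omitempty"`
	Namespace  string `json:"namespace,omitempty"`
	Name       string `json:"name,omitempty"`
}

// Result is one entry of PolicyReport.results.
type Result struct {
	Policy    string            `json:"policy"`
	Result    string            `json:"result"` // pass, fail, warn, error or skip
	Message   string            `json:"message,omitempty"`
	Source    string            `json:"source,omitempty"`
	Resources []ObjectReference `json:"resources,omitempty"`
}

// Summary mirrors PolicyReport.summary.
type Summary struct {
	Pass  int `json:"pass"`
	Fail  int `json:"fail"`
	Warn  int `json:"warn"`
	Error int `json:"error"`
	Skip  int `json:"skip"`
}

// Metadata is the subset of ObjectMeta the example needs.
type Metadata struct {
	Name      string `json:"name"`
	Namespace string `json:"namespace,omitempty"`
}

// PolicyReport covers both kinds: PolicyReport (namespaced) and ClusterPolicyReport.
type PolicyReport struct {
	APIVersion string   `json:"apiVersion"`
	Kind       string   `json:"kind"`
	Metadata   Metadata `json:"metadata"`
	Summary    Summary  `json:"summary"`
	Results    []Result `json:"results"`
}

// Evaluation is the constructed outcome of one policy run against one resource,
// as a background scan (or a live admission decision) would produce it.
type Evaluation struct {
	Policy   string
	Resource ObjectReference
	Accepted bool
	Message  string
}

// BuildReports groups evaluations by the resource's namespace: one PolicyReport per
// namespace and one ClusterPolicyReport (map key "") for cluster-scoped resources.
// Each report ends up with (resources in that scope) x (policies) entries.
func BuildReports(evals []Evaluation) map[string]*PolicyReport {
	reports := map[string]*PolicyReport{}
	for _, e := range evals {
		ns := e.Resource.Namespace
		r, ok := reports[ns]
		if !ok {
			// "kubewarden-audit" is a hypothetical report name chosen for the example.
			r = &PolicyReport{APIVersion: "wgpolicyk8s.io/v1alpha2", Results: []Result{}}
			r.Kind, r.Metadata = "PolicyReport", Metadata{Name: "kubewarden-audit", Namespace: ns}
			if ns == "" {
				r.Kind = "ClusterPolicyReport"
			}
			reports[ns] = r
		}
		outcome := "pass"
		if e.Accepted {
			r.Summary.Pass++
		} else {
			outcome = "fail"
			r.Summary.Fail++
		}
		r.Results = append(r.Results, Result{Policy: e.Policy, Result: outcome,
			Message: e.Message, Source: "kubewarden", Resources: []ObjectReference{e.Resource}})
	}
	return reports
}

// SampleEvaluations is constructed input: three hypothetical policies run against
// two pods in team-a, one pod in team-b and one cluster-scoped Namespace.
func SampleEvaluations() []Evaluation {
	policies := []string{"no-privileged-containers", "no-host-namespaces", "safe-labels"}
	resources := []ObjectReference{
		{APIVersion: "v1", Kind: "Pod", Namespace: "team-a", Name: "web"},
		{APIVersion: "v1", Kind: "Pod", Namespace: "team-a", Name: "worker"},
		{APIVersion: "v1", Kind: "Pod", Namespace: "team-b", Name: "api"},
		{APIVersion: "v1", Kind: "Namespace", Name: "prod"},
	}
	var evals []Evaluation
	for _, p := range policies {
		for _, res := range resources {
			e := Evaluation{Policy: p, Resource: res, Accepted: true}
			if p == "no-privileged-containers" && res.Name == "worker" { // constructed violation
				e.Accepted, e.Message = false, "privileged container is not allowed"
			}
			evals = append(evals, e)
		}
	}
	return evals
}

func main() {
	reports := BuildReports(SampleEvaluations())
	keys := make([]string, 0, len(reports))
	for k := range reports {
		keys = append(keys, k)
	}
	sort.Strings(keys) // "" (cluster report) sorts first
	for _, k := range keys {
		out, _ := json.MarshalIndent(reports[k], "", "  ")
		fmt.Printf("%s with %d entries:\n%s\n", reports[k].Kind, len(reports[k].Results), out)
	}
}
```

Running it with `go run` prints three objects: a ClusterPolicyReport with 3 entries and PolicyReports for team-a (6 entries, one `fail`) and team-b (3 entries). The per-report size is always resources-in-scope times policies, which is the 999 x 6 upper bound from the comment when everything lives in one scope, and several much smaller reports when workloads are spread across namespaces.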

flavio commented 2 years ago

I've made a round of final adjustments. I think we can go ahead and merge the PR once the last open question is addressed.