kubewarden / rfc

Kubewarden's RFCs
https://github.com/kubewarden/

RFC: Compliance audit checks #8

Closed flavio closed 2 years ago

flavio commented 2 years ago

Currently Kubewarden can be used to evaluate Kubernetes resources only when a relevant operation happens: creation, update, deletion of the resource.

Policies evolve over time; more policies can be added or they can be redeployed with different settings. As a result of that, a Kubernetes resource that was marked as valid even a couple of hours ago, could be instead rejected later on because of a policy change.

We want to implement a background check that inspects all the resources that are already present inside of the cluster and flags all the ones that are violating at least one of the currently enforced policies.

The cluster operators can then instruct alerts (maybe via a Prometheus integration) to be notified when an existing resource is flagged in such a way.

We can take a look at what Kyverno and Gatekeeper are currently doing to solve this problem.
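The background check described in this proposal, modelled as an added example (constructed here, not Kubewarden's own code): a set of resources that were admitted under one version of the policies is re-evaluated later, after one policy was redeployed with stricter settings, and every resource that now violates at least one enforced policy is flagged. The policy functions, the resource samples and the `audit_policy_violation` metric name are all assumptions made for the example, and the Prometheus exposition lines stand in for whatever integration the RFC settles on.

```python
"""Constructed model of a background compliance audit (added example, not
Kubewarden code): every resource already in the cluster is re-evaluated
against the policies currently enforced, and violators are flagged."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Policy:
    name: str
    settings: dict
    # evaluate(resource, settings) -> violation messages (empty list = compliant)
    evaluate: Callable[[dict, dict], List[str]]


def require_labels(resource: dict, settings: dict) -> List[str]:
    """Hypothetical policy: flag resources missing any label in settings["labels"]."""
    present = resource["metadata"].get("labels", {})
    return [f"missing label {name!r}" for name in settings["labels"] if name not in present]


def no_privileged(resource: dict, settings: dict) -> List[str]:
    """Hypothetical policy: flag Pods running any privileged container."""
    if resource["kind"] != "Pod":
        return []
    return [
        f"container {c['name']!r} is privileged"
        for c in resource["spec"].get("containers", [])
        if c.get("securityContext", {}).get("privileged", False)
    ]


def resource_id(resource: dict) -> str:
    meta = resource["metadata"]
    return f"{meta['namespace']}/{resource['kind']}/{meta['name']}"


def audit(resources: List[dict], policies: List[Policy]) -> Dict[str, List[str]]:
    """Background check: evaluate every existing resource against every enforced
    policy. Returns {resource id: ["policy: violation", ...]} holding only the
    resources that violate at least one policy."""
    findings: Dict[str, List[str]] = {}
    for resource in resources:
        violations = [
            f"{policy.name}: {msg}"
            for policy in policies
            for msg in policy.evaluate(resource, policy.settings)
        ]
        if violations:
            findings[resource_id(resource)] = violations
    return findings


def prometheus_lines(findings: Dict[str, List[str]]) -> List[str]:
    """Render findings as gauge samples; the metric name is an assumption."""
    lines = []
    for rid, violations in sorted(findings.items()):
        ns, kind, name = rid.split("/")
        for violation in violations:
            policy = violation.split(":", 1)[0]
            lines.append(
                f'audit_policy_violation{{namespace="{ns}",kind="{kind}",'
                f'name="{name}",policy="{policy}"}} 1'
            )
    return lines


# Constructed sample of resources already present in the cluster.
EXISTING_RESOURCES = [
    {"kind": "Pod", "metadata": {"namespace": "default", "name": "web", "labels": {"team": "a"}},
     "spec": {"containers": [{"name": "nginx"}]}},
    {"kind": "Pod", "metadata": {"namespace": "tools", "name": "debug", "labels": {"team": "ops"}},
     "spec": {"containers": [{"name": "shell", "securityContext": {"privileged": True}}]}},
    {"kind": "Deployment", "metadata": {"namespace": "default", "name": "api", "labels": {"team": "a"}},
     "spec": {}},
]

# Policies as enforced when the resources were admitted ...
POLICIES_V1 = [Policy("require-labels", {"labels": ["team"]}, require_labels),
               Policy("no-privileged", {}, no_privileged)]
# ... and after require-labels was redeployed with stricter settings.
POLICIES_V2 = [Policy("require-labels", {"labels": ["team", "owner"]}, require_labels),
               Policy("no-privileged", {}, no_privileged)]

if __name__ == "__main__":
    for label, policies in (("at admission", POLICIES_V1), ("after policy change", POLICIES_V2)):
        findings = audit(EXISTING_RESOURCES, policies)
        print(f"{label}: {len(findings)} non-compliant resource(s)")
        for line in prometheus_lines(findings):
            print(" ", line)
```

Run as a script it prints one flagged resource under the original policies (the privileged `debug` Pod) and three under the redeployed ones, which is exactly the drift the RFC wants surfaced: nothing about the resources changed, only the enforced policies did. Keying findings by namespace/kind/name keeps the output suitable for a gauge an operator can alert on.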

jvanz commented 2 years ago

Some related links:

jvanz commented 2 years ago

Adding @flavio in the assignees because he is working on this as well.