Integration of Policy-based Rules for Resource Validation in Kyma Dashboard

[valentinvieriu]

Decision log

Name	Description
Title	Integration of Policy-based Rules for Resource Validation in Kyma Dashboard
Due date	2024-02-14
Status	Proposed on 2024-02-14
Decision type	Binary
Affected decisions	None

Decision Record: Policy-based Rules Integration for Kyma Cluster Scanning and Guidance

Decision Log

Name	Description
Title	Implementing Policy-based Rules for Kyma Cluster Scanning and Guidance
Due date	2024-03-31
Status	Proposed on 2024-02-14
Decision type	Binary
Affected decisions	None

Context

Kyma Dashboard currently has an unreleased feature, Scan My Cluster, that uses Policy-based rules imported from Datree and custom rules to scan the Kyma cluster and provide guidance on which Kubernetes resources are not following the selected rules. This feature allows for dynamic deployment of rules along with any Kyma module, enabling users to customize the scanning and guidance process based on their specific requirements.

The choice of Datree's solution was motivated by their extensive range of open-source built-in policies and the ease with which JSON Schema can be consumed on the frontend, aligning with the declarative language of Kubernetes resources.

The purpose of this decision is to determine whether to finish the implementation of this feature for Kyma Dashboard and plan to use the same mechanics for the upcoming Kyma Companion AI feature.

Decision

The decision is to proceed with the implementation of the Policy-based Rules Integration for Scan My Cluster feature for Kyma Dashboard and plan to use the same mechanics for the Kyma Companion AI feature. This decision involves:

• Selecting relevant rules from Datree
• Defining custom rules specific to the Kyma ecosystem
• Establishing a mechanism for dynamically deploying these rules alongside Kyma Modules

The integration aims to provide users with actionable feedback on resource configurations that do not align with selected rules, thereby facilitating compliance with best practices and organizational standards.

Consequences

Advantages:

• Provides a comprehensive and customizable solution for scanning and guiding Kyma cluster configurations based on user-defined rules.
• Allows for dynamic deployment of rules, enabling users to tailor the scanning and guidance process to their specific needs.
• Leverages a consistent approach for both Kyma Dashboard and Kyma Companion AI and other tools and internal automation, streamlining the development and maintenance efforts.
• Enhances the overall usability and functionality of Kyma, empowering users to manage their clusters more effectively.
• Enables adherence to best practices, improved security and compliance, and a more robust and reliable Kyma environment.
• Facilitates proactive rectification of configuration issues, reducing the risk of runtime errors or security vulnerabilities.

Disadvantages:

• Introduces potential complexity in managing and maintaining the rules and their associated logic across different Kyma components.
• Involves challenges such as continuous maintenance of the rule set, potential performance impacts during resource scanning, and the requirement for user education on interpreting and acting upon the provided guidance.

[pbochynski]

I am ok with the policy based rules, but without hard dependency to Datree project (as it seems to be not actively maintained)

[valentinvieriu]

Thank you for the confirmation. By silent agreement, this decision record is approved.

• We move forward with rolling out our Scan My Cluster feature using the Policy-based rules imported from Datree.
• We promote this feature internally only, to our module and encourage them to bring their own relevant rules so that we can determine when best practices are not being followed.
• This feature will not be communicated to the outside world so we allow ourselves the option to change the technology stack without breaking changes