rode / enforcer-k8s

Apache License 2.0

should we avoid re-evaluating the same resource multiple times? #16

Open mrparkers opened 3 years ago

mrparkers commented 3 years ago

When admitting a pod or other resource, should we query Rode to see if that particular resource URI has already passed evaluation? Doing this could give us some performance gains and help avoid a situation where we store a bunch of meaningless resource evaluation data within Rode.

ChrisSchreiber commented 3 years ago

I think there is a possible use case where we would want to re-evaluate. For example, if you want to enforce that containers with critical vulnerabilities never get deployed, even if they were previously deployed.

I also think this could be something we handle in the evaluate policy API call by passing a flag like reevaluate-policy=always|never and letting evaluate policy check for previous evaluation results.

alexashley commented 3 years ago

I think that even with a cache, it's possible that we'll see duplicate evaluations anyway.

For instance, a new version rollout could cause N pods to come up at once. If there hasn't been a previous evaluation for that image, it's likely that N evaluations would be requested.

If it's important to prevent duplicates, Rode could lock a resource at the start of an evaluation and have other requests poll for the lock status and just return the result. Depending on how expensive an evaluation is, that's likely overkill.
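The two mechanisms discussed in this thread, a reevaluate-policy=always|never flag and a per-resource lock so that concurrent requests for the same resource URI share one evaluation instead of each starting their own, sketched together as an added, self-contained Go example. This is not Rode's or enforcer-k8s's code: the names (Cache, Evaluate, ReevaluatePolicy, FakeScanner, Rollout), the in-memory map standing in for Rode's stored evaluation results, and the image reference are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// ReevaluatePolicy models the reevaluate-policy=always|never flag floated in
// the thread. Hypothetical: this is not Rode's API.
type ReevaluatePolicy int

const (
	ReevaluateNever  ReevaluatePolicy = iota // reuse a stored result if one exists
	ReevaluateAlways                         // run the evaluation again
)

// Result is the stored outcome of one evaluation of a resource URI.
type Result struct{ Pass bool }

// Evaluator runs the expensive policy evaluation (in reality a call to Rode).
type Evaluator func(resourceURI string) Result

// Cache stores the last result per resource URI and coalesces concurrent
// requests for the same URI onto a single in-flight evaluation.
type Cache struct {
	mu       sync.Mutex
	results  map[string]Result
	inflight map[string]chan struct{} // per-URI lock; closed when the evaluation ends
	eval     Evaluator
	evals    int // number of evaluations that actually ran
}

func NewCache(eval Evaluator) *Cache {
	return &Cache{results: map[string]Result{}, inflight: map[string]chan struct{}{}, eval: eval}
}

// EvalCount reports how many evaluations really ran (the number the thread wants low).
func (c *Cache) EvalCount() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.evals
}

// Evaluate returns a result for uri. With ReevaluateNever a stored result is
// returned at once. Otherwise one caller takes the per-URI lock and runs the
// evaluation; concurrent callers for the same URI wait and reuse its result.
func (c *Cache) Evaluate(uri string, policy ReevaluatePolicy) Result {
	c.mu.Lock()
	if r, ok := c.results[uri]; ok && policy == ReevaluateNever {
		c.mu.Unlock()
		return r
	}
	if done, ok := c.inflight[uri]; ok {
		c.mu.Unlock()
		<-done // wait for the lock holder; its result is stored before done closes
		c.mu.Lock()
		r := c.results[uri]
		c.mu.Unlock()
		return r
	}
	done := make(chan struct{})
	c.inflight[uri] = done
	c.evals++
	c.mu.Unlock()

	r := c.eval(uri) // the expensive part runs without holding the mutex

	c.mu.Lock()
	c.results[uri] = r
	delete(c.inflight, uri)
	c.mu.Unlock()
	close(done) // release the waiters
	return r
}

// FakeScanner stands in for the vulnerability data behind a policy. An image
// can be marked critical after it already passed, which is exactly the case
// where a stored verdict goes stale. Constructed for this example.
type FakeScanner struct {
	mu       sync.Mutex
	critical map[string]bool
	delay    time.Duration // simulated evaluation cost
}

func NewFakeScanner(delay time.Duration) *FakeScanner {
	return &FakeScanner{critical: map[string]bool{}, delay: delay}
}

func (s *FakeScanner) MarkCritical(uri string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.critical[uri] = true
}

// Evaluate passes any image without a known critical vulnerability.
func (s *FakeScanner) Evaluate(uri string) Result {
	time.Sleep(s.delay)
	s.mu.Lock()
	defer s.mu.Unlock()
	return Result{Pass: !s.critical[uri]}
}

// Rollout simulates n pods of one image being admitted at the same time.
func Rollout(c *Cache, uri string, n int, policy ReevaluatePolicy) []Result {
	out := make([]Result, n)
	var wg sync.WaitGroup
	for i := range out {
		wg.Add(1)
		go func(i int) { defer wg.Done(); out[i] = c.Evaluate(uri, policy) }(i)
	}
	wg.Wait()
	return out
}

func main() {
	const image = "registry.example.com/app@sha256:0123abcd" // constructed reference
	scanner := NewFakeScanner(50 * time.Millisecond)
	cache := NewCache(scanner.Evaluate)
	Rollout(cache, image, 20, ReevaluateNever)
	fmt.Printf("20 pods admitted, evaluations run: %d\n", cache.EvalCount())
	scanner.MarkCritical(image) // a new finding lands after the image was admitted
	fmt.Printf("never:  pass=%v (stale)\n", cache.Evaluate(image, ReevaluateNever).Pass)
	fmt.Printf("always: pass=%v, evaluations run: %d\n",
		cache.Evaluate(image, ReevaluateAlways).Pass, cache.EvalCount())
}
```

The rollout of 20 pods produces one evaluation, which is the duplicate problem from the thread handled by the per-URI lock rather than by the cache alone. The second half shows the cost of "never": once a critical vulnerability is recorded against an already-admitted image, the stored pass keeps admitting it until someone asks for "always", so a deployment that wants the "never deploy critical vulnerabilities" guarantee also needs to invalidate stored results when the policy or the underlying vulnerability data changes. Note too that this lock lives in one process; with several Rode or enforcer replicas the lock and the stored results would have to sit in shared storage to coalesce anything.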