-
Notifications
You must be signed in to change notification settings - Fork 23
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #264 from jhkrug/refresh/audit-scanner
Review and refresh of audit scanner overview documents.
- Loading branch information
Showing
3 changed files
with
124 additions
and
138 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,89 +1,78 @@ | ||
--- | ||
sidebar_label: "What's it?" | ||
title: "Audit Scanner" | ||
sidebar_label: "What is the Audit Scanner?" | ||
title: "What is the Audit Scanner?" | ||
description: An overview of the Kubewarden Audit Scanner. | ||
keywords: [kubewarden, audit scanner, kubernetes] | ||
--- | ||
|
||
# Audit Scanner | ||
|
||
:::note | ||
|
||
The Audit Scanner feature is available starting from Kubewarden 1.7.0 release | ||
|
||
::: | ||
|
||
A component, called `audit-scanner`, constantly checks the | ||
resources declared in the cluster, flagging the ones that do not adhere with | ||
the deployed Kubewarden policies. | ||
|
||
Policies evolve over time: new ones are deployed and the existing ones can be | ||
updated, both in terms of version and configuration settings. This can lead to | ||
situations where resources already inside of the cluster are no longer | ||
compliant. The audit scanner feature provides Kubernetes administrators with a | ||
tool to consistently verify the compliance state of their clusters. | ||
|
||
To illustrate the usage of the audit scanner in Kubewarden, let's consider the | ||
following scenario. | ||
|
||
Assume Bob is deploying a Wordpress Pod inside of the cluster. He's new to | ||
Kubernetes, hence he makes a mistake and deploys this Pod running as a | ||
privileged container. Since there's no policy preventing that, the Pod is | ||
successfully created inside of the cluster. | ||
|
||
Some days later, Alice, the Kubernetes administrator, enforces a Kubewarden | ||
policy that prohibits the creation of privileged containers. The Pod deployed | ||
by Bob keeps running inside of the cluster. | ||
|
||
However, thanks to the report generated by the audit scanner, Alice can | ||
quickly identify all the workloads that are violating her policies; including | ||
the Wordpress Pod created by Bob. | ||
|
||
To make that happens, audit scanner get all resources that should be audited, | ||
build a fake admission request with the resource's data and send it to the | ||
policy server in a different endpoint exclusively used to audit requests. | ||
However, for the policy evaluating the request, there is no differences from a | ||
real or an audit request. The data received are the same. Furthermore, this | ||
policy server endpoint is instrumented to collect data of the evaluation as | ||
the one used to validate request from the control plane. Therefore, users can | ||
use their monitoring tools analyze this data as well. | ||
The `audit-scanner` component constantly checks resources in the cluster. | ||
It flags the ones that don't adhere with the Kubewarden policies deployed in the cluster. | ||
|
||
Policies evolve over time. | ||
New ones are deployed, existing ones are updated. | ||
Versions and configuration settings change. | ||
This can lead to situations where resources already inside the cluster are no longer compliant. | ||
The audit scanning feature provides Kubernetes administrators with a tool that constantly verifies the compliance state of their clusters. | ||
|
||
To explain the use of the audit scanner in Kubewarden, consider the following scenario. | ||
|
||
Assume Bob is deploying a WordPress Pod in the cluster. | ||
Bob is new to Kubernetes, makes a mistake and deploys the Pod running as a privileged container. | ||
At this point there's no policy preventing that so the Pod is | ||
successfully created in the cluster. | ||
|
||
Some days later, Alice, the Kubernetes administrator, enforces a Kubewarden policy that prohibits the creation of privileged containers. | ||
The Pod deployed by Bob keeps running in the cluster as it already exists. | ||
|
||
A report generated by the audit scanner lets Alice identify all the workloads that are violating creation policies. | ||
This includes the WordPress Pod created by Bob. | ||
|
||
The audit scanner operates by: | ||
|
||
- identifying all the resources to audit | ||
- for each it builds a synthetic admission request with the resource's data | ||
- it sends each admission request to a policy server endpoint which is only for audit requests | ||
|
||
For the policy evaluating the request, | ||
there are no differences between real or audit requests. | ||
The data received is the same. | ||
This auditing policy server endpoint has instrumentation to collect data of the evaluation. | ||
So, users can use their monitoring tools analyze audit scanner data. | ||
|
||
## Enable audit scanner | ||
|
||
As stated before, the audit scanner feature can be enabled starting from the | ||
Kubewarden 1.7.0 release. | ||
You can enable the audit scanner starting from the Kubewarden 1.7.0 release. | ||
|
||
Detailed installation instructions can be found | ||
[here](../howtos/audit-scanner). | ||
Detailed installation instructions are in the | ||
[audit scanner How-to](../howtos/audit-scanner). | ||
|
||
## Policies | ||
|
||
By default, every policy is evaluated by the audit scanner. Operators that want | ||
to skip a policy evaluation in the Audit scanner should set the | ||
`spec.backgroundAudit` field to `false` inside of the policy definition. | ||
Furthermore, policies in Kubewarden now support two optional annotations: | ||
`io.kubewarden.policy.severity` and `io.kubewarden.policy.category`: | ||
By default, the audit scanner evaluates every policy. | ||
Operators that want to skip a policy evaluation in the audit scanner must set the `spec.backgroundAudit` field to `false` in the policy definition. | ||
|
||
- The `io.kubewarden.policy.severity` annotation allows you to specify the | ||
severity level of the policy violation, such as `critical`, `high`, `medium`, | ||
`low` or `info`. | ||
- The `io.kubewarden.policy.category` annotation allows you to categorize the | ||
policy based on a specific domain or purpose, such as `PSP`, `compliance`, or | ||
`performance`. | ||
Also, policies in Kubewarden now support two optional annotations: | ||
|
||
See the policy authors [docs](../../writing-policies/index.md) for more info. | ||
- The `io.kubewarden.policy.severity` annotation lets you specify the severity level of the policy violation, such as `critical`, `high`, `medium`, `low` or `info`. | ||
- The `io.kubewarden.policy.category` annotation lets you categorize the policy based on a specific domain or purpose, such as `PSP`, `compliance`, or `performance`. | ||
|
||
See the policy authors [documentation](../../writing-policies/index.md) for more information. | ||
|
||
## Permissions and ServiceAccounts | ||
|
||
The audit scanner in Kubernetes requires specific RBAC configurations to be | ||
able to scan Kubernetes resources and save the results. A correct default Service | ||
Account with those permissions is created during the installation. But the user | ||
can provide their own ServiceAccount to fine tune access to resources. | ||
|
||
The default audit scanner `ServiceAccount` is bound to the `view` `ClusterRole` | ||
provided by Kubernetes. This `ClusterRole` allows read-only access to a wide | ||
range of Kubernetes resources within a namespace. You can find more details | ||
about this role in the [Kubernetes | ||
documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles). | ||
|
||
In addition, the audit scanner is also bound to a `ClusterRole` that grants | ||
read access to Kubewarden resource types and read-write access to the | ||
`PolicyReport` [CRDs](policy-reports.md). These permissions enable the scanner | ||
to fetch resources for conducting audit evaluations and create policy reports | ||
based on the evaluation results. | ||
The audit scanner in Kubernetes requires specific Role Based Access Control (RBAC) configurations to be able to scan Kubernetes resources and save the results. | ||
A correct default Service Account with those permissions is created during the installation. | ||
The user can create and configure their own ServiceAccount to fine tune access to resources. | ||
|
||
The default audit scanner `ServiceAccount` is bound to the `view` `ClusterRole` provided by Kubernetes. | ||
This `ClusterRole` allows read-only access to a wide range of Kubernetes resources within a namespace. | ||
You can find more details about this role in the [Kubernetes documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles). | ||
|
||
Also, the audit scanner is bound to a `ClusterRole` that grants read access to Kubewarden resource types and read-write access to the `PolicyReport` [CRDs](policy-reports.md). | ||
These permissions let the scanner fetch resources for conducting audit evaluations and creating policy reports based on the evaluation results. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters