Skip to content
Merged
Changes from 4 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 38 additions & 7 deletions docs/rfc/0008_node_scan.md
Original file line number Diff line number Diff line change
Expand Up @@ -56,10 +56,15 @@ are considered for scanning. If not specified, all the nodes are going to be sca
The `NodeScanConfiguration` is primarily used to schedule periodic scans over time
through the `scanInterval` attribute.

To trigger an immediate scan outside the regular interval, the user can annotate
the `NodeScanConfiguration` resource with `sbomscanner.kubewarden.io/node-rescan-requested: "true"`.
This will trigger a new scan immediately, and the annotation will be automatically
removed after the scan is completed.
To trigger an immediate scan outside the regular interval,
the user can annotate the `NodeScanConfiguration` resource with
`sbomscanner.kubewarden.io/node-rescan-requested: "true"`.
This bypasses the `scanInterval` timer and schedules a new `NodeScanJob`
for every node matched by the `nodeSelector`
(or every node in the cluster if no selector is set).
Nodes that already have a `NodeScanJob` in progress are skipped
so an in-flight scan is never duplicated.
The annotation is automatically removed once the corresponding `NodeScanJob` resources have been created.
Comment thread
fabriziosestito marked this conversation as resolved.
Outdated

Please, note that `NodeScanConfiguration` is a singleton resource,
meaning that there can be only one instance of it in the cluster.
Expand All @@ -69,12 +74,29 @@ meaning that there can be only one instance of it in the cluster.
For this feature we are going to add the following CRDs:

* `NodeScanConfiguration`: Defines the global scan settings.
* `enabled`: Controls whether node scanning is active.
Defaults to `true`.
When set to `false`, all node scan resources are cleaned up,
similarly to what happens when the `NodeScanConfiguration` is deleted.
* `scanInterval`: Duration between automated scans.
* `nodeSelector`: Filter which nodes are scanned.
If not specified, all the nodes are scanned.
* `skipPatterns`: A list of file/directory paths to be ignored.
This can be expressed as .gitignore-like patterns (eg. `**/tmp/**` to ignore all the `tmp` directories).
Comment thread
fabriziosestito marked this conversation as resolved.
Outdated
If not specified, no file is ignored.
If the field is left unset, a default list of container-runtime state directories is applied so that
OCI image content already covered by registry scanning is not rescanned as raw files on disk.
The defaults are:
* `/var/lib/containerd/`
* `/var/lib/docker/`
* `/var/lib/rancher/k3s/agent/containerd/`
* `/var/lib/rancher/rke2/agent/containerd/`
* `/var/lib/containers/`
* `/run/containerd/`
* `/run/k3s/containerd/`

A user-supplied list replaces the defaults entirely; there is no merging.
To scan everything (including the paths above), set `skipPatterns: []` explicitly.
An empty list is preserved by the apiserver and disables the defaults.
Comment thread
fabriziosestito marked this conversation as resolved.
Outdated
Here's an example of how to use the `skipPatterns` field:
```yaml
# Gitignore-style patterns to exclude from filesystem scans.
Expand Down Expand Up @@ -241,6 +263,15 @@ Garbage collection is crucial to prevent resource orphaning and to maintain a cl

[drawbacks]: #drawbacks

Mounting the host filesystem into a container bridges the isolation boundary and
introduces significant risk. To mitigate potential host compromise, the `DaemonSet`
Mounting the host filesystem into a container bridges the isolation boundary and
introduces significant risk. To mitigate potential host compromise, the `DaemonSet`
must mount the host root filesystem as `readOnly: true`.

The worker container also needs the `CAP_DAC_READ_SEARCH` Linux capability
(all other capabilities are dropped).
Comment thread
fabriziosestito marked this conversation as resolved.
Outdated
This capability lets the scanner bypass discretionary access-control read and
directory-search checks so that Trivy can walk the entire host filesystem.
Comment thread
fabriziosestito marked this conversation as resolved.

A further drawback is that the `DaemonSet` runs continuously on every matching node,
even though the worker only performs actual work when it receives a scan job.
In future development we can consider a mechanism to run the pod only while a scan is in progress.
Loading