I was wondering if it would be possible to delete S3 objects when the corresponding PolicyReport in Kubernetes is removed. I don't have much experience with Go, but I'm willing to contribute if pointed in the right direction.
From looking at the code, I think it shouldn't be too difficult. Maybe changing the S3 key so that the JSON file name is the PolicyReport UID? This would ensure uniqueness, correct? Then, we could create a Delete() function that triggers when the PolicyReport is deleted.
However, I'm not sure how the application currently uploads objects to S3 automatically when a new PolicyReport is created, so I don't know how to hook into the deletion process. Would this be a suitable feature? For us, it's essential because we want to reflect the cluster's vulnerability state accurately. Our goal is to store vulnerabilities in S3 and ingest them into a visualization service.
Also, I was able to run the application locally, but for some reason, it doesn’t pick up my S3 configuration from config.yaml. It only works when running in Kubernetes. I tried setting the access keys as environment variables and directly in config.yaml, but neither worked.
Any guidance would be greatly appreciated. Thanks in advance!
Hey, I will need to take a deeper look at this, but let me summarize the challenge for this functionality.
Currently the S3 target does not persist a complete PolicyReport; it persists the PolicyReportResults within the PolicyReport.
A PolicyReport (in Kyverno) is removed when, e.g., the related resource was deleted, but a single PolicyReportResult can also be removed when a resource changed or the policy was removed. Currently we only know when a new result is added; we do not always know when a result was removed, especially when, in between, Policy Reporter restarted, because we do not sync the complete state but rather persist violations that happened after Policy Reporter started.
So what is your concrete use case: do you want to reflect the complete state of your cluster in S3, and do you want to have one entry per PolicyReport rather than per PolicyReportResult?
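The two posts above sketch a design (key S3 objects by the PolicyReport UID so they can be deleted together) and a complication (results removed while Policy Reporter was down are never observed, so event-driven deletes alone cannot keep the bucket in sync). The following Go program is an added illustration of both ideas and is not Policy Reporter's code: the `ObjectStore` interface, the in-memory store, the trimmed `Result` type and the `policy-reporter` prefix are all assumptions, chosen so the example runs offline without an S3 client. `OnReportDeleted` is the event-driven path; `Reconcile` is the periodic full-state sync that closes the restart gap by deleting every stored object whose report UID no longer exists in the cluster.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ObjectStore is the minimal object-storage surface this sketch needs.
// A real implementation would wrap the S3 client; memStore below is a
// constructed stand-in so the example runs offline.
type ObjectStore interface {
	Put(key string, body []byte) error
	Delete(key string) error
	ListPrefix(prefix string) ([]string, error)
}

type memStore struct{ objects map[string][]byte }

func newMemStore() *memStore { return &memStore{objects: map[string][]byte{}} }

func (m *memStore) Put(key string, body []byte) error { m.objects[key] = body; return nil }
func (m *memStore) Delete(key string) error           { delete(m.objects, key); return nil }
func (m *memStore) ListPrefix(prefix string) ([]string, error) {
	var keys []string
	for k := range m.objects {
		if strings.HasPrefix(k, prefix) {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys) // deterministic order for callers and tests
	return keys, nil
}

// Result is a hypothetical, trimmed view of a PolicyReportResult.
type Result struct {
	ReportUID string // metadata.uid of the owning PolicyReport (unique per object)
	Policy    string
	Rule      string
	Resource  string // namespace/kind/name of the checked resource
}

// ObjectKey puts every result under a prefix derived from the owning report's
// UID, so all objects of one PolicyReport can be listed and removed together.
// Slashes in the resource path are flattened so they do not create sub-prefixes.
func ObjectKey(prefix string, r Result) string {
	res := strings.ReplaceAll(r.Resource, "/", "_")
	return fmt.Sprintf("%s/%s/%s-%s-%s.json", strings.TrimSuffix(prefix, "/"), r.ReportUID, r.Policy, r.Rule, res)
}

// OnReportDeleted is the event-driven path: on a PolicyReport delete event,
// remove every stored object under that report's UID. Returns the count removed.
func OnReportDeleted(store ObjectStore, prefix, reportUID string) (int, error) {
	keys, err := store.ListPrefix(strings.TrimSuffix(prefix, "/") + "/" + reportUID + "/")
	if err != nil {
		return 0, err
	}
	for _, k := range keys {
		if err := store.Delete(k); err != nil {
			return 0, err
		}
	}
	return len(keys), nil
}

// Reconcile is the full-state sync that covers deletions missed during a
// restart: given the UIDs of PolicyReports that exist in the cluster right now,
// it deletes every stored object whose report is gone and returns those keys.
func Reconcile(store ObjectStore, prefix string, liveUIDs map[string]bool) ([]string, error) {
	root := strings.TrimSuffix(prefix, "/") + "/"
	keys, err := store.ListPrefix(root)
	if err != nil {
		return nil, err
	}
	var removed []string
	for _, k := range keys {
		uid, _, ok := strings.Cut(strings.TrimPrefix(k, root), "/")
		if !ok || liveUIDs[uid] {
			continue // malformed key or report still exists: keep it
		}
		if err := store.Delete(k); err != nil {
			return removed, err
		}
		removed = append(removed, k)
	}
	return removed, nil
}

func main() {
	store := newMemStore()
	// Constructed sample results: two from report uid-a, one from uid-b.
	for _, r := range []Result{
		{"uid-a", "disallow-latest", "validate-tag", "default/Pod/web"},
		{"uid-a", "require-labels", "check-team", "default/Pod/web"},
		{"uid-b", "disallow-latest", "validate-tag", "default/Pod/db"},
	} {
		_ = store.Put(ObjectKey("policy-reporter", r), []byte(`{"result":"fail"}`))
	}
	n, _ := OnReportDeleted(store, "policy-reporter", "uid-a")
	fmt.Println("removed on delete event:", n)
	removed, _ := Reconcile(store, "policy-reporter", map[string]bool{"uid-c": true})
	fmt.Println("removed on reconcile:", removed)
}
```

A reconcile pass needs list permission on the bucket prefix in addition to put/delete, and it should run once at startup and then on a timer; the delete handler alone, as the maintainer notes, only sees what happens while the process is up.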