Audit Scanner
Beginning with version v1.7.0, SUSE Security Admission Controller has a new feature called "Audit
Scanner". A new component, called "audit-scanner", constantly checks the
resources declared in the cluster, flagging the ones that don’t adhere with the
deployed SUSE Security Admission Controller policies and saving these results into specific report
Custom Resources.
Policies evolve over the time: you deploy new policies and update existing policies. Both version and configuration settings change. This can lead to situations where resources already in the cluster are no longer compliant.
The audit scanner feature provides Kubernetes administrators with a tool to consistently verify the compliance state of their clusters.
Installation
The audit scanner component is available since Admission Controller v1.7.0.
Therefore, make sure you are installing the Helm chart with app version
v1.7.0 or higher.
-
Install the
kubewarden-crdsHelm chart. The chart installs the neededPolicyReportCRDs by default.helm install kubewarden-crds kubewarden/kubewarden-crdsTo store the results of policy reports, you need to have the PolicyReport Custom Resource Definitions (CRDs) available. If the necessary PolicyReport CRDs are already in the cluster, you can’t install them using the kubewarden-crds chart. In that case, you can disable the installation of PolicyReport CRDs by setting
installPolicyReportCRDstofalsein the chart. This means that the Kubewarden stack won’t manage those CRDs, and the responsibility is the administrators.+ See more information about the CRDs at the policy work group repository
-
Install the
kubewarden-controllerHelm chart.helm install kubewarden-controller kubewarden/kubewarden-controllerThe audit scanner is enabled by default. To disable it, set the
auditScanner.enable=false.
|
If you want Audit Scanner to save its reports in OpenReports CRDs
instead of the default (yet marked as deprecated) PolicyReports CRDs,
set |
For more information about the installation of Admission Controller see the Quick Start guide
By default, the Audit Scanner implementation is as a Cronjob triggered every 60 minutes. You can adjust this and other audit scanner settings by changing the kubewarden-controller chart values.yaml.
See here more information about the Audit Scanner.
Policy Reporter UI (optional)
The kubewarden-controller chart comes with a subchart of the
Policy Reporter. It’s disabled by
default, and enabled by setting auditScanner.policyReporter=true. The Policy
Reporter subchart values are under the policyReporter key of the
kubewarden-controller values.
This installs only part of the Policy Reporter upstream chart, the UI, which provides a visualization of the PolicyReports and ClusterPolicyReports in a cluster. See Audit Scanner for more information about the Policy Reporter UI.
By default, the Policy Reporter UI is only exposed as a ClusterIP service with
name kubewarden-controller-ui in the installation namespace of
kubewarden-controller chart was installed.
Ingress
Users can provide their own Ingress configuration, or enable an Ingress via the subchart configuration here.
See this example of an Ingress configuration via the subchart:
auditScanner:
policyReporter: true
policy-reporter: # subchart values settings
ui:
enabled: true
ingress:
enabled: true
hosts:
- host: "*.local" # change this to your appropriate domain
paths:
- path: /
pathType: ImplementationSpecificTrigger manual run
Implementation of the audit scanner is as a Cronjob that runs every 60 minutes by default. It’s possible to trigger a manual run by running the following command:
kubectl create job \
--namespace kubewarden \
--from cronjob/audit-scanner \
audit-scanner-manual-$(date +%Y-%m-%d-%H-%M-%S)You can check the status of the job with:
kubectl get -n kubewarden jobs