What is the Audit Scanner?
The Audit Scanner feature is available starting from Kubewarden 1.7.0 release |
The audit-scanner
component constantly checks resources in the cluster.
It flags the ones that don’t adhere to the Kubewarden policies deployed in the cluster.
Policies evolve over time. New ones are deployed, existing ones are updated. Versions and configuration settings change. This can lead to situations where resources already inside the cluster are no longer compliant. The audit scanning feature provides Kubernetes administrators with a tool that constantly verifies the compliance state of their clusters.
To explain the use of the audit scanner in Kubewarden, consider the following scenario.
Assume Bob is deploying a WordPress Pod in the cluster. Bob is new to Kubernetes, makes a mistake and deploys the Pod running as a privileged container. At this point, there’s no policy preventing that so the Pod is successfully created in the cluster.
Some days later, Alice, the Kubernetes administrator, enforces a Kubewarden policy that prohibits the creation of privileged containers. The Pod deployed by Bob keeps running in the cluster as it already exists.
A report generated by the audit scanner lets Alice identify all the workloads that are violating creation policies. This includes the WordPress Pod created by Bob.
The audit scanner operates by:
-
identifying all the resources to audit
-
for each resource, it builds a synthetic admission request with the resource’s data
-
it sends each admission request to a policy server endpoint which is only for audit requests
For the policy evaluating the request, there are no differences between real or audit requests. This auditing policy server endpoint has instrumentation to collect data about the evaluation. So, users can use their monitoring tools to analyze audit scanner data.
Enable audit scanner
You can enable the audit scanner starting from the Kubewarden 1.7.0 release.
Detailed installation instructions are in the audit scanner How-to.
Policies
By default, the audit scanner evaluates every policy.
Operators that want to skip a policy evaluation in the audit scanner must set the spec.backgroundAudit
field to false
in the policy definition.
Also, policies in Kubewarden now support two optional annotations:
-
The
io.kubewarden.policy.severity
annotation lets you specify the severity level of the policy violation, such ascritical
,high
,medium
,low
orinfo
. -
The
io.kubewarden.policy.category
annotation lets you categorize the policy based on a specific domain or purpose, such asPSP
,compliance
, orperformance
.
See the policy authors documentation for more information.
Permissions and ServiceAccounts
The audit scanner in Kubewarden requires specific Role Based Access Control (RBAC) configurations to be able to scan Kubernetes resources and save the results. A correct default Service Account with those permissions is created during the installation. The user can create their own ServiceAccount to configure access to resources.
The default audit scanner ServiceAccount
is bound to the view
ClusterRole
provided by Kubernetes.
This ClusterRole
allows read-only access to a wide range of Kubernetes resources within a namespace.
You can find more details about this role in the Kubernetes documentation.
Also, the audit scanner is bound to a ClusterRole
that grants read access to Kubewarden resource types and read-write access to the PolicyReport
CRDs.
These permissions let the scanner fetch resources for conducting audit evaluations and creating policy reports based on the evaluation results.