Audit Scanner
Beginning with version v1.7.0
, Kubewarden has a new feature called "Audit Scanner".
A new component, called "audit-scanner", constantly checks the resources declared in the
cluster, flagging the ones that do not adhere with the deployed Kubewarden policies.
Policies evolve over the time: new ones are deployed and the existing ones can be updated, both in terms of version and configuration settings. This can lead to situations where resources already inside of the cluster are no longer compliant.
The audit scanner feature provides Kubernetes administrators with a tool to consistently verify the compliance state of their clusters.
Installation
The audit scanner component is available since Kubewarden v1.7.0
. Therefore,
make sure you are installing the Helm chart with app version v1.7.0
or
higher.
-
Install the
kubewarden-crds
Helm chart. The chart install the neededPolicyReport
CRDs by default.helm install kubewarden-crds kubewarden/kubewarden-crds
To store the results of policy reports, you need to have the PolicyReport Custom Resource Definitions (CRDs) available. If the necessary PolicyReport CRDs are already in the cluster, you cannot install them using the kubewarden-crds chart. In such case, you can disable the installation of PolicyReport CRDs by setting
installPolicyReportCRDs
tofalse
in the chart. This means that the Kubewarden stack will not manage those CRDs, and the responsibility will be with the administrator.+ See more info about the CRDs at the policy work group repository
-
Install the
kubewarden-controller
Helm chart.helm install kubewarden-controller kubewarden/kubewarden-controller
The audit scanner is enabled by default. If you want to disable it, set the
auditScanner.enable=false
.For more information about the installation of Kubewarden see the Quick Start guide
By default, the Audit Scanner is implemented as a Cronjob that will be triggered every 60 minutes. You can adjust this and other audit scanner settings by changing the kubewarden-controller chart values.yaml.
See here more information about the Audit Scanner.
Policy Reporter UI (optional)
The kubewarden-controller
chart comes with a subchart of the Policy Reporter.
It is disabled by default, and can be enabled by setting auditScanner.policyReporter=true
.
The values of the Policy Reporter subchart are exposed under the policyReporter
key of
the kubewarden-controller
values.
This will install only part of the Policy Reporter upstream chart, the UI, which provides a visualization of the PolicyReports and ClusterPolicyReports in cluster. See here more information about the Policy Reporter UI.
By default, the Policy Reporter UI is only exposed as a ClusterIP service with
name kubewarden-controller-ui
in the namespace where the
kubewarden-controller
chart was installed.
Ingress
Users can provide their own Ingress configuration, or enable an Ingress via the subchart configuration (see the ingress
config of the UI subchart
here).
See this example of an Ingress configuration via the subchart:
auditScanner:
policyReporter: true
policy-reporter: # subchart values settings
ui:
enabled: true
ingress:
enabled: true
hosts:
- host: "*.local" # change this to your appropriate domain
paths:
- path: /
pathType: ImplementationSpecific
Port-forwarding
For a quick look or debugging, one can setup a port-forwarding to the service with:
kubectl port-forward service/kubewarden-controller-ui 8082:8080 -n kubewarden
Which will make the Policy Reporter UI available at http://localhost:8082.
Trigger manual run
The audit scanner is implemented as a Cronjob that runs every 60 minutes by default. It’s possible to trigger a manual run by running the following command:
kubectl create job \
--namespace kubewarden \
--from cronjob/audit-scanner \
audit-scanner-manual-$(date +%Y-%m-%d-%H-%M-%S)
The status of the job can be checked with:
kubectl get -n kubewarden jobs