Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-5810

RHACS: Calling out specific K8s workloads, creating policies around specific workloads.

XMLWordPrintable

    • Icon: Feature Request Feature Request
    • Resolution: Done
    • Icon: Normal Normal
    • None
    • None
    • RHACS
    • False
    • None
    • False
    • Not Selected

      Business Problem:

      Every resource is consumed as a deployment with ACS. CronJobs and Replicasets all show up as a deployment in the console. This is not the correct information for a "Kubernetes-centric" security solution.

      I would recommend adding a flag to the specific workloads run in Kubernetes. This would give users more context about the workloads running and hopefully avoid a significant redesign. 

      Use Cases:

      1. From Nakul: Summarizing the problem for @Mandar and @charmik: If the cron job specifies a digest hash for the image, it will correctly show up and be linked to the deployment. If the cron is allowed to run for a bit (~10s or so), it shows up. However, if the cron runs quickly and finishes (<1s), the deployment is detected, not the image. It doesn't even show up in the image view.
      2. Statefulsets are typically used for stateful workloads and require more visibility from the SecOps team as they tend to be high-priority workloads. By flagging the workload as a statefulset vs. deployment, we can help users prioritize risk more effectively.

      Key Functionality:

      • Configuration management should have a policy highlighting non-default deployments and flagging them accordingly. 
      • Possibility of vet K8s objects against what we have scanned to surface any cronjobs or other k8s objects that the scanner cannot pick up in time.
      • Policy to call out all new CronJobs as high risk.

      Benefits:

      We can claim to support all of the K8s workloads and give more context to each workload since not all deployments are created equally. 

      Acceptance criteria:

      • Risk management callout for specific workloads.
      • Policy to inform on CronJobs, StatefulSets, etc.

      Implementation Suggestions (optional):

      • Integration: [Specify any existing systems or tools that the new feature should integrate with]

       

      • Dependencies: [Describe any dependencies on other 3rd party integrations or OCP components] 

       

      • User Experience: [Provide suggestions for designing the UI to optimize usability. Highlight other relevant aspects of the user experience ]

       

      Timeline:

      [Specify the preferred implementation date or any specific deadlines for the feature implementation]

       

      Please use the following Jira fields to complete this Feature Request

      1. [Jira Field] Summary Required: [Provide a clear and concise name/description for the feature]
      2. [Jira Field] Description:
      3. [Jira Field] Component:
      4. [Jira Field] Priority: [Indicate the importance or urgency of the feature on a scale of High, Medium, or Low]
      1. [Jira Field] Supporting Documentation:
         
      1. [Attach any relevant documents, research, or supporting materials that provide additional context or information]

       

       

            bmichael@redhat.com Boaz Michaely
            mfoster@redhat.com Michael Foster
            Anjali Telang, Boaz Michaely, Doron Caspin, JP Jung, Maria Simon Marcos, Shubha Badve
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: