- Feature
- Resolution: Unresolved
- Critical
- None
CUSTOMER PROBLEM
As a customer with numerous deployments, I want Red Hat ACS to intelligently and reliably establish and maintain an automatically enforced process baseline, so that I can eliminate the time-consuming manual management of process baselines (adding and removing entries, or potentially having to declare them up front).
This should also account for upcoming AI workloads. If AI models are run in Kubernetes, the process baseline must be exceptionally reliable to ensure predictable and secure operation.
While several customers have expressed interest in Declarative Process Baselining within ACS, we don't believe it's the optimal path forward. Instead, we propose an alternative approach: investigating the use of tools like SBOMs (Software Bills of Materials) or artifact components to intelligently define baselines.
The primary challenges with a declarative approach to process baselining include:
- Extensive bookkeeping: It demands significant administrative overhead.
- Deep application knowledge: Users need a comprehensive understanding of their applications.
- Application ownership: Effective declaration requires direct ownership of the application.
Furthermore, an intelligent, artifact-based baselining solution should be robust enough to convince customers that runtime malware scanning of a running image is not required. By shifting security and verification left, to the build and registry stage, the integrity of the image can be assured and automatically enforced, making expensive and redundant malware scanning at runtime on the container unnecessary.
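To make the SBOM-seeded baseline proposed above concrete, here is an added illustration that is not ACS code or part of this request: a constructed SPDX-style file list yields the set of executables the image ships, and constructed process-exec events are then checked against that set. The image name, file paths, executable directories and event format are all assumptions; a real implementation would also have to resolve symlinks and account for interpreters that run scripts the SBOM lists as text.

```python
import json

# Constructed SPDX 2.x-style document fragment; only the "files" array matters here.
# Neither the image nor its paths are real; they stand in for a scanner's output.
SBOM_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example-image",
    "files": [
        {"fileName": "/usr/sbin/nginx", "fileTypes": ["BINARY"]},
        {"fileName": "/usr/bin/curl", "fileTypes": ["BINARY"]},
        {"fileName": "/usr/lib/x86_64-linux-gnu/libssl.so.3", "fileTypes": ["BINARY"]},
        {"fileName": "/etc/nginx/nginx.conf", "fileTypes": ["TEXT"]},
        {"fileName": "/usr/bin/entrypoint.sh", "fileTypes": ["TEXT"]},
    ],
})

# Constructed process-exec events, shaped like what a runtime sensor might report.
EXEC_EVENTS = [
    {"deployment": "web", "exec_path": "/usr/sbin/nginx", "args": "-g daemon off;"},
    {"deployment": "web", "exec_path": "/usr/bin/curl", "args": "http://localhost/health"},
    {"deployment": "web", "exec_path": "/bin/sh", "args": "-c id"},
    {"deployment": "web", "exec_path": "/tmp/dropped-binary", "args": ""},
]

def baseline_from_sbom(sbom_text, exec_dirs=("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")):
    """Seed a process baseline from an SBOM: BINARY files the image ships in
    directories where executables live (assumed list). Shared libraries are not
    processes, so they fall outside the baseline even though they are BINARY."""
    doc = json.loads(sbom_text)
    baseline = set()
    for f in doc.get("files", []):
        if "BINARY" in f.get("fileTypes", []) and f["fileName"].startswith(exec_dirs):
            baseline.add(f["fileName"])
    return baseline

def evaluate_execs(baseline, events):
    """Return violations: exec events whose executable the SBOM never declared.
    A shell the image does not ship, or a binary written to /tmp at runtime,
    cannot appear in the baseline and is therefore reported."""
    return [
        {"deployment": ev["deployment"], "exec_path": ev["exec_path"],
         "reason": "not in SBOM-derived baseline"}
        for ev in events if ev["exec_path"] not in baseline
    ]

if __name__ == "__main__":
    base = baseline_from_sbom(SBOM_JSON)
    for v in evaluate_execs(base, EXEC_EVENTS):
        print(f"{v['deployment']}: {v['exec_path']} -> {v['reason']}")
```

Note that `/usr/bin/entrypoint.sh` is typed TEXT and so never enters the baseline; whatever interpreter executes it must itself be declared in the SBOM, which is exactly the kind of gap an artifact-based approach has to close before it can replace runtime scanning.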