Red Hat Advanced Cluster Security: ROX-32874

Improvements admission controller configuration

    • Epic
    • Resolution: Unresolved
    • Admission Controller Performance Improvements
    • Quality / Stability / Reliability
    • In Progress
    • ROX-33046 - [ENG] Admission controller improvements
    • 0% To Do, 67% In Progress, 33% Done

      Overview:

      The admission controller webhook is used to enforce deploy-time policies (when enforcement is enabled) and certain runtime policies (those related to user-initiated Kubernetes commands).

      Here is a list of possible optimizations that will be explored:
      1. In 4.9 the admission controller enforcement is enabled by default (to work better with ArgoCD + enforced policies). For deploy-time detection, if the admission controller has been configured with "No Enforcement" (a customer is opting out), we can exit the webhook early and have the deployment event evaluated by Sensor instead, falling back to what we have traditionally called "soft enforcement" (i.e. scale to 0 only on the deployment create event and no enforcement on updates). This frees up resources in the admission controller so that it can respond to requests such as runtime pod command events.

      2. The admission controller runs image scans even if there are no enforced policies, or no enforced policies whose criteria require scan data (scan data here encompasses signature data, image metadata from the registry and the actual image scan results).

      Check for the existence of at least one enforced policy with criteria that require scan data, and kick off image scans only if so. I'd like to see if we can do this as an inferred property on the detector's policy set, recomputed whenever that changes, instead of for each admission request.

      3. We need to look at increasing the resource limits for the admission controller.

      4. Image scan invocation optimizations in the admission controller
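      The following Go sketch is an added illustration of optimizations 1 and 2 above; it is written for this page and is not code from the StackRox/ACS project. The Policy type, the list of scan-dependent criteria names, the enforcement-mode constants and every function name are assumptions chosen for the example. It shows the "needs scan data" flag being derived once per policy-set update (not per admission request) and the webhook returning before any work when enforcement is switched off.

```go
package main

import (
	"fmt"
	"sync"
)

// Policy is a deliberately minimal, hypothetical model of a policy (not the
// product's own storage type): a name, whether enforcement is configured for
// the deploy stage, and the names of its criteria fields.
type Policy struct {
	Name     string
	Enforced bool
	Criteria []string
}

// scanDataCriteria lists criteria that can only be evaluated with data from an
// image scan, the registry, or signature verification. The names are
// illustrative assumptions, not the product's canonical field list.
var scanDataCriteria = map[string]bool{
	"CVE":                         true,
	"CVSS":                        true,
	"Fixed By":                    true,
	"Image Age":                   true,
	"Image Signature Verified By": true,
}

func policyRequiresScanData(p Policy) bool {
	for _, c := range p.Criteria {
		if scanDataCriteria[c] {
			return true
		}
	}
	return false
}

// PolicySet stores the current policies together with an inferred property,
// needsScanData, that is recomputed once on every Update rather than on every
// admission request.
type PolicySet struct {
	mu            sync.RWMutex
	policies      []Policy
	needsScanData bool
}

func NewPolicySet(policies []Policy) *PolicySet {
	ps := &PolicySet{}
	ps.Update(policies)
	return ps
}

// Update replaces the policy set and recomputes the inferred property.
func (ps *PolicySet) Update(policies []Policy) {
	needs := false
	for _, p := range policies {
		if p.Enforced && policyRequiresScanData(p) {
			needs = true
			break
		}
	}
	ps.mu.Lock()
	ps.policies = policies
	ps.needsScanData = needs
	ps.mu.Unlock()
}

// NeedsScanData is the O(1) check used on the admission hot path.
func (ps *PolicySet) NeedsScanData() bool {
	ps.mu.RLock()
	defer ps.mu.RUnlock()
	return ps.needsScanData
}

// EnforcementMode models the "No Enforcement" opt-out described in the epic.
type EnforcementMode int

const (
	NoEnforcement EnforcementMode = iota
	Enforce
)

type AdmissionRequest struct {
	Deployment string
	Images     []string
}

// Decision records what the webhook decided to do for a deploy-time request.
type Decision struct {
	DeferredToSensor bool // webhook exited early; Sensor applies soft enforcement
	ScanRequested    bool // an image scan was kicked off for the request
}

// ReviewDeployment models only the two optimizations from the epic; the policy
// evaluation itself is left out of this sketch.
func ReviewDeployment(mode EnforcementMode, ps *PolicySet, req AdmissionRequest) Decision {
	// Optimization 1: the customer opted out of admission-time enforcement,
	// so return before doing any work and let Sensor evaluate the event.
	if mode == NoEnforcement {
		return Decision{DeferredToSensor: true}
	}
	// Optimization 2: scan only when some enforced policy can use the result.
	return Decision{ScanRequested: ps.NeedsScanData() && len(req.Images) > 0}
}

func main() {
	ps := NewPolicySet([]Policy{
		{Name: "Latest tag", Enforced: true, Criteria: []string{"Image Tag"}},
		{Name: "Fixable CVE", Enforced: false, Criteria: []string{"CVE"}},
	})
	// Constructed sample request; the image reference is a placeholder.
	req := AdmissionRequest{Deployment: "web", Images: []string{"registry.example/web:1.0"}}
	fmt.Printf("opt-out:          %+v\n", ReviewDeployment(NoEnforcement, ps, req))
	fmt.Printf("no scan criteria: %+v\n", ReviewDeployment(Enforce, ps, req))
	ps.Update([]Policy{{Name: "Fixable CVE", Enforced: true, Criteria: []string{"CVE"}}})
	fmt.Printf("scan criteria:    %+v\n", ReviewDeployment(Enforce, ps, req))
}
```

      Note that an unenforced policy with scan-dependent criteria does not flip the flag: the property is "at least one enforced policy needs scan data", exactly as item 2 states, so an opt-out customer or a cluster with only metadata-based enforced policies never pays for a scan in the webhook.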

      Requirements:

      <enter general Epic requirements here>

      Technical Scope:

      <your text here>

      Out of Scope:

      <your text here>

      Outstanding Questions (Optional):

      <your text here>

              ksanchet@redhat.com Khushboo Sancheti
              ACS Core Workflows