What is the Audit Scanner?
The Audit Scanner feature is available starting from Kubewarden 1.7.0 release
The audit-scanner component constantly checks resources in the cluster.
It flags the ones not adhering to Kubewarden policies deployed in the cluster.
Policies evolve over time. There are new policy deployments and policy updates. Versions and configuration settings change. This can lead to situations where resources already inside the cluster are no longer compliant. The audit scanning feature provides Kubernetes administrators with a tool that constantly verifies the compliance state of their clusters.
To explain the use of the audit scanner in Kubewarden, consider the following scenario:
Assume Bob is deploying a WordPress Pod in the cluster. Bob is new to Kubernetes, makes a mistake and deploys the Pod running as a privileged container. At the moment, there's no policy preventing that so the Pod is successfully created in the cluster.
A few days later, Alice, the Kubernetes administrator, enforces a Kubewarden policy that prohibits the creation of privileged containers. The Pod deployed by Bob keeps running in the cluster as it already exists.
A report generated by the audit scanner lets Alice identify all the workloads that are violating creation policies. This includes the WordPress Pod created by Bob.
The audit scanner operates by:
- identifying all the resources to audit
- for each resource, it builds a synthetic admission request with the resource's data
- it sends each admission request to a policy server endpoint which is only for audit requests
For the policy evaluating the request, there are no differences between real or audit requests. This auditing policy server endpoint has instrumentation to collect data about the evaluation. So, users can use their monitoring tools to analyze audit scanner data.
Enable audit scanner​
You can enable the audit scanner starting from the Kubewarden 1.7.0 release.
Detailed installation instructions are in the audit scanner How-to.
Policies��​
By default, the audit scanner evaluates every policy. Operators that want to
skip a policy evaluation in the audit scanner must set the
spec.backgroundAudit field to false in the policy definition.
Also, policies in Kubewarden now support two optional annotations:
- The
io.kubewarden.policy.severityannotation lets you specify the severity level of the policy violation, such ascritical,high,medium,loworinfo. - The
io.kubewarden.policy.categoryannotation lets you categorize the policy based on a specific domain or purpose, such asPSP,compliance, orperformance.
See the policy authors documentation for more information.
Permissions and ServiceAccounts​
The audit scanner in Kubewarden requires specific Role Based Access Control (RBAC) configurations to be able to scan Kubernetes resources and save the results. Installation creates a correct default Service Account with those permissions. The user can create their own ServiceAccount to configure access to resources.
The default audit scanner ServiceAccount binds to the view ClusterRole
provided by Kubernetes. This ClusterRole permits read-only access to a wide
range of Kubernetes resources within a namespace. You can find more details
about this role in the Kubernetes
documentation.
The audit scanner binds to a ClusterRole that grants read access to
Kubewarden resource types and read-write access to the PolicyReport CRDs.
These permissions let the scanner fetch resources for conducting audit
evaluations and creating policy reports based on the evaluation results.