fixes

Signed-off-by: Fabrizio Sestito <fabrizio.sestito@suse.com>
rancher-sandbox · Oct 25, 2024 · 27ce6b8 · 27ce6b8
1 parent 0294b64
commit 27ce6b8
Showing 1 changed file with 28 additions and 23 deletions.
diff --git a/docs/rfc.md → ...001_scanner_architecture_and_design.md.md b/docs/rfc.md → ...001_scanner_architecture_and_design.md.md
@@ -1,9 +1,9 @@
 |              |                                 |
 | :----------- | :------------------------------ |
-| Feature Name | [Name]                          |
-| Start Date   | [Today]                         |
-| Category     | [Category]                      |
-| RFC PR       | [fill this in after opening PR] |
+| Feature Name | Scanner architecture and design |
+| Start Date   | Oct 24th, 2024                  |
+| Category     | Architecture                    |
+| RFC PR       |                                 |
 | State        | **ACCEPTED**                    |
 
 # Summary
@@ -80,17 +80,17 @@ spec:
 Labels are used to select the image by the registry, repository, and tag.
 
 ```yaml
-apiVersion: sbomscanner.rancher.io/v1alpha1
+apiVersion: scanner.rancher.io/v1alpha1
 kind: Image
 metadata:
   name: "uuid"
   namespace: default
   labels:
-    "sbomscanner.rancher.io/image": "nginx:v1.19.0" # tag of the image
-    "sbomscanner.rancher.io/digest": "sha256:example" # digest of the image
-    "sbomscanner.rancher.io/registry": "registry-example" # registry name
-    "sbomscanner.rancher.io/registry-namespace": "default" # registry namespace
-    "sbomscanner.rancher.io/repository": "prod" # repository name
+    "scanner.rancher.io/image": "nginx:v1.19.0" # tag of the image
+    "scanner.rancher.io/digest": "sha256:example" # digest of the image
+    "scanner.rancher.io/registry": "registry-example" # registry name
+    "scanner.rancher.io/registry-namespace": "default" # registry namespace
+    "scanner.rancher.io/repository": "prod" # repository name
 spec:
   layers:
     - ...
@@ -102,17 +102,17 @@ spec:
 `SBOM` represents a Software Bill of Materials of an image.
 
 ```yaml
-apiVersion: sbomscanner.rancher.io/v1alpha1
+apiVersion: canner.rancher.io/v1alpha1
 kind: SBOM
 metadata:
   name: "uuid" # uuid of the image
   namespace: default
   labels:
-    "sbomscanner.rancher.io/image": "nginx:v1.19.0" # tag of the image
-    "sbomscanner.rancher.io/digest": "sha256:example" # digest of the image
-    "sbomscanner.rancher.io/registry": "registry-example" # registry name
-    "sbomscanner.rancher.io/registry-namespace": "default" # registry namespace
-    "sbomscanner.rancher.io/repository": "prod" # repository name
+    "scanner.rancher.io/image": "nginx:v1.19.0" # tag of the image
+    "scanner.rancher.io/digest": "sha256:example" # digest of the image
+    "scanner.rancher.io/registry": "registry-example" # registry name
+    "scanner.rancher.io/registry-namespace": "default" # registry namespace
+    "scanner.rancher.io/repository": "prod" # repository name
 spec:
   sbom:
     # the SBOM content in json SPDX format
@@ -129,12 +129,13 @@ apiVersion: scanner.rancher.io/v1alpha1
 kind: VulnerabilityReport
 metadata:
   name: "uuid" # uuid of the image
+  namespace: default
   labels:
-    "sbomscanner.rancher.io/image": "nginx:v1.19.0" # tag of the image
-    "sbomscanner.rancher.io/digest": "sha256:example" # digest of the image
-    "sbomscanner.rancher.io/registry": "registry-example" # registry name
-    "sbomscanner.rancher.io/registry-namespace": "default" # registry namespace
-    "sbomscanner.rancher.io/repository": "prod" # repository name
+    "scanner.rancher.io/image": "nginx:v1.19.0" # tag of the image
+    "scanner.rancher.io/digest": "sha256:example" # digest of the image
+    "scanner.rancher.io/registry": "registry-example" # registry name
+    "scanner.rancher.io/registry-namespace": "default" # registry namespace
+    "scanner.rancher.io/repository": "prod" # repository name
 spec:
   report:
     # vulnerabilities found in the image in SARIF format
@@ -213,6 +214,8 @@ An alternative to NATS would be to use Kubernetes Jobs; however, running one Pod
 
 The worker is responsible for cataloging the registry, generating the SBOMs, and scanning the images.
 Multiple workers can be deployed to scale the discovery and scan operations.
+This allows Kubernetes to automatically scale the worker pool to match demand, using mechanism such as [Horizontal Pod Autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/).
+
 Workers pull jobs from the NATS queue and process them.
 After completing a job, the worker will create or update the related CRD with the results.
 
@@ -228,10 +231,12 @@ As a future improvement, we can implement other adapters to use different scanne
 We rely on SBOMs as the primary source of truth for the CVE scanner, as they enable caching of the image inventory,
 eliminating the need to retrieve the image from the registry each time a scan is initiated.
 This approach also allows us to deduplicate images with identical SHA256 hashes but different tags.
+A different scanner, such as the secret scanner, may need to pull the image from the registry.
+However, this analysis is performed only once when the image is created.
+
 Another type of optimization is to verify if the CVE database contains relevant updates for the vulnerabilities associated with the image’s dependencies,
 as determined from the SBOM analysis, before proceeding with the scan.
-
-Another type of scanner, such as the secret scanner, might need to retrieve the image from the registry instead.
+For instance, when the vulnerability database is updated with new vulnerabilities for Alpine Linux, the scanner will target only the SBOMs of images that are based on Alpine Linux.
 
 ### Storage