From 27ce6b8329ae805158c8e07f961bf92a0826e62a Mon Sep 17 00:00:00 2001
From: Fabrizio Sestito
Date: Fri, 25 Oct 2024 07:39:37 +0200
Subject: [PATCH] fixes
Signed-off-by: Fabrizio Sestito
---
 ...001_scanner_architecture_and_design.md.md} | 51 ++++++++++---------
 1 file changed, 28 insertions(+), 23 deletions(-)
 rename docs/{rfc.md => rfc/0001_scanner_architecture_and_design.md.md} (87%)
diff --git a/docs/rfc.md b/docs/rfc/0001_scanner_architecture_and_design.md.md
similarity index 87%
rename from docs/rfc.md
rename to docs/rfc/0001_scanner_architecture_and_design.md.md
index 02b410c..13209ab 100644
--- a/docs/rfc.md
+++ b/docs/rfc/0001_scanner_architecture_and_design.md.md
@@ -1,9 +1,9 @@
 | | |
 | :----------- | :------------------------------ |
-| Feature Name | [Name] |
-| Start Date | [Today] |
-| Category | [Category] |
-| RFC PR | [fill this in after opening PR] |
+| Feature Name | Scanner architecture and design |
+| Start Date | Oct 24th, 2024 |
+| Category | Architecture |
+| RFC PR | |
 | State | **ACCEPTED** |
 # Summary
@@ -80,17 +80,17 @@ spec:
 Labels are used to select the image by the registry, repository, and tag.
 ```yaml
-apiVersion: sbomscanner.rancher.io/v1alpha1
+apiVersion: scanner.rancher.io/v1alpha1
 kind: Image
 metadata:
 name: "uuid"
 namespace: default
 labels:
- "sbomscanner.rancher.io/image": "nginx:v1.19.0" # tag of the image
- "sbomscanner.rancher.io/digest": "sha256:example" # digest of the image
- "sbomscanner.rancher.io/registry": "registry-example" # registry name
- "sbomscanner.rancher.io/registry-namespace": "default" # registry namespace
- "sbomscanner.rancher.io/repository": "prod" # repository name
+ "scanner.rancher.io/image": "nginx:v1.19.0" # tag of the image
+ "scanner.rancher.io/digest": "sha256:example" # digest of the image
+ "scanner.rancher.io/registry": "registry-example" # registry name
+ "scanner.rancher.io/registry-namespace": "default" # registry namespace
+ "scanner.rancher.io/repository": "prod" # repository name
 spec:
 layers:
 - ...
@@ -102,17 +102,17 @@ spec:
 `SBOM` represents a Software Bill of Materials of an image.
 ```yaml
-apiVersion: sbomscanner.rancher.io/v1alpha1
+apiVersion: canner.rancher.io/v1alpha1
 kind: SBOM
 metadata:
 name: "uuid" # uuid of the image
 namespace: default
 labels:
- "sbomscanner.rancher.io/image": "nginx:v1.19.0" # tag of the image
- "sbomscanner.rancher.io/digest": "sha256:example" # digest of the image
- "sbomscanner.rancher.io/registry": "registry-example" # registry name
- "sbomscanner.rancher.io/registry-namespace": "default" # registry namespace
- "sbomscanner.rancher.io/repository": "prod" # repository name
+ "scanner.rancher.io/image": "nginx:v1.19.0" # tag of the image
+ "scanner.rancher.io/digest": "sha256:example" # digest of the image
+ "scanner.rancher.io/registry": "registry-example" # registry name
+ "scanner.rancher.io/registry-namespace": "default" # registry namespace
+ "scanner.rancher.io/repository": "prod" # repository name
 spec:
 sbom: # the SBOM content in json SPDX format
@@ -129,12 +129,13 @@ apiVersion: scanner.rancher.io/v1alpha1
 kind: VulnerabilityReport
 metadata:
 name: "uuid" # uuid of the image
+ namespace: default
 labels:
- "sbomscanner.rancher.io/image": "nginx:v1.19.0" # tag of the image
- "sbomscanner.rancher.io/digest": "sha256:example" # digest of the image
- "sbomscanner.rancher.io/registry": "registry-example" # registry name
- "sbomscanner.rancher.io/registry-namespace": "default" # registry namespace
- "sbomscanner.rancher.io/repository": "prod" # repository name
+ "scanner.rancher.io/image": "nginx:v1.19.0" # tag of the image
+ "scanner.rancher.io/digest": "sha256:example" # digest of the image
+ "scanner.rancher.io/registry": "registry-example" # registry name
+ "scanner.rancher.io/registry-namespace": "default" # registry namespace
+ "scanner.rancher.io/repository": "prod" # repository name
 spec:
 report: # vulnerabilities found in the image in SARIF format
@@ -213,6 +214,8 @@ An alternative to NATS would be to use Kubernetes Jobs; however, running one Pod
 The worker is responsible for cataloging the registry, generating the SBOMs, and scanning the images.
 Multiple workers can be deployed to scale the discovery and scan operations.
+This allows Kubernetes to automatically scale the worker pool to match demand, using mechanism such as [Horizontal Pod Autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/).
+
 Workers pull jobs from the NATS queue and process them.
 After completing a job, the worker will create or update the related CRD with the results.
@@ -228,10 +231,12 @@ As a future improvement, we can implement other adapters to use different scanne
 We rely on SBOMs as the primary source of truth for the CVE scanner, as they enable caching of the image inventory, eliminating the need to retrieve the image from the registry each time a scan is initiated.
 This approach also allows us to deduplicate images with identical SHA256 hashes but different tags.
+A different scanner, such as the secret scanner, may need to pull the image from the registry.
+However, this analysis is performed only once when the image is created.
+
 Another type of optimization is to verify if the CVE database contains relevant updates for the vulnerabilities associated with the image’s dependencies, as determined from the SBOM analysis, before proceeding with the scan.
-
-Another type of scanner, such as the secret scanner, might need to retrieve the image from the registry instead.
+For instance, when the vulnerability database is updated with new vulnerabilities for Alpine Linux, the scanner will target only the SBOMs of images that are based on Alpine Linux.
 ### Storage