feat(configaudit): only scan current revision of deployments (#1148)

CONTRIBUTING.md

@@ -227,6 +227,7 @@ kubectl delete -k deploy/static
      OPERATOR_VULNERABILITY_SCANNER_ENABLED=true \
      OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS=false \
      OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED=false \
+     OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS=false \
      OPERATOR_CONFIG_AUDIT_SCANNER_BUILTIN=true \
      OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL="" \
      OPERATOR_BATCH_DELETE_LIMIT=3 \

deploy/helm/templates/deployment.yaml

@@ -83,6 +83,8 @@ spec:
               value: {{ .Values.operator.vulnerabilityScannerReportTTL | quote }}
             - name: OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED
               value: {{ .Values.operator.configAuditScannerEnabled | quote }}
+            - name: OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS
+              value: {{ .Values.operator.configAuditScannerScanOnlyCurrentRevisions | quote }}
             - name: OPERATOR_CONFIG_AUDIT_SCANNER_BUILTIN
               value: {{ .Values.operator.configAuditScannerBuiltIn | quote }}
             - name: OPERATOR_CLUSTER_COMPLIANCE_ENABLED

deploy/helm/values.yaml

@@ -53,6 +53,8 @@ operator:
   batchDeleteLimit: 10
   # vulnerabilityScannerScanOnlyCurrentRevisions the flag to only create vulnerability scans on the current revision of a deployment.
   vulnerabilityScannerScanOnlyCurrentRevisions: false
+  # configAuditScannerScanOnlyCurrentRevisions the flag to only create config audit scans on the current revision of a deployment.
+  configAuditScannerScanOnlyCurrentRevisions: false
   # batchDeleteDelay the duration to wait before deleting another batch of config audit reports.
   batchDeleteDelay: 10s
 image:

deploy/static/05-starboard-operator.deployment.yaml

@@ -87,6 +87,8 @@ spec:
               value: ""
             - name: OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED
               value: "false"
+            - name: OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS
+              value: "false"
             - name: OPERATOR_CONFIG_AUDIT_SCANNER_BUILTIN
               value: "true"
             - name: OPERATOR_CLUSTER_COMPLIANCE_ENABLED

deploy/static/starboard.yaml

@@ -1988,6 +1988,8 @@ spec:
               value: ""
             - name: OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED
               value: "false"
+            - name: OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS
+              value: "false"
             - name: OPERATOR_CONFIG_AUDIT_SCANNER_BUILTIN
               value: "true"
             - name: OPERATOR_CLUSTER_COMPLIANCE_ENABLED

docs/operator/configuration.md

@@ -17,6 +17,7 @@ Configuration of the operator's Pod is done via environment variables at startup
 | `OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED`                  | `true`               | The flag to enable CIS Kubernetes Benchmark scanner                                                                                                                                                          |
 | `OPERATOR_VULNERABILITY_SCANNER_ENABLED`                     | `true`               | The flag to enable vulnerability scanner                                                                                                                                                                     |
 | `OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED`                      | `false`              | The flag to enable plugin-based configuration audit scanner                                                                                                                                                  |
+| `OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS`  | `false`              | The flag to enable config audit scanner to only scan the current revision of a deployment                                                                                                                   |
 | `OPERATOR_CONFIG_AUDIT_SCANNER_BUILTIN`                      | `true`               | The flag to enable built-in configuration audit scanner                                                                                                                                                      |
 | `OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS` | `false`              | The flag to enable vulnerability scanner to only scan the current revision of a deployment                                                                                                                   |
 | `OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL`                  | `""`                 | The flag to set how long a vulnerability report should exist. When a old report is deleted a new one will be created by the controller. It can be set to `""` to disabled the TTL for vulnerability scanner. |

docs/operator/getting-started.md

@@ -116,6 +116,11 @@ as well as the ConfigAuditReport named `replicaset-nginx-78449c65d46` are automa
     of the `OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS` environment variable to `true` in the operator's
     deployment descriptor. This is useful to identify vulnerabilities that impact only the running workloads.
 
+!!! tip
+    If you only want the latest ReplicaSet in your Deployment to be scanned for config audit, you can set the value
+    of the `OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS` environment variable to `true` in the operator's
+    deployment descriptor. This is useful to identify config issues that impact only the running workloads.
+
 !!! tip
     You can get and describe `vulnerabilityreports` and `configauditreports` as built-in Kubernetes objects:
     ```

pkg/configauditreport/controller.go

@@ -162,6 +162,18 @@ func (r *ResourceController) reconcileResource(resourceKind kube.Kind) reconcile
 			}
 		}
 
+		if r.Config.ConfigAuditScannerScanOnlyCurrentRevisions && resourceKind == kube.KindReplicaSet {
+			controller := metav1.GetControllerOf(resource)
+			activeReplicaSet, err := r.IsActiveReplicaSet(ctx, resource, controller)
+			if err != nil {
+				return ctrl.Result{}, fmt.Errorf("failed checking current revision: %w", err)
+			}
+			if !activeReplicaSet {
+				log.V(1).Info("Ignoring inactive ReplicaSet", "controllerKind", controller.Kind, "controllerName", controller.Name)
+				return ctrl.Result{}, nil
+			}
+		}
+
 		// Skip processing if a resource is a Job controlled by CronJob.
 		if resourceKind == kube.KindJob {
 			controller := metav1.GetControllerOf(resource)

pkg/operator/controller/configauditreport.go

@@ -156,6 +156,18 @@ func (r *ConfigAuditReportReconciler) reconcileResource(resourceKind kube.Kind)
 			}
 		}
 
+		if r.Config.ConfigAuditScannerScanOnlyCurrentRevisions && resourceKind == kube.KindReplicaSet {
+			controller := metav1.GetControllerOf(resource)
+			activeReplicaSet, err := r.IsActiveReplicaSet(ctx, resource, controller)
+			if err != nil {
+				return ctrl.Result{}, fmt.Errorf("failed checking current revision: %w", err)
+			}
+			if !activeReplicaSet {
+				log.V(1).Info("Ignoring inactive ReplicaSet", "controllerKind", controller.Kind, "controllerName", controller.Name)
+				return ctrl.Result{}, nil
+			}
+		}
+
 		// Skip processing if a resource is a Job controlled by CronJob.
 		if resourceKind == kube.KindJob {
 			controller := metav1.GetControllerOf(resource)

pkg/operator/etc/config.go

@@ -28,6 +28,7 @@ type Config struct {
 	VulnerabilityScannerReportTTL                *time.Duration `env:"OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL"`
 	ClusterComplianceEnabled                     bool           `env:"OPERATOR_CLUSTER_COMPLIANCE_ENABLED" envDefault:"true"`
 	ConfigAuditScannerEnabled                    bool           `env:"OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED" envDefault:"false"`
+	ConfigAuditScannerScanOnlyCurrentRevisions   bool           `env:"OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS" envDefault:"false"`
 
 	// ConfigAuditScannerBuiltIn tells Starboard to use the built-in
 	// configuration audit scanner instead of Polaris or Conftest