EPIC Compliance audit checks

[viccuad]

Add background check that inspects all resources in cluster and flags those violating currently enforced policies.
For more info, see audit checks RFC and PolicyReport RFC.

For helm charts, kwctl, policy-server, kubewarden-controller(crds), e2e tests, we may want to work against a feature branch instead of merging to main.

Task list:

• New audit-scanner CLI program and image, in go, that runs the audit algorithm:

  • Create new https://github.com/kubewarden/audit-scanner repo #316

  • audit-scanner - MVP Stage 1 - find relevant Policies for a given Namespace audit-scanner#1

  • audit-scanner - CI/CD audit-scanner#5

  • audit-scanner - MVP Stage 2 - find relevant Kubernetes resources defined inside of the given Namespace #336

  • audit-scanner - MVP Stage 3 - perform evaluations audit-scanner#10

  • audit-scanner - MVP Stage 4 - create PolicyReport audit-scanner#36

  • audit-scanner - MVP Stage 5.1 - inspect cluster wide resources audit-scanner#43

  • audit-scanner - MVP Stage 5.2 - reuse results from previous evaluations audit-scanner#44

  • audit-scanner: AdmissionPolicies annotation changes #461

  • audit-scanner - MVP Stage 6 - inspect the whole cluster audit-scanner#52

  • audit-scanner: Check ObjectSelector/LabelSelector audit-scanner#54

  • Audit scanner add policy modes to PolicyReportsResult properties audit-scanner#60: Postponed

  • Support policies that check DELETE requests audit-scanner#63: Postponed

  • Consume policy-server endpoint certs in audit-scanner audit-scanner#64

• policy-server changes:

  • New endpoint /audit #337
  • Add new metrics to Grafana for audit/ endpoint policy-server#490

• Add spec.backgroundAudit to policy CRDs #318

• kwctl:

  • Make kwctl inspect & kwctl annotate understand spec.backgroundAudit in metadata.yml kwctl#330
  • Make kwctl scaffold take into account spec.backgroundAuditAcceptance criteria kwctl#331
  • Make kwctl aware of new severity and category annotations kwctl#529

• Helm charts:

  • Expose audit feature in kubewarden controller helm charts helm-charts#237
  • Figure out how to distribute PolicyReport CRDs
    Should the PolicyReport CRDs be shipped by our CRD helm chart?
    Is there some helm chart already done by the community?
    Acceptance criteria:
    - We know how PolicyReport CRDs are going to be installed on the target cluster
  • Consume helm chart skipNamespaces in CronJob template helm-charts#254
  • Add questions.yaml with audit-scanner values to kubewarden-controller helm-charts#260

• Update all policies with new spec.backgroundAudit as needed #479

• Update all policy templates with new spec.backgroundAudit as needed. #480

• Add e2e tests for the audit feature #478

• Write docs on audit feature docs#198

• Add audit scanner in the CI to keep Kubewarden stack version in sync #484

• Release Kubewarden stack
  Acceptance criteria:

  • Release controller, audit-scanner, policy-server, kwctl, helm-charts, by merging the feat-audit branches into main where needed.
  • Do RC before final release
  • Run e2e tests for stack

• Write blogpost about new compliance audit checks feature. kubewarden.io#193

• Investigate if or how to embed policy-reporter in Kubewarden UI - Integrate policy-reporter rancher/kubewarden-ui#447

[flavio]

closing as done, we have implemented and delivered all the tasks required by the 1st iteration of this feature