WARNING: This policy is currently in the sandbox phase. This means that it is not yet ready for production use. The policy is under active development and may change significantly.
This policy is used to enforce a maximum number of vulnerabilities of a certain severity level in an image.
The policy can be configured to allow a certain number of vulnerabilities of a certain severity level. When the threshold is exceeded, the image is not allowed to be deployed.
It's possible to provide a list of CVEs that are always allowed or denied, regardless of their severity level.
By default the policy will deny the usage of images that have not been scanned for vulnerabilities.
This behavior can be changed by setting ignoreMissingVulnerabilityReport
to true
.
This policy relies on the SBOMbastic project being installed in the cluster.
This project scans images for vulnerabilities and stores the results in a custom resource
called VulnerabilityReport
.
Requirements:
- SBOMbastic is deployed and properly configured into the cluster.
- The
ServiceAccount
used by the Kubewarden Policy Server has the necessary permissions to readVulnerabilityReport
resources. - The
VulnerabilityReport
resources are namespaced, hence the configuration of the policy must include the namespace where theVulnerabilityReport
resources are stored. - This is a context aware policy,
hence its must be deployed as a
ClusterAdmissionPolicy
and it must be granted access to theVulnerabilityReport
resources.
This policy can be configured using the following settings:
maxSeverity:
critical: # total and totalWithoutFixes are mutually exclusive
total: 10 # maximum number of critical CVEs that are allowed
totalWithoutFixes: 5 # max number of critical CVEs without fixes that are allowed
high: # total and totalWithoutFixes are mutually exclusive
total: 20 # maximum number of high CVEs that are allowed
totalWithoutFixes: 10 # max number of high CVEs without fixes that are allowed
medium: # total and totalWithoutFixes are mutually exclusive
total: 30 # maximum number of medium CVEs that are allowed
totalWithoutFixes: 15 # max number of medium CVEs without fixes that are allowed
low: # total and totalWithoutFixes are mutually exclusive
total: 40 # maximum number of low CVEs that are allowed
totalWithoutFixes: 20 # max number of low CVEs without fixes that are allowed
# List of CVEs that are always allowed, they do not count towards the
# max_cve_severity
allowAlways:
- CVE-2020-1234
- CVE-2020-5678
# List of CVEs that are always denied, they do not count towards the
# max_cve_severity
denyAlways:
- CVE-2020-1234
- CVE-2020-5678
# What to do if the image has not been scanned for CVEs
# Setting to true will accept the image, setting to false will reject the image
# Default is false
ignoreMissingVulnerabilityReport: true | false
# Namespace where VulnerabilityReport CRDs are stored
vulnerabilityReportNamespace: sbombastic
TODO