Storing reports as Kubernetes objects makes them very easy for users and other tools to consume. The current report structure is very useful for working with Trivy Operator data, and I'm wondering if it could even be enhanced in order to re-use other tools in the ecosystem.
PolicyReports are a type proposed by the Kubernetes Policy Working Group, which seeks to standardize the experience of working with policy management in Kubernetes clusters.
Currently, Trivy Operator report types can be converted into PolicyReports using the Trivy Operator PolicyReport Adapter. This makes it possible to access Trivy data via the common format, and use additional tooling like Policy Reporter to work with the data.
However, the adapter works by copying the data from the original report (e.g. a VulnerabilityReport) into a PolicyReport. This duplicates the data and the etcd space needed to store it.
If Trivy Operator were to natively support PolicyReports as an output, it would be a big improvement.
- Less data would need to be duplicated in etcd when using PolicyReports
- Users can consume Trivy Operator reports through Policy Reporter
- Trivy Operator reports can be stored as "official" Kubernetes objects (assuming the eventual promotion of the API)
Additionally, it would enable storing reports outside of etcd. We've written a more in-depth discussion of the limitations of etcd storage for reports in large clusters, but in short, the volume of data cycling through the API server becomes too large, and even individual reports can become quite large, and exceed the maximum size tolerated by etcd (#442, #441).
To address those limitations, PolicyReports can now optionally be stored in an external database using an extension API server. If Trivy Operator were to support PolicyReports natively, it could also get the performance benefits of using the same external storage.
As a side note, if PolicyReport support isn't feasible, please consider this a feature request for a similar external storage mechanism like the one linked above, to address the problem of report volume in large clusters.
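To make the duplication concrete, here is an added Go sketch (not code from Trivy Operator or the PolicyReport Adapter) that copies VulnerabilityReport findings into PolicyReport-style results the way an adapter must, and measures the extra serialized bytes that a second object would add to etcd. The struct shapes, the severity-to-result rule and the sample findings are all assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Simplified shapes (assumption): only the fields the mapping touches; the real types carry more.
type Vulnerability struct {
	VulnerabilityID, Resource, InstalledVersion, FixedVersion, Severity string
}

type Result struct { // one entry of PolicyReport.results
	Policy   string `json:"policy"`
	Rule     string `json:"rule"`
	Severity string `json:"severity"`
	Result   string `json:"result"`
	Message  string `json:"message"`
	Source   string `json:"source"`
}

// toResult maps one finding to one PolicyReport result. Assumed rule: CRITICAL/HIGH -> "fail", else "warn".
func toResult(v Vulnerability) Result {
	res := "warn"
	if v.Severity == "CRITICAL" || v.Severity == "HIGH" {
		res = "fail"
	}
	msg := fmt.Sprintf("%s %s installed, fixed in %q", v.Resource, v.InstalledVersion, v.FixedVersion)
	return Result{v.VulnerabilityID, v.Resource, strings.ToLower(v.Severity), res, msg, "Trivy Vulnerability"}
}

// Convert copies every finding into a PolicyReport result list; this copy is the duplication an adapter incurs.
func Convert(vulns []Vulnerability) []Result {
	out := make([]Result, 0, len(vulns))
	for _, v := range vulns {
		out = append(out, toResult(v))
	}
	return out
}

// ExtraBytes is the serialized size of that copy: the extra etcd footprint a native output would avoid.
func ExtraBytes(vulns []Vulnerability) int {
	b, _ := json.Marshal(Convert(vulns))
	return len(b)
}

func main() {
	// Constructed sample findings, not real scan output.
	vulns := []Vulnerability{{"CVE-0000-0001", "libexample", "1.0", "1.1", "CRITICAL"}, {"CVE-0000-0002", "libother", "2.0", "", "LOW"}}
	fmt.Println(Convert(vulns), ExtraBytes(vulns))
}
```

In a real cluster the original report stays in etcd alongside this copy, so every finding is stored twice; a native PolicyReport output would store it once.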