[EPIC] Workload Scan #745

@fabriziosestito

Description

This epic introduces the ability to automatically scan container images based on what's actually running in the cluster. Instead of requiring users to manually configure registries and image filters, the WorkloadScan controller watches running workloads (Deployments, StatefulSets, DaemonSets, etc.) and creates the necessary Registry resources on the fly.

This gives users runtime context for their vulnerability data: they can see which vulnerabilities affect their actual running pods, not just what's sitting in a registry. The controller also generates WorkloadReport resources that aggregate vulnerability findings per workload, making it easier to answer "what needs to be fixed in this deployment?"

The feature is opt-in via a cluster-scoped WorkloadScan CR, with support for namespace filtering and per-registry configuration overrides.

User stories

  • As a user, I want to activate and configure the workload scan functionality.

    • Given a cluster with SBOMScanner installed, when a cluster-scoped WorkloadScan custom resource (CR) is created, then the workload scan functionality is enabled for all namespaces.
    • Given a cluster with SBOMScanner installed, when a user creates a WorkloadScan CR that specifies a namespaceSelector, then only the matching namespaces are included in the workload scan.
    • Given a cluster with SBOMScanner installed, when a user creates a WorkloadScan CR that includes global registry options (authSecret, caBundle, scanInterval), then those global settings are propagated to the Registry resources created by the operator.
    • Given a cluster with SBOMScanner installed, when a user defines per-URI registry option overrides in a WorkloadScan CR, then the override settings are applied to the Registry resources created by the operator if the registry’s URI matches the one specified in the override configuration.
  • As a user, I want SBOMScanner to automatically scan the images used by my running workloads.

    • Given a namespace where WorkloadScan is enabled, when a workload is created or updated, then a corresponding immutable Registry configuration is created or updated by the operator for the matching registry URI, including filters that reflect the platforms, repositories, and image tags of the container images used by the pods scheduled by the workload.
    • Given a Registry created by the WorkloadScan reconciler, when the defined scanInterval has passed, then the images are rescanned accordingly.
  • As a user, I want SBOMScanner to produce comprehensive vulnerability reports for my workloads.

    • Given a namespace where WorkloadScan is enabled, when all image scans for a workload are complete, then SBOMScanner generates a WorkloadReport in the same namespace. The report includes:

      • References to the workload’s name, kind, and group/version.
      • For each image running in the workload's pods, a reference to the corresponding VulnerabilityReport object.
      • A summary counting the total number of vulnerabilities by severity: high, medium, low, unknown, and suppressed.
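The per-registry filters from the second user story (repositories and tags derived from the images a workload's pods run), as an added Go example that is not SBOMScanner's own code: it assumes a simplified RegistryFilter shape rather than the real Registry CRD, and the image references in main are constructed sample input.

```go
package main

import (
	"fmt"
	"strings"
)

// RegistryFilter is the per-registry filter a WorkloadScan reconciler would derive
// from a workload's images (assumed shape, not the SBOMScanner CRD; no platforms).
type RegistryFilter struct{ Repositories, Tags map[string]bool }

// SplitImage splits an image reference into registry URI, repository and tag; a digest lands in the tag slot.
func SplitImage(image string) (uri, repo, tag string) {
	uri, repo, tag = "docker.io", image, "latest"
	// The first path component is a registry host only if it looks like one.
	if i := strings.Index(image, "/"); i > 0 {
		if head := image[:i]; strings.ContainsAny(head, ".:") || head == "localhost" {
			uri, repo = head, image[i+1:]
		}
	}
	if uri == "docker.io" && !strings.Contains(repo, "/") {
		repo = "library/" + repo
	}
	if at := strings.Index(repo, "@"); at >= 0 {
		repo, tag = repo[:at], repo[at+1:]
	} else if c := strings.LastIndex(repo, ":"); c >= 0 {
		repo, tag = repo[:c], repo[c+1:]
	}
	return uri, repo, tag
}

// FiltersByRegistry groups a workload's images by registry URI, collecting the
// distinct repositories and tags each generated Registry should be limited to.
func FiltersByRegistry(images []string) map[string]RegistryFilter {
	out := map[string]RegistryFilter{}
	for _, img := range images {
		uri, repo, tag := SplitImage(img)
		f, ok := out[uri]
		if !ok {
			f = RegistryFilter{map[string]bool{}, map[string]bool{}}
			out[uri] = f
		}
		f.Repositories[repo], f.Tags[tag] = true, true // maps are shared, so out[uri] sees this
	}
	return out
}

func main() {
	fmt.Println(FiltersByRegistry([]string{"nginx:1.25", "localhost:5000/app:v1", "ghcr.io/acme/api@sha256:0123"})) // constructed sample images
}
```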

Metadata

Status: In Progress
