You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently, diki rules run independently of other diki rules. This means that rules that require the creation of a pod to run their checks, e.g. checking the file permissions on a node, have to create a new pod for each rule. This can lead to many pods being created and deleted, which is inefficient and can lead to rule failures due to resource constraints.
To address this issue, there can be a pod worker pool that can be used by multiple rules. This worker pool should:
Be created lazily, only when a rule that requires it is executed for the first time.
Be shared among all rules that require the creation of a pod to run their checks.
Use a mechanism to ensure parallel execution of rules that require the pod worker pool, e.g. mutex.
Be cleaned up after all rules of the ruleset have been executed.
Note
Currently, rules that create pods have the options to not create pods on all nodes via the nodeGroupByLabels rule options, e.g.
This rule options should be taken into account when implementing the pod worker pool, we would want to create the least amount of pods possible for a given diki run.
It might be required a global nodeGroupByLabels option to be made for the rulesets, instead of per rule, to achieve this goal.
Why is this needed:
Reduce load on scanned cluster by creating a minimal amount of required Pods there.
What would you like to be added:
Currently,
dikirules run independently of otherdikirules. This means that rules that require the creation of a pod to run their checks, e.g. checking the file permissions on a node, have to create a new pod for each rule. This can lead to many pods being created and deleted, which is inefficient and can lead to rule failures due to resource constraints.To address this issue, there can be a pod worker pool that can be used by multiple rules. This worker pool should:
Note
Currently, rules that create pods have the options to not create pods on all nodes via the
nodeGroupByLabelsrule options, e.g.diki/example/guides/disa-k8s-stig-shoot.yaml
Lines 25 to 28 in 35e63cd
This rule options should be taken into account when implementing the pod worker pool, we would want to create the least amount of pods possible for a given diki run.
It might be required a global
nodeGroupByLabelsoption to be made for the rulesets, instead of per rule, to achieve this goal.Why is this needed:
Reduce load on scanned cluster by creating a minimal amount of required Pods there.