Please make an External Data provider for Gatekeeper

[tspearconquest]

Hello,

I was looking into a recently added feature in the OPA Gatekeeper project wherein Gatekeeper can consume data from external sources in order to validate or mutate Kubernetes cluster resources.

https://open-policy-agent.github.io/gatekeeper/website/docs/externaldata

The external data comes from a Provider resource, which consumes the data from an HTTP endpoint (can be in cluster or external) and uses that data when reviewing a kubernetes resource for admission control purposes.

Some example providers are able to be found online (such as the example Trivy provider) but they are simply examples for end users/teams to follow in order to implement their own providers, and not intended for production use.

This feature request is opened to request an official Trivy external data provider supported by Aqua Security which can be used to prevent images with vulnerabilities from being admitted into a cluster.

This does not need to be open source, nor does it need to be free (as in beer) -- In fact, currently we only use the open source Trivy project, but I believe I could convince my organization into paying for the Aqua platform if this were offered as part of the platform.

[itaysk]

Hi there, so I understand you are using Gatekeeper, and looking to prevent vulnerable images from being admitted to the cluster correct?

1. we don't have plans to make a gatekeeper external data source for Trivy. If someone in the community did it we would happily promote it though.
2. We talked previously about how vulnerability attestations can be used to achieve the same effect.
   1. Here's an explanation, with sigstore(rekor)+Kyverno. https://youtu.be/i_9bV08CTao and tutorial: https://aquasecurity.github.io/trivy/v0.37/tutorials/kubernetes/kyverno/
   2. In the next kubecon I have a talk about doing the same thing with OCI references+OPA gatekeeper (TBD).
   3. In the future we might be adding a built-in admission controller to Trivy Operator that does this simple common request.
3. Aqua platform has much more sophisticated controls that are based on OPA but lets you quickly configure common controls from the UI. You can get a glimpse of it here https://www.aquasec.com/products/container-security/#block_3 and if you want to get a demo I can connect you with someone that will walk you through it (on Slack).

[tspearconquest]

Sure, I'm on there. I will ping to discuss.

[itaysk]

Closing as this is currently out of scope for Trivy scanner. Feel free to keep discussing if needed