You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/adr/adr_0017.md
+6Lines changed: 6 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -124,6 +124,12 @@ spec:
124
124
```
125
125
</details>
126
126
127
+
#### Using an initContainer and use ownerReferences for the created secretes
128
+
Using the same initContainer logic described above but setting the ownerReference of the created secrets to the job/pod of the scan would result in similar behavior without the need of a sidecar.
129
+
130
+
Pros:
131
+
* No need for a sidecar while keeping the namespace clean of temporary secrets
132
+
127
133
#### Using a separate operator
128
134
Instead of creating the secrets for trivy at scan runtime all secrets could be created upon pod creation. The new proposed operator would not listen on secrets but on pods (not every secret in a namespace is automatically used as an `imagePullSecret` so it doesn't make sense to subscribe to secrets). When a pod gets created the new operator would check if it has `imagePullSecrets` defined and if so it would check if the specific container was already processed. If not then it would check which `imagePullSecret` belongs to which container and then create the trivy secrets. Similar to the container autodiscovery this new operator would only create a secret for trivy for every distinct secret. When a pod gets updated the new operator will check if the `imagePullSecrets` changed. This approach will clutter the namespace quite substantially because the trivy secrets exist continuously until the secret is not needed anymore (pod that uses the `imagePullSecrets` gets deleted). To be clear: The scheduled scans are still created by the existing autodiscovery. The existing autodiscovery will check if the new operator created a secret for the specific container it wants to scan. If a secret for the container was created the existing autodiscovery would mount this secret. There needs to be a way to tell the existing autodiscovery which pod was processed by the new operator. One could use pod annotations to mark pods as processed (processed := secret was created by the new operator).
0 commit comments