
Use a single admission controller that reports for all MondooAuditConfigs

Open imilchev opened this issue 3 years ago • 0 comments

Currently, for every MondooAuditConfig that has the admission controller enabled, we create new scan API and webhook instances. Because of that, our operator has access to all admission controllers. This is considered a bad security practice, so we should try to avoid it.

To get around this issue, we need to make sure the mondoo client's scan API can report to multiple spaces. If that is possible, then we can have a single instance of the scan API that serves all MondooAuditConfigs. In addition to this change, we will need to make sure the admission controller lists all MondooAuditConfigs and reports the scans for each of them.

Once this is all possible, we should consider applying the same approach to the workload scanning.

imilchev • May 22 '22 12:05