Background scanning for policy violations #98

@phenixblue

Description

What would you like to be added:

A mechanism to scan and alert on Kubernetes resources that are already deployed in the cluster (i.e. past the initial admission control workflow).

  • Probably needs to run in a configurable interval
  • Could be background daemon or sidecar, or a completely separate pod.
  • Could be a good thing to look at doing in Golang
  • Maybe think through the possibility of an enforcement action in addition to alerts (i.e. scale to 0 pods on a Deployment with a privileged pod spec)
  • Not sure if we'd want a separate severity/deny level for the background scanning vs. the admission response flow

Why is this needed:

This would cover brownfield environments or scenarios where new policies are added/policy severity changes and resources may be long-lived/deployed infrequently.
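As an added illustration (not code from this issue or from the project), a stand-alone Python sketch of the scan pass described above: it runs over a constructed list of Deployments instead of a live API client, flags privileged containers (including init containers), and returns the scale-to-zero patch body rather than applying it so the decision logic can be tested offline. `SAMPLE_DEPLOYMENTS`, `scan_deployments` and `run_scanner` are assumptions for the sketch.

```python
import time
from dataclasses import dataclass

# Constructed sample standing in for Deployments listed from the API server,
# trimmed to the fields the checks below actually read.
SAMPLE_DEPLOYMENTS = [
    {"metadata": {"name": "web", "namespace": "prod"},
     "spec": {"replicas": 3, "template": {"spec": {"containers": [
         {"name": "nginx", "securityContext": {"privileged": False}}]}}}},
    {"metadata": {"name": "node-tool", "namespace": "ops"},
     "spec": {"replicas": 1, "template": {"spec": {"containers": [
         {"name": "agent", "securityContext": {"privileged": True}}]}}}},
    {"metadata": {"name": "builder", "namespace": "ci"},
     "spec": {"replicas": 2, "template": {"spec": {
         "initContainers": [{"name": "setup", "securityContext": {"privileged": True}}],
         "containers": [{"name": "main"}]}}}},
]

@dataclass
class Finding:
    namespace: str
    name: str
    container: str
    severity: str
    action: str  # "alert" or "scale-to-zero"

def privileged_containers(pod_spec):
    """Yield names of init or regular containers that request privileged mode."""
    for kind in ("initContainers", "containers"):
        for c in pod_spec.get(kind, []):
            if (c.get("securityContext") or {}).get("privileged") is True:
                yield c["name"]

def scan_deployments(deployments, enforce=False):
    """One pass over already-deployed resources: returns (findings, patches).
    Patches are the merge bodies that would scale violators to 0 replicas;
    they are returned, not applied, so a caller decides what to do with them."""
    findings, patches = [], {}
    for d in deployments:
        ns, name = d["metadata"]["namespace"], d["metadata"]["name"]
        for cname in privileged_containers(d["spec"]["template"]["spec"]):
            findings.append(Finding(ns, name, cname, "HIGH",
                                    "scale-to-zero" if enforce else "alert"))
            if enforce and d["spec"].get("replicas", 1) != 0:
                patches[(ns, name)] = {"spec": {"replicas": 0}}
    return findings, patches

def run_scanner(fetch, interval_seconds, enforce=False, cycles=None):
    """Background loop at a configurable interval; `fetch` returns a list of Deployments.
    `cycles=None` runs forever; a number bounds the loop for testing."""
    n = 0
    while cycles is None or n < cycles:
        findings, _patches = scan_deployments(fetch(), enforce)
        for f in findings:  # alert sink is a print here; a real scanner would emit metrics/events
            print(f"[{f.severity}] {f.namespace}/{f.name} container={f.container} action={f.action}")
        n += 1
        if cycles is None or n < cycles:
            time.sleep(interval_seconds)
    return n
```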
