ADR-0015: Kubernetes As Orchestration Engine for Scans
Status: ACCEPTED
Date: 2022-09-13
Author(s): Jannik Hollenbach jannick.hollenbach@iteratec.com, Sven Strittmatter sven.strittmatter@iteratec.com
This ADR should have been written prior to implementation, but we only started documenting ADRs later. It has therefore been written retrospectively to record the decision as it was made at that time.
Context
secureCodeBox is essentially an orchestration of various security scanners. Kubernetes is a platform for orchestrating resources: originally designed to orchestrate data center resources, it has since gained the ability to define custom resources, which makes it possible to declare our own resource types and have Kubernetes orchestrate them. Since we run all integrated security scanners in containers anyway (a secureCodeBox scanner is merely a Docker image with a CLI scanner tool installed), it seems a perfect match to define these scanners as custom resources and let Kubernetes orchestrate them, instead of implementing this orchestration (with all its consequences) ourselves.
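To make the "scanner as custom resource" idea concrete, here is an added example (not part of this ADR, and not taken from the secureCodeBox repository) of what the two custom resource kinds look like: a scanner packaged as a ScanType, and a Scan that requests one run of it. The apiVersion, field names and image name are assumptions based on how secureCodeBox documents its Scan and ScanType CRDs; verify them against the installed CRDs with kubectl explain before relying on them. The same example illustrates the kubectl-only interaction listed under Consequences below.

```yaml
# Added example, not the ADR's or the project's own manifests.
# Assumed: apiVersion, field names and image name follow secureCodeBox's
# documented Scan/ScanType CRDs. Check with:
#   kubectl explain scantype.spec
#   kubectl explain scan.spec
apiVersion: execution.securecodebox.io/v1
kind: ScanType
metadata:
  name: nmap
spec:
  # Where the scanner writes its result file inside the container so the
  # operator knows what to collect after the Job finishes.
  extractResults:
    type: nmap-xml
    location: /home/securecodebox/nmap-results.xml
  # A plain Kubernetes Job template. Nothing here is secureCodeBox-specific:
  # Kubernetes schedules, retries and cleans up the Pod like any other Job.
  jobTemplate:
    spec:
      backoffLimit: 3
      template:
        spec:
          restartPolicy: OnFailure
          containers:
            - name: nmap
              image: docker.io/securecodebox/scanner-nmap:latest   # assumed image name
              # The Scan's spec.parameters are appended to this command.
              command: ["nmap", "-oX", "/home/securecodebox/nmap-results.xml"]
              securityContext:
                runAsNonRoot: true
                allowPrivilegeEscalation: false
                # nmap without CAP_NET_RAW falls back from a SYN scan to a
                # TCP connect scan; grant NET_RAW only if SYN scans are required.
---
apiVersion: execution.securecodebox.io/v1
kind: Scan
metadata:
  name: nmap-scanme-nmap-org
spec:
  # References the ScanType above; the operator looks it up, renders the
  # jobTemplate and creates the Job in the same namespace as this Scan.
  scanType: nmap
  parameters:
    - "-p"
    - "1-1000"
    - "scanme.nmap.org"   # constructed target for illustration only
```

Applied with kubectl apply -f, the Scan is just another namespaced object: kubectl get scans lists it, kubectl get jobs shows the Job the operator created from the ScanType's template, and kubectl delete scan removes the scan and, through ownerReferences, the Job it spawned. The security consequence worth noting is that the scanner runs as a Pod inside the cluster, so whatever NetworkPolicy, RBAC and Pod security settings apply to that namespace apply to the scan.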
Decision
We decided to use Kubernetes as the underlying orchestration platform to manage the scan processes.
Consequences
- secureCodeBox is hard-coupled to Kubernetes and therefore cannot be run without a cluster.
- We need to implement our own operator containing our business logic.
- Therefore, we need to learn Go.
- We lose the web UI from version 1, and users need to use kubectl on the command line to interact with secureCodeBox.
- No backward compatibility with version 1 installations, nor an easy upgrade path.