Disable RBAC risk due to performance instability #1609
clickboo
left a comment
This is a customer-facing change, in the sense that risk scoring and risk priority will change for a customer if they upgrade to a release with this PR, right? We should add a changelog and some doc?
I believe this is a purely perf issue with our risk calc algorithm and how we process risk?
Yeah I will add a changelog if we think we want to make this change

Tag for build #538637 is 💻 For deploying this image using the dev scripts, run the following first: export MAIN_IMAGE_TAG='3.70.x-66-g7b06944377'🕹️ A

@connorgorman Are you planning to merge this one or just testing?

Can we release a patch only for the badly affected customers instead of dropping it entirely?

From my perspective this seems like a change we should be making, and one of the bigger reasons it's been hard to justify is that we didn't have a concrete example of a customer being impacted negatively enough by rbac in risk calculations to the point where it should be removed.
ead4422 to 0b5139e
CHANGELOG.md
Outdated
| - Violation tags and process tags are deprecated, and will be removed in version 3.72.0. | ||
|
|
||
| - RBAC calculation is no longer included in Risk by default, since it was not performant. Users who want it included can set | ||
| the "INCLUDE_RBAC_IN_RISK" to "true" in the Central deployment spec. |
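Review bot: the added entry says users "can set the "INCLUDE_RBAC_IN_RISK" to "true"" without saying what INCLUDE_RBAC_IN_RISK is; word it as setting the INCLUDE_RBAC_IN_RISK environment variable to "true" on the Central deployment. Because the entry changes a default, it should also state that risk scores and risk priority will change after upgrade unless the variable is set, so operators who rank or triage deployments by risk are not surprised by the reordering.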
I think by default risk compute should be included, and the env var can be set to false if not required. I believe Kirsten had the same feedback. In her exact words:
"Also, it should not be disabled by default so as not to take away current functionality"
| - ROX-10018: The policy `OpenShift: Kubeadmin Secret Accessed` will no longer trigger if the request was from the default OpenShift `oauth-apiserver-sa` service account, because this is an expected access pattern for the OpenShift apiserver. | ||
| - Violation tags and process tags are deprecated, and will be removed in version 3.72.0. | ||
|
|
||
| - Users who do not want to include the RBAC factor in risk calculation can set |
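Review bot: the last added line, "Users who do not want to include the RBAC factor in risk calculation can set", offers the opt-out but the visible part of the entry gives no reason to take it. Put the motivation next to the setting (the RBAC factor can slow risk processing on clusters with many roles, role bindings and service accounts) and state the default, so a reader can tell whether the option applies to them and what risk scoring loses when it is turned off.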
Do you want it to be documented at all?
Yeah, I think it's fine to.
54b443b to f7460bb
Co-authored-by: Viswajith Venugopal <[email protected]> (cherry picked from commit 12266f6)
Description
12k roles, rolebindings, service accounts
11k deployments
Running for 13 minutes
which is 57 minutes of throttling which explains some of the slowness.
Checklist
If any of these don't apply, please comment below.
Testing Performed
CI should pass