Is your feature request related to a problem? Please describe.
I am looking for better observability in the image scan vulnerability reports. We currently use https://github.com/kyverno/policy-reporter to provide our users (multi-tenant clusters) with policy reports from https://kyverno.io/. Policy-reporter (and Kyverno) uses the Kubernetes Policy WG APIs as backend. And in the future, we could consider migrating from CIS to the Policy WG CRDs.
But for now, I suggest an opt-in controller mirroring CIS to Policy, which means that for any CIS in the cluster, there should exist a Policy with mapped content of the corresponding CIS. We should use https://github.com/fjogeleit/trivy-operator-polr-adapter as inspiration - which is an adapter providing trivy-operator resources as WG policies.
Describe the solution you'd like
One challenge will be a type-safe Go API for Policy. We can always use Unstructured, but I would prefer type-safety here. Maybe it's possible to use Go workspaces to avoid dependency-hell? I also think we should use SSA for policies to avoid caching another set of large resources.
Describe alternatives you've considered
Additional context
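As an added illustration of the mapping the request describes (not code from this project, the polr-adapter, or the issue author), the following Go snippet builds the unstructured content of a wgpolicyk8s.io/v1alpha2 PolicyReport from one scan object and emits the JSON body a server-side apply patch would carry. The CIS schema is not shown in the issue, so scanSubject and scanFinding are constructed stand-ins; the "image-vulnerability" policy name, the "cis-mirror" source and field-manager label, and the severity threshold that decides fail versus warn are assumptions, not anything the issue specifies. The PolicyReport field names (summary, results with policy/rule/severity/result/message/properties) follow the Policy WG v1alpha2 API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// scanFinding is a constructed stand-in for one vulnerability in a scan status.
type scanFinding struct {
	ID       string // vulnerability identifier (constructed sample values in main)
	Package  string
	Version  string
	Fixed    string // empty when no fix is available
	Severity string // scanner-style: CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN
}

// scanSubject is a constructed stand-in for the scan object being mirrored.
// Name is reused for the PolicyReport so the mapping stays one-to-one.
type scanSubject struct {
	Namespace string
	Name      string
	Image     string
	Findings  []scanFinding
}

// severityRank orders the Policy WG v1alpha2 severity enum.
var severityRank = map[string]int{"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

// mapSeverity normalises scanner severities onto the PolicyReport enum;
// UNKNOWN and anything unexpected collapse to "info".
func mapSeverity(s string) string {
	s = strings.ToLower(s)
	if _, ok := severityRank[s]; ok {
		return s
	}
	return "info"
}

func fixedOr(fixed string) string {
	if fixed == "" {
		return "no fix available"
	}
	return fixed
}

// buildPolicyReport returns the map one would wrap in unstructured.Unstructured{Object: ...}.
// Findings at or above failAtOrAbove become "fail" results, the rest "warn" (assumed policy).
func buildPolicyReport(sub scanSubject, failAtOrAbove string) map[string]interface{} {
	summary := map[string]interface{}{"pass": 0, "fail": 0, "warn": 0, "error": 0, "skip": 0}
	results := make([]interface{}, 0, len(sub.Findings))
	threshold := severityRank[mapSeverity(failAtOrAbove)]

	for _, f := range sub.Findings {
		sev := mapSeverity(f.Severity)
		result := "warn"
		if severityRank[sev] >= threshold {
			result = "fail"
		}
		summary[result] = summary[result].(int) + 1
		results = append(results, map[string]interface{}{
			"policy":   "image-vulnerability", // assumed policy name
			"rule":     f.ID,
			"category": "Vulnerability Scan",
			"severity": sev,
			"result":   result,
			"source":   "cis-mirror", // assumed source label
			"message":  fmt.Sprintf("%s in %s@%s (%s)", f.ID, f.Package, f.Version, fixedOr(f.Fixed)),
			"properties": map[string]interface{}{
				"image": sub.Image, "package": f.Package, "version": f.Version, "fixed": f.Fixed,
			},
		})
	}
	if len(sub.Findings) == 0 {
		// A clean image still gets a report so consumers see an explicit pass.
		summary["pass"] = 1
		results = append(results, map[string]interface{}{
			"policy": "image-vulnerability", "rule": "no-findings", "result": "pass",
			"severity": "info", "message": "no vulnerabilities reported for " + sub.Image,
		})
	}
	return map[string]interface{}{
		"apiVersion": "wgpolicyk8s.io/v1alpha2",
		"kind":       "PolicyReport",
		"metadata": map[string]interface{}{
			"name":      sub.Name,
			"namespace": sub.Namespace,
			"labels":    map[string]interface{}{"app.kubernetes.io/managed-by": "cis-mirror"},
		},
		"summary": summary,
		"results": results,
	}
}

// applyPatchBody serialises the report as the body of a server-side apply patch.
func applyPatchBody(report map[string]interface{}) ([]byte, error) {
	return json.Marshal(report)
}

func main() {
	// Constructed sample input: one scan of one image with three findings.
	sub := scanSubject{
		Namespace: "team-a", Name: "web-frontend-abc123", Image: "registry.example/web:1.2.3",
		Findings: []scanFinding{
			{ID: "CVE-0000-0001", Package: "openssl", Version: "1.1.1", Fixed: "1.1.1w", Severity: "CRITICAL"},
			{ID: "CVE-0000-0002", Package: "zlib", Version: "1.2.11", Fixed: "", Severity: "MEDIUM"},
			{ID: "CVE-0000-0003", Package: "bash", Version: "5.0", Fixed: "5.1", Severity: "UNKNOWN"},
		},
	}
	body, _ := applyPatchBody(buildPolicyReport(sub, "high"))
	fmt.Println(string(body))
}
```

Because the whole object is regenerated from the scan each reconcile, the body above is suited to server-side apply: with the dynamic client it goes to `Patch(ctx, name, types.ApplyPatchType, body, metav1.PatchOptions{FieldManager: "cis-mirror", Force: &force})`, which lets the API server own the merge and removes the need for the controller to cache PolicyReport objects, which is the point the request makes about SSA.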