
Add a service account and permissions for the OCS scanning pod

Nick Ilieskou requested to merge 434302_ocs_configmaps into main

What does this MR add?

Adds an ocs folder in the templates directory with the following files:

  • serviceaccount.yaml: Adds a service account for the scanning pod
  • role.yaml: Gives permissions to create configmaps on the gitlab-agent namespace
  • rolebinding.yaml: Binds the role to the scanning pod service account.
  • clusterrole.yaml: Provides cluster-wide permissions. Mainly list capabilities for various resources.
  • clusterrolebinding.yaml: Binds the OCS cluster role to the scanning pod service account

We also add a new configuration config.operational_container_scanning.enabled: true in values.yaml. The default value is true so that we always create the service account with the specific permissions for the scanning pod.

Why are we doing this change?

Operational Container Scanning in the gitlab-agent deploys a scanning pod to run a Trivy scan. We should be running the scanning pod with a dedicated service account that has only the permissions that are needed.

Permissions

The scanning pod service account needs to:

  • List resources in order to scan them. The scanning pod needs to scan resources in any namespace. For that purpose we need a ClusterRole and a ClusterRoleBinding.
  • Get a namespace. This is used by the trivy-k8s-wrapper image in order to verify that the gitlab-agent namespace passed as an argument exists.
  • Create configmaps. The scanning pod stores the result in chained configmaps, which are then read by the gitlab-agent. For that purpose it needs to be able to create configmaps in the namespace of the gitlab-agent, which is the same as the namespace running the scanning pod. For that purpose we need a Role and a RoleBinding.
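As an added example (not the MR's own Helm templates), plain manifests that grant exactly the permissions listed above and nothing else: the object names ocs-scanning-pod and ocs-scanning-pod-configmaps are assumed, while the service account ocs-scanning-pod-sa and the gitlab-agent namespace are taken from the test output below. The ClusterRoleBinding is left out for brevity; it has the same shape as the RoleBinding with kind: ClusterRole in roleRef and no namespace in metadata.

```yaml
# Constructed example, not the project's templates. Cluster scope: only the
# "list" verb on the workload kinds to be scanned, plus "get" on namespaces.
# No secrets, no write verbs, no "*" wildcards at cluster scope.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ocs-scanning-pod          # assumed name
rules:
  - apiGroups: [""]
    resources: ["pods", "replicationcontrollers"]
    verbs: ["list"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "statefulsets"]
    verbs: ["list"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["list"]
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get"]                # existence check of the agent namespace
---
# Namespace scope: the write permission (create configmaps) is granted only
# in the agent's own namespace, so a compromised scanning pod cannot write
# configmaps anywhere else in the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ocs-scanning-pod-configmaps   # assumed name
  namespace: gitlab-agent
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ocs-scanning-pod-configmaps   # assumed name
  namespace: gitlab-agent
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ocs-scanning-pod-configmaps
subjects:
  - kind: ServiceAccount
    name: ocs-scanning-pod-sa
    namespace: gitlab-agent
```

After applying, the negative checks are as informative as the positive ones in the Tests section: `kubectl auth can-i create configmaps -n default --as=system:serviceaccount:gitlab-agent:ocs-scanning-pod-sa` and `kubectl auth can-i list secrets --as=...` should both answer no.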

Related

Tests

k auth can-i list replicasets --as=system:serviceaccount:gitlab-agent:ocs-scanning-pod-sa
yes
k auth can-i list deployments --as=system:serviceaccount:gitlab-agent:ocs-scanning-pod-sa
yes
k auth can-i list statefulsets --as=system:serviceaccount:gitlab-agent:ocs-scanning-pod-sa
yes
k auth can-i list deployments --as=system:serviceaccount:gitlab-agent:ocs-scanning-pod-sa
yes
k auth can-i get namespaces --as=system:serviceaccount:gitlab-agent:ocs-scanning-pod-sa
Warning: resource 'namespaces' is not namespace scoped

yes
k auth can-i create configmaps -n gitlab-agent --as=system:serviceaccount:gitlab-agent:ocs-scanning-pod-sa
yes
k auth can-i list pods --as=system:serviceaccount:gitlab-agent:ocs-scanning-pod-sa
yes
k auth can-i list replicationcontrollers --as=system:serviceaccount:gitlab-agent:ocs-scanning-pod-sa
yes
k auth can-i list cronjobs --as=system:serviceaccount:gitlab-agent:ocs-scanning-pod-sa
yes
k auth can-i list jobs --as=system:serviceaccount:gitlab-agent:ocs-scanning-pod-sa 
yes
Edited by Hordur Freyr Yngvason
