Add a service account and permissions for the OCS scanning pod
What does this MR add?
Adds an `ocs` folder in the templates directory with the following files:

- `serviceaccount.yaml`: Adds a service account for the scanning pod
- `role.yaml`: Gives permissions to create configmaps in the gitlab-agent namespace
- `rolebinding.yaml`: Binds the role to the scanning pod service account
- `clusterrole.yaml`: Provides cluster-wide permissions, mainly `list` capabilities for various resources
- `clusterrolebinding.yaml`: Binds the OCS cluster role to the scanning pod service account
We also add a new configuration `config.operational_container_scanning.enabled: true` in `values.yaml`. The default value is `true` so that we always create the service account with the specific permissions for the scanning pod.
Why are we doing this change?
Operational Container Scanning in the gitlab-agent deploys a scanning pod to run a Trivy scan. We should be running the scanning pod with a dedicated service-account that has only the permissions that are needed.
Permissions
The scanning pod service account needs to:
- List resources in order to scan them. The scanning pod needs to scan resources in any namespace. For that purpose we need a `ClusterRole` and a `ClusterRoleBinding`.
- Get a `namespace`. This is used by the trivy-k8s-wrapper image in order to verify that the gitlab-agent namespace passed as an argument exists.
- Create `configmaps`. The scanning pod stores the result in chained `configmaps`, which are then read by the gitlab-agent. For that purpose it needs to be able to create `configmaps` in the namespace of the gitlab-agent, which is the same as the namespace running the scanning pod. For that purpose we need a `Role` and a `RoleBinding`.
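The five objects described above, written out as an added example rather than the MR's own template files (the chart renders these as Helm templates gated on `config.operational_container_scanning.enabled`). The service account name and the `gitlab-agent` namespace match the tests below; the Role, ClusterRole and binding names are assumed, and the namespace is hard-coded instead of templated so the manifests can be applied as-is.

```yaml
# Constructed example; names other than ocs-scanning-pod-sa and the
# gitlab-agent namespace are assumed, not taken from the chart.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ocs-scanning-pod-sa
  namespace: gitlab-agent
---
# Namespace-scoped: the pod may only create configmaps in gitlab-agent
# (where it writes the chained result configmaps), nothing else there.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ocs-scanning-pod-role
  namespace: gitlab-agent
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ocs-scanning-pod-rolebinding
  namespace: gitlab-agent
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: ocs-scanning-pod-role}
subjects:
  - {kind: ServiceAccount, name: ocs-scanning-pod-sa, namespace: gitlab-agent}
---
# Cluster-wide: list the workload kinds that get scanned (any namespace)
# and get namespaces so the wrapper can verify the agent namespace exists.
# Read-only: no write verbs, and nothing on secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ocs-scanning-pod-clusterrole
rules:
  - {apiGroups: [""], resources: ["pods", "replicationcontrollers"], verbs: ["list"]}
  - {apiGroups: ["apps"], resources: ["deployments", "replicasets", "statefulsets"], verbs: ["list"]}
  - {apiGroups: ["batch"], resources: ["jobs", "cronjobs"], verbs: ["list"]}
  - {apiGroups: [""], resources: ["namespaces"], verbs: ["get"]}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ocs-scanning-pod-clusterrolebinding
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: ocs-scanning-pod-clusterrole}
subjects:
  - {kind: ServiceAccount, name: ocs-scanning-pod-sa, namespace: gitlab-agent}
```

After applying, the `kubectl auth can-i` checks in the Tests section should all answer `yes`, while `create configmaps` in any other namespace or any verb on `secrets` should answer `no`.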
Related
- Issue: Add required permissions to the Scanning Pod fo... (gitlab-org/gitlab#434302 - closed)
- Backend MR: gitlab-org/cluster-integration/gitlab-agent!1214 (merged)
Tests
```
k auth can-i list replicasets --as=system:serviceaccount:gitlab-agent:ocs-scanning-pod-sa
yes
k auth can-i list deployments --as=system:serviceaccount:gitlab-agent:ocs-scanning-pod-sa
yes
k auth can-i list statefulsets --as=system:serviceaccount:gitlab-agent:ocs-scanning-pod-sa
yes
k auth can-i list deployments --as=system:serviceaccount:gitlab-agent:ocs-scanning-pod-sa
yes
k auth can-i get namespaces --as=system:serviceaccount:gitlab-agent:ocs-scanning-pod-sa
Warning: resource 'namespaces' is not namespace scoped
yes
k auth can-i create configmaps -n gitlab-agent --as=system:serviceaccount:gitlab-agent:ocs-scanning-pod-sa
yes
k auth can-i list pods --as=system:serviceaccount:gitlab-agent:ocs-scanning-pod-sa
yes
k auth can-i list replicationcontrollers --as=system:serviceaccount:gitlab-agent:ocs-scanning-pod-sa
yes
k auth can-i list cronjobs --as=system:serviceaccount:gitlab-agent:ocs-scanning-pod-sa
yes
k auth can-i list jobs --as=system:serviceaccount:gitlab-agent:ocs-scanning-pod-sa
yes
```
Edited by Hordur Freyr Yngvason