Support custom ocs trivy k8s wrapper image
What does this do
This MR addresses Extend Gitlab Agent with trivy-k8s-wrapper opti... (gitlab-org/gitlab#472228 - closed)
It introduces a new trivy_k8s_wrapper_image field in the agent configuration for Operational Container Scanning (OCS).
This allows users to specify the Trivy K8s wrapper image. We intend to use it to implement integration tests for OCS, and it gives customers an option to specify an alternate repository if they are unable to pull from the default one.
The new agent configuration format is as follows:
container_scanning:
  trivy_k8s_wrapper_image:
    repository: "registry.gitlab.com/gitlab-org/security-products/analyzers/trivy-k8s-wrapper"
    tag: "0.3.3"
Only the repository field will be communicated to users as configurable.
As discussed in this thread, the tag field will be used internally to specify the version for integration testing.
Each GitLab Agent version depends on a specific Trivy K8s Wrapper version, so users should not configure the tag; doing so could cause unexpected errors. Instead, the tag defaults to the Trivy K8s Wrapper image version pinned in the respective GitLab Agent version.
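As an added illustration of that policy (this is not code from this MR or from the agent; the type and function names are assumptions), the snippet below resolves the image reference the way the description implies: the repository may come from the user config, the tag defaults to the version pinned by the agent release, a user-set tag is accepted only with a warning, and a repository that smuggles in its own tag or digest is rejected:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// TrivyK8sWrapperImage mirrors the container_scanning.trivy_k8s_wrapper_image block.
// The struct and function names here are assumptions, not the agent's real config types.
type TrivyK8sWrapperImage struct {
	Repository string `yaml:"repository"`
	Tag        string `yaml:"tag"`
}

// A repository is a bare image path (optional host:port, then path segments):
// no scheme, no embedded ":tag" and no "@digest", so the agent keeps control of the tag.
var repoRe = regexp.MustCompile(`^[a-z0-9.-]+(:[0-9]+)?(/[a-z0-9._-]+)+$`)

// Image tag grammar: up to 128 chars of [A-Za-z0-9_.-], not starting with '.' or '-'.
var tagRe = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$`)

// ResolveImage returns the image reference OCS should pull. The repository comes from
// the user config (falling back to defaultRepo); the tag is the one pinned by the agent
// release unless the config sets it, in which case a warning is returned alongside.
func ResolveImage(cfg *TrivyK8sWrapperImage, defaultRepo, agentPinnedTag string) (ref, warning string, err error) {
	repo, tag := defaultRepo, agentPinnedTag
	if cfg != nil && strings.TrimSpace(cfg.Repository) != "" {
		repo = strings.TrimSpace(cfg.Repository)
	}
	if cfg != nil && cfg.Tag != "" {
		tag = cfg.Tag
		warning = fmt.Sprintf("trivy_k8s_wrapper_image.tag %q overrides the agent-pinned %q; only repository is meant to be user-configurable", cfg.Tag, agentPinnedTag)
	}
	if !repoRe.MatchString(repo) {
		return "", "", fmt.Errorf("repository %q is not a bare image path (no scheme, tag or digest allowed)", repo)
	}
	if !tagRe.MatchString(tag) {
		return "", "", fmt.Errorf("tag %q is not a valid image tag", tag)
	}
	return repo + ":" + tag, warning, nil
}

func main() {
	// Constructed sample matching the default block in the MR description.
	ref, warn, err := ResolveImage(nil,
		"registry.gitlab.com/gitlab-org/security-products/analyzers/trivy-k8s-wrapper", "0.3.3")
	fmt.Println(ref, warn, err)
}
```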
Please see the corresponding doc update MR.
Related Issues
Improve Reliability for Operational Container S... (gitlab-org&14447)
Extend Gitlab Agent with trivy-k8s-wrapper opti... (gitlab-org/gitlab#472228 - closed)
MR that updates renovatebot Update trivy k8s wrapper field (gitlab-org/frontend/renovate-gitlab-bot!934 - merged)
Verification steps
Since this change modifies the agent configuration, we can only test locally with GDK, as we need to start KAS with these updates.
- Create a project in GDK with the following agent config:

  container_scanning:
    cadence: '03 * * * *'
    vulnerability_report:
      namespaces:
        - kube-system
    trivy_k8s_wrapper_image:
      repository: "registry.gitlab.com/gitlab-org/security-products/analyzers/trivy-k8s-wrapper/smtan-test-custom-trivy-k8s-wrapper"
      tag: "current-amd64"

  I built a custom trivy k8s image based on tag 0.3.3 to aid with testing.
- Verify that the OCS scan succeeds.