Implement new analyzer to fetch vulnerabilities from running containers
Why are we doing this work
We want to allow customers to collect vulnerabilities from images in running Kubernetes clusters so they can understand their current security risk not only for images scanned as part of a CI pipeline, but also for images that were deployed without using GitLab CI.
You can find more about our motivation to work on this issue here.
This issue is about creating a new analyzer (https://gitlab.com/gitlab-org/security-products/analyzers/cluster-image-scanning) in the https://gitlab.com/gitlab-org/security-products/analyzers/ group to fetch vulnerabilities from a running cluster. You can see a Proof of Concept of this analyzer here: https://gitlab.com/mparuszewski/live-container-scanning.
In the current iteration the analyzer will connect to the cluster with `kubectl` (using the `KUBECONFIG` environment variable) and will be able to get all vulnerabilities for selected namespaces and resource names. I.e. you should be able to configure the analyzer to fetch vulnerabilities in namespaces matching the `production-*` wildcard and with resource names matching the `nginx-*` wildcard (vulnerabilities for all ReplicaSets whose name starts with the `nginx-` prefix in namespaces whose name starts with the `production-` prefix). After vulnerability reports are fetched from the Kubernetes cluster, the analyzer has to parse and convert the found vulnerabilities to the format supported by GitLab (see https://gitlab.com/gitlab-org/security-products/security-report-schemas).
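As an added example (not code from the analyzer or the PoC linked above), this is the namespace/resource-name selection described above written in Go over a constructed list of workloads; the `Workload` type and the `SelectWorkloads` and `ImagesToScan` names are assumptions, and listing the cluster via `kubectl`/`KUBECONFIG` is left out.

```go
package main

import (
	"fmt"
	"path"
	"sort"
)

// Workload is a running Kubernetes resource (e.g. a ReplicaSet) found in the
// cluster; the type and all sample data are constructed for this example.
type Workload struct {
	Namespace, Name, Image string
}

// SelectWorkloads keeps only workloads whose namespace and resource name both
// match the configured wildcards, e.g. "production-*" and "nginx-*". path.Match
// gives shell-style '*' semantics; a malformed pattern is an error rather than
// a silent empty selection.
func SelectWorkloads(all []Workload, nsPattern, namePattern string) ([]Workload, error) {
	var out []Workload
	for _, w := range all {
		nsOK, err := path.Match(nsPattern, w.Namespace)
		if err != nil {
			return nil, fmt.Errorf("bad namespace pattern %q: %w", nsPattern, err)
		}
		nameOK, err := path.Match(namePattern, w.Name)
		if err != nil {
			return nil, fmt.Errorf("bad resource name pattern %q: %w", namePattern, err)
		}
		if nsOK && nameOK {
			out = append(out, w)
		}
	}
	return out, nil
}

// ImagesToScan returns the distinct images behind the selected workloads, sorted,
// so each image's vulnerabilities are fetched once even if several ReplicaSets run it.
func ImagesToScan(selected []Workload) []string {
	seen := map[string]bool{}
	var images []string
	for _, w := range selected {
		if !seen[w.Image] {
			seen[w.Image] = true
			images = append(images, w.Image)
		}
	}
	sort.Strings(images)
	return images
}
```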
The value for the `KUBECONFIG` variable will be provided by GitLab CI as a predefined variable when the project is connected to a Kubernetes cluster, or as a variable provided manually by the user in Project -> Settings -> CI Variables.
There is no preference about the technology used in this analyzer (either Go or Ruby will work for us); however, since we want to extend `kas` in #330716 (closed), which is written in Go, we would ideally go with Go so that this logic can be reused later in the Kubernetes Agent.
Relevant links
Non-functional requirements
- [-] Documentation: should be added to document usage of the new analyzer
- [-] Feature flag: no feature flag is needed, as this is something that users will optionally select by including the GitLab CI template
- [-] Performance:
- [-] Testing: test that you can fetch vulnerabilities from a Kubernetes cluster and prepare a JSON report with them in GitLab format
Implementation plan
- backend: create a new project in https://gitlab.com/gitlab-org/security-products/analyzers and prepare an analyzer that will fetch vulnerabilities from a Kubernetes cluster using the credentials provided in the `KUBECONFIG` environment variable
- documentation: add a README and documentation to document usage of the new analyzer