Add internal API (API::Internal::Kubernetes) to create Vulnerabilities found in Running Containers
Why are we doing this work
We want to allow customers to collect vulnerabilities from images in running Kubernetes clusters so they can understand their current security risk, not only for images scanned as part of a CI pipeline, but also for images that were deployed without using GitLab CI.
You can find more about our motivation to work on this issue here.
This issue is about extending the internal GitLab API used by the Kubernetes Agent to create vulnerabilities from the vulnerabilities found in the cluster. We want to expose this new API as `POST internal/kubernetes/modules/starboard_vulnerability`, with a required `vulnerability` argument carrying the parameters needed to create a vulnerability record in the database.
This is needed to support changes introduced in #330716 (closed).
Relevant links
Non-functional requirements
- Documentation: extend the Internal API documentation with information about the new endpoint: doc/development/internal_api.md
- [-] Feature flag: no feature flag is needed as this is something that users will optionally select by including the GitLab CI template
- [-] Performance:
- Testing:
  - Test if you can create a vulnerability from the internal API,
  - Test if vulnerabilities created from the vulnerability API are visible on the Security Dashboard.
Implementation plan
- backend: wait for !61385 to be merged and use this service in the new internal API,
- backend: extend `ee/lib/ee/api/internal/kubernetes.rb` with a new namespace (`modules/starboard_vulnerability`) and add a new POST method that uses the service introduced in !61385 to create the vulnerability in the database with a properly populated `report_type` value (`cluster_image_scanning`).
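To make the shape of the new endpoint concrete, here is an added plain-Ruby sketch of the request handling described above. It is not GitLab's code and not the service from !61385: the parameter names under `vulnerability` (`name`, `severity`, `location`, `identifiers`), the allowed severity values, the `FakeVulnerabilityService` interface and the sample payload are all assumptions. The point it demonstrates is that the endpoint validates the `vulnerability` argument before touching the service and that `report_type` is set server-side to `cluster_image_scanning`, so a caller cannot file a cluster finding under another report type.

```ruby
# Added illustration, not GitLab's code: plain-Ruby sketch of
# POST internal/kubernetes/modules/starboard_vulnerability handling.
# Parameter names, severities and the service interface are assumptions.
require 'json'

# The endpoint always records cluster findings under this report type.
REPORT_TYPE = 'cluster_image_scanning'.freeze
ALLOWED_SEVERITIES = %w[critical high medium low info unknown].freeze

# Stand-in for the vulnerability-creation service (assumed interface):
# it receives validated attributes and returns a record with an id.
class FakeVulnerabilityService
  attr_reader :created

  def initialize
    @created = []
  end

  def execute(attrs)
    record = attrs.merge(id: @created.size + 1)
    @created << record
    record
  end
end

# Validates the `vulnerability` argument and builds the attributes
# handed to the service. Returns [attrs, nil] or [nil, error_message].
class StarboardVulnerabilityParams
  REQUIRED = %w[name severity location identifiers].freeze

  def self.validate(payload)
    vuln = payload['vulnerability']
    return [nil, 'vulnerability is missing'] unless vuln.is_a?(Hash)

    missing = REQUIRED - vuln.keys
    return [nil, "vulnerability is missing #{missing.join(', ')}"] unless missing.empty?

    severity = vuln['severity'].to_s.downcase
    return [nil, 'vulnerability[severity] is invalid'] unless ALLOWED_SEVERITIES.include?(severity)

    location = vuln['location']
    return [nil, 'vulnerability[location][image] is missing'] unless location.is_a?(Hash) && location['image'].is_a?(String)

    identifiers = vuln['identifiers']
    return [nil, 'vulnerability[identifiers] must be a non-empty array'] unless identifiers.is_a?(Array) && !identifiers.empty?

    attrs = {
      name: vuln['name'].to_s,
      severity: severity,
      location: { image: location['image'] },
      identifiers: identifiers,
      # The server decides the report type; any client-supplied value is ignored.
      report_type: REPORT_TYPE
    }
    [attrs, nil]
  end
end

# Emulates the POST handler: returns [http_status, response_body].
def handle_starboard_vulnerability(raw_body, service)
  payload = JSON.parse(raw_body)
  return [400, { 'message' => 'request body must be a JSON object' }] unless payload.is_a?(Hash)

  attrs, error = StarboardVulnerabilityParams.validate(payload)
  return [400, { 'message' => error }] if error

  record = service.execute(attrs)
  [201, { 'id' => record[:id], 'report_type' => record[:report_type] }]
rescue JSON::ParserError
  [400, { 'message' => 'request body is not valid JSON' }]
end

# Constructed sample request (placeholder identifier, not a real finding).
SAMPLE_BODY = JSON.generate(
  'vulnerability' => {
    'name' => 'example finding from starboard',
    'severity' => 'High',
    'location' => { 'image' => 'example.invalid/app:1.0' },
    'identifiers' => [{ 'type' => 'cve', 'name' => 'CVE-0000-0000' }],
    'report_type' => 'sast' # deliberately wrong; must be overridden server-side
  }
)

if $PROGRAM_NAME == __FILE__
  svc = FakeVulnerabilityService.new
  puts handle_starboard_vulnerability(SAMPLE_BODY, svc).inspect
  puts handle_starboard_vulnerability('{}', svc).inspect
end
```

Running the file prints a 201 response for the sample body (with `report_type` forced to `cluster_image_scanning` despite the payload claiming `sast`) and a 400 for an empty object, which is the behaviour the "test if you can create a vulnerability from the internal API" item above should cover.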
Edited by Alan (Maciej) Paruszewski