Extend KAS/AgentK to support fetching vulnerabilityreports.aquasecurity.github.io
Why are we doing this work
We want to allow customers to collect vulnerabilities from images in running Kubernetes clusters so they can understand their current security risk not only for images that are scanned as part of a CI pipeline, but also for images that were deployed without using GitLab CI.
You can find more about our motivation to work on this issue here.
This issue is about extending the gitlab-agent (GitLab Kubernetes Agent) project with a new internal module that watches for vulnerabilities in the running cluster and creates new vulnerabilities through the internal API (introduced in #330715 (closed)) based on each report it finds.
Relevant links
Non-functional requirements
- Documentation: Document the new agent configuration options
- Feature flag: -
- Performance: -
- Testing:
  - Test that vulnerabilities found in the running cluster can be retrieved
  - Test that a vulnerability found in the running cluster triggers creation of a new Vulnerability
Implementation plan
Note: take a look at gitlab-org/cluster-integration/gitlab-agent!211 (merged) for inspiration.
- backend: Add the new agent configuration options to agentcfg.proto and use protoc-gen-go to regenerate the protobuf Go files. These are read from config.yml and should allow the same configuration options as the Cluster Image Scanning analyzer:
    cluster_image_scanning:
      namespaces:
        - production
        - staging
      resources:
        - nginx
        - knative
      containers:
        - nginx
        - knative
      kinds:
        - deployment
- documentation: Document the new agent configuration options in repository.md
- backend: Create a new agent module named cluster_image_scanning
- backend: In the module's worker.go, create a new worker which will:
  - Get the VulnerabilityReportList which matches the configured labels and watch it to detect when new vulnerability reports appear
  - From the initial list, create new vulnerabilities from the vulnerability reports
  - Whenever the watch detects new vulnerability reports, create new vulnerabilities from them
  - See cluster image scanning for a reference example (without watching)
- backend: In the module's module.go, load the configuration and create the new workers
- backend: In the module's factory.go, create new instances of the module
- backend: Add the factory to constructModules() in cmd/agentk/agentkapp/app.go
- backend: Use MockGen to generate mocks and write tests for the module's components
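The following Go example is added here to illustrate the worker logic sketched in the plan above (filtering VulnerabilityReport objects by the configured namespaces/resources/containers/kinds, converting a report into vulnerability records, and de-duplicating between the initial list and later watch events). It is not code from the gitlab-agent project. To stay runnable offline it models the Starboard vulnerabilityreports.aquasecurity.github.io resource with a trimmed-down struct instead of client-go types (assumption: the field and label names used, such as starboard.resource.kind, follow Starboard's schema), uses a hypothetical Finding struct in place of the internal API payload, and decodes a constructed sample report with placeholder vulnerability IDs; the event handling mirrors what a client-go watch would deliver ("ADDED", "MODIFIED", "DELETED").

```go
package main

import (
	"encoding/json"
	"strings"
)

// Config mirrors the cluster_image_scanning options proposed for config.yml.
type Config struct {
	Namespaces, Resources, Containers, Kinds []string
}

// VulnerabilityReport is a trimmed model of the Starboard
// vulnerabilityreports.aquasecurity.github.io/v1alpha1 resource; only the
// fields used here are modelled (assumption: names follow Starboard's schema).
type VulnerabilityReport struct {
	Metadata struct {
		Name, Namespace, ResourceVersion string
		Labels                           map[string]string
	}
	Report struct {
		Artifact        struct{ Repository, Tag string }
		Vulnerabilities []struct {
			VulnerabilityID, Resource, InstalledVersion, FixedVersion, Severity string
		}
	}
}

// Finding is the hypothetical payload for the internal vulnerability creation
// API; its shape is an assumption, not the real API contract.
type Finding struct {
	ID, Severity, Image, Package, Installed, Fixed, Namespace, Workload, Container string
}

// contains treats an empty filter list as "no restriction".
func contains(list []string, v string) bool {
	if len(list) == 0 {
		return true
	}
	for _, x := range list {
		if strings.EqualFold(x, v) {
			return true
		}
	}
	return false
}

// Matches applies the namespace/resource/container/kind filters using the
// starboard.* labels Starboard stamps on every report (assumed label names).
func Matches(cfg Config, r VulnerabilityReport) bool {
	l := r.Metadata.Labels
	return contains(cfg.Namespaces, r.Metadata.Namespace) &&
		contains(cfg.Kinds, l["starboard.resource.kind"]) &&
		contains(cfg.Resources, l["starboard.resource.name"]) &&
		contains(cfg.Containers, l["starboard.container.name"])
}

// ToFindings flattens one report into one Finding per listed vulnerability.
func ToFindings(r VulnerabilityReport) []Finding {
	l := r.Metadata.Labels
	var out []Finding
	for _, v := range r.Report.Vulnerabilities {
		out = append(out, Finding{
			ID: v.VulnerabilityID, Severity: v.Severity,
			Image:   r.Report.Artifact.Repository + ":" + r.Report.Artifact.Tag,
			Package: v.Resource, Installed: v.InstalledVersion, Fixed: v.FixedVersion,
			Namespace: r.Metadata.Namespace, Workload: l["starboard.resource.name"],
			Container: l["starboard.container.name"],
		})
	}
	return out
}

// Worker remembers the resourceVersion of each report it has processed, so the
// initial list and later watch events never create the same findings twice.
type Worker struct {
	cfg  Config
	seen map[string]string // "namespace/name" -> last processed resourceVersion
}

func NewWorker(cfg Config) *Worker { return &Worker{cfg: cfg, seen: map[string]string{}} }

// HandleEvent returns the findings to create for one list entry or watch event
// ("ADDED", "MODIFIED" or "DELETED"); nil means nothing to create.
func (w *Worker) HandleEvent(eventType string, r VulnerabilityReport) []Finding {
	key := r.Metadata.Namespace + "/" + r.Metadata.Name
	if eventType == "DELETED" {
		delete(w.seen, key)
		return nil
	}
	if !Matches(w.cfg, r) || w.seen[key] == r.Metadata.ResourceVersion {
		return nil
	}
	w.seen[key] = r.Metadata.ResourceVersion
	return ToFindings(r)
}

// ParseReport decodes one report as the Kubernetes API returns it (encoding/json
// matches struct fields case-insensitively, so no tags are needed).
func ParseReport(data []byte) (VulnerabilityReport, error) {
	var r VulnerabilityReport
	err := json.Unmarshal(data, &r)
	return r, err
}

// Constructed sample: the nginx container of the nginx Deployment in
// "production" with two placeholder vulnerability IDs (not real CVEs).
const SampleReport = `{"metadata": {"name": "deployment-nginx-nginx", "namespace": "production",
  "resourceVersion": "1", "labels": {"starboard.resource.kind": "Deployment",
  "starboard.resource.name": "nginx", "starboard.container.name": "nginx"}},
 "report": {"artifact": {"repository": "library/nginx", "tag": "1.19"}, "vulnerabilities": [
  {"vulnerabilityID": "CVE-EXAMPLE-0001", "resource": "openssl", "installedVersion": "1.1.1d", "fixedVersion": "1.1.1k", "severity": "HIGH"},
  {"vulnerabilityID": "CVE-EXAMPLE-0002", "resource": "zlib", "installedVersion": "1.2.11", "severity": "LOW"}]}}`
```

In a real module the initial list would be fed through HandleEvent as "ADDED" events and the watch channel's events after it; keying the de-duplication on resourceVersion means a rescan that rewrites the report with new content is picked up, while a plain re-list after a watch reconnect creates nothing twice.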