Spike: Investigate possible improvements to Cluster Image Scanning feature
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
Time-box: 2 days
Why are we doing this work
During the review of the CI template for the Cluster Image Scanning analyzer, @hfyngvason had great ideas and comments about possible improvements in that area. This issue is about exploring those options and providing improvements to the feature itself. As an outcome of this spike we should get a list of implementation issues, refined and described, covering the improvements we are planning to implement.
- Consider adding Cluster Image Scanning to Auto DevOps.
We want to evaluate whether it makes sense to add this feature to Auto DevOps, especially since we already have KUBECONFIG defined there and can easily integrate it. Outcome action: If technically feasible, create an implementation issue.
- Consider automatically creating a service account and obtaining a token for https://gitlab.com/gitlab-org/security-products/analyzers/cluster-image-scanning/-/blob/main/gitlab-vulnerability-viewer-service-account.yaml when the user has configured a Kubernetes cluster for the given project.
This came as a result of the discussion about the designs.
Outcome action: If technically feasible, and reasonably expected to be possible based on the permissions given to the agent, create an implementation issue.
- Investigate how this feature works with a "GitLab-managed cluster" (i.e. one with a service account and namespace per environment).
Based on the cluster role and cluster role binding, the service account would need access to specific resources. But if the resources are not in the service account's namespace, then the service account will likely not have access. (On the other hand, in a Cluster Management Project, or when using a non-managed cluster, it would have cluster admin by default.)
Outcome actions: Test how the analyzer currently behaves with this integration and determine whether it:
  - Works fine with the current implementation
  - Has permission issues which would merit merging gitlab-org/security-products/analyzers/cluster-image-scanning!6 (closed)
  - Has permission issues that should be fixed with a different method
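To make the RBAC scoping concern in the GitLab-managed cluster item concrete, here is an added Python model (not the analyzer's code; the role rules, binding objects and service account names are constructed samples, not the contents of the real gitlab-vulnerability-viewer-service-account.yaml). It shows why the same ClusterRole reaches only one namespace when bound through a per-environment RoleBinding, but every namespace when bound through a ClusterRoleBinding.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# A rule is (apiGroups, resources, verbs), mirroring the fields of a PolicyRule.
Rule = Tuple[Set[str], Set[str], Set[str]]

# Read-only ClusterRole for the analyzer (constructed sample, not the real manifest).
CLUSTER_ROLES: Dict[str, List[Rule]] = {
    "gitlab-vulnerability-viewer": [
        ({""}, {"pods"}, {"get", "list"}),
        ({"apps"}, {"deployments", "replicasets"}, {"get", "list"}),
    ]
}

@dataclass(frozen=True)
class Binding:
    role: str                 # name of the ClusterRole being referenced
    subject: str              # "system:serviceaccount:<namespace>:<name>"
    namespace: Optional[str]  # None = ClusterRoleBinding; str = RoleBinding in that namespace

def _matches(rule: Rule, api_group: str, resource: str, verb: str) -> bool:
    groups, resources, verbs = rule
    return (("*" in groups or api_group in groups)
            and ("*" in resources or resource in resources)
            and ("*" in verbs or verb in verbs))

def can_i(bindings: List[Binding], subject: str, verb: str, resource: str,
          api_group: str, namespace: str) -> bool:
    """Answer 'can <subject> <verb> <resource> in <namespace>?' the way the API server
    does: a RoleBinding confines the referenced ClusterRole to the binding's own
    namespace, while a ClusterRoleBinding applies in every namespace."""
    for b in bindings:
        if b.subject != subject:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue  # namespaced binding does not reach other namespaces
        if any(_matches(r, api_group, resource, verb) for r in CLUSTER_ROLES.get(b.role, [])):
            return True
    return False

def namespaces_listable(bindings: List[Binding], subject: str, namespaces: List[str]) -> List[str]:
    """Namespaces in which the subject may list pods, i.e. what the analyzer could scan."""
    return [ns for ns in namespaces if can_i(bindings, subject, "list", "pods", "", ns)]

# GitLab-managed cluster: per-environment service account, bound only in its own namespace (constructed).
SA = "system:serviceaccount:myapp-production:myapp-production-service-account"
MANAGED = [Binding("gitlab-vulnerability-viewer", SA, "myapp-production")]
# Cluster-wide alternative: the same role bound through a ClusterRoleBinding (constructed).
CLUSTER_WIDE = [Binding("gitlab-vulnerability-viewer", SA, None)]
```

Running `namespaces_listable` against both binding sets shows the managed layout only exposes the environment's own namespace, which is the case the test in the outcome actions above needs to cover.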