Operational Container scanning doesn't run when enabled via group-level scan execution policy
Summary
When operational container scanning is enabled via a group-level scan execution policy, the scan never starts. However, when the scan execution policy is not inherited from the group but defined in the project's own configuration, the scan runs.
Steps to reproduce
- Create a project and install a GitLab agent for Kubernetes. Make sure the agent is connected.
- Open the group that the project belongs to. Go to Security and Compliance > Policies and click the New Policy button.
- Enter the policy as YAML or use the policy editor. The policy.yml I have is below. Once you are done, configure with a new merge request and merge to the master branch.
```yaml
name: container scanning from group level
description: ''
enabled: true
actions:
  - scan: container_scanning
rules:
  - type: schedule
    cadence: 41 19 * * *
    agents:
      dalecooper:
        namespaces:
          - gl-dev
```
- In the project created in Step 1, check that the group-level policy shows in Security and Compliance > Policies as inherited.
- Wait until the time configured in `cadence`. However, the scan never runs, and there is nothing in the agent logs.
- Go to Infrastructure > Kubernetes clusters. Click on the agent name and then click the Security tab. There are no results.
- In the project, go to Security and Compliance > Policies. Click on New Policy.
- Enter the policy as YAML or use the policy editor. Make sure to use a different `cadence` to distinguish it from the group-level policy. Once you are done, configure with a new merge request and merge to the master branch. My project-level policy YAML is:
```yaml
name: Container scanning for my agent
description: ''
enabled: true
actions:
  - scan: container_scanning
rules:
  - type: schedule
    cadence: 27 20 * * *
    agents:
      dalecooper:
        namespaces:
          - gitlab-supermunn
```
- Wait until the time configured in `cadence`. You will see the cluster vulnerabilities on the agent's Security tab.
Example Project
https://gitlab.com/gitlab-gold/emunn-test/kas/agentmgr/-/security/policies
What is the current bug behavior?
Operational scanning does not work for policies defined in the group level.
What is the expected correct behavior?
The group-level (inherited) policy should run, and the results should be available on the agent's page in the Security tab.
Output of checks
This bug happens on GitLab.com
Possible fixes
As a workaround, create the scan execution policy at the project level instead of the group level.
Implementation Plan
- backend: Update `Security::SecurityOrchestrationPolicies::OperationalVulnerabilitiesConfigurationService` to pass the `relationship: :inherited` parameter to the policies finder, so that policies defined on the project's group are included.
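To make the `relationship:` distinction concrete, the following is a constructed, self-contained Ruby model written for this issue; it is not GitLab's `ScanExecutionPoliciesFinder` or `OperationalVulnerabilitiesConfigurationService`. It parses the policy YAML shape used above, walks a toy group/project hierarchy, and shows why a `:direct` lookup returns only the project-level policy while `:inherited` also returns the group-level one. The `Policy`, `Group` and `Project` structs, the `sample-group`/`sample-project` names and the extra disabled and other-agent policies are assumptions made for the example; the agent and namespace names are the ones from the reproduction steps.

```ruby
require 'yaml'

# Constructed model of scan execution policies and the group/project hierarchy.
# Illustrative code written for this issue, not GitLab's own classes.
Policy  = Struct.new(:name, :enabled, :scan_types, :agents, :cadence, keyword_init: true)
Group   = Struct.new(:name, :parent, :policies, keyword_init: true)
Project = Struct.new(:name, :group, :policies, keyword_init: true)

# Parse one scan execution policy document (the YAML shape used in this issue)
# into a Policy. Only the first schedule rule is kept, which is enough here.
def parse_policy(yaml_text)
  doc = YAML.safe_load(yaml_text)
  schedule = doc.fetch('rules', []).find { |rule| rule['type'] == 'schedule' } || {}
  Policy.new(
    name: doc['name'],
    enabled: doc.fetch('enabled', false),
    scan_types: doc.fetch('actions', []).map { |action| action['scan'].to_sym },
    agents: schedule.fetch('agents', {}),
    cadence: schedule['cadence']
  )
end

# relationship: :direct looks only at the project's own policies;
# :inherited also walks every ancestor group, which is what the fix enables.
def policies_for(project, relationship:)
  found = project.policies.dup
  if relationship == :inherited
    group = project.group
    while group
      found.concat(group.policies)
      group = group.parent
    end
  end
  found
end

# Keep only enabled policies that run one of the operational scan types and
# whose schedule rule names the given agent.
def operational_policies(agent_name, project, relationship:,
                         action_scan_types: %i[container_scanning cluster_image_scanning])
  policies_for(project, relationship: relationship).select do |policy|
    policy.enabled &&
      (policy.scan_types & action_scan_types).any? &&
      policy.agents.key?(agent_name)
  end
end

# The shape the agent consumes: one configuration per matching policy.
def configurations(agent_name, project, relationship:)
  operational_policies(agent_name, project, relationship: relationship).map do |policy|
    { 'cadence' => policy.cadence,
      'namespaces' => policy.agents.dig(agent_name, 'namespaces') }
  end
end

GROUP_POLICY_YAML = <<~YAML
  name: container scanning from group level
  enabled: true
  actions:
    - scan: container_scanning
  rules:
    - type: schedule
      cadence: 41 19 * * *
      agents:
        dalecooper:
          namespaces:
            - gl-dev
YAML

# Constructed variants: a disabled group policy and one for another agent,
# to show that the filtering drops them.
DISABLED_POLICY_YAML = GROUP_POLICY_YAML.sub('enabled: true', 'enabled: false')
OTHER_AGENT_POLICY_YAML = GROUP_POLICY_YAML.sub('dalecooper', 'other-agent')

PROJECT_POLICY_YAML = <<~YAML
  name: Container scanning for my agent
  enabled: true
  actions:
    - scan: container_scanning
  rules:
    - type: schedule
      cadence: 27 20 * * *
      agents:
        dalecooper:
          namespaces:
            - gitlab-supermunn
YAML

# Sample hierarchy mirroring the issue: the group holds the inherited policy,
# the project holds its own.
def sample_project
  group_policies = [GROUP_POLICY_YAML, DISABLED_POLICY_YAML, OTHER_AGENT_POLICY_YAML].map { |y| parse_policy(y) }
  group = Group.new(name: 'sample-group', parent: nil, policies: group_policies)
  Project.new(name: 'sample-project', group: group, policies: [parse_policy(PROJECT_POLICY_YAML)])
end

if __FILE__ == $PROGRAM_NAME
  project = sample_project
  p configurations('dalecooper', project, relationship: :direct)    # only the project policy
  p configurations('dalecooper', project, relationship: :inherited) # project and group policy
end
```

Run with `ruby` to see the two lookups side by side: the `:direct` call returns only the `27 20 * * *` configuration, which matches the workaround in this issue, while `:inherited` also yields the group's `41 19 * * *` one, with the disabled and other-agent group policies filtered out.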
diff --git a/ee/app/services/security/security_orchestration_policies/operational_vulnerabilities_configuration_service.rb b/ee/app/services/security/security_orchestration_policies/operational_vulnerabilities_configuration_service.rb
index a3bcb7396a5b..c265e6625ae2 100644
--- a/ee/app/services/security/security_orchestration_policies/operational_vulnerabilities_configuration_service.rb
+++ b/ee/app/services/security/security_orchestration_policies/operational_vulnerabilities_configuration_service.rb
@@ -42,9 +42,10 @@ def rule_applicable_for_agent?(rule)
def policies
strong_memoize(:policies) do
- ::Security::ScanExecutionPoliciesFinder
- .new(agent, project, action_scan_types: %i[container_scanning cluster_image_scanning])
- .execute
+ ::Security::ScanExecutionPoliciesFinder.new(agent, project,
+ relationship: :inherited,
+ action_scan_types: %i[container_scanning cluster_image_scanning]
+ ).execute
end
end
end
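Review bot: no spec accompanies this change to `policies`; add a service spec that defines a policy on the project's group (schedule rule naming the agent, `container_scanning` action) and asserts it is returned with `relationship: :inherited`, plus a negative case for a disabled or non-matching group policy, so the regression this issue describes cannot come back silently. It is also worth confirming that `relationship: :inherited` in `ScanExecutionPoliciesFinder` walks all ancestor groups rather than only the project's direct parent, since the verification steps below exercise a single-level group only.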
Verification Steps (Staging)
- Create a new group with a project in it.
- On the group page, open Security and Compliance -> Policies.
- Select New policy.
- Select Scan execution policy.
- Switch to YAML mode.
- Paste the security policy:

```yaml
type: scan_execution_policy
name: test
description: ''
enabled: true
rules:
  - type: schedule
    agents:
      test-agent:
        namespaces:
          - test
    cadence: 0 0 * * *
actions:
  - scan: container_scanning
    tags: []
```
- Select Configure with a merge request.
- Merge the MR.
- Go back to the project.
- Select Infrastructure on the left sidebar.
- Select Connect a cluster (agent).
- Type `test-agent`.
- Select Create agent: test-agent.
- Select Register.
- Copy the Agent access token.
- Open a rails console.
- Create a new KAS JWT using the rails console:

```ruby
JWT.encode({ 'iss' => Gitlab::Kas::JWT_ISSUER }, Gitlab::Kas.secret, 'HS256')
```

- Send the API request (replace `$KAS_JWT` and `$AGENT_TOKEN`):

```shell
curl --include \
  --header "Gitlab-Kas-Api-Request: $KAS_JWT" \
  --header "Authorization: Bearer $AGENT_TOKEN" --header "Content-Type: application/json" \
  --url "https://staging.gitlab.com/api/v4/internal/kubernetes/modules/starboard_vulnerability/policies_configuration"
```

- This should now return the security policy, like:

```json
{"configurations":[{"cadence":"0 0 * * *","namespaces":["test"],"updated_at":"2023-05-08T09:19:52+00:00"}]}
```
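The `Gitlab-Kas-Api-Request` header in the verification steps carries an HS256 JWT over the KAS shared secret. The following constructed Ruby example, written for this issue and not taken from GitLab or the `jwt` gem, shows what such a token is and, more usefully, what the receiving side of an internal API request has to check before trusting it: the algorithm is pinned, the MAC is compared in constant time before any claim is read, and the issuer is checked. `KAS_ISSUER` and `KAS_SECRET` are placeholders standing in for `Gitlab::Kas::JWT_ISSUER` and `Gitlab::Kas.secret`; only the standard library (`openssl`, `json`) is used.

```ruby
require 'openssl'
require 'json'

# Constructed stand-ins for Gitlab::Kas::JWT_ISSUER and Gitlab::Kas.secret.
# Real values come from the GitLab instance, never from this snippet.
KAS_ISSUER = 'example-kas-issuer'.freeze
KAS_SECRET = 'constructed-shared-secret-not-a-real-one'.freeze

# Base64url without padding, as JWT (RFC 7519) requires. Built on pack/unpack
# so the example has no dependency beyond the standard library.
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(text)
  padded = text.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0') # strict decoding; raises ArgumentError on garbage
end

# Constant-time comparison so the verifier does not leak, through timing,
# how many signature bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Equivalent of JWT.encode(payload, secret, 'HS256') from the verification steps.
def encode_hs256(payload, secret)
  header = { 'typ' => 'JWT', 'alg' => 'HS256' }
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(payload))}"
  signature = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  "#{signing_input}.#{b64url_encode(signature)}"
end

# Receiving-side check of the Gitlab-Kas-Api-Request header: pin the algorithm,
# verify the MAC before reading any claim, then check the issuer.
# Returns the payload hash on success, nil on any failure.
def verify_hs256(token, secret, expected_issuer:)
  parts = token.split('.')
  return nil unless parts.length == 3
  header = JSON.parse(b64url_decode(parts[0]))
  return nil unless header['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{parts[0]}.#{parts[1]}")
  return nil unless secure_equal?(expected, b64url_decode(parts[2]))
  payload = JSON.parse(b64url_decode(parts[1]))
  return nil unless payload['iss'] == expected_issuer
  payload
rescue JSON::ParserError, ArgumentError
  nil
end

# Header value as it would appear on the curl request in the verification steps.
def kas_api_request_header(secret = KAS_SECRET)
  encode_hs256({ 'iss' => KAS_ISSUER }, secret)
end

if __FILE__ == $PROGRAM_NAME
  token = kas_api_request_header
  puts "Gitlab-Kas-Api-Request: #{token}"
  p verify_hs256(token, KAS_SECRET, expected_issuer: KAS_ISSUER)
end
```

The order inside `verify_hs256` is the point worth keeping: the payload is only parsed after the MAC has been verified, so a token whose body has been altered, signed with a different secret, or whose header claims a different algorithm is rejected without any of its claims being acted on.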