
Fix container scanning via group level policy

Andy Schoenen requested to merge 404513-fix-group-level-container-scanning into master

What does this MR do and why?

This fixes a bug where container scanning didn't work when enabled via group level scan execution policy

Related issue: #404513 (closed)

How to set up and validate locally

  1. On branch master.

  2. Create a new group with a project in it.

  3. On the group page, open Security and Compliance -> Policies.

  4. Select New policy.

  5. Select Scan execution policy.

  6. Switch to YAML mode.

  7. Paste the security policy:

    type: scan_execution_policy
    name: test
    description: ''
    enabled: true
    rules:
      - type: schedule
        agents:
          test-agent:
            namespaces:
              - test
        cadence: 0 0 * * *
    actions:
      - scan: container_scanning
        tags: []
  8. Select Configure with a merge request.

  9. Merge the MR.

  10. Open a rails console.

  11. Create a new KAS JWT using the rails console:

    JWT.encode({ 'iss' => Gitlab::Kas::JWT_ISSUER }, Gitlab::Kas.secret, 'HS256')
  12. Find the project belonging to the group:

    project = Project.find(PROJECT_ID)

  13. Create new agent:

    agent = Clusters::Agent.new(project_id: project.id, created_by_user: User.find(1), name: "test-agent")
    agent.save!
  14. Create new agent token and retrieve the value

    token = Clusters::AgentToken.new(agent: agent, created_by_user: User.find(1), name: "test-agent-token")
    token.save!
    token.token
  15. Send the API request (replace $KAS_JWT and $AGENT_TOKEN):

    curl --include \
         --header "Gitlab-Kas-Api-Request: $KAS_JWT" \
         --header "Authorization: Bearer $AGENT_TOKEN" --header "Content-Type: application/json" \
         --url "http://gdk.test:3000/api/v4/internal/kubernetes/modules/starboard_vulnerability/policies_configuration"
  16. This should result in an empty response {"configurations":[]}

  17. Switch to the branch 404513-fix-group-level-container-scanning

  18. Execute the curl statement again.

  19. This should now return the security policy like {"configurations":[{"cadence":"0 0 * * *","namespaces":["test"],"updated_at":"2023-05-08T09:19:52+00:00"}]}

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #404513 (closed)

Edited by Andy Schoenen
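The validation steps above exercise one question: which scan execution policies does the policies_configuration endpoint consider for a given agent, and does that set include policies defined on an ancestor group? The Ruby below is an added example, not GitLab's code, that models that mapping so both responses from the steps (empty before the fix, one configuration after it) can be reproduced offline. It assumes a simplified policy shape (the YAML from step 7, constructed inline), an `include_groups` switch that stands in for the before/after behaviour, and a constructed `updated_at` timestamp; the real endpoint's internals are not shown here.

```ruby
require 'yaml'
require 'json'

# Constructed sample input: the scan execution policy from the validation
# steps, as it would be stored at the group level.
GROUP_POLICY_YAML = <<~YAML
  type: scan_execution_policy
  name: test
  description: ''
  enabled: true
  rules:
    - type: schedule
      agents:
        test-agent:
          namespaces:
            - test
      cadence: 0 0 * * *
  actions:
    - scan: container_scanning
      tags: []
YAML

def load_policy(yaml)
  YAML.safe_load(yaml)
end

# Hypothetical model (not GitLab's implementation) of what the
# starboard_vulnerability/policies_configuration endpoint computes for one
# agent: every enabled scan execution policy with a container_scanning action
# contributes one entry per schedule rule that names that agent. Disabled
# policies, other policy types, other scan types and rules for other agents
# contribute nothing.
def policies_configuration(policies, agent_name, updated_at:)
  policies.flat_map do |policy|
    next [] unless policy['type'] == 'scan_execution_policy' && policy['enabled']
    next [] unless Array(policy['actions']).any? { |a| a['scan'] == 'container_scanning' }

    Array(policy['rules']).filter_map do |rule|
      next unless rule['type'] == 'schedule'

      agent = (rule['agents'] || {})[agent_name]
      next unless agent

      {
        'cadence' => rule['cadence'],
        'namespaces' => Array(agent['namespaces']),
        'updated_at' => updated_at
      }
    end
  end
end

# Before the fix only the project's own policies were consulted; after it the
# policies of the ancestor groups are merged in as well. `include_groups` is an
# assumption that models that switch.
def applicable_policies(project_policies, group_policies, include_groups:)
  include_groups ? project_policies + group_policies : project_policies
end

# Builds the JSON body in the same shape as the responses quoted in the steps.
def configurations_response(project_policies, group_policies, agent_name, include_groups:, updated_at:)
  policies = applicable_policies(project_policies, group_policies, include_groups: include_groups)
  JSON.generate('configurations' => policies_configuration(policies, agent_name, updated_at: updated_at))
end

if __FILE__ == $PROGRAM_NAME
  group_policies = [load_policy(GROUP_POLICY_YAML)]
  ts = '2023-05-08T09:19:52+00:00' # constructed timestamp
  # Step 16 (bug): the group policy is ignored.
  puts configurations_response([], group_policies, 'test-agent', include_groups: false, updated_at: ts)
  # Step 19 (fix): the group policy is returned for test-agent.
  puts configurations_response([], group_policies, 'test-agent', include_groups: true, updated_at: ts)
end
```

Running the script prints the empty body first and the one-configuration body second, matching steps 16 and 19; changing the agent name in the policy or setting `enabled: false` drops the entry again, which is a quick way to confirm the filtering conditions you expect the endpoint to apply.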
