Add pipeline execution policy schedule run

Andy Schoenen requested to merge 472671-scheduled-scan-execution-policy-poc into master

What does this MR do and why?

This is a POC that makes it possible to run pipeline execution policies on a schedule. It is behind the scheduled_pipeline_execution_policies feature flag.

I tried to re-use as much of the existing logic as possible. We already have scheduled scan execution policies, so I extended the Security::OrchestrationPolicyRuleSchedule model to work for multiple policy types. Based on this we can store and process schedule rules for pipeline execution policies.

To configure the schedule, there's a new field triggers in the pipeline execution schema. It contains a set of rules that define the cadence for the schedule and the branches it should be triggered on.

pipeline_config_strategy is not relevant for the scheduled pipelines, as the scheduled pipelines should always only run the policy jobs and should never fall back to running project jobs, should the pipeline be filtered out by workflow rules. For this reason, we may eventually remove pipeline_config_strategy as a top-level keyword and use triggers also for the triggered pipelines (regular PEPs). See this comment for more information.

Before this feature can be released on production we have to:

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Enable the feature flag
    echo "Feature.enable(:scheduled_pipeline_execution_policies)" | rails c
  2. Create a group
  3. Create a project in the group
  4. Create a policy-ci.yml file with the following content:
    policy job:
      stage: build
      script:
        - echo "Do your policy script here"
  5. Create a .gitlab/security-policies/policy.yml file with the following content:
    ---
    pipeline_execution_policy:
    - name: pipeline execution
      description: ''
      enabled: true
      pipeline_config_strategy: override_project_ci
      triggers:
        - type: schedule
          cadence: '0 10 * * *'
          branches:
          - main
      content:
        include:
        - project: your-group/your-project
          file: policy-ci.yml
  6. Replace your-group/your-project with the path to your project.
  7. On the group's left sidebar, select Security & Compliance and Policies.
  8. Select Edit policy project
  9. Select the project you created in step 3.
  10. Create another new project for the group.
  11. Trigger the scheduled run via rails console:
    Security::OrchestrationPolicyRuleSchedule.update_all(next_run_at: 1.day.ago)
    Security::OrchestrationPolicyRuleScheduleWorker.new.perform
  12. On the left sidebar, select Build -> Pipelines.
  13. There should be a new pipeline triggered by the security policy bot containing the policy job. It may take a few minutes for the pipeline to appear.

Related to #472671

Edited by Martin Čavoj
