
Multi-valued Cluster Image Scanning CI filter variables

What does this MR do and why?

Provides comma-separated resource filter CI variables for Cluster Image Scanning (CIS).

Currently, CIS only supports filtering of in-cluster vulnerability reports by single values. gitlab-org/security-products/analyzers/cluster-image-scanning!22 (merged) enables the CIS analyzer to support multiple values per filter.

How to set up and validate locally

  1. Create a local GitLab project and a Kubernetes cluster

  2. Create the gitlab-vulnerabilities-viewer service account and populate the project's CIS_KUBECONFIG CI variable with it (Docs)

  3. Create a test vulnerability report:

    # Unless starboard-operator is installed in the cluster
    kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/main/deploy/crd/vulnerabilityreports.crd.yaml
    
    # Dummy report containing 1 critical vuln
    kubectl apply -f https://gitlab.com/-/snippets/2219238/raw/main/test-vulnerabilityreport.yaml

    The test report has the following labels:

    starboard.container.name: alpine
    starboard.resource.kind: Pod
    starboard.resource.name: test-resource-name
    starboard.resource.namespace: test-namespace

  4. Commit a .gitlab-ci.yml to the project that includes the CIS template and overrides the image:

    include:
      - template: Security/Cluster-Image-Scanning.gitlab-ci.yml
    
    cluster_image_scanning:
      image: "registry.gitlab.com/gitlab-org/security-products/analyzers/cluster-image-scanning/tmp:12c594da5a63bfbd799fb61b0953e4acc846734d"

  5. Verify the pipeline retrieved the in-cluster report and created the vulnerability.

  6. Define the following matching resource filter CI variables:

    • CIS_CONTAINER_NAMES: alpine,foobar
    • CIS_RESOURCE_KINDS: pod,node
    • CIS_RESOURCE_NAMES: test-resource-name,foo
    • CIS_RESOURCE_NAMESPACES: test-namespace,barqux

  7. Re-run the pipeline. Verify the analyzer prints the correct label selector:

    [INFO] [cluster-image-scanning] [2021-12-09T12:15:04Z] ▶ Label selectors: starboard.container.name in (alpine,foobar),starboard.resource.kind in (Node,Pod),starboard.resource.name in (foo,test-resource-name),starboard.resource.namespace in (barqux,test-namespace)
    [INFO] [cluster-image-scanning] [2021-12-09T12:15:04Z] ▶ Found 1 Starboard vulnerability reports

  8. Change one of the resource filter CI variables so that the report does not get matched, e.g.:

    • CIS_CONTAINER_NAMES: foobar

  9. Re-run the pipeline. Verify the analyzer prints the correct label selector, but does not retrieve the report:

    [INFO] [cluster-image-scanning] [2021-12-09T12:19:10Z] ▶ Label selectors: starboard.container.name in (foobar),starboard.resource.kind in (Node,Pod),starboard.resource.name in (foo,test-resource-name),starboard.resource.namespace in (barqux,test-namespace)
    [INFO] [cluster-image-scanning] [2021-12-09T12:19:10Z] ▶ Found 0 Starboard vulnerability reports
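
As an added illustration (not the analyzer's own code), the Go program below models how the comma-separated CIS_* variables turn into the set-based label selector printed in the log above and how a report's labels are checked against it; the value sorting, the Kind capitalisation (pod -> Pod) and the Parse/Matches names are assumptions drawn from the log lines, not from the cluster-image-scanning source.

```go
package main

import (
	"sort"
	"strings"
)

// CIS_* variable per Starboard label, in printed order (assumed from the MR log, not analyzer code).
var filters = []struct{ env, label string }{
	{"CIS_CONTAINER_NAMES", "starboard.container.name"},
	{"CIS_RESOURCE_KINDS", "starboard.resource.kind"},
	{"CIS_RESOURCE_NAMES", "starboard.resource.name"},
	{"CIS_RESOURCE_NAMESPACES", "starboard.resource.namespace"},
}

// Parse reads each comma-separated variable via lookup (e.g. os.Getenv) and
// returns the accepted values per label plus the rendered set-based selector.
func Parse(lookup func(string) string) (map[string][]string, string) {
	reqs := map[string][]string{}
	var parts []string
	for _, f := range filters {
		var vals []string
		for _, v := range strings.Split(lookup(f.env), ",") {
			if v = strings.TrimSpace(v); v == "" {
				continue // blank entries and unset variables impose nothing
			}
			if f.env == "CIS_RESOURCE_KINDS" { // pod -> Pod, as in the log
				v = strings.ToUpper(v[:1]) + strings.ToLower(v[1:])
			}
			vals = append(vals, v)
		}
		if len(vals) == 0 {
			continue
		}
		sort.Strings(vals) // values appear sorted in the log output
		reqs[f.label] = vals
		parts = append(parts, f.label+" in ("+strings.Join(vals, ",")+")")
	}
	return reqs, strings.Join(parts, ",")
}

// Matches reports whether a report's labels satisfy every requirement ("Found 1" vs "Found 0").
func Matches(reqs map[string][]string, labels map[string]string) bool {
	for label, vals := range reqs {
		if i := sort.SearchStrings(vals, labels[label]); i == len(vals) || vals[i] != labels[label] {
			return false
		}
	}
	return true
}
```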

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #340362 (closed)

Edited by Dominic Bauer
