
Add Cluster Image Scanning to AutoDevOps

What does this MR do and why?

Adds Cluster Image Scanning to AutoDevOps.

The desired behaviour is explained in greater detail in #346118 (closed).

This MR causes the Cluster Image Scanning analyzer to run for every project with a connected Agent. Currently, we require users to provide a CIS_KUBECONFIG. In gitlab-org/security-products/analyzers/cluster-image-scanning!28 (merged), we add support for scans through the Agent's CI tunnel.

See:

Screenshots or screen recordings

n/a

How to set up and validate locally

  1. Created the bauerdominic/cis-ado-sandbox repository and a GKE cluster
  2. Committed a .gitlab-ci.yml that includes the Cluster Image Scanning template
    • No pipeline created
  3. Committed an Agent configuration
    • No pipeline created
  4. Registered the Agent
  5. Manually created a pipeline
    [FATA] [cluster-image-scanning] [2022-01-24T11:41:47Z] ▶ error retrieving reports from Starboard: Starboard must be installed in the cluster: https://aquasecurity.github.io/starboard/latest/operator/installation/helm
    • The pipeline passes because the cluster_image_scanning job allows failure.
  6. Installed Starboard Operator per its installation instructions
  7. Manually created a pipeline
    [INFO] [cluster-image-scanning] [2022-01-24T11:47:55Z] ▶ Using API server https://kas.gitlab.com/k8s-proxy as Kubernetes control plane
    [INFO] [cluster-image-scanning] [2022-01-24T11:47:56Z] ▶ Found 0 Starboard vulnerability reports
    [INFO] [cluster-image-scanning] [2022-01-24T11:47:56Z] ▶ Creating report
  8. Created the gitlab-vulnerability-viewer Service Account and kubeconfig for it per our documentation. Then populated the CIS_KUBECONFIG CI/CD project variable with it.
  9. Manually created a pipeline
    [INFO] [cluster-image-scanning] [2022-01-24T11:53:19Z] ▶ Using API server https://35.234.95.104 as Kubernetes control plane
    [INFO] [cluster-image-scanning] [2022-01-24T11:53:19Z] ▶ Found 0 Starboard vulnerability reports
    [INFO] [cluster-image-scanning] [2022-01-24T11:53:19Z] ▶ Creating report
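The validation steps above exercise two ways of reaching the cluster: through the Agent's CI tunnel (step 7, API server kas.gitlab.com/k8s-proxy) and through a CIS_KUBECONFIG variable holding a kubeconfig for the gitlab-vulnerability-viewer Service Account (step 9). The following .gitlab-ci.yml is an added example, not a file from this MR or from the sandbox repository; it shows the template include from step 2 together with the only two configuration knobs the steps rely on. The template path Security/Cluster-Image-Scanning.gitlab-ci.yml and the job name cluster_image_scanning are the ones the Cluster Image Scanning template uses; the CIS_KUBECONFIG variable name comes from the description above; everything else in the comments is an assumption about how the two modes are chosen.

```yaml
# Added example: minimal .gitlab-ci.yml that includes the Cluster Image Scanning
# template, as committed in step 2 of the validation above.
include:
  - template: Security/Cluster-Image-Scanning.gitlab-ci.yml

# Overriding the job of the same name lets a project adjust the template's
# defaults without copying it.
cluster_image_scanning:
  variables:
    # Assumption: when CIS_KUBECONFIG is not set and an Agent is registered for
    # this project, the analyzer reaches the cluster through the Agent's CI
    # tunnel (the "kas.gitlab.com/k8s-proxy" API server seen in step 7).
    #
    # To use a dedicated kubeconfig instead (step 9), define CIS_KUBECONFIG as a
    # masked, protected project CI/CD variable rather than committing it here:
    # the kubeconfig carries the Service Account token, so it must not be
    # stored in the repository.
    #
    # CIS_KUBECONFIG: "<set as a masked project CI/CD variable, not inline>"
    GIT_STRATEGY: none          # the scan reads cluster reports, not the source tree
  # The template allows the job to fail so that projects without Starboard
  # still get a passing pipeline (step 5). Uncomment to make a failed scan
  # block the pipeline once Starboard is known to be installed.
  # allow_failure: false
```

The Service Account referenced in step 8 only needs read access to Starboard's vulnerability reports; keeping the kubeconfig scoped to such an account, and supplying it through a masked variable, limits what a leaked CI token could do in the cluster.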

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #346118 (closed)

Edited by Dominic Bauer
