Add Cluster Image Scanning to AutoDevOps
What does this MR do and why?
Adds Cluster Image Scanning to AutoDevOps.
The desired behaviour is explained in greater detail in #346118 (closed).
This MR causes Cluster Image Scanning analyzer runs for every project with a connected Agent. Currently, we require users to provide a `CIS_KUBECONFIG`. In gitlab-org/security-products/analyzers/cluster-image-scanning!28 (merged), we add support for scans through the Agent's CI tunnel.
See:
Screenshots or screen recordings
n/a
How to set up and validate locally
- Created the bauerdominic/cis-ado-sandbox repository and a GKE cluster
- Committed a .gitlab-ci.yml that includes the Cluster Image Scanning template
  - No pipeline created
- Committed an Agent configuration
  - No pipeline created
- Registered the Agent
- Manually created a pipeline
  - The `cluster_image_scanning` job runs and the analyzer uses the CI tunnel context, but fails because Starboard Operator is not installed in the cluster:
    ```
    [FATA] [cluster-image-scanning] [2022-01-24T11:41:47Z] ▶ error retrieving reports from Starboard: Starboard must be installed in the cluster: https://aquasecurity.github.io/starboard/latest/operator/installation/helm
    ```
  - The pipeline passes, because the `cluster_image_scanning` job allows failure.
- Installed Starboard Operator per its installation instructions
- Manually created a pipeline
  - The `cluster_image_scanning` job runs and the analyzer uses the CI tunnel context and succeeds:
    ```
    [INFO] [cluster-image-scanning] [2022-01-24T11:47:55Z] ▶ Using API server https://kas.gitlab.com/k8s-proxy as Kubernetes control plane
    [INFO] [cluster-image-scanning] [2022-01-24T11:47:56Z] ▶ Found 0 Starboard vulnerability reports
    [INFO] [cluster-image-scanning] [2022-01-24T11:47:56Z] ▶ Creating report
    ```
- Created the `gitlab-vulnerability-viewer` Service Account and kubeconfig for it per our documentation. Then populated the `CIS_KUBECONFIG` CI/CD project variable with it.
- Manually created a pipeline
  - The `cluster_image_scanning` job runs and the analyzer uses the `CIS_KUBECONFIG` and succeeds:
    ```
    [INFO] [cluster-image-scanning] [2022-01-24T11:53:19Z] ▶ Using API server https://35.234.95.104 as Kubernetes control plane
    [INFO] [cluster-image-scanning] [2022-01-24T11:53:19Z] ▶ Found 0 Starboard vulnerability reports
    [INFO] [cluster-image-scanning] [2022-01-24T11:53:19Z] ▶ Creating report
    ```
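The validation runs above show why a green pipeline is not evidence that a cluster scan happened: the `cluster_image_scanning` job allows failure, so the FATA exit from the first run was swallowed. As an added example (not part of this MR or the analyzer), the helper below parses the analyzer's log records as pasted above, even when several are run together on one line, and reports whether a scan actually reached a control plane and read Starboard reports, and whether it went through the Agent's CI tunnel or a direct `CIS_KUBECONFIG` endpoint. Treating the `kas.gitlab.com` host as the marker for the Agent's k8s-proxy is an assumption taken from the log lines in this MR.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One analyzer record: "[LEVEL] [cluster-image-scanning] [timestamp] ▶ message"
RECORD_RE = re.compile(
    r"\[(?P<level>[A-Z]+)\] \[cluster-image-scanning\] \[(?P<ts>[^\]]+)\] ▶ (?P<msg>.*)", re.S
)
# Records pasted from the job log may share a line, so split just before each level tag.
SPLIT_RE = re.compile(r"(?=\[[A-Z]{4}\] \[cluster-image-scanning\])")
API_RE = re.compile(r"Using API server (?P<url>\S+) as Kubernetes control plane")
COUNT_RE = re.compile(r"Found (?P<n>\d+) Starboard vulnerability reports")
KAS_PROXY_HOST = "kas.gitlab.com"  # assumption: host of the Agent's k8s-proxy, as seen in the MR logs

# Log excerpts copied from the validation steps in this MR (FATA run, Agent run, CIS_KUBECONFIG run).
FATAL_LOG = "[FATA] [cluster-image-scanning] [2022-01-24T11:41:47Z] ▶ error retrieving reports from Starboard: Starboard must be installed in the cluster: https://aquasecurity.github.io/starboard/latest/operator/installation/helm"
AGENT_LOG = "[INFO] [cluster-image-scanning] [2022-01-24T11:47:55Z] ▶ Using API server https://kas.gitlab.com/k8s-proxy as Kubernetes control plane [INFO] [cluster-image-scanning] [2022-01-24T11:47:56Z] ▶ Found 0 Starboard vulnerability reports [INFO] [cluster-image-scanning] [2022-01-24T11:47:56Z] ▶ Creating report"
KUBECONFIG_LOG = "[INFO] [cluster-image-scanning] [2022-01-24T11:53:19Z] ▶ Using API server https://35.234.95.104 as Kubernetes control plane [INFO] [cluster-image-scanning] [2022-01-24T11:53:19Z] ▶ Found 0 Starboard vulnerability reports [INFO] [cluster-image-scanning] [2022-01-24T11:53:19Z] ▶ Creating report"


@dataclass
class ScanOutcome:
    fatal: Optional[str] = None         # FATA message, if the analyzer aborted
    api_server: Optional[str] = None    # control plane the analyzer connected to
    via_agent: bool = False             # True when reached through the Agent's k8s-proxy
    report_count: Optional[int] = None  # Starboard vulnerability reports found

    def scan_ran(self) -> bool:
        """A scan only counts when it reached a control plane, read reports and did not abort."""
        return self.fatal is None and self.api_server is not None and self.report_count is not None


def parse_scan_log(text: str) -> ScanOutcome:
    """Extract the scan verdict from analyzer output, independent of the job's allow_failure."""
    out = ScanOutcome()
    for chunk in SPLIT_RE.split(text):
        m = RECORD_RE.match(chunk.strip())
        if not m:
            continue  # blank piece or unrelated runner output
        level, msg = m["level"], m["msg"].strip()
        if level == "FATA":
            out.fatal = msg
        elif api := API_RE.search(msg):
            out.api_server = api["url"]
            out.via_agent = KAS_PROXY_HOST in api["url"]
        elif cnt := COUNT_RE.search(msg):
            out.report_count = int(cnt["n"])
    return out
```

Running `parse_scan_log` over the job log in a later pipeline step gives a hard pass/fail signal even while the job itself keeps `allow_failure`.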
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #346118 (closed)
Edited by Dominic Bauer