
Add scan_execution_policies endpoint to the Kubernetes internal API

Sashi Kumar Kumaresan requested to merge sk/356729-update-api into master

What does this MR do and why?

Addresses #356729 (closed)

This MR adds a new internal API endpoint (GET /api/v4/internal/kubernetes/modules/starboard_vulnerability/scan_execution_policies) for the Kubernetes agent, to allow scan execution policies to enforce scans on agents.

The API returns the scan_execution_policies configured through the security policy project for the project the agent is configured for. The API skips the authorization check for :read_security_orchestration_policies, as the internal API won't have a current_user.

How to set up and validate locally

  1. Create a new KAS JWT using the rails console:

    JWT.encode({ 'iss' => Gitlab::Kas::JWT_ISSUER }, Gitlab::Kas.secret, 'HS256')
  2. Create a new gitlab project and configure security policy project following docs and create a new policy using the editor

  3. Create new agent:

    # `project` is the project configured in step 2
    agent = Clusters::Agent.new(project_id: project.id, created_by_user: User.find(1), name: "test-agent")
    agent.save!
  4. Create new agent token and retrieve the value

    token = Clusters::AgentToken.new(agent: agent, created_by_user: User.find(1), name: "test-agent-token")
    token.save!
    token.token # plaintext token value, used as the Bearer token in step 5
  5. Send the API request:

     curl --header "Gitlab-Kas-Api-Request: <JWT from step 1>" \
     --header "Authorization: Bearer <token from step 4>" \
     --header "Content-Type: application/json" \
     --url "http://gdk.test:3000/api/v4/internal/kubernetes/modules/starboard_vulnerability/scan_execution_policies"

    Response:

    {
      "policies": [
        {
          "name": "Policy",
          "description": "Policy description",
          "enabled": true,
          "yaml": "---\nname: Policy\ndescription: 'Policy description'\nenabled: true\nactions:\n- scan: container_scanning\nrules:\n- type: pipeline\n  branches:\n  - main\n",
          "updated_at": "2022-06-02T05:36:26+00:00"
        }
      ]
    }
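The validation steps above, collected into one script as an added example (this is not code from the MR or from GitLab; it is written here to show the full exchange end to end). It builds the KAS JWT with HS256 over the `iss` claim, as the rails console one-liner does, sends the request with the `Gitlab-Kas-Api-Request` and `Authorization: Bearer` headers, and then reads each enabled policy's `yaml` to list the scans it enforces. Assumptions not taken from the page: the issuer string is `gitlab-kas` (the value of `Gitlab::Kas::JWT_ISSUER` in the console), the decoded KAS secret and the agent token are passed via the `KAS_SECRET` and `AGENT_TOKEN` environment variables, and `GDK_URL` points at the GDK instance. The sample response is constructed from the one shown above plus a disabled policy, so the policy summary can be exercised offline.

```ruby
require 'json'
require 'yaml'
require 'openssl'
require 'net/http'
require 'uri'

# Assumed values (not from the MR): the KAS JWT issuer and the endpoint path.
KAS_JWT_ISSUER = 'gitlab-kas'.freeze
ENDPOINT = '/api/v4/internal/kubernetes/modules/starboard_vulnerability/scan_execution_policies'.freeze

# Unpadded URL-safe base64, as JWS requires.
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  s += '=' * ((4 - s.length % 4) % 4)
  s.unpack1('m0')
end

# Equivalent of JWT.encode({ 'iss' => issuer }, secret, 'HS256') from step 1.
def kas_jwt(secret, issuer: KAS_JWT_ISSUER)
  signing_input = "#{b64url({ alg: 'HS256', typ: 'JWT' }.to_json)}.#{b64url({ iss: issuer }.to_json)}"
  "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, signing_input))}"
end

# Verifier used to check our own token: pins alg to HS256, compares the
# signature in constant time, and insists on the expected issuer.
def kas_jwt_valid?(token, secret, issuer: KAS_JWT_ISSUER)
  h, p, s = token.to_s.split('.')
  return false unless h && p && s
  return false unless JSON.parse(b64url_decode(h))['alg'] == 'HS256'
  expected = b64url(OpenSSL::HMAC.digest('SHA256', secret, "#{h}.#{p}"))
  return false unless OpenSSL.secure_compare(expected, s)
  JSON.parse(b64url_decode(p))['iss'] == issuer
rescue JSON::ParserError, ArgumentError
  false
end

# The request from step 5: KAS JWT header plus the agent token as Bearer.
def kas_request(base_url, jwt, agent_token)
  req = Net::HTTP::Get.new(URI.join(base_url, ENDPOINT))
  req['Gitlab-Kas-Api-Request'] = jwt
  req['Authorization'] = "Bearer #{agent_token}"
  req['Content-Type'] = 'application/json'
  req
end

def fetch_policies(base_url, jwt, agent_token)
  req = kas_request(base_url, jwt, agent_token)
  res = Net::HTTP.start(req.uri.host, req.uri.port, use_ssl: req.uri.scheme == 'https') do |http|
    http.request(req)
  end
  raise "unexpected status #{res.code}: #{res.body}" unless res.is_a?(Net::HTTPSuccess)
  JSON.parse(res.body)
end

# Map each enabled policy name to the scans its YAML enforces. Disabled
# policies are skipped; a policy whose YAML does not parse maps to [] rather
# than being dropped silently.
def enforced_scans(response)
  response.fetch('policies').each_with_object({}) do |policy, acc|
    next unless policy['enabled']
    doc = begin
      YAML.safe_load(policy['yaml'].to_s)
    rescue Psych::SyntaxError
      nil
    end
    scans = doc.is_a?(Hash) ? Array(doc['actions']).map { |a| a['scan'] if a.is_a?(Hash) }.compact : []
    acc[policy['name']] = scans
  end
end

# Constructed sample: the response shown above plus a disabled policy.
SAMPLE_RESPONSE = {
  'policies' => [
    { 'name' => 'Policy', 'description' => 'Policy description', 'enabled' => true,
      'yaml' => "---\nname: Policy\ndescription: 'Policy description'\nenabled: true\nactions:\n- scan: container_scanning\nrules:\n- type: pipeline\n  branches:\n  - main\n",
      'updated_at' => '2022-06-02T05:36:26+00:00' },
    { 'name' => 'Disabled', 'description' => '', 'enabled' => false,
      'yaml' => "---\nname: Disabled\nenabled: false\nactions:\n- scan: secret_detection\n",
      'updated_at' => '2022-06-02T05:36:26+00:00' }
  ]
}.freeze

if $PROGRAM_NAME == __FILE__ && ENV['GDK_URL'] && ENV['KAS_SECRET'] && ENV['AGENT_TOKEN']
  body = fetch_policies(ENV['GDK_URL'], kas_jwt(ENV['KAS_SECRET']), ENV['AGENT_TOKEN'])
  puts JSON.pretty_generate(enforced_scans(body))
end
```

Run it as `GDK_URL=http://gdk.test:3000 KAS_SECRET=... AGENT_TOKEN=... ruby script.rb`; without those variables it only defines the helpers, which is what makes the offline checks possible. Note that a request without a valid `Gitlab-Kas-Api-Request` JWT, or with an agent token for an agent whose project has no security policy project, is the case to test next: the endpoint should reject the former and return an empty `policies` list for the latter, and neither should fall back to a user-authorized code path.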

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Sashi Kumar Kumaresan
