Add KUBE_NAMESPACE as a namespace filter

Previously discussed in gitlab-org/gitlab!64220 (comment 617813001) and gitlab-org/gitlab#335441 (comment 625771568).

Feedback from @hfyngvason:

Have you tried your suggestion with a "GitLab-managed cluster" (i.e. one with a service account & namespace per environment)? Based on the cluster role and cluster role binding, the service account would need access to specific resources. But if the resources are not in the service account's namespace, then the service account will likely not have access. (On the other hand, in a Cluster Management Project, or when using a non-managed cluster, it would have cluster admin by default.)

Then there's the question of how the feature works with multiple namespaces / environments. Using environment: staging, would the job scan all namespaces?

When using the cluster integration, the service account namespace is added as a CI variable via KUBE_NAMESPACE. This MR would restrict the cluster-image-scanning analyzer to only the service account namespace when the cluster integration is used.
