Support custom ocs trivy k8s wrapper image
What does this do
This MR addresses Extend Gitlab Agent Helm Chart with trivy-k8s-w... (gitlab-org/gitlab#472228 - closed)
It introduces a new trivy_k8s_wrapper_image field in the agent configuration for Operational Container Scanning (OCS). This allows users to specify a Trivy K8s wrapper image that we intend to use to implement integration tests for OCS, and provides an option for customers to specify an alternate repository if they are unable to pull from the default repository.
The new agent configuration format is as follows:

```yaml
container_scanning:
  trivy_k8s_wrapper_image:
    repository: "registry.gitlab.com/gitlab-org/security-products/analyzers/trivy-k8s-wrapper"
    tag: "0.3.3"
```
Only the repository field would be communicated to users as configurable.
As discussed in this thread, the tag field will be used internally to specify the version for integration testing. Each Gitlab Agent version depends on a specific Trivy K8s Wrapper version, so users should not configure the tag, or it could cause unexpected errors. Instead, the tag would default to the Trivy K8s Wrapper image version defined in the respective Gitlab Agent version.
Please see the corresponding doc update MR.
Related Issues
Improve Reliability for Operational Container S... (gitlab-org&14447)
Extend Gitlab Agent Helm Chart with trivy-k8s-w... (gitlab-org/gitlab#472228 - closed)
MR that updates renovatebot Update trivy k8s wrapper field (gitlab-org/frontend/renovate-gitlab-bot!934 - merged)
Verification steps
Since this change involves modifications to agent configuration, we can only test locally with GDK, as we need to start KAS with these updates.
- Create a project in gdk with the following agent config:

  ```yaml
  container_scanning:
    cadence: '03 * * * *'
    vulnerability_report:
      namespaces:
        - kube-system
    trivy_k8s_wrapper_image:
      repository: "registry.gitlab.com/gitlab-org/security-products/analyzers/trivy-k8s-wrapper/smtan-test-custom-trivy-k8s-wrapper"
      tag: "current-amd64"
  ```

  - I built a custom trivy k8s image based on tag 0.3.3 to aid with testing
- Verify that the OCS scan succeeds
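The defaulting rule described in the MR (repository is the only user-facing knob; the tag falls back to the version pinned by the agent release) is worked through below as an added example. This is not the agent's or KAS's own code: the parsed YAML is modelled as a plain struct, the default repository and the "0.3.3" tag are taken from the MR text, and the pinning mechanism, the `ResolveImage` and `TagOverridden` helpers, and the check that rejects a tag or digest smuggled into the repository field are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed example, not the GitLab agent's own code. The agent config on
// the page is YAML; here the parsed values are modelled as a plain struct so
// the example runs without a YAML library.

// DefaultTrivyK8sWrapperRepository is the default repository named in the MR.
const DefaultTrivyK8sWrapperRepository = "registry.gitlab.com/gitlab-org/security-products/analyzers/trivy-k8s-wrapper"

// DefaultTrivyK8sWrapperTag stands in for the tag pinned by a given agent
// release. "0.3.3" is the tag shown in the MR; how the agent pins it is assumed.
const DefaultTrivyK8sWrapperTag = "0.3.3"

// TrivyK8sWrapperImage mirrors the trivy_k8s_wrapper_image block of the config.
type TrivyK8sWrapperImage struct {
	Repository string
	Tag        string
}

// ResolveImage returns the full image reference the scanner should run.
// An empty repository falls back to the default registry path; an empty tag
// falls back to the tag pinned for this agent version. A repository that
// already carries a tag or digest is rejected, so the one field documented as
// configurable cannot be used to override the version the agent expects.
func ResolveImage(cfg TrivyK8sWrapperImage) (string, error) {
	repo := strings.TrimSpace(cfg.Repository)
	if repo == "" {
		repo = DefaultTrivyK8sWrapperRepository
	}
	// Only the last path segment is inspected, so a registry port such as
	// "registry.example.internal:5000/..." is still accepted.
	name := repo[strings.LastIndex(repo, "/")+1:]
	if name == "" {
		return "", errors.New("repository must not end with /")
	}
	if strings.ContainsAny(name, ":@") {
		return "", fmt.Errorf("repository %q must not include a tag or digest", repo)
	}
	tag := strings.TrimSpace(cfg.Tag)
	if tag == "" {
		tag = DefaultTrivyK8sWrapperTag
	}
	return repo + ":" + tag, nil
}

// TagOverridden reports whether the configuration pins a tag other than the
// one shipped with this agent version, the case the MR warns can cause
// unexpected errors.
func TagOverridden(cfg TrivyK8sWrapperImage) bool {
	tag := strings.TrimSpace(cfg.Tag)
	return tag != "" && tag != DefaultTrivyK8sWrapperTag
}

func main() {
	// Constructed sample configurations covering the cases discussed in the MR.
	configs := []TrivyK8sWrapperImage{
		{}, // nothing set: default repository and pinned tag
		{Repository: "registry.example.internal:5000/mirror/trivy-k8s-wrapper"}, // customer mirror
		{Repository: "registry.example.internal/mirror/trivy-k8s-wrapper:latest"},  // tag hidden in repository
		{Tag: "0.2.0"}, // tag overridden by the user
	}
	for _, c := range configs {
		ref, err := ResolveImage(c)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("image=%s tag_overridden=%v\n", ref, TagOverridden(c))
	}
}
```

Running it prints the resolved reference for the default and mirror cases, rejects the repository that embeds `:latest`, and flags the `0.2.0` configuration as an override, which is the condition a maintainer would want surfaced in agent logs rather than silently accepted.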