Add support for Security Policies enforcing Cluster Image Scanning scan
Why?
This MR adds new functionality to read scan execution policies from GitLab and enforce Cluster Image Scanning with the given policy configuration.
Security policies should take precedence over the agent config.yml for security scans.
The policies are retrieved from Rails via an API endpoint implemented in gitlab-org/gitlab!94218 (merged).
Currently only one policy per agent is supported.
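The precedence rule above, modelled as an added illustration that is not the agent's own code: policies arrive already parsed (dicts shaped like the scan execution policy YAML in the test steps), and the config.yml scan section is reduced to an assumed, simplified shape.

```python
"""Scan execution policy precedence over the agent's config.yml (illustrative model)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanConfig:
    """Simplified, assumed stand-in for the Cluster Image Scanning settings."""
    cadence: str
    namespaces: tuple
    source: str  # "policy" or "config.yml", records which input won


# Constructed sample: the "Enforce CIS" policy from the test steps, as YAML-parsed data.
ENFORCE_CIS = {
    "type": "scan_execution_policy",
    "name": "Enforce CIS",
    "enabled": True,
    "rules": [{"type": "schedule", "cadence": "0 * * * *",
               "agents": {"agent-name": {"namespaces": ["default"]}}}],
    "actions": [{"scan": "cluster_image_scanning"}],
}


def effective_scan_config(agent, from_config, policies):
    """Return the Cluster Image Scanning settings the agent should run with.

    An enabled policy with a cluster_image_scanning action whose schedule rule
    names this agent overrides config.yml; otherwise config.yml is kept as is.
    Only one policy per agent is supported, so several matches are rejected
    rather than silently merged.
    """
    matches = []
    for policy in policies:
        wants_cis = any(a.get("scan") == "cluster_image_scanning"
                        for a in policy.get("actions", []))
        if not policy.get("enabled") or not wants_cis:
            continue
        for rule in policy.get("rules", []):
            if rule.get("type") != "schedule":
                continue
            agent_rule = rule.get("agents", {}).get(agent)
            if agent_rule is not None:
                matches.append(ScanConfig(rule["cadence"],
                                          tuple(agent_rule.get("namespaces", [])),
                                          "policy"))
    if len(matches) > 1:
        raise ValueError(f"{len(matches)} policies target agent {agent!r}; only one is supported")
    return matches[0] if matches else from_config
```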
Screenshots / Video
Demo: https://youtu.be/tm4_SwBrwWk
How to test it?
- Create a local k3d cluster.
- In your local GDK create a new project and configure your GitLab agent in this repository (remember your agent-name, as it will be needed in the policy).
- Go to Security & Compliance -> Policies, click on New policy and select Scan execution policy.
- Create a new policy and merge the new MR:

```yaml
type: scan_execution_policy
name: "Enforce CIS"
description: "This policy is enforcing cluster image scanning test"
enabled: true
rules:
  - type: schedule
    cadence: "0 * * * *"
    agents:
      agent-name:
        namespaces:
          - default
actions:
  - scan: cluster_image_scanning
```

- Run kas and agent; the scan should be executed.

NOTE: You have to have a gitlab-agent service account in your local cluster to create vulnerabilities in your local GitLab instance.
Edited by Brian Williams