Extend Scheduled Scan Execution Policy to enforce scans on agents
Why are we doing this work
We want to allow customers to collect vulnerabilities from images in running Kubernetes clusters that are connected with GitLab through Kubernetes Agent, so they can understand their current security risk for images that were deployed without providing sensitive data to connect to the cluster.
You can find more about our motivation to work on this issue here.
This issue is about extending Scheduled Scan Execution Policy to support Cluster Image Scanning scan for agents
. In %14.3 we have introduced similar functionality, but for clusters
. Customer will be able to schedule a security scan of running containers on selected time and select which namespace and resource names should be scanned. The policy will look like the following:
scan_execution_policy:
name: Run Cluster Image Scan
description: This policy enforces container scans against a production cluster on a daily basis.
enabled: true
rules:
- type: schedule
agents:
agent-name:
namespaces: []
cadence: 0 0 * * *
actions:
- scan: cluster_image_scanning
namespaces
may optionally be provided in order to limit the scan to the given namespaces. If omitted, then all namespaces will be scanned.
Relevant links
Non-functional requirements
-
Documentation: add documentation to doc/user/application_security/policies/index.md
with information how to configure policy to enforce scan with agents, (revert !91075 (merged)) - [-] Feature flag: no feature flag is needed as this is something that users will optionally select by including the GitLab CI template
- [-] Performance:
-
Testing: - Test if you can configure policy to run on clusters connected through Kubernetes agent,
Implementation plan
Use the GitOps module as an implementation reference.
- Add a
server
package tointernal/module/starboard_vulnerability
which implements aGetSecurityPoliciesToSynchronize
rpc.- The server will poll the security policy API, checking for changes to the policies
- If the server returns 404, then it should be assumed that security policies are not available, but polling should continue.
- If there is an update available, send the new policies in the response to agentk (using new rpc objects in
internal/module/starboard_vulnerability/rpc
)
- In
internal/module/starboard_vulnerability/rpc
, create aPoliciesToSyncronizeWatcher
, which receives a gRPC request and a callback function to call with the returned data- The watcher will use the auto-generated (via protobuf) gRPC client in order to poll KAS and send any received policies to the callback function
- In
internal/module/starboard_vulnerability/agent/module.go
, add aloadSecurityPolicy
callback function which receives*agentcfg.StarboardCF
.- When this function is called, the
workerHolder
will stop all workers and then create a new ones with the received configuration.
- When this function is called, the
- In
internal/module/starboard_vulnerability/agent
, create a Syncronizer with arun
method which receives new policies on a channel.- When new policies are received on the channel, check if they would change the configuration currently held by the worker.
- If the configuration has changed, call the
loadSecurityPolicy
callback function.
- Create a new
securityPoliciesWorker
, which will be started alongside the existing worker. This worker will hold theloadSecurityPolicy
callback as a struct field. This worker should be started even when the agent's Starboard configuration is empty. When this worker is run it will:- Create a new channel to send security policies on
- Run the synchonizer, giving it the channel
- Start the watcher, passing a callback function which will send policies on the channel
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.