Fix container scanning via group level policy
What does this MR do and why?
This fixes a bug where container scanning didn't work when enabled via a group-level scan execution policy.
Related issue: #404513 (closed)
How to set up and validate locally
- On branch master.
- Create a new group with a project in it.
- On the group page, open Security and Compliance -> Policies.
- Select New policy.
- Select Scan execution policy.
- Switch to .yaml mode.
- Paste the security policy:
type: scan_execution_policy
name: test
description: ''
enabled: true
rules:
- type: schedule
  agents:
    test-agent:
      namespaces:
      - test
  cadence: 0 0 * * *
actions:
- scan: container_scanning
  tags: []
- Select Configure with a merge request.
- Merge the MR.
- Open a rails console.
- Create a new KAS JWT using the rails console:
JWT.encode({ 'iss' => Gitlab::Kas::JWT_ISSUER }, Gitlab::Kas.secret, 'HS256')
- Find the project belonging to the group:
project = Project.find(PROJECT_ID)
- Create new agent:
agent = Clusters::Agent.new(project_id: project.id, created_by_user: User.find(1), name: "test-agent")
agent.save!
- Create new agent token and retrieve the value:
token = Clusters::AgentToken.new(agent: agent, created_by_user: User.find(1), name: "test-agent-token")
token.save!
token.token
- Send the API request (replace $KAS_JWT and $AGENT_TOKEN):
curl --include \
--header "Gitlab-Kas-Api-Request: $KAS_JWT" \
--header "Authorization: Bearer $AGENT_TOKEN" --header "Content-Type: application/json" \
--url "http://gdk.test:3000/api/v4/internal/kubernetes/modules/starboard_vulnerability/policies_configuration"
- This should result in an empty response
{"configurations":[]}
- Switch to the branch 04513-fix-group-level-container-scanning
- Execute the curl statement again.
- This should now return the security policy like
{"configurations":[{"cadence":"0 0 * * *","namespaces":["test"],"updated_at":"2023-05-08T09:19:52+00:00"}]}
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #404513 (closed)
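The before/after comparison from the validation steps can be automated so that a policy which is configured but never delivered to the agent is caught as a failure. The following is an added example, not code from this MR or from GitLab; the helper names are hypothetical, and the mapping from policy to `configurations` is an assumption inferred from the sample response above.

```ruby
require 'json'
require 'yaml'

# Policy from the steps above (copy constructed for this example).
POLICY_YAML = <<~YAML
  type: scan_execution_policy
  name: test
  description: ''
  enabled: true
  rules:
  - type: schedule
    agents:
      test-agent:
        namespaces:
        - test
    cadence: 0 0 * * *
  actions:
  - scan: container_scanning
    tags: []
YAML

# Hypothetical helper: configurations expected for one agent. The mapping is
# inferred from the sample response on this page, not from GitLab's code.
def expected_configurations(policy, agent_name)
  return [] unless policy['enabled']
  return [] unless Array(policy['actions']).any? { |a| a['scan'] == 'container_scanning' }

  Array(policy['rules']).filter_map do |rule|
    agents = rule['type'] == 'schedule' ? rule['agents'] : nil
    next unless agents.is_a?(Hash) && agents.key?(agent_name)
    { 'cadence' => rule['cadence'], 'namespaces' => Array((agents[agent_name] || {})['namespaces']) }
  end
end

# Hypothetical helper: compare a response body with the expectation,
# ignoring updated_at, which changes whenever the policy is edited.
def response_matches?(body, policy, agent_name)
  actual = JSON.parse(body).fetch('configurations').map { |c| c.slice('cadence', 'namespaces') }
  actual == expected_configurations(policy, agent_name)
end

POLICY = YAML.safe_load(POLICY_YAML)
BEFORE = '{"configurations":[]}' # response shown for master
AFTER  = '{"configurations":[{"cadence":"0 0 * * *","namespaces":["test"],"updated_at":"2023-05-08T09:19:52+00:00"}]}'

puts "master:     #{response_matches?(BEFORE, POLICY, 'test-agent')}"
puts "fix branch: #{response_matches?(AFTER, POLICY, 'test-agent')}"
```

In a local run, the body returned by the curl request takes the place of the `BEFORE` and `AFTER` strings.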