Skip to content

Auto DevOps: image digest in container spec

Sergei Nikolaev requested to merge kinolaev/gitlab:image-digest into master

What does this MR do?

Until #18984 (closed) is implemented, a user with the developer role can deploy thier code to production environment without the maintainer approval by updating production container image in registry, and this is a security risk. This and related MRs prevents such situations by adding the image digest to the container spec when deploying to k8s. The developer can still update (or delete) the production container image in registry, but the updated image will not be deployed to the production environment.

Screenshots or Screencasts (strongly suggested)

How to setup and validate locally (strongly suggested)

nclude:
  - template: Auto-DevOps.gitlab-ci.yml

variables:
  AUTO_BUILD_IMAGE_VERSION: v1.5.0

build:
  artifacts:
    reports:
      dotenv: gl-auto-build-variables.env

.auto-deploy:
  dependencies: [build]
dast_environment_deploy:
  dependencies: [build]

citemplates Manual QA

  • .gitlab-ci.yml (identical to above)
  • Pipeline
  • Additional verification step: Verified that the deployed image has
    image: registry.gitlab.com/hfyngvason/minimal-ruby-app/main:d33e7ccf5aec2c3f473ba04b7d1b57da8e5b6412@sha256:1919656e3b9b89f256c96e238e1430a5eb79a584ba634b6d068a180feb250ca2
    (note the @sha256:... suffix.

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Hordur Freyr Yngvason

Merge request reports

Loading