# Multi-valued Cluster Image Scanning CI filter variables

## What does this MR do and why?

Provides comma-separated resource filter CI variables for Cluster Image Scanning (CIS).

Currently, CIS only supports filtering of in-cluster vulnerability reports by single values. gitlab-org/security-products/analyzers/cluster-image-scanning!22 (merged) enables the CIS analyzer to support multiple values per filter.
## How to set up and validate locally

1. Create a local GitLab project and a Kubernetes cluster.

2. Create the `gitlab-vulnerabilities-viewer` service account and populate the project's `CIS_KUBECONFIG` CI variable with it (Docs).

3. Create a test vulnerability report:

   ```shell
   # Unless starboard-operator is installed in the cluster
   kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/main/deploy/crd/vulnerabilityreports.crd.yaml
   # Dummy report containing 1 critical vuln
   kubectl apply -f https://gitlab.com/-/snippets/2219238/raw/main/test-vulnerabilityreport.yaml
   ```

   The test report has the following labels:

   ```yaml
   starboard.container.name: alpine
   starboard.resource.kind: Pod
   starboard.resource.name: test-resource-name
   starboard.resource.namespace: test-namespace
   ```

4. Commit a `.gitlab-ci.yml` to the project that includes the CIS template and overrides the image:

   ```yaml
   include:
     - template: Security/Cluster-Image-Scanning.gitlab-ci.yml

   cluster_image_scanning:
     image: "registry.gitlab.com/gitlab-org/security-products/analyzers/cluster-image-scanning/tmp:12c594da5a63bfbd799fb61b0953e4acc846734d"
   ```

5. Verify the pipeline retrieved the in-cluster report and created the vulnerability.

6. Define the following matching resource filter CI variables:

   - `CIS_CONTAINER_NAMES`: `alpine,foobar`
   - `CIS_RESOURCE_KINDS`: `pod,node`
   - `CIS_RESOURCE_NAMES`: `test-resource-name,foo`
   - `CIS_RESOURCE_NAMESPACES`: `test-namespace,barqux`

7. Re-run the pipeline. Verify the analyzer prints the correct label selector:

   ```
   [INFO] [cluster-image-scanning] [2021-12-09T12:15:04Z] ▶ Label selectors: starboard.container.name in (alpine,foobar),starboard.resource.kind in (Node,Pod),starboard.resource.name in (foo,test-resource-name),starboard.resource.namespace in (barqux,test-namespace)
   [INFO] [cluster-image-scanning] [2021-12-09T12:15:04Z] ▶ Found 1 Starboard vulnerability reports
   ```

8. Change one of the resource filter CI variables so that the report does not get matched, e.g.:

   - `CIS_CONTAINER_NAMES`: `foobar`

9. Re-run the pipeline. Verify the analyzer prints the correct label selector, but does not retrieve the report:

   ```
   [INFO] [cluster-image-scanning] [2021-12-09T12:19:10Z] ▶ Label selectors: starboard.container.name in (foobar),starboard.resource.kind in (Node,Pod),starboard.resource.name in (foo,test-resource-name),starboard.resource.namespace in (barqux,test-namespace)
   [INFO] [cluster-image-scanning] [2021-12-09T12:19:10Z] ▶ Found 0 Starboard vulnerability reports
   ```
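The validation steps above hinge on how the four comma-separated variables are turned into a Kubernetes set-based label selector and whether the test report's labels satisfy it. The following Go program is an added illustration written for this page, not the analyzer's own code: it reproduces the selector strings shown in the log lines and predicts the "Found 1" versus "Found 0" outcome locally. The mapping from `CIS_*` variable to `starboard.*` label, the sorting of values, and the first-letter capitalisation of resource kinds (`pod,node` becoming `Node,Pod`) are assumptions inferred from the logged output; the environment map and report labels are constructed from the values used in this MR.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// filterSpec ties one CIS_* CI variable to the Starboard label it filters on.
// Assumed mapping, inferred from the label selectors printed in the MR logs.
type filterSpec struct {
	envVar string
	label  string
	isKind bool // resource kinds are capitalised (pod -> Pod) as seen in the logs
}

var filterSpecs = []filterSpec{
	{envVar: "CIS_CONTAINER_NAMES", label: "starboard.container.name"},
	{envVar: "CIS_RESOURCE_KINDS", label: "starboard.resource.kind", isKind: true},
	{envVar: "CIS_RESOURCE_NAMES", label: "starboard.resource.name"},
	{envVar: "CIS_RESOURCE_NAMESPACES", label: "starboard.resource.namespace"},
}

// normaliseKind capitalises the first letter. Assumption for this example only:
// it matches the logged output but would not handle kinds such as DaemonSet.
func normaliseKind(v string) string {
	if v == "" {
		return v
	}
	return strings.ToUpper(v[:1]) + v[1:]
}

// SplitValues parses one comma-separated variable: trims whitespace, drops empty
// entries, de-duplicates and sorts so the resulting selector is deterministic.
func SplitValues(raw string, isKind bool) []string {
	seen := map[string]bool{}
	var out []string
	for _, part := range strings.Split(raw, ",") {
		v := strings.TrimSpace(part)
		if v == "" {
			continue
		}
		if isKind {
			v = normaliseKind(v)
		}
		if !seen[v] {
			seen[v] = true
			out = append(out, v)
		}
	}
	sort.Strings(out)
	return out
}

// BuildLabelSelector renders the set-based selector in the form the analyzer logs.
// Variables that are unset or empty add no requirement, so an empty map yields "".
func BuildLabelSelector(env map[string]string) string {
	var reqs []string
	for _, spec := range filterSpecs {
		vals := SplitValues(env[spec.envVar], spec.isKind)
		if len(vals) == 0 {
			continue
		}
		reqs = append(reqs, fmt.Sprintf("%s in (%s)", spec.label, strings.Join(vals, ",")))
	}
	return strings.Join(reqs, ",")
}

// Matches evaluates the same requirements against a report's labels, so the
// expected report count can be checked before re-running the pipeline.
func Matches(env map[string]string, labels map[string]string) bool {
	for _, spec := range filterSpecs {
		vals := SplitValues(env[spec.envVar], spec.isKind)
		if len(vals) == 0 {
			continue
		}
		found := false
		for _, v := range vals {
			if v == labels[spec.label] {
				found = true
				break
			}
		}
		if !found {
			return false
		}
	}
	return true
}

func main() {
	// Constructed from the values used in the MR's validation steps.
	env := map[string]string{
		"CIS_CONTAINER_NAMES":     "alpine,foobar",
		"CIS_RESOURCE_KINDS":      "pod,node",
		"CIS_RESOURCE_NAMES":      "test-resource-name,foo",
		"CIS_RESOURCE_NAMESPACES": "test-namespace,barqux",
	}
	report := map[string]string{
		"starboard.container.name":     "alpine",
		"starboard.resource.kind":      "Pod",
		"starboard.resource.name":      "test-resource-name",
		"starboard.resource.namespace": "test-namespace",
	}
	fmt.Println("Label selectors:", BuildLabelSelector(env))
	fmt.Println("report matched:", Matches(env, report))

	env["CIS_CONTAINER_NAMES"] = "foobar" // step 8: make the report no longer match
	fmt.Println("Label selectors:", BuildLabelSelector(env))
	fmt.Println("report matched:", Matches(env, report))
}
```

Running it prints the two selector strings from steps 7 and 9 followed by `true` and `false`, mirroring the "Found 1" and "Found 0" log lines; an unset or empty variable simply contributes no `in (...)` clause.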
## MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

- I have evaluated the MR acceptance checklist for this MR.

Related to #340362 (closed)