Add scan_execution_policies endpoint to the Kubernetes internal API
What does this MR do and why?
Addresses #356729 (closed)
This MR adds a new internal API endpoint (`GET /api/v4/internal/kubernetes/modules/starboard_vulnerability/scan_execution_policies`) for the Kubernetes agent, so that scan execution policies can enforce scans on agents.
The API returns the scan execution policies configured through the security policy project for the project the agent is configured in. The API skips the authorization check for `:read_security_orchestration_policies`, as the internal API won't have a `current_user`; the request is instead authenticated by the KAS JWT and the agent token headers shown in the steps below.
How to set up and validate locally
1. Create a new KAS JWT using the rails console:

    ```ruby
    JWT.encode({ 'iss' => Gitlab::Kas::JWT_ISSUER }, Gitlab::Kas.secret, 'HS256')
    ```

2. Create a new GitLab project, configure a security policy project following the docs, and create a new policy using the policy editor.

3. Create a new agent:

    ```ruby
    agent = Clusters::Agent.new(project_id: project.id, created_by_user: User.find(1), name: "test-agent")
    agent.save!
    ```

4. Create a new agent token and retrieve its value:

    ```ruby
    token = Clusters::AgentToken.new(agent: agent, created_by_user: User.find(1), name: "test-agent-token")
    token.save!
    token.token
    ```

5. Send the API request:

    ```shell
    curl --header "Gitlab-Kas-Api-Request: <JWT from step 1>" \
      --header "Authorization: Bearer <token from step 4>" \
      --header "Content-Type: application/json" \
      --url "http://gdk.test:3000/api/v4/internal/kubernetes/modules/starboard_vulnerability/scan_execution_policies"
    ```

    Response:

    ```json
    {
      "policies": [
        {
          "name": "Policy",
          "description": "Policy description",
          "enabled": true,
          "yaml": "---\nname: Policy\ndescription: 'Policy description'\nenabled: true\nactions:\n- scan: container_scanning\nrules:\n- type: pipeline\n branches:\n - main\n",
          "updated_at": "2022-06-02T05:36:26+00:00"
        }
      ]
    }
    ```
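The steps above rely on two things a reviewer will want to see end to end: how the `Gitlab-Kas-Api-Request` header is built and checked (the endpoint has no `current_user`, so this JWT plus the agent token is the whole authorization story), and how an agent turns the returned `policies` array into a list of scans to enforce. The following Ruby is an added example, not code from this MR or from GitLab; it rebuilds the HS256 JWT with the standard library instead of the `jwt` gem, verifies it the way a receiving side should (signature with a constant-time compare, then issuer), and parses a constructed response shaped like the one above. The issuer string `gitlab-kas`, the secret, and the second disabled policy are assumptions made for the example.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'yaml'

# Issuer claim KAS puts in its JWT; assumed here to be what Gitlab::Kas::JWT_ISSUER holds.
KAS_ISSUER = 'gitlab-kas'.freeze

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Build the same HS256 JWT the rails console step produces, without the jwt gem.
def kas_jwt(secret, issuer: KAS_ISSUER)
  header  = b64url(JSON.generate('alg' => 'HS256', 'typ' => 'JWT'))
  payload = b64url(JSON.generate('iss' => issuer))
  signing_input = "#{header}.#{payload}"
  signature = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Constant-time byte comparison so a MAC check does not leak where the mismatch is.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Validate a Gitlab-Kas-Api-Request header value: exactly three segments, HS256,
# a signature that matches under the shared secret, and the expected issuer.
def valid_kas_jwt?(token, secret, issuer: KAS_ISSUER)
  parts = token.to_s.split('.')
  return false unless parts.size == 3
  header_b64, payload_b64, sig_b64 = parts
  header = JSON.parse(Base64.urlsafe_decode64(header_b64))
  return false unless header.is_a?(Hash) && header['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
  return false unless secure_equal?(expected, Base64.urlsafe_decode64(sig_b64))
  payload = JSON.parse(Base64.urlsafe_decode64(payload_b64))
  payload.is_a?(Hash) && payload['iss'] == issuer
rescue JSON::ParserError, ArgumentError, TypeError
  false
end

# Constructed sample response, shaped like the one in the MR description, plus a
# disabled policy (assumed) to show that it is filtered out.
SAMPLE_RESPONSE = JSON.generate(
  'policies' => [
    { 'name' => 'Policy', 'description' => 'Policy description', 'enabled' => true,
      'yaml' => "---\nname: Policy\ndescription: 'Policy description'\nenabled: true\n" \
                "actions:\n- scan: container_scanning\nrules:\n- type: pipeline\n  branches:\n  - main\n",
      'updated_at' => '2022-06-02T05:36:26+00:00' },
    { 'name' => 'Disabled', 'description' => '', 'enabled' => false,
      'yaml' => "---\nname: Disabled\nenabled: false\nactions:\n- scan: sast\nrules: []\n",
      'updated_at' => '2022-06-02T05:36:26+00:00' }
  ]
)

# Return the scan types an agent must enforce: only enabled policies, only
# well-formed YAML documents with a list of `scan:` actions.
def enforced_scans(response_body)
  scans = []
  JSON.parse(response_body).fetch('policies', []).each do |policy|
    next unless policy['enabled']
    doc = YAML.safe_load(policy['yaml'].to_s)
    next unless doc.is_a?(Hash)
    Array(doc['actions']).each { |a| scans << a['scan'] if a.is_a?(Hash) && a['scan'] }
  end
  scans.uniq
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-shared-secret'
  token = kas_jwt(secret)
  puts "header value: #{token}"
  puts "valid under shared secret: #{valid_kas_jwt?(token, secret)}"
  puts "valid under wrong secret:  #{valid_kas_jwt?(token, 'other-secret')}"
  puts "scans to enforce: #{enforced_scans(SAMPLE_RESPONSE).inspect}"
end
```

`YAML.safe_load` is used deliberately: the policy YAML comes from the security policy project, so it is treated as data rather than loaded with a parser that can instantiate arbitrary Ruby objects.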
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.