From YouTube: Cluster Image Scanning - Demo
Description
Demo of the new feature introduced in GitLab 14.1.
More information: https://gitlab.com/groups/gitlab-org/-/epics/3410
Documentation: https://docs.gitlab.com/ee/user/application_security/cluster_image_scanning/index.html
Hello everyone, my name is Manchester Chefsky and I'm a backend engineer at GitLab, and today I would like to talk about cluster image scanning, the new feature that we just introduced in 14.1. If your Kubernetes cluster is running lots of images that you're not analyzing in your CI/CD pipelines, then this is the feature for you. It is made to get vulnerabilities from your cluster into GitLab, so you can manage them as you usually do for any other type of vulnerability.
You need to have a GitLab Runner that can run the Docker or Kubernetes executor, Docker itself installed on the same computer as the runner, and the Starboard operator that we're going to install during this demo. Let's get started by creating a new cluster in Google Cloud Platform. In the Google Cloud Platform console, click Create, choose the standard cluster, and then choose a name for your cluster. I've chosen starboard-demo and I just hit Create with the default values.
Let's create a new deployment. The Starboard operator will work not only for deployments that were scheduled after the Starboard operator is installed, but also for those that were already installed in the cluster. So I'm going to choose nginx 1.18, I'll get the deployment ready, and then I'll get back to installing the Starboard operator.
And I can get back to the documentation, and I just need to click on the Starboard link in the implementation section to learn how to install the Starboard operator into your cluster. So here are the instructions. If you need to know more about the Starboard operator, I recommend you check this site; you'll be able to take a look at the configuration, but also at the different types of config for installing the Starboard operator.
So now I can see if I can get some reports. Yeah, there is already one. So I can take a look and read the vulnerability report itself in kubectl by just changing the output type to YAML. Let's see what we can find here. All right, I have some vulnerabilities. Now I want to get them into GitLab, so I can view them and manage them using GitLab. In the documentation you can find the "Configuring the cluster" section, and then I'll just apply it step by step.
What we need to have is only getting, watching and listing vulnerability reports. Nothing more is needed. We don't need to get more information about the cluster, only those things. And you can specify which namespaces you would like to apply it to as well, but only those things are important for us to get vulnerabilities into GitLab. So let's get back and, step by step, get the API URL, token and certificate. Okay, I have the API URL, the second variable, then the CA certificate.
cisdemo. Finally, I'm going to create the project and then I'll go directly to Settings, CI/CD, I'll choose Variables, expand it, and I'll add the new variable that I've just obtained with the command line. So CIS_KUBECONFIG is a variable that we are going to use that will be sent to the analyzer. The analyzer will use it to connect to the cluster and get those vulnerabilities into GitLab, and I can go back to the documentation and take a look at what I need to configure and how to configure the CI/CD pipelines and the .gitlab-ci.yml file to include this type of analyzer in my pipeline. So let's just copy it.
All right, the job is done. I can see that I can get the vulnerability reports from Starboard. So now I can go to the pipeline and take a look at the Security tab to see if I have vulnerabilities. Yeah, those were found, so I can click on one and then see what's wrong, which image, and what I need to do to improve that. Okay, that's great.
Now I can create a new deployment with a different type of image. I'm going to just deploy Couchbase, with a quite old version of Couchbase, and then we'll see if we can get the report into GitLab as well. Let's go to Pipelines and let's create a new pipeline. Let's just run it to see if we can get new vulnerabilities from Couchbase into the Security tab. Let's go to the pipeline Security tab and let's look for the vulnerabilities found for the new deployment that we've just created for Couchbase, and these are here on this page, and you can see we can get some from the pods as well, from different deployments that were deployed after Starboard is deployed. So whenever you hit the pipeline run, it will get the newest vulnerabilities found in your cluster. Okay, and these can already be found in the vulnerability report itself.
Okay, let's get back to the documentation and see what else we can do with our new feature. So we can customize the cluster image scanning settings by applying different CI variables. For example, you can specify that you'd like to get only vulnerabilities for a given container name or for a given resource name. You can also go to the Starboard operator page and read more about getting started and the configuration itself, so it can be configured just for your needs. So you can specify which namespace you would like to scan, or if you'd like to scan multiple namespaces or all; it's all in the documentation. So you just need to go there and configure a ConfigMap to support that.
Okay, it's finished. I can get back to my pipeline view, get back to the Security tab and see if it's indeed only filtering the results that I wanted to get, so only for Couchbase.