Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Protect Stage / 6 Sep 2021
GitLab / Protect Stage / 6 Sep 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Enforcing Cluster Image Scanning in Security Policy - Demo

Description

In this demo we are adding new scans to Security Policies: Cluster Image Scanning and Container Scanning. This allows us to enforce running Cluster Image Scanning and Container Scanning scans defined in the policy or schedule scans to run periodically.

Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/330714
MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/69253

A

Hello: everyone, my name, is fatih prashovsky and I'm the topic here for container security group, and today I would like to talk about extending scheduled scanning, supposedly with new analyzer, with new scan cluster event scanning.

A

um There is an openmr that soon will be reviewed and merged, and today I would like to talk about features that are introduced with this. Mr, so let's go and let's quickly create a new project for us.

A

Okay, make it public all right. Let me quickly create very simple csv file.

A

Okay, now, let's go to graphql: let's create security policy perfect for this project.

A

Okay, let's just disable protected branches for our repository, so it will be easier for us to uh to push to main without need for any additional approvals. Okay, let's go to reference three and, let's create all see some policies. First, for our project payment file.

A

Let's take a look at the examples that we currently have and then scanning will be the first one. Okay. um So for now, let's see if we already have something in cica pipelines for our project, we should have one that is running our test, say hi our job. Okay, I'm gonna! Just do that.

A

Commit changes in our main project, I'll go to cicd configuration I'll just add variables. It will allow us to run continuous scanning scan because, with this new feature, we're not only adding cluster net scanning you're, also adding regular container scanning for your static containers, so I'll just provide docker image with files through alpine 3.6.

A

um I'll just add the variable itself, then we'll go to cip pipeline and I'll trigger it. Manually you'll actually see a second job is added for continuous scanning.

A

um Okay, so I can actually do the same and modify it and instead of using the scanning scan, I can use clustermint scanning, so it will extend our pipeline either manually triggered or for your, mr, with additional job that will run cluster image scanning scan.

A

So now, if I'll go and trigger this pipeline again, it will automatically extend my pipeline. Both this cluster emits scanning job. So obviously it will not work for us uh in this case because it is not configured. We haven't added any uh like ci variable that should allow us to to perform a scan regular cluster. If you want to read more about classroom and scanning, I remember mine going to docs and there's like the whole section that allows you to how to configure a cluster and how to provide the cis config variable to your project.

A

um So it will automatically get vulnerabilities that you wanted to get right, but you see that department itself is extended. The job will fail because it was not configured for us. There is no cube config, but it was added so that that's what was important for us. um So now we can talk about actual feature that we want to add. So allow you to schedule a scan like classroom and scanning scan on your selected cluster um on set date set time um so set cadence. You can specify okay.

A

I would like to run it every five minutes or every 24 hours. So this is what we're going to do with that, to simplify things and not go to the whole, all sections that we already have here, what I'm going to do, I'm going to go to my project I'll first add a new kubernetes cluster.

A

Gonna just name it um production cluster.

A

So now one of the examples that we have here is actually how to run it on selected cluster. So I'll just do that so I'll go to my policy and I'll modify it. So I have here the advanced example we'll go to this example in a second I'm just going to remove that and leave the empty object here and I'm going to copy the name of the cluster and I'll paste it here. We're going to run container scanning scan for it will regularly extend the pipeline.

A

So when you manually trigger the scan, it will extend that with under scanning scan, then because we've added clusters uh policy engine will recognize that you want to run container scanning scan on the cluster. So it will automatically translate that clusterman scanning scan. So it will get a configuration conflict for the cluster itself. It will connect and get vulnerabilities from your cluster, and we also added additional thing here.

A

So when you're not specifying the clusters but you're specifying branches, what it will do, it will either actually run regular container scanning scan as a separate job for your project.

A

So I wanted to show you that this allows me to show that in a single um single policy, so I'll start it is added so I'll start by going to and triggering like manual uh manual job.

A

Okay, so you see, containers can goes at it and now let's wait for a few minutes to to have these policies applied. So we need to wait for a few minutes, uh so we're gonna have schedule scans for the cluster and for regular container scanning scan and it should should be added automatically.

A

All right so see we have two jobs to separate pipelines with one job with braddock, so the first one is cluster image scanning scan because we specified here that we want to run it on the clusters. So the engine responsible for running those policies understands that if you configure that for the cluster, it will actually run it on clustering and scanning scan instead of continuous scanning, but as well since we've added also that for branches it added separate uh pipeline with additional job just to run container scanning scan.

A

Additionally, so you can see we have two, so both were passed. So, let's take a look here and let's see if we have found any uh police, okay, that found seven reports, it was added. So now we can go to vulnerable to report and take a look at uh different abilities that were added so for both classroom and scanning and container scanning. We have on the baltics, they were found right. This is great, I can go and I will modify it and now enforce instead of enforcing like container scanning scan.

A

I can add first cluster with scanning scan.

A

Okay, so what it will do to actually run regular classroom scanning on this cluster, then it will automatically extend all your pipelines through it like triggered manually or or mrs and so on. uh It will extend that with this cluster and scanning scan job, or it will add additional schedule that will actually every five minutes run uh classroom and scanning scan for your project for the variable that you defined in your project. So let's assume that that we have that variable are configured here.

A

I can add the variable cis cube, config and I'll just add the configuration of it. It will add in a job that will actually take that uh configuration from that variable and it will use that to run a clustering scanning scan.

A

uh So this this is. This was added just to make sure that you explicitly want to run cluster image scanning scan if you just wanted to to handle it automatically, you can specify container scanning and then based on the role that you have. It will run proper scan for you. If you want to enforce explicitly classroom scanning scan without this auto selection, then you need to specify the clustering scanning.

A

Okay, I'll, go back to container scanning and I'll just add one machine thing, um so we'll actually filter some results based on the configuration added into into the policy.

A

So in this example, what we're gonna do we're gonna, actually I'll just comment. Those changes, we're gonna wait for a few minutes, um while waiting. I'm gonna just quickly talk about what will happen, so it will take a look at the names of the containers of the resources or namespace or the kinds and will actually filter based on those values. So, for example, let's say I have uh nginx www deployment added gitlab production namespace that it has like nginx container to only get me vulnerabilities from that container.

A

um These all are optional. You can specify, for example, I would only get variables for deployments or only for given namespace or for given resource so and for now uh and first iteration. We are supporting only the first value. So, even if you add more, it's not yet supported on the analyzer, but as soon as we are adding that analyzer, it will allow us to filter multiple values provided for a single type.

A

For now, only the first one will be taken and we don't really have on our cluster. Anything like that. So I expect that when we are going to schedule that it will actually found now affordable setup, we were waiting for some time. Let's go back to our cice and let's see if we have pipelines that are added.

A

So again we have two pipelines. We want to get it for clustering scanning and let's see what on the laser received and if those values were filtered out or not. Okay, see no reports were found because we actually have no uh no resources that are matching values that we provided here, but it it allows you to to modify it. It allows you to actually specify what you really want to get uh which variables you would like to see in your project.

A

Okay, that would be it if you have more questions, feel free to ask the issue uh or in the epic we're happy to help we're extending the help as well, to give more information about that, and we can extend that feature in the future. Thank you.