
OpenShift 4 - DevSecOps Workshop (14) - Image Compliance Scanning

OpenShift 4.x HOL Tutorial Collection

Note: this article has been verified on OpenShift 4.8.

This section adds a Task to the Pipeline that performs a compliance scan of the built image. The scan itself is carried out by a container based on OpenSCAP.

  1. Run the following commands to create the compliance-scan Task named "oscap-image-scan". The Task first pulls the image to be scanned, then scans it against the "xccdf_org.ssgproject.content_profile_standard" compliance profile, and finally uploads the scan report to Nexus under the corresponding user's path.
$ NEXUS_URL=$(oc get route nexus -n devsecops -ojsonpath={.spec.host})
$ oc apply -f - << EOF
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: oscap-image-scan
  namespace: ${CICD}
spec:
  params:
  - name: xccdfProfile
    description: The oscap xccdf profile to use when calling the oscap-chroot command
    default: xccdf_org.ssgproject.content_profile_standard
  - name: oscapProfilePath
    description: The full path to the oscap content file
    default: /usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml
  - name: container-imagetag
    type: string
    default: latest
  - name: container-image-url
    type: string
    default: >-
      image-registry.openshift-image-registry.svc.cluster.local:5000/${CICD}/tasks
  steps:
  - name: scan-image
    image: quay.io/redhatgov/image-scanner:latest
    script: >
      #!/bin/sh

      echo "Pulling image \$(params.container-image-url)" 

      buildah from --tls-verify=false --storage-driver vfs "docker://\$(params.container-image-url):\$(params.container-imagetag)" 

      container_id=\$(buildah --storage-driver vfs containers -q) 

      echo "Container ID: \$container_id" 

      echo "Mounting the container..." 

      mount_point=\$(buildah mount --storage-driver vfs \$container_id | cut -d' ' -f2) 

      echo "Running oscap-chroot scan" 

      oscap-chroot "\$mount_point" xccdf eval --profile "\$(params.xccdfProfile)" --report /tmp/report.html "\$(params.oscapProfilePath)"

      # echo "Displaying contents of /tmp/report.html"

      # echo "********** START OF report.html **********" 

      # cat /tmp/report.html 

      # echo "********** END OF report.html ************" 

      echo "Uploading report.html to https://${NEXUS_URL}/repository/oscap-reports/${USER}/report.html"

      curl -k --user 'deployment:deployment123' --upload-file /tmp/report.html https://${NEXUS_URL}/repository/oscap-reports/${USER}/report.html
EOF
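The Task above uploads report.html but never examines the scan outcome, so the pipeline run succeeds even when the profile reports failing rules (oscap itself signals this with exit status 2). The script below is an added example, not part of the workshop or of the image-scanner container: it assumes the oscap-chroot call is extended with `--results /tmp/results.xml`, which writes the XCCDF result XML, and parses that file to list failing rules and to fail the step when more than an allowed number of rules failed. The helper names (`failed_rules`, `gate_scan`) and the embedded results file are constructed for this demonstration; a real results file has many more rule-result elements of the same shape.

```shell
#!/bin/sh
# Added example (not part of the workshop): turn the oscap-chroot step into a
# gate by reading the XCCDF results file that `--results /tmp/results.xml`
# would produce, instead of only uploading report.html and always succeeding.

# Constructed sample of an XCCDF results file, trimmed to the elements the gate
# reads. A real file from oscap-chroot has the same rule-result/result shape.
write_sample_results() {
  cat > "$1" <<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_standard">
    <rule-result idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" severity="high" weight="1.0">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" severity="high" weight="1.0">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" severity="medium" weight="1.0">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" severity="medium" weight="1.0">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
XML
}

# Print the idref of every rule whose <result> is "fail".
# Usage: failed_rules results.xml [severity]   (the severity filter is optional)
failed_rules() {
  awk -v want="${2:-}" '
    # Remember the rule id and severity from the opening rule-result tag.
    /<rule-result / {
      id = $0; sub(/.*idref="/, "", id); sub(/".*/, "", id)
      sev = ""
      if ($0 ~ /severity="/) { sev = $0; sub(/.*severity="/, "", sev); sub(/".*/, "", sev) }
    }
    # Emit the id when the result element of that rule reports a failure.
    /<result>fail<\/result>/ { if (want == "" || sev == want) print id }
  ' "$1"
}

# Return non-zero when more than max_failures rules failed, so the Tekton
# step (and therefore the PipelineRun) fails instead of silently passing.
# Usage: gate_scan results.xml max_failures [severity]
gate_scan() {
  n=$(failed_rules "$1" "${3:-}" | wc -l | tr -d ' ')
  echo "failing rules${3:+ (severity $3)}: $n, allowed: $2"
  [ "$n" -le "$2" ]
}

# Stand-alone demo on the constructed sample.
sample=/tmp/oscap_gate_sample.xml
write_sample_results "$sample"
echo "rules that failed:"
failed_rules "$sample"
gate_scan "$sample" 0 || echo "gate would fail this Tekton step"
```

In the Task, the gate would run right after the oscap-chroot line and before the upload, e.g. `gate_scan /tmp/results.xml 0 high`, so that high-severity findings block the pipeline while the full report is still pushed to Nexus for review.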
           
  2. Add the privileged SCC (Security Context Constraints) to the ServiceAccount named pipeline; the scan step needs it because it pulls and mounts the image with buildah.
$ oc adm policy add-scc-to-user privileged -z pipeline
           
  3. Append the oscap-image-scan task to the Pipeline.
$ TASKS="$(oc get pipelines tasks-dev-pipeline -n ${CICD} -o yaml | yq r - 'spec.tasks' | yq p - 'spec.tasks')" 
$ oc patch pipelines tasks-dev-pipeline -n ${CICD} --type=merge -p "$(cat << EOF
$TASKS
    - name: oscap-image-scan
      taskRef:
        kind: Task
        name: oscap-image-scan
      params:
        - name: xccdfProfile
          value: xccdf_org.ssgproject.content_profile_standard
        - name: oscapProfilePath
          value: /usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml
        - name: container-imagetag
          value: latest
        - name: container-image-url
          value: image-registry.openshift-image-registry.svc.cluster.local:5000/${USER}-cicd/tasks
      runAfter:
        - create-image
EOF
)"
           

Alternatively, add the oscap-image-scan task to the Pipeline named tasks-dev-pipeline in the OpenShift console.

  4. Run the Pipeline from the OpenShift console, or start it with the following command.
$ tkn pipeline start tasks-dev-pipeline -n ${CICD} --showlog \
   --resource pipeline-source=tasks-source-code \
   --workspace name=local-maven-repo,claimName=maven-repo-pvc
           
  5. Confirm that the Pipeline run succeeds.
  6. Log in to the Nexus console as the corresponding user; under Browse you can see the oscap-reports repository.
  7. In the details of report.html, open the link shown after Path to view the compliance scan report.
