Container ssa annotate success #15031
Conversation
enoodle
changed the title
|
@miq-bot assign enoodle |
|
@moolitayer can you review this? |
app/models/miq_action.rb
Outdated
| @@ -730,7 +730,19 @@ def action_container_image_analyze(action, rec, inputs) | |||
| rec.scan | |||
| end | |||
|
|
|||
| def action_container_image_annotate_allow_execution(action, rec, inputs) | |||
| _log.info("EREZ DEBUG:: in function #{__method__}") | |||
app/models/container_image.rb
Outdated
| def annotate_allow_execution(causing_policy) | ||
| annotate_image({ | ||
| "security.manageiq.org/successful-policy" => causing_policy, | ||
| "images.openshift.io/allow-execution" => "true" |
There was a problem hiding this comment.
I see what you're asking now. It seems you don't want to overwrite an annotation. Once it's non-compliant it should stay that way. I don't see how adding another annotation helps. Now you could have both allow and deny annotations co-existing. A single boolean is cleanest implementation. How about a single method that accepts a pass/fail boolean?
def annotate_execution(causing_policy, deny_execution)
annotate_image({
"security.manageiq.org/policy" => causing_policy,
"images.openshift.io/deny-execution" => deny_execution
})
There was a problem hiding this comment.
Is allow-execution annotation even a thing? Will openshift admission plugin look at it? https://docs.openshift.com/container-platform/latest/admin_guide/image_policy.html gives me the impression only deny-execution is a thing, with value true or false.
app/models/container_image.rb
Outdated
| "security.manageiq.org/failed-policy" => causing_policy, | ||
| "images.openshift.io/deny-execution" => "true" | ||
| ) | ||
| }) |
There was a problem hiding this comment.
@aweiteka can you review these annotations?
db/fixtures/miq_policy_sets.yml
Outdated
| enabled: | ||
| MiqAction: | ||
| name: container_image_annotate_allow_execution | ||
| description: Prevent container image from running on OpenShift |
app/models/miq_action.rb
Outdated
| def action_container_image_annotate_deny_execution(action, rec, inputs) | ||
| _log.info("EREZ DEBUG:: in function #{__method__}") |
app/models/container_image.rb
Outdated
| def annotate_allow_execution(causing_policy) | ||
| annotate_image({ | ||
| "security.manageiq.org/successful-policy" => causing_policy, | ||
| "images.openshift.io/allow-execution" => "true" |
There was a problem hiding this comment.
I see what you're asking now. It seems you don't want to overwrite an annotation. Once it's non-compliant it should stay that way. I don't see how adding another annotation helps. Now you could have both allow and deny annotations co-existing. A single boolean is cleanest implementation. How about a single method that accepts a pass/fail boolean?
def annotate_execution(causing_policy, deny_execution)
annotate_image({
"security.manageiq.org/policy" => causing_policy,
"images.openshift.io/deny-execution" => deny_execution
})
|
I think compliancy cannot change from this point of view, since we only annotate openshift images, so that's fine: |
Technically that doesn't matter because other scanning tools have the same privilege to the cluster and may annotate all images in any namespace. We'll deal with this later once this PR is merged, but I wanted to clarify. |
|
My main problem with this PR is that it is not working currently.. I must have not defined something important for the policy. @moolitayer @cben if you could take a look and maybe give me a hint it would be nice. Also, is there a point of contact in ManageIQ for policies that we could ask for advice? |
|
What happens when you call the action method directly, does it work? |
enoodle
force-pushed
the
container_ssa_annotate_success
branch
2 times, most recently
from
80f8b37
to
df8b918
Compare
|
This is now successfully annotating compliant images and also adds the quality summary from #15212 This is still WIP becuase I need to understand how to map the severity levels |
enoodle
force-pushed
the
container_ssa_annotate_success
branch
from
df8b918
to
ae8017c
Compare
enoodle
force-pushed
the
container_ssa_annotate_success
branch
from
ae8017c
to
6d8b936
Compare
This is a good question. I missed that this mapping is happening. I don't see why we don't just pass the results through to the MIQ user unless we are trying to simplify (3 states vs 4?). But any interpretation we do moves us away from an "OpenSCAP provider" to an "MIQ provider (fed by OpenSCAP results)". Any change here would break backwards compatibility with the policy. Workaround would be to carry logic "critical OR high" in the policy. |
I missed it too, Sorry. Do you agree to |
|
The severity is not coming from @OpenSCAP but from the NIST XCCDF specification. There are actually 5 possible states. See https://scap.nist.gov/specifications/xccdf/xccdf_element_dictionary.html#severityEnumType Could we just use this as it is? |
|
@mpreisler We need to send it as detailed here: https://github.com/adellape/openshift-docs/blob/master/security/container_content.adoc#container-content-scanning I will use your link to make a 1-1 map of those 5 seventies that both have. Thank you. |
enoodle
force-pushed
the
container_ssa_annotate_success
branch
from
6d8b936
to
be96afc
Compare
enoodle
changed the title
|
@aweiteka @moolitayer Can you please take another look? |
enoodle
force-pushed
the
container_ssa_annotate_success
branch
from
d2346d8
to
7334216
Compare
|
Checked commits enoodle/manageiq@803fbfd~...7334216 with ruby 2.3.3, rubocop 0.47.1, and haml-lint 0.20.0 |
|
@gtanzillo Can you review this please? It can be changed with respect to #16213 if needed. |
|
@aweiteka Please take a look |
|
@enoodle Cannot apply the following label because they are not recognized: bug gaprindashvili/yes |
|
@miq-bot add_label gaprindashvili/yes bug |
|
@enoodle Cannot apply the following label because they are not recognized: gaprindashvili/yes bug |
|
@enoodle the bot was missing a comma |
|
What release is this planned for? Any instructions how to port it back to old version of CF? |
|
@mjudeikis It is aimed for gaprindashvili. As for backports, because it is based on ManageIQ/manageiq-providers-openshift#41 which itself is based on other gaprindashvili PRs since the repositories split, backporting will not be trivial. |
|
@enoodle Is this replacing |
|
@chessbyte Yes, it is based on a change in |
|
@gtanzillo who can take a look |
|
@gtanzillo I updated the miqAction tests that were effected by this, but couldn't find any tests for miq_policy_sets.yml , do you know of any? |
|
🎉 |
Container ssa annotate success (cherry picked from commit 9835af3) https://bugzilla.redhat.com/show_bug.cgi?id=1515438
|
Gaprindashvili backport details: |
Fixes #15013
This should be merged together with ManageIQ/manageiq-providers-openshift#41
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1458678