OpenShift 4.x HOL Tutorial Collection
Note: this article has been verified in an OpenShift 4.8 environment.
OpenShift 4 - DevSecOps Workshop video series
This section adds a Task to the Pipeline that performs a compliance scan of the built image. The scan is carried out by a container based on OpenSCAP.
- Run the following commands to create the compliance scan Task "oscap-image-scan". The Task first pulls the image to be scanned, then scans it against the "xccdf_org.ssgproject.content_profile_standard" profile, and finally uploads the scan report to Nexus under the corresponding user's path.
$ NEXUS_URL=$(oc get route nexus -n devsecops -ojsonpath={.spec.host})
$ oc apply -f - << EOF
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: oscap-image-scan
  namespace: ${CICD}
spec:
  params:
  - name: xccdfProfile
    description: The oscap xccdf profile to use when calling the oscap-chroot command
    default: xccdf_org.ssgproject.content_profile_standard
  - name: oscapProfilePath
    description: The full path to the oscap content file
    default: /usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml
  - name: container-imagetag
    type: string
    default: latest
  - name: container-image-url
    type: string
    default: >-
      image-registry.openshift-image-registry.svc.cluster.local:5000/${CICD}/tasks
  steps:
  - name: scan-image
    image: quay.io/redhatgov/image-scanner:latest
    # securityContext is a step (container) field, not a Task field; it relies on the
    # privileged SCC granted to the pipeline ServiceAccount in the next step
    securityContext:
      privileged: true
    # literal block (|) keeps one command per line; a folded block (>) would join them into one line
    script: |
      #!/bin/sh
      echo "Pulling image \$(params.container-image-url)"
      buildah from --tls-verify=false --storage-driver vfs "docker://\$(params.container-image-url):\$(params.container-imagetag)"
      container_id=\$(buildah --storage-driver vfs containers -q)
      echo "Container ID: \$container_id"
      echo "Mounting the container..."
      mount_point=\$(buildah mount --storage-driver vfs \$container_id | cut -d' ' -f2)
      echo "Running oscap-chroot scan"
      oscap-chroot "\$mount_point" xccdf eval --fetch-remote-resources --profile "\$(params.xccdfProfile)" --report /tmp/report.html "\$(params.oscapProfilePath)"
      # echo "Displaying contents of /tmp/report.html"
      # echo "********** START OF report.html **********"
      # cat /tmp/report.html
      # echo "********** END OF report.html ************"
      echo "Uploading report.html to https://${NEXUS_URL}/repository/oscap-reports/${USER}/report.html"
      # workshop credential, baked in at apply time; outside a lab, source it from a Secret instead
      curl -k --user 'deployment:deployment123' --upload-file /tmp/report.html https://${NEXUS_URL}/repository/oscap-reports/${USER}/report.html
EOF
- Grant the privileged SCC (Security Context Constraint) to the ServiceAccount named pipeline.
$ oc adm policy add-scc-to-user privileged -z pipeline -n ${USER}
- Run the following command to test the oscap-image-scan Task.
$ tkn task start oscap-image-scan --showlog -n ${CICD} \
--param xccdfProfile=xccdf_org.ssgproject.content_profile_standard \
--param oscapProfilePath=/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml \
--param container-image-url=image-registry.openshift-image-registry.svc.cluster.local:5000/${DEV}/tekton-tasks \
--param container-imagetag=latest
TaskRun started: oscap-image-scan-run-g76tz
Waiting for logs to be available...
[scan-image] Pulling image image-registry.openshift-image-registry.svc.cluster.local:5000/user1-dev/tekton-tasks
[scan-image] Getting image source signatures
[scan-image] Copying blob sha256:3daa086d507c054341d9980d84f236e721560ce925004630866944a0f621328e
[scan-image] Copying blob sha256:31114e120ca0c7dc51e01721c5a689a614edb6c86de11301d503c72be1540c79
[scan-image] Copying blob sha256:2dff5290dc62e78b13a15f22e433d076e59ae6e1f25b1b0b14882ac25457c176
[scan-image] Copying blob sha256:c9281c141a1bfec06e291d2ad29bfdedfd10a99d583fc0f48d3c26723ebe0761
[scan-image] Copying config sha256:60263c74f94a0f00d680c6d1a2c5584f5eaaba301765e6265b578d11129de64e
[scan-image] Writing manifest to image destination
[scan-image] Storing signatures
[scan-image] image-registry.openshift-image-registry.svc.cluster.local-working-container
[scan-image] Container ID: 0f3b0f54f9600ac2b88ec92cf5e77a7b268856d914acbaeb2e742976088ccea4
[scan-image] Mounting the container...
[scan-image] Running oscap-chroot scan
[scan-image] Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml ... ok
[scan-image] Prevent Login to Accounts With Empty Password
[scan-image] xccdf_org.ssgproject.content_rule_no_empty_passwords
[scan-image] Result fail
[scan-image]
[scan-image] Ensure that Roots Path Does Not Include World or Group-Writable Directories
[scan-image] xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write
[scan-image] Result pass
[scan-image]
[scan-image] Record Events that Modify the Systems Mandatory Access Controls
[scan-image] xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
[scan-image] notapplicable
...
[scan-image]
[scan-image] Uploading report.html to https://nexus-devsecops.apps.cluster-394c.394c.sandbox1709.opentlc.com/repository/oscap-reports/user1/report.html
[scan-image] % Total % Received % Xferd Average Speed Time Time Time Current
[scan-image] Dload Upload Total Spent Left Speed
100 1003k 0 0 100 1003k 0 17.8M --:--:-- --:--:-- --:--:-- 17.8M
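The run above reports individual rules as fail and pass, yet the step still succeeds: oscap-chroot exits with status 2 when any rule fails, but the script ignores that status and the final curl decides the step's exit code. The following gate is an added example, not part of the workshop; it assumes the oscap-chroot call is given an extra `--results /tmp/results.xml` flag so that machine-readable XCCDF results are written next to report.html, and it parses a constructed results file shaped like that output to decide go/no-go on high-severity failures.

```python
"""Gate a pipeline on OpenSCAP XCCDF results (added example, not workshop code)."""
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample mirroring the three rules visible in the workshop log above.
SAMPLE_RESULTS = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.ssgproject.content_benchmark_CENTOS-7">
  <TestResult id="xccdf_org.open-scap_testresult_standard">
    <rule-result idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_mac_modification" severity="medium">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def summarize(xml_text):
    """Return {result: [(rule_id, severity), ...]} for every rule-result in the file."""
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF_NS}
    summary = {}
    for rr in root.iterfind(".//x:TestResult/x:rule-result", ns):
        result = rr.findtext("x:result", default="unknown", namespaces=ns)
        summary.setdefault(result, []).append((rr.get("idref"), rr.get("severity", "unknown")))
    return summary


def gate(xml_text, block_severities=("high",)):
    """Return (ok, blocking_rule_ids): ok is False if any rule at a blocking severity failed."""
    failed = summarize(xml_text).get("fail", [])
    blocking = [rule_id for rule_id, sev in failed if sev in block_severities]
    return len(blocking) == 0, blocking


if __name__ == "__main__":
    # Pass the path written by --results; without an argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    ok, blocking = gate(text)
    for rule_id in blocking:
        print("BLOCKING FAIL:", rule_id)
    sys.exit(0 if ok else 2)  # non-zero status makes the Tekton step, and so the Pipeline, fail
```

Run it as the last command of the scan step (after the upload) so the report is still published even when the gate fails.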
- Append the oscap-image-scan task to the Pipeline.
$ TASKS="$(oc get pipelines tasks-dev-pipeline -n ${CICD} -o yaml | yq r - 'spec.tasks' | yq p - 'spec.tasks')"
$ oc patch pipelines tasks-dev-pipeline -n ${CICD} --type=merge -p "$(cat << EOF
$TASKS
  # the appended item must align with the existing spec.tasks list items emitted by yq
  - name: oscap-image-scan
    taskRef:
      kind: Task
      name: oscap-image-scan
    params:
    - name: xccdfProfile
      value: xccdf_org.ssgproject.content_profile_standard
    - name: oscapProfilePath
      value: /usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml
    - name: container-imagetag
      value: latest
    - name: container-image-url
      value: image-registry.openshift-image-registry.svc.cluster.local:5000/${USER}-dev/tekton-tasks
    runAfter:
    - create-image
EOF
)"
Alternatively, add the oscap-image-scan task to the Pipeline named tasks-dev-pipeline in the OpenShift console.
- Run the Pipeline named tasks-dev-pipeline from the OpenShift console, or start it with the following command.
$ tkn pipeline start tasks-dev-pipeline -n ${CICD} --showlog \
--resource pipeline-source=tasks-source-code \
--workspace name=local-maven-repo,claimName=maven-repo-pvc
- Confirm that the Pipeline run succeeds.
- Log in to the Nexus console as the corresponding user; under Browse you can see the oscap-reports repository.
- On the report.html details page, open the link shown after Path to view the compliance scan report.