OpenShift Security (11) - Scanning deployments for security risks with RHACS in a DevOps CI/CD pipeline


OpenShift 4.x HOL tutorial index
This article was verified on OpenShift 4.15 + RHACS 4.4.3.

Demo video

Note: in addition to RHACS, the environment also needs the OpenShift Pipelines Operator installed beforehand.

  1. Run the command to download the project code.
$ git clone https://github.com/liuxiaoyu-git/acs-automation.git
  2. Run the commands to deploy the Pipeline resources.
$ oc new-project rox-ctl-pipeline
$ cd acs-automation/ci/OpenShift-Pipelines
$ oc apply -f Tasks/
$ oc apply -f Pipeline/
  3. In the RHACS console, open Integrations, find "StackRox API Token" and enter it. Then generate a token named "pipeline-token" with the "Continuous Integration" role.
    [screenshot]
  4. After the token is created it is displayed as in the figure below; copy the string.
    [screenshot]
  5. Run the command to create a secret from the PIPELINE-TOKEN obtained above.
$ oc create secret generic acs-secret -n rox-ctl-pipeline \
    --from-literal=acs_central_endpoint=$(oc get route central -n stackrox --template='{{ .spec.host }}'):443 \
    --from-literal=acs_api_token=<PIPELINE-TOKEN>
  6. Run the command to start the PipelineRun.
$ oc create -f PipelineRun/
  7. Then check the PipelineRun in the OpenShift console and confirm that all of its tasks complete.
    [screenshot]
  8. Look at the log of the "rox-deployment-check" task and confirm that it ends with "Setting overall result to pass". This is because the default PipelineRun has RHACS check only "ci/OpenShift-Pipelines/assets-for-validation/namespace.yaml", which passes the security check.
    [screenshot]
  9. Edit the local "ci/OpenShift-Pipelines/PipelineRun/acs-pipelineRun.yaml" file and change the following "false" to "true".
 - name: recursive-search
   value: "false"
  10. Run the command again to start another PipelineRun.
$ oc create -f PipelineRun/
  11. Then check the PipelineRun in the OpenShift console and confirm that it only gets through the second task. Look at the log of the "rox-deployment-check" task and confirm that it reports violations in "assets-for-validation/layer1/layer1-service.yaml", "assets-for-validation/layer1/pod.yml" and "assets-for-validation/layer1/layer1.yaml", which is why it ends with "Setting overall result to fail".
Getting roxctl
Deployment check on file : /files/ci/Tekton/Scenario2/assets-for-validation/namespace.yaml
Flag --json has been deprecated, use the new output format which also offers JSON. NOTE: The new output format's structure has changed in a non-backward compatible way.
 -- No errors found in this file --
 
Deployment check on file : /files/ci/Tekton/Scenario2/assets-for-validation/layer1/layer1-service.yaml
Flag --json has been deprecated, use the new output format which also offers JSON. NOTE: The new output format's structure has changed in a non-backward compatible way.
6 alerts found ...
  Alert policy name : Latest tag
  Description : Alert on deployments with images using tag 'latest'
  Rationale   : Using latest tag can result in running heterogeneous versions of code. Many Docker hosts cache the Docker images, which means newer versions of the latest tag will not be picked up. See https://docs.docker.com/develop/dev-best-practices for more best practices.
  Remediation : Consider moving to semantic versioning based on code releases (semver.org) or using the first 12 characters of the source control SHA. This will allow you to tie the Docker image to the code.
  -- Policy violations will not stop the build process --
...

-----------------------------------------------------
Deployment check on file : /files/ci/Tekton/Scenario2/assets-for-validation/layer1/pod.yml
Flag --json has been deprecated, use the new output format which also offers JSON. NOTE: The new output format's structure has changed in a non-backward compatible way.
5 alerts found ...
  Alert policy name : Pod Service Account Token Automatically Mounted
  Description : Protect pod default service account tokens from compromise by minimizing the mounting of the default service account token to only those pods whose application requires interaction with the Kubernetes API.
  Rationale   : By default, Kubernetes automatically provisions a service account for each pod and mounts the secret at runtime. This service account is not typically used. If this pod is compromised and the compromised user has access to the service account, the service account could be used to escalate privileges within the cluster. To reduce the likelihood of privilege escalation this service account should not be mounted by default unless the pod requires direct access to the Kubernetes API as part of the pods functionality.
  Remediation : Add `automountServiceAccountToken: false` or a value distinct from 'default' for the `serviceAccountName` key to the deployment's Pod configuration.
  -- Policy violations will not stop the build process --
...

-----------------------------------------------------
Deployment check on file : /files/ci/OpenShift-Pipelines/assets-for-validation/layer1/layer1-service.yaml
Flag --json has been deprecated, use the new output format which also offers JSON. NOTE: The new output format's structure has changed in a non-backward compatible way.
  -- No errors found in this file --

Setting overall result to fail
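Added example (not part of the original post or of the acs-automation project): a small Python parser for the text output of the rox-deployment-check task shown above. It turns each "Deployment check on file" section into a record with its alerts, flags files whose declared alert count does not match what was actually parsed (a sign of truncated logs), and derives an overall pass/fail in the spirit of the task's "Setting overall result to ..." line. The sample log is constructed and modelled on the output above; the gate rule (any alert fails the run, or only policies whose violations would stop the build) is an assumption, since the task's own logic is not shown on the page.

```python
"""Parse `roxctl deployment check` text output and derive a CI gate result."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the rox-deployment-check log above
# (paths, counts and the second policy in layer1-service.yaml are made up).
SAMPLE_OUTPUT = """\
Getting roxctl
Deployment check on file : /files/ci/assets-for-validation/namespace.yaml
Flag --json has been deprecated, use the new output format which also offers JSON.
 -- No errors found in this file --

Deployment check on file : /files/ci/assets-for-validation/layer1/layer1-service.yaml
2 alerts found ...
  Alert policy name : Latest tag
  Description : Alert on deployments with images using tag 'latest'
  Rationale   : Using latest tag can result in running heterogeneous versions of code.
  Remediation : Consider moving to semantic versioning based on code releases (semver.org).
  -- Policy violations will not stop the build process --
  Alert policy name : No resource requests or limits specified
  Description : Alert on deployments that have containers without resource requests and limits
  Rationale   : Unbounded containers can starve other workloads on the node.
  Remediation : Specify resource requests and limits for each container.
  -- Policy violations will not stop the build process --

Deployment check on file : /files/ci/assets-for-validation/layer1/pod.yml
1 alerts found ...
  Alert policy name : Pod Service Account Token Automatically Mounted
  Description : Protect pod default service account tokens from compromise.
  Rationale   : The mounted token could be used to escalate privileges within the cluster.
  Remediation : Add `automountServiceAccountToken: false` or a value distinct from 'default' for the `serviceAccountName` key to the deployment's Pod configuration.
  -- Policy violations will not stop the build process --
"""

FILE_RE = re.compile(r"^Deployment check on file\s*:\s*(?P<path>\S+)\s*$")
COUNT_RE = re.compile(r"^(?P<n>\d+) alerts? found")
FIELD_RE = re.compile(
    r"^\s*(?P<key>Alert policy name|Description|Rationale|Remediation)\s*:\s*(?P<value>.*?)\s*$"
)


@dataclass
class Alert:
    policy: str
    description: str = ""
    rationale: str = ""
    remediation: str = ""
    enforced: bool = False  # True if roxctl says this violation stops the build


@dataclass
class FileResult:
    path: str
    declared_alerts: int = 0          # count from the "N alerts found" header
    alerts: list[Alert] = field(default_factory=list)
    clean: bool = False               # saw "No errors found in this file"


def parse_roxctl_output(text: str) -> list[FileResult]:
    """Split the log into per-file results; lines before the first file header are ignored."""
    results: list[FileResult] = []
    current: FileResult | None = None
    alert: Alert | None = None
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            current = FileResult(path=m.group("path"))
            results.append(current)
            alert = None
            continue
        if current is None:
            continue  # preamble such as "Getting roxctl"
        if "No errors found in this file" in line:
            current.clean = True
            continue
        m = COUNT_RE.match(line)
        if m:
            current.declared_alerts = int(m.group("n"))
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group("key"), m.group("value")
            if key == "Alert policy name":
                alert = Alert(policy=value)
                current.alerts.append(alert)
            elif alert is not None:
                setattr(alert, key.lower(), value)
            continue
        if alert is not None and "stop the build process" in line:
            # assumption: roxctl prints "will not stop" when the policy has no build enforcement
            alert.enforced = "will not stop" not in line
    return results


def count_mismatches(results: list[FileResult]) -> list[str]:
    """Files whose header count disagrees with the alerts parsed (truncated or garbled log)."""
    return [r.path for r in results if r.declared_alerts != len(r.alerts)]


def overall_result(results: list[FileResult], fail_on_any_alert: bool = True) -> str:
    """Gate rule (assumed): any alert fails the run, or only enforced policies if relaxed."""
    for r in results:
        for a in r.alerts:
            if fail_on_any_alert or a.enforced:
                return "fail"
    return "pass"


def summarize(results: list[FileResult]) -> dict[str, list[str]]:
    """Map each checked file to the names of the policies it violated."""
    return {r.path: [a.policy for a in r.alerts] for r in results}


if __name__ == "__main__":
    parsed = parse_roxctl_output(SAMPLE_OUTPUT)
    for path, policies in summarize(parsed).items():
        print(f"{path}: {policies or 'clean'}")
    print("Setting overall result to", overall_result(parsed))
```

In a pipeline task you would feed the captured roxctl output into parse_roxctl_output and exit non-zero when overall_result returns "fail"; count_mismatches is worth checking first, because a truncated log can hide alerts that the header count still announces.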