OpenShift Security (11) - Scanning deployments for security risks with RHACS in a DevOps CI/CD pipeline


OpenShift 4.x HOL tutorial index
This article was verified in an OpenShift 4.11 + RHACS 3.71.0 environment.

Demo video

Note: besides RHACS, the environment also needs the OpenShift Pipelines Operator installed.

  1. Run the following command to download the project code:
$ git clone https://github.com/liuxiaoyu-git/acs-automation.git
  2. Run the following commands to deploy the Pipeline resources:
$ oc new-project rox-ctl-pipeline
$ cd acs-automation/ci/OpenShift-Pipelines
$ oc apply -f Tasks/
$ oc apply -f Pipeline/
  3. In the RHACS console, open Integrations, find "StackRox API Token" and open it. Then generate a token named "pipeline-token" with the "Continuous Integration" role.
  4. After it is created the token string is displayed; copy it.
  5. Run the following command to create a secret. Replace <PIPELINE-TOKEN> with the token copied in the previous step (note that a token passed with --from-literal ends up in your shell history; --from-file avoids that):
$ oc create secret generic acs-secret -n rox-ctl-pipeline \
	--from-literal=acs_central_endpoint=$(oc get route central -n stackrox --template='{{ .spec.host }}'):443 \
	--from-literal=acs_api_token=<PIPELINE-TOKEN>
  6. Run the following command to start the PipelineRun:
$ oc create -f PipelineRun/
  7. Then watch the PipelineRun in the OpenShift console and confirm that every task completes. Open the log of the "rox-deployment-check" task and confirm that it ends with "Setting overall result to pass".
    Note: by default the PipelineRun only has RHACS check "ci/OpenShift-Pipelines/assets-for-validation/namespace.yaml", so the security check passes.
Getting roxctl
Deployment check on file : /files/ci/Tekton/Scenario2/assets-for-validation/namespace.yaml
-- No errors found in this file --
Setting overall result to pass
  8. Edit the local file "ci/OpenShift-Pipelines/PipelineRun/acs-pipelineRun.yaml" and change the following "false" to "true":
 - name: recursive-search
   value: "false"
  9. Run the PipelineRun again:
$ oc create -f PipelineRun/
  10. Then watch the PipelineRun in the OpenShift console and confirm that it stops after the second task. In the log of the "rox-deployment-check" task, "assets-for-validation/layer1/layer1-service.yaml" passes, while "assets-for-validation/layer1/pod.yml" and "assets-for-validation/layer1/layer1.yaml" report violations. Both of those files violate the "Fixable CVSS >= 7" policy, whose enforcement is "Build will be halted"; the other matched policies (Docker CIS 4.1, Latest tag, No resource requests or limits specified) are only reported and would not stop the build on their own. Because at least one enforced policy failed, the task ends with "Setting overall result to fail".
Getting roxctl
Deployment check on file : /files/ci/Tekton/Scenario2/assets-for-validation/namespace.yaml
-- No errors found in this file --
Deployment check on file : /files/ci/Tekton/Scenario2/assets-for-validation/layer1/layer1-service.yaml
-- No errors found in this file --
Deployment check on file : /files/ci/Tekton/Scenario2/assets-for-validation/layer1/pod.yml
2 alerts found ...
Alert policy name : Fixable CVSS >= 7
-- Build will be halted --
- - - - - - - - - - - - - - - - - - - - - - - - - -
2 violations found ...
violation : -- Fixable CVE-2021-28831 (CVSS 7.5) found in component 'busybox' (version 1.32.1-r3) in container 'app-container', resolved by version 1.32.1-r4
violation : -- Fixable CVE-2021-30139 (CVSS 7.5) found in component 'apk-tools' (version 2.12.1-r0) in container 'app-container', resolved by version 2.12.5-r0
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
Alert policy name : Docker CIS 4.1: Ensure That a User for the Container Has Been Created
-- Policy violations will not stop the build process --
- - - - - - - - - - - - - - - - - - - - - - - - - -
1 violation found ...
violation : -- Container 'app-container' has image with user 'root'
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
-----------------------------------------------------
Deployment check on file : /files/ci/Tekton/Scenario2/assets-for-validation/layer1/layer1.yaml
3 alerts found ...
Alert policy name : Latest tag
-- Policy violations will not stop the build process --
- - - - - - - - - - - - - - - - - - - - - - - - - -
1 violation found ...
violation : -- Container 'layer1' has image with tag 'latest'
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
Alert policy name : Fixable CVSS >= 7
-- Build will be halted --
- - - - - - - - - - - - - - - - - - - - - - - - - -
11 violations found ...
violation : -- Fixable CVE-2020-25648 (CVSS 7.5) found in component 'nss' ...
violation : -- Fixable CVE-2020-25648 (CVSS 7.5) found in ...
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
Alert policy name : No resource requests or limits specified
-- Policy violations will not stop the build process --
- - - - - - - - - - - - - - - - - - - - - - - - - -
4 violations found ...
violation : -- CPU limit set to 0 cores for container 'layer1'
violation : -- CPU request set to 0 cores for container 'layer1'
violation : -- Memory limit set to 0 MB for container 'layer1'
violation : -- Memory request set to 0 MB for container 'layer1'
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
-----------------------------------------------------
Setting overall result to fail
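The two runs above differ only in the recursive-search parameter and in whether any checked file violates a policy whose enforcement halts the build. The following shell script is an added example, not code from the acs-automation repository or from Red Hat, that reproduces that task logic in stand-alone form. The real checker `roxctl_check` assumes roxctl is on PATH and that ROX_ENDPOINT and ROX_API_TOKEN are exported from the acs-secret keys acs_central_endpoint and acs_api_token (that mapping is an assumption about the task), and it assumes `--insecure-skip-tls-verify` because the tutorial points at the Central route without a CA bundle. `demo_check` and `make_demo_tree` are constructed stand-ins so the selection and pass/fail aggregation can be exercised offline.

```shell
#!/usr/bin/env sh
# Added example, not code from the acs-automation repository: a minimal
# stand-alone version of what the "rox-deployment-check" task does.
# Assumptions (not from the tutorial): roxctl is on PATH, and ROX_ENDPOINT /
# ROX_API_TOKEN are exported from the acs-secret keys acs_central_endpoint /
# acs_api_token; --insecure-skip-tls-verify is assumed because the endpoint is
# the Central route and no CA bundle is configured.
set -u

# Real checker. roxctl exits non-zero when a violated policy has build
# enforcement ("Build will be halted"); advisory-only policies ("Policy
# violations will not stop the build process") leave the exit status at zero.
roxctl_check() {
    roxctl deployment check --endpoint "$ROX_ENDPOINT" \
        --insecure-skip-tls-verify --file "$1"
}

# Stand-in checker for running this example offline (constructed, not roxctl):
# it only fails a manifest that pulls an image by the ':latest' tag.
demo_check() {
    ! grep -q 'image: .*:latest' "$1"
}

# Manifest selection: top-level *.yaml/*.yml only, or the whole tree when
# recursive=true. This is what the PipelineRun's recursive-search parameter
# changes, and why the first run checks only namespace.yaml.
list_manifests() {
    dir="$1"; recursive="$2"
    if [ "$recursive" = "true" ]; then
        find "$dir" -type f \( -name '*.yaml' -o -name '*.yml' \) | sort
    else
        find "$dir" -maxdepth 1 -type f \( -name '*.yaml' -o -name '*.yml' \) | sort
    fi
}

# run_checks DIR RECURSIVE [CHECKER]: check every selected manifest, print a
# per-file result, and return 0 only if every file passed. One failing file
# is enough to fail the task, which is what stops the pipeline after it.
run_checks() {
    dir="$1"; recursive="$2"; checker="${3:-roxctl_check}"
    overall=pass
    for f in $(list_manifests "$dir" "$recursive"); do
        echo "Deployment check on file : $f"
        if "$checker" "$f"; then
            echo "-- No errors found in this file --"
        else
            echo "-- Enforced policy violated in this file --"
            overall=fail
        fi
    done
    echo "Setting overall result to $overall"
    [ "$overall" = "pass" ]
}

# Constructed sample tree mirroring the repository layout: a clean Namespace at
# the top level and a violating Pod manifest one directory down (like layer1/).
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/layer1"
    printf 'apiVersion: v1\nkind: Namespace\nmetadata:\n  name: demo\n' \
        > "$root/namespace.yaml"
    printf 'apiVersion: v1\nkind: Pod\nmetadata:\n  name: layer1\nspec:\n  containers:\n  - name: layer1\n    image: quay.io/example/app:latest\n' \
        > "$root/layer1/layer1.yaml"
    echo "$root"
}
```

Against a live Central, `run_checks ./assets-for-validation true` gives the real behaviour; offline, `run_checks "$(make_demo_tree)" false demo_check` checks one file and passes, while the same call with `true` reaches layer1/layer1.yaml and sets the overall result to fail. What matters for the pipeline is the exit status: a step that ends non-zero fails the TaskRun, so nothing after it in the Pipeline runs, exactly as in the second run above. Advisory policies such as "Latest tag" only appear in the log; if they should block, enforcement has to be enabled on the policy in RHACS, not in the pipeline.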