OpenShift 4.x HOL Tutorial Collection
This article was verified on OpenShift 4.11 with RHACS 3.71.0.
Note: besides RHACS, the environment also needs the OpenShift Pipelines Operator installed.
- Run the following command to download the project code:
$ git clone https://github.com/liuxiaoyu-git/acs-automation.git
- Run the following commands to deploy the Pipeline resources (Tasks first, then the Pipeline that references them):
$ oc new-project rox-ctl-pipeline
$ cd acs-automation/ci/OpenShift-Pipelines
$ oc apply -f Tasks/
$ oc apply -f Pipeline/
- In the RHACS console, open Integrations, find “StackRox API Token” and enter it. Then generate a token named “pipeline-token” with the “Continuous Integration” role.
- After creation the console shows the token string (see the figure); copy it, as it is only displayed once.
- Run the following command to create a secret holding the Central endpoint and the API token:
$ oc create secret generic acs-secret -n rox-ctl-pipeline \
--from-literal=acs_central_endpoint=$(oc get route central -n stackrox --template='{{ .spec.host }}'):443 \
--from-literal=acs_api_token=<PIPELINE-TOKEN>
- Run the following command to start the PipelineRun:
$ oc create -f PipelineRun/
- Then watch the PipelineRun in the OpenShift console and confirm that all of its tasks complete. Open the log of the “rox-deployment-check” task and confirm that it ends with “Setting overall result to pass”.
Note: the default PipelineRun only has RHACS check “ci/OpenShift-Pipelines/assets-for-validation/namespace.yaml”, so it passes the security check.
Getting roxctl
Deployment check on file : /files/ci/Tekton/Scenario2/assets-for-validation/namespace.yaml
-- No errors found in this file --
Setting overall result to pass
- Edit the local file “ci/OpenShift-Pipelines/PipelineRun/acs-pipelineRun.yaml” and change the following “false” to “true”, so that roxctl checks every manifest under assets-for-validation recursively:
- name: recursive-search
  value: "false"
- Run the command again to start a new PipelineRun:
$ oc create -f PipelineRun/
- Then watch the PipelineRun in the OpenShift console and confirm that it stops after the second task. Open the log of the “rox-deployment-check” task: it reports that “assets-for-validation/layer1/layer1-service.yaml”, “assets-for-validation/layer1/pod.yml” and “assets-for-validation/layer1/layer1.yaml” contain policy violations, which is why the run ends with “Setting overall result to fail”.
Getting roxctl
Deployment check on file :
/files/ci/Tekton/Scenario2/assets-for-validation/namespace.yaml
-- No errors found in this file --
Deployment check on file :
/files/ci/Tekton/Scenario2/assets-for-validation/layer1/layer1-service.yaml
-- No errors found in this file --
Deployment check on file :
/files/ci/Tekton/Scenario2/assets-for-validation/layer1/pod.yml
2 alerts found ...
Alert policy name : Fixable CVSS >= 7
-- Build will be halted --
- - - - - - - - - - - - - - - - - - - - - - - - - -
2 violations found ...
violation : -- Fixable CVE-2021-28831 (CVSS 7.5) found in component 'busybox' (version 1.32.1-r3) in container 'app-container', resolved by version 1.32.1-r4
violation : -- Fixable CVE-2021-30139 (CVSS 7.5) found in component 'apk-tools' (version 2.12.1-r0) in container 'app-container', resolved by version 2.12.5-r0
- - - - - - - - - - - - - - - - -
Alert policy name : Docker CIS 4.1: Ensure That a User for the Container Has Been Created
-- Policy violations will not stop the build process --
- - - - - - - - - - - - - - - - - - - - - - - - - -
1 violation found ...
violation : -- Container 'app-container' has image with user 'root'
- - - - - - - - - - - - - - - - -
-----------------------------------------------------
Deployment check on file : /files/ci/Tekton/Scenario2/assets-for-validation/layer1/layer1.yaml
3 alerts found ...
Alert policy name : Latest tag
-- Policy violations will not stop the build process --
- - - - - - - - - - - - - - - - - - - - - - - - - -
1 violation found ...
violation : -- Container 'layer1' has image with tag 'latest'
- - - - - - - - - - - - - - - - -
Alert policy name : Fixable CVSS >= 7
-- Build will be halted --
- - - - - - - - - - - - - - - - - - - - - - - - - -
11 violations found ...
violation : -- Fixable CVE-2020-25648 (CVSS 7.5) found in component 'nss' ...
violation : -- Fixable CVE-2020-25648 (CVSS 7.5) found in ...
- - - - - - - - - - - - - - - - -
Alert policy name : No resource requests or limits specified
-- Policy violations will not stop the build process --
- - - - - - - - - - - - - - - - - - - - - - - - - -
4 violations found ...
violation : -- CPU limit set to 0 cores for container 'layer1'
violation : -- CPU request set to 0 cores for container 'layer1'
violation : -- Memory limit set to 0 MB for container 'layer1'
violation : -- Memory request set to 0 MB for container 'layer1'
- - - - - - - - - - - - - - - - -
-----------------------------------------------------
Setting overall result to fail
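The log above mixes policies that halt the build (“-- Build will be halted --”) with policies that are only informational (“-- Policy violations will not stop the build process --”). The following parser, an added example that is not part of the tutorial or of the acs-automation repository, reads a roxctl deployment-check log, groups violations by file and policy, recomputes the pass/fail result from the enforcement markers and extracts the fixable CVE ids for a remediation list. The sample log embedded in the block is a constructed, abridged copy of the pod.yml section shown above; the rule that the build fails exactly when at least one alert carries the “Build will be halted” marker is inferred from that output, not taken from roxctl documentation.

```python
"""Parse roxctl 'deployment check' output and summarize which policy
violations actually gate the build.  Added example, not code from the
acs-automation project."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: abridged copy of the rox-deployment-check task log
# shown in the tutorial (namespace.yaml passes, layer1/pod.yml fails).
SAMPLE_LOG = """\
Getting roxctl
Deployment check on file :
/files/ci/Tekton/Scenario2/assets-for-validation/namespace.yaml
-- No errors found in this file --
Deployment check on file :
/files/ci/Tekton/Scenario2/assets-for-validation/layer1/pod.yml
2 alerts found ...
Alert policy name : Fixable CVSS >= 7
-- Build will be halted --
- - - - - - - - - - - - - - - - - - - - - - - - - -
2 violations found ...
violation : -- Fixable CVE-2021-28831 (CVSS 7.5) found in component 'busybox' (version 1.32.1-r3) in container 'app-container', resolved by version 1.32.1-r4
violation : -- Fixable CVE-2021-30139 (CVSS 7.5) found in component 'apk-tools' (version 2.12.1-r0) in container 'app-container', resolved by version 2.12.5-r0
- - - - - - - - - - - - - - - - -
Alert policy name : Docker CIS 4.1: Ensure That a User for the Container Has Been Created
-- Policy violations will not stop the build process --
- - - - - - - - - - - - - - - - - - - - - - - - - -
1 violation found ...
violation : -- Container 'app-container' has image with user 'root'
- - - - - - - - - - - - - - - - -
-----------------------------------------------------
Setting overall result to fail
"""

FILE_HDR = "Deployment check on file :"
POLICY_HDR = "Alert policy name :"
VIOLATION_HDR = "violation : --"
HALT_MARK = "-- Build will be halted --"
NOHALT_MARK = "-- Policy violations will not stop the build process --"
RESULT_HDR = "Setting overall result to"
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Alert:
    file: str
    policy: str
    enforced: bool = False                 # True when roxctl printed HALT_MARK
    violations: List[str] = field(default_factory=list)


def parse_roxctl_log(text: str) -> Tuple[List[Alert], Optional[str]]:
    """Return (alerts, overall result as printed by roxctl, or None)."""
    alerts: List[Alert] = []
    current_file = ""
    current: Optional[Alert] = None
    overall: Optional[str] = None
    expect_path = False   # the file path may wrap onto the line after the header
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if expect_path:
            current_file, expect_path = line, False
            continue
        if line.startswith(FILE_HDR):
            rest = line[len(FILE_HDR):].strip()
            if rest:
                current_file = rest
            else:
                expect_path = True
            current = None
        elif line.startswith(POLICY_HDR):
            current = Alert(file=current_file, policy=line[len(POLICY_HDR):].strip())
            alerts.append(current)
        elif line == HALT_MARK and current is not None:
            current.enforced = True
        elif line == NOHALT_MARK and current is not None:
            current.enforced = False
        elif line.startswith(VIOLATION_HDR) and current is not None:
            current.violations.append(line[len(VIOLATION_HDR):].strip())
        elif line.startswith(RESULT_HDR):
            overall = line[len(RESULT_HDR):].strip()
    return alerts, overall


def compute_result(alerts: List[Alert]) -> str:
    """Gating rule inferred from the log: any enforced alert fails the build."""
    return "fail" if any(a.enforced for a in alerts) else "pass"


def blocking_policies(alerts: List[Alert]) -> List[str]:
    """Names of the policies that actually halted the build."""
    return sorted({a.policy for a in alerts if a.enforced})


def fixable_cves(alerts: List[Alert]) -> List[str]:
    """CVE ids from 'Fixable ...' violations, in order of first appearance."""
    found: List[str] = []
    for a in alerts:
        for v in a.violations:
            if v.startswith("Fixable"):
                for cve in CVE_RE.findall(v):
                    if cve not in found:
                        found.append(cve)
    return found


if __name__ == "__main__":
    parsed, reported = parse_roxctl_log(SAMPLE_LOG)
    for a in parsed:
        gate = "HALTS BUILD" if a.enforced else "informational"
        print(f"{a.file}: {a.policy} [{gate}] {len(a.violations)} violation(s)")
    print("roxctl reported:", reported, "| recomputed:", compute_result(parsed))
    print("fixable CVEs to remediate:", ", ".join(fixable_cves(parsed)))
```

Comparing the recomputed result with the one roxctl printed is a cheap consistency check when this parser is run over the full task log; the blocking-policy list tells you which policy's enforcement setting in RHACS is responsible for a failed PipelineRun, and the CVE list is what the image owner needs to rebuild against the resolved component versions.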