mirror of https://github.com/tektoncd/catalog.git synced 2024-11-21 05:55:35 +00:00

task: Add generic RHACS task

This commit is contained in:
Yann Brillouet 2024-05-22 16:46:41 +02:00 committed by tekton-robot
parent f55c6b7c61
commit edf9ec0987
5 changed files with 470 additions and 0 deletions

View File

@ -0,0 +1,144 @@
# Red Hat Advanced Cluster Security generic Task
Allows users to customize and extend
[`roxctl`](https://docs.openshift.com/acs/cli/command-reference/roxctl.html)
command line based on their needs.
This task first exchanges a service account token against a short-lived RHACS
authorization token, then performs the requested action.
**Note: this Task requires a 4.4.2 roxctl image (task default) or a more recent
image version.**
## Prerequisites
This task requires an active installation of [Red Hat Advanced Cluster Security (RHACS)](https://www.redhat.com/en/resources/advanced-cluster-security-for-kubernetes-datasheet)
or [StackRox](https://www.stackrox.io). It also requires configuration of a
machine-to-machine integration.
<https://www.redhat.com/en/technologies/cloud-computing/openshift/advanced-cluster-security-kubernetes>
## Install the Task
```bash
kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/rhacs-generic/0.1/raw
```
## Parameters
- **`rox_central_endpoint`**: The address:port tuple for StackRox Central.
Default: **central.stackrox.svc:443**
- **`insecure-skip-tls-verify`**: Skip verification the TLS certs of the Central
endpoint and registry. Examples: _"true", **"false"**_.
- **`rox_arguments`**: The command line that you would like to enter, in array
form. (required)
- `rox_ca_cert_file`: Path to the Central CA PEM file (if certificates are
available). The path must be empty if no file is available, or prefixed with
`/workspace/ca` otherwise.
Examples: _**""**, "/workspace/ca/central-ca.pem"_
- `rox_image`: The image providing the roxctl tool (optional).
Default: quay.io/stackrox-io/roxctl:4.4.2
(this is also the minimum version working with this task).
- `output_file`: path to a file where to redirect roxctl standard output.
Default: "" (redirects to stdout).
- `error_file`: path to a file where to redirect roxctl standard error.
Default: "" (redirects to stderr).
## Workspaces
- **data**: An [optional Workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md#optional-workspaces)
which stores files used as parameters to the command line.
- **ca**: An [optional Workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md#optional-workspaces)
which stores the Red Hat Advanced Cluster Security Central CA PEM file.
It is **strongly** recommended that this workspace be bound to a Kubernetes
`Secret`.
## Usage
Check the [documentation](https://docs.openshift.com/acs/operating/manage-user-access/configure-short-lived-access.html#configure-short-lived-access_configure-short-lived-access)
to configure the trust with the OIDC token issuer. This
[example](../../rhacs-m2m-authenticate/0.1/samples/configure-m2m.md) describes
a possible RHACS machine-to-machine integration configuration.
The `roxctl` [documentation](https://docs.openshift.com/acs/cli/command-reference/roxctl.html)
describes the available commands and their options.
**Example task uses:**
Declarative configuration preparation:
```yaml
- name: create-access-scope
taskRef:
name: rhacs-generic
kind: Task
params:
- name: insecure-skip-tls-verify
value: "true"
- name: rox_endpoint
value: $(params.rox_central_endpoint)
- name: rox_image
value: $(params.rox_image)
- name: rox_arguments
value:
- declarative-config
- create
- access-scope
- --name=testScope
- --description=test access scope
- --included=testCluster=stackrox
```
Deployment check:
```yaml
tasks:
- name: check-deployment
taskRef:
name: rhacs-generic
kind: Task
params:
- name: insecure-skip-tls-verify
value: "true"
- name: rox_endpoint
value: central.stackrox.svc:443
- name: rox_arguments
value:
- deployment
- check
- --output=table
- --file=/workspace/data/$(params.deployment)
workspaces:
- name: data
workspace: shared-workspace
```
Image scan:
```yaml
tasks:
- name: scan-image
taskRef:
name: rhacs-generic
kind: Task
params:
- name: insecure-skip-tls-verify
value: "true"
- name: rox_endpoint
value: central.stackrox.svc:443
- name: rox_arguments
value:
- image
- scan
- --output=table
- --image=$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)
runAfter:
- build-image
```
**Samples:**
* [pipeline.yaml](samples/pipeline.yaml) demonstrates use in a pipeline.
* [pipelinerun.yaml](samples/pipelinerun.yaml) demonstrates use
in a pipelinerun.
# Known Issues
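Review bot: the three usage examples pass `- name: rox_endpoint`, but the Task (and the Parameters section of this same README) declares `rox_central_endpoint`; the value never reaches `ROX_ENDPOINT`, so Central silently falls back to the default `central.stackrox.svc:443`. Rename it in all three examples. Every example also sets `insecure-skip-tls-verify: "true"`, the opposite of what the Workspaces section recommends; at least one example should show `rox_ca_cert_file: /workspace/ca/central-ca.pem` with the `ca` workspace bound to a Secret and the insecure flag left at its default. The exchange step only succeeds if the RHACS machine-to-machine integration accepts tokens with audience `rhacs` (the value the Task projects) issued by the cluster's service-account issuer for the pod's ServiceAccount; the Prerequisites section should state that instead of only linking to the integration docs. The trailing `# Known Issues` heading is empty; either note the roxctl 4.4.2 minimum there or drop it.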

View File

@ -0,0 +1,107 @@
---
apiVersion: tekton.dev/v1
kind: Task
metadata:
name: rhacs-generic
labels:
apps.kubernetes.io/version: "0.1"
annotations:
tekton.dev/tags: security
tekton.dev/categories: Security
tekton.dev/displayName: "Perform an action with Red Hat Advanced Cluster Security"
tekton.dev/platforms: "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x,darwin/amd64,darwin/arm64,windows/amd64"
tekton.dev/pipelines.minVersion: "0.50.0"
spec:
description: >-
Performs an action with Red Hat Advanced Cluster Security.
Actions are performed using the associated command line tool: roxctl.
params:
- name: rox_image
description: Image providing the roxctl tool.
default: 'quay.io/stackrox-io/roxctl:4.4.2'
- name: rox_central_endpoint
description: The address:port tuple for RHACS Stackrox Central.
type: string
default: central.stackrox.svc:443
- name: rox_arguments
description: The roxctl command line arguments.
type: array
- name: rox_ca_cert_file
description: |
Path to the central CA PEM file.
Leave empty if no file is available.
Prefix the file path with /workspace/ca when available.
type: string
default: ''
- name: insecure-skip-tls-verify
description: |
Do not verify TLS certificates.
When set to "true", skip verifying the TLS certs of the Central endpoint.
type: string
default: "false"
- name: output_file
type: string
description: |
Path to a file where to write the roxctl standard output stream.
If empty, the output stream goes to the container standard output.
default: ""
- name: error_file
description: |
Path to a file where to write the roxctl standard error stream.
If empty, the error stream goes to the container standard error.
type: string
default: ""
stepTemplate:
env:
- name: ROX_INSECURE_CLIENT_SKIP_TLS_VERIFY
value: $(params.insecure-skip-tls-verify)
- name: ROX_CA_CERT_FILE
value: $(params.rox_ca_cert_file)
- name: ROX_ENDPOINT
value: $(params.rox_central_endpoint)
- name: ROX_CONFIG_DIR
value: /rox-config
- name: ROX_EXECUTION_ENV
value: Tekton
- name: ROX_OUTPUT_FILE
value: $(params.output_file)
- name: ROX_ERROR_FILE
value: $(params.error_file)
workspaces:
- name: ca
description: An optional workspace storing the Central CA PEM file.
optional: true
readOnly: true
- name: data
description: An optional workspace storing files to pass to the command line tool (as input or output).
optional: true
steps:
- name: exchange-service-account-token
image: $(params.rox_image)
volumeMounts:
- name: token-vol
mountPath: /service-account-token
- name: roxctl-config
mountPath: /rox-config
args:
- central
- m2m
- exchange
- --token-file=/service-account-token/token
- name: roxctl-action
image: $(params.rox_image)
volumeMounts:
- name: roxctl-config
mountPath: /rox-config
args: ["$(params.rox_arguments[*])"]
volumes:
- name: token-vol
projected:
sources:
- serviceAccountToken:
audience: rhacs
path: token
expirationSeconds: 3600
- name: roxctl-config
emptyDir: {}
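Review bot: the projected token's `audience: rhacs` and its 3600 s lifetime are hard-coded and appear in no param description, yet the `central m2m exchange` step fails if the Central side was configured for a different audience; expose it as a `token_audience` param defaulting to `rhacs`, or at least document it in the spec description. Param naming is mixed: `insecure-skip-tls-verify` uses hyphens while every other param uses underscores (`rox_ca_cert_file`, `output_file`, `error_file`), which is exactly what users mistype in pipelines. `tekton.dev/platforms` lists `darwin/amd64`, `darwin/arm64` and `windows/amd64`, but the steps run as Linux containers of `quay.io/stackrox-io/roxctl`, so the annotation should list only the architectures that image manifest actually provides. The split itself is sound: `token-vol` is mounted only in `exchange-service-account-token`, so user-controlled `rox_arguments` in `roxctl-action` never see the raw ServiceAccount token; that is worth a one-line comment in the spec so a later edit does not "simplify" it away.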

View File

@ -0,0 +1,185 @@
---
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
name: rox-pipeline
spec:
workspaces:
- name: shared-workspace
params:
- name: deployment
type: string
description: filename of the deployment to be patched
- name: git-url
type: string
description: url of the git repo for the code of deployment
- name: git-revision
type: string
description: revision to be used from repo of the code for deployment
default: main
- name: IMAGE
type: string
description: image to be build from the code
- name: rox_central_endpoint
type: string
description: The address:port tuple for RHACS Stackrox Central.
default: central.stackrox.svc:443
- name: rox_image
type: string
description: The Red Hat Advanced Cluster Security container image
default: quay.io/stackrox-io/roxctl:4.4.2
tasks:
# fetch central CA
- name: fetch-central-ca
taskRef:
name: rhacs-generic
kind: Task
workspaces:
- name: data
workspace: shared-workspace
params:
- name: insecure-skip-tls-verify
value: 'true'
- name: rox_endpoint
value: $(params.rox_central_endpoint)
- name: rox_image
value: $(params.rox_image)
- name: rox_arguments
value:
- central
- cert
- '--output=/workspace/data/central-ca.pem'
# checkout source code
- name: fetch-repository
taskRef:
name: git-clone
kind: ClusterTask
workspaces:
- name: output
workspace: shared-workspace
params:
- name: url
value: $(params.git-url)
- name: subdirectory
value: ""
- name: deleteExisting
value: "true"
- name: revision
value: $(params.git-revision)
runAfter:
- fetch-central-ca
# Test access scope creation
- name: create-access-scope
taskRef:
name: rhacs-generic
kind: Task
workspaces:
- name: ca
workspace: shared-workspace
params:
- name: rox_ca_cert_file
value: /workspace/ca/central-ca.pem
- name: rox_endpoint
value: $(params.rox_central_endpoint)
- name: rox_image
value: $(params.rox_image)
- name: rox_arguments
value:
- declarative-config
- create
- access-scope
- --name=testScope
- --description=test access scope
- --included=testCluster=stackrox
runAfter:
- fetch-repository
# validate deployment against defined RHACS policies
- name: police-deployment
taskRef:
name: rhacs-generic
kind: Task
params:
- name: rox_ca_cert_file
value: /workspace/ca/central-ca.pem
- name: rox_endpoint
value: $(params.rox_central_endpoint)
- name: rox_image
value: $(params.rox_image)
- name: rox_arguments
value:
- deployment
- check
- --output=table
- --file=/workspace/data/$(params.deployment)
workspaces:
- name: data
workspace: shared-workspace
- name: ca
workspace: shared-workspace
runAfter:
- fetch-repository
- build-image
- name: build-image
taskRef:
name: buildah
kind: ClusterTask
params:
- name: IMAGE
value: $(params.IMAGE)
- name: TLSVERIFY
value: "false"
workspaces:
- name: source
workspace: shared-workspace
runAfter:
- fetch-repository
# scan image for vulns using RHACS
- name: scan-image
taskRef:
name: rhacs-generic
kind: Task
workspaces:
- name: ca
workspace: shared-workspace
params:
- name: rox_ca_cert_file
value: /workspace/ca/central-ca.pem
- name: rox_endpoint
value: $(params.rox_central_endpoint)
- name: rox_image
value: $(params.rox_image)
- name: rox_arguments
value:
- image
- scan
- --output=table
- --image=$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)
runAfter:
- build-image
# validate image against RHACS policies
- name: police-image
taskRef:
name: rhacs-generic
kind: Task
params:
- name: insecure-skip-tls-verify
value: "true"
- name: rox_endpoint
value: $(params.rox_central_endpoint)
- name: rox_image
value: $(params.rox_image)
- name: rox_arguments
value:
- image
- check
- --output=table
- --image=$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)
runAfter:
- scan-image
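Review bot: every `rhacs-generic` task here passes `rox_endpoint`, which the Task does not declare (it is `rox_central_endpoint`, as the pipeline's own `$(params.rox_central_endpoint)` suggests); as written the value is dropped and the default endpoint applies, so rename it in all five tasks. The trust model is also inverted: `fetch-central-ca` retrieves `central-ca.pem` with `insecure-skip-tls-verify: 'true'` onto the shared PVC, and the later tasks then verify Central against that very file, so anyone able to intercept the first connection controls every subsequent one. A sample for a security product should bind the `ca` workspace to a Secret populated out of band, as the README recommends, and drop `fetch-central-ca`. `police-image` still sets `insecure-skip-tls-verify: "true"` although the CA is available at that point, and `build-image` pushes with `TLSVERIFY: "false"`. Finally, `git-clone` and `buildah` are referenced as `kind: ClusterTask`, which is deprecated in the `tekton.dev/v1` API this Pipeline uses; reference the catalog Tasks via a resolver or install them as namespaced Tasks instead.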

View File

@ -0,0 +1,28 @@
---
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
name: rox-pipelinerun
spec:
pipelineRef:
name: rox-pipeline
params:
- name: deployment
value: k8s/deployment.yaml
- name: git-url
value: https://github.com/openshift/pipelines-vote-api.git
- name: git-revision
value: pipelines-1.7
- name: IMAGE
value: image-registry.openshift-image-registry.svc:5000/$(context.pipelineRun.namespace)/pipelines-vote-ui
- name: insecure-skip-tls-verify
value: "true"
workspaces:
- name: shared-workspace
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 500Mi
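Review bot: `insecure-skip-tls-verify` is passed here as a PipelineRun param, but `rox-pipeline` declares no such param and hard-codes the flag per task, so this value has no effect; drop it or thread a pipeline param through to the tasks. `git-url` clones `pipelines-vote-api` while `IMAGE` names `pipelines-vote-ui`, so the image built from this run is labelled as a different application than its source. The Task authenticates by exchanging the pod's projected ServiceAccount token, and this run sets no `serviceAccountName`, so the RHACS machine-to-machine mapping has to trust the namespace's `default` ServiceAccount; add an explicit `serviceAccountName` (and mention the required mapping in the README) so the identity the pipeline authenticates with is deliberate rather than implicit.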

View File

@ -0,0 +1,6 @@
approvers:
- dhaus67
- rhybrillou
reviewers:
- dhaus67
- rhybrillou