diff --git a/task/rhacs-generic/0.1/README.md b/task/rhacs-generic/0.1/README.md
new file mode 100644
index 00000000..2941d496
--- /dev/null
+++ b/task/rhacs-generic/0.1/README.md
@@ -0,0 +1,144 @@ +# Red Hat Advanced Cluster Security generic Task + +Allows users to customize and extend +[`roxctl`](https://docs.openshift.com/acs/cli/command-reference/roxctl.html) +command line based on their needs. + +This task first exchanges a service account token against a short-lived RHACS +authorization token, then performs the requested action. + +**Note: this Task requires a 4.4.2 roxctl image (task default) or a more recent +image version.** + +## Prerequisites + +This task requires an active installation of [Red Hat Advanced Cluster Security (RHACS)](https://www.redhat.com/en/resources/advanced-cluster-security-for-kubernetes-datasheet) +or [StackRox](https://www.stackrox.io). It also requires configuration of a +machine-to-machine integration. + + + +## Install the Task + +```bash +kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/rhacs-generic/0.1/raw +``` + +## Parameters + +- **`rox_central_endpoint`**: The address:port tuple for StackRox Central. +Default: **central.stackrox.svc:443** +- **`insecure-skip-tls-verify`**: Skip verification the TLS certs of the Central +endpoint and registry. Examples: _"true", **"false"**_. +- **`rox_arguments`**: The command line that you would like to enter, in array +form. (required) +- `rox_ca_cert_file`: Path to the Central CA PEM file (if certificates are +available). The path must be empty if no file is available, or prefixed with +`/workspace/ca` otherwise. +Examples: _**""**, "/workspace/ca/central-ca.pem"_ +- `rox_image`: The image providing the roxctl tool (optional). +Default: quay.io/stackrox-io/roxctl:4.4.2 +(this is also the minimum version working with this task). +- `output_file`: path to a file where to redirect roxctl standard output. +Default: "" (redirects to stdout). +- `error_file`: path to a file where to redirect roxctl standard error. +Default: "" (redirects to stderr). 
+ +## Workspaces + +- **data**: An [optional Workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md#optional-workspaces) +which stores files used as parameters to the command line. +- **ca**: An [optional Workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md#optional-workspaces) +which stores the Red Hat Advanced Cluster Security Central CA PEM file. +It is **strongly** recommended that this workspace be bound to a Kubernetes +`Secret`. + +## Usage + +Check the [documentation](https://docs.openshift.com/acs/operating/manage-user-access/configure-short-lived-access.html#configure-short-lived-access_configure-short-lived-access) +to configure the trust with the OIDC token issuer. This +[example](../../rhacs-m2m-authenticate/0.1/samples/configure-m2m.md) describes +a possible RHACS machine-to-machine integration configuration. + +The `roxctl` [documentation](https://docs.openshift.com/acs/cli/command-reference/roxctl.html) +describes the available commands and their options. 
+ +**Example task uses:** + +Declarative configuration preparation: +```yaml + - name: create-access-scope + taskRef: + name: rhacs-generic + kind: Task + params: + - name: insecure-skip-tls-verify + value: "true" + - name: rox_endpoint + value: $(params.rox_central_endpoint) + - name: rox_image + value: $(params.rox_image) + - name: rox_arguments + value: + - declarative-config + - create + - access-scope + - --name=testScope + - --description=test access scope + - --included=testCluster=stackrox +``` + +Deployment check: +```yaml + tasks: + - name: check-deployment + taskRef: + name: rhacs-generic + kind: Task + params: + - name: insecure-skip-tls-verify + value: "true" + - name: rox_endpoint + value: central.stackrox.svc:443 + - name: rox_arguments + value: + - deployment + - check + - --output=table + - --file=/workspace/data/$(params.deployment) + workspaces: + - name: data + workspace: shared-workspace +``` + +Image scan: +```yaml + tasks: + - name: scan-image + taskRef: + name: rhacs-generic + kind: Task + params: + - name: insecure-skip-tls-verify + value: "true" + - name: rox_endpoint + value: central.stackrox.svc:443 + - name: rox_arguments + value: + - image + - scan + - --output=table + - --image=$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST) + runAfter: + - build-image + +``` + +**Samples:** + +* [pipeline.yaml](samples/pipeline.yaml) demonstrates use in a pipeline. +* [pipelinerun.yaml](samples/pipelinerun.yaml) demonstrates use +in a pipelinerun. + +# Known Issues + diff --git a/task/rhacs-generic/0.1/rhacs-generic.yaml b/task/rhacs-generic/0.1/rhacs-generic.yaml new file mode 100644 index 00000000..78acdf6d --- /dev/null +++ b/task/rhacs-generic/0.1/rhacs-generic.yaml 
@@ -0,0 +1,107 @@
+---
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+ name: rhacs-generic
+ labels:
+ apps.kubernetes.io/version: "0.1"
+ annotations:
+ tekton.dev/tags: security
+ tekton.dev/categories: Security
+ tekton.dev/displayName: "Perform an action with Red Hat Advanced Cluster Security"
+ tekton.dev/platforms: "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x,darwin/amd64,darwin/arm64,windows/amd64"
+ tekton.dev/pipelines.minVersion: "0.50.0"
+spec:
+ description: >-
+ Performs an action with Red Hat Advanced Cluster Security.
+
+ Actions are performed using the associated command line tool: roxctl.
+ params:
+ - name: rox_image
+ description: Image providing the roxctl tool.
+ default: 'quay.io/stackrox-io/roxctl:4.4.2'
+ - name: rox_central_endpoint
+ description: The address:port tuple for RHACS Stackrox Central.
+ type: string
+ default: central.stackrox.svc:443
+ - name: rox_arguments
+ description: The roxctl command line arguments.
+ type: array
+ - name: rox_ca_cert_file
+ description: |
+ Path to the central CA PEM file.
+ Leave empty if no file is available.
+ Prefix the file path with /workspace/ca when available.
+ type: string
+ default: ''
+ - name: insecure-skip-tls-verify
+ description: |
+ Do not verify TLS certificates.
+ When set to "true", skip verifying the TLS certs of the Central endpoint.
+ type: string
+ default: "false"
+ - name: output_file
+ type: string
+ description: |
+ Path to a file where to write the roxctl standard output stream.
+ If empty, the output stream goes to the container standard output.
+ default: ""
+ - name: error_file
+ description: |
+ Path to a file where to write the roxctl standard error stream.
+ If empty, the error stream goes to the container standard error.
+ type: string
+ default: ""
+ stepTemplate:
+ env:
+ - name: ROX_INSECURE_CLIENT_SKIP_TLS_VERIFY
+ value: $(params.insecure-skip-tls-verify)
+ - name: ROX_CA_CERT_FILE
+ value: $(params.rox_ca_cert_file)
+ - name: ROX_ENDPOINT
+ value: $(params.rox_central_endpoint)
+ - name: ROX_CONFIG_DIR
+ value: /rox-config
+ - name: ROX_EXECUTION_ENV
+ value: Tekton
+ - name: ROX_OUTPUT_FILE
+ value: $(params.output_file)
+ - name: ROX_ERROR_FILE
+ value: $(params.error_file)
+ workspaces:
+ - name: ca
+ description: An optional workspace storing the Central CA PEM file.
+ optional: true
+ readOnly: true
+ - name: data
+ description: An optional workspace storing files to pass to the command line tool (as input or output).
+ optional: true
+ steps:
+ - name: exchange-service-account-token
+ image: $(params.rox_image)
+ volumeMounts:
+ - name: token-vol
+ mountPath: /service-account-token
+ - name: roxctl-config
+ mountPath: /rox-config
+ args:
+ - central
+ - m2m
+ - exchange
+ - --token-file=/service-account-token/token
+ - name: roxctl-action
+ image: $(params.rox_image)
+ volumeMounts:
+ - name: roxctl-config
+ mountPath: /rox-config
+ args: ["$(params.rox_arguments[*])"]
+ volumes:
+ - name: token-vol
+ projected:
+ sources:
+ - serviceAccountToken:
+ audience: rhacs
+ path: token
+ expirationSeconds: 3600
+ - name: roxctl-config
+ emptyDir: {}
diff --git a/task/rhacs-generic/0.1/samples/pipeline.yaml b/task/rhacs-generic/0.1/samples/pipeline.yaml
new file mode 100644
index 00000000..06073c92
--- /dev/null
+++ b/task/rhacs-generic/0.1/samples/pipeline.yaml
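Review bot: The `insecure-skip-tls-verify` description only mentions the Central endpoint certs, but the flag is wired through `stepTemplate.env` as `ROX_INSECURE_CLIENT_SKIP_TLS_VERIFY`, so it also disables verification in the `exchange-service-account-token` step, which sends the projected service-account token (audience `rhacs`, 3600 s lifetime) to Central. Suggest extending the description with `When "true", the token exchange step also skips verification, so the service account token is sent to an unverified endpoint; prefer rox_ca_cert_file with the ca workspace.` Also `rox_image` is the only param without `type: string` and single-quotes its default while its siblings use no quotes or double quotes; aligning it keeps the param list consistent.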
@@ -0,0 +1,185 @@
+---
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+ name: rox-pipeline
+spec:
+ workspaces:
+ - name: shared-workspace
+ params:
+ - name: deployment
+ type: string
+ description: filename of the deployment to be patched
+ - name: git-url
+ type: string
+ description: url of the git repo for the code of deployment
+ - name: git-revision
+ type: string
+ description: revision to be used from repo of the code for deployment
+ default: main
+ - name: IMAGE
+ type: string
+ description: image to be build from the code
+ - name: rox_central_endpoint
+ type: string
+ description: The address:port tuple for RHACS Stackrox Central.
+ default: central.stackrox.svc:443
+ - name: rox_image
+ type: string
+ description: The Red Hat Advanced Cluster Security container image
+ default: quay.io/stackrox-io/roxctl:4.4.2
+
+ tasks:
+ # fetch central CA
+ - name: fetch-central-ca
+ taskRef:
+ name: rhacs-generic
+ kind: Task
+ workspaces:
+ - name: data
+ workspace: shared-workspace
+ params:
+ - name: insecure-skip-tls-verify
+ value: 'true'
+ - name: rox_endpoint
+ value: $(params.rox_central_endpoint)
+ - name: rox_image
+ value: $(params.rox_image)
+ - name: rox_arguments
+ value:
+ - central
+ - cert
+ - '--output=/workspace/data/central-ca.pem'
+
+ # checkout source code
+ - name: fetch-repository
+ taskRef:
+ name: git-clone
+ kind: ClusterTask
+ workspaces:
+ - name: output
+ workspace: shared-workspace
+ params:
+ - name: url
+ value: $(params.git-url)
+ - name: subdirectory
+ value: ""
+ - name: deleteExisting
+ value: "true"
+ - name: revision
+ value: $(params.git-revision)
+ runAfter:
+ - fetch-central-ca
+
+ # Test access scope creation
+ - name: create-access-scope
+ taskRef:
+ name: rhacs-generic
+ kind: Task
+ workspaces:
+ - name: ca
+ workspace: shared-workspace
+ params:
+ - name: rox_ca_cert_file
+ value: /workspace/ca/central-ca.pem
+ - name: rox_endpoint
+ value: $(params.rox_central_endpoint)
+ - name: rox_image
+ value: $(params.rox_image)
+ - name: rox_arguments
+ value:
+ - declarative-config
+ - create
+ - access-scope
+ - --name=testScope
+ - --description=test access scope
+ - --included=testCluster=stackrox
+ runAfter:
+ - fetch-repository
+
+ # validate deployment against defined RHACS policies
+ - name: police-deployment
+ taskRef:
+ name: rhacs-generic
+ kind: Task
+ params:
+ - name: rox_ca_cert_file
+ value: /workspace/ca/central-ca.pem
+ - name: rox_endpoint
+ value: $(params.rox_central_endpoint)
+ - name: rox_image
+ value: $(params.rox_image)
+ - name: rox_arguments
+ value:
+ - deployment
+ - check
+ - --output=table
+ - --file=/workspace/data/$(params.deployment)
+ workspaces:
+ - name: data
+ workspace: shared-workspace
+ - name: ca
+ workspace: shared-workspace
+ runAfter:
+ - fetch-repository
+ - build-image
+
+ - name: build-image
+ taskRef:
+ name: buildah
+ kind: ClusterTask
+ params:
+ - name: IMAGE
+ value: $(params.IMAGE)
+ - name: TLSVERIFY
+ value: "false"
+ workspaces:
+ - name: source
+ workspace: shared-workspace
+ runAfter:
+ - fetch-repository
+
+ # scan image for vulns using RHACS
+ - name: scan-image
+ taskRef:
+ name: rhacs-generic
+ kind: Task
+ workspaces:
+ - name: ca
+ workspace: shared-workspace
+ params:
+ - name: rox_ca_cert_file
+ value: /workspace/ca/central-ca.pem
+ - name: rox_endpoint
+ value: $(params.rox_central_endpoint)
+ - name: rox_image
+ value: $(params.rox_image)
+ - name: rox_arguments
+ value:
+ - image
+ - scan
+ - --output=table
+ - --image=$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)
+ runAfter:
+ - build-image
+
+ # validate image against RHACS policies
+ - name: police-image
+ taskRef:
+ name: rhacs-generic
+ kind: Task
+ params:
+ - name: insecure-skip-tls-verify
+ value: "true"
+ - name: rox_endpoint
+ value: $(params.rox_central_endpoint)
+ - name: rox_image
+ value: $(params.rox_image)
+ - name: rox_arguments
+ value:
+ - image
+ - check
+ - --output=table
+ - --image=$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)
+ runAfter:
+ - scan-image
diff --git a/task/rhacs-generic/0.1/samples/pipelinerun.yaml b/task/rhacs-generic/0.1/samples/pipelinerun.yaml
new file mode 100644
index 00000000..9189e321
--- /dev/null
+++ b/task/rhacs-generic/0.1/samples/pipelinerun.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ name: rox-pipelinerun
+spec:
+ pipelineRef:
+ name: rox-pipeline
+ params:
+ - name: deployment
+ value: k8s/deployment.yaml
+ - name: git-url
+ value: https://github.com/openshift/pipelines-vote-api.git
+ - name: git-revision
+ value: pipelines-1.7
+ - name: IMAGE
+ value: image-registry.openshift-image-registry.svc:5000/$(context.pipelineRun.namespace)/pipelines-vote-ui
+ - name: insecure-skip-tls-verify
+ value: "true"
+ workspaces:
+ - name: shared-workspace
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 500Mi
diff --git a/task/rhacs-generic/OWNERS b/task/rhacs-generic/OWNERS
new file mode 100644
index 00000000..ce302a94
--- /dev/null
+++ b/task/rhacs-generic/OWNERS
@@ -0,0 +1,6 @@
+approvers:
+- dhaus67
+- rhybrillou
+reviewers:
+- dhaus67
+- rhybrillou
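Review bot: All five `rhacs-generic` tasks in this pipeline pass the endpoint as `rox_endpoint`, but the Task added in this commit (rhacs-generic.yaml) declares it as `rox_central_endpoint`, so the value never reaches `ROX_ENDPOINT` and Central falls back to the task default, or the run is rejected for an undeclared param depending on the Tekton version. Rename each occurrence to `- name: rox_central_endpoint`; the README examples carry the same mismatch and should be fixed together. Separately, `police-image` still sets `insecure-skip-tls-verify: "true"` although `fetch-central-ca` has already written the CA to the shared workspace and `scan-image` consumes it; binding the `ca` workspace and passing `rox_ca_cert_file: /workspace/ca/central-ca.pem` there would leave the bootstrap fetch as the only unverified connection.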
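Review bot: The PipelineRun passes `insecure-skip-tls-verify: "true"`, but `rox-pipeline` (samples/pipeline.yaml in this commit) declares no parameter of that name, so the value is not forwarded to any task and the run is either rejected at validation or silently ignores it. Either drop those two lines or declare the parameter on the pipeline and route it to the tasks that need it. Also `git-url` clones `pipelines-vote-api.git` while `IMAGE` is named `pipelines-vote-ui`; this looks unintended, please confirm which sample application is meant.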