#+TITLE: Securing supply chain
#+DATE: <2024-08-28 Wed>
#+AUTHOR: James Blair

Red Hat Advanced Cluster Security can be integrated into an existing GitHub Actions pipeline through the StackRox suite of [[https://github.com/marketplace?query=stackrox][open source actions]]. The ~roxctl~ CLI can then be used to scan images for vulnerabilities and to check them against Central's policies for common misconfigurations.

* Configure rhacs github oidc auth

Red Hat Advanced Cluster Security for Kubernetes (RHACS) provides the ability to configure short-lived access to the user interface and API calls.

You can configure this by exchanging OpenID Connect (OIDC) identity tokens for a RHACS-issued token.

We recommend this especially for Continuous Integration (CI) usage, where short-lived access is preferable over long-lived API tokens.

Refer: https://docs.openshift.com/acs/4.5/operating/manage-user-access/configure-short-lived-access.html

* Create github actions pipeline

An example pipeline is included below and in this repository.

#+begin_src yaml
---
name: Secure image build

on: workflow_dispatch

# Least privilege by default: the workflow token can only read repository contents.
permissions:
  contents: read

jobs:

  build-and-push-image:
    name: Build and push image
    runs-on: ubuntu-latest
    steps:

      - name: Checkout code
        uses: actions/checkout@v4

      - name: Build image
        uses: redhat-actions/buildah-build@v2
        with:
          image: quay.io/rh_ee_jablair/ubi9
          # Tag is tied to the commit so the scanned image is traceable to source.
          tags: v0.0.1-${{ github.sha }}
          containerfiles: |
            ./2024-08-28-rhacs-actions-pipeline/Containerfile

      - name: Push to quay.io
        uses: redhat-actions/push-to-registry@v2
        with:
          image: ubi9
          tags: v0.0.1-${{ github.sha }}
          registry: quay.io/rh_ee_jablair
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_PASSWORD }}

  scan-image:
    runs-on: ubuntu-latest
    needs: build-and-push-image
    # Job-level permissions replace the workflow default; id-token: write lets
    # this job request a GitHub OIDC identity token for the Central login below.
    permissions:
      id-token: write
    steps:

      - name: Rhacs login
        uses: stackrox/central-login@v1
        with:
          endpoint: ${{ secrets.CENTRAL_ENDPOINT }}
          # Disables TLS verification of Central; acceptable for a demo
          # environment only. Trust Central's CA instead in production.
          skip-tls-verify: true

      - name: Install roxctl
        uses: stackrox/roxctl-installer-action@v1
        with:
          central-endpoint: ${{ secrets.CENTRAL_ENDPOINT }}
          # Note: this download step still relies on a stored API token secret,
          # not on the short-lived token obtained by the login step above.
          central-token: ${{ secrets.ROX_API_TOKEN }}
          skip-tls-verify: true

      - name: Scan image with roxctl
        shell: bash
        run: |
          # Vulnerability scan of the pushed image (report only).
          roxctl image scan --output=table --image="quay.io/rh_ee_jablair/ubi9:v0.0.1-${{ github.sha }}" --insecure-skip-tls-verify
          # Policy check against Central's build-time policies; enforced
          # violations cause a non-zero exit and fail the job.
          roxctl image check --output=table --image="quay.io/rh_ee_jablair/ubi9:v0.0.1-${{ github.sha }}" --insecure-skip-tls-verify
#+end_src
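The ~roxctl image scan~ step above reports findings but does not by itself fail the job. As an added example (not code from this repository or from StackRox), the script below shows a gate a subsequent pipeline step could apply to ~roxctl image scan --output=json~: fail the build on CRITICAL or IMPORTANT CVEs that already have a fixed component version. The JSON field names (~result.vulnerabilities[].cveId~, ~cveSeverity~, ~componentFixedVersion~) are assumed from roxctl's JSON output format, and the ~SAMPLE~ document is constructed, not a real scan.

```python
"""Gate a CI job on roxctl image scan JSON output (added example).

Field names under result.vulnerabilities are ASSUMED from roxctl's
JSON output format; SAMPLE below is a constructed document, not a
real scan result.
"""
import json
import sys

# Severities that block the build (roxctl severity naming, assumed).
BLOCKING = {"CRITICAL", "IMPORTANT"}

# Constructed sample: one fixable critical, one unfixable important,
# one fixable moderate CVE.
SAMPLE = json.dumps({"result": {
    "summary": {"CRITICAL": 1, "IMPORTANT": 1, "MODERATE": 1, "TOTAL": 3},
    "vulnerabilities": [
        {"cveId": "CVE-0000-0001", "cveSeverity": "CRITICAL",
         "componentName": "openssl", "componentVersion": "1.0",
         "componentFixedVersion": "1.1"},
        {"cveId": "CVE-0000-0002", "cveSeverity": "IMPORTANT",
         "componentName": "zlib", "componentVersion": "1.2",
         "componentFixedVersion": ""},
        {"cveId": "CVE-0000-0003", "cveSeverity": "MODERATE",
         "componentName": "curl", "componentVersion": "7.0",
         "componentFixedVersion": "7.1"},
    ]}})


def blocking_cves(scan_json: str, fixable_only: bool = True) -> list:
    """Return the vulnerabilities that should fail the build."""
    vulns = json.loads(scan_json).get("result", {}).get("vulnerabilities", [])
    hits = []
    for v in vulns:
        if v.get("cveSeverity") not in BLOCKING:
            continue
        # Unfixable CVEs are reported separately rather than blocking a build
        # the team cannot act on; pass fixable_only=False to block on them too.
        if fixable_only and not v.get("componentFixedVersion"):
            continue
        hits.append(v)
    return hits


def gate(scan_json: str, fixable_only: bool = True) -> int:
    """Print offending CVEs and return the exit code for the CI step."""
    hits = blocking_cves(scan_json, fixable_only)
    for v in hits:
        print(f"{v['cveId']} {v['cveSeverity']} {v['componentName']} "
              f"{v['componentVersion']} -> fixed in {v['componentFixedVersion']}")
    return 1 if hits else 0


if __name__ == "__main__":
    # Usage: roxctl image scan --output=json ... | python3 gate.py -
    data = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE
    sys.exit(gate(data))
```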