Securing the supply chain
Red Hat Advanced Cluster Security can be easily integrated into an existing GitHub Actions pipeline through the StackRox suite of open source actions. The roxctl CLI can then be used to scan images for vulnerabilities and to check them against Central's policies for common misconfigurations.
Configure RHACS GitHub OIDC auth
Red Hat Advanced Cluster Security for Kubernetes (RHACS) provides the ability to configure short-lived access to the user interface and API calls.
You can configure this by exchanging OpenID Connect (OIDC) identity tokens for a RHACS-issued token.
We recommend this especially for Continuous Integration (CI) usage, where short-lived access is preferable over long-lived API tokens.
Reference: https://docs.openshift.com/acs/4.5/operating/manage-user-access/configure-short-lived-access.html
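The token exchange described above is what the stackrox/central-login action performs for you. The following script, added here as an example and not taken from the original post or from the StackRox actions, walks through the same two calls in plain Python: fetch an ID token from the GitHub Actions OIDC provider (which is only available when the job grants `id-token: write`), inspect the claims RHACS will match against its machine-to-machine rules, and POST the token to Central for a short-lived access token. The Central path `/v1/auth/m2m/exchange`, the response field `accessToken`, the audience value and every `example` host are assumptions to verify against the documentation linked above; `demo_offline()` runs the whole flow against a constructed in-memory stand-in for both APIs so the script works without network access.

```python
"""Exchange a GitHub Actions OIDC ID token for a short-lived RHACS token.

Added example, not part of the original post. Endpoint path, response field
and hostnames below are assumptions; check the RHACS short-lived access docs.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

# Assumption: the audience the RHACS auth provider was configured to expect.
GITHUB_OIDC_AUDIENCE = "https://central.example.com"

# Constructed claims, shaped like a GitHub Actions ID token payload.
CONSTRUCTED_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com",
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    "aud": GITHUB_OIDC_AUDIENCE,
    "repository": "example-org/example-repo",
    "ref": "refs/heads/main",
    "iat": 1700000000,
    "exp": 1700000600,
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed alg=none token for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.

    Use this only to see which claims (sub, repository, ref, aud) Central will
    match against its rules; Central verifies the signature against GitHub's
    JWKS itself before issuing anything.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def _http_json(req: urllib.request.Request, opener=urllib.request.urlopen) -> dict:
    with opener(req) as resp:
        return json.loads(resp.read().decode())


def request_github_id_token(audience: str, request_url=None, request_token=None,
                            opener=urllib.request.urlopen) -> str:
    """Ask the GitHub Actions OIDC provider for an ID token for `audience`.

    GitHub exposes ACTIONS_ID_TOKEN_REQUEST_URL (already carrying a query
    string) and ACTIONS_ID_TOKEN_REQUEST_TOKEN when the job has id-token: write.
    """
    url = request_url or os.environ["ACTIONS_ID_TOKEN_REQUEST_URL"]
    bearer = request_token or os.environ["ACTIONS_ID_TOKEN_REQUEST_TOKEN"]
    req = urllib.request.Request(
        f"{url}&audience={urllib.parse.quote(audience, safe='')}",
        headers={"Authorization": f"bearer {bearer}",
                 "Accept": "application/json; api-version=2.0"},
    )
    return _http_json(req, opener)["value"]


def exchange_for_rhacs_token(central_endpoint: str, id_token: str,
                             opener=urllib.request.urlopen) -> str:
    """POST the ID token to Central's machine-to-machine exchange endpoint.

    Assumption: path /v1/auth/m2m/exchange, body {"id_token": ...}, and the
    reply carries the short-lived token in "accessToken".
    """
    req = urllib.request.Request(
        f"https://{central_endpoint}/v1/auth/m2m/exchange",
        data=json.dumps({"id_token": id_token}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    return _http_json(req, opener)["accessToken"]


class _FakeResponse:
    """Minimal stand-in for urllib's HTTPResponse, used by demo_offline()."""

    def __init__(self, payload: dict):
        self._body = json.dumps(payload).encode()

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def read(self) -> bytes:
        return self._body


def demo_offline() -> dict:
    """Run the full flow against constructed GitHub and Central responses."""
    id_token = _make_unsigned_jwt(CONSTRUCTED_CLAIMS)

    def fake_opener(req: urllib.request.Request):
        if req.get_method() == "GET":           # GitHub OIDC provider
            return _FakeResponse({"value": id_token})
        body = json.loads(req.data.decode())    # Central exchange endpoint
        if body.get("id_token") != id_token:
            raise ValueError("exchange received a different token")
        return _FakeResponse({"accessToken": "constructed-rox-token"})

    got = request_github_id_token(
        GITHUB_OIDC_AUDIENCE,
        request_url="https://example.invalid/token?api-version=2.0",
        request_token="constructed-runner-token",
        opener=fake_opener,
    )
    rox_token = exchange_for_rhacs_token("central.example.com", got, opener=fake_opener)
    return {"claims": decode_jwt_claims(got), "rox_token": rox_token}


if __name__ == "__main__":
    # Inside a real job: ROX_ENDPOINT must point at Central and the job needs
    # id-token: write; otherwise fall back to the offline demonstration.
    if "ACTIONS_ID_TOKEN_REQUEST_URL" in os.environ and "ROX_ENDPOINT" in os.environ:
        token = request_github_id_token(GITHUB_OIDC_AUDIENCE)
        print(json.dumps(decode_jwt_claims(token), indent=2))
        print(exchange_for_rhacs_token(os.environ["ROX_ENDPOINT"], token)[:8] + "...")
    else:
        print(json.dumps(demo_offline(), indent=2))
```

The claims printed by `decode_jwt_claims` are the ones worth comparing against the Central auth provider rules: a rule keyed on `sub` or `repository` decides which GitHub repositories and refs are allowed to obtain a token, so a mismatch there is the usual cause of a failed exchange.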
Create the GitHub Actions pipeline
An example pipeline is included below and in this repository.
```yaml
---
name: Secure image build
on: workflow_dispatch
permissions:
  contents: read
jobs:
  build-and-push-image:
    name: Build and push image
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Build image
        uses: redhat-actions/buildah-build@v2
        with:
          image: quay.io/rh_ee_jablair/ubi9
          tags: v0.0.1-${{ github.sha }}
          containerfiles: |
            ./2024-08-28-rhacs-actions-pipeline/Containerfile
      - name: Push to quay.io
        uses: redhat-actions/push-to-registry@v2
        with:
          image: ubi9
          tags: v0.0.1-${{ github.sha }}
          registry: quay.io/rh_ee_jablair
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_PASSWORD }}
  scan-image:
    name: Scan image
    runs-on: ubuntu-latest
    needs: build-and-push-image
    permissions:
      # Required so the job can request a GitHub OIDC ID token for the exchange.
      id-token: write
    steps:
      # Exchanges the GitHub ID token for a short-lived RHACS token and exports
      # it as ROX_API_TOKEN (with ROX_ENDPOINT) for the following steps.
      - name: RHACS login
        uses: stackrox/central-login@v1
        with:
          endpoint: ${{ secrets.CENTRAL_ENDPOINT }}
          skip-tls-verify: true
      - name: Install roxctl
        uses: stackrox/roxctl-installer-action@v1
        with:
          central-endpoint: ${{ secrets.CENTRAL_ENDPOINT }}
          # Use the short-lived token from the login step rather than a long-lived API token secret.
          central-token: ${{ env.ROX_API_TOKEN }}
          skip-tls-verify: true
      # roxctl picks up ROX_ENDPOINT and ROX_API_TOKEN from the environment.
      - name: Scan image with roxctl
        shell: bash
        run: |
          roxctl image scan --output=table --image="quay.io/rh_ee_jablair/ubi9:v0.0.1-${{ github.sha }}" --insecure-skip-tls-verify
          roxctl image check --output=table --image="quay.io/rh_ee_jablair/ubi9:v0.0.1-${{ github.sha }}" --insecure-skip-tls-verify
```