Commit 31b725d6 authored by Dominic Bauer's avatar Dominic Bauer Committed by Stan Hu

Multi-valued Cluster Image Scanning CI filter variables

parent c88b81ff
......@@ -172,10 +172,10 @@ You can [configure](#customize-the-cluster-image-scanning-settings) analyzers by
| CI/CD Variable | Default | Description |
| ------------------------------ | ------------- | ----------- |
| `CIS_KUBECONFIG` | `""` | File used to configure access to the Kubernetes cluster. See the [Kubernetes documentation](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) for more details. |
| `CIS_CONTAINER_NAME` | `""` | Name of the container used in the Kubernetes resource you want to filter vulnerabilities for. For example, `alpine`. |
| `CIS_RESOURCE_NAME` | `""` | Name of the Kubernetes resource you want to filter vulnerabilities for. For example, `nginx`. |
| `CIS_RESOURCE_NAMESPACE` | `""` | Namespace of the Kubernetes resource you want to filter vulnerabilities for. For example, `production`. |
| `CIS_RESOURCE_KIND` | `""` | Kind of the Kubernetes resource you want to filter vulnerabilities for. For example, `deployment`. |
| `CIS_CONTAINER_NAMES` | `""` | A comma-separated list of container names used in the Kubernetes resources you want to filter vulnerabilities for. For example, `alpine,postgres`. |
| `CIS_RESOURCE_NAMES` | `""` | A comma-separated list of Kubernetes resources you want to filter vulnerabilities for. For example, `nginx,redis`. |
| `CIS_RESOURCE_NAMESPACES` | `""` | A comma-separated list of namespaces of the Kubernetes resources you want to filter vulnerabilities for. For example, `production,staging`. |
| `CIS_RESOURCE_KINDS` | `""` | A comma-separated list of the kinds of Kubernetes resources to filter vulnerabilities for. For example, `deployment,pod`. |
| `CIS_CLUSTER_IDENTIFIER` | `""` | ID of the Kubernetes cluster integrated with GitLab. This is used to map vulnerabilities to the cluster so they can be filtered in the Vulnerability Report page. |
#### Override the cluster image scanning template
......
......@@ -20,10 +20,10 @@ module Security
return SCAN_VARIABLES if resource_filters.blank?
SCAN_VARIABLES.merge({
'CIS_CONTAINER_NAME' => resource_filter_value(resource_filters[:containers]),
'CIS_RESOURCE_NAME' => resource_filter_value(resource_filters[:resources]),
'CIS_RESOURCE_NAMESPACE' => resource_filter_value(resource_filters[:namespaces]),
'CIS_RESOURCE_KIND' => resource_filter_value(resource_filters[:kinds])
'CIS_CONTAINER_NAMES' => resource_filter_value(resource_filters[:containers]),
'CIS_RESOURCE_NAMES' => resource_filter_value(resource_filters[:resources]),
'CIS_RESOURCE_NAMESPACES' => resource_filter_value(resource_filters[:namespaces]),
'CIS_RESOURCE_KINDS' => resource_filter_value(resource_filters[:kinds])
}.compact)
end
......@@ -40,12 +40,9 @@ module Security
end
def resource_filter_value(filter_values)
# TODO: Add support for multiple values in filter (modify analyzer to support that).
return if filter_values.blank?
filter_values
.compact
.first
filter_values.compact.join(",")
end
end
end
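Review bot: `resource_filter_value` now returns `""` rather than `nil` when every entry of `filter_values` is `nil`, because the retained guard `return if filter_values.blank?` does not reject `[nil]`, and `[nil].compact.join(",")` yields an empty string that the `.compact` on the merged hash in the first hunk no longer drops; the removed `.first` returned `nil` in that case, so the variable was omitted. If omitting the variable is still intended, compact before the guard: `values = filter_values.compact` / `return if values.empty?` / `values.join(',')`. The values are joined with a plain comma and no escaping, so a policy-supplied entry that itself contains a comma would be read by the analyzer as two filters; Kubernetes object names are not expected to contain commas, but nothing in this hunk validates the entries, which is worth a short comment on the method or a check where the policy is parsed. The first hunk of this file sits inside a method whose start lies outside the hunk.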
......
......@@ -34,15 +34,15 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ClusterImageScanningCiVa
subject(:generated_variables) { service.execute(action) }
shared_examples 'with cluster image scanning resource filters' do
it 'generates CI variable values with first value for each resource filter' do
it 'generates comma-separated CI variable values for each resource filter' do
ci_variables, _ = generated_variables
expect(ci_variables).to eq(
'CLUSTER_IMAGE_SCANNING_DISABLED' => nil,
'CIS_CONTAINER_NAME' => 'nginx',
'CIS_RESOURCE_NAME' => 'nginx-www',
'CIS_RESOURCE_NAMESPACE' => 'gitlab-production',
'CIS_RESOURCE_KIND' => 'deployment'
'CIS_CONTAINER_NAMES' => 'nginx,falco',
'CIS_RESOURCE_NAMES' => 'nginx-www,nginx-admin',
'CIS_RESOURCE_NAMESPACES' => 'gitlab-production,cluster-apps',
'CIS_RESOURCE_KINDS' => 'deployment,daemonset'
)
end
end
......
......@@ -103,7 +103,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CreatePipelineService do
masked: false
),
{
key: 'CIS_RESOURCE_NAMESPACE',
key: 'CIS_RESOURCE_NAMESPACES',
masked: false,
public: true,
value: 'gitlab-namespace'
......