Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Container ssa annotate success #15031

Merged
merged 2 commits into from
Nov 20, 2017

Conversation

enoodle
Copy link

@enoodle enoodle commented May 9, 2017

@enoodle enoodle changed the title Container ssa annotate success [WIP] Container ssa annotate success May 9, 2017
@miq-bot miq-bot added the wip label May 9, 2017
@simon3z
Copy link
Contributor

simon3z commented May 10, 2017

@miq-bot assign enoodle

@simon3z
Copy link
Contributor

simon3z commented May 17, 2017

@moolitayer can you review this?
@enoodle what does it take to finalize this?

@@ -730,7 +730,19 @@ def action_container_image_analyze(action, rec, inputs)
rec.scan
end

def action_container_image_annotate_allow_execution(action, rec, inputs)
_log.info("EREZ DEBUG:: in function #{__method__}")

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

above line

def annotate_allow_execution(causing_policy)
annotate_image({
"security.manageiq.org/successful-policy" => causing_policy,
"images.openshift.io/allow-execution" => "true"

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See question:
#15013 (comment)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see what you're asking now. It seems you don't want to overwrite an annotation. Once it's non-compliant it should stay that way. I don't see how adding another annotation helps. Now you could have both allow and deny annotations co-existing. A single boolean is cleanest implementation. How about a single method that accepts a pass/fail boolean?

  def annotate_execution(causing_policy, deny_execution)
    annotate_image({
      "security.manageiq.org/policy"        => causing_policy,
      "images.openshift.io/deny-execution"  => deny_execution
    })

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is allow-execution annotation even a thing? Will openshift admission plugin look at it? https://docs.openshift.com/container-platform/latest/admin_guide/image_policy.html gives me the impression only deny-execution is a thing, with value true or false.

"security.manageiq.org/failed-policy" => causing_policy,
"images.openshift.io/deny-execution" => "true"
)
})

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aweiteka can you review these annotations?

enabled:
MiqAction:
name: container_image_annotate_allow_execution
description: Prevent container image from running on OpenShift

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fix the description

def action_container_image_annotate_deny_execution(action, rec, inputs)
_log.info("EREZ DEBUG:: in function #{__method__}")

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

above

Copy link

@moolitayer moolitayer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code seems good, a couple of comments and making sure an image compliancy cannot change
(this code assumes it can't)

def annotate_allow_execution(causing_policy)
annotate_image({
"security.manageiq.org/successful-policy" => causing_policy,
"images.openshift.io/allow-execution" => "true"

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see what you're asking now. It seems you don't want to overwrite an annotation. Once it's non-compliant it should stay that way. I don't see how adding another annotation helps. Now you could have both allow and deny annotations co-existing. A single boolean is cleanest implementation. How about a single method that accepts a pass/fail boolean?

  def annotate_execution(causing_policy, deny_execution)
    annotate_image({
      "security.manageiq.org/policy"        => causing_policy,
      "images.openshift.io/deny-execution"  => deny_execution
    })

@moolitayer
Copy link

I think compliancy cannot change from this point of view, since we only annotate openshift images, so that's fine:
https://github.com/ManageIQ/manageiq/pull/15031/files#diff-b65b69c5edaddcf64ef4a666f394489eL746

@aweiteka
Copy link

we only annotate openshift images

Technically that doesn't matter because other scanning tools have the same privilege to the cluster and may annotate all images in any namespace. We'll deal with this later once this PR is merged, but I wanted to clarify.

@enoodle
Copy link
Author

enoodle commented May 23, 2017

My main problem with this PR is that it is not working currently.. I must have not defined something important for the policy. @moolitayer @cben if you could take a look and maybe give me a hint it would be nice. Also, is there a point of contact in ManageIQ for policies that we could ask for advice?

@moolitayer
Copy link

What happens when you call the action method directly, does it work?
I can probably help with the policy, also take a look at log/policy.log

@enoodle enoodle force-pushed the container_ssa_annotate_success branch 2 times, most recently from 80f8b37 to df8b918 Compare June 8, 2017 07:48
@enoodle
Copy link
Author

enoodle commented Jun 8, 2017

This is now successfully annotating compliant images and also adds the quality summary from #15212

This is still WIP becuase I need to understand how to map the severity levels critical, important, moderate, low to the ones returned from OpenSCAP High, Medium, Low. Any advice?

@enoodle enoodle force-pushed the container_ssa_annotate_success branch from df8b918 to ae8017c Compare June 8, 2017 08:02
@moolitayer
Copy link

moolitayer commented Jun 8, 2017

@enoodle Is there a documentation for what the logic is behind High, Medium, Low ?

@isimluk can you please remind me who is our contact for OpenSCAP?

@enoodle enoodle force-pushed the container_ssa_annotate_success branch from ae8017c to 6d8b936 Compare June 8, 2017 08:15
@aweiteka
Copy link

aweiteka commented Jun 8, 2017

can you please remind me who is our contact for OpenSCAP?

@mpreisler

documentation for what the logic is behind High, Medium, Low ?

This is a good question. I missed that this mapping is happening. I don't see why we don't just pass the results through to the MIQ user unless we are trying to simplify (3 states vs 4?). But any interpretation we do moves us away from an "OpenSCAP provider" to an "MIQ provider (fed by OpenSCAP results)".

Any change here would break backwards compatibility with the policy. Workaround would be to carry logic "critical OR high" in the policy.

@enoodle
Copy link
Author

enoodle commented Jun 11, 2017

@aweiteka

I missed that this mapping is happening.

I missed it too, Sorry.

Do you agree to {"Low" => "low", "Medium" => "moderate", "High" => "critical"} mapping? We have to skip one state, because we are coming out of the 3-state OpenSCAP results, and I feel like everything might be considered "important" if your definition of important is wide enough.

@mpreisler
Copy link

The severity is not coming from @OpenSCAP but from the NIST XCCDF specification. There are actually 5 possible states. See https://scap.nist.gov/specifications/xccdf/xccdf_element_dictionary.html#severityEnumType

Could we just use this as it is?

@enoodle
Copy link
Author

enoodle commented Jun 21, 2017

@mpreisler We need to send it as detailed here: https://github.com/adellape/openshift-docs/blob/master/security/container_content.adoc#container-content-scanning

I will use your link to make a 1-1 map of those 5 seventies that both have. Thank you.

@enoodle enoodle force-pushed the container_ssa_annotate_success branch from 6d8b936 to be96afc Compare June 21, 2017 14:18
@enoodle enoodle changed the title [WIP] Container ssa annotate success Container ssa annotate success Jun 21, 2017
@enoodle
Copy link
Author

enoodle commented Jun 21, 2017

@aweiteka @moolitayer Can you please take another look?

@miq-bot miq-bot removed the wip label Jun 21, 2017
@enoodle enoodle force-pushed the container_ssa_annotate_success branch from d2346d8 to 7334216 Compare October 25, 2017 14:59
@miq-bot
Copy link
Member

miq-bot commented Oct 25, 2017

Checked commits enoodle/manageiq@803fbfd~...7334216 with ruby 2.3.3, rubocop 0.47.1, and haml-lint 0.20.0
2 files checked, 0 offenses detected
Everything looks fine. 👍

@enoodle
Copy link
Author

enoodle commented Oct 29, 2017

@gtanzillo Can you review this please? It can be changed with respect to #16213 if needed.

@moolitayer
Copy link

@aweiteka Please take a look

@enoodle
Copy link
Author

enoodle commented Oct 30, 2017

ping @Fryguy @agrare can you please take a look?
@miq-bot add_label bug gaprindashvili/yes

@miq-bot
Copy link
Member

miq-bot commented Oct 30, 2017

@enoodle Cannot apply the following label because they are not recognized: bug gaprindashvili/yes

@enoodle
Copy link
Author

enoodle commented Oct 31, 2017

@miq-bot add_label gaprindashvili/yes bug

@miq-bot
Copy link
Member

miq-bot commented Oct 31, 2017

@enoodle Cannot apply the following label because they are not recognized: gaprindashvili/yes bug

@moolitayer
Copy link

@enoodle the bot was missing a comma

@mjudeikis
Copy link

What release is this planned for? Any instructions how to port it back to old version of CF?

@enoodle
Copy link
Author

enoodle commented Nov 7, 2017

@mjudeikis It is aimed for gaprindashvili. As for backports, because it is based on ManageIQ/manageiq-providers-openshift#41 which itself is based on other gaprindashvili PRs since the repositories split, backporting will not be trivial.

@chessbyte
Copy link
Member

@enoodle Is this replacing action_container_image_annotate_deny_execution with action_container_image_annotate_scan_results?

@enoodle
Copy link
Author

enoodle commented Nov 14, 2017

@chessbyte Yes, it is based on a change in
ManageIQ/manageiq-providers-openshift#41

@bazulay
Copy link

bazulay commented Nov 19, 2017

@gtanzillo who can take a look

@enoodle
Copy link
Author

enoodle commented Nov 20, 2017

Copy link
Member

@gtanzillo gtanzillo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me 👍 Is this change covered in existing tests?

@enoodle
Copy link
Author

enoodle commented Nov 20, 2017

@gtanzillo I updated the miqAction tests that were effected by this, but couldn't find any tests for miq_policy_sets.yml , do you know of any?

@gtanzillo gtanzillo added this to the Sprint 74 Ending Nov 27, 2017 milestone Nov 20, 2017
@gtanzillo gtanzillo merged commit 9835af3 into ManageIQ:master Nov 20, 2017
@moolitayer
Copy link

🎉

simaishi pushed a commit that referenced this pull request Nov 20, 2017
@simaishi
Copy link
Contributor

Gaprindashvili backport details:

$ git log -1
commit 3ec3b2e1852e8a7883a96eaeb6607e1d158bc3f6
Author: Gregg Tanzillo <[email protected]>
Date:   Mon Nov 20 09:24:08 2017 -0500

    Merge pull request #15031 from enoodle/container_ssa_annotate_success
    
    Container ssa annotate success
    (cherry picked from commit 9835af3b3e53525a3dbb6745b4718866890edd4f)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1515438

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.