Add MiqAction to annotate container images as non secure at openshift

[moolitayer]

Based on:

• Add support for Patch method kubeclient#161
• Add support for image and image stream entities abonas/openshift_client#22

The metadata created by the MiqAction is meant to be used by Openshift to prevent tagged images from running.

[moolitayer]

@miq-bot add_label wip, providers/containers, control

[moolitayer]

@smarterclayton @deads2k This is the patch the annotates non secure images.

• Which label should we set here?
• Any other actions needed to prevent containers based on the image from starting on a master openshift deployed using openshift-ansible (I would like to test)

cc @simon3z

[smarterclayton]

We probably need to sort out whether others would set this annotation (a
blackduck scanner, for example), and what policy levels there are.

There are descriptive annotations "this is true for this object" (such as "
security.manageiq.org/image-has-vulnerability" = "true" and "
security.manageiq.org/detected-vulnerabilities"="[...]"), and then there
are affirmative statements ("images.openshift.io/deny-execution" =
"true"). I suspect we need both.

What information do you have at this current time around the image and its
vulnerability stance? Do we have a clear "warn / block" separation based
on vulnerability level?

On Sun, Mar 27, 2016 at 1:02 PM, ManageIQ Bot [email protected]
wrote:

Checked commit moolitayer/manageiq@f607ddf
moolitayer@f607ddf
with ruby 2.2.3, rubocop 0.37.2, and haml-lint 0.16.1
3 files checked, 1 offense detected

app/models/miq_action.rb

• [image: 🔹] - Line 832
  https://github.com/moolitayer/manageiq/blob/f607ddfaccfca8fc11f1d56030870fc47110fd26/app/models/miq_action.rb#L832,
  Col 3 - Metrics/AbcSize
  http://rubydoc.info/gems/rubocop/0.37.2/RuboCop/Cop/Metrics/AbcSize
• Assignment Branch Condition size for action_container_image_prevent is
  too high. [18.11/15]

—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#7536 (comment)

[deads2k]

I suspect we need both.

I agree. I'd like to have a human-readable string annotation for us to display along with the denial. I suspect that the marking process will have better information than we'll have.

[moolitayer]

What information do you have at this current time around the image and its
vulnerability stance? Do we have a clear "warn / block" separation based
on vulnerability level?

This action is ad hock and can be executed in response to which ever condition/s the user chooses. Said condition might be OpenSCAP vulnerabilities detected OR it might be something entirely different e.g image name is X. I think the best we can do here is to name the failed ManageIQ policy, So:

"security.manageiq.org/failed-policies" = []
"security.manageiq.org/failed-policy-ids" = []
And as suggested
"images.openshift.io/deny-execution" = "true"

The deny-execution satisfy my immediate goal. Going forward I'm pretty sure I could define a parameterized action that will allow the user to select his annotations (and examples for those could be provided out of the box)

[miq-bot]

<pr_mergeability_checker />This pull request is not mergeable. Please rebase and repush.

[moolitayer]

@smarterclayton @deads2k Please review used annotations
@jrafanie Could you please review policy parts
fyi @simon3z

[smarterclayton]

This looks fine to me.

[simon3z]

@miq-bot add_label darga/yes

[moolitayer]

@simon3z I should have discovered this sooner but I don't think I can tag with our current inventory.

These are the openshift names I need to know in order to tag:

[root@oshift01 ~]# oc get images 
NAME                                                                      DOCKER REF
sha256:20098eb056620c0ceade04b4bec642fb89c8f3361e89e6ff4729b273f2c799ed   openshift/ruby-20-centos7@sha256:20098eb056620c0ceade04b4bec642fb89c8f3361e89e6ff4729b273f2c799ed
sha256:592872229633f5b906301b1880aeb45272ef83a838794a9c2e53ce07b2a5f3f0   172.30.107.74:5000/test/origin-ruby-sample@sha256:592872229633f5b906301b1880aeb45272ef83a838794a9c2e53ce07b2a5f3f0
sha256:78380eec5f83213b7ef0c0d37a5f285ebb7632ca2c7390b9bd6c07625019cf7e   172.30.107.74:5000/test/origin-ruby-sample@sha256:78380eec5f83213b7ef0c0d37a5f285ebb7632ca2c7390b9bd6c07625019cf7e
sha256:af4c1abc8797bc2df3bfdc92b3ae5fd01984fd4590ffd4899520777f9de2d674   172.30.107.74:5000/test/origin-ruby-sample@sha256:af4c1abc8797bc2df3bfdc92b3ae5fd01984fd4590ffd4899520777f9de2d674
sha256:f334f35cdafe80368b83b53144e2f9a028b2f1170b25f612ce2ad7de890abcba   centos/ruby-22-centos7@sha256:f334f35cdafe80368b83b53144e2f9a028b2f1170b25f612ce2ad7de890abcba

This is the information we look at to create our ManageIQ image inventory:

[root@oshift01 ~]# oc describe pod docker-registry-1-a8bhm|grep -i image
Image(s):           openshift/origin-docker-registry:v1.0.8
    Image:      openshift/origin-docker-registry:v1.0.8
    Image ID:       docker://3629a651e6c11d7435937bdf41da11cf87863c03f2587fa788cf5cbfe8a11b9a

fyi @zeari thoughts?

[simon3z]

@simon3z I should have discovered this sooner but I don't think I can tag with our current inventory.

Indeed.

Can't you lookup by "DOCKER REF" or "Image ID"? (cc @deads2k )
If not you have to load them all and find the image yourself (really expensive).

[moolitayer]

@simon3z I was wrong, we have digest since #4234 which is what I need. Seems to be missing most of the time (even after taking into account that most ContainerImages do not link to a Openshift image)

[moolitayer]

Added handling for images with no digest and usual testing for entity type.

Tested:

ContainerImage.find(8).prevent_from_starting("has openscap failures")

Annotations returned by Openshift:

"annotations": {
"images.openshift.io/deny-execution": "true",
"openshift.io/image.managed": "true",
"security.manageiq.org/failed-policy": "has openscap failures"
}

Another common use case would lead to a guid name (policies can have a descriptive name or a guid name)
... "security.manageiq.org/failed-policy": "2c11dc5a-c080-483e-9ee0-c9ebf6921371"
}

@simon3z Please review

[moolitayer]

ping @simon3z

[simon3z]

@moolitayer @Fryguy @gmcculloug @blomquisg can anyone (after this patch) take the refactoring of the repeating:

if inputs[:synchronous]
  log_do_something
  do_something
else
  log_queuing_do_something
  queue(do_something)
end

It seems pretty common in this module.

[moolitayer]

Sure I'll give it a try @simon3z

[moolitayer]

#8516

[simon3z]

@moolitayer: few minor naming changes.

[moolitayer]

@gmcculloug Noticed it's Now executing or Queueing in most calls

[jrafanie]

Looks good @moolitayer. I had minor comments. Once they're fixed and @simon3z gives the 👍 , I'm good with this.

Note, I don't think we have an out of box deny/stop a vm thing but it seems like they'd have similar mechanics.

[moolitayer]

Address comment

[moolitayer]

@simon3z please reivew

[blomquisg]

Looks like something that should be refactored in the future. We need to be able to define actions and action handler methods for each manager type and provider.

/cc @durandom

[simon3z]

LGTM 👍 cc @blomquisg @jrafanie @chessbyte

[blomquisg]

Based on this error message, this call is only available for OpenShift images. This should really be implemented on an OpenShift implementation of ContainerImage.

But, since ContainerImage does not yet support STI, add an error handler here in case someone calls this method directly. Stopping calls via MiqAction seems insufficient to protect this method.

[simon3z]

But, since ContainerImage does not yet support STI, add an error handler here in case someone calls this method directly. Stopping calls via MiqAction seems insufficient to protect this method.

@moolitayer can you take care of that? Thanks.

[moolitayer]

Sure

[miq-bot]

Checked commit moolitayer@97d50db with ruby 2.2.3, rubocop 0.37.2, and haml-lint 0.16.1
3 files checked, 2 offenses detected

app/models/miq_action.rb

• 🔹 - Line 851, Col 3 - Metrics/AbcSize - Assignment Branch Condition size for action_container_image_annotate_deny_execution is too high. [37.23/15]
• 🔹 - Line 851, Col 3 - Metrics/MethodLength - Method has too many lines. [30/25]