authorPhilippe Lafoucrière <plafoucriere@gitlab.com>2019-03-30 12:05:13 -0400
committerPhilippe Lafoucrière <plafoucriere@gitlab.com>2019-03-31 08:58:01 -0400
commit6a25f8bc794d42a744082ae09d7fc4bbbaa5e5a4 (patch)
treeb463a743eb8f2a9b84efb60b6869e18da94e85dd
parent50a1e01fa8959b08df8bfc18940f9310876873b3 (diff)
Fix Container Scanning for Kubernetes Runnersfix-container-scanning-on-k8s
closes https://gitlab.com/gitlab-org/gitlab-ee/issues/6636 closes https://gitlab.com/gitlab-org/gitlab-ee/issues/5763
-rw-r--r--changelogs/unreleased/fix-container-scanning-on-k8s.yml5
-rw-r--r--lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml9
-rw-r--r--lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml15
3 files changed, 23 insertions, 6 deletions
diff --git a/changelogs/unreleased/fix-container-scanning-on-k8s.yml b/changelogs/unreleased/fix-container-scanning-on-k8s.yml
new file mode 100644
index 00000000000..f4500370a0b
--- /dev/null
+++ b/changelogs/unreleased/fix-container-scanning-on-k8s.yml
@@ -0,0 +1,5 @@
+---
+title: Fix Container Scanning in Kubernetes Runners
+merge_request: 26793
+author:
+type: changed
diff --git a/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml b/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml
index 78872b3bbe3..3116f1a136b 100644
--- a/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml
@@ -531,8 +531,8 @@ rollout 100%:
touch clair-whitelist.yml
retries=0
echo "Waiting for clair daemon to start"
- while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
- ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
+ while( ! wget -T 10 -q -O /dev/null http://${DOCKER_SERVICE}:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
+ ./clair-scanner -c http://${DOCKER_SERVICE}:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
}
function code_quality() {
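Review bot: `${DOCKER_SERVICE}` on the two rewritten wget/clair-scanner lines is only exported inside the `if ! docker info` branch of setup_docker (the hunk at line 800 below), so on a runner where `docker info` already succeeds the variable is empty and the Clair URL degrades to `http://:6060/...`, where the old code at least named `docker`. A default on the consumer side preserves the previous behaviour: `http://${DOCKER_SERVICE:-docker}:6060` on both the wget line and the clair-scanner `-c` argument; alternatively export `DOCKER_SERVICE="docker"` before the `docker info` test in setup_docker. The same gap applies to the setup_docker hunk below. The enclosing function begins above this hunk.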
@@ -800,10 +800,15 @@ rollout 100%:
kubectl version --client
}
+ # With the Kubernetes executor, 'localhost' must be used instead
+ # https://docs.gitlab.com/runner/executors/kubernetes.html
function setup_docker() {
if ! docker info &>/dev/null; then
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
export DOCKER_HOST='tcp://localhost:2375'
+ export DOCKER_SERVICE="localhost"
+ else
+ export DOCKER_SERVICE="docker"
fi
fi
}
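Review bot: The added comment sits above `function setup_docker()` rather than next to the branch it explains, and "must be used instead" does not say what is being replaced; the reader has to cross-reference the Container-Scanning template to learn that it is the `docker` service hostname. I would move it beside the `export DOCKER_SERVICE="localhost"` line and word it as `# Kubernetes executor: services share the job pod's localhost, so the dind service is reached as 'localhost' rather than by the 'docker' hostname`, keeping the docs URL. Note also that the `else` branch runs when `DOCKER_HOST` was already set by the caller, in which case `DOCKER_SERVICE="docker"` may not match the host actually in `DOCKER_HOST`; I cannot tell from the page whether such configurations are supported.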
diff --git a/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
index ea1e6ae5fdc..0b7a531682b 100644
--- a/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
@@ -17,23 +17,30 @@ container_scanning:
#
# Container Scanning deals with Docker images only so no need to import the project's Git repository:
GIT_STRATEGY: none
+ # Services and containers running in the same Kubernetes pod are all sharing the same localhost address
+ # https://docs.gitlab.com/runner/executors/kubernetes.html
+ DOCKER_SERVICE: docker
+ DOCKER_HOST: tcp://${DOCKER_SERVICE}:2375/
+ # https://hub.docker.com/r/arminc/clair-local-scan/tags
+ CLAIR_LOCAL_SCAN_VERSION: v2.0.6
allow_failure: true
services:
- docker:stable-dind
script:
+ - if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then { export DOCKER_SERVICE="localhost" ; export DOCKER_HOST="tcp://${DOCKER_SERVICE}:2375" ; } fi
- docker run -d --name db arminc/clair-db:latest
- - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:v2.0.6
+ - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:${CLAIR_LOCAL_SCAN_VERSION}
- apk add -U wget ca-certificates
- docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
- wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
- mv clair-scanner_linux_amd64 clair-scanner
- chmod +x clair-scanner
- touch clair-whitelist.yml
- - while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done
+ - while( ! wget -q -O /dev/null http://${DOCKER_SERVICE}:6060/v1/namespaces ) ; do sleep 1 ; done
- retries=0
- echo "Waiting for clair daemon to start"
- - while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
- - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
+ - while( ! wget -T 10 -q -O /dev/null http://${DOCKER_SERVICE}:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
+ - ./clair-scanner -c http://${DOCKER_SERVICE}:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
artifacts:
reports:
container_scanning: gl-container-scanning-report.json
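Review bot: The Kubernetes detection added at the `if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]` script line is dead as written, because the same hunk sets `DOCKER_HOST: tcp://${DOCKER_SERVICE}:2375/` unconditionally in `variables:`, so `$DOCKER_HOST` is never empty when the script runs and a Kubernetes runner keeps addressing `docker` instead of `localhost` (unless a user overrides `DOCKER_HOST` to an empty value). Either drop the `DOCKER_HOST` default from `variables:` and let the script export it in both branches, or key the test on the executor alone: `- if [ -n "$KUBERNETES_PORT" ]; then export DOCKER_SERVICE="localhost"; export DOCKER_HOST="tcp://${DOCKER_SERVICE}:2375"; fi`. The `variables:` value also carries a trailing slash (`2375/`) while the script export has none; pick one form so the two paths produce the same endpoint. Whether `${DOCKER_SERVICE}` is expanded inside `variables:` depends on the runner's nested-variable expansion, which I cannot confirm from this page. The `container_scanning` job begins above the hunk.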