Debug School

Suyash Sambhare

RH ACS Image Check on Tekton

Tekton

Tekton is a powerful and flexible open-source framework for building CI/CD systems, allowing developers to build, test, and deploy across cloud providers and on-premises systems.

  • Standardization: Tekton standardizes CI/CD tooling and processes across vendors, languages, and deployment environments. It works well with Jenkins, Knative, and many other common CI/CD tools.
  • Built-in best practices: Tekton lets you create CI/CD systems quickly, giving you scalable, serverless, cloud-native execution out of the box.
  • Maximum flexibility: Tekton abstracts the underlying implementation details so that you can choose the build, test, and deploy workflow that fits your team’s requirements.

Tekton Hub

Tekton Hub provides a central place for exploring and sharing Tekton resources across many distributed Tekton catalogs hosted by various organizations and teams. Hub currently displays a curated set of community-contributed tasks from the Community Catalog. Resources can be searched by name or display name, filtered by category (cloud, cli, GitHub, etc.), and rated by users.

Red Hat Advanced Cluster Security Image Check Task

This task allows you to check an image against build-time policies and apply enforcement to fail builds. It's a companion to the rhacs-image-scan task, which sends full vulnerability scan results for an image.
Check an image against RHACS build and deploy lifecycle policies to validate a pipeline run using roxctl.

Prerequisites

This task requires an active installation of Red Hat Advanced Cluster Security (RHACS). It also requires the configuration of secrets for the Central endpoint and an API token with at least CI privileges.

Install the Task

kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/rhacs-image-check/3.71/raw

Parameters

  1. image: Full name of the image to check. Eg: gcr.io/rox/sample:5.0-rc1, $(params.IMAGE), $(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)
  2. insecure-skip-tls-verify: Skip verification of the TLS certs for the Central endpoint and registry. Eg: "true", "false".
  3. output_format: Eg: table, csv, json, junit
  4. rox_central_endpoint: Secret containing the address:port tuple for StackRox Central. Eg: rox-central-endpoint
  5. rox_api_token: Secret containing the StackRox API token with CI permissions. Eg: rox-API-token


Usage

Checks images that have been pushed to a registry. This enables scanning irrespective of whether the build is using old-style Docker-based methods, hosted/SaaS-based methods where the Docker socket may not be directly available, or rootless methods like kaniko and buildah.

If the image violates one or more enforced policies, this task will return a failure and cause the pipeline run to fail.

kubectl create secret generic rox-api-token --from-literal=rox_api_token="$ROX_API_TOKEN"
kubectl create secret generic rox-central-endpoint --from-literal=rox_central_endpoint=central.stackrox.svc:443

Eg:

  tasks:
    - name: image-check
      taskRef:
        name: rhacs-image-check
        kind: Task
      params:
        - name: image
          value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
      runAfter:
        - image-scan

Samples:

Skipping TLS verification is currently required; the TLS trust bundle does not work for quay.io and similar registries.
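The snippet above shows only the image-check task. The following Pipeline is an added example, not taken from the original post or from the Tekton Hub task definitions: it wires a build step, the rhacs-image-scan task, and the rhacs-image-check task together so that the check runs against the exact digest that was built. The build step assumes the Tekton Hub buildah task (param IMAGE, result IMAGE_DIGEST, workspace named source); the rhacs-image-scan task is assumed to accept the same image parameter as the check task; the pipeline name and the secret names match the kubectl create secret commands above.

```yaml
# Added example: build, scan, then enforce RHACS build-time policies.
# Assumptions: buildah task from Tekton Hub (IMAGE param, IMAGE_DIGEST result,
# "source" workspace); rhacs-image-scan takes an "image" param like rhacs-image-check.
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: build-scan-check
spec:
  params:
    - name: IMAGE
      type: string
      description: Image reference without tag or digest, e.g. quay.io/example/app
  workspaces:
    - name: source
  tasks:
    - name: build-image
      taskRef:
        name: buildah
        kind: Task
      params:
        - name: IMAGE
          value: "$(params.IMAGE)"
      workspaces:
        - name: source
          workspace: source
    - name: image-scan
      taskRef:
        name: rhacs-image-scan
        kind: Task
      params:
        - name: image
          # Use the digest produced by the build, not a mutable tag, so the
          # scanned image is exactly the one that was pushed.
          value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
      runAfter:
        - build-image
    - name: image-check
      taskRef:
        name: rhacs-image-check
        kind: Task
      params:
        - name: image
          value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
        # Names of the Secrets created with "kubectl create secret generic" above.
        - name: rox_central_endpoint
          value: rox-central-endpoint
        - name: rox_api_token
          value: rox-api-token
        - name: output_format
          value: table
        # Required for now because the TLS trust bundle does not cover
        # registries such as quay.io; set to "false" once it does.
        - name: insecure-skip-tls-verify
          value: "true"
      runAfter:
        - image-scan
```

A PipelineRun that references build-scan-check only needs to bind the IMAGE parameter and the source workspace; if the image violates an enforced build-time policy, the image-check task fails and the whole run fails, which is the enforcement point described in the Usage section.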

Ref: https://hub.tekton.dev/tekton/task/rhacs-image-check
