OpenSCAP in a Secure Environment

introduction

If you have been using CloudForms to manage the OpenShift Container Platform you're probably well aware of the container image scanning capabilities powered by OpenSCAP. If not, there's a great overview of what we can do here. In the default configuration, this requires the CloudForms appliance to have external access, both to pull down the image-inspector container image and for that image to subsequently pull the CVE information that makes the scan effective. In some environments, it may make sense to limit that external access.


what we're after

We're after two things:

  • We want to configure the solution to pull down a container image from a local registry
  • We want to configure each instance of the image-inspector to access the CVE info via a proxy

We're going to assume you have a local registry set up on something like Red Hat Satellite 6 that's already hosting the image-inspector container image. Configuration for that is outside the scope of this post, but there's plenty of info to get you started here and here. We're also going to assume you already have a corporate proxy set up.

Note: This was done and tested on CloudForms 4.2, there are some notes about the 4.5 release at the end of the post.


the code

The first, and easiest, configuration is to set up CloudForms to tell OpenShift to pull down the image-inspector container image from the local registry. That is configured in config/initializers/override_containers_scanning_image.rb. The code looks like this:

module OverrideContainersScanningImage  
  def inspector_image
    'registry.access.redhat.com/openshift3/image-inspector:2.1'
  end
end

ManageIQ::Providers::Kubernetes::ContainerManager::Scanning::Job.prepend(OverrideContainersScanningImage)  

All we need to do is change line 3 from 'registry.access.redhat.com/openshift3/image-inspector:2.1'
to the location of the image hosted locally. For this to take effect, trigger a restart.

#vmdb
#rake evm:restart

Next we want to configure the image-inspector to access the CVE information via a proxy. The tricky thing about this is that each image-inspector is ephemeral, so it gets spun up to do its task, lives for only a few moments, and disappears forever after it fulfills its duties. In other words:

Image Inspectors are created to serve a singular purpose for which they will go to any length to fulfill. After they serve their purpose, they expire and vanish into the air, like Mr. Meeseeks.
-Ed

If you're interested in the details of the image-inspector, you can check out this code. Here, for example, you can see that the CVEurl is https://www.redhat.com/security/data/metrics/ds/ and other fun facts.

Now let's check out the code in CFME that handles this. This is located in app/models/manageiq/providers/kubernetes/container_manager/scanning/job.rb
If you take a look on line 17 you'll see the following:
PROXY_ENV_VARIABLES = %w(no_proxy http_proxy https_proxy)

This gets used further down on line 415 (or line 435 in CFME 4.5) in the inspector_proxy_env_variables method:

def inspector_proxy_env_variables
  # Custom attributes are stored on the provider (the ExtManagementSystem record)
  settings = ext_management_system.custom_attributes
  # Only attributes in ATTRIBUTE_SECTION whose name is one of
  # no_proxy / http_proxy / https_proxy are considered
  settings.where(:section => ATTRIBUTE_SECTION,
                 :name    => PROXY_ENV_VARIABLES).each_with_object([]) do |att, env|
    # Each non-blank attribute becomes an upper-cased env variable on the pod
    env << {:name  => att.name.upcase,
            :value => att.value} unless att.value.blank?
  end
end

This is how we get the proxy details to the pod at time of creation, so now we just need to set the http_proxy variable. Like all good things, this is done in the Rails Console. Navigate to the vmdb directory using your trusty alias, and execute:

#rails c

To make it simple, first we'll create an object for the provider, then we'll add the custom attributes that job.rb is looking for.

irb: openshift = ExtManagementSystem.find_by_name("ocp.provider.name")  
irb: openshift.custom_attributes.create(:section => "cluster_settings", :name => 'http_proxy', :value => "http://your.company.proxy:1234")  

You're all set. We have now configured everything to pull down the image-inspector container image from the local registry and the pods that are created will access the CVEUrl via the proxy "http://your.company.proxy:1234".
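To see both pieces of the configuration above working together outside of CloudForms, here is an added stand-alone Ruby example (not CloudForms code): a small stand-in for the Scanning::Job class whose inspector_image is replaced by a prepended module, exactly as the initializer does, and whose inspector_proxy_env_variables applies the same section, name and blank-value filtering to a set of constructed custom attributes. The registry hostname and the ScanningJobStandIn / OverrideContainersScanningImageStandIn names are assumptions, and String#blank? from ActiveSupport is replaced with a plain-Ruby check.

```ruby
# Added example, not CloudForms code. Mirrors the two mechanisms the post
# relies on: Module#prepend to override inspector_image, and the mapping
# from provider custom attributes to the pod's proxy env variables.

PROXY_ENV_VARIABLES = %w(no_proxy http_proxy https_proxy)
ATTRIBUTE_SECTION   = 'cluster_settings'

# Stand-in for a custom_attributes row (section, name, value).
CustomAttribute = Struct.new(:section, :name, :value)

class ScanningJobStandIn
  def initialize(custom_attributes)
    @custom_attributes = custom_attributes
  end

  # Shipped default, same string as the initializer's line 3.
  def inspector_image
    'registry.access.redhat.com/openshift3/image-inspector:2.1'
  end

  # Same filtering as job.rb: only ATTRIBUTE_SECTION, only whitelisted
  # names, non-blank values, names upcased (http_proxy -> HTTP_PROXY).
  def inspector_proxy_env_variables
    @custom_attributes
      .select { |a| a.section == ATTRIBUTE_SECTION && PROXY_ENV_VARIABLES.include?(a.name) }
      .each_with_object([]) do |att, env|
        blank = att.value.to_s.strip.empty? # plain-Ruby stand-in for blank?
        env << { :name => att.name.upcase, :value => att.value } unless blank
      end
  end
end

# Equivalent of override_containers_scanning_image.rb: a prepended module
# sits in front of the class, so its inspector_image wins.
module OverrideContainersScanningImageStandIn
  def inspector_image
    'satellite.example.internal:5000/openshift3/image-inspector:2.1' # assumed local registry
  end
end
ScanningJobStandIn.prepend(OverrideContainersScanningImageStandIn)

# Constructed attributes: one valid proxy, one blank value, one in the
# wrong section, one name outside the whitelist. Only the first survives.
SAMPLE_ATTRIBUTES = [
  CustomAttribute.new('cluster_settings', 'http_proxy',  'http://your.company.proxy:1234'),
  CustomAttribute.new('cluster_settings', 'https_proxy', ''),
  CustomAttribute.new('other',            'no_proxy',    '.example.internal'),
  CustomAttribute.new('cluster_settings', 'ftp_proxy',   'http://x:1'),
]

def demo_job
  ScanningJobStandIn.new(SAMPLE_ATTRIBUTES)
end
```

Running demo_job.inspector_proxy_env_variables shows that a misspelled name or a wrong section silently yields no proxy variable at all, which is the first thing to check when a scan pod still cannot reach the CVE URL.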


some other things

The info in this post is applicable to CloudForms 4.2. As many of you know, CloudForms 4.5 was released yesterday. Since many of us are still tired from our all night CloudForms release parties, we haven’t had a chance to test this, but a cursory review reveals that config/initializers/override_containers_scanning_image.rb is gone. However, on lines 13-15 in config/environments/production.yml we now see this:

:ems_kubernetes:
    :image_inspector_registry: registry.access.redhat.com
    :image_inspector_repository: openshift3/image-inspector

In app/models/manageiq/providers/kubernetes/container_manager/scanning/job.rb line 6 has changed to INSPECTOR_IMAGE_TAG = '2.1'.freeze and the inspector_image method (line 429) has been changed to look like this:

def inspector_image
  registry = ::Settings.ems.ems_kubernetes.image_inspector_registry
  repo = ::Settings.ems.ems_kubernetes.image_inspector_repository
  "#{registry}/#{repo}:#{INSPECTOR_IMAGE_TAG}"
end

So now it appears that you can change the info in the production.yml file and the correct location will be generated and returned by the inspector_image method. One thing to note is that the 2.1 tag is still hard coded on line 6 in job.rb, there’s a note about that on the pull request. This means that in order for this to work, your local container image will need to have that 2.1 tag, otherwise you would still need to edit the string on line 432 in job.rb.