Red Hat SummitChapter 4. Checking policy compliance
You can use the roxctl CLI to check deployment YAML files and images for policy compliance.
4.1. Prerequisites
You have configured the
ROX_ENDPOINTenvironment variable using the following command:export ROX_ENDPOINT=<host:port>
$ export ROX_ENDPOINT=<host:port>1 Copy to Clipboard Copied! - 1
- The host and port information that you want to store in the
ROX_ENDPOINTenvironment variable.
4.2. Configuring output format
When you check policy compliance by using the roxctl deployment check or roxctl image check commands, you can specify the output format by using the -o option to the command and specifying the format as json, table, csv, or junit. This option determines how the output of a command is displayed in the terminal.
For example, the following command checks a deployment and then displays the result in csv format:
roxctl deployment check --file =<yaml_filename> -o csv
$ roxctl deployment check --file =<yaml_filename> -o csv
When you do not specify the -o option for the output format, the following default behavior is used:
-
The format for the
deployment checkand theimage checkcommands istable. -
The default output format for the
image scancommand isjson. This is the old JSON format output for compatibility with older versions of the CLI. To get the output in the new JSON format, specify the option with format, as-o json. Use the old JSON format output when gathering data for troubleshooting purposes.
Different options are available to configure the output. The following table lists the options and the format in which they are available.
| Option | Description | Formats |
|---|---|---|
|
| Use this option to display the JSON output in a compact format. |
|
|
| Use this option to specify custom headers. |
|
|
| Use this option to omit the header row from the output. |
|
|
| Use this option to specify GJSON paths to select specific items from the output. For example, to get the Policy name and Severity for a deployment check, use the following command: roxctl deployment check --file=<yaml_filename> \
-o table --headers POLICY-NAME,SEVERITY \
--row-jsonpath-expressions="{results..violatedPolicies..name,results..violatedPolicies..severity}"
|
|
|
| Use this options to merge table cells that have the same value. |
|
|
| Use this option to include the header row as a comment in the output. |
|
|
| Use this option to specify the name of the JUnit test suite. |
|
4.3. Checking deployment YAML files
Procedure
Run the following command to check the build-time and deploy-time violations of your security policies in YAML deployment files:
roxctl deployment check --file=<yaml_filename>
$ roxctl deployment check --file=<yaml_filename>Copy to Clipboard Copied! The format is defined in the API reference. To cause Red Hat Advanced Cluster Security for Kubernetes (RHACS) to re-pull image metadata and image scan results from the associated registry and scanner, add the
--forceoption.NoteTo check specific image scan results, you must have a token with both
readandwritepermissions for theImageresource. The default Continuous Integration system role already has the required permissions.This command validates the following items:
- Configuration options in a YAML file, such as resource limits or privilege options
- Aspects of the images used in a YAML file, such as components or vulnerabilities
4.4. Checking images
Procedure
Run the following command to check the build-time violations of your security policies in images:
roxctl image check --image=<image_name>
$ roxctl image check --image=<image_name>Copy to Clipboard Copied! The format is defined in the API reference. To cause Red Hat Advanced Cluster Security for Kubernetes (RHACS) to re-pull image metadata and image scan results from the associated registry and scanner, add the
--forceoption.NoteTo check specific image scan results, you must have a token with both
readandwritepermissions for theImageresource. The default Continuous Integration system role already has the required permissions.
4.5. Checking image scan results
You can also check the scan results for specific images.
Procedure
Run the following command to return the components and vulnerabilities found in the image in JSON format:
roxctl image scan --image <image_name>
$ roxctl image scan --image <image_name>Copy to Clipboard Copied! The format is defined in the API reference. To cause Red Hat Advanced Cluster Security for Kubernetes (RHACS) to re-pull image metadata and image scan results from the associated registry and scanner, add the
--forceoption.NoteTo check specific image scan results, you must have a token with both
readandwritepermissions for theImageresource. The default Continuous Integration system role already has the required permissions.
4.6. roxctl image command overview
Commands that you can run on a specific image.
Usage
roxctl image [command] [flags]
$ roxctl image [command] [flags]| Command | Description |
|---|---|
|
| Check images for build time policy violations, and report them. |
|
| Scan the specified image, and return the scan results. |
| Option | Description |
|---|---|
|
|
Set the timeout for API requests representing the maximum duration of a request. The default value is |
4.6.1. roxctl image command options inherited from the parent command
The roxctl image command supports the following options inherited from the parent roxctl command:
| Option | Description |
|---|---|
|
|
Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the |
|
|
Set |
|
|
Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the |
|
|
Force the use of HTTP/1 for all connections. Alternatively, by setting the |
|
|
Enable insecure connection options. Alternatively, by setting the |
|
|
Skip the TLS certificate validation. Alternatively, by setting the |
|
|
Disable the color output. Alternatively, by setting the |
|
|
Specify the password for basic authentication. Alternatively, you can set the password by using the |
|
|
Use an unencrypted connection. Alternatively, by setting the |
|
|
Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the |
|
|
Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the |
These options are applicable to all the sub-commands of the roxctl image command.
4.6.2. roxctl image scan
Scan the specified image, and return the scan results.
Usage
roxctl image scan [flags]
$ roxctl image scan [flags]| Option | Description |
|---|---|
|
| Specify the cluster name or ID to which you want to delegate the image scan. |
|
|
Print JSON output in a compact format. The default value is |
|
|
Ignore Central’s cache and force a fresh re-pull from Scanner. The default value is |
|
|
Specify the headers to print in a tabular output. The default values include |
|
|
Print headers as comments in a CSV tabular output. The default value is |
|
|
Specify the image name and reference to scan. For example, |
|
|
Include snoozed and unsnoozed CVEs in the scan results. The default value is |
|
|
Merge duplicate cells in a tabular output. The default value is |
|
|
Do not print headers for a tabular output. The default value is |
|
|
Specify the output format. Output formats include |
|
|
Specify the number of retries before exiting as an error. The default value is |
|
|
Set the time to wait between retries in seconds. The default value is |
|
|
Specify JSON path expressions to create a row from the JSON object. For more details, run the |
4.6.3. roxctl image check
Check images for build time policy violations, and report them.
Usage
roxctl image check [flags]
$ roxctl image check [flags]| Option | Description |
|---|---|
|
| List of the policy categories that you want to execute. By default, all the policy categories are used. |
|
| Define the cluster name or ID that you want to use as the context for evaluation. |
|
|
Print JSON output in a compact format. The default value is |
|
|
Bypass the Central cache for the image and force a new pull from the Scanner. The default value is |
|
|
Define headers to print in a tabular output. The default values include |
|
|
Print headers as comments in a CSV tabular output. The default value is |
|
|
Specify the image name and reference. For example, |
|
|
Set the name of the JUnit test suite. Default value is |
|
|
Merge duplicate cells in a tabular output. The default value is |
|
|
Do not print headers for a tabular output. The default value is |
|
|
Choose the output format. Output formats include |
|
|
Set the number of retries before exiting as an error. The default value is |
|
|
Set the time to wait between retries in seconds. The default value is |
|
|
Create a row from the JSON object by using JSON path expression. For more details, run the |
|
|
Define whether you want to send notifications in the event of violations. The default value is |
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}