2.4. Integrating with your CI pipeline
After you have finished these procedures, the next step is to integrate with your CI pipeline.
Each CI system might require a slightly different configuration.
2.4.1. Using Jenkins
Use the StackRox Container Image Scanner Jenkins plugin for integrating with Jenkins. You can use this plugin in both Jenkins freestyle projects and pipelines.
2.4.2. Using CircleCI
You can integrate Red Hat Advanced Cluster Security for Kubernetes with CircleCI.
Prerequisites
- You have a token with read and write permissions for the Image resource.
- You have a username and password for your Docker Hub account.
Procedure
- Log in to CircleCI and open an existing project or create a new project.
- Click Project Settings.
- Click Environment variables.
- Click Add variable and create the following four environment variables:
  - Name: STACKROX_CENTRAL_HOST - The DNS name or IP address of Central.
  - Name: ROX_API_TOKEN - The API token to access Red Hat Advanced Cluster Security for Kubernetes.
  - Name: DOCKERHUB_PASSWORD - The password for your Docker Hub account.
  - Name: DOCKERHUB_USER - The username for your Docker Hub account.
- Create a directory called .circleci in the root directory of your local code repository for your selected project, if you do not already have a CircleCI configuration file. Create a config.yml configuration file with the following lines in the .circleci directory:

    version: 2
    jobs:
      check-policy-compliance:
        docker:
          - image: 'circleci/node:latest'
            auth:
              username: $DOCKERHUB_USER
              password: $DOCKERHUB_PASSWORD
        steps:
          - checkout
          - run:
              name: Install roxctl
              command: |
                curl -H "Authorization: Bearer $ROX_API_TOKEN" https://$STACKROX_CENTRAL_HOST:443/api/cli/download/roxctl-linux -o roxctl && chmod +x ./roxctl
          - run:
              name: Scan images for policy deviations and vulnerabilities
              command: |
                ./roxctl image check --endpoint "$STACKROX_CENTRAL_HOST:443" --image "<your_registry/repo/image_name>"
          - run:
              name: Scan deployment files for policy deviations
              command: |
                # Deployment YAML is checked with the "deployment check" subcommand and --file, not "image check" --image.
                ./roxctl deployment check --endpoint "$STACKROX_CENTRAL_HOST:443" --file "<your_deployment_file>"
                # Important note: This step assumes the YAML file you'd like to test is located in the project.
    workflows:
      version: 2
      build_and_test:
        jobs:
          - check-policy-compliance

  where:
  - <your_registry/repo/image_name> - Specifies your registry and image path.
  - <your_deployment_file> - Specifies the path to your deployment file.

  Note: If you already have a config.yml file for CircleCI in your repository, add a new jobs section with the specified details in your existing configuration file.
- After you commit the configuration file to your repository, go to the Jobs queue in your CircleCI dashboard to verify the build policy enforcement.
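As an added example that is not part of this documentation or of roxctl itself, the following POSIX shell wrapper does the same gating as the roxctl step above but first confirms the required environment variables are present and then checks every image listed in a file instead of one hard-coded reference. It assumes roxctl has already been downloaded to ./roxctl (override with the ROXCTL variable); the image-list format and the names require_env and check_images are this example's own.

```shell
#!/bin/sh
# Example CI helper (not part of the product): gate a build on roxctl image checks.
# Assumes roxctl was downloaded earlier in the job; ROXCTL overrides its path.
ROXCTL="${ROXCTL:-./roxctl}"

# Return 1 and name the first unset or empty variable among those listed,
# so a misconfigured job fails early with a clear message instead of a
# confusing connection or authentication error from roxctl.
require_env() {
  for name in "$@"; do
    eval "val=\"\${$name:-}\""
    if [ -z "$val" ]; then
      echo "missing required environment variable: $name" >&2
      return 1
    fi
  done
  return 0
}

# Run "roxctl image check" for each image reference in the file given as $1
# (one reference per line; blank lines and '#' comments are skipped).
# Every image is checked even after a failure so the log lists all violators;
# the function returns 1 if any image failed its policy check, else 0.
check_images() {
  list="$1"
  failed=0
  while IFS= read -r image || [ -n "$image" ]; do
    case "$image" in ''|\#*) continue ;; esac
    if "$ROXCTL" image check --endpoint "$STACKROX_CENTRAL_HOST:443" --image "$image"; then
      echo "PASS $image"
    else
      echo "FAIL $image" >&2
      failed=$((failed + 1))
    fi
  done < "$list"
  echo "$failed image(s) failed policy checks"
  [ "$failed" -eq 0 ]
}
```

In a CircleCI run step, call it as `require_env STACKROX_CENTRAL_HOST ROX_API_TOKEN && check_images images.txt`; roxctl reads ROX_API_TOKEN from the environment, so the token is never written to the job log.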