OCPBUGS-31510: change the analysis to not include ImageStreamTag
Signed-off-by: Paul Bastide <[email protected]>
prb112 committed Apr 2, 2024
1 parent a3dfc44 commit 7a0f603
Showing 2 changed files with 14 additions and 16 deletions.
Expand Up @@ -11,9 +11,9 @@ vuldiscussion: |-
The OpenShift platform can be configured to limit and control which image source repositories may be used by the platform and the users of the platform. By configuring this to only allow users to deploy images from trusted sources, lowers the risk for a user to deploy unsafe, or untested images that would be detrimental to the security and stability of the platform.
checktext: |-
To list all the imagestreams and identify which imagestream tags are configured to periodically check for updates (imagePolicy = { scheduled: true }) run the following command
To list all the imagestreams and identify which imagestream tags are configured to periodically check for updates (imagePolicy = { scheduled: true }) and (kind = DockerImage) run the following command:
> oc get imagestream --all-namespaces -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{range .spec.tags[*]}{"\t"}{.name}{": "}{.importPolicy}{"\n"}'
> oc get imagestream --all-namespaces -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{range .spec.tags[*]}{"\t"}{.name}{": "}{.importPolicy}{"\t"}{.from}{"\n"}
You will see an ouput similar to:
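Review bot: the rewritten jsonpath on the added command line drops the closing single quote that the removed line had (it now ends with `{.from}{"\n"}` and no `'`), so the command as written will not parse in a shell; restore the quote. Separately, the new sentence says the listing identifies tags with `(kind = DockerImage)`, but the template only appends `{.from}` as an extra column and never selects on `.from.kind`, so the reader has to filter the kind by eye; either say that the `from` column is printed for manual inspection, or align the wording with the automated rule in the same commit, whose jq filter excludes `ImageStreamTag` rather than selecting `DockerImage`. The unchanged context line still reads "ouput"; worth fixing while this block is being touched.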
26 changes: 12 additions & 14 deletions applications/openshift/registry/imagestream_sets_schedule/rule.yml
Expand Up @@ -32,7 +32,7 @@ references:
srg: SRG-APP-000456-CTR-001125

{{% set api_path = '/apis/image.openshift.io/v1/imagestreams' %}}
{{% set jqfilter = '[.items[]] | map(.spec.tags[]?.importPolicy.scheduled != true) | any' %}}
{{% set jqfilter = '[.items[] | .spec.tags[]? | select(.from.kind != "ImageStreamTag") | (.importPolicy.scheduled != null and .importPolicy.scheduled != false)] | all' %}}

ocil_clause: 'imagestream is not configured to perform periodical updates'
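Review bot: `| all` over an empty array is `true`, so the new `jqfilter` reports the expected value `true` for a cluster whose imagestreams have no tags, or only `ImageStreamTag` tags, and that is indistinguishable from a cluster where every remaining tag is scheduled; if the previous `any`-based filter was meant to surface that case, consider documenting the vacuous pass in the rule or emitting a count alongside the boolean. Two smaller points: `(.importPolicy.scheduled != null and .importPolicy.scheduled != false)` is just `.importPolicy.scheduled == true` for a boolean field and reads more plainly that way; and a tag with no `.from` at all passes `select(.from.kind != "ImageStreamTag")` (null is not equal to the string) and is then required to be scheduled, which may or may not be intended.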

Expand All @@ -42,22 +42,20 @@ ocil: |-
<pre>oc get imagestream --all-namespaces -o jsonpath='{{{ jqfilter }}}'</pre>
Alternatively, to view a list of ImageStreams that do not schedule updates,
run:
<pre>oc get imagestreams -A -ojson | jq '.items[] | select(.spec.tags[]?.importPolicy.scheduled != true) | .metadata.name' | sort | uniq</pre>
<pre>oc get imagestreams -A -ojson | jq -r '.items[] | select(.spec.tags[]?.importPolicy.scheduled != true) | "\(.metadata.namespace),\(.metadata.name)"' | sort | uniq</pre>
warnings:
- general: |-
{{{ openshift_filtered_cluster_setting({api_path: jqfilter}) | indent(4) }}}
template:
name: yamlfile_value
vars:
ocp_data: 'true'
filepath: |-
{{{ openshift_filtered_path(api_path, jqfilter) }}}
yamlpath: "[:]"
check_existence: "all_exist"
entity_check: "all"
values:
- value: "true"
operation: "equals"

name: yamlfile_value
vars:
ocp_data: 'true'
filepath: |-
{{{ openshift_filtered_path(api_path, jqfilter) }}}
yamlpath: "[:]"
check_existence: "only_one_exists"
values:
- value: "true"
operation: "equals"
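Review bot: the `ocil` text and the template now disagree about which tags count. The added `jq -r` command still uses `select(.spec.tags[]?.importPolicy.scheduled != true)`, which keeps `ImageStreamTag` tags that the updated `jqfilter` excludes, so the manual listing can name imagestreams the automated check passes; add the same `select(.from.kind != "ImageStreamTag")` to it. The unchanged `<pre>oc get imagestream --all-namespaces -o jsonpath='{{{ jqfilter }}}'</pre>` line feeds a jq program to `-o jsonpath`, which will not evaluate; it should read `-ojson | jq '{{{ jqfilter }}}'` or be dropped. The template change itself is consistent: the filter now returns a single boolean, so `check_existence: "only_one_exists"` with `value: "true"` is right and removing `entity_check: "all"` follows from it, but the commit message does not mention the `entity_check` removal, and a one-line note in the message would help whoever bisects this later.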
