1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Howto
    6. Integrate Prisma Cloud scanning into the OpenShift build process
    End-of-Life (EoL)

    Integrate Prisma Cloud scanning into the OpenShift build process

    This guide demonstrates how to scan images emitted from the OpenShift (OSE) build process. You can pass or fail the build process based on the severity of the vulnerability and compliance issues uncovered by the Prisma Cloud scanner called twistcli. The scanner produces actionable data that application developers can use to resolve issues. This setup leverages the
    postCommit
     build hook to scan images before they’re pushed to the registry.
    You can also use postCommit hooks with OpenShift Jenkins pipeline builds because pipeline builds integrate with the OpenShift BuildConfig process. Examples of OpenShift Jenkins Pipeline builds can be found here.

    Background

    Every release of Prisma Cloud ships with a Prisma Cloud Jenkins plugin called twistlock-jenkins-plugin.hpi. The Prisma Cloud Jenkins plugin works with containerized local on-premises Jenkins and Cloudbees Jenkins. This plugin is designed to be integrated into Jenkins Pipeline, Freestyle and Maven build workflows. The Prisma Cloud Jenkins plugin requires that the docker socket be mounted in the Jenkins container. The docker socket is used when scanning an image that is being built by the Jenkins workflow.
    The version of Jenkins included with OpenShift is specially modified for the OpenShift Container Platform. From the OpenShift docs:
    "In addition to standard Jenkins Pipeline Syntax, the OpenShift Jenkins image provides the OpenShift Domain Specific Language (DSL) (through the OpenShift Jenkins Client Plug-in), which aims to provide a readable, concise, comprehensive, and fluent syntax for rich interactions with an OpenShift API server, allowing for even more control over the build, deployment, and promotion of applications on your OpenShift cluster."
    The Prisma Cloud Jenkins plugin does not understand the OpenShift Domain Specific Language nor does the OpenShift Jenkins Master and Slave containers mount the docker socket. Therefore, the standard configuration of the Prisma Cloud Jenkins plugin is not applicable to the OpenShift Jenkins. But the OpenShift Jenkins leverages the OpenShift BuildConfig process as part of the Jenkins build process. Prisma Cloud can scan images built via the OpenShift BuildConfig process via the postCommit build hook using the twistcli utility.
    Also from the OpenShift docs:
    "The
    postCommit
     field of a
    BuildConfig
     object executes commands inside a temporary container that is running the build output image. The hook is executed immediately after the last layer of the image has been committed and before the image is pushed to a registry.
    The hook fails if the script or command returns a non-zero exit code or if starting the temporary container fails. When the hook fails it marks the build as failed and the image is not pushed to a registry. The reason for failing can be inspected by looking at the build logs."
    The twistcli scan of the image during the postCommit phase returns either success (exit 0) or error (exit 1) upon exit. The OpenShift build process will either continue or stop based upon these exit codes. You can configure the twistcli scan to pass/fail builds passed upon the vulnerabilities discovered in the image and configuration compliance.

    Prisma Cloud Console configuration

    The Prisma Cloud scanning application is called twistcli. The twistcli scanner must authenticate to the Prisma Cloud Console’s API to assess vulnerability and compliance data. Since the CI User account is the least privileged account we will pass the credentials as part of the script in this example. The CI User account does not have the rights to authenticate to the Prisma Cloud Console’s user interface. The scanner itself accesses Console’s API via the
    twistlock-console.twislock.svc
     OSE internal DNS FQDN. You can use OpenShift secrets to protect the username/password of the CI User account. See OpenShift secret for the Prisma Cloud credentials.
    Prerequisites:
     Prisma Cloud Console is fully operational. If not, see the Prisma Cloud OpenShift deployment guide.
    Create a least privileged CI User account.
    1. Log into Prisma Cloud Console.
    2. Go to
      Manage > Authentication > Users
      .
    3. Click
      Add user
      .
      1. Username:
        bob_the_builder
      2. Password:
        twistlock2019
      3. Role:
        CI User
        If using SAML or Active Directory/OpenLDAP integration this account must be of type
        Basic

    Create and configure an OpenShift build

    Modify the BuildConfig to scan an image, then build an image and review the results.
    1. Log into OpenShift using
      oc
      .
    2. Create a new build. This example build creates an image named pfox-ose-build-scan-demo from the registry.access.redhat.com/rhel7 base image.
      $ oc new-build \
  -D $'FROM registry.access.redhat.com/rhel7' \
  --to=pfox-ose-build-scan-demo
    3. In the OpenShift Console, go to
      Project > Builds > Builds
      . If you are using a Jenkins Pipeline, go to
      Project > Builds > Pipelines
      .
    4. Click on the
      pfox-ose-build-scan-demo
       build.
    5. In the
      Actions
       drop-down list, select
      Edit YAML
      .
    6. In the
      spec: postCommit
       node, add the following
      script
      , modifying it as necessary for your environment. The >- characters are a block chomping indicator that strips the line feeds from the multi-line script string. It’s one of the ways to write multi-line strings in YAML files. For a line-by-line breakdown of how the script works, see Post commit hook script.
      postCommit:
  script: >-
    curl -k -ssl -u "bob_the_builder:twistlock2019"
    https://twistlock-console.twistlock.svc:8083/api/v1/util/twistcli -o twistcli &&
    chmod +x ./twistcli &&
    ./twistcli images scan
    --containerized
    --user bob_the_builder
    --password twistlock2019
    --address https://twistlock-console.twistlock.svc:8083
    --vulnerability-threshold high
    --details
    $OPENSHIFT_BUILD_NAME
    7. Build a new image.
      $ oc start-build pfox-ose-build-scan-demo
    8. Monitor the build logs.
      $ oc logs -f bc/pfox-ose-build-scan-demo

    Looking at the results

    Since twistcli is configured with --vulnerability-threshold high and --details, the output contains detailed information for vulnerabilities in the image.
    The pass/fail status of the twistcli scan is printed at the end of the scan.
    If you want less verbosity from the scanner, remove the --details option from the postCommit script. To push the image to registry regardless of the scanner’s findings, don’t set any thresholds by removing the --vulnerability-threshold high option.
    postCommit:
  script: >-
    curl -k -ssl -u "bob_the_builder:twistlock2019"
    https://twistlock-console.twistlock.svc:8083/api/v1/util/twistcli -o twistcli &&
    chmod +x ./twistcli &&
    ./twistcli images scan
    --containerized
    --user bob_the_builder
    --password twistlock2019
    --address https://twistlock-console.twistlock.svc:8083
    --details
    $OPENSHIFT_BUILD_NAME
    With the updated postCommit script, the scanner provides just a summary report:
    In the OpenShift Console, the build information and twistcli scan output is displayed.
    The scan results can be reviewed in Prisma Cloud Console under
    Monitor > Vulnerabilities > Twistcli Scans
    .
    Click on the image to drill down into the detailsClick on the image to drill down into the details.

    Post commit hook script

    The postCommit script runs the Prisma Cloud scanner on the image just built. This section describes how the script works.
    postCommit:
  script: >-
    curl -k -ssl -u "bob_the_builder:twistlock2019" // See 1
    https://twistlock-console.twistlock.svc:8083/api/v1/util/twistcli -o twistcli &&
    chmod +x ./twistcli && // See 2
    ./twistcli images scan // See 3
    --containerized
    --user bob_the_builder
    --password twistlock2019
    --address https://twistlock-console.twistlock.svc:8083
    --vulnerability-threshold high
    --details
    $OPENSHIFT_BUILD_NAME // See 4
    • 1
       — Pulls the twistcli binary from Prisma Cloud Console API. This guarantees that the Prisma Cloud Console and twistcli versions are synchronized. Note that if the image being built does not contain curl, then add the twistcli application to the image itself.
    • 2
       — Makes the twistcli binary executable.
    • 3
       — Scans the image within the running container. The postCommit field of a BuildConfig object executes commands inside a temporary container that is running the build output image.
    • 4
       — Name of the image being scanned based upon the build’s environment variable.
    The following options control how the scan runs: See
    twistcli images scan --help
     for additional flags and details.
    Twistcli returns an exit code of 1 if there are any high severity vulnerabilities in the image. An exit code of 1 notifies the OSE start-build process that the postCommit task has failed and that the process should stop before the image is pushed to the registry.

    OpenShift secret for the Prisma Cloud credentials

    Create an OpenShift generic secret to protect your CI User credentials. These credentials are presented as environment variables to the script run in the postCommit stage. More information about providing credentials to a BuildConfig, see OpenShift’s docs on input secrets.
    The OpenShift build process will create environment variables containing the Prisma Cloud CI User account’s username:password in the resulting image.
    1. Log into OpenShift using
      oc
      , and go to the project where you run builds.
    2. Create files for the username and password.
      $ echo -n 'bob_the_builder' > ./username.txt
$ echo -n 'twistlock2019' > ./password.txt
    3. Create an OpenShift generic secret with the username and password.
      $ oc create secret generic twistlock-scan \
  --from-file=username=./username.txt \
  --from-file=password=./password.txt
    4. Grant the builder service account access to the secret.
      $ oc secrets link builder twistlock-scan
    5. Create a new build. This example build creates an image named pfox-ose-build-scan-demo from the registry.access.redhat.com/rhel7 base image. Associate the
      twistlock-scan
       secret with the build.
      $ oc new-build \
  -D $'FROM registry.access.redhat.com/rhel7' \
  --to=pfox-ose-build-scan-demo \
  --build-secret twistlock-scan
    6. In the OpenShift Console, go to
      Project > Builds > Builds
      . If you are using a Jenkins Pipeline, go to
      Project > Builds > Pipelines
      .
    7. Click on the
      pfox-ose-build-scan-demo
       build.
    8. In the
      Actions
       drop-down list, select
      Edit YAML
      .
    9. Add in the
      postCommit
       script as instructed above.
    10. Modify the
      spec:source
       and
      spec:strategy
       nodes accordingly.
          source:
      dockerfile: FROM registry.access.redhat.com/dotnet-beta/dotnet-20-rhel7
      secrets:
        - secret:
            name: twistlock-scan
      sourceSecret:
        name: twistlock-scan
      type: Dockerfile
    strategy:
      dockerStrategy:
        env:
          - name: twistlock_scan_username
            valueFrom:
              secretKeyRef:
                key: username
                name: twistlock-scan
          - name: twistlock_scan_password
            valueFrom:
              secretKeyRef:
                key: password
                name: twistlock-scan

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo