This blog post explains how to set up a GitLab CI pipeline that uses Kaniko, Twistcli, and Crane to build Docker images, scan them on Prisma Cloud with twistcli, and only then push them to the registry. This setup is particularly useful for environments where Docker-in-Docker (DinD) is not feasible, such as self-hosted GitLab runners on AKS pods.
Why Kaniko?
Kaniko is a tool for building container images from a Dockerfile inside a container or Kubernetes cluster. Unlike DinD, it doesn't require privileged mode, making it a more secure alternative.
Setting Up the Pipeline
Our pipeline is split into two stages to accommodate security scanning before pushing the image:
- Build and Scan: Use Kaniko to build the image and Twistcli to scan it.
- Push: Use Crane to push the scanned image to the Azure Container Registry (ACR).
Prerequisites
- A self-hosted GitLab runner on AKS pods.
- Access to an Azure Container Registry.
- Kaniko image with Twistcli installed.
- A Prisma Cloud tenant with SCA enabled.
Pipeline Configuration
Here’s a step-by-step guide to configuring your GitLab CI pipeline.
Step 1: Define Pipeline Variables
First, define the necessary variables in your .gitlab-ci.yml file.
variables:
  IMAGE_NAME: "basic-image"
  IMAGE_TAG: "latest"
  ACR_REGISTRY: "ouracr.azurecr.io"
  PRISMA_CLOUD_COMPUTE_URL: "https://northamerica-northeast1.cloud.twistlock.com/canada-550205609"
  PRISMA_CLOUD_API_URL: "$PRISMA_CLOUD_COMPUTE_URL/api/v1/util"
Step 2: Authenticate with ACR
Add the authentication details for your Azure Container Registry as a DOCKER_AUTH_CONFIG variable in the same variables block; the GitLab runner uses it to pull the private Kaniko image from ACR.
variables:
  DOCKER_AUTH_CONFIG: |
    {
      "auths": {
        "ouracr.azurecr.io": {
          "auth": "<base64 encoded-client-id+secret>"
        }
      }
    }
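The placeholder in the "auth" field is the base64 encoding of client-id:client-secret with no trailing newline, which is easy to get wrong when the value is produced with echo. The shell helpers below are an added example, not code from the original post: they generate that value and the full DOCKER_AUTH_CONFIG document, and check that an existing value round-trips cleanly. They assume a coreutils base64 that accepts -d, and the id/secret values in the comments are constructed.

```shell
#!/bin/sh
# Build the "auth" value expected in DOCKER_AUTH_CONFIG:
# base64 of "<user>:<password>" with NO trailing newline (echo would add one).
acr_auth_b64() {
  # $1 = service principal client id, $2 = client secret
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Emit the complete DOCKER_AUTH_CONFIG JSON document for one registry.
acr_auth_config() {
  # $1 = registry host, $2 = client id, $3 = client secret
  printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$1" "$(acr_auth_b64 "$2" "$3")"
}

# Sanity-check an existing auth value before committing it to CI variables.
# Returns 0 only if it decodes to "user:password" and re-encodes to the
# exact same string, so a trailing newline or stray whitespace is caught.
acr_auth_check() {
  # $1 = base64 auth value
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  case "$decoded" in
    *:*) ;;
    *) return 1 ;;
  esac
  [ "$(printf '%s' "$decoded" | base64 | tr -d '\n')" = "$1" ]
}

# Example run with constructed credentials (not real values):
# acr_auth_config ouracr.azurecr.io "<client-id>" "<client-secret>"
```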
Step 3: Build Stage
Configure the build stage using Kaniko. The image is written to a tarball rather than pushed, and the twistcli scan runs against that tarball; a failed scan fails the job, so nothing reaches the registry.
stages:
  - test
  - build
  - push

docker:build:
  stage: build
  image: ouracr.azurecr.io/kaniko:latest  # our own Kaniko image with twistcli installed
  script:
    # Build to image.tar only (--no-push); --destination is still required to name the image in the tarball.
    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --no-push --destination $ACR_REGISTRY/$IMAGE_NAME:$IMAGE_TAG --tar-path image.tar
    # PRISMA_ACCESS_KEY / PRISMA_SECRET come from the project's CI/CD variables, not this file.
    - twistcli images scan --tarball image.tar --address $PRISMA_CLOUD_COMPUTE_URL -u $PRISMA_ACCESS_KEY -p $PRISMA_SECRET
  artifacts:
    paths:
      - image.tar
    expire_in: 1 hour
    when: on_success  # the tarball is only handed to the push stage if the scan passed
Step 4: Push Stage
Set up the push stage using Crane to push the scanned tarball to ACR. The needs entry makes this job depend on docker:build and download its image.tar artifact.
docker:push:
  stage: push
  image: gcr.io/go-containerregistry/crane:debug
  script:
    # acr_sp_name / acr_sp_pass are the ACR service principal credentials from the project's CI/CD variables.
    - crane auth login -u "$acr_sp_name" -p "$acr_sp_pass" $ACR_REGISTRY
    - crane push image.tar $ACR_REGISTRY/$IMAGE_NAME:$IMAGE_TAG
  needs:
    - docker:build
Conclusion
This setup ensures your images are securely built and scanned with Prisma Cloud before being pushed to the registry. Splitting the pipeline into distinct stages lets you catch security issues early, block the pipeline before pushing a vulnerable image to the registry, and maintain a clean and secure CI/CD process.
Should you have any comments or questions, you are very welcome to leave them below. 🙂
Happy building and deploying!