#! /bin/bash
# This script is designed to report on container images that use a specific UBI version. It is designed to be used
# with a policy that creates violations for specific versions of the `redhat-release` package.
# To use this script, set ROX_ENDPOINT to the ACS Central instance and set ROX_API_TOKEN
# to an ACS 'admin' token that you have created.
# e.g. export ROX_ENDPOINT=central-acs-central.apps.cluster1.example.com:443
# export ROX_API_TOKEN=eyJhbGciOiJSUzI1NiIsImtpZCI6Imp3dGsw...
# ./ubi-versions.sh images.csv
# Abort on the first unhandled command failure.
set -o errexit

# Both connection settings are mandatory; stop before any request is made.
for required_setting in ROX_ENDPOINT ROX_API_TOKEN; do
  if [[ -z "${!required_setting}" ]]; then
    printf '%s\n' "${required_setting} must be set" >&2
    exit 1
  fi
done

# The only positional argument is the CSV file to write.
output_file="$1"
if [[ -z "${output_file}" ]]; then
  printf '%s\n' "usage: ubi-versions.sh <output filename>" >&2
  exit 1
fi

# Start the report afresh: '>' truncates an existing file before the header
# row is written.
printf '%s\n' '"Cluster Name", "Namespace", "Deployment", "Image", "UBI version"' > "${output_file}"
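# Perform an authenticated GET against the ACS Central API.
# Globals:   ROX_ENDPOINT (read), ROX_API_TOKEN (read),
#            ROX_CA_CERT_FILE (read, optional: PEM CA bundle for Central)
# Arguments: $1 - API path and query string, relative to the endpoint root
# Outputs:   the response body on stdout
# Returns:   curl's exit status
function curl_central() {
  local -a tls_opts
  if [[ -n "${ROX_CA_CERT_FILE:-}" ]]; then
    # Verify Central's certificate against the supplied CA bundle.
    tls_opts=(--cacert "${ROX_CA_CERT_FILE}")
  else
    # NOTE(review): -k is kept as the default only for compatibility. It turns
    # off certificate verification, so the admin token is sent to a peer whose
    # identity is never checked. Set ROX_CA_CERT_FILE to enable verification.
    tls_opts=(-k)
  fi

  # The Authorization header is fed to curl as a config line on stdin, so the
  # token never appears in curl's argument list (process listings). printf is
  # a shell builtin and is not exec'd with the token either.
  # Assumes the token contains no double quote or backslash, which holds for
  # the JWT-style token shown in the header comment.
  printf 'header = "Authorization: Bearer %s"\n' "${ROX_API_TOKEN}" \
    | curl -s "${tls_opts[@]}" -K - "https://${ROX_ENDPOINT}/$1"
}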
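# Reduce redhat-release version text to its leading major.minor.
# Arguments: $1 - version text as printed by jq (may span several lines)
# Outputs:   the first major.minor found, on stdout; nothing if there is none
function ubi_major_minor() {
  # '[0-9]\+' before the dot keeps a multi-digit major intact; a single
  # '[0-9]' there would report 10.0 as 0.0.
  printf '%s\n' "$1" | grep -o '[0-9]\+\.[0-9]\+' | head -1
}

# The per-row values stay exported, as before, so child processes see the
# same environment.
export deployment_name namespace clusterName image_name ubi_version

# Collect all alerts
res="$(curl_central "v1/alerts?query=Policy%3AUBI%20version%20compliance")"

# Iterate over all deployments and get the full deployment.
# $(...) is left unquoted so that each ID printed by jq becomes one loop word;
# the jq filter itself is quoted so the shell never treats '[]' as a glob.
for deployment_id in $(jq -r '.alerts[].deployment.id' <<<"${res}"); do
  deployment_res="$(curl_central "v1/deployments/${deployment_id}")"

  # Skip responses that carry no deployment name.
  if [[ "$(jq -rc '.name' <<<"${deployment_res}")" == null ]]; then
    continue
  fi
  # Skip deployments that list no containers.
  if [[ "$(jq '.containers | length' <<<"${deployment_res}")" == "0" ]]; then
    continue
  fi

  # '|| continue' keeps a response jq cannot parse from aborting the whole run
  # under 'set -e'; such a deployment contributes no rows.
  deployment_name="$(jq -rc '.name' <<<"${deployment_res}")" || continue
  namespace="$(jq -rc '.namespace' <<<"${deployment_res}")" || continue
  clusterName="$(jq -rc '.clusterName' <<<"${deployment_res}")" || continue

  # Iterate over all images within the deployment and render the CSV lines
  for image_id in $(jq -r 'select(.containers != null) | .containers[].image.id' <<<"${deployment_res}"); do
    if [[ -z "${image_id}" ]]; then
      continue
    fi

    # The explicit '.' filter avoids relying on jq's default program.
    image_res="$(curl_central "v1/images/${image_id}" | jq -rc '.')"
    if [[ "$(jq -rc '.name' <<<"${image_res}")" == null ]]; then
      continue
    fi
    image_name="$(jq -rc '.name.fullName' <<<"${image_res}")"

    # find the redhat-release (UBI 8/9) or redhat-release-server (UBI 7)
    # version; '[]?' yields nothing, instead of an error, when the image has
    # no scan components, and the row is then written with an empty version.
    ubi_version="$(ubi_major_minor "$(jq '.scan.components[]? | select(.name=="redhat-release" or .name=="redhat-release-server") | .version' <<<"${image_res}")")"

    # NOTE(review): values are written unquoted while the header row is quoted;
    # a value containing a comma or a double quote would shift columns.
    # Confirm that cluster names cannot contain either.
    printf '%s,%s,%s,%s,%s\n' \
      "${clusterName}" "${namespace}" "${deployment_name}" "${image_name}" "${ubi_version}" \
      >> "${output_file}"
  done
done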