To improve security on GitOps workflows, we have recently added Strict parser mode on Reliza CLI.
Here is how this works. Reliza CLI contains “parsetemplate” command which can resolve image tags from configuration yaml files into their versions with digests approved in Reliza Hub for specific environment.
We now added “–parsemode” flag which controls 3 possible options to do parse template:
- Extended (default mode) – this is same as old behaviour. It would try to parse all image keys and also any other locations in the file where images are present. This is the only mode that supports helm values files with arbitrary image keys and generally supports any other configuration files that contain image definitions. However, it may be a little brittle in some contents due to extended heuristics how images are resolved.
To show why it is brittle, consider following yaml entry:
While, even in extended mode nothing would happen on the parse, it is not obvious to a tool whether “postgres” here refers to an image or something else.
Therefore, we added 2 new modes as described below.
- Simple – this mode only considered keys that end with “image” and would not consider and simply skip anything else. Therefore, there is no ambiguity.
- Strict – this mode behaves in a same way as “simple” with one important distinction. If we have some “image” key in the configuration file that contains an image unknown to Reliza Hub, Reliza CLI will exit with “1” error code.
Strict mode should be specifically used with resulting k8s manifests or docker compose files. The idea behind it is simple – if used in conjunction with any CD pipeline it would block un-approved unknown images from going in. So if somehow an image called “ihackermyhack/myhackedimage” is introduced into deployment manifests, it would be stopped at the pipeline level and not allowed to go through.
For more details on using Reliza CLI in GitOps pipelines, refer to the CLI documentation.