Follow each section below to configure Jenkins to establish a connection with Container Protection.
- FortiCWP Plugin Installation
- FortiCWP Plugin Configuration
- Pipeline Configuration
- Freestyle Project Configuration
- Verify Jenkins Connection
- Vulnerability Scan Result
- Log into your Jenkins account.
- Click Manage Jenkins in the left navigation menu.
- In the Manage Jenkins page, scroll down and click Manage Plugins.
- Search for the "forticwp" plugin, follow the instructions and install the plugin.
Note: If the plugin cannot be found, update the plugin list by clicking Check now at the bottom of the page.
- From the Jenkins navigation menu, click Manage Jenkins.
- In System Configuration, click Configure System.
- Scroll down to FortiCWP CICD Plugin Configuration.
Note: The access token can be found in the Configure > Kubernetes Cluster page on Container Protection. Click the Actions button of the Kubernetes cluster and select View CI/CD Integration Configurations. Copy the Access Token from the CI/CD Integration Configurations.
- (Optional) Click the check box "Enter this box and enter a host address instead of using FortiCWP default host address" if you have a host address.
This option can be used when the Kubernetes cluster and Jenkins are not in the same network and traffic has to be diverted through a load balancer (the FortiCWP Kubernetes Agent Host). In that scenario, enter the Kubernetes Agent Host address instead of the FortiCWP default host address (https://www.forticwp.com or https://eu.forticwp.com).
An example of a FortiCWP Kubernetes Agent Host address (Load Balancer DNS in this case):
Note: There should not be any restriction on port 30575 (firewall settings, security group settings, etc.) for the connection to be successful.
- Click the FortiCWP Login Region drop-down menu, select FortiCWP GLOBAL or FortiCWP EU Web Host accordingly, and click Verify Settings to check the connection to the Kubernetes agent Host Address. (The Kubernetes controller agent uses port 30575 to connect to Jenkins.)
- After clicking Verify Settings, if the connection is successful, a success message will appear with the URL http://KUBERNETES_CLUSTER_IP_ADDRESS:30575.
For example: "Successfully connected to https://172.31.42.188:30575"
The success message indicates that Jenkins has successfully connected to the Kubernetes cluster.
- Click Save to save the configurations.
Note: After Jenkins is configured, the Kubernetes cluster and Jenkins should be in the same private network. Also, port 30575 should be exposed for the connection.
When building a new pipeline, include the following step in the Pipeline script so that the images are scanned and evaluated for vulnerabilities by Container Protection:
fortiCWPScanner imageName: <image name>, block: <true>
imageName: the image name as a String; separate the names with commas if there is more than one image.
block: set to true to return a fail status if any vulnerability is found. The default value is true.
- Scan the "redis:latest" image:
  fortiCWPScanner imageName: "redis:latest"
- Scan both the "redis:latest" and "alpine:latest" images, and do not block the build if a vulnerability is found:
  fortiCWPScanner imageName: "redis:latest, alpine:latest", block: false
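The following declarative Jenkinsfile is an added example, not code from the FortiCWP documentation or plugin, showing where the fortiCWPScanner step sits in a build-scan-push pipeline so that a non-compliant image is never pushed. It assumes a Docker-capable agent, a Dockerfile in the checked-out repository, a placeholder registry name (registry.example.com/team) and a placeholder Jenkins credential id ('registry-creds'); the scanner is assumed to resolve the image name the same way it does for the "redis:latest" example above.

```groovy
// Added example Jenkinsfile (declarative pipeline); not part of the FortiCWP documentation.
// Assumptions: Docker on the agent, a Dockerfile in the workspace, and a username/password
// credential with the placeholder id 'registry-creds' stored in Jenkins.
pipeline {
    agent any

    environment {
        // Placeholder registry and image name; replace with your own values.
        REGISTRY   = 'registry.example.com/team'
        IMAGE_NAME = "${REGISTRY}/web-app:${env.BUILD_NUMBER}"
    }

    stages {
        stage('Build image') {
            steps {
                sh "docker build -t ${IMAGE_NAME} ."
            }
        }

        stage('Scan image') {
            steps {
                // block: true (the default) makes the step fail the build when the scan
                // finds a vulnerability, so the stages after this one never run for a
                // non-compliant image.
                fortiCWPScanner imageName: "${IMAGE_NAME}", block: true
            }
        }

        stage('Push image') {
            // Only reached when the scan stage passed.
            steps {
                withCredentials([usernamePassword(credentialsId: 'registry-creds',
                                                  usernameVariable: 'REG_USER',
                                                  passwordVariable: 'REG_PASS')]) {
                    // Single-quoted shell string: the secret is expanded by the shell,
                    // not interpolated by Groovy, so it does not leak into the build log.
                    sh 'echo "$REG_PASS" | docker login "$REGISTRY" -u "$REG_USER" --password-stdin'
                    sh "docker push ${IMAGE_NAME}"
                }
            }
        }
    }

    post {
        failure {
            echo "Build ${env.BUILD_NUMBER} failed; open the Vulnerabilities link in the build summary for the scan result."
        }
        always {
            // Remove the local image so a blocked build leaves nothing behind on the agent.
            sh "docker rmi -f ${IMAGE_NAME} || true"
        }
    }
}
```

Because the scan stage runs with block: true, a failed scan stops the pipeline before the push stage, which is the same gating behaviour the freestyle project achieves by placing the deployment commands in the last Execute shell step after the image scan.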
In the case of a freestyle project, add the container image scan step under Build so that the image is scanned for vulnerabilities.
- In the freestyle project configuration page, scroll down to Build and enter the Execute shell commands that should run first, before the scan.
- Click the Add build step drop-down button and select Scan container images to perform the image scan.
- In the last Execute shell command field, enter the shell commands that should run only when the image scan is successful and the image is compliant.
- Click Save to save the configuration.
Example of the first Execute shell command:
Specify the image name, for example, "redis:latest".
Check the "Fail the build if result is not compliant" checkbox to block the image from deployment if the image is not compliant.
If the image is not compliant, the last set of commands will not be executed and the build fails.
Example of the last Execute shell command:
After you have completed all the configurations above, you can verify the connection between Jenkins and the cluster through the CI/CD Integration Configurations.
Go to Configure > Kubernetes Cluster, click the Actions button, and select View CICD Integration Configurations.
The IP Connected to field will show the cluster node IP address that Jenkins is connected to through port 30575.
After a pipeline build completes, the result of the vulnerability scan can be viewed from the build summary.
From the build navigation menu, click Vulnerabilities to view the Image Vulnerability Summary.
When you click the Policy Detail link, you will be redirected to the Policy Detail page of the CI/CD Integration in Container Protection.