> NOTE: This applies when upgrading to the latest `v0.16.x` release.
When migrating from Vela version v0.15 to v0.16 the Vela administrator will want to ensure the following actions are performed:

- `v0.16.x` introduces a new security enhancement: privileged docker images will only be executed when the repo is `trusted`. This functionality is enabled by default but can be disabled by setting the `VELA_EXECUTOR_ENFORCE_TRUSTED_REPOS` worker flag to `false`. In order to effectively use this enhancement, platform administrators will need to run the following query to start:

  ```sql
  UPDATE repos SET trusted = 'false';
  ```
- Further, if you would like to grant `trusted` to repos that have already been using privileged images during a certain time frame, you can execute the query below (replace `<your_image>` with the privileged image name and `<no. of days>` with the size of the look-back window):

  ```sql
  UPDATE repos
  SET trusted = 'true'
  WHERE id IN (
    SELECT id
    FROM repos r
    INNER JOIN (
      SELECT
        repo_id
      FROM steps
      WHERE image LIKE '%<your_image>%' AND
        created > (
          SELECT EXTRACT(EPOCH FROM (NOW() - INTERVAL '<no. of days>' DAY))
        )
      GROUP BY repo_id
    ) t
    ON r.id = t.repo_id
    WHERE active = 't'
  );
  ```
For your convenience, we've provided a `vela-migration` utility in this directory to help execute the database operations.

This utility supports invoking the following actions when migrating to `v0.16.x`:
- `action.all` - runs all supported actions (below) configured in the migration utility
- `action.untrusted` - runs the required queries to set `trusted` to `false` for all repos
- `action.update-trusted` - runs the required queries to set `trusted` to `true` for repos that have already been using privileged images
Options to supply:

- `trusted-update.privileged-images` - string slice of privileged images (default `['target/vela-docker']`)
- `trusted-update.allow-personal-orgs` - bool to allow personal orgs to be trusted (default `true`)
- `trusted-update.days-back` - string of how many days back to track repo usage of privileged images (default `"90"`)
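The following is an added example, not part of the Vela migration utility: it rehearses the two database operations above (reset every repo to untrusted, then re-grant `trusted` only to active repos that ran a privileged image inside the look-back window) against constructed sample rows in an in-memory SQLite database, so an administrator can confirm which repos the `privileged-images` and `days-back` options would select before touching the production PostgreSQL instance. The table columns and sample data are assumptions modelled on the `repos` and `steps` tables referenced in the queries; SQLite's `strftime('%s','now')` stands in for PostgreSQL's `EXTRACT(EPOCH FROM NOW())`.

```python
import sqlite3
import time

# Constructed sample data modelled on a subset of Vela's repos/steps columns.
# Timestamps are Unix epoch seconds, as the page's EXTRACT(EPOCH ...) comparison implies.
NOW = int(time.time())
DAY = 86400

REPOS = [  # (id, org, name, active, trusted)
    (1, "octocat", "api", 1, 0),
    (2, "octocat", "web", 1, 0),
    (3, "octocat", "legacy", 0, 0),   # inactive: must never be granted trusted
    (4, "octocat", "docs", 1, 0),
]
STEPS = [  # (id, repo_id, image, created)
    (1, 1, "target/vela-docker:latest", NOW - 5 * DAY),    # recent privileged use
    (2, 2, "target/vela-docker:v0.6", NOW - 120 * DAY),    # outside a 90-day window
    (3, 3, "target/vela-docker:latest", NOW - 1 * DAY),    # recent, but repo inactive
    (4, 4, "alpine:3.18", NOW - 1 * DAY),                   # not a privileged image
]


def candidate_repos(conn, image, days_back):
    """Ids of active repos that ran `image` within the last `days_back` days.
    Mirrors the JOIN/WHERE logic of the migration's UPDATE query (SQLite dialect)."""
    rows = conn.execute(
        """
        SELECT r.id FROM repos r
        INNER JOIN (
            SELECT repo_id FROM steps
            WHERE image LIKE ? AND created > strftime('%s', 'now') - ? * 86400
            GROUP BY repo_id
        ) t ON r.id = t.repo_id
        WHERE r.active = 1
        ORDER BY r.id
        """,
        (f"%{image}%", days_back),
    ).fetchall()
    return [row[0] for row in rows]


def run_migration(image="target/vela-docker", days_back=90):
    """Replay action.untrusted then action.update-trusted on the sample data.
    Returns (ids granted trusted, set of repo ids whose trusted column ended up true)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE repos (id INTEGER PRIMARY KEY, org TEXT, name TEXT, active INTEGER, trusted INTEGER);
        CREATE TABLE steps (id INTEGER PRIMARY KEY, repo_id INTEGER, image TEXT, created INTEGER);
    """)
    conn.executemany("INSERT INTO repos VALUES (?,?,?,?,?)", REPOS)
    conn.executemany("INSERT INTO steps VALUES (?,?,?,?)", STEPS)
    conn.execute("UPDATE repos SET trusted = 0")  # action.untrusted: everyone starts untrusted
    ids = candidate_repos(conn, image, days_back)  # action.update-trusted: re-grant selectively
    conn.executemany("UPDATE repos SET trusted = 1 WHERE id = ?", [(i,) for i in ids])
    trusted = {row[0] for row in conn.execute("SELECT id FROM repos WHERE trusted = 1")}
    return ids, trusted
```

Widening `days_back` pulls in older usage (repo 2 in the sample) while the inactive repo stays excluded regardless of the window, which is the property worth checking before running the real UPDATE.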