Skip to content
This repository has been archived by the owner on Feb 26, 2019. It is now read-only.

Validating webhook for checking images against Anchore Engine Policy

License

Notifications You must be signed in to change notification settings

viglesiasce/kubernetes-anchore-image-validator

Repository files navigation

Anchore Image Validator for Kubernetes

THIS IS NOT AN OFFICIAL GOOGLE PRODUCT

Intro

Anchore Engine provides a mechanism to scan Docker images and then evaluate them against a set of policies. This evaluation result can be used to gate a CI pipeline or, as used in this repo, to gate the deployment of an image into a Kubernetes cluster.

Anchore Image Validator Architecture

This repository contains a server that can be used as a Validating Webhook in your Kubernetes cluster. After its been configured, Kubernetes will send a request to this server any time a Pod is requested. The server will get container images out of the PodSpec and check them against the Anchore Engine API to see if they adhere to the policy that has been defined. If the image does not yet exist in Anchore Engine it will automatically be added and scanned. The default policy validates that there are no critical security vulnerabilities in the image.

Quick Start

NOTE: Kubernetes 1.9+ Required.

  1. Add yourself as a Cluster Admin:

    kubectl create clusterrolebinding cluster-admin-$USER --username=<your-username> --clusterrole=cluster-admin
  2. Install Helm

  3. Run hack/install.sh which installs the chart for the server.

  4. Follow the instructions output by the chart installation for installing the validating web hook.

How does it work?

This server leverages the Generic Admission Server for most of the heavy lifting of implementing the admission webhook API.

The binary from this repository is registered as an API Service and run inside of Kubernetes. Once the service is registered, a ValidatingWebhookConfiguration is created that tells the Kubernetes API server to check with the admission server before running any pods in the local cluster.

The admission server receives a request that includes the Pod specification. It takes the images from the list of containers then sends requests to the Anchore Engine API to ensure that the images are passing the evaluation of the policy defined in Anchore Engine.

About

Validating webhook for checking images against Anchore Engine Policy

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published