anchore/kubernetes-admission-controller
An Admission Controller for Kubernetes Dynamic Admission Webhooks
A Dynamic Admission Controller implementation that integrates Kubernetes AdmissionRequests with Anchore Engine's Policy Evaluation and Image Analysis APIs.
The image executes a single binary built from the Anchore Kubernetes Admission Controller repository, using the default Dockerfile.
Format of credentials.json file:
{
  "users": [
    { "username": "user1", "password": "password" },
    { "username": "user2", "password": "password2" },
    ...
  ]
}
Format of config.json file:
{
  "anchoreEndpoint": "https://anchore-engine-api.anchore.svc.cluster.local:8228",
  "validator": {
    "enabled": true,
    "requestAnalysis": true
  },
  "selectors": [
    {
      "selector": {
        "resourcetype": "pod",
        "selectorkeyregex": "^breakglass$",
        "selectorvalueregex": "^true"
      },
      "policyReference": {
        "username": "user1",
        "policyBundleId": "application_bundle"
      },
      "mode": "breakglass"
    }
  ]
}
Options for selector resourcetype:
For pod and namespace metadata, the key must match the selectorkeyregex and value must match the selectorvalueregex.
Options for mode:
requestAnalysis: If set, and the image has not yet been analyzed (as determined by the mode value; skipped when the mode is breakglass), the image is submitted to Anchore Engine for analysis. The result of that API call has no effect on the controller's validation decision.
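The following Go program is an added example, not code from the anchore/kubernetes-admission-controller project. It parses a config.json in the format shown above, compiles every selectorkeyregex and selectorvalueregex at load time so a malformed pattern is rejected before any admission request arrives, and then matches a pod's labels against the selectors. The struct names, the first-match-wins rule and matching on labels only are assumptions made for this example; the project's own matching semantics may differ.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// sampleConfig is a constructed copy of the config.json layout documented above.
const sampleConfig = `{
  "anchoreEndpoint": "https://anchore-engine-api.anchore.svc.cluster.local:8228",
  "validator": { "enabled": true, "requestAnalysis": true },
  "selectors": [
    {
      "selector": {
        "resourcetype": "pod",
        "selectorkeyregex": "^breakglass$",
        "selectorvalueregex": "^true"
      },
      "policyReference": { "username": "user1", "policyBundleId": "application_bundle" },
      "mode": "breakglass"
    }
  ]
}`

// Config mirrors the JSON keys of config.json; the Go types are this example's own.
type Config struct {
	AnchoreEndpoint string `json:"anchoreEndpoint"`
	Validator       struct {
		Enabled         bool `json:"enabled"`
		RequestAnalysis bool `json:"requestAnalysis"`
	} `json:"validator"`
	Selectors []SelectorRule `json:"selectors"`
}

// SelectorRule is one entry of the "selectors" array.
type SelectorRule struct {
	Selector struct {
		ResourceType       string `json:"resourcetype"`
		SelectorKeyRegex   string `json:"selectorkeyregex"`
		SelectorValueRegex string `json:"selectorvalueregex"`
	} `json:"selector"`
	PolicyReference struct {
		Username       string `json:"username"`
		PolicyBundleID string `json:"policyBundleId"`
	} `json:"policyReference"`
	Mode string `json:"mode"`
}

// compiledRule pairs a selector with its pre-compiled key and value regexes.
type compiledRule struct {
	rule  SelectorRule
	key   *regexp.Regexp
	value *regexp.Regexp
}

// LoadConfig unmarshals config.json and compiles all selector regexes.
// A bad regex makes the whole config invalid instead of silently never matching.
func LoadConfig(raw []byte) (*Config, []compiledRule, error) {
	var cfg Config
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, nil, fmt.Errorf("config.json: %w", err)
	}
	rules := make([]compiledRule, 0, len(cfg.Selectors))
	for i, r := range cfg.Selectors {
		k, err := regexp.Compile(r.Selector.SelectorKeyRegex)
		if err != nil {
			return nil, nil, fmt.Errorf("selector %d: selectorkeyregex: %w", i, err)
		}
		v, err := regexp.Compile(r.Selector.SelectorValueRegex)
		if err != nil {
			return nil, nil, fmt.Errorf("selector %d: selectorvalueregex: %w", i, err)
		}
		rules = append(rules, compiledRule{rule: r, key: k, value: v})
	}
	return &cfg, rules, nil
}

// MatchPod returns the first selector with resourcetype "pod" whose key regex
// matches a label name and whose value regex matches that label's value.
// First-match-wins over the selectors list is an assumption of this example.
func MatchPod(rules []compiledRule, labels map[string]string) (SelectorRule, bool) {
	for _, cr := range rules {
		if cr.rule.Selector.ResourceType != "pod" {
			continue
		}
		for name, val := range labels {
			if cr.key.MatchString(name) && cr.value.MatchString(val) {
				return cr.rule, true
			}
		}
	}
	return SelectorRule{}, false
}

func main() {
	_, rules, err := LoadConfig([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	for _, labels := range []map[string]string{
		{"breakglass": "true"},       // matches: mode breakglass, bundle application_bundle
		{"breakglass": "false"},      // no match: value regex fails
		{"not-breakglass": "true"},   // no match: key regex is anchored with ^ and $
		{"breakglass": "true-ish"},   // matches: value regex ^true has no $ anchor
	} {
		r, ok := MatchPod(rules, labels)
		fmt.Printf("labels=%v matched=%v mode=%q bundle=%q\n", labels, ok, r.Mode, r.PolicyReference.PolicyBundleID)
	}
}
```

Note the last case: the documented value regex `^true` is anchored only at the start, so a label value such as `true-ish` also selects the breakglass rule. When a selector grants a permissive mode, anchoring both ends (`^true$`) avoids matching more values than intended.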
docker pull anchore/kubernetes-admission-controller