anchore/kubernetes-admission-controller

By anchore

Updated about 1 month ago

An Admission Controller for Kubernetes Dynamic Admission Webhooks

The Anchore Kubernetes Admission Controller

A Dynamic Admission Controller implementation that integrates Kubernetes AdmissionRequests with Anchore Engine's Policy Evaluation and Image Analysis APIs.

The image executes a single binary built from the Anchore Kubernetes Admission Controller repository, using the repository's default Dockerfile.

Environment Variables

  • CREDENTIALS_FILE_PATH: location of the credentials file, defaults to /credentials.json if not set

Format of credentials.json file:

{
  "users": [
    { "username": "user1", "password": "password" },
    { "username": "user2", "password": "password2" },
    ...
  ]
}

The username values referenced from policyReference entries in config.json refer to users listed here. The file holds plaintext passwords, so mount it into the container from a Kubernetes Secret rather than baking it into the image.
  • CONFIG_FILE_PATH: location of the config, defaults to /config.json if not set

Format of config.json file:

{
  "anchoreEndpoint": "https://anchore-engine-api.anchore.svc.cluster.local:8228",
  "validator": {
    "enabled": true,
    "requestAnalysis": true
  },
  "selectors": [
    {
      "selector": {
        "resourcetype": "pod",
        "selectorkeyregex": "^breakglass$",
        "selectorvalueregex": "^true"
      },
      "policyReference": {
        "username": "user1",
        "policyBundleId": "application_bundle"
      },
      "mode": "breakglass"
    }
  ]
}

Options for selector resourcetype:

  • pod - Select based on the pod name, or on label and annotation key-value pairs of the pod.
  • namespace - Select based on the namespace name, or on label and annotation key-value pairs of the namespace.
  • image - Select based on the image pull string, which is matched against selectorvalueregex.

For pod and namespace metadata, a key must match selectorkeyregex and that key's value must match selectorvalueregex. Both fields are regular expressions, so anchor them (for example ^breakglass$) when an exact match is intended; an unanchored pattern such as ^true also matches values like trueish.

Options for mode:

  • policy - Require the image to pass the policy evaluation of the given policy bundle in Anchore Engine.
  • analysis - Require the image to have been analyzed by Anchore Engine; its analysis status must be 'analyzed'.
  • breakglass - No requirement; checks on the image are skipped. Because a pod-scoped breakglass selector is triggered by labels or annotations on the pod being admitted, any user who can create pods carrying that metadata can bypass the checks, so restrict who may set it (for example with RBAC or another admission policy).

requestAnalysis: If true and the image has not been analyzed (as determined by the check the selected mode requires; nothing is submitted when the mode is breakglass), the image is submitted to Anchore Engine for analysis. The result of that API call has no effect on the controller's validation decision.
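The selector, mode and requestAnalysis rules above, as an added example in Go that is not the project's own code: it parses a config.json of the documented shape, picks the selector that applies to an admission request, and decides whether an analysis request should be sent. Config, SelectorRule, AdmissionInput, Decision, Evaluate, ShouldRequestAnalysis and SampleConfig are names chosen here; first-match-wins ordering and the no-match outcome are assumptions, since the page does not state them; matching by pod or namespace name is omitted because the page does not say how the name is keyed against selectorkeyregex.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Config and SelectorRule mirror the config.json layout shown above. encoding/json matches
// object keys to field names case-insensitively, so no struct tags are needed here.
type Config struct {
	AnchoreEndpoint string
	Validator       struct{ Enabled, RequestAnalysis bool }
	Selectors       []SelectorRule
}

type SelectorRule struct {
	Selector        struct{ ResourceType, SelectorKeyRegex, SelectorValueRegex string }
	PolicyReference struct{ Username, PolicyBundleID string }
	Mode            string
}

// AdmissionInput is a hypothetical flattened view of one container in an AdmissionRequest.
type AdmissionInput struct {
	Image                  string            // image pull string
	PodMeta, NamespaceMeta map[string]string // labels and annotations, merged per resource
}

// Decision is the mode chosen for an image and, for mode "policy", the user and bundle to evaluate with.
type Decision struct{ Mode, Username, PolicyBundleID string }

func ParseConfig(data []byte) (cfg Config, err error) {
	err = json.Unmarshal(data, &cfg)
	return
}

// metaMatches is the pod/namespace rule: some key must match selectorkeyregex and its value selectorvalueregex.
func metaMatches(keyRe, valRe *regexp.Regexp, meta map[string]string) bool {
	for k, v := range meta {
		if keyRe.MatchString(k) && valRe.MatchString(v) {
			return true
		}
	}
	return false
}

// Evaluate walks the selectors in order and returns the first match (assumption: first match wins,
// so rule order matters). ok=false means nothing matched; the page does not say what happens then.
func Evaluate(cfg Config, in AdmissionInput) (d Decision, ok bool, err error) {
	for i, rule := range cfg.Selectors {
		keyRe, errK := regexp.Compile(rule.Selector.SelectorKeyRegex)
		valRe, errV := regexp.Compile(rule.Selector.SelectorValueRegex)
		if errK != nil || errV != nil {
			return d, false, fmt.Errorf("selector %d: bad regex: %v %v", i, errK, errV)
		}
		matched := false
		switch rule.Selector.ResourceType {
		case "pod":
			matched = metaMatches(keyRe, valRe, in.PodMeta)
		case "namespace":
			matched = metaMatches(keyRe, valRe, in.NamespaceMeta)
		case "image": // only the value regex applies, against the pull string
			matched = valRe.MatchString(in.Image)
		default:
			return d, false, fmt.Errorf("selector %d: unknown resourcetype %q", i, rule.Selector.ResourceType)
		}
		if matched {
			return Decision{rule.Mode, rule.PolicyReference.Username, rule.PolicyReference.PolicyBundleID}, true, nil
		}
	}
	return d, false, nil
}

// ShouldRequestAnalysis is the requestAnalysis rule: submit only when the option is on, the mode is not
// breakglass and Anchore Engine has not analyzed the image yet. The submission result never changes the decision.
func ShouldRequestAnalysis(cfg Config, d Decision, analyzed bool) bool {
	return cfg.Validator.RequestAnalysis && d.Mode != "breakglass" && !analyzed
}

// SampleConfig is constructed for this example: the page's breakglass rule, a namespace rule, an image catch-all.
const SampleConfig = `{"anchoreEndpoint": "https://anchore-engine-api.anchore.svc.cluster.local:8228",
 "validator": {"enabled": true, "requestAnalysis": true},
 "selectors": [
  {"selector": {"resourcetype": "pod", "selectorkeyregex": "^breakglass$", "selectorvalueregex": "^true"},
   "policyReference": {"username": "user1", "policyBundleId": "application_bundle"}, "mode": "breakglass"},
  {"selector": {"resourcetype": "namespace", "selectorkeyregex": "^environment$", "selectorvalueregex": "^prod$"},
   "policyReference": {"username": "user1", "policyBundleId": "application_bundle"}, "mode": "policy"},
  {"selector": {"resourcetype": "image", "selectorkeyregex": "", "selectorvalueregex": ".*"},
   "policyReference": {"username": "user1", "policyBundleId": "application_bundle"}, "mode": "analysis"}]}`

func main() {
	cfg, err := ParseConfig([]byte(SampleConfig))
	if err != nil {
		panic(err)
	}
	in := AdmissionInput{Image: "docker.io/library/nginx:1.25", NamespaceMeta: map[string]string{"environment": "prod"}}
	d, ok, err := Evaluate(cfg, in)
	fmt.Printf("matched=%v err=%v %+v requestAnalysis=%v\n", ok, err, d, ShouldRequestAnalysis(cfg, d, false))
}
```

Run as written, the program reports a policy decision against user1/application_bundle with requestAnalysis=true for a pod in a namespace labelled environment=prod. Putting the breakglass rule first means a pod label breakglass=true wins over the namespace rule, which is the intended semantics for an emergency override but also the reason that label must be tightly controlled. Evaluate refuses a config whose regexes do not compile or whose resourcetype is not one of the three documented values, which is cheaper to discover at startup than at admission time.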

Docker Pull Command

docker pull anchore/kubernetes-admission-controller