This repo began as a fork from https://github.com/stefanprodan/kubesec-webhook.git. All credit goes to Stefan for 99% of this codebase.
Kubernetes validating webhook admission controller that checks whether the images in a workload have been signed in Grafeas.
Generate webhook configuration files with a new TLS certificate and CA Bundle:
make certs
Deploy the admission controller and webhooks in the grafeas-image-signing namespace (requires Kubernetes 1.10 or newer):
make deploy
Enable grafeas-image-signing validation by adding this label:
kubectl label namespaces default grafeas-image-signing-validation=enabled
- Install skaffold
- Have available a Kubernetes cluster, with kubectl configured to point to it
- Grafeas running somewhere accessible from this application once deployed to the cluster
- Run skaffold dev. It will continuously deploy to wherever your kubectl is pointing, watching the filesystem for changes.
Try to apply a privileged Deployment:
kubectl apply -f ./test/deployment.yaml
Error from server (InternalError): error when creating "./test/deployment.yaml":
Internal error occurred: admission webhook "deployment.admission.kubesc.io" denied the request:
deployment-test score is -30, deployment minimum accepted score is 0
Try to apply a privileged DaemonSet:
kubectl apply -f ./test/daemonset.yaml
Error from server (InternalError): error when creating "./test/daemonset.yaml":
Internal error occurred: admission webhook "daemonset.admission.kubesc.io" denied the request:
daemonset-test score is -30, daemonset minimum accepted score is 0
Try to apply a privileged StatefulSet:
kubectl apply -f ./test/statefulset.yaml
Error from server (InternalError): error when creating "./test/statefulset.yaml":
Internal error occurred: admission webhook "statefulset.admission.kubesc.io" denied the request:
statefulset-test score is -30, deployment minimum accepted score is 0
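The denials above are the webhook's AdmissionReview responses as kubectl prints them. As an added illustration (not code from this repo or from kubewebhook), here is a minimal Go validator of the same shape that decodes the Deployment out of an AdmissionReview and denies it when a container image has no signing attestation; the attested map and the registry.example image are constructed stand-ins for the Grafeas lookup this project performs, and the struct shapes are assumed minimal subsets of the real API types.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Assumed minimal AdmissionReview and Deployment shapes; the real webhook
// gets the full Kubernetes API types through kubewebhook.
type admissionResponse struct {
	UID     string            `json:"uid"`
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"` // {"message": ...} on denial
}
type admissionReview struct {
	Request *struct {
		UID    string          `json:"uid"`
		Object json.RawMessage `json:"object"`
	} `json:"request"`
}
type deployment struct {
	Metadata struct{ Name string `json:"name"` } `json:"metadata"`
	Spec     struct {
		Template struct {
			Spec struct{ Containers []struct{ Image string `json:"image"` } `json:"containers"` } `json:"spec"`
		} `json:"template"`
	} `json:"spec"`
}
// attested stands in for the Grafeas lookup: a constructed sample of images that carry
// a signing attestation, keyed by digest (a tag can later be re-pointed at an unsigned image).
var attested = map[string]bool{"registry.example/app@sha256:0123456789abcdef": true}
// Validate decodes an AdmissionReview carrying a Deployment and denies it when any
// container image lacks an attestation; the status message is what kubectl shows.
func Validate(review []byte) (*admissionResponse, error) {
	var ar admissionReview
	if err := json.Unmarshal(review, &ar); err != nil || ar.Request == nil {
		return nil, fmt.Errorf("malformed AdmissionReview: %v", err)
	}
	var d deployment
	if err := json.Unmarshal(ar.Request.Object, &d); err != nil {
		return nil, err
	}
	for _, c := range d.Spec.Template.Spec.Containers {
		if !attested[c.Image] { // the first unattested image denies the whole Deployment
			msg := fmt.Sprintf("%s: image %s has no signing attestation in Grafeas", d.Metadata.Name, c.Image)
			return &admissionResponse{UID: ar.Request.UID, Status: map[string]string{"message": msg}}, nil
		}
	}
	return &admissionResponse{UID: ar.Request.UID, Allowed: true}, nil
}
```

A response with Allowed false and a status message is what the API server turns into the "admission webhook ... denied the request" error shown above.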
TODO
- configure URL of grafeas instance
You can set the minimum Kubesec.io score with the -min-score argument in ./deploy/webhook.yaml:
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: kubesec-webhook
  labels:
    app: kubesec-webhook
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: kubesec-webhook
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8081"
    spec:
      containers:
        - name: kubesec-webhook
          image: stefanprodan/kubesec:0.1-dev
          imagePullPolicy: Always
          command:
            - ./kubesec
          args:
            - -tls-cert-file=/etc/webhook/certs/cert.pem
            - -tls-key-file=/etc/webhook/certs/key.pem
            - -min-score=0
          ports:
            - containerPort: 8080
            - containerPort: 8081
          volumeMounts:
            - name: webhook-certs
              mountPath: /etc/webhook/certs
              readOnly: true
      volumes:
        - name: webhook-certs
          secret:
            secretName: kubesec-webhook-certs
The admission controller exposes Prometheus RED metrics for each webhook on port 8081; a Grafana dashboard is available here.
Kudos to Xabier for the awesome kubewebhook library.