Kubernetes admission webhook that rejects all pods using images with the latest tag

image-bouncer-webhook

What does image-bouncer do?

image-bouncer is a Kubernetes admission webhook that rejects all pods using images with the latest tag.
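The core check behind such a webhook, as an added example in Go that is not the project's own code: it decodes the AdmissionReview the API server sends, using a minimal standard-library-only subset of the types (assumed here in place of the k8s.io/api types), inspects every container and init container, and rejects the pod when any image reference resolves to the latest tag, treating an untagged image as latest while letting digest-pinned references and registry hosts with a port through.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal subset of the AdmissionReview wire format, declared here so the example
// runs with the standard library only (a real webhook would use the k8s.io/api types).
type admissionResponse struct {
	UID     string            `json:"uid"`
	Allowed bool              `json:"allowed"`
	Result  map[string]string `json:"status,omitempty"` // metav1.Status-style {"message": ...}
}
type container struct{ Name, Image string }
type pod struct {
	Spec struct{ InitContainers, Containers []container } `json:"spec"`
}

// usesLatestTag reports whether an image reference resolves to the mutable "latest"
// tag: ":latest" explicitly, or no tag at all (the registry default). A digest
// reference (name@sha256:...) is immutable and is allowed.
func usesLatestTag(image string) bool {
	if strings.Contains(image, "@") {
		return false
	}
	// A colon before the last "/" belongs to a registry port, not a tag.
	if i := strings.LastIndex(image, ":"); i > strings.LastIndex(image, "/") {
		return image[i+1:] == "latest"
	}
	return true
}

// validate decodes an AdmissionReview and returns the response: allowed unless any
// container or init container references a latest-tagged image.
func validate(review []byte) (*admissionResponse, error) {
	var ar struct{ Request *struct{ UID string; Object pod } } // Object is the Pod being admitted
	if err := json.Unmarshal(review, &ar); err != nil || ar.Request == nil {
		return nil, fmt.Errorf("malformed AdmissionReview (no request object): %v", err)
	}
	resp := &admissionResponse{UID: ar.Request.UID, Allowed: true}
	spec := ar.Request.Object.Spec
	for _, c := range append(spec.InitContainers, spec.Containers...) {
		if usesLatestTag(c.Image) {
			resp.Allowed = false
			resp.Result = map[string]string{"message": fmt.Sprintf("container %q uses image %q: the latest tag is not allowed", c.Name, c.Image)}
			break
		}
	}
	return resp, nil
}
```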

Prerequisites

Kubernetes 1.9.0 or above with the admissionregistration.k8s.io/v1beta1 API enabled. Verify that with the following command:

kubectl api-versions | grep admissionregistration.k8s.io/v1beta1

The result should be:

admissionregistration.k8s.io/v1beta1

In addition, the MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controllers should be added and listed in the correct order in the admission-control flag of kube-apiserver.

Build and Push Docker Image

# Build docker image
docker build -t 314315960/image-bouncer:v1.0 .

# Push it to Docker Registry
docker push 314315960/image-bouncer:v1.0

Generate TLS Certs

./deployment/create-signed-cert.sh

Get CA Bundle

./deployment/patch-ca-bundle.sh

Deploy image-bouncer to Kubernetes

  • Deploy using kubectl

# Run deployment
kubectl create -f example/image-bouncer-webhook-deployment.yaml

# Create service
kubectl create -f example/image-bouncer-webhook-svc.yaml

Configure MutatingAdmissionWebhook and ValidatingAdmissionWebhook

Note: Replace ${CA_BUNDLE} with the value generated by running ./deployment/patch-ca-bundle.sh

# Configure ValidatingWebhookConfiguration
kubectl create -f ./k8s/validatingwebhook-ca-bundle.yaml

Test image-bouncer

# Deploy nginx
kubectl apply -f test/nginx.yaml

TODO

  • Deploy using Helm Chart