image-bouncer is a Kubernetes admission webhook that rejects all pods using images with the latest tag.
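The check described above, sketched in Go as an added example; it is not image-bouncer's own code. The names `review`, `container`, `usesLatest` and `Validate` are hypothetical, and treating an untagged image as latest (the tag the runtime defaults to) is an assumption about the intended policy.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

type container struct {
	Name  string `json:"name"`
	Image string `json:"image"`
}

// review is the minimal subset of an AdmissionReview for a Pod that the check reads.
type review struct {
	Request struct {
		Object struct {
			Spec struct {
				InitContainers []container `json:"initContainers"`
				Containers     []container `json:"containers"`
			} `json:"spec"`
		} `json:"object"`
	} `json:"request"`
}

// usesLatest reports whether an image reference resolves to the "latest" tag.
// Assumption: an untagged reference counts, because it defaults to latest.
func usesLatest(image string) bool {
	if strings.Contains(image, "@") { // pinned by digest, tag is irrelevant
		return false
	}
	last := image[strings.LastIndex(image, "/")+1:] // drop registry host:port and path
	i := strings.LastIndex(last, ":")
	return i < 0 || last[i+1:] == "latest"
}

// Validate returns allowed=false and a reason naming the first offending container.
func Validate(raw []byte) (bool, string, error) {
	var r review
	if err := json.Unmarshal(raw, &r); err != nil {
		return false, "", err
	}
	spec := r.Request.Object.Spec
	for _, c := range append(spec.InitContainers, spec.Containers...) {
		if usesLatest(c.Image) {
			return false, fmt.Sprintf("container %q uses image %q with the latest tag", c.Name, c.Image), nil
		}
	}
	return true, "", nil
}
```

Init containers are checked as well as regular containers, and a registry port such as `registry.local:5000/nginx` is not mistaken for a tag.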
Requires Kubernetes 1.9.0 or above with the admissionregistration.k8s.io/v1beta1 API enabled. Verify this with the following command:
kubectl api-versions | grep admissionregistration.k8s.io/v1beta1
The result should be:
admissionregistration.k8s.io/v1beta1
In addition, the MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controllers should be added and listed in the correct order in the admission-control flag of kube-apiserver.
# Build docker image
docker build -t 314315960/image-bouncer:v1.0 .
# Push it to Docker Registry
docker push 314315960/image-bouncer:v1.0
./deployment/create-signed-cert.sh
./deployment/patch-ca-bundle.sh
- Deploy using kubectl
# Run deployment
kubectl create -f example/image-bouncer-webhook-deployment.yaml
# Create service
kubectl create -f example/image-bouncer-webhook-svc.yaml
Note: Replace ${CA_BUNDLE} with the value generated by running ./deployment/patch-ca-bundle.sh
# Configure ValidatingWebhookConfiguration
kubectl create -f ./k8s/validatingwebhook-ca-bundle.yaml
# Deploy nginx
kubectl apply -f test/nginx.yaml
- Deploy using Helm Chart