olxbr / aegir

Licence: other
Validation Webhook for Kubernetes based on LIVR rules (https://livr-spec.org)

Aegir

Aegir is a simple and generic webhook admission controller for Kubernetes.

It allows you to write custom rules for your cluster resources. If a rule is violated, Aegir rejects the resource and prints a message in the terminal; optionally, it can also send a notification to a Slack channel.

Aegir uses LIVR to validate the rules. Any LIVR rule is supported.

Example of rules:

rules:
- name: required_labels
  # All namespaces
  namespace: "*"
  resource_type: "Deployment"
  rules_definitions:
  - field: "metadata.labels"
    livr_rule:
      description: "Labels should have an app label"
      rule:
        # The last segment of the field path must be repeated as the key here
        labels:
          # Now the rule itself
          nested_object:
            app: required
            version:
            - required
            - positive_integer
  - field: "spec.template.spec.containers.#.ports.#.protocol"
    livr_rule:
      description: "Containers protocol should be http or https"
      rule:
        # Again keyed on the last path segment (protocol)
        protocol:
          one_of: ['https', 'http']
  slack_notification_channel: "#some_team_channel"
# Another rule
- name: container_user_could_not_be_root
  namespace: "*"
  resource_type: "Deployment"
  rules_definitions:
  - field: "spec.template.spec.securityContext.runAsUser"
    livr_rule:
      description: "Only non-root users are allowed"
      rule:
        runAsUser:
          number_between: [1, 1000]
  slack_notification_channel: "#some_team_channel"
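As an added illustration (not the project's code), a minimal Go evaluator for the rule format above: dotted field paths with # wildcards are resolved against a decoded Deployment, and the protocol and runAsUser rules are expressed as predicates; the sample Deployment is constructed. Because an unknown path simply resolves to no values, a misspelled segment such as port instead of ports produces no violation, which is the first limitation listed further down.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Constructed Deployment (an assumption, not a project fixture): it runs as root and its container port protocol is TCP.
const deployment = `{"metadata":{"labels":{"app":"api"}},"spec":{"template":{"spec":{"securityContext":{"runAsUser":0},"containers":[{"name":"api","ports":[{"containerPort":8080,"protocol":"TCP"}]}]}}}}`

// resolve walks a dotted path through decoded JSON; "#" expands every list element. A path that
// does not exist yields no values, so a misspelled path never fails (the README's first limitation).
func resolve(v interface{}, path []string) (out []interface{}) {
	if len(path) == 0 {
		return []interface{}{v}
	}
	if m, ok := v.(map[string]interface{}); ok {
		if next, ok := m[path[0]]; ok {
			return resolve(next, path[1:])
		}
	}
	if list, ok := v.([]interface{}); ok && path[0] == "#" {
		for _, e := range list {
			out = append(out, resolve(e, path[1:])...)
		}
	}
	return out
}

// Validate applies each path's predicate to every value found there; a non-empty result means deny.
func Validate(raw string, rules map[string]func(v interface{}) bool) (violated []string, err error) {
	var obj interface{}
	if err = json.Unmarshal([]byte(raw), &obj); err != nil {
		return nil, err
	}
	for field, ok := range rules {
		for _, v := range resolve(obj, strings.Split(field, ".")) {
			if !ok(v) {
				violated = append(violated, field)
				break
			}
		}
	}
	return violated, nil
}

// PageRules mirrors the README's protocol and runAsUser rules; JSON numbers decode as float64.
var PageRules = map[string]func(v interface{}) bool{
	"spec.template.spec.containers.#.ports.#.protocol": func(v interface{}) bool { return v == "http" || v == "https" },
	"spec.template.spec.securityContext.runAsUser":     func(v interface{}) bool { n, ok := v.(float64); return ok && n >= 1 && n <= 1000 },
}
```

The returned paths are what a denial message would name; sort them before printing, since Go map iteration order is not stable.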

Usage

A generic admission controller to validate Kubernetes resources using LIVR rules.

Usage:
  aegir [command]

Available Commands:
  help        Help about any command
  server      Runs Aegir's admission controller.

Flags:
  -h, --help      help for aegir
      --version   version for aegir

Use "aegir [command] --help" for more information about a command.

Running Aegir on your Kubernetes cluster

Create a Deployment and a Service

kubectl apply -f examples/aegir-deployment.yaml
kubectl apply -f examples/aegir-service.yaml

To let Aegir validate cluster resources, create a ValidatingWebhookConfiguration like this:

apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: aegir-webhook
webhooks:
  - name: aegir.example.svc
    sideEffects: NoneOnDryRun
    # failurePolicy is not set here: under v1beta1 it defaults to Ignore, so if the
    # API server cannot reach Aegir the request is admitted (fail open).
    # Set failurePolicy: Fail if the rules must be enforced unconditionally.
    clientConfig:
      service:
        name: aegir
        namespace: example
        # This path should be /admission
        path: "/admission"
      caBundle: <base64-encoded CA certificate>
    rules:
      - apiGroups:
        - apps
        - extensions
        apiVersions:
        - v1
        - v1beta1
        operations:
        - UPDATE
        - CREATE
        resources:
        - deployments
        - services
        - ingresses

Important note

sideEffects should be set to NoneOnDryRun so that Aegir can evaluate the rules when you run kubectl with --server-dry-run. This is useful in CI/CD pipelines, or to validate an object's configuration before it is persisted in etcd.

Skipping some namespaces

If you define a rule with namespace "*", it runs against all namespaces. Sometimes it is useful to skip some namespaces, such as kube-system or istio-system. To do this, set the environment variable SKIP_NAMESPACES=namespace1,namespace2,namespace3; those namespaces are then skipped during rule evaluation.

TLS certificates

The Kubernetes API server needs to trust the certificate to connect to Aegir's webhook. Use the genkey.sh script to generate self-signed certificates, passing a directory and a Common Name as parameters.

$ ./genkey.sh dir/ foobar.com

This will create some certificate files inside directory dir.

Encode the file dir/ca.crt into base64

$ base64 dir/ca.crt

Use the output to fill the caBundle field in the ValidatingWebhookConfiguration. Make sure the value ends up on a single line: GNU base64 wraps its output at 76 columns by default (base64 -w 0 disables wrapping).

Pass the files webhook-server-tls.crt and webhook-server-tls.key with the following flags:

aegir server \
--rules-file=rules.yaml \
--tls-cert-file=dir/webhook-server-tls.crt \
--tls-key-file=dir/webhook-server-tls.key

And that's it!

Limitations and Warnings

Aegir is pretty new and has some limitations for now:

  • Can't validate whether a field is actually part of the Kubernetes object.
  • There is no parsing or validation of the configuration file format.
  • Only a few unit tests, covering the main part of the validation rules.

All these problems will be addressed in the future.

Aegir is under development, changes and improvements will come.

In the future Aegir should be converted into CRD's.

Feedback and PRs are welcome.
