
viglesiasce / kubernetes-anchore-image-validator

Licence: Apache-2.0 license
Validating webhook for checking images against Anchore Engine Policy

Programming Languages

go
31211 projects - #10 most used programming language
shell
77523 projects
Smarty
1635 projects
Dockerfile
14818 projects

Projects that are alternatives of or similar to kubernetes-anchore-image-validator

vilicus
Vilicus is an open source tool that orchestrates security scans of container images (docker/oci) and centralizes all results into a database for further analysis and metrics.
Stars: ✭ 82 (+310%)
Mutual labels: anchore
CKS-Exercises-Certified-Kubernetes-Security-Specialist
A set of curated exercises to help you prepare for the CKS exam
Stars: ✭ 124 (+520%)
Mutual labels: anchore

Anchore Image Validator for Kubernetes

This repo has been deprecated in favor of https://github.com/anchore/kubernetes-admission-controller

THIS IS NOT AN OFFICIAL GOOGLE PRODUCT

Intro

Anchore Engine provides a mechanism to scan Docker images and then evaluate them against a set of policies. This evaluation result can be used to gate a CI pipeline or, as used in this repo, to gate the deployment of an image into a Kubernetes cluster.

Anchore Image Validator Architecture

This repository contains a server that can be used as a Validating Webhook in your Kubernetes cluster. After it has been configured, Kubernetes sends a request to this server every time a Pod is requested. The server extracts the container images from the PodSpec and checks them against the Anchore Engine API to see whether they adhere to the policy that has been defined. If an image does not yet exist in Anchore Engine, it is automatically added and scanned. The default policy validates that there are no critical security vulnerabilities in the image.

Quick Start

NOTE: Kubernetes 1.9+ Required.

  1. Add yourself as a Cluster Admin:

    kubectl create clusterrolebinding cluster-admin-$USER --user=<your-username> --clusterrole=cluster-admin

  2. Install Helm.

  3. Run hack/install.sh, which installs the chart for the server.

  4. Follow the instructions output by the chart installation to install the validating webhook.

How does it work?

This server leverages the Generic Admission Server for most of the heavy lifting of implementing the admission webhook API.

The binary from this repository is registered as an API Service and runs inside of Kubernetes. Once the service is registered, a ValidatingWebhookConfiguration is created that tells the Kubernetes API server to check with the admission server before running any pods in the local cluster.

The admission server receives a request that includes the Pod specification. It takes the images from the list of containers and then sends requests to the Anchore Engine API to ensure that each image passes evaluation against the policy defined in Anchore Engine.
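The request/response flow described above, as an added Go example (not code from this repository or from the Generic Admission Server): it decodes an AdmissionReview, pulls every image out of the PodSpec (init containers included) and answers with an AdmissionResponse. The AdmissionReview structs are a hand-declared subset of the wire format so the example runs without k8s.io/api; the PolicyEvaluator type, NewStaticEvaluator and the image names and verdicts are constructed stand-ins for the HTTP call the real server makes to Anchore Engine's policy-evaluation endpoint.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal subset of the admission.k8s.io AdmissionReview wire format (no k8s.io/api needed).
type admissionReview struct {
	Request  *admissionRequest  `json:"request,omitempty"`
	Response *admissionResponse `json:"response,omitempty"`
}
type admissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"` // the Pod being admitted
}
type admissionResponse struct {
	UID     string            `json:"uid"`
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"` // {"message": ...} on denial
}
// Only the parts of a PodSpec the validator reads.
type container struct {
	Image string `json:"image"`
}
type pod struct {
	Spec struct {
		InitContainers []container `json:"initContainers"`
		Containers     []container `json:"containers"`
	} `json:"spec"`
}

// ImagesFromPod lists init and app container images in declaration order; init containers run in the Pod too.
func ImagesFromPod(raw []byte) ([]string, error) {
	var p pod
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, fmt.Errorf("decoding pod: %w", err)
	}
	var images []string
	for _, c := range append(append([]container{}, p.Spec.InitContainers...), p.Spec.Containers...) {
		images = append(images, c.Image)
	}
	return images, nil
}

// PolicyEvaluator stands in for the Anchore Engine policy-evaluation call (assumed interface, not
// the engine's API): passed=false means the image failed the policy; an error means no verdict yet.
type PolicyEvaluator func(image string) (passed bool, err error)

// Validate decodes an AdmissionReview, evaluates every image and builds the response.
// It fails closed: a failed or unverifiable image denies the Pod.
func Validate(reviewJSON []byte, eval PolicyEvaluator) (*admissionReview, error) {
	var in admissionReview
	if err := json.Unmarshal(reviewJSON, &in); err != nil || in.Request == nil {
		return nil, fmt.Errorf("malformed AdmissionReview: %v", err)
	}
	images, err := ImagesFromPod(in.Request.Object)
	var problems []string
	if err != nil {
		problems = append(problems, err.Error())
	}
	for _, img := range images {
		switch passed, err := eval(img); {
		case err != nil:
			problems = append(problems, fmt.Sprintf("%s: no policy verdict (%v)", img, err))
		case !passed:
			problems = append(problems, fmt.Sprintf("%s: failed policy evaluation", img))
		}
	}
	resp := &admissionResponse{UID: in.Request.UID, Allowed: len(problems) == 0}
	if !resp.Allowed {
		resp.Status = map[string]string{"message": strings.Join(problems, "; ")}
	}
	return &admissionReview{Response: resp}, nil
}

// NewStaticEvaluator uses constructed verdicts instead of a live Anchore Engine; unknown images yield an error.
func NewStaticEvaluator(verdicts map[string]bool) PolicyEvaluator {
	return func(image string) (bool, error) {
		if v, ok := verdicts[image]; ok {
			return v, nil
		}
		return false, fmt.Errorf("image not yet analyzed")
	}
}

// SampleReview is a constructed AdmissionReview for a Pod with one init container and two app
// containers; the image names are placeholders, not real registries.
const SampleReview = `{"apiVersion":"admission.k8s.io/v1beta1","kind":"AdmissionReview",
 "request":{"uid":"constructed-uid-1","object":{"kind":"Pod","spec":{
  "initContainers":[{"name":"init","image":"example.test/tools/init:1.0"}],
  "containers":[{"name":"web","image":"example.test/app/web:2.3"},{"name":"sidecar","image":"example.test/app/sidecar:0.9"}]}}}}`

func main() {
	out, err := Validate([]byte(SampleReview), NewStaticEvaluator(map[string]bool{
		"example.test/tools/init:1.0":  true,
		"example.test/app/web:2.3":     true,
		"example.test/app/sidecar:0.9": false, // e.g. a critical vulnerability tripped the policy
	}))
	if err != nil {
		panic(err)
	}
	b, _ := json.MarshalIndent(out, "", "  ")
	fmt.Println(string(b)) // allowed: false, with the sidecar named in status.message
}
```

The design point worth keeping from this sketch is the fail-closed path: an image the engine has not finished analyzing (or a request for which the engine is unreachable) produces "no policy verdict" and denies the Pod rather than letting it through, and the denial message names every offending image so the person creating the Pod can act on it.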
