LukeShortCloud / rootpages

Root Pages is a collection of easy-to-reference tutorials and guides primarily for Linux and other UNIX-like systems.

[virtualization][kubernetes_security] Disallow containers with the latest image tag #559

Open LukeShortCloud opened 3 years ago

LukeShortCloud commented 3 years ago

Use this webhook server https://github.com/flavio/kube-image-bouncer along with the ImagePolicyWebhook admission controller https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/.

LukeShortCloud commented 3 years ago

Example manifests used by KodeKloud (to be tweaked) to deploy kube-image-bouncer on Kubernetes:

```yaml
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: image-bouncer-webhook
  name: image-bouncer-webhook
spec:
  type: NodePort
  ports:
    - name: https
      port: 443
      targetPort: 1323
      protocol: "TCP"
      nodePort: 30080
  selector:
    app: image-bouncer-webhook
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: image-bouncer-webhook
spec:
  selector:
    matchLabels:
      app: image-bouncer-webhook
  template:
    metadata:
      labels:
        app: image-bouncer-webhook
    spec:
      containers:
        - name: image-bouncer-webhook
          imagePullPolicy: Always
          image: "kainlite/kube-image-bouncer:latest"
          args:
            - "--cert=/etc/admission-controller/tls/tls.crt"
            - "--key=/etc/admission-controller/tls/tls.key"
            - "--debug"
            - "--registry-whitelist=docker.io,k8s.gcr.io"
          volumeMounts:
            - name: tls
              mountPath: /etc/admission-controller/tls
      volumes:
        - name: tls
          secret:
            secretName: tls-image-bouncer-webhook
```

LukeShortCloud commented 3 years ago

The kube-image-bouncer --registry-whitelist= argument is used to only allow images from the list of supplied registries.
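As an added illustration (not code from this issue or from kube-image-bouncer itself), the two rules the thread combines, a registry allowlist and rejection of the mutable `latest` tag, applied to container image references in Go. `parseImage` and `check` are hypothetical helpers; parsing follows Docker's reference conventions, and references pinned to a digest are assumed to pass the tag check.

```go
package main

import (
	"fmt"
	"strings"
)

// parseImage splits a reference into registry, repository, tag and digest.
// Assumption (Docker's convention): a first path component without "." or ":"
// that is not "localhost" is a namespace on docker.io, not a registry.
func parseImage(ref string) (registry, repo, tag, digest string) {
	if i := strings.Index(ref, "@"); i >= 0 {
		digest, ref = ref[i+1:], ref[:i]
	}
	registry = "docker.io"
	if i := strings.Index(ref, "/"); i >= 0 {
		if first := ref[:i]; strings.ContainsAny(first, ".:") || first == "localhost" {
			registry, ref = first, ref[i+1:]
		}
	}
	// A colon after the last slash starts the tag; earlier colons belong to a port.
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		tag, ref = ref[i+1:], ref[:i]
	}
	return registry, ref, tag, digest
}

// check applies both rules from the thread: the registry must be on the
// allowlist, and the mutable "latest" tag (explicit, or implied by a missing
// tag) is rejected unless the reference is pinned to a digest (assumed policy).
// It returns whether the image is admitted and the reason a webhook would log.
func check(ref string, allowedRegistries []string) (bool, string) {
	registry, repo, tag, digest := parseImage(ref)
	allowed := false
	for _, r := range allowedRegistries {
		allowed = allowed || r == registry
	}
	if !allowed {
		return false, fmt.Sprintf("registry %q is not in the whitelist", registry)
	}
	if digest == "" && (tag == "" || tag == "latest") {
		return false, fmt.Sprintf("image %q uses the latest tag", repo)
	}
	return true, "admitted"
}
```

Note that a reference with no tag at all (`nginx`) is treated as `latest`, which is the case a naive string match on `:latest` misses.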