A Kubernetes validating admission webhook that checks any container images in a pod against a specified policy group.
It's intended to be used alongside Rode to prevent deployments that fail to meet certain checks.
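The admission decision described above, sketched as an added example that is not taken from this project's source: it reads the pod out of an `admission.k8s.io/v1` AdmissionReview, evaluates every image (init and ephemeral containers included), and denies on the first failure. The `decide` function, its types, and the evaluator callback are hypothetical names; the callback stands in for the policy group evaluation performed by Rode, and the sample request is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type container struct{ Image string }

// admissionReview holds only the request fields read here (JSON keys match case-insensitively).
type admissionReview struct {
	Request *struct {
		UID    string
		Object struct {
			Spec struct{ InitContainers, Containers, EphemeralContainers []container }
		}
	}
}

// response mirrors the AdmissionResponse fields a webhook must return.
type response struct {
	UID     string            `json:"uid"`
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"`
}

// decide denies the pod if any image fails eval, a hypothetical stand-in for the
// policy group evaluation done by Rode. Evaluation errors deny too (fail closed).
func decide(body []byte, eval func(image string) (bool, error)) (response, error) {
	var in admissionReview
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return response{}, fmt.Errorf("malformed AdmissionReview (err=%v)", err)
	}
	spec, out := in.Request.Object.Spec, response{UID: in.Request.UID, Allowed: true}
	images := append(append(spec.InitContainers, spec.Containers...), spec.EphemeralContainers...)
	for _, c := range images {
		if ok, err := eval(c.Image); err != nil || !ok {
			out.Allowed = false
			out.Status = map[string]string{"message": fmt.Sprintf("image %q rejected (evaluation error: %v)", c.Image, err)}
			return out, nil
		}
	}
	return out, nil
}

func main() { // constructed sample request and single-image allow-list evaluator
	body := []byte(`{"request":{"uid":"constructed-uid","object":{"spec":{"containers":[{"image":"registry.example/app:1"}],"initContainers":[{"image":"other.example/init:1"}]}}}}`)
	out, _ := decide(body, func(i string) (bool, error) { return i == "registry.example/app:1", nil })
	b, _ := json.Marshal(map[string]interface{}{"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": out})
	fmt.Println(string(b))
}
```

The sample pod is denied because its init container image fails the evaluator, even though the main container passes.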
This project requires Go 1.17 or newer.
```sh
go run main.go --rode-host=rode.rode-demo.svc.cluster.local:50051 \
--rode-insecure \
--policy-group="$POLICY_GROUP" \
--tls-secret=default/enforcer-k8s \
--k8s-in-cluster=false \
--debug \
--registry-insecure-skip-verify=true
```
- `make test` to run the unit tests
- `make fmt` to address any formatting issues
- `make license` to add the required source code headers

See the rode/charts repository to use the Helm chart.
| Option | Description | Default |
|---|---|---|
| `--debug` | Set the log level to debug | false |
| `--k8s-config-file` | Path to the Kubernetes config file | $HOME/.kube/config |
| `--k8s-in-cluster` | Whether the enforcer should use the in-cluster Kubernetes config | true |
| `--policy-group` | The policy group to enforce | N/A |
| `--port` | The port the HTTP server should bind to | 8001 |
| `--registry-insecure-skip-verify` | Whether to skip TLS verification when talking to container registries | false |
| `--rode-host` | The hostname of the Rode instance | N/A |
| `--rode-insecure-disable-transport-security` | Whether to disable transport security when talking to Rode | false |