enforcer-k8s

A Kubernetes validating admission webhook that checks any container images in a pod against a specified policy group.

It's intended to be used alongside Rode to prevent deployments that fail to meet certain checks.

Local Development

This project requires Go 1.17 or newer.

Follow the instructions to run Rode locally

If you have Telepresence installed, run the enforcer on the host:

go run main.go --rode-host=rode.rode-demo.svc.cluster.local:50051 \
    --rode-insecure \
    --policy-group="$POLICY_GROUP" \
    --tls-secret=default/enforcer-k8s \
    --k8s-in-cluster=false \
    --debug \
    --registry-insecure-skip-verify=true

Make any changes, then use make test to run the unit tests
- If necessary, use make fmt to address any formatting issues
If new files were added, use make license to add the required source code headers

Installation

See the rode/charts repository to use the Helm chart.

Flags

Option	Description	Default
`--debug`	Set the log level to debug	`false`
`--k8s-config-file`	Path to the Kubernetes config file	`$HOME/.kube/config`
`--k8s-in-cluster`	Whether the enforcer should use the in-cluster Kubernetes config	`true`
`--policy-group`	The policy group to enforce	N/A
`--port`	The port the HTTP server should bind against	`8001`
`--registry-insecure-skip-verify`	Whether TLS should be verified when talking to container registries	`false`
`--rode-host`	The hostname of the Rode instance	N/A
`--rode-insecure-disable-transport-security`	Whether transport security should be verified when talking to Rode	`false`

rode / enforcer-k8s

readme

enforcer-k8s

Local Development

Installation

Flags