admission-controller-webhook-demo

module
v0.0.0-...-30a4325 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 13, 2020 License: Apache-2.0

README

Kubernetes Admission Controller for Black Duck in Artifactory

This repository contains a small HTTP server that can be used as a Kubernetes MutatingAdmissionWebhook.

The logic of this demo webhook is fairly simple: it enforces more secure defaults for running containers if a Black Duck policy violation is present in an artifactory image. It's possible to run an artifactory image only if it's not in a Black Duck policy violation.

Prerequisites

A cluster on which this example can be tested must be running Kubernetes 1.9.0 or above, with the admissionregistration.k8s.io/v1beta1 API enabled. You can verify that by observing that the following command produces a non-empty output:

kubectl api-versions | grep admissionregistration.k8s.io/v1beta1

In addition, the MutatingAdmissionWebhook admission controller should be added and listed in the admission-control flag of kube-apiserver.

For building the image, GNU make and Go are required.

Deploying the Artifactory Webhook Server

  1. Bring up a Kubernetes cluster satisfying the above prerequisites, and make sure it is active (i.e., either via the configuration in the default location, or by setting the KUBECONFIG environment variable).

  2. Change the artifactory credentials in cmd/webhook-server/main.go to your own. (Don't commit it)

  3. Change the docker image "gautambaghel/art-ac:latest" in auto.sh with your own docker username and image name

  4. Use the docker username and image in the deployment/deployment.yaml.template file and replace "gautambaghel/art-ac:latest"

  5. Run ./auto.sh. This will create a new go binary based on Artifactory Creds and deploy it to the image mentioned in the steps aboev it will also create a CA, a certificate and private key for the webhook server, and deploy the resources in the newly created webhook-demo namespace in your Kubernetes cluster.

Verify

  1. The webhook-server pod in the webhook-demo namespace should be running:
$ kubectl -n webhook-demo get pods
NAME                             READY     STATUS    RESTARTS   AGE
webhook-server-6f976f7bf-hssc9   1/1       Running   0          35m
  1. A MutatingWebhookConfiguration named demo-webhook should exist:
$ kubectl get mutatingwebhookconfigurations
NAME           AGE
demo-webhook   36m
  1. Deploy a pod that is in your artifactory instance with either blackduck.overallStatus not set or set to "NOT_IN_VIOLATION":
$ kubectl create -f examples/pod-with-defaults.yaml
$ pod/pod-with-defaults created
  1. Attempt to deploy a pod that is in your artifactory instance with blackduck.overallStatus set to "IN_VIOLATION":
$ kubectl create -f examples/pod-with-conflict.yaml

Error from server (InternalError): error when creating "pod-with-conflicts.yaml": Internal error occurred: admission webhook "webhook-server.webhook-demo.svc" denied the request: AC webhook: Black Duck policy violation for the image <IMAGE_NAME>:<IMAGE_VERSION>

Build the Image from Sources (optional)

An image can be built by running make. If you want to modify the webhook server for testing purposes, be sure to set and export the shell environment variable IMAGE to an image tag for which you have push access. You can then build and push the image by running make push-image. Also make sure to change the image tag in deployment/deployment.yaml.template, and if necessary, add image pull secrets.

Directories

Path Synopsis
cmd
webhook-server

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.