doop-image-checker

Published: Apr 29, 2024 License: Apache-2.0 Imports: 20 Imported by: 0

README

This small helper program provides an HTTP endpoint that Rego expressions can call via the http.send built-in. The endpoint takes a reference to an image stored in Keppel, pulls that image's manifest and returns all response headers of the manifest pull as JSON.

It runs in a Kubernetes cluster alongside a Gatekeeper instance.

Usage

The helper itself is completely stateless. The only configuration for production is the listen address for the HTTP server:

doop-image-checker 0.0.0.0:8080

For testing purposes, a second argument can be added which points to a YAML file containing mappings from image refs to headers. The headers X-Keppel-Max-Layer-Created-At and X-Keppel-Min-Layer-Created-At have special handling: they also accept durations like -1h, which are interpreted relative to the current time.

doop-image-checker 0.0.0.0:8080 response-config.yaml

response-config.yaml:

keppel.example.com/vulnerability:medium:
  X-Keppel-Max-Layer-Created-At: "-1h"
  X-Keppel-Min-Layer-Created-At: "-1h"
  X-Keppel-Vulnerability-Status: Medium
keppel.example.com/vulnerability:old:
  # older than slightly over a year (~13 months)
  X-Keppel-Max-Layer-Created-At: "-10000h"
  X-Keppel-Min-Layer-Created-At: "-10000h"

API

The HTTP endpoint for header checking is GET /v1/headers?image=:image, for instance:

GET /v1/headers?image=keppel.example.com/foo/bar:latest

For each request, the respective manifest is pulled and all response headers are returned as a JSON object with keys in HTTP's canonical title case, for example:

{
  "Content-Type": "application/vnd.docker.distribution.manifest.v2+json",
  "Content-Length": "1367",
  "Docker-Content-Digest": "sha256:64278080eee0d697343d15735979ea8c1a9c3b330a5ac5195e6e713ea2f8b9ea",
  "Docker-Distribution-Api-Version": "registry/2.0",
  "X-Keppel-Vulnerability-Status": "Clean",
  ...
}

The checker may cache headers for a short period of time to avoid unreasonable load on the Keppel API.
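As an added example (not part of the helper's own code), a Go client for the endpoint above: it fetches the headers for one image ref, treats any non-200 answer as an error rather than as "no findings", and admits the image only if X-Keppel-Vulnerability-Status is in an allowed set. The allowed set and the stub server (which stands in for the helper's test mode) are constructed for this example; only the endpoint path and the header name come from the README.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Headers is the JSON object GET /v1/headers returns: canonical header name -> value.
type Headers map[string]string

// fetchHeaders asks the doop-image-checker at baseURL for the manifest headers of one image ref.
func fetchHeaders(baseURL, image string) (Headers, error) {
	resp, err := http.Get(baseURL + "/v1/headers?image=" + url.QueryEscape(image))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // anything but a clean 200 is an error, never "no findings"
		return nil, fmt.Errorf("checker returned %s for %s", resp.Status, image)
	}
	h := Headers{} // pre-allocated so Decode fills this map in place
	return h, json.NewDecoder(resp.Body).Decode(&h)
}

// allowedStatuses is a constructed admission policy, not something Keppel or the helper defines.
var allowedStatuses = map[string]bool{"Clean": true, "Low": true}

// admit decides whether an image may run; an absent status header yields "", which is not allowed.
func admit(h Headers) (bool, string) {
	status := h["X-Keppel-Vulnerability-Status"]
	if !allowedStatuses[status] {
		return false, fmt.Sprintf("vulnerability status %q is not allowed", status)
	}
	return true, ""
}

// newStubChecker imitates the helper's test mode: constructed header sets keyed by image ref.
func newStubChecker(responses map[string]Headers) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if h, ok := responses[r.URL.Query().Get("image")]; ok {
			json.NewEncoder(w).Encode(h)
			return
		}
		http.NotFound(w, r)
	}))
}
```

Because an unknown image ref makes the stub answer 404, fetchHeaders returns an error for it instead of an empty header set, so a policy built on admit cannot accidentally allow an image the checker could not resolve.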

Additionally, a health check endpoint is provided at GET /healthcheck, which always returns the plain text string "OK".

Logging

HTTP requests are logged, but by default, only failed requests (HTTP status code != 200) are logged. To enable full logging, set the environment variable LOG_ALL_REQUESTS=true.
