README
¶
ecr-repository-compliance-webhook
A Kubernetes ValidatingWebhookConfiguration and serverless backend: Deny Pods with container images that don't come from ECR, don't enforce tag immutability, or don't enforce scanning on push
This AWS Serverless Application Repository app will create an Amazon API Gateway and an AWS Lambda Function that act as the backend for a Kubernetes ValidatingWebhookConfiguration. The function will deny Pods that create containers using images which come from ECR repositories that:
- Do not have tag immutability enabled
- Do not have image scan on push enabled
Additionally, If the images do not come from ECR at all, they will be also be denied from running in the cluster.
Usage
To use this SAR application you will:
- Deploy the application
- Configure and deploy the
ValidatingWebhookConfigurationresource into your Kubernetes cluster (EKS or otherwise). The cluster must have this plugin enabled and be have support for the admissionregistration.k8s.io/v1beta1 API. See here for details.
1. Deploying the Lambda
It is recommended that you deploy this Lambda function directly from the AWS Serverless Application Repository. It is also possible to deploy this function using:
- The SAM CLI
- CloudFormation via the AWS CLI
- CloudFormation via the CloudFormation management console
To deploy this function from AWS GovCloud or regions in China, you must have an account with access to these regions.
| Region | Click and Deploy |
|---|---|
| US East (Ohio) (us-east-2) |  |
| US East (N. Virginia) (us-east-1) | |
| US West (N. California) (us-west-1) | |
| US West (Oregon) (us-west-2) | |
| Asia Pacific (Hong Kong) (ap-east-1) | |
| Asia Pacific (Mumbai) (ap-south-1) | |
| Asia Pacific (Seoul) (ap-northeast-2) | |
| Asia Pacific (Singapore) (ap-southeast-1) | |
| Asia Pacific (Sydney) (ap-southeast-2) | |
| Asia Pacific (Tokyo) (ap-northeast-1) | |
| Canada (Central) (ca-central-1) | |
| EU (Frankfurt) (eu-central-1) | |
| EU (Ireland) (eu-west-1) | |
| EU (London) (eu-west-2) | |
| EU (Paris) (eu-west-3) | |
| EU (Stockholm) (eu-north-1) | |
| Middle East (Bahrain) (me-south-1) | |
| South America (Sao Paulo) (sa-east-1) | |
| AWS GovCloud (US-East) (us-gov-east-1) | |
| AWS GovCloud (US-West) (us-gov-west-1) | |
2. Configuration
After deploying the SAR application from the SAR console you need to.
- Authenticate with your cluster. EKS example w/ AWS CLI:
aws eks update-kubeconfig --name your-clusters-name --region your-clusters-region kubectl apply -f validatingwebhook.yamlprovided here to deploy theValidatingWebhookConfiguration. Make any necessary additions. This webhook only validatesPods.kubectl create ns test-namespace && kubectl apply -f mydeployment.yamlprovided here to deploy a sampleDeployment. Change the image to be whatever image you would like to test. Ensure your nodes have permission to pull from the ECR repository.kubectl get ev -n test-namespaceto see if there are anyFailedCreateevents as a result of theDeployment'sReplicaSettriggeting a failure from theValidatingWebhookConfigurationwhen trying to create Pods. Example:Error creating: admission webhook "ecrpolicies.amazonaws.com" denied the request: webhook: no ecr images found in pod specification
Contributing
Have an idea for a feature to enhance this serverless application? Open an issue or pull request!
Development
This application has been developed, built, and testing against Go 1.14, the latest version of the Serverless Application Model CLI, and the latest version of the AWS CLI, Kubernetes version 1.14, Kubernetes version 1.15, and kubectl 1.17. A Makefile has been provided for convenience.
make check
make test
make build
make sam-package
make sam-deploy
make sam-tail-logs
make destroy
To Do
- [Parameter.String] RegistryID - Restrict to a single Registry
- [Parameter.CommaDelimitedList] IgnoredNamespaces - What namespaces should be ignored. Also possible to set matchers on the
ValidatingWebhookConfiguration - Authenticate the apiserver
- Emit metric on deny, to CloudWatch
- Move to the admissionregistration.k8s.io/v1 API when EKS supports k8s v1.17 and drops v1.14
References
- BanzaiCloud - In-depth introduction to Kubernetes admission webhooks: https://banzaicloud.com/blog/k8s-admission-webhooks/
- ValidatingWebhookConfiguration API Documentation - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#validatingwebhookconfiguration-v1beta1-admissionregistration-k8s-io
- Dynamic Admission Control - https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/
- Official Kubernetes example: https://github.com/kubernetes/kubernetes/blob/v1.15.0/test/images/webhook/scheme.go
Acknowledgements
@jicowan for inspiration: https://github.com/jicowan/ecr-validation-webhook
License
Documentation
¶
There is no documentation for this package.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
pkg
|
|
|
function
Package function contains library units for the ecr-repository-compliance-webhook Lambda function.
|
Package function contains library units for the ecr-repository-compliance-webhook Lambda function. |
|
webhook
Package webhook contains resources for the ValidatingWebhookConfiguration.
|
Package webhook contains resources for the ValidatingWebhookConfiguration. |