kube-bouncer

command module
v0.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 16, 2023 License: Apache-2.0 Imports: 5 Imported by: 0

README

kube-bouncer

KubeBouncer is a set of Kubernetes admission controller that denies resource deployment in specified namespaces, enforcing security policies and best practices in Kubernetes.

Currently there are two sets of validation webhooks available as part of the kubebouncer:

NamespaceBouncer /validate-namespace
  1. Checks if any requested resource action is done on a namespace provided in the webhook deployment environment variable DENY_NAMESPACES, and denies the request/action. To create a NamespaceBouncer webhook, you can use the provided YAML configuration and replace the variables with your own values.
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: nsbouncer-webhook
webhooks:
- name: ${FQDN_OF_THE_SERVICE}
  sideEffects: None
  admissionReviewVersions: ["v1"]
  timeoutSeconds: 5
  clientConfig:
    service:
      name: ${SERVICE_NAME}
      namespace: ${NAMESPACE}
      path: "/validate-namespace"
    caBundle: ${CA_BUNDLE} # Replace it with the ca.pem file which is used to generate the certificates and keys for the webhook
  rules:
    # rules can be configured based on the user requirements
    - operations: [ "CREATE" ]
      apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
PodBouncer /validate-pods
  1. Checks if the readinessProbes or livenessProbes are present in the pod spec, and denies the request if they are not. To create a PodBouncer webhook, you can use the provided YAML configuration and replace the variables with your own values.
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: podbouncer-webhook
webhooks:
- name: ${FQDN_OF_THE_SERVICE}
  sideEffects: None
  admissionReviewVersions: ["v1"]
  timeoutSeconds: 5
  clientConfig:
    service:
      name: ${SERVICE_NAME}
      namespace: ${NAMESPACE}
      path: "/validate-pods"
    caBundle: ${CA_BUNDLE} # Replace it with the ca.pem file which is used to generate the certificates and keys for the webhook
  rules:
    - operations: [ "CREATE" ]
      apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]

Note: More checks and bouncers will be added in the future, and contributions are welcome. If you have any issues or suggestions, please feel free to open an issue.

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis
pkg
admission
utils
webhooks

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.