imagepolicy

Documentation

Overview

Package imagepolicy contains an admission controller that configures a webhook to which policy decisions are delegated.

Package imagepolicy contains an admission controller that configures a webhook to which policy decisions are delegated.

Package imagepolicy checks a webhook for image admission

Index

• Constants
• Variables
• func Register(plugins *admission.Plugins)
• type AdmissionConfig
• type Plugin
  • func NewImagePolicyWebhook(configFile io.Reader) (*Plugin, error)
  • func (a *Plugin) Validate(attributes admission.Attributes) (err error)

Constants

const (
	// ImagePolicyFailedOpenKeySuffix in an annotation indicates the image
	// review failed open when the image policy webhook backend connection
	// failed.
	ImagePolicyFailedOpenKeySuffix string = "failed-open"

	// ImagePolicyAuditRequiredKeySuffix in an annotation indicates the pod
	// should be audited.
	ImagePolicyAuditRequiredKeySuffix string = "audit-required"
)

const PluginName = "ImagePolicyWebhook"

PluginName indicates name of admission plugin.

Variables

var AuditKeyPrefix = strings.ToLower(PluginName) + ".image-policy.k8s.io/"

AuditKeyPrefix is used as the prefix for all audit keys handled by this pluggin. Some well known suffixes are listed below.

Functions

func Register

func Register(plugins *admission.Plugins)

Register registers a plugin

Types

type AdmissionConfig

type AdmissionConfig struct {
	ImagePolicyWebhook imagePolicyWebhookConfig `json:"imagePolicy"`
}

AdmissionConfig holds config data for admission controllers

type Plugin

type Plugin struct {
	*admission.Handler
	// contains filtered or unexported fields
}

Plugin is an implementation of admission.Interface.

func NewImagePolicyWebhook

func NewImagePolicyWebhook(configFile io.Reader) (*Plugin, error)

NewImagePolicyWebhook a new ImagePolicyWebhook plugin from the provided config file. The config file is specified by --admission-control-config-file and has the following format for a webhook:

{
  "imagePolicy": {
     "kubeConfigFile": "path/to/kubeconfig/for/backend",
     "allowTTL": 30,           # time in s to cache approval
     "denyTTL": 30,            # time in s to cache denial
     "retryBackoff": 500,      # time in ms to wait between retries
     "defaultAllow": true      # determines behavior if the webhook backend fails
  }
}

The config file may be json or yaml.

The kubeconfig property refers to another file in the kubeconfig format which specifies how to connect to the webhook backend.

The kubeconfig's cluster field is used to refer to the remote service, user refers to the returned authorizer.

# clusters refers to the remote service.
clusters:
- name: name-of-remote-imagepolicy-service
  cluster:
    certificate-authority: /path/to/ca.pem      # CA for verifying the remote service.
    server: https://images.example.com/policy # URL of remote service to query. Must use 'https'.

# users refers to the API server's webhook configuration.
users:
- name: name-of-api-server
  user:
    client-certificate: /path/to/cert.pem # cert for the webhook plugin to use
    client-key: /path/to/key.pem          # key matching the cert

For additional HTTP configuration, refer to the kubeconfig documentation http://kubernetes.io/v1.1/docs/user-guide/kubeconfig-file.html.

func (*Plugin) Validate

func (a *Plugin) Validate(attributes admission.Attributes) (err error)

Validate makes an admission decision based on the request attributes