Documentation ¶
Overview ¶
Package imagepolicy contains an admission controller that configures a webhook to which policy decisions are delegated.
Package imagepolicy contains an admission controller that configures a webhook to which policy decisions are delegated.
Package imagepolicy checks a webhook for image admission
Index ¶
Constants ¶
const ( // ImagePolicyFailedOpenKeySuffix in an annotation indicates the image // review failed open when the image policy webhook backend connection // failed. ImagePolicyFailedOpenKeySuffix string = "failed-open" // ImagePolicyAuditRequiredKeySuffix in an annotation indicates the pod // should be audited. ImagePolicyAuditRequiredKeySuffix string = "audit-required" )
const PluginName = "ImagePolicyWebhook"
PluginName indicates name of admission plugin.
Variables ¶
var AuditKeyPrefix = strings.ToLower(PluginName) + ".image-policy.k8s.io/"
AuditKeyPrefix is used as the prefix for all audit keys handled by this pluggin. Some well known suffixes are listed below.
Functions ¶
Types ¶
type AdmissionConfig ¶
type AdmissionConfig struct {
ImagePolicyWebhook imagePolicyWebhookConfig `json:"imagePolicy"`
}
AdmissionConfig holds config data for admission controllers
type Plugin ¶ added in v1.9.1
Plugin is an implementation of admission.Interface.
func NewImagePolicyWebhook ¶
NewImagePolicyWebhook a new ImagePolicyWebhook plugin from the provided config file. The config file is specified by --admission-control-config-file and has the following format for a webhook:
{ "imagePolicy": { "kubeConfigFile": "path/to/kubeconfig/for/backend", "allowTTL": 30, # time in s to cache approval "denyTTL": 30, # time in s to cache denial "retryBackoff": 500, # time in ms to wait between retries "defaultAllow": true # determines behavior if the webhook backend fails } }
The config file may be json or yaml.
The kubeconfig property refers to another file in the kubeconfig format which specifies how to connect to the webhook backend.
The kubeconfig's cluster field is used to refer to the remote service, user refers to the returned authorizer.
# clusters refers to the remote service. clusters: - name: name-of-remote-imagepolicy-service cluster: certificate-authority: /path/to/ca.pem # CA for verifying the remote service. server: https://images.example.com/policy # URL of remote service to query. Must use 'https'. # users refers to the API server's webhook configuration. users: - name: name-of-api-server user: client-certificate: /path/to/cert.pem # cert for the webhook plugin to use client-key: /path/to/key.pem # key matching the cert
For additional HTTP configuration, refer to the kubeconfig documentation http://kubernetes.io/v1.1/docs/user-guide/kubeconfig-file.html.