Documentation ¶
Overview ¶
Package function contains library units for the amazon-ecr-repository-compliance-webhook Lambda function.
Index ¶
- Variables
- type Container
- func (c *Container) BatchCheckRepositoryCompliance(ctx context.Context, images []string) (bool, error)
- func (c *Container) CheckRepositoryCompliance(ctx context.Context, image string) (bool, error)
- func (c *Container) Handler() Handler
- func (c *Container) HasCriticalVulnerabilities(ctx context.Context, image string) (bool, error)
- type Handler
- type ProxiedHandler
Constants ¶
This section is empty.
Variables ¶
var (
	ErrFailedCompliance = errors.New("webhook: repository fails ecr criteria")
	ErrImagesNotFound   = errors.New("webhook: no ecr images found in pod specification")
)
Errors returned when a validation expectation fails.
Functions ¶
This section is empty.
Types ¶
type Container ¶
Container contains the dependencies and business logic for the amazon-ecr-repository-compliance-webhook Lambda function.
func NewContainer ¶
NewContainer creates a new function Container.
func (*Container) BatchCheckRepositoryCompliance ¶
func (c *Container) BatchCheckRepositoryCompliance(ctx context.Context, images []string) (bool, error)
BatchCheckRepositoryCompliance checks the compliance of a given set of ECR images. It returns false if any one of the repositories is not compliant.
func (*Container) CheckRepositoryCompliance ¶
func (c *Container) CheckRepositoryCompliance(ctx context.Context, image string) (bool, error)
CheckRepositoryCompliance checks that the container image sent to the webhook:
1. Comes from an ECR repository
2. Has image tag immutability enabled
3. Has image scan on push enabled
4. Does not contain any critical vulnerabilities
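The four criteria, and the batch variant described above, as runnable Go. This is an added example, not the project's code: the ECR image reference is parsed with a constructed regular expression, and the repository settings and scan findings are fetched through an assumed Registry interface backed by a constructed in-memory fixture standing in for the AWS SDK DescribeRepositories and DescribeImageScanFindings calls. The functions keep the page's names but return an extra reason string so a denial can say which criterion failed.

```go
package main

import (
	"context"
	"fmt"
	"regexp"
)

// ecrImageRe matches <registry-id>.dkr.ecr.<region>.amazonaws.com/<repository>[:tag][@digest] in the
// standard AWS partition; constructed for this example, it is not the project's own pattern.
var ecrImageRe = regexp.MustCompile(
	`^(\d{12})\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com/([^:@\s]+)(?::(\w[\w.-]{0,127}))?(?:@(sha256:[a-f0-9]{64}))?$`)

// ECRImage is a parsed ECR image reference.
type ECRImage struct{ RegistryID, Region, Repository, Tag, Digest string }

// ParseECRImage is criterion 1: anything not pulled from an ECR registry (Docker Hub, a look-alike
// host, a mirror that proxies ECR) yields false and never reaches the repository checks.
func ParseECRImage(image string) (ECRImage, bool) {
	m := ecrImageRe.FindStringSubmatch(image)
	if m == nil {
		return ECRImage{}, false
	}
	return ECRImage{RegistryID: m[1], Region: m[2], Repository: m[3], Tag: m[4], Digest: m[5]}, true
}

// RepositoryInfo is the subset of a DescribeRepositories result these checks use
// (imageTagMutability == IMMUTABLE and imageScanningConfiguration.scanOnPush).
type RepositoryInfo struct{ TagImmutability, ScanOnPush bool }

// Registry abstracts the ECR calls (DescribeRepositories, DescribeImageScanFindings) so the checks run
// offline here; a production implementation would wrap the AWS SDK ECR client.
type Registry interface {
	Describe(ctx context.Context, img ECRImage) (RepositoryInfo, error)
	CriticalFindings(ctx context.Context, img ECRImage) (int, error)
}

// CheckRepositoryCompliance applies the four criteria in order and returns whether the image is
// compliant, the first failed criterion (empty when compliant), and any registry error. The reason
// string is added on top of the page's (bool, error) shape so the admission denial can say why.
func CheckRepositoryCompliance(ctx context.Context, reg Registry, image string) (bool, string, error) {
	img, ok := ParseECRImage(image)
	if !ok {
		return false, "image does not come from an ECR repository", nil
	}
	info, err := reg.Describe(ctx, img)
	if err != nil {
		return false, "", err // unknown repository or API failure: fail closed, never default to compliant
	}
	if !info.TagImmutability {
		return false, "repository does not have image tag immutability enabled", nil
	}
	if !info.ScanOnPush {
		return false, "repository does not have image scan on push enabled", nil
	}
	n, err := reg.CriticalFindings(ctx, img)
	if err != nil {
		return false, "", err
	}
	if n > 0 {
		return false, fmt.Sprintf("image has %d CRITICAL finding(s)", n), nil
	}
	return true, "", nil
}

// BatchCheckRepositoryCompliance stops at the first image that is not compliant, naming it in the reason.
func BatchCheckRepositoryCompliance(ctx context.Context, reg Registry, images []string) (bool, string, error) {
	for _, image := range images {
		if ok, reason, err := CheckRepositoryCompliance(ctx, reg, image); err != nil || !ok {
			return false, image + ": " + reason, err
		}
	}
	return true, "", nil
}

// fakeRepo and fakeRegistry hold constructed sample data standing in for ECR API responses.
type fakeRepo struct {
	RepositoryInfo
	critical int // CRITICAL findings in the image's latest scan
}
type fakeRegistry map[string]fakeRepo // keyed by repository name

func (f fakeRegistry) Describe(_ context.Context, img ECRImage) (RepositoryInfo, error) {
	if r, ok := f[img.Repository]; ok {
		return r.RepositoryInfo, nil
	}
	return RepositoryInfo{}, fmt.Errorf("RepositoryNotFoundException: %s", img.Repository)
}

func (f fakeRegistry) CriticalFindings(_ context.Context, img ECRImage) (int, error) {
	return f[img.Repository].critical, nil
}

var sampleRegistry = fakeRegistry{
	"team/api":    {RepositoryInfo{TagImmutability: true, ScanOnPush: true}, 0},
	"team/worker": {RepositoryInfo{TagImmutability: false, ScanOnPush: true}, 0},
	"team/legacy": {RepositoryInfo{TagImmutability: true, ScanOnPush: true}, 3},
}

func main() {
	images := []string{"123456789012.dkr.ecr.us-east-1.amazonaws.com/team/api:v1.4.2",
		"123456789012.dkr.ecr.us-east-1.amazonaws.com/team/worker:latest"}
	fmt.Println(BatchCheckRepositoryCompliance(context.Background(), sampleRegistry, images))
}
```

A repository the registry cannot describe yields an error rather than a zero-valued RepositoryInfo, so a deleted or mistyped repository can never be reported as compliant; the caller should treat that error as a denial. The parser is anchored on both ends, which is what rejects look-alike hosts such as `123456789012.dkr.ecr.us-east-1.amazonaws.com.evil.example` and a foreign registry that merely embeds the ECR hostname in its path.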
func (*Container) Handler ¶
func (c *Container) Handler() Handler
Handler returns the function handler for the amazon-ecr-repository-compliance-webhook. The handler:
1. Extracts the body of the POST request that the ValidatingWebhookConfiguration admission controller made to API Gateway
2. Using the request, creates a response. The response must carry the same UID that was received from the cluster
3. Using the request, extracts the Pod object into the same Go data type used by Kubernetes
4. Using the Pod, checks whether the requested creation namespace is a critical one (e.g. kube-system)
5. Using the Pod, extracts all of the unique container images that are in the specification
   - If no images in the specification come from ECR, denies the admission immediately
6. For every image found, checks the four requirements
7. If a single image did not meet the requirements, denies the admission
8. With all requirements satisfied, allows the Pod for admission
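The eight steps as a runnable admission flow, added here as an example and not the project's handler. Minimal stand-in structs replace the k8s.io admission/v1beta1 and core/v1 types and the Lambda events package so it builds with the standard library alone; the per-image check is injected as a function; and the namespace handling in step 4, which the page does not spell out, is assumed to admit kube-system without checks. The sample AdmissionReview body is constructed, not captured from a cluster.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"regexp"
)

// Minimal stand-ins for the k8s.io admission/v1beta1 and core/v1 types, holding only the fields this
// flow reads (assumption: Kubernetes serialises them under these JSON keys; the real types carry more).
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion,omitempty"`
	Kind       string             `json:"kind,omitempty"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}
type AdmissionRequest struct {
	UID       string          `json:"uid"`
	Namespace string          `json:"namespace"`
	Object    json.RawMessage `json:"object"`
}
type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Result  *Status `json:"status,omitempty"`
}
type Status struct {
	Code    int32  `json:"code,omitempty"`
	Message string `json:"message,omitempty"`
}
type Container struct{ Image string `json:"image"` }
type PodSpec struct {
	InitContainers []Container `json:"initContainers"`
	Containers     []Container `json:"containers"`
}
type Pod struct{ Spec PodSpec `json:"spec"` }

// ComplianceFunc is the per-image check (the four criteria), injected so the flow runs offline.
type ComplianceFunc func(ctx context.Context, image string) (bool, error)

var ecrHostRe = regexp.MustCompile(`^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/`) // standard partition; constructed here

// uniqueImages returns every container image in the Pod (init containers included, deduplicated, in
// order) and whether at least one of them is pulled from an ECR registry.
func uniqueImages(pod Pod) ([]string, bool) {
	seen, ecr := map[string]bool{}, false
	var out []string
	for _, c := range append(append([]Container{}, pod.Spec.InitContainers...), pod.Spec.Containers...) {
		if !seen[c.Image] {
			seen[c.Image] = true
			out = append(out, c.Image)
			ecr = ecr || ecrHostRe.MatchString(c.Image)
		}
	}
	return out, ecr
}

// Review runs steps 1-8 over the raw POST body from API Gateway. Every response, allow or deny, echoes
// the request UID; a body that carries no AdmissionReview request is an error, since there is no UID.
func Review(ctx context.Context, body []byte, check ComplianceFunc) (*AdmissionReview, error) {
	var in AdmissionReview
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return nil, fmt.Errorf("webhook: body is not an AdmissionReview with a request: %v", err)
	}
	out := &AdmissionReview{APIVersion: in.APIVersion, Kind: in.Kind, Response: &AdmissionResponse{UID: in.Request.UID}}
	deny := func(msg string) (*AdmissionReview, error) {
		out.Response.Result = &Status{Code: 403, Message: msg}
		return out, nil
	}
	var pod Pod
	if err := json.Unmarshal(in.Request.Object, &pod); err != nil {
		return deny("webhook: request object is not a Pod: " + err.Error())
	}
	// Step 4 (assumption; the page only says the namespace is checked): Pods bound for kube-system
	// are admitted without further checks so cluster components are never blocked by this webhook.
	if in.Request.Namespace == "kube-system" {
		out.Response.Allowed = true
		return out, nil
	}
	images, anyECR := uniqueImages(pod)
	if !anyECR {
		return deny("webhook: no ecr images found in pod specification")
	}
	// Step 6: every image is checked, not just the ECR ones; criterion 1 of the check rejects the rest.
	for _, image := range images {
		if ok, err := check(ctx, image); err != nil { // fail closed instead of relying on failurePolicy
			return deny(fmt.Sprintf("webhook: checking %s: %v", image, err))
		} else if !ok {
			return deny("webhook: repository fails ecr criteria: " + image)
		}
	}
	out.Response.Allowed = true
	return out, nil
}

// sampleBody is a constructed AdmissionReview, not a captured cluster request.
const sampleBody = `{"apiVersion":"admission.k8s.io/v1beta1","kind":"AdmissionReview","request":{"uid":"705ab4f5-6393-11e8-b7cc-42010a800002","namespace":"default","object":{"kind":"Pod","spec":{"initContainers":[{"name":"init","image":"123456789012.dkr.ecr.us-east-1.amazonaws.com/team/api:v1.4.2"}],"containers":[{"name":"api","image":"123456789012.dkr.ecr.us-east-1.amazonaws.com/team/api:v1.4.2"}]}}}}`

func main() {
	out, _ := Review(context.Background(), []byte(sampleBody), func(context.Context, string) (bool, error) { return true, nil })
	fmt.Println(out.Response.UID, out.Response.Allowed)
}
```

Two details worth keeping when the stand-ins are swapped for the real types: a denial is returned as an AdmissionReview with Allowed false rather than as a Go error or a non-200 status, so the Pod is refused regardless of the ValidatingWebhookConfiguration's failurePolicy; and every image in the specification, init containers included, goes through the check, so a Pod that mixes one ECR image with a Docker Hub image is denied by criterion 1 instead of slipping past the "no ECR images" gate.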
type Handler ¶
type Handler func(context.Context, events.APIGatewayProxyRequest) (*v1beta1.AdmissionReview, error)
Handler is a named function type matching the Lambda handler's signature.
func (Handler) WithLogging ¶
WithLogging is a logging middleware for the Lambda handler.
func (Handler) WithProxiedResponse ¶
func (h Handler) WithProxiedResponse() ProxiedHandler
WithProxiedResponse integrates the AdmissionReview response into an acceptable format for API Gateway proxy integrated Lambda functions.
type ProxiedHandler ¶
type ProxiedHandler func(ctx context.Context, event events.APIGatewayProxyRequest) (events.APIGatewayProxyResponse, error)
ProxiedHandler is a Handler that has been wrapped to respond with an API Gateway proxy integration response.
TODO: Refactor to use an interface; the return type of the WithProxiedResponse middleware will be cleaner.