Documentation
¶
Overview ¶
Package imagepolicy contains an admission controller that configures a webhook to which policy decisions are delegated.
Package imagepolicy contains an admission controller that configures a webhook to which policy decisions are delegated.
Package imagepolicy checks a webhook for image admission
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NewImagePolicyWebhook ¶
NewImagePolicyWebhook a new imagePolicyWebhook from the provided config file. The config file is specified by --admission-control-config-file and has the following format for a webhook:
{
"imagePolicy": {
"kubeConfigFile": "path/to/kubeconfig/for/backend",
"allowTTL": 30, # time in s to cache approval
"denyTTL": 30, # time in s to cache denial
"retryBackoff": 500, # time in ms to wait between retries
"defaultAllow": true # determines behavior if the webhook backend fails
}
}
The config file may be json or yaml.
The kubeconfig property refers to another file in the kubeconfig format which specifies how to connect to the webhook backend.
The kubeconfig's cluster field is used to refer to the remote service, user refers to the returned authorizer.
# clusters refers to the remote service.
clusters:
- name: name-of-remote-imagepolicy-service
cluster:
certificate-authority: /path/to/ca.pem # CA for verifying the remote service.
server: https://images.example.com/policy # URL of remote service to query. Must use 'https'.
# users refers to the API server's webhook configuration.
users:
- name: name-of-api-server
user:
client-certificate: /path/to/cert.pem # cert for the webhook plugin to use
client-key: /path/to/key.pem # key matching the cert
For additional HTTP configuration, refer to the kubeconfig documentation http://kubernetes.io/v1.1/docs/user-guide/kubeconfig-file.html.
Types ¶
type AdmissionConfig ¶
type AdmissionConfig struct {
ImagePolicyWebhook imagePolicyWebhookConfig `json:"imagePolicy"`
}
AdmissionConfig holds config data for admission controllers
Source Files