From 7165ecb7a04fb303438bd0f5e8d95f3495846afd Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Fri, 31 Aug 2018 12:53:46 +0200
Subject: [PATCH 01/66] initial commit of anchore-policy-validator
---
.helmignore | 22 +++++
Chart.yaml | 4 +
clenup.sh | 14 ++++
requirements.yaml | 5 ++
templates/NOTES.txt | 1 +
templates/_helpers.tpl | 16 ++++
templates/default-policy/configmap.yaml | 107 ++++++++++++++++++++++++
templates/default-policy/job.yaml | 45 ++++++++++
templates/deployment.yaml | 61 ++++++++++++++
templates/init-ca/init-ca-hook.yaml | 33 ++++++++
templates/init-ca/init-ca-script.yaml | 106 +++++++++++++++++++++++
templates/init-ca/rbac.yaml | 68 +++++++++++++++
templates/rbac.yaml | 81 ++++++++++++++++++
templates/service.yaml | 19 +++++
templates/validatingwebhook.yaml | 25 ++++++
values.yaml | 23 +++++
16 files changed, 630 insertions(+)
create mode 100644 .helmignore
create mode 100644 Chart.yaml
create mode 100755 clenup.sh
create mode 100644 requirements.yaml
create mode 100644 templates/NOTES.txt
create mode 100644 templates/_helpers.tpl
create mode 100644 templates/default-policy/configmap.yaml
create mode 100644 templates/default-policy/job.yaml
create mode 100644 templates/deployment.yaml
create mode 100644 templates/init-ca/init-ca-hook.yaml
create mode 100644 templates/init-ca/init-ca-script.yaml
create mode 100644 templates/init-ca/rbac.yaml
create mode 100644 templates/rbac.yaml
create mode 100644 templates/service.yaml
create mode 100644 templates/validatingwebhook.yaml
create mode 100644 values.yaml
diff --git a/.helmignore b/.helmignore
new file mode 100644
index 0000000..1c17e63
--- /dev/null
+++ b/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+cleanup.sh
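Review bot: The last pattern, `cleanup.sh`, does not match the helper script this commit adds, which is named `clenup.sh` (see the diffstat), so the script is packaged into the chart tarball despite the ignore entry. Renaming the script to `cleanup.sh` is the better fix, since the file name is an obvious typo that also appears in the cleanup of later commits; otherwise change the pattern to `clenup.sh`.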
diff --git a/Chart.yaml b/Chart.yaml
new file mode 100644
index 0000000..38fbcf6
--- /dev/null
+++ b/Chart.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+description: A Helm chart for Kubernetes
+name: anchore-policy-validator
+version: 0.1.0
diff --git a/clenup.sh b/clenup.sh
new file mode 100755
index 0000000..f5d28d0
--- /dev/null
+++ b/clenup.sh
@@ -0,0 +1,14 @@
+#!/bin/zsh
+
+RELEASE_NAME=$1
+
+helm delete --purge ${RELEASE_NAME}
+kubectl delete role ${RELEASE_NAME}-anchore-policy-validator-init-ca
+kubectl delete rolebinding extension-${RELEASE_NAME}-anchore-policy-validator-init-ca-admin
+kubectl delete configmap ${RELEASE_NAME}-init-ca ${RELEASE_NAME}-default-policy
+kubectl delete jobs ${RELEASE_NAME}-init-ca ${RELEASE_NAME}-default-policy
+kubectl delete clusterrolebinding extension-${RELEASE_NAME}-anchore-policy-validator-init-ca-cluster
+kubectl delete clusterroles ${RELEASE_NAME}-anchore-policy-validator-init-ca-cluster
+kubectl delete validatingwebhookconfiguration ${RELEASE_NAME}-anchore-policy-validator.admission.anchore.io
+kubectl delete serviceaccount ${RELEASE_NAME}-anchore-policy-validator-init-ca
+kubectl delete apiservice v1beta1.admission.example.com
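Review bot: `RELEASE_NAME=$1` is never validated, so running the script with no argument invokes `helm delete --purge` without a release and then deletes resources whose names collapse to the bare `-anchore-policy-validator-…` suffix; add `: "${RELEASE_NAME:?usage: $0 RELEASE_NAME}"` after the assignment. The final line deletes `v1beta1.admission.example.com`, which does not match the `admission.anchore.io` group used in the webhook name two lines above and looks like a leftover from the upstream example. The `#!/bin/zsh` shebang is unusual for a file with nothing zsh-specific; `#!/usr/bin/env bash` matches the scripts embedded elsewhere in the chart.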
diff --git a/requirements.yaml b/requirements.yaml
new file mode 100644
index 0000000..b9ad081
--- /dev/null
+++ b/requirements.yaml
@@ -0,0 +1,5 @@
+dependencies:
+- name: anchore-engine
+ version: 0.2.x
+ repository: alias:banzaicloud-anchore
+ condition: anchore-engine.enabled
\ No newline at end of file
diff --git a/templates/NOTES.txt b/templates/NOTES.txt
new file mode 100644
index 0000000..a922c2a
--- /dev/null
+++ b/templates/NOTES.txt
@@ -0,0 +1 @@
+validatingwebhookConfigureation created :{{ template "anchore-policy-validator.fullname" . }}.admission.anchore.io
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
new file mode 100644
index 0000000..a2e0765
--- /dev/null
+++ b/templates/_helpers.tpl
@@ -0,0 +1,16 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "anchore-policy-validator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "anchore-policy-validator.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/templates/default-policy/configmap.yaml b/templates/default-policy/configmap.yaml
new file mode 100644
index 0000000..a81e871
--- /dev/null
+++ b/templates/default-policy/configmap.yaml
@@ -0,0 +1,107 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{.Release.Name}}-default-policy
+ labels:
+ app: {{ template "anchore-policy-validator.fullname" . }}
+data:
+ default-policy.json: |-
+ {
+ "id": "0a869a39-1b20-4ce7-bc00-3a7d88271f08",
+ "version": "1_0",
+ "name": "AnchoreUserDefault",
+ "policies": [
+ {
+ "comment": "",
+ "id": "b4b551ce-376e-455d-9c2b-51ff6d0ab07c",
+ "name": "default",
+ "rules": [
+ {
+ "action": "WARN",
+ "gate": "DOCKERFILECHECK",
+ "id": "ce7b8000-829b-4c27-8122-69cd59018400",
+ "params": [
+ {
+ "name": "DENIEDPORTS",
+ "value": "22"
+ }
+ ],
+ "trigger": "EXPOSE"
+ },
+ {
+ "action": "WARN",
+ "gate": "DOCKERFILECHECK",
+ "id": "312d9e41-1c05-4e2f-ad89-b7d34b0855bb",
+ "params": [],
+ "trigger": "NOHEALTHCHECK"
+ },
+ {
+ "action": "WARN",
+ "gate": "ANCHORESEC",
+ "id": "6b5c14e7-a6f7-48cc-99d2-959273a2c6fa",
+ "params": [
+ {
+ "name": "MAXAGE",
+ "value": "2"
+ }
+ ],
+ "trigger": "FEEDOUTOFDATE"
+ },
+ {
+ "action": "WARN",
+ "gate": "ANCHORESEC",
+ "id": "3e79ea94-18c4-4d26-9e29-3b9172a62c2e",
+ "params": [],
+ "trigger": "UNSUPPORTEDDISTRO"
+ },
+ {
+ "action": "WARN",
+ "gate": "ANCHORESEC",
+ "id": "6063fdde-b1c5-46af-973a-915739451ac4",
+ "params": [],
+ "trigger": "VULNMEDIUM"
+ },
+ {
+ "action": "WARN",
+ "gate": "ANCHORESEC",
+ "id": "b30e8abc-444f-45b1-8a37-55be1b8c8bb5",
+ "params": [],
+ "trigger": "VULNHIGH"
+ },
+ {
+ "action": "STOP",
+ "gate": "ANCHORESEC",
+ "id": "295adc9f-28b9-4aab-a5d6-833cf7727db7",
+ "params": [],
+ "trigger": "VULNCRITICAL"
+ }
+ ],
+ "version": "1_0"
+ }
+ ],
+ "whitelists": [
+ {
+ "comment": "Default Global Whitelist",
+ "id": "912937b6-05fb-472f-bfbe-834c3562f32d",
+ "items": [],
+ "name": "Global Whitelist",
+ "version": "1_0"
+ }
+ ],
+ "mappings": [
+ {
+ "id": "c4f9bf74-dc38-4ddf-b5cf-00e9c0074611",
+ "image": {
+ "type": "tag",
+ "value": "*"
+ },
+ "name": "default",
+ "policy_id": "b4b551ce-376e-455d-9c2b-51ff6d0ab07c",
+ "registry": "*",
+ "repository": "*",
+ "whitelist_ids": [
+ "912937b6-05fb-472f-bfbe-834c3562f32d"
+ ]
+ }
+ ]
+ }
\ No newline at end of file
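Review bot: The shipped default policy only `STOP`s on `VULNCRITICAL` (the rule with id `295adc9f-…`) while `VULNHIGH`, `VULNMEDIUM` and the Dockerfile gates are `WARN`, so images with high-severity findings are admitted; that is a defensible default for an admission controller, but it should be stated, e.g. a comment above `data:` reading `# Default gate policy: only VULNCRITICAL blocks admission; HIGH/MEDIUM findings and Dockerfile checks are WARN only.` The policy `id` on the first JSON line is duplicated as a literal in the `anchore-cli policy activate` command of templates/default-policy/job.yaml, so editing one without the other silently activates nothing; a comment on the `id` line naming that coupling would help. The ConfigMap is named with `{{.Release.Name}}` while its label uses the `fullname` helper; the rest of the chart mixes the two as well, so pick one convention.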
diff --git a/templates/default-policy/job.yaml b/templates/default-policy/job.yaml
new file mode 100644
index 0000000..5b6f6b0
--- /dev/null
+++ b/templates/default-policy/job.yaml
@@ -0,0 +1,45 @@
+{{- $anchoreEngineValues := index .Values "anchore-engine" }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: "{{ .Release.Name }}-default-policy"
+ labels:
+ app: {{ template "anchore-policy-validator.fullname" . }}
+ annotations:
+ "helm.sh/hook": post-install
+ "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+ template:
+ metadata:
+ labels:
+ app: {{ template "anchore-policy-validator.fullname" . }}-default-policy
+ spec:
+ restartPolicy: OnFailure
+ volumes:
+ - name: default-policy
+ configMap:
+ name: {{.Release.Name}}-default-policy
+ containers:
+ - name: default-policy
+ image: "anchore/engine-cli"
+ volumeMounts:
+ - name: default-policy
+ mountPath: /policy
+ env:
+ - name: ANCHORE_CLI_USER
+ value: admin
+ - name: ANCHORE_CLI_PASS
+ value: {{ $anchoreEngineValues.globalConfig.users.admin.password }}
+ - name: ANCHORE_CLI_URL
+ {{ if $anchoreEngineValues.enabled }}
+ value: "http://{{ .Release.Name }}-anchore-engine.{{ .Release.Namespace }}.svc.cluster.local:8228"
+ {{ else }}
+ value: {{ $anchoreEngineValues.external }}
+ {{ end }}
+ command:
+ - "sh"
+ - "-c"
+ - |
+ set -ex
+ anchore-cli policy add /policy/default-policy.json
+ anchore-cli policy activate 0a869a39-1b20-4ce7-bc00-3a7d88271f08
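Review bot: `value: {{ $anchoreEngineValues.globalConfig.users.admin.password }}` renders the engine admin password unquoted, so a numeric-looking password is emitted as a YAML number and the Job is rejected because env `value` must be a string; use `value: {{ … | quote }}` at minimum. The credential also lands in plaintext in the rendered manifest and in the release history; reading it via `valueFrom.secretKeyRef` from a Secret (the engine chart presumably creates one — verify) keeps it out of `helm get` output. The same construction is added for `ANCHORE_ENGINE_PASSWORD` in templates/deployment.yaml in this commit. `image: "anchore/engine-cli"` has no tag, so the job runs whatever `latest` resolves to at install time; pin a tag.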
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
new file mode 100644
index 0000000..63e9f93
--- /dev/null
+++ b/templates/deployment.yaml
@@ -0,0 +1,61 @@
+{{- $anchoreEngineValues := index .Values "anchore-engine" }}
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: {{ template "anchore-policy-validator.fullname" . }}
+ labels:
+ app: {{ template "anchore-policy-validator.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ template:
+ metadata:
+ labels:
+ app: {{ template "anchore-policy-validator.name" . }}
+ release: {{ .Release.Name }}
+ spec:
+ serviceAccountName: {{ template "anchore-policy-validator.fullname" . }}
+ volumes:
+ - name: serving-cert
+ secret:
+ defaultMode: 420
+ secretName: {{ template "anchore-policy-validator.name" . }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - "/anchore-image-admission-server"
+ - "--audit-log-path=-"
+ - "--tls-cert-file=/var/serving-cert/tls.crt"
+ - "--tls-private-key-file=/var/serving-cert/tls.key"
+ - "--v={{ .Values.logVerbosity }}"
+ env:
+ - name: ANCHORE_ENGINE_USERNAME
+ value: admin
+ - name: ANCHORE_ENGINE_PASSWORD
+ value: {{ $anchoreEngineValues.globalConfig.users.admin.password }}
+ - name: ANCHORE_ENGINE_URL
+ {{ if $anchoreEngineValues.enabled }}
+ value: "http://{{ .Release.Name }}-anchore-engine.{{ .Release.Namespace }}.svc.cluster.local:8228"
+ {{ else }}
+ value: {{ $anchoreEngineValues.external }}
+ {{ end }}
+ ports:
+ - containerPort: {{ .Values.service.internalPort }}
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: {{ .Values.service.internalPort }}
+ scheme: HTTPS
+ volumeMounts:
+ - mountPath: /var/serving-cert
+ name: serving-cert
+ resources:
+{{ toYaml .Values.resources | indent 12 }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+ {{- end }}
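Review bot: `secretName: {{ template "anchore-policy-validator.name" . }}` is the one place the chart keys on the bare chart name instead of the `fullname` helper, so two releases in the same namespace would share the serving-cert Secret, and the name must match what the init-ca script writes into `secret.yaml` — that part of the script is cut off in this view, so please verify they agree. `apiVersion: extensions/v1beta1` is the deprecated Deployment group; `apps/v1` with an explicit `spec.selector` is the supported form. The pod spec carries no `securityContext`; `runAsNonRoot: true` and `readOnlyRootFilesystem: true` are cheap hardening for a server that only needs the mounted cert and network access, if the image supports them.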
diff --git a/templates/init-ca/init-ca-hook.yaml b/templates/init-ca/init-ca-hook.yaml
new file mode 100644
index 0000000..ba025ab
--- /dev/null
+++ b/templates/init-ca/init-ca-hook.yaml
@@ -0,0 +1,33 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: "{{ .Release.Name }}-init-ca"
+ labels:
+ app: {{ template "anchore-policy-validator.fullname" . }}
+ component: admission-server
+ annotations:
+ "helm.sh/hook": pre-install
+ "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+ template:
+ metadata:
+ labels:
+ app: {{ template "anchore-policy-validator.fullname" . }}
+ component: admission-server
+ spec:
+ serviceAccountName: {{ template "anchore-policy-validator.fullname" . }}-init-ca
+ restartPolicy: OnFailure
+ volumes:
+ - name: init-ca-script
+ configMap:
+ name: {{.Release.Name}}-init-ca
+ containers:
+ - name: create-ca
+ image: "cfssl/cfssl:latest"
+ command:
+ - bash
+ - -xe
+ - /scripts/init-ca.sh
+ volumeMounts:
+ - name: init-ca-script
+ mountPath: /scripts
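Review bot: `image: "cfssl/cfssl:latest"` is unpinned, and this Job is the one that generates the CA and serving key the webhook will trust, so its image should be fixed by tag and digest (`cfssl/cfssl:<pinned-tag>@sha256:<digest>` placeholder) to keep the trust root reproducible across installs and nodes. The ConfigMap reference `{{.Release.Name}}-init-ca` uses the release name while every other name in the file goes through the `fullname` helper; harmless, but worth aligning.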
diff --git a/templates/init-ca/init-ca-script.yaml b/templates/init-ca/init-ca-script.yaml
new file mode 100644
index 0000000..95c2ef6
--- /dev/null
+++ b/templates/init-ca/init-ca-script.yaml
@@ -0,0 +1,106 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{.Release.Name}}-init-ca
+ labels:
+ app: {{ template "anchore-policy-validator.fullname" . }}
+ annotations:
+ "helm.sh/hook": pre-install
+ "helm.sh/hook-weight": "-5"
+data:
+ init-ca.sh: |-
+ #!/bin/bash -xe
+ # Adapted from https://github.com/openshift/kubernetes-namespace-reservation/blob/master/hack/install-kube.sh
+ apt-get update && apt-get install -y jq
+
+ curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
+ chmod +x ./kubectl
+ mv ./kubectl /usr/bin
+
+ # creates a client CA, args are sudo, dest-dir, ca-id, purpose
+ # purpose is dropped in after "key encipherment", you usually want
+ # '"client auth"'
+ # '"server auth"'
+ # '"client auth","server auth"'
+ function kube::util::create_signing_certkey {
+ local sudo=$1
+ local dest_dir=$2
+ local id=$3
+ local purpose=$4
+ # Create client ca
+ ${sudo} /bin/bash -e < "${dest_dir}/${id}-ca-config.json"
+ EOF
+ }
+
+ # signs a serving certificate: args are sudo, dest-dir, ca, filename (roughly), subject, hosts...
+ function kube::util::create_serving_certkey {
+ local sudo=$1
+ local dest_dir=$2
+ local ca=$3
+ local id=$4
+ local cn=${5:-$4}
+ local hosts=""
+ local SEP=""
+ shift 5
+ while [ -n "${1:-}" ]; do
+ hosts+="${SEP}\"$1\""
+ SEP=","
+ shift 1
+ done
+ ${sudo} /bin/bash -e </dev/null || { echo "Please install jq (https://stedolan.github.io/jq/)."; exit 1; }
+ which cfssljson &>/dev/null || { echo "Please install cfssljson (https://github.com/cloudflare/cfssl))."; exit 1; }
+
+ # create necessary TLS certificates:
+ # - a local CA key and cert
+ # - a webhook server key and cert signed by the local CA
+ rm -rf ./_output/
+ CERT_DIR=_output/tmp/certs
+ mkdir -p "${CERT_DIR}"
+ kube::util::create_signing_certkey "" "${CERT_DIR}" serving '"server auth"'
+
+ # create webhook server key and cert
+ kube::util::create_serving_certkey "" "${CERT_DIR}" "serving-ca" {{ template "anchore-policy-validator.fullname" . }}.{{ .Release.Namespace }}.svc "{{ template "anchore-policy-validator.fullname" . }}.{{ .Release.Namespace }}.svc" "{{ template "anchore-policy-validator.fullname" . }}.{{ .Release.Namespace }}.svc"
+
+ cat > secret.yaml < api-service.yaml <
Date: Mon, 3 Sep 2018 15:01:16 +0200
Subject: [PATCH 02/66] fix external anchore values
---
templates/default-policy/job.yaml | 16 ++++++++++++----
templates/deployment.yaml | 16 ++++++++++++----
values.yaml | 8 ++++++--
3 files changed, 30 insertions(+), 10 deletions(-)
diff --git a/templates/default-policy/job.yaml b/templates/default-policy/job.yaml
index 5b6f6b0..5cfc66a 100644
--- a/templates/default-policy/job.yaml
+++ b/templates/default-policy/job.yaml
@@ -27,15 +27,23 @@ spec:
mountPath: /policy
env:
- name: ANCHORE_CLI_USER
+ {{- if .Values.externalAnchore.enabled }}
+ value: {{ .Values.externalAnchore.anchoreUser }}
+ {{- else }}
value: admin
+ {{- end }}
- name: ANCHORE_CLI_PASS
+ {{- if .Values.externalAnchore.enabled }}
+ value: {{ .Values.externalAnchore.anchorePass }}
+ {{- else }}
value: {{ $anchoreEngineValues.globalConfig.users.admin.password }}
+ {{- end }}
- name: ANCHORE_CLI_URL
- {{ if $anchoreEngineValues.enabled }}
+ {{- if .Values.externalAnchore.enabled }}
+ value: {{ .Values.externalAnchore.anchoreHost }}
+ {{- else }}
value: "http://{{ .Release.Name }}-anchore-engine.{{ .Release.Namespace }}.svc.cluster.local:8228"
- {{ else }}
- value: {{ $anchoreEngineValues.external }}
- {{ end }}
+ {{- end }}
command:
- "sh"
- "-c"
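Review bot: The three new `value: {{ .Values.externalAnchore.… }}` lines are unquoted, so an all-digit password or a `yes`-like user name is emitted as a number or boolean and the Pod is rejected because env values must be strings; write `value: {{ .Values.externalAnchore.anchorePass | quote }}` and the same for `anchoreUser` and `anchoreHost`. The external password still lands in plaintext in the rendered manifest; a `valueFrom.secretKeyRef` to a user-supplied Secret would keep it out of `helm get` output. The `else` branch now assumes the bundled engine unconditionally, so `anchore-engine.enabled: false` without `externalAnchore` points the job at a service that does not exist; a `required` guard on the external values when the sub-chart is disabled would surface that at template time. The identical block is added to templates/deployment.yaml in this commit and needs the same changes.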
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
index 63e9f93..cf0da09 100644
--- a/templates/deployment.yaml
+++ b/templates/deployment.yaml
@@ -34,15 +34,23 @@ spec:
- "--v={{ .Values.logVerbosity }}"
env:
- name: ANCHORE_ENGINE_USERNAME
+ {{- if .Values.externalAnchore.enabled }}
+ value: {{ .Values.externalAnchore.anchoreUser }}
+ {{- else }}
value: admin
+ {{- end }}
- name: ANCHORE_ENGINE_PASSWORD
+ {{- if .Values.externalAnchore.enabled }}
+ value: {{ .Values.externalAnchore.anchorePass }}
+ {{- else }}
value: {{ $anchoreEngineValues.globalConfig.users.admin.password }}
+ {{- end }}
- name: ANCHORE_ENGINE_URL
- {{ if $anchoreEngineValues.enabled }}
+ {{- if .Values.externalAnchore.enabled }}
+ value: {{ .Values.externalAnchore.anchoreHost }}
+ {{- else }}
value: "http://{{ .Release.Name }}-anchore-engine.{{ .Release.Namespace }}.svc.cluster.local:8228"
- {{ else }}
- value: {{ $anchoreEngineValues.external }}
- {{ end }}
+ {{- end }}
ports:
- containerPort: {{ .Values.service.internalPort }}
readinessProbe:
diff --git a/values.yaml b/values.yaml
index ea859a6..9dc86fc 100644
--- a/values.yaml
+++ b/values.yaml
@@ -18,6 +18,10 @@ anchore-engine:
users:
admin:
password: foobar
- external: ""
+externalAnchore:
+ enabled: true
+ anchoreHost: "http://anchore-anchore-engine:8228"
+ anchoreUser: "poke232"
+ anchorePass: "password"
resources: {}
-k8sCAbubdle: ""
\ No newline at end of file
+k8sCAbundle: ""
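Review bot: The new `externalAnchore` defaults ship `enabled: true` with a concrete host, the user `poke232` and the password `password`, which read as a developer's local settings rather than chart defaults, so a plain `helm install` talks to an engine outside the release using committed credentials. Default to `enabled: false` with empty strings, as [PATCH 04/66] in this series later does, and keep real values in a user-supplied values file or Secret.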
From b718c819dd65d64dde4b798811f6ca69885b841d Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Mon, 3 Sep 2018 19:37:07 +0200
Subject: [PATCH 03/66] create validationwebhook with job
---
clenup.sh | 6 ++-
templates/init-ca/init-ca-hook.yaml | 2 +-
templates/validatingwebhook.yaml | 25 -----------
templates/validatingwebhook/rbac.yaml | 24 ++++++++++
.../validatingwebhook-job.yaml | 33 ++++++++++++++
.../validetingwebhook-script.yaml | 44 +++++++++++++++++++
values.yaml | 1 -
7 files changed, 106 insertions(+), 29 deletions(-)
delete mode 100644 templates/validatingwebhook.yaml
create mode 100644 templates/validatingwebhook/rbac.yaml
create mode 100644 templates/validatingwebhook/validatingwebhook-job.yaml
create mode 100644 templates/validatingwebhook/validetingwebhook-script.yaml
diff --git a/clenup.sh b/clenup.sh
index f5d28d0..f6d2c9d 100755
--- a/clenup.sh
+++ b/clenup.sh
@@ -5,10 +5,12 @@ RELEASE_NAME=$1
helm delete --purge ${RELEASE_NAME}
kubectl delete role ${RELEASE_NAME}-anchore-policy-validator-init-ca
kubectl delete rolebinding extension-${RELEASE_NAME}-anchore-policy-validator-init-ca-admin
-kubectl delete configmap ${RELEASE_NAME}-init-ca ${RELEASE_NAME}-default-policy
-kubectl delete jobs ${RELEASE_NAME}-init-ca ${RELEASE_NAME}-default-policy
+kubectl delete configmap ${RELEASE_NAME}-init-ca ${RELEASE_NAME}-default-policy ${RELEASE_NAME}-validatingwebhook
+kubectl delete jobs ${RELEASE_NAME}-init-ca ${RELEASE_NAME}-default-policy ${RELEASE_NAME}-create-validatingwebhook
kubectl delete clusterrolebinding extension-${RELEASE_NAME}-anchore-policy-validator-init-ca-cluster
kubectl delete clusterroles ${RELEASE_NAME}-anchore-policy-validator-init-ca-cluster
kubectl delete validatingwebhookconfiguration ${RELEASE_NAME}-anchore-policy-validator.admission.anchore.io
kubectl delete serviceaccount ${RELEASE_NAME}-anchore-policy-validator-init-ca
kubectl delete apiservice v1beta1.admission.example.com
+kubectl delete clusterrolebinding ${RELEASE_NAME}-anchore-policy-validator-validator-binding
+kubectl delete serviceaccount ${RELEASE_NAME}-anchore-policy-validator-validator
diff --git a/templates/init-ca/init-ca-hook.yaml b/templates/init-ca/init-ca-hook.yaml
index ba025ab..466a473 100644
--- a/templates/init-ca/init-ca-hook.yaml
+++ b/templates/init-ca/init-ca-hook.yaml
@@ -20,7 +20,7 @@ spec:
volumes:
- name: init-ca-script
configMap:
- name: {{.Release.Name}}-init-ca
+ name: {{ .Release.Name }}-init-ca
containers:
- name: create-ca
image: "cfssl/cfssl:latest"
diff --git a/templates/validatingwebhook.yaml b/templates/validatingwebhook.yaml
deleted file mode 100644
index ff47df7..0000000
--- a/templates/validatingwebhook.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: {{ template "anchore-policy-validator.fullname" . }}.admission.anchore.io
- annotations:
- "helm.sh/hook": post-install
- "helm.sh/hook-weight": "1"
-webhooks:
-- name: {{ template "anchore-policy-validator.fullname" . }}.admission.anchore.io
- clientConfig:
- service:
- namespace: default
- name: kubernetes
- path: /apis/admission.anchore.io/v1beta1/imagechecks
- caBundle: {{ .Values.k8sCAbundle }}
- rules:
- - operations:
- - CREATE
- apiGroups:
- - ""
- apiVersions:
- - "*"
- resources:
- - pods
- failurePolicy: Fail
diff --git a/templates/validatingwebhook/rbac.yaml b/templates/validatingwebhook/rbac.yaml
new file mode 100644
index 0000000..117b68d
--- /dev/null
+++ b/templates/validatingwebhook/rbac.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-install
+ "helm.sh/hook-weight": "-6"
+ name: {{ template "anchore-policy-validator.fullname" . }}-validator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ "helm.sh/hook": pre-install
+ "helm.sh/hook-weight": "-6"
+ name: {{ template "anchore-policy-validator.fullname" . }}-validator-binding
+roleRef:
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ namespace: {{ .Release.Namespace }}
+ name: {{ template "anchore-policy-validator.fullname" . }}-validator
\ No newline at end of file
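Review bot: The ClusterRoleBinding grants `cluster-admin` to the `…-validator` ServiceAccount, but the Job that uses it (templates/validatingwebhook/validatingwebhook-job.yaml) only has to register a ValidatingWebhookConfiguration, so a dedicated ClusterRole scoped to `validatingwebhookconfigurations` is enough. Because both objects are pre-install hooks with no delete policy, the binding also outlives the Job, leaving a cluster-admin token mountable by anything that can create pods in the release namespace. The exact verbs depend on the script in `validetingwebhook-script.yaml`, which is cut off in this view; the set below assumes a `kubectl apply`, so trim it if the script only creates.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-weight": "-6"
  name: {{ template "anchore-policy-validator.fullname" . }}-validator
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - create
  - patch
  - update
---
# … unchanged: ClusterRoleBinding metadata and subjects …
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: {{ template "anchore-policy-validator.fullname" . }}-validator
```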
diff --git a/templates/validatingwebhook/validatingwebhook-job.yaml b/templates/validatingwebhook/validatingwebhook-job.yaml
new file mode 100644
index 0000000..a645a52
--- /dev/null
+++ b/templates/validatingwebhook/validatingwebhook-job.yaml
@@ -0,0 +1,33 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: "{{ .Release.Name }}-create-validatingwebhook"
+ labels:
+ app: {{ template "anchore-policy-validator.fullname" . }}
+ component: validating-webhook
+ annotations:
+ "helm.sh/hook": post-install
+ "helm.sh/hook-weight": "1"
+spec:
+ template:
+ metadata:
+ labels:
+ app: {{ template "anchore-policy-validator.fullname" . }}
+ component: validating-webhook
+ spec:
+ serviceAccountName: {{ template "anchore-policy-validator.fullname" . }}-validator
+ restartPolicy: OnFailure
+ volumes:
+ - name: create-validatingwebhook
+ configMap:
+ name: {{ .Release.Name }}-validatingwebhook
+ containers:
+ - name: create-validatingwebhook
+ image: "ubuntu"
+ command:
+ - bash
+ - -xe
+ - /scripts/create-validatingwebhook.sh
+ volumeMounts:
+ - name: create-validatingwebhook
+ mountPath: /scripts
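Review bot: `image: "ubuntu"` is unpinned, and this container runs under the `…-validator` ServiceAccount that templates/validatingwebhook/rbac.yaml binds to `cluster-admin`, so an arbitrary base image is executing with full cluster rights. Pin the image by digest, and prefer an image that already carries `kubectl` so the script does not have to `apt-get` and `curl` it at run time (the first visible lines of `validetingwebhook-script.yaml` do exactly that; the rest of that script is cut off here). The file name `validetingwebhook-script.yaml` is misspelled relative to the `validatingwebhook` directory and job.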
diff --git a/templates/validatingwebhook/validetingwebhook-script.yaml b/templates/validatingwebhook/validetingwebhook-script.yaml
new file mode 100644
index 0000000..04ea828
--- /dev/null
+++ b/templates/validatingwebhook/validetingwebhook-script.yaml
@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-validatingwebhook
+ labels:
+ app: {{ template "anchore-policy-validator.fullname" . }}
+ annotations:
+ "helm.sh/hook": pre-install
+ "helm.sh/hook-weight": "-5"
+data:
+ create-validatingwebhook.sh: |-
+ #!/bin/bash -xe
+ apt-get update && apt-get install -y jq curl
+
+ curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
+ chmod +x ./kubectl
+ mv ./kubectl /usr/bin
+
+ cat > validatingwebhook.yaml <
Date: Mon, 3 Sep 2018 23:13:43 +0200
Subject: [PATCH 04/66] fix repo in requirements
---
requirements.yaml | 2 +-
values.yaml | 10 +++++-----
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/requirements.yaml b/requirements.yaml
index b9ad081..28eb2d6 100644
--- a/requirements.yaml
+++ b/requirements.yaml
@@ -1,5 +1,5 @@
dependencies:
- name: anchore-engine
version: 0.2.x
- repository: alias:banzaicloud-anchore
+ repository: alias:banzaicloud-stable
condition: anchore-engine.enabled
\ No newline at end of file
diff --git a/values.yaml b/values.yaml
index e391aa2..957faf4 100644
--- a/values.yaml
+++ b/values.yaml
@@ -13,14 +13,14 @@ service:
externalPort: 443
internalPort: 443
anchore-engine:
- enabled: false
+ enabled: true
globalConfig:
users:
admin:
password: foobar
externalAnchore:
- enabled: true
- anchoreHost: "http://anchore-anchore-engine:8228"
- anchoreUser: "poke232"
- anchorePass: "password"
+ enabled: false
+ anchoreHost: ""
+ anchoreUser: ""
+ anchorePass: ""
resources: {}
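Review bot: With `anchore-engine.enabled: true` now the default, the admin `password: foobar` a few lines above (context, unchanged here) becomes the credential every default install uses, and both templates inject it into pods. A chart that enables the engine by default should either make the password mandatory (`required` in the templates) or document in the README that it must be overridden; otherwise the admission controller's backend is reachable in-cluster with a published password.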
From 883733bac80b22d85ee030c1c165e02f74d26086 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Tue, 4 Sep 2018 12:48:24 +0200
Subject: [PATCH 05/66] add missing job delete
---
templates/validatingwebhook/validatingwebhook-job.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/templates/validatingwebhook/validatingwebhook-job.yaml b/templates/validatingwebhook/validatingwebhook-job.yaml
index a645a52..13f6300 100644
--- a/templates/validatingwebhook/validatingwebhook-job.yaml
+++ b/templates/validatingwebhook/validatingwebhook-job.yaml
@@ -8,6 +8,7 @@ metadata:
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-weight": "1"
+ "helm.sh/hook-delete-policy": hook-succeeded
spec:
template:
metadata:
From b9325f4d36f05cbc952c97437658adeddf0d5feb Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Wed, 5 Sep 2018 10:06:45 +0200
Subject: [PATCH 06/66] add readme to anchore-policy validator
---
README.md | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
values.yaml | 2 +-
2 files changed, 51 insertions(+), 1 deletion(-)
create mode 100644 README.md
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..590e987
--- /dev/null
+++ b/README.md
@@ -0,0 +1,50 @@
+# anchore-policy-validator
+
+This chart deploy an admission-server that is used as a ValidatingWebhook in a k8s cluster. If it's working, kubernetes will send requst to admission server when a Pod creations is initiated. The server check image, which is defined in PodSpec, against configured Anchore-engine API. If API response that image not valid according to defined policy, k8s will reject Pod creation request.
+
+## Installing the Chart
+
+```bash
+$ helm repo add banzaicloud-stable http://kubernetes-charts.banzaicloud.com/branch/master
+$ helm repo update
+```
+
+Deploying Anchore-engine as a dependency managed in the chart:
+
+```bash
+$ helm install --name stable/anchore-policy-validator
+```
+
+
+Using external Anchore-engine service:
+
+```bash
+$ helm install --name --set externalAnchore.enabled=True --set externalAnchore.anchoreHost= --set externalAnchore.anchoreUser= -set externalAnchore.anchorePass= stable/anchore-policy-validator
+```
+
+## Configuration
+
+The following tables lists configurable parameters of the anchore-policy-validator chart and their default values.
+
+| Parameter | Description | Default |
+| ----------------------------------- | ------------------------------------------- | -----------------------------------------|
+|replicaCount |number of replicas |1 |
+|logVerbosity |log verbosity level |8 |
+|apiService.group |group of registered api service |admission.anchore.io |
+|apiService.version |version of registered api service |v1beta1 |
+|image.repository |admission-server image repo |viglesiasce/anchore-image-admission-server|
+|image.tag |admission-server image tag |latest |
+|image.pullPolicy |admission-server image pull policy |IfNotPresent |
+|service.name |validation sevice name |anchoreimagecheck |
+|service.type |validation service type |ClusterIP |
+|service.externalPort |validation service external port |443 |
+|service.internalPort |validation service external port |443 |
+|anchore-engine.enabled |enable anchore-engine deploy |true |
+|externalAnchore.enabled |enable external anchore-engine usage |false |
+|externalAnchore.anchoreHost |external anchore-engine host |"" |
+|externalAnchore.anchoreUser |external anchore-engine username |"" |
+|externalAnchore.anchorePass |external anchore-engine password |"" |
+
+
+This chart based on:
+[Vic Iglesias' kubernetes-anchore-image-validator](https://github.com/viglesiasce/kubernetes-anchore-image-validator)
diff --git a/values.yaml b/values.yaml
index 957faf4..8d1384a 100644
--- a/values.yaml
+++ b/values.yaml
@@ -6,7 +6,7 @@ apiService:
image:
repository: viglesiasce/anchore-image-admission-server
tag: latest
- pullPolicy: Always
+ pullPolicy: IfNotPresent
service:
name: anchoreimagecheck
type: ClusterIP
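Review bot: `pullPolicy: IfNotPresent` combined with `tag: latest` (context line above) means each node keeps whatever `latest` it pulled first, so different nodes can run different builds of the admission server; `Always` was at least consistent. Pin `image.tag` to a release (ideally with a digest) and keep `IfNotPresent`, or keep `latest` with `Always`.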
From 30b76dd6aa957312bebd1af10699ff5ab3dc9920 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Wed, 5 Sep 2018 10:09:18 +0200
Subject: [PATCH 07/66] fix typo
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 590e987..9791560 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
# anchore-policy-validator
-This chart deploy an admission-server that is used as a ValidatingWebhook in a k8s cluster. If it's working, kubernetes will send requst to admission server when a Pod creations is initiated. The server check image, which is defined in PodSpec, against configured Anchore-engine API. If API response that image not valid according to defined policy, k8s will reject Pod creation request.
+This chart deploy an admission-server that is used as a ValidatingWebhook in a k8s cluster. If it's working, kubernetes will send requst to admission server when a Pod creation is initiated. The server check image, which is defined in PodSpec, against configured Anchore-engine API. If API response that image not valid according to defined policy, k8s will reject Pod creation request.
## Installing the Chart
From 9553efe642ef3045db02a5745e7b5ca088444275 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Wed, 5 Sep 2018 14:36:05 +0200
Subject: [PATCH 08/66] remove anchore-engine dependency and fix templates
based on Chart style guide
---
.helmignore | 1 -
Chart.yaml | 9 +++
clenup.sh => README-dev.md | 9 ++-
README.md | 16 +---
requirements.yaml | 5 --
templates/_helpers.tpl | 4 +
...map.yaml => default-policy-configmap.yaml} | 4 +
.../job.yaml => default-policy-job.yaml} | 16 +---
...-ca-script.yaml => init-ca-configmap.yaml} | 4 +
.../init-ca-hook.yaml => init-ca-job.yaml} | 3 +
.../{init-ca/rbac.yaml => init-ca-rbac.yaml} | 2 +-
templates/rbac.yaml | 81 -------------------
...yaml => validating-webhook-configmap.yaml} | 4 +
...k-job.yaml => validating-webhook-job.yaml} | 3 +
...rbac.yaml => validating-webhook-rbac.yaml} | 0
...loyment.yaml => validator-deployment.yaml} | 16 +---
templates/validator-rbac.yaml | 72 +++++++++++++++++
.../{service.yaml => validator-service.yaml} | 3 +-
values.yaml | 7 --
19 files changed, 122 insertions(+), 137 deletions(-)
rename clenup.sh => README-dev.md (84%)
delete mode 100644 requirements.yaml
rename templates/{default-policy/configmap.yaml => default-policy-configmap.yaml} (94%)
rename templates/{default-policy/job.yaml => default-policy-job.yaml} (71%)
rename templates/{init-ca/init-ca-script.yaml => init-ca-configmap.yaml} (96%)
rename templates/{init-ca/init-ca-hook.yaml => init-ca-job.yaml} (86%)
rename templates/{init-ca/rbac.yaml => init-ca-rbac.yaml} (97%)
delete mode 100644 templates/rbac.yaml
rename templates/{validatingwebhook/validetingwebhook-script.yaml => validating-webhook-configmap.yaml} (89%)
rename templates/{validatingwebhook/validatingwebhook-job.yaml => validating-webhook-job.yaml} (87%)
rename templates/{validatingwebhook/rbac.yaml => validating-webhook-rbac.yaml} (100%)
rename templates/{deployment.yaml => validator-deployment.yaml} (75%)
create mode 100644 templates/validator-rbac.yaml
rename templates/{service.yaml => validator-service.yaml} (85%)
diff --git a/.helmignore b/.helmignore
index 1c17e63..f0c1319 100644
--- a/.helmignore
+++ b/.helmignore
@@ -19,4 +19,3 @@
.project
.idea/
*.tmproj
-cleanup.sh
diff --git a/Chart.yaml b/Chart.yaml
index 38fbcf6..c5fac9f 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -2,3 +2,12 @@ apiVersion: v1
description: A Helm chart for Kubernetes
name: anchore-policy-validator
version: 0.1.0
+keywords:
+ - analysis
+ - "anchore-policy-validator"
+ - image
+ - security
+maintainers:
+- name: Banzai Cloud
+ email: info@banzaicloud.com
+engine: gotpl
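Review bot: `keywords` is written as an indented sequence while `maintainers` directly below is flush with its key; both parse, but yamllint's `indentation` (indent-sequences) rule flags the mix, so indent the `maintainers` items to match `keywords`. The quotes around `"anchore-policy-validator"` alone among the keywords are unnecessary. `description: A Helm chart for Kubernetes` (context) is still the scaffold placeholder and should describe the validator.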
diff --git a/clenup.sh b/README-dev.md
similarity index 84%
rename from clenup.sh
rename to README-dev.md
index f6d2c9d..417fa3b 100755
--- a/clenup.sh
+++ b/README-dev.md
@@ -1,7 +1,9 @@
-#!/bin/zsh
-
-RELEASE_NAME=$1
+# Dev helper
+Due to some resource create with specific deployment method (eg.: create via k8s job), resources has to be deleted by manually.
+
+```bash
+export RELEASE_NAME=
helm delete --purge ${RELEASE_NAME}
kubectl delete role ${RELEASE_NAME}-anchore-policy-validator-init-ca
kubectl delete rolebinding extension-${RELEASE_NAME}-anchore-policy-validator-init-ca-admin
@@ -14,3 +16,4 @@ kubectl delete serviceaccount ${RELEASE_NAME}-anchore-policy-validator-init-ca
kubectl delete apiservice v1beta1.admission.example.com
kubectl delete clusterrolebinding ${RELEASE_NAME}-anchore-policy-validator-validator-binding
kubectl delete serviceaccount ${RELEASE_NAME}-anchore-policy-validator-validator
+```
diff --git a/README.md b/README.md
index 9791560..ee80e62 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# anchore-policy-validator
+# Anchore policy validator
This chart deploy an admission-server that is used as a ValidatingWebhook in a k8s cluster. If it's working, kubernetes will send requst to admission server when a Pod creation is initiated. The server check image, which is defined in PodSpec, against configured Anchore-engine API. If API response that image not valid according to defined policy, k8s will reject Pod creation request.
@@ -9,17 +9,10 @@ $ helm repo add banzaicloud-stable http://kubernetes-charts.banzaicloud.com/bran
$ helm repo update
```
-Deploying Anchore-engine as a dependency managed in the chart:
+Deploying anchore-policy-validator using external Anchore-engine service:
```bash
-$ helm install --name stable/anchore-policy-validator
-```
-
-
-Using external Anchore-engine service:
-
-```bash
-$ helm install --name --set externalAnchore.enabled=True --set externalAnchore.anchoreHost= --set externalAnchore.anchoreUser= -set externalAnchore.anchorePass= stable/anchore-policy-validator
+$ helm install --name --set externalAnchore.anchoreHost= --set externalAnchore.anchoreUser= -set externalAnchore.anchorePass= stable/anchore-policy-validator
```
## Configuration
@@ -39,12 +32,11 @@ The following tables lists configurable parameters of the anchore-policy-validat
|service.type |validation service type |ClusterIP |
|service.externalPort |validation service external port |443 |
|service.internalPort |validation service external port |443 |
-|anchore-engine.enabled |enable anchore-engine deploy |true |
-|externalAnchore.enabled |enable external anchore-engine usage |false |
|externalAnchore.anchoreHost |external anchore-engine host |"" |
|externalAnchore.anchoreUser |external anchore-engine username |"" |
|externalAnchore.anchorePass |external anchore-engine password |"" |
+[Due to some resource create with jobs, these resources has to be deleted by manually.](README-dev.md)
This chart based on:
[Vic Iglesias' kubernetes-anchore-image-validator](https://github.com/viglesiasce/kubernetes-anchore-image-validator)
diff --git a/requirements.yaml b/requirements.yaml
deleted file mode 100644
index 28eb2d6..0000000
--- a/requirements.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-dependencies:
-- name: anchore-engine
- version: 0.2.x
- repository: alias:banzaicloud-stable
- condition: anchore-engine.enabled
\ No newline at end of file
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index a2e0765..8002210 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -2,6 +2,10 @@
{{/*
Expand the name of the chart.
*/}}
+{{- define "anchore-policy-validator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
{{- define "anchore-policy-validator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
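Review bot: The new `anchore-policy-validator.chart` define is inserted between the comment `Expand the name of the chart.` and the `name` define that comment describes, so the helper has no header of its own and the existing comment now sits above the wrong define. Move the new define below the `name` define with its own header, e.g. `{{/* Build the chart label value: name-version, truncated to 63 characters. */}}`. Note also that every label hunk in this commit (`chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}` in the configmap, job, deployment and service templates) keeps the inline expression instead of calling this helper, so the `trunc 63` it applies never takes effect anywhere.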
diff --git a/templates/default-policy/configmap.yaml b/templates/default-policy-configmap.yaml
similarity index 94%
rename from templates/default-policy/configmap.yaml
rename to templates/default-policy-configmap.yaml
index a81e871..9ad0c71 100644
--- a/templates/default-policy/configmap.yaml
+++ b/templates/default-policy-configmap.yaml
@@ -4,6 +4,10 @@ metadata:
name: {{.Release.Name}}-default-policy
labels:
app: {{ template "anchore-policy-validator.fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ component: default-policy
data:
default-policy.json: |-
{
diff --git a/templates/default-policy/job.yaml b/templates/default-policy-job.yaml
similarity index 71%
rename from templates/default-policy/job.yaml
rename to templates/default-policy-job.yaml
index 5cfc66a..80623df 100644
--- a/templates/default-policy/job.yaml
+++ b/templates/default-policy-job.yaml
@@ -5,6 +5,10 @@ metadata:
name: "{{ .Release.Name }}-default-policy"
labels:
app: {{ template "anchore-policy-validator.fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ component: default-policy
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-delete-policy": hook-succeeded
@@ -27,23 +31,11 @@ spec:
mountPath: /policy
env:
- name: ANCHORE_CLI_USER
- {{- if .Values.externalAnchore.enabled }}
value: {{ .Values.externalAnchore.anchoreUser }}
- {{- else }}
- value: admin
- {{- end }}
- name: ANCHORE_CLI_PASS
- {{- if .Values.externalAnchore.enabled }}
value: {{ .Values.externalAnchore.anchorePass }}
- {{- else }}
- value: {{ $anchoreEngineValues.globalConfig.users.admin.password }}
- {{- end }}
- name: ANCHORE_CLI_URL
- {{- if .Values.externalAnchore.enabled }}
value: {{ .Values.externalAnchore.anchoreHost }}
- {{- else }}
- value: "http://{{ .Release.Name }}-anchore-engine.{{ .Release.Namespace }}.svc.cluster.local:8228"
- {{- end }}
command:
- "sh"
- "-c"
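Review bot: With the `{{- if .Values.externalAnchore.enabled }}` branches removed, `value: {{ .Values.externalAnchore.anchorePass }}` (and the user and host lines beside it) render the values as plain scalars, so the `""` default from values.yaml becomes a bare `value:` (null) and a password that looks like a number or boolean is retyped by the YAML parser; at minimum use `value: {{ .Values.externalAnchore.anchorePass | quote }}`. Better, the credential should not be in the pod spec at all: put it in a Secret and reference it with `valueFrom.secretKeyRef`, so `kubectl get job -o yaml` and the Helm release record do not carry the Anchore password. The same pattern is in the `templates/validator-deployment.yaml` hunk (`ANCHORE_ENGINE_PASSWORD`). The container spec this env block belongs to starts outside the hunk.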
diff --git a/templates/init-ca/init-ca-script.yaml b/templates/init-ca-configmap.yaml
similarity index 96%
rename from templates/init-ca/init-ca-script.yaml
rename to templates/init-ca-configmap.yaml
index 95c2ef6..c08efa5 100644
--- a/templates/init-ca/init-ca-script.yaml
+++ b/templates/init-ca-configmap.yaml
@@ -4,6 +4,10 @@ metadata:
name: {{.Release.Name}}-init-ca
labels:
app: {{ template "anchore-policy-validator.fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ component: admission-server
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-weight": "-5"
diff --git a/templates/init-ca/init-ca-hook.yaml b/templates/init-ca-job.yaml
similarity index 86%
rename from templates/init-ca/init-ca-hook.yaml
rename to templates/init-ca-job.yaml
index 466a473..3c46292 100644
--- a/templates/init-ca/init-ca-hook.yaml
+++ b/templates/init-ca-job.yaml
@@ -4,6 +4,9 @@ metadata:
name: "{{ .Release.Name }}-init-ca"
labels:
app: {{ template "anchore-policy-validator.fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
component: admission-server
annotations:
"helm.sh/hook": pre-install
diff --git a/templates/init-ca/rbac.yaml b/templates/init-ca-rbac.yaml
similarity index 97%
rename from templates/init-ca/rbac.yaml
rename to templates/init-ca-rbac.yaml
index 8ab0a6e..ea50f35 100644
--- a/templates/init-ca/rbac.yaml
+++ b/templates/init-ca-rbac.yaml
@@ -16,7 +16,7 @@ metadata:
"helm.sh/hook": pre-install
"helm.sh/hook-weight": "-6"
rules:
-- apiGroups: [""] # "" indicates the core API group
+- apiGroups: [""]
resources: ["secrets", "deployments"]
verbs: ["get", "patch", "create"]
---
diff --git a/templates/rbac.yaml b/templates/rbac.yaml
deleted file mode 100644
index 9935b09..0000000
--- a/templates/rbac.yaml
+++ /dev/null
@@ -1,81 +0,0 @@
-apiVersion: v1
-kind: List
-metadata:
-items:
-
-- apiVersion: v1
- kind: ServiceAccount
- metadata:
- name: {{ template "anchore-policy-validator.fullname" . }}
-
-# to delegate authentication and authorization
-- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRoleBinding
- metadata:
- name: auth-delegator-{{ template "anchore-policy-validator.fullname" . }}-default
- roleRef:
- kind: ClusterRole
- apiGroup: rbac.authorization.k8s.io
- name: system:auth-delegator
- subjects:
- - kind: ServiceAccount
- namespace: {{ .Release.Namespace }}
- name: {{ template "anchore-policy-validator.fullname" . }}
-
-- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRoleBinding
- metadata:
- name: auth-delegator-{{ template "anchore-policy-validator.fullname" . }}-admin
- roleRef:
- kind: ClusterRole
- apiGroup: rbac.authorization.k8s.io
- name: cluster-admin
- subjects:
- - kind: ServiceAccount
- namespace: {{ .Release.Namespace }}
- name: {{ template "anchore-policy-validator.fullname" . }}
-
-# to let the admission server read the namespace reservations
-- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRole
- metadata:
- annotations:
- name: {{ template "anchore-policy-validator.fullname" . }}
- rules:
- - apiGroups:
- - admission.vicnastea.io
- resources:
- - {{ template "anchore-policy-validator.fullname" . }}
- verbs:
- - get
- - list
- - watch
- - create
-
-# to let the admission server read the namespace reservations
-- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRoleBinding
- metadata:
- name: {{ template "anchore-policy-validator.fullname" . }}-default
- roleRef:
- kind: ClusterRole
- apiGroup: rbac.authorization.k8s.io
- name: namespace-reservation-{{ template "anchore-policy-validator.fullname" . }}
- subjects:
- - kind: ServiceAccount
- namespace: {{ .Release.Namespace }}
- name: {{ template "anchore-policy-validator.fullname" . }}
-
-# to read the config for terminating authentication
-- apiVersion: rbac.authorization.k8s.io/v1
- kind: RoleBinding
- metadata:
- namespace: kube-system
- name: extension-{{ template "anchore-policy-validator.fullname" . }}-authentication-reader-default
- roleRef:
- kind: Role
- apiGroup: rbac.authorization.k8s.io
- name: extension-api{{ template "anchore-policy-validator.fullname" . }}-authentication-reader
- subjects:
- - kind: ServiceAccount
- name: {{ template "anchore-policy-validator.fullname" . }}
diff --git a/templates/validatingwebhook/validetingwebhook-script.yaml b/templates/validating-webhook-configmap.yaml
similarity index 89%
rename from templates/validatingwebhook/validetingwebhook-script.yaml
rename to templates/validating-webhook-configmap.yaml
index 04ea828..4f68ea9 100644
--- a/templates/validatingwebhook/validetingwebhook-script.yaml
+++ b/templates/validating-webhook-configmap.yaml
@@ -4,6 +4,10 @@ metadata:
name: {{ .Release.Name }}-validatingwebhook
labels:
app: {{ template "anchore-policy-validator.fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ component: validating-webhook
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-weight": "-5"
diff --git a/templates/validatingwebhook/validatingwebhook-job.yaml b/templates/validating-webhook-job.yaml
similarity index 87%
rename from templates/validatingwebhook/validatingwebhook-job.yaml
rename to templates/validating-webhook-job.yaml
index 13f6300..fab9501 100644
--- a/templates/validatingwebhook/validatingwebhook-job.yaml
+++ b/templates/validating-webhook-job.yaml
@@ -4,6 +4,9 @@ metadata:
name: "{{ .Release.Name }}-create-validatingwebhook"
labels:
app: {{ template "anchore-policy-validator.fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
component: validating-webhook
annotations:
"helm.sh/hook": post-install
diff --git a/templates/validatingwebhook/rbac.yaml b/templates/validating-webhook-rbac.yaml
similarity index 100%
rename from templates/validatingwebhook/rbac.yaml
rename to templates/validating-webhook-rbac.yaml
diff --git a/templates/deployment.yaml b/templates/validator-deployment.yaml
similarity index 75%
rename from templates/deployment.yaml
rename to templates/validator-deployment.yaml
index cf0da09..98ae9bf 100644
--- a/templates/deployment.yaml
+++ b/templates/validator-deployment.yaml
@@ -1,13 +1,13 @@
-{{- $anchoreEngineValues := index .Values "anchore-engine" }}
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: {{ template "anchore-policy-validator.fullname" . }}
labels:
- app: {{ template "anchore-policy-validator.name" . }}
+ app: {{ template "anchore-policy-validator.fullname" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
+ component: admission-server
spec:
replicas: {{ .Values.replicaCount }}
template:
@@ -34,23 +34,11 @@ spec:
- "--v={{ .Values.logVerbosity }}"
env:
- name: ANCHORE_ENGINE_USERNAME
- {{- if .Values.externalAnchore.enabled }}
value: {{ .Values.externalAnchore.anchoreUser }}
- {{- else }}
- value: admin
- {{- end }}
- name: ANCHORE_ENGINE_PASSWORD
- {{- if .Values.externalAnchore.enabled }}
value: {{ .Values.externalAnchore.anchorePass }}
- {{- else }}
- value: {{ $anchoreEngineValues.globalConfig.users.admin.password }}
- {{- end }}
- name: ANCHORE_ENGINE_URL
- {{- if .Values.externalAnchore.enabled }}
value: {{ .Values.externalAnchore.anchoreHost }}
- {{- else }}
- value: "http://{{ .Release.Name }}-anchore-engine.{{ .Release.Namespace }}.svc.cluster.local:8228"
- {{- end }}
ports:
- containerPort: {{ .Values.service.internalPort }}
readinessProbe:
diff --git a/templates/validator-rbac.yaml b/templates/validator-rbac.yaml
new file mode 100644
index 0000000..990fff4
--- /dev/null
+++ b/templates/validator-rbac.yaml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "anchore-policy-validator.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: auth-delegator-{{ template "anchore-policy-validator.fullname" . }}-default
+roleRef:
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ namespace: {{ .Release.Namespace }}
+ name: {{ template "anchore-policy-validator.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: auth-delegator-{{ template "anchore-policy-validator.fullname" . }}-admin
+roleRef:
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ namespace: {{ .Release.Namespace }}
+ name: {{ template "anchore-policy-validator.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ name: {{ template "anchore-policy-validator.fullname" . }}
+rules:
+- apiGroups:
+ - admission.vicnastea.io
+ resources:
+ - {{ template "anchore-policy-validator.fullname" . }}
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "anchore-policy-validator.fullname" . }}-default
+roleRef:
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+ name: namespace-reservation-{{ template "anchore-policy-validator.fullname" . }}
+subjects:
+- kind: ServiceAccount
+ namespace: {{ .Release.Namespace }}
+ name: {{ template "anchore-policy-validator.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ namespace: kube-system
+ name: extension-{{ template "anchore-policy-validator.fullname" . }}-authentication-reader-default
+roleRef:
+ kind: Role
+ apiGroup: rbac.authorization.k8s.io
+ name: extension-api{{ template "anchore-policy-validator.fullname" . }}-authentication-reader
+subjects:
+- kind: ServiceAccount
+ name: {{ template "anchore-policy-validator.fullname" . }}
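Review bot: The second ClusterRoleBinding (`auth-delegator-...-admin`) binds the validator ServiceAccount to `cluster-admin`, giving the admission server full cluster privileges while the ClusterRole defined in the same file only needs get/list/watch/create on the chart's own resource; drop that binding and add whatever specific verbs and resources the server actually needs to the chart's ClusterRole instead. Two role references also look dangling: the `...-default` binding points at ClusterRole `namespace-reservation-{{ fullname }}` while the ClusterRole defined here is named plain `{{ fullname }}`, and the kube-system RoleBinding points at Role `extension-api{{ fullname }}-authentication-reader`, which this diff never creates (the built-in role is `extension-apiserver-authentication-reader`). That RoleBinding's subject has no `namespace`, so it resolves to a ServiceAccount in kube-system rather than the release namespace; add `namespace: {{ .Release.Namespace }}`. The bare `annotations:` under the ClusterRole's metadata renders as null and should be removed.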
diff --git a/templates/service.yaml b/templates/validator-service.yaml
similarity index 85%
rename from templates/service.yaml
rename to templates/validator-service.yaml
index 32af620..397c88d 100644
--- a/templates/service.yaml
+++ b/templates/validator-service.yaml
@@ -3,10 +3,11 @@ kind: Service
metadata:
name: {{ template "anchore-policy-validator.fullname" . }}
labels:
- app: {{ template "anchore-policy-validator.name" . }}
+ app: {{ template "anchore-policy-validator.fullname" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
+ component: admission-server
spec:
type: {{ .Values.service.type }}
ports:
diff --git a/values.yaml b/values.yaml
index 8d1384a..69e64c8 100644
--- a/values.yaml
+++ b/values.yaml
@@ -12,14 +12,7 @@ service:
type: ClusterIP
externalPort: 443
internalPort: 443
-anchore-engine:
- enabled: true
- globalConfig:
- users:
- admin:
- password: foobar
externalAnchore:
- enabled: false
anchoreHost: ""
anchoreUser: ""
anchorePass: ""
From 3c7e5dd3e0d91494ab0ca32b679da63dca5facab Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Tue, 11 Sep 2018 10:54:22 +0200
Subject: [PATCH 09/66] fix README
---
README-dev.md | 2 +-
README.md | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README-dev.md b/README-dev.md
index 417fa3b..f4d888b 100755
--- a/README-dev.md
+++ b/README-dev.md
@@ -1,6 +1,6 @@
# Dev helper
-Due to some resource create with specific deployment method (eg.: create via k8s job), resources has to be deleted by manually.
+Due to some resources create with specific deployment method (eg.: create via k8s job), resources has to be deleted manually.
```bash
export RELEASE_NAME=
diff --git a/README.md b/README.md
index ee80e62..f8ce83b 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
# Anchore policy validator
-This chart deploy an admission-server that is used as a ValidatingWebhook in a k8s cluster. If it's working, kubernetes will send requst to admission server when a Pod creation is initiated. The server check image, which is defined in PodSpec, against configured Anchore-engine API. If API response that image not valid according to defined policy, k8s will reject Pod creation request.
+This chart deploys an admission-server that is used as a ValidatingWebhook in a k8s cluster. If it's working, kubernetes will send requests to the admission server when a Pod creation is initiated. The server checks the image, which is defined in PodSpec, against configured Anchore-engine API. If the API responds with an error, that the image is not valid according to defined policy, k8s will reject the Pod creation request.
## Installing the Chart
From bde2670a00ab494abaf56c078c7c0aec3ad2a015 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Mon, 17 Sep 2018 10:24:56 +0200
Subject: [PATCH 10/66] use banzaicloud/admission-image-validator image
---
templates/validator-deployment.yaml | 2 +-
values.yaml | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/templates/validator-deployment.yaml b/templates/validator-deployment.yaml
index 98ae9bf..b7fbabd 100644
--- a/templates/validator-deployment.yaml
+++ b/templates/validator-deployment.yaml
@@ -27,7 +27,7 @@ spec:
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- - "/anchore-image-admission-server"
+ - "/anchore-image-validator"
- "--audit-log-path=-"
- "--tls-cert-file=/var/serving-cert/tls.crt"
- "--tls-private-key-file=/var/serving-cert/tls.key"
diff --git a/values.yaml b/values.yaml
index 69e64c8..2b6fc33 100644
--- a/values.yaml
+++ b/values.yaml
@@ -4,9 +4,9 @@ apiService:
group: admission.anchore.io
version: v1beta1
image:
- repository: viglesiasce/anchore-image-admission-server
- tag: latest
- pullPolicy: IfNotPresent
+ repository: banzaicloud/anchore-image-validator
+ tag: 0.0.2
+ pullPolicy: Always
service:
name: anchoreimagecheck
type: ClusterIP
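Review bot: `tag: 0.0.2` is a plain scalar that happens to parse as a string, but a two-component tag such as `1.10` would be read as the float `1.1` and rendered that way into the image reference; quote image tags as `tag: "0.0.2"`. `pullPolicy: Always` on a pinned tag also forces a registry round-trip on every pod start; `IfNotPresent` is the usual choice once the tag is immutable.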
From 061b4dd149ffe3d575d574eee8e403760bfc8c6e Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Mon, 17 Sep 2018 13:18:36 +0200
Subject: [PATCH 11/66] add crd, validationwebhook exlude noscan
---
templates/validating-webhook-configmap.yaml | 5 ++++
templates/whitelist-crd.yaml | 29 +++++++++++++++++++++
2 files changed, 34 insertions(+)
create mode 100644 templates/whitelist-crd.yaml
diff --git a/templates/validating-webhook-configmap.yaml b/templates/validating-webhook-configmap.yaml
index 4f68ea9..cb018aa 100644
--- a/templates/validating-webhook-configmap.yaml
+++ b/templates/validating-webhook-configmap.yaml
@@ -43,6 +43,11 @@ data:
resources:
- pods
failurePolicy: Fail
+ namespaceSelector:
+ matchExpressions:
+ - key: scan
+ operator: NotIn
+ values: [noscan]
EOF
sed "s/CA_BUNDLE/$(base64 /var/run/secrets/kubernetes.io/serviceaccount/ca.crt | tr -d '\n')/g" validatingwebhook.yaml | kubectl -n {{ .Release.Namespace }} apply -f -
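Review bot: The added `namespaceSelector` turns the `scan` namespace label into a silent opt-out: any principal allowed to edit namespace labels can set `scan=noscan` and exempt that namespace from image validation entirely, which the commit neither documents nor makes configurable. Record this above the selector, e.g. `# namespaces labelled scan=noscan are exempt from validation; namespace label edit rights are therefore equivalent to bypass`, mention it in README, and consider exposing the key and value through values.yaml so operators can choose an opt-in model. This selector sits inside a shell heredoc in the configmap's script, whose start is outside the hunk.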
diff --git a/templates/whitelist-crd.yaml b/templates/whitelist-crd.yaml
new file mode 100644
index 0000000..ac3da0d
--- /dev/null
+++ b/templates/whitelist-crd.yaml
@@ -0,0 +1,29 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: whitelists.security.banzaicloud.com
+spec:
+ group: security.banzaicloud.com
+ version: v1alpha1
+ names:
+ kind: WhiteList
+ plural: whitelists
+ singular: whitelist
+ shortnames:
+ - wl
+ scope: Cluster
+ validation:
+ openAPIV3Schema:
+ properties:
+ spec:
+ required:
+ - releaseName
+ - reason
+ - creator
+ properties:
+ relaseName:
+ type: string
+ reason:
+ type: string
+ creator:
+ type: string
\ No newline at end of file
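Review bot: `relaseName` in the property definitions is misspelled, so the `required: - releaseName` entry names a property the schema never defines and objects carrying `releaseName` get no type validation; change it to `releaseName:`. `shortnames:` is also not the CRD field name — the API expects `shortNames`, and older API servers silently drop unknown fields, so the `wl` alias will presumably never exist; change it to `shortNames:`. The file also lacks a trailing newline.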
From 13987f17b7fa7997b4e9a0bc68e029bcc174d108 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Mon, 17 Sep 2018 15:39:55 +0200
Subject: [PATCH 12/66] fix readme
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index f8ce83b..4d08203 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ $ helm repo update
Deploying anchore-policy-validator using external Anchore-engine service:
```bash
-$ helm install --name --set externalAnchore.anchoreHost= --set externalAnchore.anchoreUser= -set externalAnchore.anchorePass= stable/anchore-policy-validator
+$ helm install --name --set externalAnchore.anchoreHost= --set externalAnchore.anchoreUser= -set externalAnchore.anchorePass= banzaicloud-stable/anchore-policy-validator
```
## Configuration
From 472712bf2855db9aea8ce8ec7ca935d61468d78d Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Tue, 25 Sep 2018 14:07:19 +0200
Subject: [PATCH 13/66] Anchore default policies (#375)
* create policy bundles and activate AllowAll by default
---
Chart.yaml | 2 +-
README.md | 14 ++
templates/audit-crd.yaml | 41 ++++
templates/default-policy-configmap.yaml | 260 +++++++++++++++++++++---
templates/default-policy-job.yaml | 8 +-
values.yaml | 2 +-
6 files changed, 290 insertions(+), 37 deletions(-)
create mode 100644 templates/audit-crd.yaml
diff --git a/Chart.yaml b/Chart.yaml
index c5fac9f..ea9f5be 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
description: A Helm chart for Kubernetes
name: anchore-policy-validator
-version: 0.1.0
+version: 0.1.1
keywords:
- analysis
- "anchore-policy-validator"
diff --git a/README.md b/README.md
index 4d08203..3da094c 100644
--- a/README.md
+++ b/README.md
@@ -15,6 +15,20 @@ Deploying anchore-policy-validator using external Anchore-engine service:
$ helm install --name --set externalAnchore.anchoreHost= --set externalAnchore.anchoreUser= -set externalAnchore.anchorePass= banzaicloud-stable/anchore-policy-validator
```
+
+During deploying this chart, it's creating predefined policy bundles and activates `AllowAll` by default.
+
+## Policy bundles
+
+| PolicyName | Description |
+|---------------|-------------------------------------------------------------|
+|AllowAll |Allow all images to deploy |
+|RejectCritical |Reject deploying images that contain `critical` vulnerabiliy |
+|RejectHigh |Reject deploying images that contain `high` vulnerabiliy |
+|BlockRoot |Block deploying images that using `root` as effective user |
+|DenyAll |Deny all imagest to deploy |
+
+
## Configuration
The following tables lists configurable parameters of the anchore-policy-validator chart and their default values.
diff --git a/templates/audit-crd.yaml b/templates/audit-crd.yaml
new file mode 100644
index 0000000..adc17d6
--- /dev/null
+++ b/templates/audit-crd.yaml
@@ -0,0 +1,41 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: audits.security.banzaicloud.com
+spec:
+ group: security.banzaicloud.com
+ version: v1alpha1
+ names:
+ kind: Audit
+ plural: audits
+ singular: audit
+ scope: Cluster
+ validation:
+ openAPIV3Schema:
+ properties:
+ spec:
+ required:
+ - releaseName
+ - resource
+ - image
+ - result
+ - action
+ properties:
+ releaseName:
+ type: string
+ resource:
+ type: string
+ image:
+ type: array
+ items:
+ type: string
+ result:
+ type: array
+ items:
+ type: string
+ action:
+ type: string
+ status:
+ properties:
+ state:
+ type: string
diff --git a/templates/default-policy-configmap.yaml b/templates/default-policy-configmap.yaml
index 9ad0c71..167cd73 100644
--- a/templates/default-policy-configmap.yaml
+++ b/templates/default-policy-configmap.yaml
@@ -9,21 +9,35 @@ metadata:
heritage: {{ .Release.Service }}
component: default-policy
data:
- default-policy.json: |-
+ allow-all.json: |-
{
- "id": "0a869a39-1b20-4ce7-bc00-3a7d88271f08",
+ "id": "97b33e2c-3b57-4a3f-a12b-a8c0daa472a0",
"version": "1_0",
- "name": "AnchoreUserDefault",
+ "name": "AllowAll",
"policies": [
{
"comment": "",
- "id": "b4b551ce-376e-455d-9c2b-51ff6d0ab07c",
- "name": "default",
+ "id": "b83f90b3-24b7-4c51-858e-035f85156f00",
+ "name": "allow-all",
"rules": [
+ {
+ "action": "WARN",
+ "gate": "ANCHORESEC",
+ "id": "eaef9298-9be9-4cc3-92d8-1b69968e175a",
+ "params": [],
+ "trigger": "VULNHIGH"
+ },
+ {
+ "action": "WARN",
+ "gate": "ANCHORESEC",
+ "id": "f2d9e08e-b09c-4f8d-972c-de84223783f9",
+ "params": [],
+ "trigger": "VULNCRITICAL"
+ },
{
"action": "WARN",
"gate": "DOCKERFILECHECK",
- "id": "ce7b8000-829b-4c27-8122-69cd59018400",
+ "id": "f47bf985-fbd5-4afa-bdcc-658ecc9e424e",
"params": [
{
"name": "DENIEDPORTS",
@@ -31,81 +45,261 @@ data:
}
],
"trigger": "EXPOSE"
- },
+ }
+ ],
+ "version": "1_0"
+ }
+ ],
+ "whitelists": [],
+ "mappings": [
+ {
+ "id": "df21279e-57f3-4ca2-a57a-ae23cb071d6b",
+ "image": {
+ "type": "tag",
+ "value": "*"
+ },
+ "name": "allow-all",
+ "policy_id": "b83f90b3-24b7-4c51-858e-035f85156f00",
+ "registry": "*",
+ "repository": "*",
+ "whitelist_ids": []
+ }
+ ]
+ }
+ deny-all.json: |-
+ {
+ "id": "a81d4e45-6021-4b42-a217-a6554015d431",
+ "version": "1_0",
+ "name": "DenyAll",
+ "policies": [
+ {
+ "comment": "",
+ "id": "9943a629-c3d9-47ce-8235-7142e54bb682",
+ "name": "deny-all",
+ "rules": [
+ {
+ "action": "STOP",
+ "gate": "FILECHECK",
+ "id": "cbb8b7e5-f8b8-4bb9-905e-1be7f45ac39d",
+ "params": [
+ {
+ "name": "FILECHECK_NAMEREGEXP",
+ "value": ".*"
+ }
+ ],
+ "trigger": "FILENAMEMATCH"
+ }
+ ],
+ "version": "1_0"
+ }
+ ],
+ "whitelists": [],
+ "mappings": [
+ {
+ "id": "2c0ac021-94f4-4366-a818-78fe1fb493d9",
+ "image": {
+ "type": "tag",
+ "value": "*"
+ },
+ "name": "deny-all",
+ "policy_id": "9943a629-c3d9-47ce-8235-7142e54bb682",
+ "registry": "*",
+ "repository": "*",
+ "whitelist_ids": []
+ }
+ ]
+ }
+ reject-high.json: |-
+ {
+ "id": "0cd4785e-71fa-4273-8ea5-3b15f515cca4",
+ "version": "1_0",
+ "name": "RejectHigh",
+ "policies": [
+ {
+ "comment": "",
+ "id": "d8acc789-181a-4b14-b569-4e5b292c8653",
+ "name": "reject-high",
+ "rules": [
{
"action": "WARN",
- "gate": "DOCKERFILECHECK",
- "id": "312d9e41-1c05-4e2f-ad89-b7d34b0855bb",
+ "gate": "ANCHORESEC",
+ "id": "1516498a-4e4e-4085-9e24-fdd878834235",
"params": [],
- "trigger": "NOHEALTHCHECK"
+ "trigger": "UNSUPPORTEDDISTRO"
},
{
"action": "WARN",
"gate": "ANCHORESEC",
- "id": "6b5c14e7-a6f7-48cc-99d2-959273a2c6fa",
- "params": [
- {
- "name": "MAXAGE",
- "value": "2"
- }
- ],
- "trigger": "FEEDOUTOFDATE"
+ "id": "3750deb2-d7aa-4e72-8a09-88207e5c364f",
+ "params": [],
+ "trigger": "VULNMEDIUM"
},
+ {
+ "action": "STOP",
+ "gate": "ANCHORESEC",
+ "id": "dbea7de9-a398-4306-8326-b3377a483ebd",
+ "params": [],
+ "trigger": "VULNCRITICAL"
+ },
+ {
+ "action": "STOP",
+ "gate": "ANCHORESEC",
+ "id": "92c4fd9b-df7d-40ad-91b0-717271122e72",
+ "params": [],
+ "trigger": "VULNHIGH"
+ }
+ ],
+ "version": "1_0"
+ }
+ ],
+ "whitelists": [],
+ "mappings": [
+ {
+ "id": "7bf9ee85-f5fe-4f39-9777-0d687dfd2dcc",
+ "image": {
+ "type": "tag",
+ "value": "*"
+ },
+ "name": "reject-high",
+ "policy_id": "d8acc789-181a-4b14-b569-4e5b292c8653",
+ "registry": "*",
+ "repository": "*",
+ "whitelist_ids": []
+ }
+ ]
+ }
+ reject-critical.json: |-
+ {
+ "id": "bdb91dcc-62ca-49a2-a497-ee8a3bb7ec9f",
+ "version": "1_0",
+ "name": "RejectCritical",
+ "policies": [
+ {
+ "comment": "",
+ "id": "2335c373-6182-4e1b-9e1f-dae4b47eb9f8",
+ "name": "reject-critical",
+ "rules": [
{
"action": "WARN",
"gate": "ANCHORESEC",
- "id": "3e79ea94-18c4-4d26-9e29-3b9172a62c2e",
+ "id": "f8d4743b-4d19-4e37-a606-bdc886e04e26",
"params": [],
"trigger": "UNSUPPORTEDDISTRO"
},
{
"action": "WARN",
"gate": "ANCHORESEC",
- "id": "6063fdde-b1c5-46af-973a-915739451ac4",
+ "id": "d995f2d4-576c-4ea3-83cb-e171371d2740",
"params": [],
"trigger": "VULNMEDIUM"
},
{
"action": "WARN",
"gate": "ANCHORESEC",
- "id": "b30e8abc-444f-45b1-8a37-55be1b8c8bb5",
+ "id": "d4d216ba-a56d-42a5-a3fc-80fd2a354f5b",
"params": [],
"trigger": "VULNHIGH"
},
+ {
+ "action": "WARN",
+ "gate": "DOCKERFILECHECK",
+ "id": "f3e4c04e-ccbe-4933-9768-ab9d722c9675",
+ "params": [],
+ "trigger": "NOHEALTHCHECK"
+ },
{
"action": "STOP",
"gate": "ANCHORESEC",
- "id": "295adc9f-28b9-4aab-a5d6-833cf7727db7",
+ "id": "bc24976e-eb4f-4162-a0aa-7e820ec61c94",
"params": [],
"trigger": "VULNCRITICAL"
+ },
+ {
+ "action": "STOP",
+ "gate": "DOCKERFILECHECK",
+ "id": "a703788b-c9ad-4ad5-859a-36a1c7f4f8aa",
+ "params": [
+ {
+ "name": "DENIEDPORTS",
+ "value": "22"
+ }
+ ],
+ "trigger": "EXPOSE"
}
],
"version": "1_0"
}
],
- "whitelists": [
+ "whitelists": [],
+ "mappings": [
+ {
+ "id": "cb60bd5e-3ac4-4bf0-8d37-16c83d3f7f07",
+ "image": {
+ "type": "tag",
+ "value": "*"
+ },
+ "name": "reject-critical",
+ "policy_id": "2335c373-6182-4e1b-9e1f-dae4b47eb9f8",
+ "registry": "*",
+ "repository": "*",
+ "whitelist_ids": []
+ }
+ ]
+ }
+ block-root.json: |-
+ {
+ "id": "377c130d-0af7-45d4-adf9-cd72878993e2",
+ "version": "1_0",
+ "name": "BlockRoot",
+ "policies": [
{
- "comment": "Default Global Whitelist",
- "id": "912937b6-05fb-472f-bfbe-834c3562f32d",
- "items": [],
- "name": "Global Whitelist",
+ "comment": "",
+ "id": "374c81e5-1f63-41c8-ad86-c76a51db4d80",
+ "name": "block-root",
+ "rules": [
+ {
+ "action": "STOP",
+ "gate": "DOCKERFILECHECK",
+ "id": "3b1c20f5-6a38-423d-9e35-7facdc6aca1c",
+ "params": [
+ {
+ "name": "DENIED",
+ "value": "root"
+ }
+ ],
+ "trigger": "EFFECTIVEUSER"
+ },
+ {
+ "action": "WARN",
+ "gate": "ANCHORESEC",
+ "id": "eab521ac-ca56-4840-b463-11c427ffa7ab",
+ "params": [],
+ "trigger": "VULNHIGH"
+ },
+ {
+ "action": "WARN",
+ "gate": "ANCHORESEC",
+ "id": "66218daa-2ee7-48e9-b73e-506378a59b2e",
+ "params": [],
+ "trigger": "VULNCRITICAL"
+ }
+ ],
"version": "1_0"
}
],
+ "whitelists": [],
"mappings": [
{
- "id": "c4f9bf74-dc38-4ddf-b5cf-00e9c0074611",
+ "id": "c42e0769-5bb9-4e99-94d6-5c009e228439",
"image": {
"type": "tag",
"value": "*"
},
- "name": "default",
- "policy_id": "b4b551ce-376e-455d-9c2b-51ff6d0ab07c",
+ "name": "block-root",
+ "policy_id": "374c81e5-1f63-41c8-ad86-c76a51db4d80",
"registry": "*",
"repository": "*",
- "whitelist_ids": [
- "912937b6-05fb-472f-bfbe-834c3562f32d"
- ]
+ "whitelist_ids": []
}
]
}
\ No newline at end of file
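Review bot: The DenyAll bundle rejects images through a `FILECHECK`/`FILENAMEMATCH` rule with regex `.*` rather than an explicit deny, which presumably only fires when file-check data is present for the image; that mechanism deserves a comment, since the README describes the bundle as simply "Deny all images". Comments cannot go inside the `|-` block scalars (they would become part of the JSON), so add them above each key, e.g. `# DenyAll: STOPs on any file name (FILENAMEMATCH .*)` above `deny-all.json:` and a similar one-liner for each of the other bundles. A comment above `allow-all.json:` noting that its top-level `id` is the one `default-policy-job.yaml` activates would also save a future mismatch.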
diff --git a/templates/default-policy-job.yaml b/templates/default-policy-job.yaml
index 80623df..68ffbd8 100644
--- a/templates/default-policy-job.yaml
+++ b/templates/default-policy-job.yaml
@@ -41,5 +41,9 @@ spec:
- "-c"
- |
set -ex
- anchore-cli policy add /policy/default-policy.json
- anchore-cli policy activate 0a869a39-1b20-4ce7-bc00-3a7d88271f08
+ anchore-cli policy add /policy/allow-all.json
+ anchore-cli policy add /policy/deny-all.json
+ anchore-cli policy add /policy/reject-high.json
+ anchore-cli policy add /policy/reject-critical.json
+ anchore-cli policy add /policy/block-root.json
+ anchore-cli policy activate 97b33e2c-3b57-4a3f-a12b-a8c0daa472a0
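Review bot: The activated bundle id `97b33e2c-3b57-4a3f-a12b-a8c0daa472a0` is hard-coded and has to be kept in sync by hand with the `id` inside `allow-all.json` in the configmap, and because AllowAll's rules are all `WARN`, the validator enforces nothing until someone activates another bundle. Consider driving this from values, e.g. `anchore-cli policy activate {{ .Values.defaultPolicyId }}` (proposed value key, defaulting to the allow-all id), so operators can pick RejectCritical or RejectHigh at install time and the id lives in one place. The container spec this script belongs to starts outside the hunk.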
diff --git a/values.yaml b/values.yaml
index 2b6fc33..2f98382 100644
--- a/values.yaml
+++ b/values.yaml
@@ -6,7 +6,7 @@ apiService:
image:
repository: banzaicloud/anchore-image-validator
tag: 0.0.2
- pullPolicy: Always
+ pullPolicy: IfNotPresent
service:
name: anchoreimagecheck
type: ClusterIP
From 45910c20ee876e882b09484cc7f1f0a34e30147b Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Thu, 4 Oct 2018 21:53:30 +0200
Subject: [PATCH 14/66] fix kind in whitelist-crd (#384)
---
Chart.yaml | 2 +-
templates/whitelist-crd.yaml | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index ea9f5be..7494672 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
description: A Helm chart for Kubernetes
name: anchore-policy-validator
-version: 0.1.1
+version: 0.1.2
keywords:
- analysis
- "anchore-policy-validator"
diff --git a/templates/whitelist-crd.yaml b/templates/whitelist-crd.yaml
index ac3da0d..2ffe17c 100644
--- a/templates/whitelist-crd.yaml
+++ b/templates/whitelist-crd.yaml
@@ -1,14 +1,14 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
- name: whitelists.security.banzaicloud.com
+ name: whitelistitems.security.banzaicloud.com
spec:
group: security.banzaicloud.com
version: v1alpha1
names:
- kind: WhiteList
- plural: whitelists
- singular: whitelist
+ kind: WhiteListItem
+ plural: whitelistitems
+ singular: whitelistitem
shortnames:
- wl
scope: Cluster
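Review bot: The `names` block uses `shortnames:`, but the apiextensions field is `shortNames` (camelCase); the lowercase key is not a recognized field, so the `wl` alias is dropped on apply (or rejected under strict validation). The line is unchanged context, but renaming the kind is the right moment to fix it: `shortNames:`.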
From c92fcb443bde1d31936671dfa9151dc8aa0e0ec2 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Mon, 15 Oct 2018 12:46:04 +0200
Subject: [PATCH 15/66] remove releaseName from WhiteListItem Spec and add
custom columns
---
Chart.yaml | 2 +-
templates/audit-crd.yaml | 17 +++++++++++++++++
templates/whitelist-crd.yaml | 14 ++++++++++----
3 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index 7494672..32d3cd8 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
description: A Helm chart for Kubernetes
name: anchore-policy-validator
-version: 0.1.2
+version: 0.1.3
keywords:
- analysis
- "anchore-policy-validator"
diff --git a/templates/audit-crd.yaml b/templates/audit-crd.yaml
index adc17d6..877e783 100644
--- a/templates/audit-crd.yaml
+++ b/templates/audit-crd.yaml
@@ -39,3 +39,20 @@ spec:
properties:
state:
type: string
+ additionalPrinterColumns:
+ - name: ReleaseName
+ type: string
+ JSONPath: .spec.releaseName
+ priority: 1
+ - name: Image
+ type: string
+ JSONPath: .spec.image
+ priority: 2
+ - name: result
+ type: string
+ JSONPath: .spec.result
+ priority: 3
+ - name: action
+ type: string
+ JSONPath: .spec.action
+ priority: 4
\ No newline at end of file
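Review bot: All four added printer columns carry `priority` 1–4, and apiextensions shows only priority-0 columns in plain `kubectl get` output, higher values appearing only with `-o wide`; give the columns meant for the default listing (`ReleaseName`, `result` at least) `priority: 0`. The names also mix casing (`ReleaseName`, `Image` vs `result`, `action`); pick one style. The CRD this hunk extends begins outside the hunk, and the file loses its trailing newline.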
diff --git a/templates/whitelist-crd.yaml b/templates/whitelist-crd.yaml
index 2ffe17c..18658f9 100644
--- a/templates/whitelist-crd.yaml
+++ b/templates/whitelist-crd.yaml
@@ -17,13 +17,19 @@ spec:
properties:
spec:
required:
- - releaseName
- reason
- creator
properties:
- relaseName:
- type: string
reason:
type: string
creator:
- type: string
\ No newline at end of file
+ type: string
+ additionalPrinterColumns:
+ - name: Reason
+ type: string
+ JSONPath: .spec.readson
+ priority: 1
+ - name: Creator
+ type: string
+ JSONPath: .spec.creator
+ priority: 2
\ No newline at end of file
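Review bot: `JSONPath: .spec.readson` on the new Reason column does not match the `reason` property defined a few lines above, so the column always renders empty; it should be `JSONPath: .spec.reason` (this is corrected later in the series, PATCH 24/66, but the commit as written ships the typo). Both columns also have priority >0, so they only show with `-o wide`. The schema this hunk edits starts outside the hunk.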
From f1c187056c949dd3482f4a600a4213df0c0bd423 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Mon, 15 Oct 2018 13:23:56 +0200
Subject: [PATCH 16/66] increase nchore-image-validator version
---
values.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/values.yaml b/values.yaml
index 2f98382..b6bd1d9 100644
--- a/values.yaml
+++ b/values.yaml
@@ -5,7 +5,7 @@ apiService:
version: v1beta1
image:
repository: banzaicloud/anchore-image-validator
- tag: 0.0.2
+ tag: 0.0.3
pullPolicy: IfNotPresent
service:
name: anchoreimagecheck
From 4b23e13f15364a0b9fba94185c68c4b26eda0647 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Tue, 16 Oct 2018 15:21:40 +0200
Subject: [PATCH 17/66] change anchore-image-validator version and executable
path (#399)
---
Chart.yaml | 2 +-
templates/validator-deployment.yaml | 2 +-
values.yaml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index 32d3cd8..e3af378 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
description: A Helm chart for Kubernetes
name: anchore-policy-validator
-version: 0.1.3
+version: 0.1.4
keywords:
- analysis
- "anchore-policy-validator"
diff --git a/templates/validator-deployment.yaml b/templates/validator-deployment.yaml
index b7fbabd..aecf710 100644
--- a/templates/validator-deployment.yaml
+++ b/templates/validator-deployment.yaml
@@ -27,7 +27,7 @@ spec:
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- - "/anchore-image-validator"
+ - "/usr/local/bin/anchore-image-validator"
- "--audit-log-path=-"
- "--tls-cert-file=/var/serving-cert/tls.crt"
- "--tls-private-key-file=/var/serving-cert/tls.key"
diff --git a/values.yaml b/values.yaml
index b6bd1d9..413cfb7 100644
--- a/values.yaml
+++ b/values.yaml
@@ -5,7 +5,7 @@ apiService:
version: v1beta1
image:
repository: banzaicloud/anchore-image-validator
- tag: 0.0.3
+ tag: 0.0.4
pullPolicy: IfNotPresent
service:
name: anchoreimagecheck
From 0ab65fd09b03e2eeeef8c41d3e3e3b3daf202096 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Wed, 24 Oct 2018 19:28:47 +0200
Subject: [PATCH 18/66] new version of anchore-image-validator (#423)
---
Chart.yaml | 3 ++-
values.yaml | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index e3af378..c355a87 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,7 +1,8 @@
apiVersion: v1
description: A Helm chart for Kubernetes
name: anchore-policy-validator
-version: 0.1.4
+version: 0.1.5
+appVersion: 0.0.5
keywords:
- analysis
- "anchore-policy-validator"
diff --git a/values.yaml b/values.yaml
index 413cfb7..c854604 100644
--- a/values.yaml
+++ b/values.yaml
@@ -5,7 +5,7 @@ apiService:
version: v1beta1
image:
repository: banzaicloud/anchore-image-validator
- tag: 0.0.4
+ tag: 0.0.5
pullPolicy: IfNotPresent
service:
name: anchoreimagecheck
From 859f40ffd891da8da2ae3a9f8018a3375ff17e46 Mon Sep 17 00:00:00 2001
From: Ferenc HERNADI
Date: Fri, 26 Oct 2018 11:16:08 +0200
Subject: [PATCH 19/66] Selector, Affinity, Tolerations added (#424)
---
Chart.yaml | 2 +-
templates/validator-deployment.yaml | 8 ++++++++
values.yaml | 12 ++++++++++++
3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/Chart.yaml b/Chart.yaml
index c355a87..325cda2 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
description: A Helm chart for Kubernetes
name: anchore-policy-validator
-version: 0.1.5
+version: 0.1.6
appVersion: 0.0.5
keywords:
- analysis
diff --git a/templates/validator-deployment.yaml b/templates/validator-deployment.yaml
index aecf710..fb629d8 100644
--- a/templates/validator-deployment.yaml
+++ b/templates/validator-deployment.yaml
@@ -55,3 +55,11 @@ spec:
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
+ {{- if .Values.tolerations }}
+ tolerations:
+{{ toYaml .Values.tolerations | indent 8 }}
+ {{- end }}
+ {{- if .Values.affinity }}
+ affinity:
+{{ toYaml .Values.affinity | indent 8 }}
+ {{- end }}
diff --git a/values.yaml b/values.yaml
index c854604..3a130b6 100644
--- a/values.yaml
+++ b/values.yaml
@@ -17,3 +17,15 @@ externalAnchore:
anchoreUser: ""
anchorePass: ""
resources: {}
+
+## Node selector
+## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+nodeSelector: {}
+
+## Affinity
+## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+affinity: {}
+
+## Tolerations
+## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+tolerations: []
From 7d1440b3231c935ec84f8d49b67b8f8fd13a851c Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Thu, 8 Nov 2018 13:46:40 +0100
Subject: [PATCH 20/66] Add pre and post delete helm hook (#452)
* add pre and post delete helm hook
* add release namespace in delete hooks
* in case of clusterroles remove unnecessary namespace in delete hook
---
Chart.yaml | 2 +-
templates/post-delete-job.yaml | 81 ++++++++++++++++++++++++++++++++++
templates/pre-delete-job.yaml | 50 +++++++++++++++++++++
3 files changed, 132 insertions(+), 1 deletion(-)
create mode 100644 templates/post-delete-job.yaml
create mode 100644 templates/pre-delete-job.yaml
diff --git a/Chart.yaml b/Chart.yaml
index 325cda2..381c50a 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
description: A Helm chart for Kubernetes
name: anchore-policy-validator
-version: 0.1.6
+version: 0.1.7
appVersion: 0.0.5
keywords:
- analysis
diff --git a/templates/post-delete-job.yaml b/templates/post-delete-job.yaml
new file mode 100644
index 0000000..453e61a
--- /dev/null
+++ b/templates/post-delete-job.yaml
@@ -0,0 +1,81 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: "{{ .Release.Name }}-post-delete"
+ labels:
+ app: {{ template "anchore-policy-validator.fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ component: validating-webhook
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+ template:
+ metadata:
+ labels:
+ app: {{ template "anchore-policy-validator.fullname" . }}
+ component: validating-webhook
+ spec:
+ serviceAccountName: {{ template "anchore-policy-validator.fullname" . }}-validator
+ restartPolicy: OnFailure
+ containers:
+ - name: delete-clusterrolebinding-init-ca
+ image: "lachlanevenson/k8s-kubectl"
+ command:
+ - kubectl
+ - delete
+ - clusterrolebinding.rbac.authorization.k8s.io
+ - extension-{{ template "anchore-policy-validator.fullname" . }}-init-ca-cluster
+ - name: delete-clusterrole
+ image: "lachlanevenson/k8s-kubectl"
+ command:
+ - kubectl
+ - delete
+ - clusterrole.rbac.authorization.k8s.io
+ - {{ template "anchore-policy-validator.fullname" . }}-init-ca-cluster
+ - name: delete-clusterrolebinding-validator
+ image: "lachlanevenson/k8s-kubectl"
+ command:
+ - kubectl
+ - delete
+ - clusterrolebinding.rbac.authorization.k8s.io
+ - {{ template "anchore-policy-validator.fullname" . }}-validator-binding
+ - name: delete-rolebinding-init-ca
+ image: "lachlanevenson/k8s-kubectl"
+ command:
+ - kubectl
+ - delete
+ - rolebindings.rbac.authorization.k8s.io
+ - extension-{{ template "anchore-policy-validator.fullname" . }}-init-ca-admin
+ - -n
+ - {{ .Release.Namespace }}
+ - name: delete-role-init-ca
+ image: "lachlanevenson/k8s-kubectl"
+ command:
+ - kubectl
+ - delete
+ - role
+ - {{ template "anchore-policy-validator.fullname" . }}-init-ca
+ - -n
+ - {{ .Release.Namespace }}
+ - name: delete-serviceaccount-init-ca
+ image: "lachlanevenson/k8s-kubectl"
+ command:
+ - kubectl
+ - delete
+ - serviceaccount
+ - {{ template "anchore-policy-validator.fullname" . }}-init-ca
+ - -n
+ - {{ .Release.Namespace }}
+ - name: delete-serviceaccount-validator
+ image: "lachlanevenson/k8s-kubectl"
+ command:
+ - kubectl
+ - delete
+ - serviceaccount
+ - {{ template "anchore-policy-validator.fullname" . }}-validator
+ - -n
+ - {{ .Release.Namespace }}
+
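Review bot: The seven kubectl containers in this Job's pod run concurrently, and the last one deletes the `-validator` service account the pod itself authenticates with, so sibling deletes still in flight can start failing once that account's token is invalidated. With `restartPolicy: OnFailure` the pod then cannot recover, and `hook-delete-policy: hook-succeeded` never fires, leaving the failed hook behind. Run the deletes in order from a single container (or as initContainers) with the service-account removal last; also, if the `-validator` account is a regular release resource it may already be gone by the time a post-delete hook runs — worth confirming. `image: "lachlanevenson/k8s-kubectl"` has no tag or digest, so every uninstall pulls whatever `latest` is at that moment into a pod holding cluster-scoped delete rights; pin it, e.g. `image: "lachlanevenson/k8s-kubectl:<pinned-tag placeholder>"`. The same untagged image is used throughout the pre-delete-job.yaml hunk below.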
diff --git a/templates/pre-delete-job.yaml b/templates/pre-delete-job.yaml
new file mode 100644
index 0000000..551d103
--- /dev/null
+++ b/templates/pre-delete-job.yaml
@@ -0,0 +1,50 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: "{{ .Release.Name }}-delete-validatingwebhook"
+ labels:
+ app: {{ template "anchore-policy-validator.fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ component: validating-webhook
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-weight": "1"
+ "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+ template:
+ metadata:
+ labels:
+ app: {{ template "anchore-policy-validator.fullname" . }}
+ component: validating-webhook
+ spec:
+ serviceAccountName: {{ template "anchore-policy-validator.fullname" . }}-validator
+ restartPolicy: OnFailure
+ containers:
+ - name: delete-validatingwebhook
+ image: "lachlanevenson/k8s-kubectl"
+ command:
+ - kubectl
+ - delete
+ - validatingwebhookconfigurations.admissionregistration.k8s.io
+ - {{ template "anchore-policy-validator.fullname" . }}.admission.anchore.io
+ - name: delete-init-ca-configmap
+ image: "lachlanevenson/k8s-kubectl"
+ command:
+ - kubectl
+ - delete
+ - configmap
+ - {{ .Release.Name }}-init-ca
+ - -n
+ - {{ .Release.Namespace }}
+ - name: delete-validatingwebhook-configmap
+ image: "lachlanevenson/k8s-kubectl"
+ command:
+ - kubectl
+ - delete
+ - configmap
+ - {{ .Release.Name }}-validatingwebhook
+ - -n
+ - {{ .Release.Namespace }}
+
From bae821217be78cc95860848dc4258fa70735b018 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Sat, 10 Nov 2018 18:17:34 +0100
Subject: [PATCH 21/66] refactor policyvalidator chart (#464)
---
Chart.yaml | 2 +-
README-dev.md | 19 ----
README.md | 5 -
templates/NOTES.txt | 1 -
templates/_helpers.tpl | 20 +++-
templates/apiservice-webhook.yaml | 63 +++++++++++
templates/default-policy-job.yaml | 3 -
templates/init-ca-configmap.yaml | 110 --------------------
templates/init-ca-job.yaml | 36 -------
templates/init-ca-rbac.yaml | 68 ------------
templates/post-delete-job.yaml | 81 --------------
templates/pre-delete-job.yaml | 50 ---------
templates/validating-webhook-configmap.yaml | 53 ----------
templates/validating-webhook-job.yaml | 37 -------
templates/validating-webhook-rbac.yaml | 24 -----
templates/validator-deployment.yaml | 9 +-
templates/validator-rbac.yaml | 2 +-
17 files changed, 88 insertions(+), 495 deletions(-)
delete mode 100755 README-dev.md
create mode 100644 templates/apiservice-webhook.yaml
delete mode 100644 templates/init-ca-configmap.yaml
delete mode 100644 templates/init-ca-job.yaml
delete mode 100644 templates/init-ca-rbac.yaml
delete mode 100644 templates/post-delete-job.yaml
delete mode 100644 templates/pre-delete-job.yaml
delete mode 100644 templates/validating-webhook-configmap.yaml
delete mode 100644 templates/validating-webhook-job.yaml
delete mode 100644 templates/validating-webhook-rbac.yaml
diff --git a/Chart.yaml b/Chart.yaml
index 381c50a..36a10e3 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
description: A Helm chart for Kubernetes
name: anchore-policy-validator
-version: 0.1.7
+version: 0.2.0
appVersion: 0.0.5
keywords:
- analysis
diff --git a/README-dev.md b/README-dev.md
deleted file mode 100755
index f4d888b..0000000
--- a/README-dev.md
+++ /dev/null
@@ -1,19 +0,0 @@
-# Dev helper
-
-Due to some resources create with specific deployment method (eg.: create via k8s job), resources has to be deleted manually.
-
-```bash
-export RELEASE_NAME=
-helm delete --purge ${RELEASE_NAME}
-kubectl delete role ${RELEASE_NAME}-anchore-policy-validator-init-ca
-kubectl delete rolebinding extension-${RELEASE_NAME}-anchore-policy-validator-init-ca-admin
-kubectl delete configmap ${RELEASE_NAME}-init-ca ${RELEASE_NAME}-default-policy ${RELEASE_NAME}-validatingwebhook
-kubectl delete jobs ${RELEASE_NAME}-init-ca ${RELEASE_NAME}-default-policy ${RELEASE_NAME}-create-validatingwebhook
-kubectl delete clusterrolebinding extension-${RELEASE_NAME}-anchore-policy-validator-init-ca-cluster
-kubectl delete clusterroles ${RELEASE_NAME}-anchore-policy-validator-init-ca-cluster
-kubectl delete validatingwebhookconfiguration ${RELEASE_NAME}-anchore-policy-validator.admission.anchore.io
-kubectl delete serviceaccount ${RELEASE_NAME}-anchore-policy-validator-init-ca
-kubectl delete apiservice v1beta1.admission.example.com
-kubectl delete clusterrolebinding ${RELEASE_NAME}-anchore-policy-validator-validator-binding
-kubectl delete serviceaccount ${RELEASE_NAME}-anchore-policy-validator-validator
-```
diff --git a/README.md b/README.md
index 3da094c..2ac6c5b 100644
--- a/README.md
+++ b/README.md
@@ -49,8 +49,3 @@ The following tables lists configurable parameters of the anchore-policy-validat
|externalAnchore.anchoreHost |external anchore-engine host |"" |
|externalAnchore.anchoreUser |external anchore-engine username |"" |
|externalAnchore.anchorePass |external anchore-engine password |"" |
-
-[Due to some resource create with jobs, these resources has to be deleted by manually.](README-dev.md)
-
-This chart based on:
-[Vic Iglesias' kubernetes-anchore-image-validator](https://github.com/viglesiasce/kubernetes-anchore-image-validator)
diff --git a/templates/NOTES.txt b/templates/NOTES.txt
index a922c2a..e69de29 100644
--- a/templates/NOTES.txt
+++ b/templates/NOTES.txt
@@ -1 +0,0 @@
-validatingwebhookConfigureation created :{{ template "anchore-policy-validator.fullname" . }}.admission.anchore.io
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 8002210..c120d6d 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -2,10 +2,6 @@
{{/*
Expand the name of the chart.
*/}}
-{{- define "anchore-policy-validator.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
{{- define "anchore-policy-validator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
@@ -13,8 +9,24 @@ Expand the name of the chart.
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
*/}}
{{- define "anchore-policy-validator.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "anchore-policy-validator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/templates/apiservice-webhook.yaml b/templates/apiservice-webhook.yaml
new file mode 100644
index 0000000..5d18102
--- /dev/null
+++ b/templates/apiservice-webhook.yaml
@@ -0,0 +1,63 @@
+{{ $ca := genCA "svc-cat-ca" 3650 }}
+{{ $cn := printf "%s-%s.%s.svc" .Release.Name .Chart.Name .Release.Namespace }}
+{{ $server := genSignedCert $cn nil nil 365 $ca }}
+
+apiVersion: v1
+kind: List
+metadata:
+items:
+
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ template "anchore-policy-validator.name" . }}
+ type: kubernetes.io/tls
+ data:
+ servingCert: {{ b64enc $server.Cert }}
+ servingKey: {{ b64enc $server.Key }}
+ caCert: {{ b64enc $ca.Cert }}
+
+- apiVersion: apiregistration.k8s.io/v1beta1
+ kind: APIService
+ metadata:
+ name: {{ .Values.apiService.version }}.{{ .Values.apiService.group }}
+ spec:
+ caBundle: {{ b64enc $ca.Cert }}
+ group: {{ .Values.apiService.group }}
+ groupPriorityMinimum: 1000
+ versionPriority: 15
+ service:
+ name: {{ template "anchore-policy-validator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ version: {{ .Values.apiService.version }}
+
+- apiVersion: admissionregistration.k8s.io/v1beta1
+ kind: ValidatingWebhookConfiguration
+ metadata:
+ name: {{ template "anchore-policy-validator.fullname" . }}.admission.anchore.io
+ annotations:
+ "helm.sh/hook": post-install
+ "helm.sh/hook-weight": "5"
+ webhooks:
+ - name: {{ template "anchore-policy-validator.fullname" . }}.admission.anchore.io
+ clientConfig:
+ service:
+ namespace: default
+ name: kubernetes
+ path: /apis/{{ .Values.apiService.group }}/v1beta1/imagechecks
+ caBundle: {{ b64enc $ca.Cert }}
+ rules:
+ - operations:
+ - CREATE
+ apiGroups:
+ - ""
+ apiVersions:
+ - "*"
+ resources:
+ - pods
+ failurePolicy: Fail
+ namespaceSelector:
+ matchExpressions:
+ - key: scan
+ operator: NotIn
+ values: [noscan]
\ No newline at end of file
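Review bot: The Secret is declared `type: kubernetes.io/tls` but carries `servingCert`/`servingKey`/`caCert` keys, and the API server requires `tls.crt` and `tls.key` for that type, so the object is rejected; either rename the keys (and the mount paths the deployment reads) or use `type: Opaque`. The certificate CN is built as `<release>-<chart>.<ns>.svc`, while the APIService targets `{{ template "anchore-policy-validator.fullname" . }}`, which resolves differently when `fullnameOverride` is set or the release name already contains the chart name, so the aggregator's hostname check would fail; derive it from the same helper, `{{ $cn := printf "%s.%s.svc" (include "anchore-policy-validator.fullname" .) .Release.Namespace }}`, and pass it as a SAN as well, `{{ $server := genSignedCert $cn nil (list $cn) 365 $ca }}`, since newer TLS stacks do not fall back to CN matching. `genCA`/`genSignedCert` also execute on every render, so each `helm upgrade` mints a new CA and caBundle; unless the Deployment's pods restart on the same upgrade, the served certificate and the registered caBundle diverge. The file also ends without a trailing newline.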
diff --git a/templates/default-policy-job.yaml b/templates/default-policy-job.yaml
index 68ffbd8..6cb3680 100644
--- a/templates/default-policy-job.yaml
+++ b/templates/default-policy-job.yaml
@@ -9,9 +9,6 @@ metadata:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
component: default-policy
- annotations:
- "helm.sh/hook": post-install
- "helm.sh/hook-delete-policy": hook-succeeded
spec:
template:
metadata:
diff --git a/templates/init-ca-configmap.yaml b/templates/init-ca-configmap.yaml
deleted file mode 100644
index c08efa5..0000000
--- a/templates/init-ca-configmap.yaml
+++ /dev/null
@@ -1,110 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{.Release.Name}}-init-ca
- labels:
- app: {{ template "anchore-policy-validator.fullname" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
- component: admission-server
- annotations:
- "helm.sh/hook": pre-install
- "helm.sh/hook-weight": "-5"
-data:
- init-ca.sh: |-
- #!/bin/bash -xe
- # Adapted from https://github.com/openshift/kubernetes-namespace-reservation/blob/master/hack/install-kube.sh
- apt-get update && apt-get install -y jq
-
- curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
- chmod +x ./kubectl
- mv ./kubectl /usr/bin
-
- # creates a client CA, args are sudo, dest-dir, ca-id, purpose
- # purpose is dropped in after "key encipherment", you usually want
- # '"client auth"'
- # '"server auth"'
- # '"client auth","server auth"'
- function kube::util::create_signing_certkey {
- local sudo=$1
- local dest_dir=$2
- local id=$3
- local purpose=$4
- # Create client ca
- ${sudo} /bin/bash -e < "${dest_dir}/${id}-ca-config.json"
- EOF
- }
-
- # signs a serving certificate: args are sudo, dest-dir, ca, filename (roughly), subject, hosts...
- function kube::util::create_serving_certkey {
- local sudo=$1
- local dest_dir=$2
- local ca=$3
- local id=$4
- local cn=${5:-$4}
- local hosts=""
- local SEP=""
- shift 5
- while [ -n "${1:-}" ]; do
- hosts+="${SEP}\"$1\""
- SEP=","
- shift 1
- done
- ${sudo} /bin/bash -e </dev/null || { echo "Please install jq (https://stedolan.github.io/jq/)."; exit 1; }
- which cfssljson &>/dev/null || { echo "Please install cfssljson (https://github.com/cloudflare/cfssl))."; exit 1; }
-
- # create necessary TLS certificates:
- # - a local CA key and cert
- # - a webhook server key and cert signed by the local CA
- rm -rf ./_output/
- CERT_DIR=_output/tmp/certs
- mkdir -p "${CERT_DIR}"
- kube::util::create_signing_certkey "" "${CERT_DIR}" serving '"server auth"'
-
- # create webhook server key and cert
- kube::util::create_serving_certkey "" "${CERT_DIR}" "serving-ca" {{ template "anchore-policy-validator.fullname" . }}.{{ .Release.Namespace }}.svc "{{ template "anchore-policy-validator.fullname" . }}.{{ .Release.Namespace }}.svc" "{{ template "anchore-policy-validator.fullname" . }}.{{ .Release.Namespace }}.svc"
-
- cat > secret.yaml < api-service.yaml < validatingwebhook.yaml <
Date: Mon, 12 Nov 2018 10:32:26 +0100
Subject: [PATCH 22/66] add additional information to image
---
templates/audit-crd.yaml | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/templates/audit-crd.yaml b/templates/audit-crd.yaml
index 877e783..6146426 100644
--- a/templates/audit-crd.yaml
+++ b/templates/audit-crd.yaml
@@ -28,7 +28,16 @@ spec:
image:
type: array
items:
- type: string
+ type: object
+ properties:
+ imageName:
+ type: string
+ imageTag:
+ type: string
+ imageDigest:
+ type: string
+ lastUpdated:
+ type: string
result:
type: array
items:
@@ -46,7 +55,7 @@ spec:
priority: 1
- name: Image
type: string
- JSONPath: .spec.image
+ JSONPath: .spec.image[*].imageName
priority: 2
- name: result
type: string
From 041f63cbeed821103efe29f3da1418a8a8efc4c9 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Mon, 12 Nov 2018 12:38:10 +0100
Subject: [PATCH 23/66] use image-validator version 0.1.0
---
Chart.yaml | 4 ++--
values.yaml | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index 36a10e3..edb72b9 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v1
description: A Helm chart for Kubernetes
name: anchore-policy-validator
-version: 0.2.0
-appVersion: 0.0.5
+version: 0.2.1
+appVersion: 0.1.0
keywords:
- analysis
- "anchore-policy-validator"
diff --git a/values.yaml b/values.yaml
index 3a130b6..808a619 100644
--- a/values.yaml
+++ b/values.yaml
@@ -5,7 +5,7 @@ apiService:
version: v1beta1
image:
repository: banzaicloud/anchore-image-validator
- tag: 0.0.5
+ tag: 0.1.0
pullPolicy: IfNotPresent
service:
name: anchoreimagecheck
From 1617b90cf683def2e0e4a53b27353c44fe07884e Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Fri, 30 Nov 2018 15:01:38 +0100
Subject: [PATCH 24/66] bump image-validator version, add taints and
tolerations (#529)
---
Chart.yaml | 4 ++--
templates/default-policy-job.yaml | 12 ++++++++++++
templates/whitelist-crd.yaml | 2 +-
values.yaml | 2 +-
4 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index edb72b9..3ca01ca 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v1
description: A Helm chart for Kubernetes
name: anchore-policy-validator
-version: 0.2.1
-appVersion: 0.1.0
+version: 0.2.2
+appVersion: 0.1.1
keywords:
- analysis
- "anchore-policy-validator"
diff --git a/templates/default-policy-job.yaml b/templates/default-policy-job.yaml
index 6cb3680..4f3c6f5 100644
--- a/templates/default-policy-job.yaml
+++ b/templates/default-policy-job.yaml
@@ -44,3 +44,15 @@ spec:
anchore-cli policy add /policy/reject-critical.json
anchore-cli policy add /policy/block-root.json
anchore-cli policy activate 97b33e2c-3b57-4a3f-a12b-a8c0daa472a0
+ {{- if .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+ {{- end }}
+ {{- if .Values.tolerations }}
+ tolerations:
+{{ toYaml .Values.tolerations | indent 8 }}
+ {{- end }}
+ {{- if .Values.affinity }}
+ affinity:
+{{ toYaml .Values.affinity | indent 8 }}
+ {{- end }}
\ No newline at end of file
diff --git a/templates/whitelist-crd.yaml b/templates/whitelist-crd.yaml
index 18658f9..60fc188 100644
--- a/templates/whitelist-crd.yaml
+++ b/templates/whitelist-crd.yaml
@@ -27,7 +27,7 @@ spec:
additionalPrinterColumns:
- name: Reason
type: string
- JSONPath: .spec.readson
+ JSONPath: .spec.reason
priority: 1
- name: Creator
type: string
diff --git a/values.yaml b/values.yaml
index 808a619..9f4d7fd 100644
--- a/values.yaml
+++ b/values.yaml
@@ -5,7 +5,7 @@ apiService:
version: v1beta1
image:
repository: banzaicloud/anchore-image-validator
- tag: 0.1.0
+ tag: 0.1.1
pullPolicy: IfNotPresent
service:
name: anchoreimagecheck
From 149a7583abcd19f4cccd34cf20d4a9d122da8c37 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Tue, 4 Dec 2018 14:57:23 +0100
Subject: [PATCH 25/66] delete default anchore policy bundle (#554)
---
Chart.yaml | 2 +-
templates/default-policy-job.yaml | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/Chart.yaml b/Chart.yaml
index 3ca01ca..f43261b 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
description: A Helm chart for Kubernetes
name: anchore-policy-validator
-version: 0.2.2
+version: 0.2.3
appVersion: 0.1.1
keywords:
- analysis
diff --git a/templates/default-policy-job.yaml b/templates/default-policy-job.yaml
index 4f3c6f5..2bdda5c 100644
--- a/templates/default-policy-job.yaml
+++ b/templates/default-policy-job.yaml
@@ -44,6 +44,7 @@ spec:
anchore-cli policy add /policy/reject-critical.json
anchore-cli policy add /policy/block-root.json
anchore-cli policy activate 97b33e2c-3b57-4a3f-a12b-a8c0daa472a0
+ anchore-cli policy del 2c53a13c-1765-11e8-82ef-23527761d060
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
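Review bot: `anchore-cli policy del 2c53a13c-1765-11e8-82ef-23527761d060` is unconditional; if that bundle is absent (an engine already cleaned, or a re-run of the Job) the command fails, and with the script's `set -e` (set earlier in this file, outside the hunk) the Job fails after the chart's own bundles were already activated. Guard it, e.g. `anchore-cli policy get 2c53a13c-1765-11e8-82ef-23527761d060 >/dev/null 2>&1 && anchore-cli policy del 2c53a13c-1765-11e8-82ef-23527761d060`, and add a comment stating what this id is (presumably the engine's built-in default bundle — confirm). The script begins above the hunk.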
From e4ca0d723b0bb7e79acb06c53b9ba1c111e01a36 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Tue, 4 Dec 2018 19:18:42 +0100
Subject: [PATCH 26/66] add whitelist regexp
---
Chart.yaml | 4 ++--
templates/whitelist-crd.yaml | 2 ++
values.yaml | 2 +-
3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index f43261b..55fc190 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v1
description: A Helm chart for Kubernetes
name: anchore-policy-validator
-version: 0.2.3
-appVersion: 0.1.1
+version: 0.2.4
+appVersion: 0.1.2
keywords:
- analysis
- "anchore-policy-validator"
diff --git a/templates/whitelist-crd.yaml b/templates/whitelist-crd.yaml
index 60fc188..a167db3 100644
--- a/templates/whitelist-crd.yaml
+++ b/templates/whitelist-crd.yaml
@@ -24,6 +24,8 @@ spec:
type: string
creator:
type: string
+ regexp:
+ type: string
additionalPrinterColumns:
- name: Reason
type: string
diff --git a/values.yaml b/values.yaml
index 9f4d7fd..b95793e 100644
--- a/values.yaml
+++ b/values.yaml
@@ -5,7 +5,7 @@ apiService:
version: v1beta1
image:
repository: banzaicloud/anchore-image-validator
- tag: 0.1.1
+ tag: 0.1.2
pullPolicy: IfNotPresent
service:
name: anchoreimagecheck
From b6128603c136b5dc043d09007bc7e69b4144ba25 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Thu, 6 Dec 2018 10:17:39 +0100
Subject: [PATCH 27/66] bump anchore-image-validator version (#561)
---
Chart.yaml | 4 ++--
values.yaml | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index 55fc190..ccdb1c0 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v1
description: A Helm chart for Kubernetes
name: anchore-policy-validator
-version: 0.2.4
-appVersion: 0.1.2
+version: 0.2.5
+appVersion: 0.2.0
keywords:
- analysis
- "anchore-policy-validator"
diff --git a/values.yaml b/values.yaml
index b95793e..6fbc1c2 100644
--- a/values.yaml
+++ b/values.yaml
@@ -5,7 +5,7 @@ apiService:
version: v1beta1
image:
repository: banzaicloud/anchore-image-validator
- tag: 0.1.2
+ tag: 0.2.0
pullPolicy: IfNotPresent
service:
name: anchoreimagecheck
From 4d71314c8a24be5be86157ee41f3e9e19bc1c8c8 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Tue, 11 Dec 2018 15:22:54 +0100
Subject: [PATCH 28/66] ValidatingWebhookConfiguration is created by
image-validator (#568)
---
Chart.yaml | 4 ++--
templates/apiservice-webhook.yaml | 31 -----------------------------
templates/validator-deployment.yaml | 8 ++++++++
values.yaml | 2 +-
4 files changed, 11 insertions(+), 34 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index ccdb1c0..8011f32 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v1
description: A Helm chart for Kubernetes
name: anchore-policy-validator
-version: 0.2.5
-appVersion: 0.2.0
+version: 0.3.0
+appVersion: 0.3.0
keywords:
- analysis
- "anchore-policy-validator"
diff --git a/templates/apiservice-webhook.yaml b/templates/apiservice-webhook.yaml
index 5d18102..823f832 100644
--- a/templates/apiservice-webhook.yaml
+++ b/templates/apiservice-webhook.yaml
@@ -30,34 +30,3 @@ items:
name: {{ template "anchore-policy-validator.fullname" . }}
namespace: {{ .Release.Namespace }}
version: {{ .Values.apiService.version }}
-
-- apiVersion: admissionregistration.k8s.io/v1beta1
- kind: ValidatingWebhookConfiguration
- metadata:
- name: {{ template "anchore-policy-validator.fullname" . }}.admission.anchore.io
- annotations:
- "helm.sh/hook": post-install
- "helm.sh/hook-weight": "5"
- webhooks:
- - name: {{ template "anchore-policy-validator.fullname" . }}.admission.anchore.io
- clientConfig:
- service:
- namespace: default
- name: kubernetes
- path: /apis/{{ .Values.apiService.group }}/v1beta1/imagechecks
- caBundle: {{ b64enc $ca.Cert }}
- rules:
- - operations:
- - CREATE
- apiGroups:
- - ""
- apiVersions:
- - "*"
- resources:
- - pods
- failurePolicy: Fail
- namespaceSelector:
- matchExpressions:
- - key: scan
- operator: NotIn
- values: [noscan]
\ No newline at end of file
diff --git a/templates/validator-deployment.yaml b/templates/validator-deployment.yaml
index 916ec8f..af191c8 100644
--- a/templates/validator-deployment.yaml
+++ b/templates/validator-deployment.yaml
@@ -33,6 +33,14 @@ spec:
- "--tls-private-key-file=/var/serving-cert/servingKey"
- "--v={{ .Values.logVerbosity }}"
env:
+ - name: KUBERNETES_NAMESPACE
+ value: {{ .Release.Namespace }}
+ - name: ANCHORE_APISERVICE_GROUP
+ value: {{ .Values.apiService.group }}
+ - name: ANCHORE_APISERVICE_VERSION
+ value: {{ .Values.apiService.version }}
+ - name: ANCHORE_RELEASE_NAME
+ value: {{ template "anchore-policy-validator.name" . }}
- name: ANCHORE_ENGINE_USERNAME
value: {{ .Values.externalAnchore.anchoreUser }}
- name: ANCHORE_ENGINE_PASSWORD
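Review bot: The four new env entries emit template output as plain scalars (`value: {{ .Release.Namespace }}` and the three below it), so any expansion that YAML types as a number or boolean is rejected by the API server, which requires a string for an env `value`, and an empty expansion silently becomes null. Quote each one, e.g. `value: "{{ .Release.Namespace }}"`, `value: "{{ .Values.apiService.group }}"`, `value: "{{ .Values.apiService.version }}"`, and likewise the `ANCHORE_RELEASE_NAME` line. The `WEBHOOK_SELECTOR` value added to this file later in the series has the same shape. The env list continues outside the hunk.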
diff --git a/values.yaml b/values.yaml
index 6fbc1c2..10db8ac 100644
--- a/values.yaml
+++ b/values.yaml
@@ -5,7 +5,7 @@ apiService:
version: v1beta1
image:
repository: banzaicloud/anchore-image-validator
- tag: 0.2.0
+ tag: 0.3.0
pullPolicy: IfNotPresent
service:
name: anchoreimagecheck
From 806d20dcdbef8e9e0ec0a0dcd051ff71106673de Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Tue, 18 Dec 2018 14:54:59 +0100
Subject: [PATCH 29/66] use fullname in case of secret name and job (#579)
---
Chart.yaml | 2 +-
templates/apiservice-webhook.yaml | 2 +-
templates/default-policy-job.yaml | 2 +-
templates/validator-deployment.yaml | 4 ++--
4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index 8011f32..ade9f49 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
description: A Helm chart for Kubernetes
name: anchore-policy-validator
-version: 0.3.0
+version: 0.3.1
appVersion: 0.3.0
keywords:
- analysis
diff --git a/templates/apiservice-webhook.yaml b/templates/apiservice-webhook.yaml
index 823f832..9825601 100644
--- a/templates/apiservice-webhook.yaml
+++ b/templates/apiservice-webhook.yaml
@@ -10,7 +10,7 @@ items:
- apiVersion: v1
kind: Secret
metadata:
- name: {{ template "anchore-policy-validator.name" . }}
+ name: {{ template "anchore-policy-validator.fullname" . }}
type: kubernetes.io/tls
data:
servingCert: {{ b64enc $server.Cert }}
diff --git a/templates/default-policy-job.yaml b/templates/default-policy-job.yaml
index 2bdda5c..173a252 100644
--- a/templates/default-policy-job.yaml
+++ b/templates/default-policy-job.yaml
@@ -2,7 +2,7 @@
apiVersion: batch/v1
kind: Job
metadata:
- name: "{{ .Release.Name }}-default-policy"
+ name: "{{ template "anchore-policy-validator.fullname" . }}-default-policy"
labels:
app: {{ template "anchore-policy-validator.fullname" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
diff --git a/templates/validator-deployment.yaml b/templates/validator-deployment.yaml
index af191c8..0a24e3c 100644
--- a/templates/validator-deployment.yaml
+++ b/templates/validator-deployment.yaml
@@ -21,7 +21,7 @@ spec:
- name: serving-cert
secret:
defaultMode: 420
- secretName: {{ template "anchore-policy-validator.name" . }}
+ secretName: {{ template "anchore-policy-validator.fullname" . }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -40,7 +40,7 @@ spec:
- name: ANCHORE_APISERVICE_VERSION
value: {{ .Values.apiService.version }}
- name: ANCHORE_RELEASE_NAME
- value: {{ template "anchore-policy-validator.name" . }}
+ value: {{ template "anchore-policy-validator.fullname" . }}
- name: ANCHORE_ENGINE_USERNAME
value: {{ .Values.externalAnchore.anchoreUser }}
- name: ANCHORE_ENGINE_PASSWORD
From c9619d66f5be37c0c5e62fd3e4958d8eeb49fe56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=90ry=2C=20M=C3=A1t=C3=A9?=
Date: Wed, 19 Dec 2018 16:13:34 +0100
Subject: [PATCH 30/66] add maintainers to all charts' metadata (#580)
* add maintainers to all charts
* Update Chart.yaml
---
Chart.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index ade9f49..6084832 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
-description: A Helm chart for Kubernetes
+description: A Helm chart for anchore-policy-validator admission controller
name: anchore-policy-validator
-version: 0.3.1
+version: 0.3.2
appVersion: 0.3.0
keywords:
- analysis
From 878c39fa82b2a3da3df5d0775064b2b0a794450c Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Mon, 7 Jan 2019 11:53:25 +0100
Subject: [PATCH 31/66] fix anchore-policy-validator README
---
README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 2ac6c5b..0c15866 100644
--- a/README.md
+++ b/README.md
@@ -39,8 +39,8 @@ The following tables lists configurable parameters of the anchore-policy-validat
|logVerbosity |log verbosity level |8 |
|apiService.group |group of registered api service |admission.anchore.io |
|apiService.version |version of registered api service |v1beta1 |
-|image.repository |admission-server image repo |viglesiasce/anchore-image-admission-server|
-|image.tag |admission-server image tag |latest |
+|image.repository |admission-server image repo |banzaicloud/anchore-image-validator |
+|image.tag |admission-server image tag |0.3.0 |
|image.pullPolicy |admission-server image pull policy |IfNotPresent |
|service.name |validation sevice name |anchoreimagecheck |
|service.type |validation service type |ClusterIP |
From a1d267e1e0bbaba29c56dc247b1be31528ce018e Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Sat, 12 Jan 2019 19:39:17 +0100
Subject: [PATCH 32/66] add unauthenticated discovery binding
---
Chart.yaml | 2 +-
templates/validator-rbac.yaml | 13 +++++++++++++
values.yaml | 2 +-
3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index 6084832..f2bd948 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
description: A Helm chart for anchore-policy-validator admission controller
name: anchore-policy-validator
-version: 0.3.2
+version: 0.3.3
appVersion: 0.3.0
keywords:
- analysis
diff --git a/templates/validator-rbac.yaml b/templates/validator-rbac.yaml
index 62897a4..a8cb313 100644
--- a/templates/validator-rbac.yaml
+++ b/templates/validator-rbac.yaml
@@ -70,3 +70,16 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "anchore-policy-validator.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: anchore-unauth-discovery
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:discovery
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: system:unauthenticated
\ No newline at end of file
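Review bot: The new ClusterRoleBinding grants `system:discovery` to the `system:unauthenticated` group cluster-wide, so anonymous callers can enumerate API groups and resources on every cluster this chart is installed into, including clusters whose operators deliberately removed that default binding. The commit message does not say why it is needed; if it exists so the aggregation layer can discover the extension API, document that in a comment above the resource and gate the resource behind a chart value that defaults to false, otherwise bind to `system:authenticated` or to the specific subject that needs discovery. The name `anchore-unauth-discovery` is also not release-scoped, so a second release of the chart collides with the first; use `name: {{ template "anchore-policy-validator.fullname" . }}-unauth-discovery`.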
diff --git a/values.yaml b/values.yaml
index 10db8ac..5106c1e 100644
--- a/values.yaml
+++ b/values.yaml
@@ -1,5 +1,5 @@
replicaCount: 1
-logVerbosity: 8
+logVerbosity: 1
apiService:
group: admission.anchore.io
version: v1beta1
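Review bot: The `logVerbosity` default drops from 8 to 1 here, but the README parameter table (last touched in the preceding patch) still documents `8` as the default. Update that row in the same change so the documented and shipped defaults agree.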
From aff4d9e96fb071a661095fce775ee174f53cd85a Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Mon, 25 Feb 2019 13:28:28 +0100
Subject: [PATCH 33/66] images without setcap
---
Chart.yaml | 4 ++--
values.yaml | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index f2bd948..e2f3aba 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v1
description: A Helm chart for anchore-policy-validator admission controller
name: anchore-policy-validator
-version: 0.3.3
-appVersion: 0.3.0
+version: 0.3.4
+appVersion: 0.3.1
keywords:
- analysis
- "anchore-policy-validator"
diff --git a/values.yaml b/values.yaml
index 5106c1e..654590a 100644
--- a/values.yaml
+++ b/values.yaml
@@ -5,7 +5,7 @@ apiService:
version: v1beta1
image:
repository: banzaicloud/anchore-image-validator
- tag: 0.3.0
+ tag: 0.3.1
pullPolicy: IfNotPresent
service:
name: anchoreimagecheck
From d0954fd2768cd9345cb11422078eac91362f5c23 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Thu, 7 Mar 2019 10:34:29 +0100
Subject: [PATCH 34/66] use unprivileged internalPort (#696)
---
Chart.yaml | 4 ++--
templates/validator-deployment.yaml | 4 ++++
values.yaml | 4 ++--
3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index e2f3aba..757c308 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v1
description: A Helm chart for anchore-policy-validator admission controller
name: anchore-policy-validator
-version: 0.3.4
-appVersion: 0.3.1
+version: 0.3.5
+appVersion: 0.3.2
keywords:
- analysis
- "anchore-policy-validator"
diff --git a/templates/validator-deployment.yaml b/templates/validator-deployment.yaml
index 0a24e3c..6023ee9 100644
--- a/templates/validator-deployment.yaml
+++ b/templates/validator-deployment.yaml
@@ -32,6 +32,7 @@ spec:
- "--tls-cert-file=/var/serving-cert/servingCert"
- "--tls-private-key-file=/var/serving-cert/servingKey"
- "--v={{ .Values.logVerbosity }}"
+ - "--secure-port={{ .Values.service.internalPort }}"
env:
- name: KUBERNETES_NAMESPACE
value: {{ .Release.Namespace }}
@@ -47,6 +48,9 @@ spec:
value: {{ .Values.externalAnchore.anchorePass }}
- name: ANCHORE_ENGINE_URL
value: {{ .Values.externalAnchore.anchoreHost }}
+ securityContext:
+ runAsUser: 65534
+ allowPrivilegeEscalation: false
ports:
- containerPort: {{ .Values.service.internalPort }}
livenessProbe:
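Review bot: The new container `securityContext` pins the UID but does not drop capabilities or assert non-root, and since this same commit moves the listener to the unprivileged port 8443 the container no longer needs `NET_BIND_SERVICE`. Add `runAsNonRoot: true` and `capabilities: {drop: [ALL]}` next to `runAsUser: 65534` so the kubelet enforces the non-root requirement even if the image's user changes and the process starts with an empty capability set.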
diff --git a/values.yaml b/values.yaml
index 654590a..706469f 100644
--- a/values.yaml
+++ b/values.yaml
@@ -5,13 +5,13 @@ apiService:
version: v1beta1
image:
repository: banzaicloud/anchore-image-validator
- tag: 0.3.1
+ tag: 0.3.2
pullPolicy: IfNotPresent
service:
name: anchoreimagecheck
type: ClusterIP
externalPort: 443
- internalPort: 443
+ internalPort: 8443
externalAnchore:
anchoreHost: ""
anchoreUser: ""
From 505becac13a88c522101fdcbe6b299d245837624 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Fri, 12 Apr 2019 09:12:13 +0200
Subject: [PATCH 35/66] add psp
---
templates/validator-deployment.yaml | 4 ++-
templates/validator-psp.yaml | 53 +++++++++++++++++++++++++++++
2 files changed, 56 insertions(+), 1 deletion(-)
create mode 100644 templates/validator-psp.yaml
diff --git a/templates/validator-deployment.yaml b/templates/validator-deployment.yaml
index 6023ee9..800acd2 100644
--- a/templates/validator-deployment.yaml
+++ b/templates/validator-deployment.yaml
@@ -49,8 +49,10 @@ spec:
- name: ANCHORE_ENGINE_URL
value: {{ .Values.externalAnchore.anchoreHost }}
securityContext:
- runAsUser: 65534
+ readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
+ runAsUser: 65534
+ fsGroup: 65534
ports:
- containerPort: {{ .Values.service.internalPort }}
livenessProbe:
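Review bot: `fsGroup: 65534` is a pod-level (`PodSecurityContext`) field, but this block is the container's `securityContext` (a sibling of `env:` and `ports:`), where the field is not defined; the API server drops unknown fields silently, so the intended group is never applied to the mounted volumes. Move it to `spec.template.spec.securityContext`, which is outside this hunk, and keep `readOnlyRootFilesystem`, `allowPrivilegeEscalation` and `runAsUser` on the container.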
diff --git a/templates/validator-psp.yaml b/templates/validator-psp.yaml
new file mode 100644
index 0000000..91bd4a9
--- /dev/null
+++ b/templates/validator-psp.yaml
@@ -0,0 +1,53 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ creationTimestamp: null
+ name: psp.imagevalidator
+spec:
+ readOnlyRootFilesystem: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ runAsUser:
+ rule: MustRunAsNonRoot
+ fsGroup:
+ rule: MustRunAs
+ ranges:
+ - min: 1
+ max: 65535
+ supplementalGroups:
+ rule: MustRunAs
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: RunAsAny
+ volumes:
+ - secret
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: psp:{{ template "anchore-policy-validator.fullname" . }}
+roleRef:
+ kind: Role
+ apiGroup: rbac.authorization.k8s.io
+ name: psp:{{ template "anchore-policy-validator.fullname" . }}
+subjects:
+- kind: ServiceAccount
+ namespace: {{ .Release.Namespace }}
+ name: {{ template "anchore-policy-validator.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: psp:{{ template "anchore-policy-validator.fullname" . }}
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - psp.imagevalidator
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
\ No newline at end of file
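Review bot: The PodSecurityPolicy name `psp.imagevalidator` is cluster-scoped and fixed, so a second release of this chart tries to create the same object and the Role's `resourceNames` entry ties each release to one shared policy; derive it from the release, e.g. `name: psp:{{ template "anchore-policy-validator.fullname" . }}`, and use the same expression in `resourceNames`. `creationTimestamp: null` is `kubectl get -o yaml` residue and should be removed. The policy also sets no `requiredDropCapabilities`; since the validator runs as a non-root user on an unprivileged port, `requiredDropCapabilities: [ALL]` closes that gap. The trailing `---` at end of file yields an empty trailing document.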
From 956cf1496434df536bcee0112dab88677659a7b6 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Tue, 16 Apr 2019 10:10:17 +0200
Subject: [PATCH 36/66] use emptydir for /tmp
---
Chart.yaml | 4 ++--
templates/validator-deployment.yaml | 9 ++++-----
templates/validator-psp.yaml | 4 +++-
values.yaml | 4 +++-
4 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index 757c308..72bcd58 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v1
description: A Helm chart for anchore-policy-validator admission controller
name: anchore-policy-validator
-version: 0.3.5
-appVersion: 0.3.2
+version: 0.4.0
+appVersion: 0.3.3
keywords:
- analysis
- "anchore-policy-validator"
diff --git a/templates/validator-deployment.yaml b/templates/validator-deployment.yaml
index 800acd2..6977275 100644
--- a/templates/validator-deployment.yaml
+++ b/templates/validator-deployment.yaml
@@ -22,6 +22,8 @@ spec:
secret:
defaultMode: 420
secretName: {{ template "anchore-policy-validator.fullname" . }}
+ - name: tmp
+ emptyDir: {}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -60,14 +62,11 @@ spec:
path: /healthz
port: {{ .Values.service.internalPort }}
scheme: HTTPS
- readinessProbe:
- httpGet:
- path: /healthz
- port: {{ .Values.service.internalPort }}
- scheme: HTTPS
volumeMounts:
- mountPath: /var/serving-cert
name: serving-cert
+ - mountPath: /tmp
+ name: tmp
resources:
{{ toYaml .Values.resources | indent 12 }}
{{- if .Values.nodeSelector }}
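Review bot: The `readinessProbe` is removed here without explanation; the commit message covers only the `/tmp` emptyDir, and the remaining `livenessProbe` does not keep a starting pod out of the Service endpoints. If the validator registers its webhook with a failing failure policy, a restarting replica can then reject pod creations while it is still coming up. Reinstate the probe (the same `httpGet` on `/healthz` over HTTPS that the liveness probe uses) or state in the commit why it had to go.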
diff --git a/templates/validator-psp.yaml b/templates/validator-psp.yaml
index 91bd4a9..8128520 100644
--- a/templates/validator-psp.yaml
+++ b/templates/validator-psp.yaml
@@ -1,3 +1,4 @@
+{{- if and .Values.pspEnabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
@@ -23,6 +24,7 @@ spec:
rule: RunAsAny
volumes:
- secret
+ - emptyDir
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
@@ -50,4 +52,4 @@ rules:
- podsecuritypolicies
verbs:
- use
----
\ No newline at end of file
+{{- end }}
\ No newline at end of file
diff --git a/values.yaml b/values.yaml
index 706469f..28307d6 100644
--- a/values.yaml
+++ b/values.yaml
@@ -5,7 +5,7 @@ apiService:
version: v1beta1
image:
repository: banzaicloud/anchore-image-validator
- tag: 0.3.2
+ tag: 0.3.3
pullPolicy: IfNotPresent
service:
name: anchoreimagecheck
@@ -29,3 +29,5 @@ affinity: {}
## Tolerations
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
+
+pspEnabled: false
From 25f66cdfbc6a8205aafea28bb247c904caacf98c Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Tue, 16 Apr 2019 10:13:46 +0200
Subject: [PATCH 37/66] update readme
---
README.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 0c15866..fffa6ba 100644
--- a/README.md
+++ b/README.md
@@ -49,3 +49,4 @@ The following tables lists configurable parameters of the anchore-policy-validat
|externalAnchore.anchoreHost |external anchore-engine host |"" |
|externalAnchore.anchoreUser |external anchore-engine username |"" |
|externalAnchore.anchorePass |external anchore-engine password |"" |
+|pspEnabled |add PSP resources if enabled |false |
\ No newline at end of file
From 6d35b86e710c1d7fc46fa4ca5c0388386b14b7e0 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Tue, 16 Apr 2019 14:57:45 +0200
Subject: [PATCH 38/66] minor fixes
---
templates/validator-psp.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/templates/validator-psp.yaml b/templates/validator-psp.yaml
index 8128520..8678c1b 100644
--- a/templates/validator-psp.yaml
+++ b/templates/validator-psp.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.pspEnabled }}
+{{- if .Values.pspEnabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
@@ -52,4 +52,4 @@ rules:
- podsecuritypolicies
verbs:
- use
-{{- end }}
\ No newline at end of file
+{{- end }}
From 3ca83649fa0aa28720fa813e43243dea2ecebbbb Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Tue, 16 Apr 2019 22:00:05 +0200
Subject: [PATCH 39/66] refactor psp
---
templates/default-policy-job.yaml | 5 ++++-
templates/validator-deployment.yaml | 2 ++
templates/validator-psp.yaml | 31 ++------------------------
templates/validator-rbac.yaml | 34 ++++++++++++++++++++++++++++-
values.yaml | 5 ++++-
5 files changed, 45 insertions(+), 32 deletions(-)
diff --git a/templates/default-policy-job.yaml b/templates/default-policy-job.yaml
index 173a252..e471bf1 100644
--- a/templates/default-policy-job.yaml
+++ b/templates/default-policy-job.yaml
@@ -15,6 +15,9 @@ spec:
labels:
app: {{ template "anchore-policy-validator.fullname" . }}-default-policy
spec:
+ {{- if .Values.rbac.enabled }}
+ serviceAccountName: {{ template "anchore-policy-validator.fullname" . }}
+ {{- end }}
restartPolicy: OnFailure
volumes:
- name: default-policy
@@ -56,4 +59,4 @@ spec:
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
- {{- end }}
\ No newline at end of file
+ {{- end }}
diff --git a/templates/validator-deployment.yaml b/templates/validator-deployment.yaml
index 6977275..664ce33 100644
--- a/templates/validator-deployment.yaml
+++ b/templates/validator-deployment.yaml
@@ -16,7 +16,9 @@ spec:
app: {{ template "anchore-policy-validator.name" . }}
release: {{ .Release.Name }}
spec:
+ {{- if .Values.rbac.enabled }}
serviceAccountName: {{ template "anchore-policy-validator.fullname" . }}
+ {{- end }}
volumes:
- name: serving-cert
secret:
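Review bot: With `rbac.enabled: false` the `serviceAccountName` line is now omitted, so the pod runs under the namespace's default service account with none of the chart's bindings, and if the validator still registers its ValidatingWebhookConfiguration and reads cluster resources at startup (as the earlier patch subject says it does), that install is non-functional on any cluster with RBAC authorization enabled. Add a comment next to the value in values.yaml, e.g. `# Set to false only on clusters without RBAC authorization; the validator needs the chart's bindings to register its webhook.` The same conditional is added to default-policy-job.yaml in this commit.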
diff --git a/templates/validator-psp.yaml b/templates/validator-psp.yaml
index 8678c1b..5596d62 100644
--- a/templates/validator-psp.yaml
+++ b/templates/validator-psp.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.pspEnabled }}
+{{ if and .Values.rbac.enabled .Values.rbac.psp.enabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
@@ -25,31 +25,4 @@ spec:
volumes:
- secret
- emptyDir
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: psp:{{ template "anchore-policy-validator.fullname" . }}
-roleRef:
- kind: Role
- apiGroup: rbac.authorization.k8s.io
- name: psp:{{ template "anchore-policy-validator.fullname" . }}
-subjects:
-- kind: ServiceAccount
- namespace: {{ .Release.Namespace }}
- name: {{ template "anchore-policy-validator.fullname" . }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: psp:{{ template "anchore-policy-validator.fullname" . }}
-rules:
-- apiGroups:
- - policy
- resourceNames:
- - psp.imagevalidator
- resources:
- - podsecuritypolicies
- verbs:
- - use
-{{- end }}
+{{ end }}
diff --git a/templates/validator-rbac.yaml b/templates/validator-rbac.yaml
index a8cb313..db2eb22 100644
--- a/templates/validator-rbac.yaml
+++ b/templates/validator-rbac.yaml
@@ -1,3 +1,4 @@
+{{ if .Values.rbac.enabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
@@ -82,4 +83,35 @@ roleRef:
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
- name: system:unauthenticated
\ No newline at end of file
+ name: system:unauthenticated
+
+{{ if .Values.rbac.psp.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: psp:{{ template "anchore-policy-validator.fullname" . }}
+roleRef:
+ kind: Role
+ apiGroup: rbac.authorization.k8s.io
+ name: psp:{{ template "anchore-policy-validator.fullname" . }}
+subjects:
+- kind: ServiceAccount
+ namespace: {{ .Release.Namespace }}
+ name: {{ template "anchore-policy-validator.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: psp:{{ template "anchore-policy-validator.fullname" . }}
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - psp.imagevalidator
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+{{ end }}
+{{ end }}
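Review bot: The two bare `{{ end }}` lines close different conditionals (`rbac.psp.enabled` on the first, then the file-level `rbac.enabled`), which is easy to misread when the file grows; tag them, e.g. `{{ end }}{{/* rbac.psp.enabled */}}` and `{{ end }}{{/* rbac.enabled */}}`. The opening `{{ if .Values.rbac.psp.enabled }}` without a trim marker also emits a blank line before the `---`, which is harmless but inconsistent with the `{{- if` style used in the deployment template.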
diff --git a/values.yaml b/values.yaml
index 28307d6..cdad925 100644
--- a/values.yaml
+++ b/values.yaml
@@ -30,4 +30,7 @@ affinity: {}
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
-pspEnabled: false
+rbac:
+ enabled: true
+ psp:
+ enabled: false
From bd19a7d78fc2c30135f6f10f588b64530958d2d0 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Thu, 18 Apr 2019 19:42:42 +0200
Subject: [PATCH 40/66] remove namespacereservation realted binding
---
templates/validator-rbac.yaml | 13 -------------
1 file changed, 13 deletions(-)
diff --git a/templates/validator-rbac.yaml b/templates/validator-rbac.yaml
index db2eb22..16bd474 100644
--- a/templates/validator-rbac.yaml
+++ b/templates/validator-rbac.yaml
@@ -47,19 +47,6 @@ rules:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ template "anchore-policy-validator.fullname" . }}-default
-roleRef:
- kind: ClusterRole
- apiGroup: rbac.authorization.k8s.io
- name: namespace-reservation-{{ template "anchore-policy-validator.fullname" . }}
-subjects:
-- kind: ServiceAccount
- namespace: {{ .Release.Namespace }}
- name: {{ template "anchore-policy-validator.fullname" . }}
----
-apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
namespace: kube-system
From 7ec09148bfaa3e4042a93e796d6990273c98a42a Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Mon, 22 Apr 2019 14:15:51 +0200
Subject: [PATCH 41/66] add seccomp
---
templates/validator-psp.yaml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/templates/validator-psp.yaml b/templates/validator-psp.yaml
index 5596d62..75ec360 100644
--- a/templates/validator-psp.yaml
+++ b/templates/validator-psp.yaml
@@ -4,6 +4,9 @@ kind: PodSecurityPolicy
metadata:
creationTimestamp: null
name: psp.imagevalidator
+ annotations:
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
spec:
readOnlyRootFilesystem: true
privileged: false
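Review bot: Both new seccomp annotations use the `docker/default` profile name, which Kubernetes deprecated in favour of the runtime-neutral `runtime/default`. Use `'runtime/default'` in `defaultProfileName` and `allowedProfileNames` so the policy keeps applying on clusters whose runtime is not Docker.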
From 1d6b6f847cc023c896b419ce377836050814e98a Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Tue, 23 Apr 2019 09:47:36 +0200
Subject: [PATCH 42/66] remove cluster-admin clusterrolebinding
---
templates/validator-rbac.yaml | 31 +++++++++++++++----------------
1 file changed, 15 insertions(+), 16 deletions(-)
diff --git a/templates/validator-rbac.yaml b/templates/validator-rbac.yaml
index 16bd474..e54a879 100644
--- a/templates/validator-rbac.yaml
+++ b/templates/validator-rbac.yaml
@@ -18,23 +18,11 @@ subjects:
name: {{ template "anchore-policy-validator.fullname" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: auth-delegator-{{ template "anchore-policy-validator.fullname" . }}-admin
-roleRef:
- kind: ClusterRole
- apiGroup: rbac.authorization.k8s.io
- name: cluster-admin
-subjects:
-- kind: ServiceAccount
- namespace: {{ .Release.Namespace }}
- name: {{ template "anchore-policy-validator.fullname" . }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
metadata:
annotations:
- name: {{ template "anchore-policy-validator.fullname" . }}
+ name: {{ template "anchore-policy-validator.fullname" . }}-apiext
+ namespace: kube-system
rules:
- apiGroups:
- {{ .Values.apiService.group }}
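Review bot: Dropping the `cluster-admin` binding is the right direction, but the Role that replaces the ClusterRole is confined to `kube-system` and its visible rules cover only `{{ .Values.apiService.group }}` and core resources; if the validator still creates its own ValidatingWebhookConfiguration (as an earlier patch subject states), nothing remaining grants `admissionregistration.k8s.io` access, so that registration is now forbidden. Either add that rule in this commit or note in the message that it is handled elsewhere. The `annotations:` key directly above `name:` has no value and renders as null; remove it. The Role's rule list continues outside the hunk.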
@@ -45,6 +33,16 @@ rules:
- list
- watch
- create
+- apiGroups:
+ - ""
+ resources:
+ - endpoints
+ - namespaces
+ - secrets
+ - configmaps
+ - serviceaccounts
+ verbs:
+ - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
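Review bot: The added core-group rule grants `get` on every `secrets` object in `kube-system` without a `resourceNames` restriction, which lets the validator's service account read any named secret in the control-plane namespace. An aggregated API server normally needs only the `extension-apiserver-authentication` configmap there; scope the `configmaps` entry with `resourceNames: [extension-apiserver-authentication]` and drop `secrets` unless a specific secret is needed, in which case name it. Confirm against the image which of `endpoints`, `namespaces` and `serviceaccounts` are actually read.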
@@ -54,10 +52,11 @@ metadata:
roleRef:
kind: Role
apiGroup: rbac.authorization.k8s.io
- name: extension-api{{ template "anchore-policy-validator.fullname" . }}-authentication-reader
+ name: {{ template "anchore-policy-validator.fullname" . }}-apiext
subjects:
- kind: ServiceAccount
name: {{ template "anchore-policy-validator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
From a90aed93e3fb7724c1887be20a27357a060e2f36 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Tue, 23 Apr 2019 09:50:00 +0200
Subject: [PATCH 43/66] update readme
---
README.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index fffa6ba..3a14681 100644
--- a/README.md
+++ b/README.md
@@ -49,4 +49,5 @@ The following tables lists configurable parameters of the anchore-policy-validat
|externalAnchore.anchoreHost |external anchore-engine host |"" |
|externalAnchore.anchoreUser |external anchore-engine username |"" |
|externalAnchore.anchorePass |external anchore-engine password |"" |
-|pspEnabled |add PSP resources if enabled |false |
\ No newline at end of file
+|rbac.enabled |enable RBAC |true |
+|rbac.psp.enabled |add PSP resources if enabled |false |
From 5d808f5c2e81f32c45a2c2beb8f1f7394ca6ba75 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Wed, 10 Jul 2019 12:22:22 +0200
Subject: [PATCH 44/66] do not delete default policy
---
Chart.yaml | 2 +-
templates/default-policy-job.yaml | 1 -
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index 72bcd58..e09fdfc 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
description: A Helm chart for anchore-policy-validator admission controller
name: anchore-policy-validator
-version: 0.4.0
+version: 0.4.1
appVersion: 0.3.3
keywords:
- analysis
diff --git a/templates/default-policy-job.yaml b/templates/default-policy-job.yaml
index e471bf1..8719736 100644
--- a/templates/default-policy-job.yaml
+++ b/templates/default-policy-job.yaml
@@ -47,7 +47,6 @@ spec:
anchore-cli policy add /policy/reject-critical.json
anchore-cli policy add /policy/block-root.json
anchore-cli policy activate 97b33e2c-3b57-4a3f-a12b-a8c0daa472a0
- anchore-cli policy del 2c53a13c-1765-11e8-82ef-23527761d060
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
From a161f0de5bae84f3df4dde63e136898c58aa14f4 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Thu, 1 Aug 2019 22:18:28 +0200
Subject: [PATCH 45/66] fix anchore-policy-validator rbac
---
Chart.yaml | 2 +-
templates/validator-rbac.yaml | 46 +++++++++++++++++++++++++++++++++++
2 files changed, 47 insertions(+), 1 deletion(-)
diff --git a/Chart.yaml b/Chart.yaml
index e09fdfc..029cce6 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
description: A Helm chart for anchore-policy-validator admission controller
name: anchore-policy-validator
-version: 0.4.1
+version: 0.4.2
appVersion: 0.3.3
keywords:
- analysis
diff --git a/templates/validator-rbac.yaml b/templates/validator-rbac.yaml
index e54a879..3d064eb 100644
--- a/templates/validator-rbac.yaml
+++ b/templates/validator-rbac.yaml
@@ -6,6 +6,52 @@ metadata:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
+metadata:
+ name: {{ template "anchore-policy-validator.fullname" . }}-binding
+roleRef:
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+ name: {{ template "anchore-policy-validator.fullname" . }}-role
+subjects:
+- kind: ServiceAccount
+ name: {{ template "anchore-policy-validator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "anchore-policy-validator.fullname" . }}-role
+rules:
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - create
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - namespaces
+ - secrets
+ - configmaps
+ verbs:
+ - get
+- apiGroups:
+ - security.banzaicloud.com
+ resources:
+ - audits
+ - whitelistitems
+ verbs:
+ - get
+ - list
+ - update
+ - patch
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
metadata:
name: auth-delegator-{{ template "anchore-policy-validator.fullname" . }}-default
roleRef:
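Review bot: The new ClusterRole grants `get` on `secrets` and `configmaps` cluster-wide without `resourceNames`, so the validator can read any named secret in any namespace; if the need is only image pull secrets referenced by the pods it validates, say so in a comment above the rule and consider whether the app can be pointed at those by name. The `validatingwebhookconfigurations` rule allows `get` and `create` but not `update` or `delete`, so re-registering with a rotated CA bundle would be forbidden if the app attempts it; verify against the image. The binding's `roleRef` block continues outside the hunk.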
From 3b1023032f3b8c4bb48f2a27c8f347136cbdc972 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Thu, 22 Aug 2019 10:53:52 +0200
Subject: [PATCH 46/66] bump anchore-image validator version
---
Chart.yaml | 4 ++--
values.yaml | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index 029cce6..80fc795 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v1
description: A Helm chart for anchore-policy-validator admission controller
name: anchore-policy-validator
-version: 0.4.2
-appVersion: 0.3.3
+version: 0.4.3
+appVersion: 0.3.4
keywords:
- analysis
- "anchore-policy-validator"
diff --git a/values.yaml b/values.yaml
index cdad925..531abdf 100644
--- a/values.yaml
+++ b/values.yaml
@@ -5,7 +5,7 @@ apiService:
version: v1beta1
image:
repository: banzaicloud/anchore-image-validator
- tag: 0.3.3
+ tag: 0.3.4
pullPolicy: IfNotPresent
service:
name: anchoreimagecheck
From 3b69329aeb63a721ed2b97165a79d42fa51210a3 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Mon, 23 Sep 2019 14:06:03 +0200
Subject: [PATCH 47/66] add capability to define include rule in
namespaceSelector
---
Chart.yaml | 4 ++--
README.md | 3 ++-
templates/validator-deployment.yaml | 2 ++
values.yaml | 4 +++-
4 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index 80fc795..4ecc88d 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v1
description: A Helm chart for anchore-policy-validator admission controller
name: anchore-policy-validator
-version: 0.4.3
-appVersion: 0.3.4
+version: 0.4.4
+appVersion: 0.3.6
keywords:
- analysis
- "anchore-policy-validator"
diff --git a/README.md b/README.md
index 3a14681..38c7778 100644
--- a/README.md
+++ b/README.md
@@ -40,7 +40,7 @@ The following tables lists configurable parameters of the anchore-policy-validat
|apiService.group |group of registered api service |admission.anchore.io |
|apiService.version |version of registered api service |v1beta1 |
|image.repository |admission-server image repo |banzaicloud/anchore-image-validator |
-|image.tag |admission-server image tag |0.3.0 |
+|image.tag |admission-server image tag |0.3.6 |
|image.pullPolicy |admission-server image pull policy |IfNotPresent |
|service.name |validation sevice name |anchoreimagecheck |
|service.type |validation service type |ClusterIP |
@@ -51,3 +51,4 @@ The following tables lists configurable parameters of the anchore-policy-validat
|externalAnchore.anchorePass |external anchore-engine password |"" |
|rbac.enabled |enable RBAC |true |
|rbac.psp.enabled |add PSP resources if enabled |false |
+|webhookSelector |webHookConfig namespaceSelector behaviour |"" (exclude) |
diff --git a/templates/validator-deployment.yaml b/templates/validator-deployment.yaml
index 664ce33..6f59091 100644
--- a/templates/validator-deployment.yaml
+++ b/templates/validator-deployment.yaml
@@ -52,6 +52,8 @@ spec:
value: {{ .Values.externalAnchore.anchorePass }}
- name: ANCHORE_ENGINE_URL
value: {{ .Values.externalAnchore.anchoreHost }}
+ - name: WEBHOOK_SELECTOR
+ value: {{ default "exclude" .Values.webhookSelector }}
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
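Review bot: The accepted values for `webhookSelector` are not stated anywhere in the chart; the README row added in this commit gives only the default `"" (exclude)`, so a user cannot tell that `include` (from the commit subject) is the alternative or what it does to the webhook's namespaceSelector. Add a comment above the key in values.yaml, e.g. `# "exclude" (default): validate all namespaces except those labelled out; "include": validate only labelled namespaces`, adjusted to the behaviour the image implements.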
diff --git a/values.yaml b/values.yaml
index 531abdf..19cb5dd 100644
--- a/values.yaml
+++ b/values.yaml
@@ -5,7 +5,7 @@ apiService:
version: v1beta1
image:
repository: banzaicloud/anchore-image-validator
- tag: 0.3.4
+ tag: 0.3.6
pullPolicy: IfNotPresent
service:
name: anchoreimagecheck
@@ -18,6 +18,8 @@ externalAnchore:
anchorePass: ""
resources: {}
+webhookSelector: ""
+
## Node selector
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
nodeSelector: {}
From c7e6335635706cf80ba341b81fbe090d694c5428 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Mon, 23 Sep 2019 14:53:12 +0200
Subject: [PATCH 48/66] use NAMESPACE_SELECTOR instead of WEBHOOK_SELECTOR
---
README.md | 2 +-
templates/validator-deployment.yaml | 4 ++--
values.yaml | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 38c7778..805b8c5 100644
--- a/README.md
+++ b/README.md
@@ -51,4 +51,4 @@ The following tables lists configurable parameters of the anchore-policy-validat
|externalAnchore.anchorePass |external anchore-engine password |"" |
|rbac.enabled |enable RBAC |true |
|rbac.psp.enabled |add PSP resources if enabled |false |
-|webhookSelector |webHookConfig namespaceSelector behaviour |"" (exclude) |
+|namespaceSelector |webHookConfig namespaceSelector behaviour |"" (exclude) |
diff --git a/templates/validator-deployment.yaml b/templates/validator-deployment.yaml
index 6f59091..15def1c 100644
--- a/templates/validator-deployment.yaml
+++ b/templates/validator-deployment.yaml
@@ -52,8 +52,8 @@ spec:
value: {{ .Values.externalAnchore.anchorePass }}
- name: ANCHORE_ENGINE_URL
value: {{ .Values.externalAnchore.anchoreHost }}
- - name: WEBHOOK_SELECTOR
- value: {{ default "exclude" .Values.webhookSelector }}
+ - name: NAMESPACE_SELECTOR
+ value: {{ default "exclude" .Values.namespaceSelector }}
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
diff --git a/values.yaml b/values.yaml
index 19cb5dd..4308485 100644
--- a/values.yaml
+++ b/values.yaml
@@ -18,7 +18,7 @@ externalAnchore:
anchorePass: ""
resources: {}
-webhookSelector: ""
+namespaceSelector: ""
## Node selector
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
From 72c304b21b2977feb1342ecd7e055d7361304f78 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Sun, 20 Oct 2019 21:00:17 +0200
Subject: [PATCH 49/66] update remove generic-admission-server
Signed-off-by: Peter Balogh
---
go.mod | 25 +++--
go.sum | 308 +++++++++++++++++++++++++++++++++++++++++----------------
2 files changed, 237 insertions(+), 96 deletions(-)
diff --git a/go.mod b/go.mod
index 3a15eca..40b0f0f 100644
--- a/go.mod
+++ b/go.mod
@@ -1,22 +1,21 @@
module github.com/banzaicloud/anchore-image-validator
-go 1.12
+go 1.13
require (
- emperror.dev/errors v0.4.2
+ emperror.dev/emperror v0.21.3
+ emperror.dev/errors v0.4.3
github.com/imdario/mergo v0.3.7 // indirect
- github.com/inconshreveable/mousetrap v1.0.0 // indirect
github.com/onsi/ginkgo v1.8.0 // indirect
github.com/onsi/gomega v1.5.0 // indirect
- github.com/openshift/generic-admission-server v1.14.0
- github.com/sirupsen/logrus v1.4.1
- github.com/spf13/cobra v0.0.3 // indirect
+ github.com/sirupsen/logrus v1.4.2
+ github.com/spf13/pflag v1.0.5
+ github.com/spf13/viper v1.4.0
golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5 // indirect
- golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a // indirect
- golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 // indirect
- k8s.io/api v0.0.0-20190409092523-d687e77c8ae9
- k8s.io/apimachinery v0.0.0-20190409092423-760d1845f48b
- k8s.io/apiserver v0.0.0-20190409093229-67d6e044d2ef // indirect
- k8s.io/client-go v0.0.0-20190409092706-ca8df85b1798
- k8s.io/utils v0.0.0-20190308190857-21c4ce38f2a7 // indirect
+ k8s.io/api v0.0.0-20190918195907-bd6ac527cfd2
+ k8s.io/apimachinery v0.0.0-20190817020851-f2f3a405f61d
+ k8s.io/client-go v0.0.0-20190918200256-06eb1244587a
+ logur.dev/adapter/logrus v0.2.0
+ logur.dev/logur v0.15.0
+ sigs.k8s.io/controller-runtime v0.3.0
)
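Review bot: The diffstat for this patch lists only go.mod and go.sum, yet the require block drops github.com/openshift/generic-admission-server and adds sigs.k8s.io/controller-runtime, viper, pflag, emperror and logur; unless the Go sources were already switched over, this commit does not build on its own, and `go build ./...` followed by `go mod tidy` should be run at this revision to confirm the require set matches the imports (the source changes presumably land in a later patch of the series). The k8s.io/api, apimachinery and client-go entries are pinned by pseudo-version with no hint of the Kubernetes release they track, which makes future upgrades and vulnerability triage needlessly slow; a trailing comment such as `k8s.io/api v0.0.0-20190918195907-bd6ac527cfd2 // kubernetes-<RELEASE>` on each of the three lines fixes that. The modules still marked `// indirect` (mergo, ginkgo, gomega, x/crypto) should be re-checked after the tidy, since the direct dependency set changed substantially.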
diff --git a/go.sum b/go.sum
index 987014f..15ad14a 100644
--- a/go.sum
+++ b/go.sum
@@ -1,110 +1,173 @@
-cloud.google.com/go v0.0.0-20160913182117-3b1ae45394a2/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-emperror.dev/errors v0.4.2 h1:snD5ODyv4c9DOBBZh645dy/TziVHZivuFtRRMZP8zK8=
-emperror.dev/errors v0.4.2/go.mod h1:cA5SMsyzo+KXq997DKGK+lTV1DGx5TXLQUNtYe9p2p0=
+emperror.dev/emperror v0.21.3 h1:/S3xa/ljmXKTsrxN8ttCE/eq7fmY/4H4xyqbiunObss=
+emperror.dev/emperror v0.21.3/go.mod h1:aeDoz3ERR3yJblyjfKojXoFFsXSd6K8Wfd4Zb1eEbZg=
+emperror.dev/errors v0.4.1/go.mod h1:cA5SMsyzo+KXq997DKGK+lTV1DGx5TXLQUNtYe9p2p0=
+emperror.dev/errors v0.4.3 h1:yfhVxX1vzHgCDXh0KL+gVKfKhXlJCabmc79jS6QQuus=
+emperror.dev/errors v0.4.3/go.mod h1:cA5SMsyzo+KXq997DKGK+lTV1DGx5TXLQUNtYe9p2p0=
github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
-github.com/Azure/go-autorest v11.1.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
-github.com/BurntSushi/toml v0.3.0 h1:e1/Ivsx3Z0FVTV0NSOv/aVgbUWyQuzj7DDnFblkRvsY=
+github.com/Azure/go-autorest v11.1.2+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
github.com/BurntSushi/toml v0.3.0/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46 h1:lsxEuwrXEAokXB9qhlbKWPpo3KMLZQ5WB5WLQRW1uq0=
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
+github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
github.com/PuerkitoBio/purell v1.1.0 h1:rmGxhojJlM0tuKtfdvliR84CFHljx9ag64t2xmVkjK4=
github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973 h1:xJ4a3vCFaGF/jqvzLMYoU8P317H5OQ+Via4RmuPwCS0=
+github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
+github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
-github.com/coreos/bbolt v1.3.1-coreos.6 h1:uTXKg9gY70s9jMAKdfljFQcuh4e/BXOM+V+d00KFj3A=
+github.com/beorn7/perks v1.0.0 h1:HWo1m869IqiPhD389kmkxeTalrjNbbJTC8LXupb+sl0=
+github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
+github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
+github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
github.com/coreos/bbolt v1.3.1-coreos.6/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
-github.com/coreos/etcd v3.3.10+incompatible h1:jFneRYjIvLMLhDLCzuTuU4rSJUjRplcJQ7pD7MnhC04=
+github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
+github.com/coreos/etcd v3.3.13+incompatible h1:8F3hqu9fGYLBifCmRCJsicFqDx/D68Rt3q1JMazcgBQ=
+github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
github.com/coreos/go-oidc v0.0.0-20180117170138-065b426bd416/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
-github.com/coreos/go-semver v0.0.0-20180108230905-e214231b295a h1:WqY2Kv7eI1jeoU3pC05YYK/kK4tdXyLzzaBzCR51r9M=
github.com/coreos/go-semver v0.0.0-20180108230905-e214231b295a/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
-github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7 h1:u9SHYsPQNyt5tgDm3YN7+9dYrpK96E5wFilTFWIDZOM=
+github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
-github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea h1:n2Ltr3SrfQlf/9nOna1DoGKxLx3qTSI8Ttl6Xrqp6mw=
+github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e h1:Wf6HqHfScWJN9/ZjdUKyjop4mf3Qdd+1TvvltAvM3m8=
+github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
+github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dgrijalva/jwt-go v0.0.0-20160705203006-01aeca54ebda h1:NyywMz59neOoVRFDz+ccfKWxn784fiHMDnZSy6T+JXY=
github.com/dgrijalva/jwt-go v0.0.0-20160705203006-01aeca54ebda/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
-github.com/docker/docker v0.0.0-20180612054059-a9fbbdc8dd87/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
+github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
+github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633 h1:H2pdYOb3KQ1/YsqVWoWNLQO+fusocsw354rqGTZtAgw=
github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
-github.com/evanphx/json-patch v0.0.0-20190203023257-5858425f7550 h1:mV9jbLoSW/8m4VK16ZkHTozJa8sesK5u5kTMFysTYac=
github.com/evanphx/json-patch v0.0.0-20190203023257-5858425f7550/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/evanphx/json-patch v4.5.0+incompatible h1:ouOWdg56aJriqS0huScTkVXPC5IcNrDCXZ6OoTAWu7M=
+github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/ghodss/yaml v0.0.0-20180820084758-c7ce16629ff4 h1:bRzFpEzvausOAt4va+I/22BZ1vXDtERngp0BNYDKej0=
github.com/ghodss/yaml v0.0.0-20180820084758-c7ce16629ff4/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
+github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
+github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/go-logr/logr v0.1.0 h1:M1Tv3VzNlEHg6uyACnRdtrploV2P7wZqH8BoQMtz0cg=
+github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
+github.com/go-logr/zapr v0.1.0 h1:h+WVe9j6HAA01niTJPA/kKH0i7e0rLZBCwauQFcRE54=
+github.com/go-logr/zapr v0.1.0/go.mod h1:tabnROwaDl0UNxkVeFRbY8bwB37GwRv0P8lg6aAiEnk=
+github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI=
+github.com/go-openapi/analysis v0.17.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik=
+github.com/go-openapi/analysis v0.17.2/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik=
+github.com/go-openapi/errors v0.17.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0=
+github.com/go-openapi/errors v0.17.2/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0=
github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
github.com/go-openapi/jsonpointer v0.19.0 h1:FTUMcX77w5rQkClIzDtTxvn6Bsa894CcrzNj2MMfeg8=
github.com/go-openapi/jsonpointer v0.19.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
github.com/go-openapi/jsonreference v0.19.0 h1:BqWKpV1dFd+AuiKlgtddwVIFQsuMpxfBDBHGfM2yNpk=
github.com/go-openapi/jsonreference v0.19.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
+github.com/go-openapi/loads v0.17.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
+github.com/go-openapi/loads v0.17.2/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
+github.com/go-openapi/runtime v0.0.0-20180920151709-4f900dc2ade9/go.mod h1:6v9a6LTXWQCdL8k1AO3cvqx5OtZY/Y9wKTgaoP6YRfA=
+github.com/go-openapi/runtime v0.17.2/go.mod h1:QO936ZXeisByFmZEO1IS1Dqhtf4QV1sYYFtIq6Ld86Q=
+github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
github.com/go-openapi/spec v0.17.2 h1:eb2NbuCnoe8cWAxhtK6CfMWUYmiFEZJ9Hx3Z2WRwJ5M=
github.com/go-openapi/spec v0.17.2/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
+github.com/go-openapi/strfmt v0.17.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
github.com/go-openapi/swag v0.17.2 h1:K/ycE/XTUDFltNHSO32cGRUhrVGJD64o8WgAIZNyc3k=
github.com/go-openapi/swag v0.17.2/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
+github.com/go-openapi/validate v0.17.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4=
+github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4=
github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/gogo/protobuf v1.1.1 h1:72R+M5VuhED/KujmZVcIquuo8mBgX4oVda//DQb3PXo=
+github.com/gogo/protobuf v0.0.0-20171007142547-342cbe0a0415/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
+github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE=
+github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903 h1:LbsanbbD6LieFkXbj9YNNBupiGHJgFeLpO0j0Fza1h8=
github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
+github.com/golang/groupcache v0.0.0-20180513044358-24b0969c4cb7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef h1:veQD95Isof8w9/WXiA+pa3tz3fJXkt5B7QaRBrM62gk=
+github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/google/btree v0.0.0-20160524151835-7d79101e329e h1:JHB7F/4TJCrYBW8+GZO8VkWDj1jxcWuCl6uxKODiyi4=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/google/btree v0.0.0-20160524151835-7d79101e329e/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf h1:+RRA9JqSOZFfKrOeqr2z77+8R2RKyh8PG66dcu1V0ck=
github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
github.com/google/uuid v1.0.0 h1:b4Gk+7WdP/d3HZH8EJsZpvV7EtDOgaZLtnaNGIu1adA=
github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d h1:7XGaL1e6bYS1yIonGp9761ExpPPV1ui0SAC59Yube9k=
github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
+github.com/googleapis/gnostic v0.3.1 h1:WeAefnSUHlBb0iJKwxFDZdbfGwkd7xRNuV+IpXMJhYk=
+github.com/googleapis/gnostic v0.3.1/go.mod h1:on+2t9HRStVgn95RSsFWFz+6Q0Snyqv1awfrALZdbtU=
github.com/gophercloud/gophercloud v0.0.0-20190126172459-c818fa66e4c8/go.mod h1:3WdhXV3rUYy9p6AUW8d94kr+HS62Y4VL9mBnFxsD8q4=
-github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c h1:Lh2aW+HnU2Nbe1gqD9SOJLJxW1jBMmQOktN2acDyJk8=
github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
-github.com/gotestyourself/gotestyourself v2.2.0+incompatible/go.mod h1:zZKM6oeNM8k+FRljX1mnzVYeS8wiGgQyvST1/GafPbY=
+github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
github.com/gregjones/httpcache v0.0.0-20170728041850-787624de3eb7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
-github.com/grpc-ecosystem/go-grpc-middleware v0.0.0-20190222133341-cfaf5686ec79 h1:lR9ssWAqp9qL0bALxqEEkuudiP1eweOdv9jsRK3e7lE=
github.com/grpc-ecosystem/go-grpc-middleware v0.0.0-20190222133341-cfaf5686ec79/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
-github.com/grpc-ecosystem/go-grpc-prometheus v0.0.0-20170330212424-2500245aa611 h1:f5vL2EW5pL274ztMNnizZAEa457nKyKPEaN/sm/kdBk=
+github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
github.com/grpc-ecosystem/go-grpc-prometheus v0.0.0-20170330212424-2500245aa611/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
-github.com/grpc-ecosystem/grpc-gateway v1.3.0 h1:HJtP6RRwj2EpPCD/mhAWzSvLL/dFTdPm1UrWwanoFos=
+github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho=
+github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
github.com/grpc-ecosystem/grpc-gateway v1.3.0/go.mod h1:RSKVYQBd5MCa4OVpNdGskqpgL2+G+NZTnrVHpWWfpdw=
+github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
github.com/hashicorp/golang-lru v0.5.0 h1:CL2msUPvZTLb5O648aiLNJw3hnBxN2+1Jq8rCOH9wdo=
github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
+github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28=
+github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
github.com/imdario/mergo v0.3.7 h1:Y+UAYTZ7gDEuOfhxKWy+dvb5dRQ6rJjFSdX2HZY1/gI=
github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
-github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
-github.com/jonboulle/clockwork v0.0.0-20141017032234-72f9bd7c4e0c h1:XpRROA6ssPlTwJI8/pH+61uieOkcJhmAFz25cu0B94Y=
github.com/jonboulle/clockwork v0.0.0-20141017032234-72f9bd7c4e0c/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
-github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be h1:AHimNtVIpiBjPUhEF5KNCkrUyqTSA5zWUl8sQ2bfGBE=
+github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.6 h1:MrUvLMLTMxbqFJ9kzlvat/rYZqZnW3u4wkLzWTaFwKs=
+github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
+github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/magiconair/properties v1.8.0 h1:LLgXmsheXeRoUOBOjtwPQCWIYqM/LU1ayDtDePerRcY=
+github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329 h1:2gxZ0XQIU/5z3Z3bUBu+FXuk2pFbkN6tcwi/pjyaDic=
github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
+github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
@@ -113,145 +176,224 @@ github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d h1:7PxY7LVfSZm7P
github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/natefinch/lumberjack v2.0.0+incompatible h1:4QJd3OLAMgj7ph+yZTuX13Ld4UpgHp07nNdFX7mqFfM=
github.com/natefinch/lumberjack v2.0.0+incompatible/go.mod h1:Wi9p2TTF5DG5oU+6YfsmYQpsTIOm0B1VNzQg9Mw6nPk=
+github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
+github.com/onsi/ginkgo v1.6.0 h1:Ix8l273rp3QzYgXSR+c8d1fTG7UPgYkOSELPhiY/YGw=
github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.8.0 h1:VkHVNpR4iVnU8XQR6DBm8BqYjN7CRzw+xKUbVVbbW9w=
github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/gomega v0.0.0-20190113212917-5533ce8a0da3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/onsi/gomega v1.4.2 h1:3mYCb7aPxS/RU7TI1y4rkEn1oKmPRjNJLNEXgw7MH2I=
+github.com/onsi/gomega v1.4.2/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
github.com/onsi/gomega v1.5.0 h1:izbySO9zDPmjJ8rDjLvkA2zJHIo+HkYXHnf7eN7SSyo=
github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/openshift/generic-admission-server v1.14.0 h1:GAQy5JNVcbmUuIpPvLd39+2rPecxEm7WQ2sP7ACrse4=
-github.com/openshift/generic-admission-server v1.14.0/go.mod h1:GD9KN/W4KxqRQGVMbqQHpHzb2XcQVvLCaBaSciqXvfM=
github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g=
github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
-github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
+github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181zc=
+github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/philhofer/fwd v1.0.0 h1:UbZqGr5Y38ApvM/V/jEljVxwocdweyH+vmYvRPBnbqQ=
-github.com/philhofer/fwd v1.0.0/go.mod h1:gk3iGcWd9+svBvR0sR+KPcfE+RNWozjowpeBVG3ZVNU=
-github.com/pkg/errors v0.8.0 h1:WdK/asTD0HN+q6hsWO3/vpuAkAr+tw6aNJNDFFf0+qw=
github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
-github.com/pquerna/ffjson v0.0.0-20180717144149-af8b230fcd20 h1:7sBb9iOkeq+O7AXlVoH/8zpIcRXX523zMkKKspHjjx8=
-github.com/pquerna/ffjson v0.0.0-20180717144149-af8b230fcd20/go.mod h1:YARuvh7BUWHNhzDq2OM5tzR2RiCcN2D7sapiKyCel/M=
github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
-github.com/prometheus/client_golang v0.9.2 h1:awm861/B8OKDd2I/6o1dy3ra4BamzKhYOiGItCeZ740=
github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM=
-github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910 h1:idejC8f05m9MGOsuEi1ATq9shN03HrxNkD/luQvxCv8=
+github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
+github.com/prometheus/client_golang v1.0.0 h1:vrDKnkGzuGvhNAL56c7DBz29ZL+KxnoR0x7enabFceM=
+github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90 h1:S/YWwWx/RA8rT8tKFRuGUZhuA90OyIBpPCXkcbwU8DE=
+github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
-github.com/prometheus/common v0.2.0 h1:kUZDBDTdBVBYBj5Tmh2NZLlF60mfjA27rM34b+cVwNU=
-github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/common v0.4.1 h1:K0MGApIoQvMw27RTdJkPbr3JZ7DNbtxQNyi5STVM6Kw=
+github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
-github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a h1:9a8MnZMP0X2nLJdBg+pBmGgkJlSaKC2KaQmTCk1XDtE=
github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/procfs v0.0.2 h1:6LJUbpNm42llc4HRCuvApCSWB/WfhuNo9K98Q9sNGfs=
+github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
+github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M=
+github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
-github.com/sirupsen/logrus v1.4.1 h1:GL2rEmy6nsikmW0r8opw9JIRScdMF5hA8cOYLH7In1k=
-github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
-github.com/soheilhy/cmux v0.1.3 h1:09wy7WZk4AqO03yH85Ex1X+Uo3vDsil3Fa9AgF8Emss=
+github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
+github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
github.com/soheilhy/cmux v0.1.3/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
-github.com/spf13/cobra v0.0.3 h1:ZlrZ4XsMRm04Fr5pSFxBgfND2EBVa1nLpiy1stUsX/8=
-github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
-github.com/spf13/pflag v1.0.1 h1:aCvUg6QPl3ibpQUxyLkrEkCHtPqYJL4x9AuhqVqFis4=
+github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
+github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
+github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
+github.com/spf13/afero v1.2.2 h1:5jhuqJyZCZf2JRofRvN/nIFgIWNzPa3/Vz8mYylgbWc=
+github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
+github.com/spf13/cast v1.3.0 h1:oget//CVOEoFewqQxwr0Ej5yjygnqGkvggSE/gB35Q8=
+github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cobra v0.0.0-20180319062004-c439c4fa0937 h1:+ryWjMVzFAkEz5zT+Ms49aROZwxlJce3x3zLTFpkz3Y=
+github.com/spf13/cobra v0.0.0-20180319062004-c439c4fa0937/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
+github.com/spf13/jwalterweatherman v1.0.0 h1:XHEdyB+EcvlqZamSM4ZOMGlc93t6AcsBEu9Gc1vn7yk=
+github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/viper v1.4.0 h1:yXHLWeravcrgGyFSyCgdYpXQ9dR9c/WED3pg1RhxqEU=
+github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/tinylib/msgp v1.1.0 h1:9fQd+ICuRIu/ue4vxJZu6/LzxN0HwMds2nq/0cFvxHU=
-github.com/tinylib/msgp v1.1.0/go.mod h1:+d+yLhGm8mzTaHzB+wgMYrodPfmZrzkirds8fDWklFE=
-github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8 h1:ndzgwNDnKIqyCvHTXaCqh9KlOWKvBry6nuXMJmonVsE=
+github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
-github.com/ugorji/go v0.0.0-20171019201919-bdcc60b419d1 h1:UvhxfNjNqlZ/x3cDyqxMhoiUpemd3zXkVQApN6bM/lg=
-github.com/ugorji/go v0.0.0-20171019201919-bdcc60b419d1/go.mod h1:hnLbHMwcvSihnDhEfx2/BzKp2xb0Y+ErdfYcrs9tkJQ=
-github.com/xiang90/probing v0.0.0-20160813154853-07dd2e8dfe18 h1:MPPkRncZLN9Kh4MEFmbnK4h3BD7AUmskWv2+EeZJCCs=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
+github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
github.com/xiang90/probing v0.0.0-20160813154853-07dd2e8dfe18/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
+github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
+github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
+go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
go.uber.org/atomic v0.0.0-20181018215023-8dc6146f7569/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
+go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
go.uber.org/atomic v1.4.0 h1:cxzIVoETapQEqDhQu3QfnvXAV4AlzcvUCxkVUFw3+EU=
go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
go.uber.org/multierr v0.0.0-20180122172545-ddea229ff1df/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
go.uber.org/multierr v1.1.0 h1:HoEmRHQPVSqub6w2z2d2EOVs2fjyFRGyofhKuyDq0QI=
go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
-go.uber.org/zap v0.0.0-20180814183419-67bc79d13d15 h1:Z2sc4+v0JHV6Mn4kX1f2a5nruNjmV+Th32sugE8zwz8=
go.uber.org/zap v0.0.0-20180814183419-67bc79d13d15/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
+go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
+go.uber.org/zap v1.10.0 h1:ORx85nbTijNz8ljznvCMR1ZBIPKFn3jQrag10X2AsuM=
+go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20181025213731-e84da0312774/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5 h1:bselrhR0Or1vomJZC8ZIjWtbDmn9OYFLX5Ik9alpJpE=
golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
+golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
+golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20181005035420-146acd28ed58/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190206173232-65e2d4e15006 h1:bfLnR+k0tq5Lqt6dflRLcZiz6UaXCMt3vhYJ1l4FQ80=
-golang.org/x/net v0.0.0-20190206173232-65e2d4e15006/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/oauth2 v0.0.0-20170412232759-a6bd8cefa181/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20190812203447-cdfb69ac37fc h1:gkKoSkUmnU6bpS/VhkuO27bzQeSA51uaEfbOW5dNb68=
+golang.org/x/net v0.0.0-20190812203447-cdfb69ac37fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a h1:tImsplftrFpALCYumobsd0K86vlAs/eXGFms2txfJfA=
golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190312061237-fead79001313 h1:pczuHS43Cp2ktBEEmLwScxgjWsBSzdaQiKzUyf3DTTc=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e h1:nFYrTHrdrAOpShe27kaFHjsqYSEQ0KWqdWLu3xuZJts=
golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc=
+golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db h1:6/JqlYfC1CCaLnGceQTI+sDGhC9UBSPAsBqI0Gun6kU=
golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/time v0.0.0-20161028155119-f51c12702a4d/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gomodules.xyz/jsonpatch/v2 v2.0.1/go.mod h1:IhYNNY4jnS53ZnfE4PAmpKtDpTCj1JFXc+3mwe7XcUU=
+gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0=
+gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw=
+gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e/go.mod h1:kS+toOQn6AQKjmKJ7gzohV1XkqsFehRA2FbsbkopSuQ=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c=
google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/genproto v0.0.0-20170731182057-09f6ed296fc6 h1:72GtwBPfq6av9X0Ru2HtAopsPW+d+vh1K1zaxanTdE8=
google.golang.org/genproto v0.0.0-20170731182057-09f6ed296fc6/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/grpc v1.13.0 h1:bHIbVsCwmvbArgCJmLdgOdHFXlKqTOVjbibbS19cXHc=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8 h1:Nw54tB0rB7hY/N0NQvRW8DG4Yk3Q6T9cu9RcFQDu1tc=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
google.golang.org/grpc v1.13.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.21.0 h1:G+97AoqBnmZIT91cLG/EkCoK9NSelj64P8bOHHNmGn0=
+google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
-gopkg.in/inf.v0 v0.9.0 h1:3zYtXIO92bvsdS3ggAdA8Gb4Azj0YU+TVY1uGYNFA8o=
gopkg.in/inf.v0 v0.9.0/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
gopkg.in/natefinch/lumberjack.v2 v2.0.0-20150622162204-20b71e5b60d7 h1:986b60BAz5vO2Vaf48yQaq+wb2bU4JsXxKu1+itW6x8=
gopkg.in/natefinch/lumberjack.v2 v2.0.0-20150622162204-20b71e5b60d7/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
+gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
gopkg.in/square/go-jose.v2 v2.0.0-20180411045311-89060dee6a84/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
-gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0 h1:POO/ycCATvegFmVuPpQzZFJ+pGZeX22Ufu6fibxDVjU=
gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
-gopkg.in/yaml.v2 v2.2.1 h1:mUhvW9EsL+naU5Q3cakzfE91YhliOondGd6ZrsDBHQE=
+gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
-k8s.io/api v0.0.0-20190409092523-d687e77c8ae9 h1:c9UEl5z8gk1DGh/g3snETZ+a52YeR9VdbX/3BQ4PHas=
-k8s.io/api v0.0.0-20190409092523-d687e77c8ae9/go.mod h1:FQEUn50aaytlU65qqBn/w+5ugllHwrBzKm7DzbnXdzE=
-k8s.io/apimachinery v0.0.0-20190409092423-760d1845f48b h1:fVkKJL9FIpA8LSJyHVM00MP45q1WJ7+af77vcxmQP4g=
-k8s.io/apimachinery v0.0.0-20190409092423-760d1845f48b/go.mod h1:FW86P8YXVLsbuplGMZeb20J3jYHscrDqw4jELaFJvRU=
-k8s.io/apiserver v0.0.0-20190409093229-67d6e044d2ef h1:0JW8e1tJABjPR1XduEVUES0bCE1h2hrkGg+Y287l3rY=
-k8s.io/apiserver v0.0.0-20190409093229-67d6e044d2ef/go.mod h1:+QPgMR9yE9YFLwPkY1TFifsma26Mqa1lBcA/8yXubGU=
-k8s.io/client-go v0.0.0-20190409092706-ca8df85b1798 h1:kVshWJGIQLSzwnl/wes9pFfbmI79Hrz58RTSc5he2/4=
-k8s.io/client-go v0.0.0-20190409092706-ca8df85b1798/go.mod h1:4IOfimLkjvlSoc9wyI1VEwkNUG20XFNp7qO6XkH2gdI=
-k8s.io/component-base v0.0.0-20190409093041-e34633071963 h1:b0EoSROSsjY+8KrBR0bhSJ/fj6VAbhQu0zeQa+eMTd4=
-k8s.io/component-base v0.0.0-20190409093041-e34633071963/go.mod h1:2AUf0gALRFIf31Zup6Torh8msIgiDioNziBnI8wpuk4=
-k8s.io/klog v0.0.0-20190306015804-8e90cee79f82 h1:SHucoAy7lRb+w5oC/hbXyZg+zX+Wftn6hD4tGzHCVqA=
-k8s.io/klog v0.0.0-20190306015804-8e90cee79f82/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+k8s.io/api v0.0.0-20190918195907-bd6ac527cfd2 h1:bkwe5LsuANqyOwsBng5Qc4S91D2Tv0JHctAztt3YTQs=
+k8s.io/api v0.0.0-20190918195907-bd6ac527cfd2/go.mod h1:AOxZTnaXR/xiarlQL0JUfwQPxjmKDvVYoRp58cA7lUo=
+k8s.io/apiextensions-apiserver v0.0.0-20190918201827-3de75813f604 h1:Kl/sh+wWzYK2hWFZtwvuFECup1SbE2kXfMnhGZsoO5M=
+k8s.io/apiextensions-apiserver v0.0.0-20190918201827-3de75813f604/go.mod h1:7H8sjDlWQu89yWB3FhZfsLyRCRLuoXoCoY5qtwW1q6I=
+k8s.io/apimachinery v0.0.0-20190817020851-f2f3a405f61d h1:7Kns6qqhMAQWvGkxYOLSLRZ5hJO0/5pcE5lPGP2fxUw=
+k8s.io/apimachinery v0.0.0-20190817020851-f2f3a405f61d/go.mod h1:3jediapYqJ2w1BFw7lAZPCx7scubsTfosqHkhXCWJKw=
+k8s.io/apiserver v0.0.0-20190918200908-1e17798da8c1 h1:vXeVIqZsVgwfUENTAeybgfNVW7zZD7GPZJGtwReK+hI=
+k8s.io/apiserver v0.0.0-20190918200908-1e17798da8c1/go.mod h1:4FuDU+iKPjdsdQSN3GsEKZLB/feQsj1y9dhhBDVV2Ns=
+k8s.io/client-go v0.0.0-20190918200256-06eb1244587a h1:huOvPq1vO7dkuw9rZPYsLGpFmyGvy6L8q6mDItgkdQ4=
+k8s.io/client-go v0.0.0-20190918200256-06eb1244587a/go.mod h1:3YAcTbI2ArBRmhHns5vlHRX8YQqvkVYpz+U/N5i1mVU=
+k8s.io/code-generator v0.0.0-20190612205613-18da4a14b22b/go.mod h1:G8bQwmHm2eafm5bgtX67XDZQ8CWKSGu9DekI+yN4Y5I=
+k8s.io/component-base v0.0.0-20190918200425-ed2f0867c778 h1:YicOHTLJZz/TIpJcqhVYJI2LyuM7VMkYiiG6FZfJmzY=
+k8s.io/component-base v0.0.0-20190918200425-ed2f0867c778/go.mod h1:DFWQCXgXVLiWtzFaS17KxHdlUeUymP7FLxZSkmL9/jU=
+k8s.io/gengo v0.0.0-20190116091435-f8a0810f38af/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
+k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+k8s.io/klog v0.3.1/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+k8s.io/klog v0.3.3 h1:niceAagH1tzskmaie/icWd7ci1wbG7Bf2c6YGcQv+3c=
+k8s.io/klog v0.3.3/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a30 h1:TRb4wNWoBVrH9plmkp2q86FIDppkbrEXdXlxU3a3BMI=
k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a30/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc=
k8s.io/utils v0.0.0-20190221042446-c2654d5206da/go.mod h1:8k8uAuAQ0rXslZKaEWd0c3oVhZz7sSzSiPnVZayjIX0=
-k8s.io/utils v0.0.0-20190308190857-21c4ce38f2a7 h1:8r+l4bNWjRlsFYlQJnKJ2p7s1YQPj4XyXiJVqDHRx7c=
-k8s.io/utils v0.0.0-20190308190857-21c4ce38f2a7/go.mod h1:8k8uAuAQ0rXslZKaEWd0c3oVhZz7sSzSiPnVZayjIX0=
+k8s.io/utils v0.0.0-20190506122338-8fab8cb257d5 h1:VBM/0P5TWxwk+Nw6Z+lAw3DKgO76g90ETOiA6rfLV1Y=
+k8s.io/utils v0.0.0-20190506122338-8fab8cb257d5/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
+logur.dev/adapter/logrus v0.2.0 h1:X6ZA2KYCc4X3jyKSFoWVgFoqi8XcQi7JXH1HsuDr45M=
+logur.dev/adapter/logrus v0.2.0/go.mod h1:d278iWcx1mP2HxN6v8iXn/WvvgJ4SWHcjT5cG5etSSI=
+logur.dev/logur v0.15.0 h1:LGFzpPGsV9kVuE2V+HUyIbtYb2F1Vyp54gSp7ixLQHI=
+logur.dev/logur v0.15.0/go.mod h1:DyA5B+b6WjjCcnpE1+HGtTLh2lXooxRq+JmAwXMRK08=
+modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw=
+modernc.org/golex v1.0.0/go.mod h1:b/QX9oBD/LhixY6NDh+IdGv17hgB+51fET1i2kPSmvk=
+modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03k=
+modernc.org/strutil v1.0.0/go.mod h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs=
+modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I=
+sigs.k8s.io/controller-runtime v0.3.0 h1:ZtdgqJXVHsIytjdmDuk0QjagnzyLq9FjojXRqIp+dU4=
+sigs.k8s.io/controller-runtime v0.3.0/go.mod h1:Cw6PkEg0Sa7dAYovGT4R0tRkGhHXpYijwNxYhAnAZZk=
sigs.k8s.io/structured-merge-diff v0.0.0-20190302045857-e85c7b244fd2 h1:9r5DY45ef9LtcA6BnkhW8MPV7OKAfbf2AUwUhq3LeRk=
sigs.k8s.io/structured-merge-diff v0.0.0-20190302045857-e85c7b244fd2/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
+sigs.k8s.io/testing_frameworks v0.1.1 h1:cP2l8fkA3O9vekpy5Ks8mmA0NW/F7yBdXf8brkWhVrs=
+sigs.k8s.io/testing_frameworks v0.1.1/go.mod h1:VVBKrHmJ6Ekkfz284YKhQePcdycOzNH9qL6ht1zEr/U=
sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs=
sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
From d68fb48b61ed27e667f02085f1158dd4a4f8bf02 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Mon, 21 Oct 2019 08:36:45 +0200
Subject: [PATCH 50/66] udate dockerfiles
Signed-off-by: Peter Balogh
---
Dockerfile | 6 ++----
Dockerfile.debug | 4 ++--
2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index a9a7a4d..9507efd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.12-alpine AS builder
+FROM golang:1.13-alpine AS builder
RUN apk add --update --no-cache ca-certificates git
@@ -10,11 +10,9 @@ RUN go mod download
COPY . /build
RUN go install ./cmd
-FROM alpine:3.9
+FROM alpine:3.10
COPY --from=builder /go/bin/cmd /usr/local/bin/anchore-image-validator
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-USER 65534:65534
-
ENTRYPOINT ["/usr/local/bin/anchore-image-validator"]
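Review bot: Removing `USER 65534:65534` from the final stage means the validator now runs as root inside the container, and neither the hunk nor the commit message says why. Nothing visible in this change needs root: the process binds its configured listen port and reads the TLS key pair from files, which an unprivileged uid can do as long as the port is above 1024 and the mounted files are readable. Restore `USER 65534:65534` immediately before the `ENTRYPOINT` line; if it was dropped because a mounted cert or key was unreadable, fix that with `COPY --chown` or the pod's fsGroup rather than by dropping the user switch. The alpine:3.10 bump in the same hunk is fine on its own.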
diff --git a/Dockerfile.debug b/Dockerfile.debug
index fed0127..a278847 100644
--- a/Dockerfile.debug
+++ b/Dockerfile.debug
@@ -1,10 +1,10 @@
-FROM golang:1.12-alpine AS builder
+FROM golang:1.13-alpine AS builder
RUN apk add --update --no-cache ca-certificates git
RUN go get github.com/derekparker/delve/cmd/dlv
-FROM alpine:3.9
+FROM alpine:3.10
RUN apk add --update --no-cache libc6-compat
From 3f2bd2c2af4a80c77e32fa89d449d62bebc6e3be Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Mon, 21 Oct 2019 10:21:31 +0200
Subject: [PATCH 51/66] drop generic-admission-server and move out validation
Signed-off-by: Peter Balogh
---
cmd/main.go | 242 ++++++++++++++++++++--------------------------------
1 file changed, 92 insertions(+), 150 deletions(-)
diff --git a/cmd/main.go b/cmd/main.go
index 753cce3..8166737 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -1,49 +1,44 @@
-// Copyright © 2018 Banzai Cloud
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+/*
+Copyright 2019 Banzai Cloud.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
package main
import (
- "encoding/json"
+ "crypto/tls"
"fmt"
+ "net"
+ "net/http"
"os"
- "strings"
- "sync"
- "github.com/banzaicloud/anchore-image-validator/pkg/anchore"
+ "emperror.dev/emperror"
+ "emperror.dev/errors"
+ "github.com/banzaicloud/anchore-image-validator/internal/app"
+ "github.com/banzaicloud/anchore-image-validator/internal/log"
"github.com/banzaicloud/anchore-image-validator/pkg/apis/security/v1alpha1"
- clientV1alpha1 "github.com/banzaicloud/anchore-image-validator/pkg/clientset/v1alpha1"
- "github.com/openshift/generic-admission-server/pkg/cmd"
- "github.com/sirupsen/logrus"
- admissionv1beta1 "k8s.io/api/admission/v1beta1"
- v1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime/schema"
- "k8s.io/client-go/dynamic"
+ clientv1alpha1 "github.com/banzaicloud/anchore-image-validator/pkg/clientset/v1alpha1"
+ "github.com/spf13/pflag"
+ "github.com/spf13/viper"
"k8s.io/client-go/kubernetes/scheme"
- "k8s.io/client-go/rest"
+ crclient "sigs.k8s.io/controller-runtime/pkg/client"
+ crconfig "sigs.k8s.io/controller-runtime/pkg/client/config"
)
-var securityClientSet *clientV1alpha1.SecurityV1Alpha1Client
-
-type admissionHook struct {
- reservationClient dynamic.ResourceInterface
- lock sync.RWMutex
- initialized bool
-}
+var securityClientSet *clientv1alpha1.SecurityV1Alpha1Client
-const apiServiceResource = "imagechecks"
+const apiServiceResource = "imagecheck"
var (
apiServiceGroup = os.Getenv("ANCHORE_APISERVICE_GROUP")
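Review bot: `apiServiceResource` changes from the plural "imagechecks" to the singular "imagecheck" near the end of the hunk, and nothing in the hunk or the commit message explains the rename. Kubernetes resource names are conventionally plural, and if this constant is what installValidatingWebhookConfig (called later in this file, outside the hunk) uses to register the webhook or APIService path, existing registrations made under the old name will stop matching without any error at compile time. If the singular form is intentional, say so at the declaration, e.g. `// apiServiceResource must match the name the webhook/APIService is registered under; changed from "imagechecks" in this commit`, so the next reader does not "fix" it back to the plural.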
@@ -53,24 +48,79 @@ var (
namespaceSelector = getEnv("NAMESPACE_SELECTOR", "exclude")
)
+// nolint: gochecknoinits
+func init() {
+ pflag.Bool("version", false, "Show version information")
+ pflag.Bool("dump-config", false, "Dump configuration to the console (and exit)")
+}
+
func main() {
- var config *rest.Config
- var err error
- config, err = rest.InClusterConfig()
+ configure(viper.GetViper(), pflag.CommandLine)
+
+ pflag.Parse()
+
+ if viper.GetBool("version") {
+ fmt.Printf("%s version %s (%s) built on %s\n", "anchore-image-validator", version, commitHash, buildDate)
+
+ os.Exit(0)
+ }
+
+ err := viper.ReadInConfig()
+ _, configFileNotFound := err.(viper.ConfigFileNotFoundError)
+ if !configFileNotFound {
+ emperror.Panic(errors.Wrap(err, "failed to read configuration"))
+ }
+
+ var config Config
+ err = viper.Unmarshal(&config)
if err != nil {
- logrus.Error(err)
+ emperror.Panic(errors.Wrap(err, "failed to unmarshal configuration"))
}
+ if viper.GetBool("dump-config") {
+ fmt.Printf("%+v\n", config)
+
+ os.Exit(0)
+ }
+
+ // Create logger (first thing after configuration loading)
+ logger := log.NewLogger(config.Log)
+
+ // Provide some basic context to all log lines
+ logger = log.WithFields(logger, map[string]interface{}{"service": "imagecheck"})
+
+ k8sCfg := crconfig.GetConfigOrDie()
+
+ logger.Info("kubernetes config", map[string]interface{}{
+ "k8sHost": k8sCfg.Host})
+
v1alpha1.AddToScheme(scheme.Scheme)
- securityClientSet, err = clientV1alpha1.SecurityConfig(config)
+ securityClientSet, err = clientv1alpha1.SecurityConfig(k8sCfg)
if err != nil {
- logrus.Error(err)
+ logger.Error("error")
}
- installValidatingWebhookConfig(config)
+ client, err := crclient.New(k8sCfg, crclient.Options{})
+ if err != nil {
+ logger.Error("get clisntset failed", map[string]interface{}{
+ "k8sHost": k8sCfg.Host})
+ }
+
+ installValidatingWebhookConfig(client)
+
+ pair, err := tls.LoadX509KeyPair(config.App.CertFile, config.App.KeyFile)
+ if err != nil {
+ logger.Error("failed to load key pair")
+ }
- cmd.RunAdmissionServer(&admissionHook{})
+ ln, _ := net.Listen("tcp", fmt.Sprintf(":%v", config.App.Port))
+ httpServer := &http.Server{
+ Handler: app.NewApp(logger, client),
+ TLSConfig: &tls.Config{Certificates: []tls.Certificate{pair}},
+ }
+ logger.Info("starting the webhook.")
+ httpServer.ServeTLS(ln, "", "")
}
func getEnv(key, fallback string) string {
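Review bot: Every setup error in the new main() is logged and then ignored, so a failed `crclient.New` hands a nil client to `app.NewApp`, a failed `tls.LoadX509KeyPair` leaves the server with an empty certificate, and the dropped error in `ln, _ := net.Listen(...)` turns a port clash into a nil-pointer panic inside `ServeTLS`; `logger.Error("error")` also discards the underlying err, and the return values of `installValidatingWebhookConfig` and `httpServer.ServeTLS` are never inspected. Because this process is what stands behind `FailurePolicy: Fail` for every pod creation in matched namespaces, it should refuse to start rather than limp on; the file already uses `emperror.Panic(errors.Wrap(err, ...))` on the configuration path (Wrap returning nil for a nil err), and the same pattern fits here. While touching the TLS config it is worth pinning `MinVersion: tls.VersionTLS12`, since the API server is the only expected client. Separately, `app.NewApp` (app.go hunk further down) registers its handler on the pattern `"imagechecks"` with no leading slash — which `http.ServeMux` treats as a host pattern, not a path — whereas self.go advertises `/apis/<group>/<version>/imagecheck`, so the served route should be verified end to end before this server is relied on.
```go
	securityClientSet, err = clientv1alpha1.SecurityConfig(k8sCfg)
	emperror.Panic(errors.Wrap(err, "failed to create security clientset"))

	client, err := crclient.New(k8sCfg, crclient.Options{})
	emperror.Panic(errors.Wrap(err, "failed to create kubernetes client"))

	emperror.Panic(errors.Wrap(installValidatingWebhookConfig(client), "failed to install ValidatingWebhookConfiguration"))

	pair, err := tls.LoadX509KeyPair(config.App.CertFile, config.App.KeyFile)
	emperror.Panic(errors.Wrap(err, "failed to load key pair"))

	ln, err := net.Listen("tcp", fmt.Sprintf(":%v", config.App.Port))
	emperror.Panic(errors.Wrap(err, "failed to listen on webhook port"))

	httpServer := &http.Server{
		Handler: app.NewApp(logger, client),
		TLSConfig: &tls.Config{
			Certificates: []tls.Certificate{pair},
			MinVersion:   tls.VersionTLS12, // only the API server talks to us; no legacy clients
		},
	}
	logger.Info("starting the webhook.")
	emperror.Panic(errors.Wrap(httpServer.ServeTLS(ln, "", ""), "webhook server stopped"))
```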
@@ -80,111 +130,3 @@ func getEnv(key, fallback string) string {
}
return value
}
-
-func (a *admissionHook) ValidatingResource() (plural schema.GroupVersionResource, singular string) {
- return schema.GroupVersionResource{
- Group: apiServiceGroup,
- Version: apiServiceVersion,
- Resource: apiServiceResource,
- },
- "imagecheck"
-}
-
-func (a *admissionHook) Validate(admissionSpec *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse {
- status := &admissionv1beta1.AdmissionResponse{
- Allowed: true,
- UID: admissionSpec.UID,
- Result: &metav1.Status{Status: "Success", Message: ""}}
-
- if admissionSpec.Kind.Kind == "Pod" {
- whitelists, err := securityClientSet.Whitelists().List(metav1.ListOptions{})
- if err != nil {
- logrus.Error(err)
- } else {
- logrus.WithFields(logrus.Fields{
- "whitelists": whitelists.Items,
- }).Debug("Whitelists found")
- }
- pod := v1.Pod{}
- json.Unmarshal(admissionSpec.Object.Raw, &pod)
- logrus.WithFields(logrus.Fields{
- "PodName": pod.Name,
- "NameSpace": pod.Namespace,
- "Labels": pod.Labels,
- "Anotations": pod.Annotations,
- }).Debug("Pod details")
-
- var result []string
- var message string
- var auditImages []v1alpha1.AuditImage
- r, f := getReleaseName(pod.Labels, pod.Name)
- for _, container := range pod.Spec.Containers {
- image := container.Image
- logrus.WithFields(logrus.Fields{
- "image": image,
- }).Info("Checking image")
- auditImage, ok := anchore.CheckImage(image)
- if !ok {
- status.Result.Status = "Failure"
- status.Allowed = false
- if checkWhiteList(whitelists.Items, r, f) {
- status.Result.Status = "Success"
- status.Allowed = true
- logrus.WithFields(logrus.Fields{
- "PodName": pod.Name,
- }).Info("Whitelisted release")
- }
- message = fmt.Sprintf("Image failed policy check: %s", image)
- status.Result.Message = message
- logrus.WithFields(logrus.Fields{
- "image": image,
- }).Warning("Image failed policy check")
- } else {
- message = fmt.Sprintf("Image passed policy check: %s", image)
- logrus.WithFields(logrus.Fields{
- "image": image,
- }).Warning("Image passed policy check")
- }
- result = append(result, message)
- auditImages = append(auditImages, auditImage)
- }
-
- fr := "false"
- if f {
- fr = "true"
- }
- action := "reject"
- if status.Allowed {
- action = "allowed"
- }
- owners := pod.GetOwnerReferences()
- var auditName string
- if len(owners) > 0 {
- auditName = strings.ToLower(owners[0].Kind) + "-" + strings.ToLower(owners[0].Name)
- } else {
- auditName = pod.Name
- }
-
- ainfo := auditInfo{
- name: auditName,
- labels: map[string]string{"fakerelease": fr},
- releaseName: r,
- resource: "Pod",
- images: auditImages,
- result: result,
- action: action,
- state: "",
- owners: owners,
- }
-
- createOrUpdateAudit(ainfo)
- logrus.WithFields(logrus.Fields{
- "Status": status,
- }).Debug("Security scan status")
- }
- return status
-}
-
-func (a *admissionHook) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error {
- return nil
-}
From 2c20470184ebe8e9bf33c60cf601a9984a9de70a Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Mon, 21 Oct 2019 10:22:50 +0200
Subject: [PATCH 52/66] use controller-runtime
Signed-off-by: Peter Balogh
---
cmd/self.go | 94 ++++++++++++++++++++++++++---------------------------
1 file changed, 47 insertions(+), 47 deletions(-)
diff --git a/cmd/self.go b/cmd/self.go
index e83d962..4f20cf0 100644
--- a/cmd/self.go
+++ b/cmd/self.go
@@ -1,55 +1,55 @@
-// Copyright © 2018 Banzai Cloud
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+/*
+Copyright 2019 Banzai Cloud.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
package main
import (
+ "context"
"encoding/base64"
"fmt"
"os"
"path"
"emperror.dev/errors"
- "github.com/sirupsen/logrus"
- admissionV1beta1 "k8s.io/api/admissionregistration/v1beta1"
+ admissionv1beta1 "k8s.io/api/admissionregistration/v1beta1"
+ corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- admissionClient "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1"
- clientV1 "k8s.io/client-go/kubernetes/typed/core/v1"
- "k8s.io/client-go/rest"
+ "sigs.k8s.io/controller-runtime/pkg/client"
)
-func createValidatingWebhook(c *clientV1.CoreV1Client) *admissionV1beta1.ValidatingWebhookConfiguration {
+func createValidatingWebhook(c client.Client) (*admissionv1beta1.ValidatingWebhookConfiguration, error) {
path := path.Join("/apis", apiServiceGroup, apiServiceVersion, apiServiceResource)
webHookName := fmt.Sprintf("%s.%s", anchoreReleaseName, apiServiceGroup)
ownerref, caBundle, err := getSelf(c)
if err != nil {
- logrus.Error(err)
- return nil
+ return nil, errors.WrapIf(err, "unable to get self object")
}
- rule := admissionV1beta1.Rule{
+ rule := admissionv1beta1.Rule{
APIGroups: []string{""},
APIVersions: []string{"*"},
Resources: []string{"pods"},
}
- rulesWithOperations := admissionV1beta1.RuleWithOperations{
- Operations: []admissionV1beta1.OperationType{admissionV1beta1.Create},
+ rulesWithOperations := admissionv1beta1.RuleWithOperations{
+ Operations: []admissionv1beta1.OperationType{admissionv1beta1.Create},
Rule: rule,
}
- failurePolicy := admissionV1beta1.Fail
+ failurePolicy := admissionv1beta1.Fail
selectorOperator := metav1.LabelSelectorOpNotIn
selectorValues := []string{"noscan"}
@@ -69,22 +69,22 @@ func createValidatingWebhook(c *clientV1.CoreV1Client) *admissionV1beta1.Validat
MatchExpressions: []metav1.LabelSelectorRequirement{expression},
}
- validatingWebhook := admissionV1beta1.Webhook{
+ validatingWebhook := admissionv1beta1.ValidatingWebhook{
Name: webHookName,
- ClientConfig: admissionV1beta1.WebhookClientConfig{
- Service: &admissionV1beta1.ServiceReference{
+ ClientConfig: admissionv1beta1.WebhookClientConfig{
+ Service: &admissionv1beta1.ServiceReference{
Namespace: "default",
Name: "kubernetes",
Path: &path,
},
CABundle: caBundle,
},
- Rules: []admissionV1beta1.RuleWithOperations{rulesWithOperations},
+ Rules: []admissionv1beta1.RuleWithOperations{rulesWithOperations},
FailurePolicy: &failurePolicy,
NamespaceSelector: nameSpaceSelector,
}
- validatingWebhookConfig := &admissionV1beta1.ValidatingWebhookConfiguration{
+ validatingWebhookConfig := &admissionv1beta1.ValidatingWebhookConfiguration{
TypeMeta: metav1.TypeMeta{
Kind: "ValidatingWebhookConfiguration",
APIVersion: "admissionregistration.k8s.io/v1beta1",
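Review bot: The new `admissionv1beta1.ValidatingWebhook` literal leaves `SideEffects` unset; in v1beta1 that defaults to Unknown, which makes the API server reject dry-run requests (e.g. `kubectl apply --dry-run=server`) for pods in matched namespaces, and the field becomes mandatory once this moves to admissionregistration v1. Declare the class explicitly next to `failurePolicy`: `sideEffects := admissionv1beta1.SideEffectClassNoneOnDryRun` and `SideEffects: &sideEffects,` in the literal — `NoneOnDryRun` if the handler still writes Audit objects as the removed cmd code did, `None` if it no longer has side effects. `AdmissionReviewVersions` is likewise unset and worth pinning for the same migration. createValidatingWebhook starts before this hunk.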
@@ -92,41 +92,37 @@ func createValidatingWebhook(c *clientV1.CoreV1Client) *admissionV1beta1.Validat
ObjectMeta: metav1.ObjectMeta{
Name: webHookName,
},
- Webhooks: []admissionV1beta1.Webhook{validatingWebhook},
+ Webhooks: []admissionv1beta1.ValidatingWebhook{validatingWebhook},
}
validatingWebhookConfig.SetOwnerReferences(ownerref)
- return validatingWebhookConfig
+ return validatingWebhookConfig, nil
}
-func installValidatingWebhookConfig(c *rest.Config) error {
- coreClientSet, err := clientV1.NewForConfig(c)
+func installValidatingWebhookConfig(c client.Client) error {
+ validatingWebhookConfig, err := createValidatingWebhook(c)
if err != nil {
- logrus.Error(err)
- }
- validatingWebhookConfig := createValidatingWebhook(coreClientSet)
- if validatingWebhookConfig == nil {
return errors.WrapIf(err, "cannot create ValidatingkWebhooConfiguration")
}
- admissionClientSet, err := admissionClient.NewForConfig(c)
- if err != nil {
- return errors.WrapIf(err, "cannot create admission registration client")
- }
- validatingInt := admissionClientSet.ValidatingWebhookConfigurations()
- _, err = validatingInt.Create(validatingWebhookConfig)
+
+ err = c.Create(context.Background(), validatingWebhookConfig)
if err != nil {
return errors.WrapIf(err, "cannot install ValidatingWebhookConfiguration")
}
return nil
}
-func getSelf(c *clientV1.CoreV1Client) ([]metav1.OwnerReference, []byte, error) {
+func getSelf(c client.Client) ([]metav1.OwnerReference, []byte, error) {
podName, _ := os.Hostname()
if kubernetesNameSpace == "" {
return nil, nil, errors.New("not defined KUBERNETES_NAMESPACE env")
}
- podDetail, err := c.Pods(kubernetesNameSpace).Get(podName, metav1.GetOptions{})
+ podDetail := &corev1.Pod{}
+ err := c.Get(context.Background(), client.ObjectKey{
+ Namespace: kubernetesNameSpace,
+ Name: podName,
+ }, podDetail)
if err != nil {
return nil, nil, errors.WrapIf(err, "unable to get self details")
}
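Review bot: `c.Create` in installValidatingWebhookConfig returns AlreadyExists whenever the validator container restarts inside the same pod, because the configuration created by the previous instance is, judging by `SetOwnerReferences(ownerref)` with the pod's UID, only garbage-collected when the pod itself is deleted; the wrapped error is then returned and (in main) never acted on, leaving a stale CA bundle in place. Handle the conflict explicitly rather than failing: `if apierrors.IsAlreadyExists(err) { return errors.WrapIf(c.Update(context.Background(), validatingWebhookConfig), "cannot update ValidatingWebhookConfiguration") }` with `apierrors "k8s.io/apimachinery/pkg/api/errors"`. In getSelf, `podName, _ := os.Hostname()` still drops the error, so an empty name surfaces only as a misleading "unable to get self details". The error message at `cannot create ValidatingkWebhooConfiguration` carries a transposition that makes it hard to grep for. getSelf continues past the end of this hunk.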
@@ -142,7 +138,11 @@ func getSelf(c *clientV1.CoreV1Client) ([]metav1.OwnerReference, []byte, error)
UID: podDetail.ObjectMeta.UID,
}
- secretDetail, err := c.Secrets(kubernetesNameSpace).Get(anchoreReleaseName, metav1.GetOptions{})
+ secretDetail := &corev1.Secret{}
+ err = c.Get(context.Background(), client.ObjectKey{
+ Namespace: kubernetesNameSpace,
+ Name: anchoreReleaseName,
+ }, secretDetail)
if err != nil {
return nil, nil, errors.WrapIf(err, "unable to get secretDetail")
}
From b4fe49670057557e0ba20d0c2682e85a8427f8e9 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Mon, 21 Oct 2019 10:23:20 +0200
Subject: [PATCH 53/66] update license header
Signed-off-by: Peter Balogh
---
cmd/build.go | 28 ++++++++++++++------------
pkg/anchore/client.go | 28 ++++++++++++++------------
pkg/anchore/types.go | 28 ++++++++++++++------------
pkg/apis/security/v1alpha1/deepcopy.go | 28 ++++++++++++++------------
pkg/apis/security/v1alpha1/register.go | 28 ++++++++++++++------------
pkg/apis/security/v1alpha1/types.go | 28 ++++++++++++++------------
pkg/clientset/v1alpha1/api.go | 28 ++++++++++++++------------
pkg/clientset/v1alpha1/audit.go | 28 ++++++++++++++------------
pkg/clientset/v1alpha1/whitelist.go | 28 ++++++++++++++------------
9 files changed, 135 insertions(+), 117 deletions(-)
diff --git a/cmd/build.go b/cmd/build.go
index ca26fa0..6834f4f 100644
--- a/cmd/build.go
+++ b/cmd/build.go
@@ -1,16 +1,18 @@
-// Copyright © 2018 Banzai Cloud
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+/*
+Copyright 2019 Banzai Cloud.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
package main
diff --git a/pkg/anchore/client.go b/pkg/anchore/client.go
index 4f26eda..bbfb6ed 100644
--- a/pkg/anchore/client.go
+++ b/pkg/anchore/client.go
@@ -1,16 +1,18 @@
-// Copyright © 2018 Banzai Cloud
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+/*
+Copyright 2019 Banzai Cloud.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
package anchore
diff --git a/pkg/anchore/types.go b/pkg/anchore/types.go
index 89871d0..9fcd20e 100644
--- a/pkg/anchore/types.go
+++ b/pkg/anchore/types.go
@@ -1,16 +1,18 @@
-// Copyright © 2018 Banzai Cloud
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+/*
+Copyright 2019 Banzai Cloud.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
package anchore
diff --git a/pkg/apis/security/v1alpha1/deepcopy.go b/pkg/apis/security/v1alpha1/deepcopy.go
index 983a8dc..9831d72 100644
--- a/pkg/apis/security/v1alpha1/deepcopy.go
+++ b/pkg/apis/security/v1alpha1/deepcopy.go
@@ -1,16 +1,18 @@
-// Copyright © 2018 Banzai Cloud
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+/*
+Copyright 2019 Banzai Cloud.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
package v1alpha1
diff --git a/pkg/apis/security/v1alpha1/register.go b/pkg/apis/security/v1alpha1/register.go
index 6f4c87c..2262390 100644
--- a/pkg/apis/security/v1alpha1/register.go
+++ b/pkg/apis/security/v1alpha1/register.go
@@ -1,16 +1,18 @@
-// Copyright © 2018 Banzai Cloud
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+/*
+Copyright 2019 Banzai Cloud.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
package v1alpha1
diff --git a/pkg/apis/security/v1alpha1/types.go b/pkg/apis/security/v1alpha1/types.go
index 7e42195..e599e42 100644
--- a/pkg/apis/security/v1alpha1/types.go
+++ b/pkg/apis/security/v1alpha1/types.go
@@ -1,16 +1,18 @@
-// Copyright © 2018 Banzai Cloud
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+/*
+Copyright 2019 Banzai Cloud.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
package v1alpha1
diff --git a/pkg/clientset/v1alpha1/api.go b/pkg/clientset/v1alpha1/api.go
index 8825141..e756ac0 100644
--- a/pkg/clientset/v1alpha1/api.go
+++ b/pkg/clientset/v1alpha1/api.go
@@ -1,16 +1,18 @@
-// Copyright © 2018 Banzai Cloud
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+/*
+Copyright 2019 Banzai Cloud.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
package v1alpha1
diff --git a/pkg/clientset/v1alpha1/audit.go b/pkg/clientset/v1alpha1/audit.go
index 20b07f4..cd86be4 100644
--- a/pkg/clientset/v1alpha1/audit.go
+++ b/pkg/clientset/v1alpha1/audit.go
@@ -1,16 +1,18 @@
-// Copyright © 2018 Banzai Cloud
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+/*
+Copyright 2019 Banzai Cloud.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
package v1alpha1
diff --git a/pkg/clientset/v1alpha1/whitelist.go b/pkg/clientset/v1alpha1/whitelist.go
index 2a6dc49..4b7b106 100644
--- a/pkg/clientset/v1alpha1/whitelist.go
+++ b/pkg/clientset/v1alpha1/whitelist.go
@@ -1,16 +1,18 @@
-// Copyright © 2018 Banzai Cloud
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+/*
+Copyright 2019 Banzai Cloud.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
package v1alpha1
From 8538d7d7a631b2515400ebd95204f199a9478808 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Mon, 21 Oct 2019 10:25:01 +0200
Subject: [PATCH 54/66] add config
Signed-off-by: Peter Balogh
---
cmd/config.go | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 61 insertions(+)
create mode 100644 cmd/config.go
diff --git a/cmd/config.go b/cmd/config.go
new file mode 100644
index 0000000..e3450ef
--- /dev/null
+++ b/cmd/config.go
@@ -0,0 +1,61 @@
+/*
+Copyright 2019 Banzai Cloud.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+ "fmt"
+ "os"
+ "strings"
+
+ "github.com/banzaicloud/anchore-image-validator/internal/app"
+ "github.com/banzaicloud/anchore-image-validator/internal/log"
+ "github.com/spf13/pflag"
+ "github.com/spf13/viper"
+)
+
+// Config contains configs
+type Config struct {
+ // App configuration
+ App app.Config
+ // Log configuration
+ Log log.Config
+}
+
+func configure(v *viper.Viper, p *pflag.FlagSet) {
+ p.Init("imagecheck", pflag.ExitOnError)
+ pflag.Usage = func() {
+ _, _ = fmt.Fprintln(os.Stderr, "Usage of imagecheck:")
+ pflag.PrintDefaults()
+ }
+ _ = v.BindPFlags(p)
+ // Log configuration
+ v.SetDefault("log.format", "json")
+ v.SetDefault("log.level", "info")
+ v.SetDefault("log.noColor", true)
+ // App configuration
+ v.SetDefault("app.port", 8443)
+ v.SetDefault("app.certfile", "/webhook/certs/tls.crt")
+ v.SetDefault("app.keyfile", "/webhook/certs/tls.key")
+
+ v.AllowEmptyEnv(true)
+ v.SetEnvPrefix("imagecheck")
+ v.SetConfigName("config")
+ v.AddConfigPath(".")
+ v.AddConfigPath(os.Getenv("CONFIG_DIR"))
+ v.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))
+ v.AutomaticEnv()
+}
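Review bot: `configure` takes a flag set `p` but wires the usage text to the global `pflag.Usage` and `pflag.PrintDefaults()`, so the parameter is only half honoured; either use `p.Usage = ...` with `p.PrintDefaults()` or drop the parameter and work on `pflag.CommandLine` throughout. The error from `v.BindPFlags(p)` is thrown away with `_ =`, which would silently leave `version`/`dump-config` unreadable through viper; replace it with `if err := v.BindPFlags(p); err != nil { fmt.Fprintln(os.Stderr, err); os.Exit(1) }`. Search order matters too: `v.AddConfigPath(".")` is registered before `CONFIG_DIR`, so a `config.*` file in the process working directory takes precedence over the operator-supplied directory and can redirect `app.certfile`/`app.keyfile`; registering `CONFIG_DIR` first (or alone) keeps the deployed configuration authoritative.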
From 8d122fd4a67f47ae19ea7b649a69c32542ae5c01 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Mon, 21 Oct 2019 10:25:55 +0200
Subject: [PATCH 55/66] add log
Signed-off-by: Peter Balogh
---
internal/log/config.go | 28 +++++++++++++++++++++
internal/log/logger.go | 55 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 83 insertions(+)
create mode 100644 internal/log/config.go
create mode 100644 internal/log/logger.go
diff --git a/internal/log/config.go b/internal/log/config.go
new file mode 100644
index 0000000..9026533
--- /dev/null
+++ b/internal/log/config.go
@@ -0,0 +1,28 @@
+/*
+Copyright 2019 Banzai Cloud.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package log
+
+// Config holds details necessary for logging.
+type Config struct {
+ // Format specifies the output log format.
+ // Accepted values are: json, logfmt
+ Format string
+ // Level is the minimum log level that should appear on the output.
+ Level string
+ // NoColor makes sure that no log output gets colorized.
+ NoColor bool
+}
diff --git a/internal/log/logger.go b/internal/log/logger.go
new file mode 100644
index 0000000..7b9187f
--- /dev/null
+++ b/internal/log/logger.go
@@ -0,0 +1,55 @@
+/*
+Copyright 2019 Banzai Cloud.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package log
+
+import (
+ "os"
+
+ "github.com/sirupsen/logrus"
+ logrusadapter "logur.dev/adapter/logrus"
+ "logur.dev/logur"
+)
+
+// NewLogger creates a new logger.
+func NewLogger(config Config) logur.Logger {
+ logger := logrus.New()
+
+ logger.SetOutput(os.Stdout)
+ logger.SetFormatter(&logrus.TextFormatter{
+ DisableColors: config.NoColor,
+ EnvironmentOverrideColors: true,
+ })
+
+ switch config.Format {
+ case "logfmt":
+ // Already the default
+
+ case "json":
+ logger.SetFormatter(&logrus.JSONFormatter{})
+ }
+
+ if level, err := logrus.ParseLevel(config.Level); err == nil {
+ logger.SetLevel(level)
+ }
+
+ return logrusadapter.New(logger)
+}
+
+// WithFields returns a new contextual logger instance with context added to it.
+func WithFields(logger logur.Logger, fields map[string]interface{}) logur.Logger {
+ return logur.WithFields(logger, fields)
+}
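Review bot: An unparseable `config.Level` is silently ignored at `if level, err := logrus.ParseLevel(config.Level); err == nil`, so the logger stays at logrus's default and a typo such as `debgu` in the level setting is never reported; an unknown `Format` likewise falls through the switch and quietly keeps the text formatter. Report both before continuing: `} else { logger.Warnf("unknown log level %q, using %s", config.Level, logger.GetLevel()) }` and a `default:` arm in the switch that warns about the unrecognised format. The doc comment on NewLogger should also state that output always goes to stdout and that `json` and `logfmt` are the only accepted formats.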
From b94d2630e438a24ae68d7a79f54994926f477784 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Mon, 21 Oct 2019 10:28:28 +0200
Subject: [PATCH 56/66] move validation to internal
Signed-off-by: Peter Balogh
---
internal/app/app.go | 117 +++++++++++++++++++++++++++++++++++++++
internal/app/config.go | 27 +++++++++
internal/app/validate.go | 81 +++++++++++++++++++++++++++
3 files changed, 225 insertions(+)
create mode 100644 internal/app/app.go
create mode 100644 internal/app/config.go
create mode 100644 internal/app/validate.go
diff --git a/internal/app/app.go b/internal/app/app.go
new file mode 100644
index 0000000..7cd7946
--- /dev/null
+++ b/internal/app/app.go
@@ -0,0 +1,117 @@
+/*
+Copyright 2019 Banzai Cloud.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+ "encoding/json"
+ "fmt"
+ "io/ioutil"
+ "net/http"
+
+ admissionv1beta1 "k8s.io/api/admission/v1beta1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/serializer"
+ "logur.dev/logur"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+const imageValidate = "imagechecks"
+
+// NewApp creates new application
+func NewApp(logger logur.Logger, client client.Client) http.Handler {
+ mux := http.NewServeMux()
+ mux.Handle(imageValidate, newHTTPHandler(logger, client))
+
+ return mux
+}
+
+var (
+ runtimeScheme = runtime.NewScheme()
+ codecs = serializer.NewCodecFactory(runtimeScheme)
+ deserializer = codecs.UniversalDeserializer()
+ defaulter = runtime.ObjectDefaulter(runtimeScheme)
+)
+
+// HTTPController collects the greeting use cases and exposes them as HTTP handlers.
+type HTTPController struct {
+ Logger logur.Logger
+ Client client.Client
+}
+
+// NewHTTPHandler returns a new HTTP handler for the greeter.
+func newHTTPHandler(logger logur.Logger, client client.Client) http.Handler {
+ mux := http.NewServeMux()
+ controller := NewHTTPController(logger, client)
+ mux.HandleFunc(imageValidate, controller.webhookCTRL)
+ return mux
+}
+
+// NewHTTPController returns a new HTTPController instance.
+func NewHTTPController(logger logur.Logger, client client.Client) *HTTPController {
+ return &HTTPController{
+ Logger: logger,
+ Client: client,
+ }
+}
+
+func (a *HTTPController) webhookCTRL(w http.ResponseWriter, r *http.Request) {
+ body, err := ioutil.ReadAll(r.Body)
+ if err != nil {
+ http.Error(w, "reading request body failed", http.StatusInternalServerError)
+ return
+ }
+ if len(body) == 0 {
+ http.Error(w, "empty body", http.StatusBadRequest)
+ return
+ }
+
+ var admissionResponse *admissionv1beta1.AdmissionResponse
+ ar := admissionv1beta1.AdmissionReview{}
+ if _, _, err := deserializer.Decode(body, nil, &ar); err != nil {
+ a.Logger.Error("Can't decode body")
+ admissionResponse = &admissionv1beta1.AdmissionResponse{
+ Result: &metav1.Status{
+ Message: err.Error(),
+ },
+ }
+ } else {
+ fmt.Println(r.URL.Path)
+ if r.URL.Path == imageValidate {
+ admissionResponse = validate(&ar, a.Logger, a.Client)
+ a.Logger.Info("------ ehunnvagyoke ------")
+ }
+ }
+
+ if admissionResponse != nil {
+ ar.Response = admissionResponse
+ if ar.Request != nil {
+ ar.Response.UID = ar.Request.UID
+ }
+ }
+
+ resp, err := json.Marshal(ar)
+ if err != nil {
+ a.Logger.Error("Can't encode response")
+ http.Error(w, fmt.Sprintf("could not encode response: %v", err), http.StatusInternalServerError)
+ }
+ a.Logger.Info("Ready to write reponse ...")
+ if _, err := w.Write(resp); err != nil {
+ a.Logger.Error("Can't write response")
+ http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError)
+ }
+}
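Review bot: The `json.Marshal` error branch in webhookCTRL does not `return` after `http.Error(...)`, so the handler goes on to `w.Write(resp)` with a nil slice and, if that fails, issues a second `http.Error` on a response whose status is already written; add `return` after the 500. The body is read with `ioutil.ReadAll(r.Body)` without a size cap and the success path never sets `Content-Type: application/json`; wrapping the body with `http.MaxBytesReader(w, r.Body, 1<<20)` (limit is a constructed example) and setting the header before the write would make the endpoint more robust. `mux.Handle(imageValidate, ...)` registers the pattern `"imagechecks"` without a leading slash, which net/http's ServeMux treats as a host name rather than a path, so as far as I can tell a request to `/imagechecks` never reaches the handler.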
diff --git a/internal/app/config.go b/internal/app/config.go
new file mode 100644
index 0000000..a15a96f
--- /dev/null
+++ b/internal/app/config.go
@@ -0,0 +1,27 @@
+/*
+Copyright 2019 Banzai Cloud.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+// Config holds details necessary for app.
+type Config struct {
+ // Port defines server port
+ Port int
+ // CertFile server certificate path
+ CertFile string
+ // KeyFile server key path
+ KeyFile string
+}
diff --git a/internal/app/validate.go b/internal/app/validate.go
new file mode 100644
index 0000000..13f75a7
--- /dev/null
+++ b/internal/app/validate.go
@@ -0,0 +1,81 @@
+/*
+Copyright 2019 Banzai Cloud.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+ "encoding/json"
+
+ admissionv1beta1 "k8s.io/api/admission/v1beta1"
+ v1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "logur.dev/logur"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+func validate(ar *admissionv1beta1.AdmissionReview, logger logur.Logger, c client.Client) *admissionv1beta1.AdmissionResponse {
+ req := ar.Request
+ logger.Info("AdmissionReview for", map[string]interface{}{
+ "Kind": req.Kind,
+ "Namespsce": req.Namespace,
+ "Resource": req.Resource,
+ "UserInfo": req.UserInfo})
+
+ switch req.Kind.Kind {
+ case "Pod":
+ pod := v1.Pod{}
+ if err := json.Unmarshal(req.Object.Raw, &pod); err != nil {
+ logger.Error("could not unmarshal raw object")
+ return &admissionv1beta1.AdmissionResponse{
+ Result: &metav1.Status{
+ Message: err.Error(),
+ },
+ }
+ }
+
+ ok, err := checkImage(&pod, pod.GetNamespace(), logger)
+ if err != nil {
+ return &admissionv1beta1.AdmissionResponse{
+ Allowed: false,
+ Result: &metav1.Status{
+ Reason: metav1.StatusReason(err.Error()),
+ },
+ }
+ }
+ if !ok {
+ return &admissionv1beta1.AdmissionResponse{
+ Allowed: false,
+ Result: &metav1.Status{
+ Reason: "scan results are above treshold",
+ },
+ }
+ }
+ }
+
+ return &admissionv1beta1.AdmissionResponse{
+ Allowed: true,
+ Result: &metav1.Status{
+ Status: "Success",
+ Reason: "",
+ Message: "",
+ },
+ }
+}
+
+func checkImage(pod *v1.Pod, namespave string, logger logur.Logger) (bool, error) {
+
+ return false, nil
+}
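Review bot: validate dereferences `req := ar.Request` (`req.Kind`, `req.Namespace`, …) without a nil check, while app.go only copies the UID `if ar.Request != nil`, so an AdmissionReview without a Request panics here instead of producing an error response; add `if req == nil { return &admissionv1beta1.AdmissionResponse{Result: &metav1.Status{Message: "admission review has no request"}} }` before the log call. `checkImage` is a stub that returns `false, nil`, so every Pod is currently rejected with "scan results are above treshold" — worth a `// TODO(validation): placeholder, denies all pods until the image check is implemented` so the fail-closed behaviour reads as intentional. The error path sets `Reason: metav1.StatusReason(err.Error())`; Reason is meant to be a machine-readable token, so the error text belongs in `Message`. Minor: the log key `"Namespsce"` and the parameter `namespave` are misspelled.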
From c56c73660f7ec451e189463cec013f34f4e3e718 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Mon, 21 Oct 2019 12:31:46 +0200
Subject: [PATCH 57/66] use controller-runtime in handler
Signed-off-by: Peter Balogh
---
{cmd => internal/app}/handler.go | 73 +++++++++++++++++++-------------
1 file changed, 43 insertions(+), 30 deletions(-)
rename {cmd => internal/app}/handler.go (63%)
diff --git a/cmd/handler.go b/internal/app/handler.go
similarity index 63%
rename from cmd/handler.go
rename to internal/app/handler.go
index f38014f..fa9a928 100644
--- a/cmd/handler.go
+++ b/internal/app/handler.go
@@ -1,20 +1,23 @@
-// Copyright © 2018 Banzai Cloud
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package main
+/*
+Copyright 2019 Banzai Cloud.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
import (
+ "context"
"encoding/json"
"regexp"
"strings"
@@ -22,6 +25,8 @@ import (
"github.com/banzaicloud/anchore-image-validator/pkg/apis/security/v1alpha1"
"github.com/sirupsen/logrus"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/types"
+ "sigs.k8s.io/controller-runtime/pkg/client"
)
type auditInfo struct {
@@ -90,7 +95,7 @@ func regexpWhiteList(wl v1alpha1.WhiteListItem) *regexp.Regexp {
return nil
}
-func createOrUpdateAudit(a auditInfo) {
+func createOrUpdateAudit(a auditInfo, c client.Client) {
auditCR := &v1alpha1.Audit{
TypeMeta: metav1.TypeMeta{
Kind: "Audit",
@@ -111,35 +116,43 @@ func createOrUpdateAudit(a auditInfo) {
State: a.state,
},
}
- actionByte := []byte(`{"spec":`)
- aSpec, er := json.Marshal(auditCR.Spec)
- if er != nil {
- logrus.Error(er)
- }
- actionByte = append(actionByte, aSpec...)
- tail := []byte(`}`)
- actionByte = append(actionByte, tail...)
+
auditCR.SetOwnerReferences(a.owners)
- audit, err := securityClientSet.Audits().Create(auditCR)
+
+ err := c.Create(context.Background(), auditCR)
+ // audit, err := securityClientSet.Audits().Create(auditCR)
if err != nil {
logrus.Error(err)
- audit, err = securityClientSet.Audits().Update(a.name, actionByte)
+
+ actionByte := []byte(`{"spec":`)
+ aSpec, er := json.Marshal(auditCR.Spec)
+ if er != nil {
+ logrus.Error(er)
+ }
+ actionByte = append(actionByte, aSpec...)
+ tail := []byte(`}`)
+ actionByte = append(actionByte, tail...)
+
+ err = c.Patch(context.Background(), auditCR, client.ConstantPatch(types.MergePatchType, actionByte))
+ // audit, err = securityClientSet.Audits().Update(a.name, actionByte)
if err != nil {
logrus.Error(err)
} else {
logrus.WithFields(logrus.Fields{
- "Audit": audit,
+ "Audit": auditCR.Name,
}).Debug("Update Audit")
}
} else {
logrus.WithFields(logrus.Fields{
- "Audit": audit,
+ "Audit": auditCR.Name,
}).Debug("Created Audit")
}
}
-func listAudits() {
- audits, err := securityClientSet.Audits().List(metav1.ListOptions{})
+func listAudits(c client.Client) {
+ audits := &v1alpha1.AuditList{}
+ err := c.List(context.Background(), audits)
+ //audits, err := securityClientSet.Audits().List(metav1.ListOptions{})
if err != nil {
logrus.Error(err)
} else {
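Review bot: The fallback from `c.Create` to `c.Patch` runs on any Create error, not only when the Audit already exists, so a transient failure (RBAC denial, timeout) is followed by a merge patch that likely fails as well, and both failures are only logged — the audit record is silently lost. Gate the fallback on `apierrors.IsAlreadyExists(err)` (`k8s.io/apimachinery/pkg/api/errors`) and return the error so the caller can decide what to do, rather than swallowing it with `logrus.Error`. In the patch branch a `json.Marshal` failure is logged but `aSpec` is then appended as nil, producing the invalid patch body `{"spec":}`; return or skip the patch when `er != nil`. `listAudits` continues past the end of the hunk.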
From 7f28fff1a445a9f7602f7c3c3cb636a101d6995a Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Thu, 28 Nov 2019 11:15:07 +0100
Subject: [PATCH 58/66] filter anchore-policy-validator chart
Signed-off-by: Peter Balogh
---
Chart.yaml => charts/anchore-policy-validator/Chart.yaml | 0
README.md => charts/anchore-policy-validator/README.md | 0
.../anchore-policy-validator/templates}/NOTES.txt | 0
.../anchore-policy-validator/templates}/_helpers.tpl | 0
.../anchore-policy-validator/templates}/apiservice-webhook.yaml | 0
.../anchore-policy-validator/templates}/audit-crd.yaml | 0
.../templates}/default-policy-configmap.yaml | 0
.../anchore-policy-validator/templates}/default-policy-job.yaml | 0
.../anchore-policy-validator/templates}/validator-deployment.yaml | 0
.../anchore-policy-validator/templates}/validator-psp.yaml | 0
.../anchore-policy-validator/templates}/validator-rbac.yaml | 0
.../anchore-policy-validator/templates}/validator-service.yaml | 0
.../anchore-policy-validator/templates}/whitelist-crd.yaml | 0
values.yaml => charts/anchore-policy-validator/values.yaml | 0
14 files changed, 0 insertions(+), 0 deletions(-)
rename Chart.yaml => charts/anchore-policy-validator/Chart.yaml (100%)
rename README.md => charts/anchore-policy-validator/README.md (100%)
rename {templates => charts/anchore-policy-validator/templates}/NOTES.txt (100%)
rename {templates => charts/anchore-policy-validator/templates}/_helpers.tpl (100%)
rename {templates => charts/anchore-policy-validator/templates}/apiservice-webhook.yaml (100%)
rename {templates => charts/anchore-policy-validator/templates}/audit-crd.yaml (100%)
rename {templates => charts/anchore-policy-validator/templates}/default-policy-configmap.yaml (100%)
rename {templates => charts/anchore-policy-validator/templates}/default-policy-job.yaml (100%)
rename {templates => charts/anchore-policy-validator/templates}/validator-deployment.yaml (100%)
rename {templates => charts/anchore-policy-validator/templates}/validator-psp.yaml (100%)
rename {templates => charts/anchore-policy-validator/templates}/validator-rbac.yaml (100%)
rename {templates => charts/anchore-policy-validator/templates}/validator-service.yaml (100%)
rename {templates => charts/anchore-policy-validator/templates}/whitelist-crd.yaml (100%)
rename values.yaml => charts/anchore-policy-validator/values.yaml (100%)
diff --git a/Chart.yaml b/charts/anchore-policy-validator/Chart.yaml
similarity index 100%
rename from Chart.yaml
rename to charts/anchore-policy-validator/Chart.yaml
diff --git a/README.md b/charts/anchore-policy-validator/README.md
similarity index 100%
rename from README.md
rename to charts/anchore-policy-validator/README.md
diff --git a/templates/NOTES.txt b/charts/anchore-policy-validator/templates/NOTES.txt
similarity index 100%
rename from templates/NOTES.txt
rename to charts/anchore-policy-validator/templates/NOTES.txt
diff --git a/templates/_helpers.tpl b/charts/anchore-policy-validator/templates/_helpers.tpl
similarity index 100%
rename from templates/_helpers.tpl
rename to charts/anchore-policy-validator/templates/_helpers.tpl
diff --git a/templates/apiservice-webhook.yaml b/charts/anchore-policy-validator/templates/apiservice-webhook.yaml
similarity index 100%
rename from templates/apiservice-webhook.yaml
rename to charts/anchore-policy-validator/templates/apiservice-webhook.yaml
diff --git a/templates/audit-crd.yaml b/charts/anchore-policy-validator/templates/audit-crd.yaml
similarity index 100%
rename from templates/audit-crd.yaml
rename to charts/anchore-policy-validator/templates/audit-crd.yaml
diff --git a/templates/default-policy-configmap.yaml b/charts/anchore-policy-validator/templates/default-policy-configmap.yaml
similarity index 100%
rename from templates/default-policy-configmap.yaml
rename to charts/anchore-policy-validator/templates/default-policy-configmap.yaml
diff --git a/templates/default-policy-job.yaml b/charts/anchore-policy-validator/templates/default-policy-job.yaml
similarity index 100%
rename from templates/default-policy-job.yaml
rename to charts/anchore-policy-validator/templates/default-policy-job.yaml
diff --git a/templates/validator-deployment.yaml b/charts/anchore-policy-validator/templates/validator-deployment.yaml
similarity index 100%
rename from templates/validator-deployment.yaml
rename to charts/anchore-policy-validator/templates/validator-deployment.yaml
diff --git a/templates/validator-psp.yaml b/charts/anchore-policy-validator/templates/validator-psp.yaml
similarity index 100%
rename from templates/validator-psp.yaml
rename to charts/anchore-policy-validator/templates/validator-psp.yaml
diff --git a/templates/validator-rbac.yaml b/charts/anchore-policy-validator/templates/validator-rbac.yaml
similarity index 100%
rename from templates/validator-rbac.yaml
rename to charts/anchore-policy-validator/templates/validator-rbac.yaml
diff --git a/templates/validator-service.yaml b/charts/anchore-policy-validator/templates/validator-service.yaml
similarity index 100%
rename from templates/validator-service.yaml
rename to charts/anchore-policy-validator/templates/validator-service.yaml
diff --git a/templates/whitelist-crd.yaml b/charts/anchore-policy-validator/templates/whitelist-crd.yaml
similarity index 100%
rename from templates/whitelist-crd.yaml
rename to charts/anchore-policy-validator/templates/whitelist-crd.yaml
diff --git a/values.yaml b/charts/anchore-policy-validator/values.yaml
similarity index 100%
rename from values.yaml
rename to charts/anchore-policy-validator/values.yaml
From 2b655d41d1b79c85437aaf2de9cf1fdbfba8af8c Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Fri, 29 Nov 2019 13:20:05 +0100
Subject: [PATCH 59/66] update charts
Signed-off-by: Peter Balogh
---
charts/anchore-policy-validator/.helmignore | 21 +++++
.../templates/apiservice-webhook.yaml | 86 +++++++++++++------
.../templates/validator-deployment.yaml | 21 ++---
.../templates/whitelist-crd.yaml | 2 -
charts/anchore-policy-validator/values.yaml | 6 +-
5 files changed, 95 insertions(+), 41 deletions(-)
create mode 100644 charts/anchore-policy-validator/.helmignore
diff --git a/charts/anchore-policy-validator/.helmignore b/charts/anchore-policy-validator/.helmignore
new file mode 100644
index 0000000..f0c1319
--- /dev/null
+++ b/charts/anchore-policy-validator/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/anchore-policy-validator/templates/apiservice-webhook.yaml b/charts/anchore-policy-validator/templates/apiservice-webhook.yaml
index 9825601..31c4667 100644
--- a/charts/anchore-policy-validator/templates/apiservice-webhook.yaml
+++ b/charts/anchore-policy-validator/templates/apiservice-webhook.yaml
@@ -1,32 +1,64 @@
{{ $ca := genCA "svc-cat-ca" 3650 }}
-{{ $cn := printf "%s-%s.%s.svc" .Release.Name .Chart.Name .Release.Namespace }}
-{{ $server := genSignedCert $cn nil nil 365 $ca }}
-
+{{- $svcName := include "anchore-policy-validator.fullname" . }}
+{{- $cn := printf "%s.%s.svc" $svcName .Release.Namespace }}
+{{- $altName1 := printf "%s.cluster.local" $cn }}
+{{- $altName2 := printf "%s" $cn }}
+{{- $server := genSignedCert $cn nil (list $altName1 $altName2) 365 $ca }}
+{{- $major := .Capabilities.KubeVersion.Major -}}
+{{- $minor := .Capabilities.KubeVersion.Minor -}}
apiVersion: v1
-kind: List
+kind: Secret
metadata:
-items:
-
-- apiVersion: v1
- kind: Secret
- metadata:
- name: {{ template "anchore-policy-validator.fullname" . }}
- type: kubernetes.io/tls
- data:
- servingCert: {{ b64enc $server.Cert }}
- servingKey: {{ b64enc $server.Key }}
- caCert: {{ b64enc $ca.Cert }}
-
-- apiVersion: apiregistration.k8s.io/v1beta1
- kind: APIService
- metadata:
- name: {{ .Values.apiService.version }}.{{ .Values.apiService.group }}
- spec:
- caBundle: {{ b64enc $ca.Cert }}
- group: {{ .Values.apiService.group }}
- groupPriorityMinimum: 1000
- versionPriority: 15
+ name: {{ template "anchore-policy-validator.fullname" . }}
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ b64enc $server.Cert }}
+ tls.key: {{ b64enc $server.Key }}
+ ca.crt: {{ b64enc $ca.Cert }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: {{ template "anchore-policy-validator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+webhooks:
+- name: pods.{{ template "anchore-policy-validator.name" . }}.admission.banzaicloud.com
+ clientConfig:
service:
- name: {{ template "anchore-policy-validator.fullname" . }}
namespace: {{ .Release.Namespace }}
- version: {{ .Values.apiService.version }}
+ name: {{ template "anchore-policy-validator.fullname" . }}
+ path: /imagecheck
+ caBundle: {{ b64enc $ca.Cert }}
+ rules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ operations: ["CREATE"]
+ resources: ["pods"]
+ scope: "*"
+ admissionReviewVersions: ["v1", "v1beta1"]
+ failurePolicy: {{ .Values.podsFailurePolicy }}
+ sideEffects: None
+ namespaceSelector:
+ {{- if .Values.namespaceSelector.matchLabels }}
+ matchLabels:
+{{ toYaml .Values.namespaceSelector.matchLabels | indent 6 }}
+ {{- end }}
+ matchExpressions:
+ {{- if .Values.namespaceSelector.matchExpressions }}
+{{ toYaml .Values.namespaceSelector.matchExpressions | indent 6 }}
+ {{- end }}
+ - key: name
+ operator: NotIn
+ values:
+ - {{ .Release.Namespace }}
+{{- if and (eq (int $major) 1) (ge (int $minor) 15) }}
+ objectSelector:
+ matchExpressions:
+ {{- if .Values.objectSelector.matchExpressions }}
+{{ toYaml .Values.objectSelector.matchExpressions | indent 4 }}
+ {{- end }}
+ - key: security.banzaicloud.io/validate
+ operator: NotIn
+ values:
+ - skip
+{{- end }}
\ No newline at end of file
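Review bot: The namespace exclusion at `- key: name` / `operator: NotIn` relies on the release namespace carrying a `name` label, which Kubernetes does not set automatically; an absent label satisfies `NotIn`, so the validator's own namespace would not be excluded, and if `podsFailurePolicy` resolves to `Fail` a restart of the validator can block its own pods. Documenting the label requirement in values.yaml, or additionally keying on `kubernetes.io/metadata.name` (set automatically on 1.21+ clusters), would make the exclusion reliable. The rules cover `operations: ["CREATE"]` only; a Pod's container image is mutable via UPDATE, so adding `"UPDATE"` closes that path if the intent is to validate every image that runs. The `metadata.namespace` field on a cluster-scoped ValidatingWebhookConfiguration is ignored by the API server and can be dropped, and since `genCA`/`genSignedCert` re-issue the certificates on every render, a comment noting that each upgrade rotates the serving key would help operators.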
diff --git a/charts/anchore-policy-validator/templates/validator-deployment.yaml b/charts/anchore-policy-validator/templates/validator-deployment.yaml
index 15def1c..62a63e3 100644
--- a/charts/anchore-policy-validator/templates/validator-deployment.yaml
+++ b/charts/anchore-policy-validator/templates/validator-deployment.yaml
@@ -1,4 +1,4 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "anchore-policy-validator.fullname" . }}
@@ -10,11 +10,16 @@ metadata:
component: admission-server
spec:
replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: {{ template "anchore-policy-validator.name" . }}
+ release: {{ .Release.Name }}
template:
metadata:
labels:
app: {{ template "anchore-policy-validator.name" . }}
release: {{ .Release.Name }}
+ security.banzaicloud.io/mutate: skip
spec:
{{- if .Values.rbac.enabled }}
serviceAccountName: {{ template "anchore-policy-validator.fullname" . }}
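Review bot: The pod template label `security.banzaicloud.io/mutate: skip` does not match the objectSelector key `security.banzaicloud.io/validate` that the webhook template in this same commit uses to skip objects, so the validator's own pods are not excluded by the objectSelector and self-exclusion depends entirely on the namespaceSelector; the label should read `security.banzaicloud.io/validate: skip`. The added `selector.matchLabels` block is required for `apps/v1` and matches the template labels, which looks right. The Deployment spec continues outside the hunk.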
@@ -26,17 +31,15 @@ spec:
secretName: {{ template "anchore-policy-validator.fullname" . }}
- name: tmp
emptyDir: {}
+ securityContext:
+ runAsUser: 65534
+ fsGroup: 65534
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- "/usr/local/bin/anchore-image-validator"
- - "--audit-log-path=-"
- - "--tls-cert-file=/var/serving-cert/servingCert"
- - "--tls-private-key-file=/var/serving-cert/servingKey"
- - "--v={{ .Values.logVerbosity }}"
- - "--secure-port={{ .Values.service.internalPort }}"
env:
- name: KUBERNETES_NAMESPACE
value: {{ .Release.Namespace }}
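Review bot: The pod-level `securityContext` fixes `runAsUser`/`fsGroup` to 65534 but does not set `runAsNonRoot: true`; adding it next to `runAsUser: 65534` states the non-root requirement explicitly so that Pod Security admission and linters recognise it rather than inferring it from the UID. The container `securityContext` keeps `readOnlyRootFilesystem` and `allowPrivilegeEscalation: false` but drops no capabilities; `capabilities: { drop: ["ALL"] }` is the usual companion for a process that only serves HTTPS. The removed `--tls-cert-file=/var/serving-cert/servingCert` flags referenced the old Secret key names while the Secret now uses `tls.crt`/`tls.key`; how the binary locates its certificate after this change is not visible in the hunk, so confirm the app's CertFile/KeyFile defaults match the mount. The Deployment spec continues outside the hunk.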
@@ -54,13 +57,11 @@ spec:
value: {{ .Values.externalAnchore.anchoreHost }}
- name: NAMESPACE_SELECTOR
value: {{ default "exclude" .Values.namespaceSelector }}
+ ports:
+ - containerPort: {{ .Values.service.internalPort }}
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
- runAsUser: 65534
- fsGroup: 65534
- ports:
- - containerPort: {{ .Values.service.internalPort }}
livenessProbe:
httpGet:
path: /healthz
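Review bot: The liveness probe targets `path: /healthz`, but the handler wiring in internal/app/app.go earlier in this series registers only the `imageValidate` path on its mux, so unless a health handler exists in files not shown the probe gets a 404 and the kubelet restarts the pod in a loop; either register a small `/healthz` handler or point the probe at a path the server actually serves. Moving `ports` out of `securityContext`, where the API server would have rejected it, into the container spec is correct. The container spec continues outside the hunk.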
diff --git a/charts/anchore-policy-validator/templates/whitelist-crd.yaml b/charts/anchore-policy-validator/templates/whitelist-crd.yaml
index a167db3..00018e2 100644
--- a/charts/anchore-policy-validator/templates/whitelist-crd.yaml
+++ b/charts/anchore-policy-validator/templates/whitelist-crd.yaml
@@ -9,8 +9,6 @@ spec:
kind: WhiteListItem
plural: whitelistitems
singular: whitelistitem
- shortnames:
- - wl
scope: Cluster
validation:
openAPIV3Schema:
diff --git a/charts/anchore-policy-validator/values.yaml b/charts/anchore-policy-validator/values.yaml
index 4308485..fc33a3a 100644
--- a/charts/anchore-policy-validator/values.yaml
+++ b/charts/anchore-policy-validator/values.yaml
@@ -5,7 +5,7 @@ apiService:
version: v1beta1
image:
repository: banzaicloud/anchore-image-validator
- tag: 0.3.6
+ tag: remove-generic-admission-server
pullPolicy: IfNotPresent
service:
name: anchoreimagecheck
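Review bot: `tag: remove-generic-admission-server` pins the chart default to a branch-style, mutable image tag; together with `pullPolicy: IfNotPresent` different nodes can end up running different builds under the same tag, so a chart release should default to an immutable version tag (ideally with a digest) and take the development tag as a command-line override. The `apiService.group`/`apiService.version` keys above the hunk appear to be left over from the APIService object this commit removes from apiservice-webhook.yaml; if nothing else reads them, dropping them avoids a misleading knob.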
@@ -18,7 +18,9 @@ externalAnchore:
anchorePass: ""
resources: {}
-namespaceSelector: ""
+namespaceSelector: {}
+
+objectSelector: {}
## Node selector
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
From fe9c95ec390c6d18e05188e72c50d20b1a32dacf Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Mon, 16 Dec 2019 21:14:31 +0100
Subject: [PATCH 60/66] minor fixes for health check
Signed-off-by: Peter Balogh
---
.../templates/apiservice-webhook.yaml | 2 +-
.../templates/validator-deployment.yaml | 6 ++---
cmd/main.go | 26 ++++++++-----------
internal/app/app.go | 13 ++++++++--
internal/app/config.go | 2 +-
internal/app/validate.go | 2 +-
6 files changed, 28 insertions(+), 23 deletions(-)
diff --git a/charts/anchore-policy-validator/templates/apiservice-webhook.yaml b/charts/anchore-policy-validator/templates/apiservice-webhook.yaml
index 31c4667..c629762 100644
--- a/charts/anchore-policy-validator/templates/apiservice-webhook.yaml
+++ b/charts/anchore-policy-validator/templates/apiservice-webhook.yaml
@@ -45,7 +45,7 @@ webhooks:
{{- end }}
matchExpressions:
{{- if .Values.namespaceSelector.matchExpressions }}
-{{ toYaml .Values.namespaceSelector.matchExpressions | indent 6 }}
+{{ toYaml .Values.namespaceSelector.matchExpressions | indent 6 }}
{{- end }}
- key: name
operator: NotIn
diff --git a/charts/anchore-policy-validator/templates/validator-deployment.yaml b/charts/anchore-policy-validator/templates/validator-deployment.yaml
index 62a63e3..720c40a 100644
--- a/charts/anchore-policy-validator/templates/validator-deployment.yaml
+++ b/charts/anchore-policy-validator/templates/validator-deployment.yaml
@@ -19,7 +19,7 @@ spec:
labels:
app: {{ template "anchore-policy-validator.name" . }}
release: {{ .Release.Name }}
- security.banzaicloud.io/mutate: skip
+ security.banzaicloud.io/validate: skip
spec:
{{- if .Values.rbac.enabled }}
serviceAccountName: {{ template "anchore-policy-validator.fullname" . }}
@@ -64,11 +64,11 @@ spec:
allowPrivilegeEscalation: false
livenessProbe:
httpGet:
- path: /healthz
+ path: /imagecheck
port: {{ .Values.service.internalPort }}
scheme: HTTPS
volumeMounts:
- - mountPath: /var/serving-cert
+ - mountPath: /webhook/certs
name: serving-cert
- mountPath: /tmp
name: tmp
diff --git a/cmd/main.go b/cmd/main.go
index 8166737..b026d3d 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -17,9 +17,7 @@ limitations under the License.
package main
import (
- "crypto/tls"
"fmt"
- "net"
"net/http"
"os"
@@ -52,6 +50,7 @@ var (
func init() {
pflag.Bool("version", false, "Show version information")
pflag.Bool("dump-config", false, "Dump configuration to the console (and exit)")
+ pflag.Bool("dev-http", false, "Developer mode use http for local testing")
}
func main() {
@@ -92,7 +91,7 @@ func main() {
k8sCfg := crconfig.GetConfigOrDie()
- logger.Info("kubernetes config", map[string]interface{}{
+ logger.Debug("kubernetes config", map[string]interface{}{
"k8sHost": k8sCfg.Host})
v1alpha1.AddToScheme(scheme.Scheme)
@@ -107,20 +106,17 @@ func main() {
"k8sHost": k8sCfg.Host})
}
- installValidatingWebhookConfig(client)
+ logger.Info("starting the webhook.", map[string]interface{}{
+ "port": ":" + config.App.Port,
+ "certfile": config.App.CertFile,
+ "keyfile": config.App.KeyFile,
+ })
- pair, err := tls.LoadX509KeyPair(config.App.CertFile, config.App.KeyFile)
- if err != nil {
- logger.Error("failed to load key pair")
- }
-
- ln, _ := net.Listen("tcp", fmt.Sprintf(":%v", config.App.Port))
- httpServer := &http.Server{
- Handler: app.NewApp(logger, client),
- TLSConfig: &tls.Config{Certificates: []tls.Certificate{pair}},
+ if viper.GetBool("dev-http") {
+ http.ListenAndServe(":"+config.App.Port, app.NewApp(logger, client))
+ } else {
+ http.ListenAndServeTLS(":"+config.App.Port, config.App.CertFile, config.App.KeyFile, app.NewApp(logger, client))
}
- logger.Info("starting the webhook.")
- httpServer.ServeTLS(ln, "", "")
}
func getEnv(key, fallback string) string {
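Review bot: The errors returned by `http.ListenAndServe` / `http.ListenAndServeTLS` are discarded, so a bad certificate path, a port already in use, or a listener failure ends `main` silently with exit status 0 and no log line explaining why the webhook is down. Both calls also use the zero `http.Server`, which sets no read/header timeouts and no TLS minimum version, so a slow or idle client can hold connections open indefinitely; building an explicit `http.Server` with `ReadHeaderTimeout` and `TLSConfig{MinVersion: tls.VersionTLS12}` addresses both (this needs the `crypto/tls` import the hunk removes, plus `time`). The `--dev-http` plaintext listener is fine for local runs but should not be reachable through a chart value. `main` begins outside the hunk.
```go
	srv := &http.Server{
		Addr:              ":" + config.App.Port,
		Handler:           app.NewApp(logger, client),
		ReadHeaderTimeout: 10 * time.Second,
		TLSConfig:         &tls.Config{MinVersion: tls.VersionTLS12},
	}
	var serveErr error
	if viper.GetBool("dev-http") {
		serveErr = srv.ListenAndServe()
	} else {
		serveErr = srv.ListenAndServeTLS(config.App.CertFile, config.App.KeyFile)
	}
	if serveErr != nil {
		logger.Error("webhook server stopped", map[string]interface{}{"error": serveErr.Error()})
		os.Exit(1)
	}
```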
diff --git a/internal/app/app.go b/internal/app/app.go
index 7cd7946..1509dad 100644
--- a/internal/app/app.go
+++ b/internal/app/app.go
@@ -30,12 +30,13 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"
)
-const imageValidate = "imagechecks"
+const imageValidate = "/imagecheck"
// NewApp creates new application
func NewApp(logger logur.Logger, client client.Client) http.Handler {
mux := http.NewServeMux()
mux.Handle(imageValidate, newHTTPHandler(logger, client))
+ logger.Info("newApp", map[string]interface{}{"app": imageValidate})
return mux
}
@@ -58,6 +59,8 @@ func newHTTPHandler(logger logur.Logger, client client.Client) http.Handler {
mux := http.NewServeMux()
controller := NewHTTPController(logger, client)
mux.HandleFunc(imageValidate, controller.webhookCTRL)
+ logger.Info("newHTTPHandler", map[string]interface{}{"handler": imageValidate})
+
return mux
}
@@ -70,11 +73,18 @@ func NewHTTPController(logger logur.Logger, client client.Client) *HTTPControlle
}
func (a *HTTPController) webhookCTRL(w http.ResponseWriter, r *http.Request) {
+ if r.Method == http.MethodGet {
+ w.WriteHeader(http.StatusOK)
+ return
+ }
+
body, err := ioutil.ReadAll(r.Body)
if err != nil {
http.Error(w, "reading request body failed", http.StatusInternalServerError)
return
}
+ a.Logger.Debug("request body", map[string]interface{}{"body": body})
+
if len(body) == 0 {
http.Error(w, "empty body", http.StatusBadRequest)
return
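Review bot: `a.Logger.Debug("request body", ...)` logs the entire raw AdmissionReview, which can carry the full Pod spec (container env values, annotations, command lines) and the requesting user's UserInfo; even at debug level that copies potentially sensitive workload configuration into the log pipeline (and, depending on the logur formatter, as a byte-slice dump), so log `len(body)` or a redacted summary instead. The added `MethodGet` branch serves the liveness probe, but every other method still falls through to body parsing; `if r.Method != http.MethodPost { http.Error(w, "method not allowed", http.StatusMethodNotAllowed); return }` after the GET check limits the webhook path to the two methods it actually supports. webhookCTRL continues outside the hunk.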
@@ -93,7 +103,6 @@ func (a *HTTPController) webhookCTRL(w http.ResponseWriter, r *http.Request) {
fmt.Println(r.URL.Path)
if r.URL.Path == imageValidate {
admissionResponse = validate(&ar, a.Logger, a.Client)
- a.Logger.Info("------ ehunnvagyoke ------")
}
}
diff --git a/internal/app/config.go b/internal/app/config.go
index a15a96f..9a67eec 100644
--- a/internal/app/config.go
+++ b/internal/app/config.go
@@ -19,7 +19,7 @@ package app
// Config holds details necessary for app.
type Config struct {
// Port defines server port
- Port int
+ Port string
// CertFile server certificate path
CertFile string
// KeyFile server key path
diff --git a/internal/app/validate.go b/internal/app/validate.go
index 13f75a7..7cb1359 100644
--- a/internal/app/validate.go
+++ b/internal/app/validate.go
@@ -59,7 +59,7 @@ func validate(ar *admissionv1beta1.AdmissionReview, logger logur.Logger, c clien
return &admissionv1beta1.AdmissionResponse{
Allowed: false,
Result: &metav1.Status{
- Reason: "scan results are above treshold",
+ Reason: "result of policy evaluation is failed",
},
}
}
From cf29aff776684f511022023f80edd97e679d21db Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Tue, 17 Dec 2019 10:50:56 +0100
Subject: [PATCH 61/66] cleanup self
Signed-off-by: Peter Balogh
---
.vscode/launch.json | 17 +++
cmd/build.go | 1 -
cmd/main.go | 16 +--
cmd/self.go | 152 -------------------------
internal/app/app.go | 18 +--
internal/app/handler.go | 17 ++-
internal/app/validate.go | 4 +-
pkg/apis/security/v1alpha1/register.go | 6 +-
pkg/clientset/v1alpha1/api.go | 16 +--
9 files changed, 52 insertions(+), 195 deletions(-)
create mode 100644 .vscode/launch.json
delete mode 100644 cmd/self.go
diff --git a/.vscode/launch.json b/.vscode/launch.json
new file mode 100644
index 0000000..77919ef
--- /dev/null
+++ b/.vscode/launch.json
@@ -0,0 +1,17 @@
+{
+ // Use IntelliSense to learn about possible attributes.
+ // Hover to view descriptions of existing attributes.
+ // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+ "version": "0.2.0",
+ "configurations": [
+ {
+ "name": "Launch",
+ "type": "go",
+ "request": "launch",
+ "mode": "auto",
+ "program": "${workspaceRoot}/cmd/main.go",
+ "env": {},
+ "args": ["--dev-http"]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cmd/build.go b/cmd/build.go
index 6834f4f..94bf7e9 100644
--- a/cmd/build.go
+++ b/cmd/build.go
@@ -18,7 +18,6 @@ package main
// Provisioned by ldflags
// nolint: gochecknoglobals
-
var (
version string
commitHash string
diff --git a/cmd/main.go b/cmd/main.go
index b026d3d..50f9fc4 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -34,18 +34,8 @@ import (
crconfig "sigs.k8s.io/controller-runtime/pkg/client/config"
)
-var securityClientSet *clientv1alpha1.SecurityV1Alpha1Client
-
const apiServiceResource = "imagecheck"
-var (
- apiServiceGroup = os.Getenv("ANCHORE_APISERVICE_GROUP")
- apiServiceVersion = os.Getenv("ANCHORE_APISERVICE_VERSION")
- anchoreReleaseName = os.Getenv("ANCHORE_RELEASE_NAME")
- kubernetesNameSpace = os.Getenv("KUBERNETES_NAMESPACE")
- namespaceSelector = getEnv("NAMESPACE_SELECTOR", "exclude")
-)
-
// nolint: gochecknoinits
func init() {
pflag.Bool("version", false, "Show version information")
@@ -95,7 +85,7 @@ func main() {
"k8sHost": k8sCfg.Host})
v1alpha1.AddToScheme(scheme.Scheme)
- securityClientSet, err = clientv1alpha1.SecurityConfig(k8sCfg)
+ sc, err := clientv1alpha1.SecurityConfig(k8sCfg)
if err != nil {
logger.Error("error")
}
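Review bot: When `clientv1alpha1.SecurityConfig(k8sCfg)` fails, the new `sc` is left nil and execution continues; `logger.Error("error")` records neither the error nor any context, and the nil client is then handed to `app.NewApp` in the next hunk, where any use would panic at request time rather than at startup. Treat it as fatal the way the configuration errors earlier in main are treated, e.g. `emperror.Panic(errors.Wrap(err, "failed to create security clientset"))`. main begins and ends outside this hunk.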
@@ -113,9 +103,9 @@ func main() {
})
if viper.GetBool("dev-http") {
- http.ListenAndServe(":"+config.App.Port, app.NewApp(logger, client))
+ http.ListenAndServe(":"+config.App.Port, app.NewApp(logger, client, sc))
} else {
- http.ListenAndServeTLS(":"+config.App.Port, config.App.CertFile, config.App.KeyFile, app.NewApp(logger, client))
+ http.ListenAndServeTLS(":"+config.App.Port, config.App.CertFile, config.App.KeyFile, app.NewApp(logger, client, sc))
}
}
diff --git a/cmd/self.go b/cmd/self.go
deleted file mode 100644
index 4f20cf0..0000000
--- a/cmd/self.go
+++ /dev/null
@@ -1,152 +0,0 @@
-/*
-Copyright 2019 Banzai Cloud.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
- "context"
- "encoding/base64"
- "fmt"
- "os"
- "path"
-
- "emperror.dev/errors"
- admissionv1beta1 "k8s.io/api/admissionregistration/v1beta1"
- corev1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "sigs.k8s.io/controller-runtime/pkg/client"
-)
-
-func createValidatingWebhook(c client.Client) (*admissionv1beta1.ValidatingWebhookConfiguration, error) {
-
- path := path.Join("/apis", apiServiceGroup, apiServiceVersion, apiServiceResource)
- webHookName := fmt.Sprintf("%s.%s", anchoreReleaseName, apiServiceGroup)
- ownerref, caBundle, err := getSelf(c)
- if err != nil {
- return nil, errors.WrapIf(err, "unable to get self object")
- }
- rule := admissionv1beta1.Rule{
- APIGroups: []string{""},
- APIVersions: []string{"*"},
- Resources: []string{"pods"},
- }
-
- rulesWithOperations := admissionv1beta1.RuleWithOperations{
- Operations: []admissionv1beta1.OperationType{admissionv1beta1.Create},
- Rule: rule,
- }
-
- failurePolicy := admissionv1beta1.Fail
-
- selectorOperator := metav1.LabelSelectorOpNotIn
- selectorValues := []string{"noscan"}
-
- if namespaceSelector == "include" {
- selectorOperator = metav1.LabelSelectorOpIn
- selectorValues = []string{"scan"}
- }
-
- expression := metav1.LabelSelectorRequirement{
- Key: "scan",
- Operator: selectorOperator,
- Values: selectorValues,
- }
-
- nameSpaceSelector := &metav1.LabelSelector{
- MatchExpressions: []metav1.LabelSelectorRequirement{expression},
- }
-
- validatingWebhook := admissionv1beta1.ValidatingWebhook{
- Name: webHookName,
- ClientConfig: admissionv1beta1.WebhookClientConfig{
- Service: &admissionv1beta1.ServiceReference{
- Namespace: "default",
- Name: "kubernetes",
- Path: &path,
- },
- CABundle: caBundle,
- },
- Rules: []admissionv1beta1.RuleWithOperations{rulesWithOperations},
- FailurePolicy: &failurePolicy,
- NamespaceSelector: nameSpaceSelector,
- }
-
- validatingWebhookConfig := &admissionv1beta1.ValidatingWebhookConfiguration{
- TypeMeta: metav1.TypeMeta{
- Kind: "ValidatingWebhookConfiguration",
- APIVersion: "admissionregistration.k8s.io/v1beta1",
- },
- ObjectMeta: metav1.ObjectMeta{
- Name: webHookName,
- },
- Webhooks: []admissionv1beta1.ValidatingWebhook{validatingWebhook},
- }
-
- validatingWebhookConfig.SetOwnerReferences(ownerref)
-
- return validatingWebhookConfig, nil
-}
-
-func installValidatingWebhookConfig(c client.Client) error {
- validatingWebhookConfig, err := createValidatingWebhook(c)
- if err != nil {
- return errors.WrapIf(err, "cannot create ValidatingkWebhooConfiguration")
- }
-
- err = c.Create(context.Background(), validatingWebhookConfig)
- if err != nil {
- return errors.WrapIf(err, "cannot install ValidatingWebhookConfiguration")
- }
- return nil
-}
-
-func getSelf(c client.Client) ([]metav1.OwnerReference, []byte, error) {
- podName, _ := os.Hostname()
- if kubernetesNameSpace == "" {
- return nil, nil, errors.New("not defined KUBERNETES_NAMESPACE env")
- }
- podDetail := &corev1.Pod{}
- err := c.Get(context.Background(), client.ObjectKey{
- Namespace: kubernetesNameSpace,
- Name: podName,
- }, podDetail)
- if err != nil {
- return nil, nil, errors.WrapIf(err, "unable to get self details")
- }
-
- if anchoreReleaseName == "" {
- return nil, nil, errors.New("not defined ANCHORE_RELEASE_NAME env")
- }
-
- owner := metav1.OwnerReference{
- APIVersion: "v1",
- Kind: "Pod",
- Name: podName,
- UID: podDetail.ObjectMeta.UID,
- }
-
- secretDetail := &corev1.Secret{}
- err = c.Get(context.Background(), client.ObjectKey{
- Namespace: kubernetesNameSpace,
- Name: anchoreReleaseName,
- }, secretDetail)
- if err != nil {
- return nil, nil, errors.WrapIf(err, "unable to get secretDetail")
- }
- caBundle := []byte(base64.StdEncoding.EncodeToString(secretDetail.Data["caCert"]))
-
- return []metav1.OwnerReference{owner}, caBundle, nil
-}
diff --git a/internal/app/app.go b/internal/app/app.go
index 1509dad..b670761 100644
--- a/internal/app/app.go
+++ b/internal/app/app.go
@@ -22,6 +22,7 @@ import (
"io/ioutil"
"net/http"
+ clientv1alpha1 "github.com/banzaicloud/anchore-image-validator/pkg/clientset/v1alpha1"
admissionv1beta1 "k8s.io/api/admission/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
@@ -32,8 +33,16 @@ import (
const imageValidate = "/imagecheck"
+// nolint: gochecknoglobals
+var (
+ runtimeScheme = runtime.NewScheme()
+ codecs = serializer.NewCodecFactory(runtimeScheme)
+ deserializer = codecs.UniversalDeserializer()
+ defaulter = runtime.ObjectDefaulter(runtimeScheme)
+)
+
// NewApp creates new application
-func NewApp(logger logur.Logger, client client.Client) http.Handler {
+func NewApp(logger logur.Logger, client client.Client, sc *clientv1alpha1.Securityv1Alpha1Client) http.Handler {
mux := http.NewServeMux()
mux.Handle(imageValidate, newHTTPHandler(logger, client))
logger.Info("newApp", map[string]interface{}{"app": imageValidate})
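Review bot: The new `sc` parameter of `NewApp` is never used: `newHTTPHandler(logger, client)` on the line above does not receive it, so `HTTPController` has no way to reach the clientset that `createOrUpdateAudit` and `listAudits` in handler.go now require. Either thread it through (`newHTTPHandler(logger, client, sc)` plus a field on `HTTPController`) or drop the parameter again. NewApp's body continues past the end of the hunk.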
@@ -41,13 +50,6 @@ func NewApp(logger logur.Logger, client client.Client) http.Handler {
return mux
}
-var (
- runtimeScheme = runtime.NewScheme()
- codecs = serializer.NewCodecFactory(runtimeScheme)
- deserializer = codecs.UniversalDeserializer()
- defaulter = runtime.ObjectDefaulter(runtimeScheme)
-)
-
// HTTPController collects the greeting use cases and exposes them as HTTP handlers.
type HTTPController struct {
Logger logur.Logger
diff --git a/internal/app/handler.go b/internal/app/handler.go
index fa9a928..57f8938 100644
--- a/internal/app/handler.go
+++ b/internal/app/handler.go
@@ -23,6 +23,7 @@ import (
"strings"
"github.com/banzaicloud/anchore-image-validator/pkg/apis/security/v1alpha1"
+ clientv1alpha1 "github.com/banzaicloud/anchore-image-validator/pkg/clientset/v1alpha1"
"github.com/sirupsen/logrus"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
@@ -95,7 +96,7 @@ func regexpWhiteList(wl v1alpha1.WhiteListItem) *regexp.Regexp {
return nil
}
-func createOrUpdateAudit(a auditInfo, c client.Client) {
+func createOrUpdateAudit(a auditInfo, c client.Client, sc *clientv1alpha1.Securityv1Alpha1Client) {
auditCR := &v1alpha1.Audit{
TypeMeta: metav1.TypeMeta{
Kind: "Audit",
@@ -120,7 +121,7 @@ func createOrUpdateAudit(a auditInfo, c client.Client) {
auditCR.SetOwnerReferences(a.owners)
err := c.Create(context.Background(), auditCR)
- // audit, err := securityClientSet.Audits().Create(auditCR)
+ audit, err := sc.Audits().Create(auditCR)
if err != nil {
logrus.Error(err)
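Review bot: The error from `c.Create(context.Background(), auditCR)` on the line above is overwritten by the new `audit, err := sc.Audits().Create(auditCR)` without ever being checked, and the same Audit is now created twice through two different clients: when the first call succeeds the second fails with AlreadyExists, which sends the function down the update branch on every call. The next hunk repeats the pattern, issuing both `c.Patch(...)` and `sc.Audits().Update(a.name, actionByte)` and examining only the second error. Keep one client per operation, i.e. remove the `c.Create`/`c.Patch` lines if the REST clientset is the intended path. Separately, `"Audit": audit` now puts a whole object pointer into the log fields where the old `auditCR.Name` gave a readable identifier; `audit.Name` keeps that. createOrUpdateAudit starts and ends outside this hunk.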
@@ -134,25 +135,23 @@ func createOrUpdateAudit(a auditInfo, c client.Client) {
actionByte = append(actionByte, tail...)
err = c.Patch(context.Background(), auditCR, client.ConstantPatch(types.MergePatchType, actionByte))
- // audit, err = securityClientSet.Audits().Update(a.name, actionByte)
+ audit, err = sc.Audits().Update(a.name, actionByte)
if err != nil {
logrus.Error(err)
} else {
logrus.WithFields(logrus.Fields{
- "Audit": auditCR.Name,
+ "Audit": audit,
}).Debug("Update Audit")
}
} else {
logrus.WithFields(logrus.Fields{
- "Audit": auditCR.Name,
+ "Audit": audit,
}).Debug("Created Audit")
}
}
-func listAudits(c client.Client) {
- audits := &v1alpha1.AuditList{}
- err := c.List(context.Background(), audits)
- //audits, err := securityClientSet.Audits().List(metav1.ListOptions{})
+func listAudits(c client.Client, sc *clientv1alpha1.Securityv1Alpha1Client) {
+ audits, err := sc.Audits().List(metav1.ListOptions{})
if err != nil {
logrus.Error(err)
} else {
diff --git a/internal/app/validate.go b/internal/app/validate.go
index 7cb1359..b93e2b3 100644
--- a/internal/app/validate.go
+++ b/internal/app/validate.go
@@ -26,7 +26,9 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"
)
-func validate(ar *admissionv1beta1.AdmissionReview, logger logur.Logger, c client.Client) *admissionv1beta1.AdmissionResponse {
+func validate(ar *admissionv1beta1.AdmissionReview,
+ logger logur.Logger, c client.Client) *admissionv1beta1.AdmissionResponse {
+
req := ar.Request
logger.Info("AdmissionReview for", map[string]interface{}{
"Kind": req.Kind,
diff --git a/pkg/apis/security/v1alpha1/register.go b/pkg/apis/security/v1alpha1/register.go
index 2262390..ccbdcee 100644
--- a/pkg/apis/security/v1alpha1/register.go
+++ b/pkg/apis/security/v1alpha1/register.go
@@ -28,10 +28,10 @@ const GroupName = "security.banzaicloud.com"
// GroupVersion for crd
const GroupVersion = "v1alpha1"
-// SchemeGroupVersion for crd
-var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: GroupVersion}
-
+// nolint: gochecknoglobals
var (
+ // SchemeGroupVersion for crd
+ SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: GroupVersion}
// SchemeBuilder for crd
SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
// AddToScheme for crd
diff --git a/pkg/clientset/v1alpha1/api.go b/pkg/clientset/v1alpha1/api.go
index e756ac0..102318b 100644
--- a/pkg/clientset/v1alpha1/api.go
+++ b/pkg/clientset/v1alpha1/api.go
@@ -25,19 +25,19 @@ import (
"github.com/banzaicloud/anchore-image-validator/pkg/apis/security/v1alpha1"
)
-// SecurityV1Alpha1Interface interface for audit
-type SecurityV1Alpha1Interface interface {
+// Securityv1Alpha1Interface interface for audit
+type Securityv1Alpha1Interface interface {
Audits(namespace string) AuditInterface
Whitelists(namespace string) WhiteListInterface
}
-// SecurityV1Alpha1Client client for crd
-type SecurityV1Alpha1Client struct {
+// Securityv1Alpha1Client client for crd
+type Securityv1Alpha1Client struct {
restClient rest.Interface
}
// SecurityConfig for admission hook configuration
-func SecurityConfig(c *rest.Config) (*SecurityV1Alpha1Client, error) {
+func SecurityConfig(c *rest.Config) (*Securityv1Alpha1Client, error) {
config := *c
config.ContentConfig.GroupVersion = &schema.GroupVersion{Group: v1alpha1.GroupName, Version: v1alpha1.GroupVersion}
config.APIPath = "/apis"
@@ -49,18 +49,18 @@ func SecurityConfig(c *rest.Config) (*SecurityV1Alpha1Client, error) {
return nil, err
}
- return &SecurityV1Alpha1Client{restClient: client}, nil
+ return &Securityv1Alpha1Client{restClient: client}, nil
}
// Audits returns Audits for client
-func (c *SecurityV1Alpha1Client) Audits() AuditInterface {
+func (c *Securityv1Alpha1Client) Audits() AuditInterface {
return &auditClient{
restClient: c.restClient,
}
}
// Whitelists return WhiteLists for client
-func (c *SecurityV1Alpha1Client) Whitelists() WhiteListInterface {
+func (c *Securityv1Alpha1Client) Whitelists() WhiteListInterface {
return &whitelistClient{
restClient: c.restClient,
}
From 42e23b669fe28a31c4e2979a0df78dcab95cf75b Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Tue, 17 Dec 2019 14:01:51 +0100
Subject: [PATCH 62/66] fix lint
Signed-off-by: Peter Balogh
---
Makefile | 4 +-
cmd/config.go | 1 +
cmd/main.go | 15 ++---
internal/app/app.go | 16 +++--
internal/app/handler.go | 40 +++++++-----
internal/app/validate.go | 12 ++--
pkg/anchore/client.go | 39 +++++++++++-
pkg/anchore/types.go | 2 +-
pkg/apis/security/v1alpha1/deepcopy.go | 4 ++
pkg/apis/security/v1alpha1/register.go | 1 +
pkg/clientset/v1alpha1/api.go | 67 --------------------
pkg/clientset/v1alpha1/audit.go | 88 --------------------------
pkg/clientset/v1alpha1/whitelist.go | 85 -------------------------
13 files changed, 92 insertions(+), 282 deletions(-)
delete mode 100644 pkg/clientset/v1alpha1/api.go
delete mode 100644 pkg/clientset/v1alpha1/audit.go
delete mode 100644 pkg/clientset/v1alpha1/whitelist.go
diff --git a/Makefile b/Makefile
index cd15000..ffb0de5 100644
--- a/Makefile
+++ b/Makefile
@@ -21,10 +21,10 @@ endif
DOCKER_TAG ?= ${VERSION}
# Dependency versions
-GOLANGCI_VERSION = 1.12.3
+GOLANGCI_VERSION = 1.21.0
LICENSEI_VERSION = 0.1.0
-GOLANG_VERSION = 1.12
+GOLANG_VERSION = 1.13
.PHONY: clean
clean: ## Clean the working area and the project
diff --git a/cmd/config.go b/cmd/config.go
index e3450ef..e594040 100644
--- a/cmd/config.go
+++ b/cmd/config.go
@@ -39,6 +39,7 @@ func configure(v *viper.Viper, p *pflag.FlagSet) {
p.Init("imagecheck", pflag.ExitOnError)
pflag.Usage = func() {
_, _ = fmt.Fprintln(os.Stderr, "Usage of imagecheck:")
+
pflag.PrintDefaults()
}
_ = v.BindPFlags(p)
diff --git a/cmd/main.go b/cmd/main.go
index 50f9fc4..0142046 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -26,7 +26,6 @@ import (
"github.com/banzaicloud/anchore-image-validator/internal/app"
"github.com/banzaicloud/anchore-image-validator/internal/log"
"github.com/banzaicloud/anchore-image-validator/pkg/apis/security/v1alpha1"
- clientv1alpha1 "github.com/banzaicloud/anchore-image-validator/pkg/clientset/v1alpha1"
"github.com/spf13/pflag"
"github.com/spf13/viper"
"k8s.io/client-go/kubernetes/scheme"
@@ -34,8 +33,6 @@ import (
crconfig "sigs.k8s.io/controller-runtime/pkg/client/config"
)
-const apiServiceResource = "imagecheck"
-
// nolint: gochecknoinits
func init() {
pflag.Bool("version", false, "Show version information")
@@ -44,7 +41,6 @@ func init() {
}
func main() {
-
configure(viper.GetViper(), pflag.CommandLine)
pflag.Parse()
@@ -57,12 +53,14 @@ func main() {
err := viper.ReadInConfig()
_, configFileNotFound := err.(viper.ConfigFileNotFoundError)
+
if !configFileNotFound {
emperror.Panic(errors.Wrap(err, "failed to read configuration"))
}
var config Config
err = viper.Unmarshal(&config)
+
if err != nil {
emperror.Panic(errors.Wrap(err, "failed to unmarshal configuration"))
}
@@ -85,10 +83,6 @@ func main() {
"k8sHost": k8sCfg.Host})
v1alpha1.AddToScheme(scheme.Scheme)
- sc, err := clientv1alpha1.SecurityConfig(k8sCfg)
- if err != nil {
- logger.Error("error")
- }
client, err := crclient.New(k8sCfg, crclient.Options{})
if err != nil {
@@ -103,9 +97,9 @@ func main() {
})
if viper.GetBool("dev-http") {
- http.ListenAndServe(":"+config.App.Port, app.NewApp(logger, client, sc))
+ http.ListenAndServe(":"+config.App.Port, app.NewApp(logger, client))
} else {
- http.ListenAndServeTLS(":"+config.App.Port, config.App.CertFile, config.App.KeyFile, app.NewApp(logger, client, sc))
+ http.ListenAndServeTLS(":"+config.App.Port, config.App.CertFile, config.App.KeyFile, app.NewApp(logger, client))
}
}
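Review bot: Both changed lines still discard the error returned by `http.ListenAndServe` and `http.ListenAndServeTLS`, so a bind failure or an unreadable `config.App.CertFile`/`config.App.KeyFile` ends the process silently with exit status 0 and no log line explaining why the webhook is not serving. Handle it the way main handles configuration errors above, e.g. `emperror.Panic(errors.Wrap(http.ListenAndServeTLS(":"+config.App.Port, config.App.CertFile, config.App.KeyFile, app.NewApp(logger, client)), "webhook server failed"))`, and likewise for the plain HTTP branch.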
@@ -114,5 +108,6 @@ func getEnv(key, fallback string) string {
if !exists {
value = fallback
}
+
return value
}
diff --git a/internal/app/app.go b/internal/app/app.go
index b670761..e937a5e 100644
--- a/internal/app/app.go
+++ b/internal/app/app.go
@@ -22,7 +22,6 @@ import (
"io/ioutil"
"net/http"
- clientv1alpha1 "github.com/banzaicloud/anchore-image-validator/pkg/clientset/v1alpha1"
admissionv1beta1 "k8s.io/api/admission/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
@@ -38,11 +37,12 @@ var (
runtimeScheme = runtime.NewScheme()
codecs = serializer.NewCodecFactory(runtimeScheme)
deserializer = codecs.UniversalDeserializer()
- defaulter = runtime.ObjectDefaulter(runtimeScheme)
+
+// defaulter = runtime.ObjectDefaulter(runtimeScheme)
)
// NewApp creates new application
-func NewApp(logger logur.Logger, client client.Client, sc *clientv1alpha1.Securityv1Alpha1Client) http.Handler {
+func NewApp(logger logur.Logger, client client.Client) http.Handler {
mux := http.NewServeMux()
mux.Handle(imageValidate, newHTTPHandler(logger, client))
logger.Info("newApp", map[string]interface{}{"app": imageValidate})
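Review bot: The `defaulter` declaration is turned into a comment inside the `var` block (`// defaulter = runtime.ObjectDefaulter(runtimeScheme)`) with an empty `+` line above it; delete the declaration outright, since version control keeps the history and commented-out code only accumulates. The same pattern appears in the `admissionResponse = validate(&ar, a.Logger) //a.Client)` hunk further down this file and in the validate.go hunk, where the `controller-runtime/pkg/client` import and `// c client.Client` survive as comments; the stray `fmt.Println(r.URL.Path)` next to that validate call should go through `a.Logger` or be removed. While the validate.go log fields are being touched, `"Namespsce"` is presumably meant to be `"Namespace"`.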
@@ -85,6 +85,7 @@ func (a *HTTPController) webhookCTRL(w http.ResponseWriter, r *http.Request) {
http.Error(w, "reading request body failed", http.StatusInternalServerError)
return
}
+
a.Logger.Debug("request body", map[string]interface{}{"body": body})
if len(body) == 0 {
@@ -93,9 +94,12 @@ func (a *HTTPController) webhookCTRL(w http.ResponseWriter, r *http.Request) {
}
var admissionResponse *admissionv1beta1.AdmissionResponse
+
ar := admissionv1beta1.AdmissionReview{}
+
if _, _, err := deserializer.Decode(body, nil, &ar); err != nil {
a.Logger.Error("Can't decode body")
+
admissionResponse = &admissionv1beta1.AdmissionResponse{
Result: &metav1.Status{
Message: err.Error(),
@@ -104,7 +108,7 @@ func (a *HTTPController) webhookCTRL(w http.ResponseWriter, r *http.Request) {
} else {
fmt.Println(r.URL.Path)
if r.URL.Path == imageValidate {
- admissionResponse = validate(&ar, a.Logger, a.Client)
+ admissionResponse = validate(&ar, a.Logger) //a.Client)
}
}
@@ -120,7 +124,9 @@ func (a *HTTPController) webhookCTRL(w http.ResponseWriter, r *http.Request) {
a.Logger.Error("Can't encode response")
http.Error(w, fmt.Sprintf("could not encode response: %v", err), http.StatusInternalServerError)
}
- a.Logger.Info("Ready to write reponse ...")
+
+ a.Logger.Info("Ready to write response ...")
+
if _, err := w.Write(resp); err != nil {
a.Logger.Error("Can't write response")
http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError)
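Review bot: The encode-failure branch just above the renamed log line calls `http.Error(w, fmt.Sprintf("could not encode response: %v", err), http.StatusInternalServerError)` but does not return, so the handler goes on to log "Ready to write response ..." and call `w.Write(resp)` with whatever `resp` holds on top of the 500 already sent. Add `return` directly after that `http.Error`, as the earlier body-read failure branch in this function already does. webhookCTRL continues beyond both ends of the hunk.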
diff --git a/internal/app/handler.go b/internal/app/handler.go
index 57f8938..874bdcb 100644
--- a/internal/app/handler.go
+++ b/internal/app/handler.go
@@ -23,7 +23,6 @@ import (
"strings"
"github.com/banzaicloud/anchore-image-validator/pkg/apis/security/v1alpha1"
- clientv1alpha1 "github.com/banzaicloud/anchore-image-validator/pkg/clientset/v1alpha1"
"github.com/sirupsen/logrus"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
@@ -44,15 +43,19 @@ type auditInfo struct {
func getReleaseName(labels map[string]string, p string) (string, bool) {
release := labels["release"]
+
if release != "" {
logrus.WithFields(logrus.Fields{
"release": release,
}).Info("Check whitelist")
+
return release, false
}
+
logrus.WithFields(logrus.Fields{
"PodName": p,
}).Info("Missing release label, using PodName")
+
return p, true
}
@@ -62,15 +65,19 @@ func checkWhiteList(wl []v1alpha1.WhiteListItem, r string, f bool) bool {
logrus.WithFields(logrus.Fields{
"FakeRelease": true,
}).Info("Missing release label, using PodName")
+
fakeRelease := string(res.ObjectMeta.Name + "-")
if strings.Contains(r, fakeRelease) {
return true
}
}
+
if r == res.ObjectMeta.Name {
return true
}
+
match := regexpWhiteList(res)
+
if match != nil {
if match.MatchString(r) {
return true
@@ -89,14 +96,17 @@ func regexpWhiteList(wl v1alpha1.WhiteListItem) *regexp.Regexp {
"error": err,
"expression": wl.Spec.Regexp,
}).Error("regexp compile error")
+
return nil
}
+
return match
}
+
return nil
}
-func createOrUpdateAudit(a auditInfo, c client.Client, sc *clientv1alpha1.Securityv1Alpha1Client) {
+func createOrUpdateAudit(a auditInfo, c client.Client) {
auditCR := &v1alpha1.Audit{
TypeMeta: metav1.TypeMeta{
Kind: "Audit",
@@ -121,37 +131,35 @@ func createOrUpdateAudit(a auditInfo, c client.Client, sc *clientv1alpha1.Securi
auditCR.SetOwnerReferences(a.owners)
err := c.Create(context.Background(), auditCR)
- audit, err := sc.Audits().Create(auditCR)
if err != nil {
logrus.Error(err)
- actionByte := []byte(`{"spec":`)
- aSpec, er := json.Marshal(auditCR.Spec)
- if er != nil {
- logrus.Error(er)
+ aCR, err := json.Marshal(auditCR)
+
+ if err != nil {
+ logrus.Error(err)
}
- actionByte = append(actionByte, aSpec...)
- tail := []byte(`}`)
- actionByte = append(actionByte, tail...)
- err = c.Patch(context.Background(), auditCR, client.ConstantPatch(types.MergePatchType, actionByte))
- audit, err = sc.Audits().Update(a.name, actionByte)
+ err = c.Patch(context.Background(), auditCR, client.ConstantPatch(types.JSONPatchType, aCR))
+
if err != nil {
logrus.Error(err)
} else {
logrus.WithFields(logrus.Fields{
- "Audit": audit,
+ "Audit": auditCR,
}).Debug("Update Audit")
}
} else {
logrus.WithFields(logrus.Fields{
- "Audit": audit,
+ "Audit": auditCR,
}).Debug("Created Audit")
}
}
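Review bot: `client.ConstantPatch(types.JSONPatchType, aCR)` sends the marshalled Audit object as the patch body, but a JSON patch (RFC 6902) must be an array of operations, so the API server will reject every update and the "Update Audit" path can never succeed; the previous `types.MergePatchType` was the right patch type for a partial object body. `client.ConstantPatch(types.MergePatchType, aCR)` restores a working update (a merge patch accepts an object-shaped body), or `client.MergeFrom` can be used to compute it. The inner `aCR, err := json.Marshal(auditCR)` also shadows the outer `err`, and on a marshal failure the code logs and still issues the patch with a nil body instead of returning. Finally, any `c.Create` failure (RBAC denial, timeout) is treated as "already exists"; checking `IsAlreadyExists(err)` from k8s.io/apimachinery/pkg/api/errors before taking the update branch would keep other failures from masquerading as updates. createOrUpdateAudit starts outside the hunk.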
-func listAudits(c client.Client, sc *clientv1alpha1.Securityv1Alpha1Client) {
- audits, err := sc.Audits().List(metav1.ListOptions{})
+func listAudits(c client.Client) {
+ audits := &v1alpha1.AuditList{}
+ err := c.List(context.Background(), audits)
+
if err != nil {
logrus.Error(err)
} else {
diff --git a/internal/app/validate.go b/internal/app/validate.go
index b93e2b3..4e684ab 100644
--- a/internal/app/validate.go
+++ b/internal/app/validate.go
@@ -23,24 +23,24 @@ import (
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"logur.dev/logur"
- "sigs.k8s.io/controller-runtime/pkg/client"
+ // "sigs.k8s.io/controller-runtime/pkg/client"
)
func validate(ar *admissionv1beta1.AdmissionReview,
- logger logur.Logger, c client.Client) *admissionv1beta1.AdmissionResponse {
-
+ logger logur.Logger) *admissionv1beta1.AdmissionResponse {
req := ar.Request
+ // c client.Client
logger.Info("AdmissionReview for", map[string]interface{}{
"Kind": req.Kind,
"Namespsce": req.Namespace,
"Resource": req.Resource,
"UserInfo": req.UserInfo})
- switch req.Kind.Kind {
- case "Pod":
+ if req.Kind.Kind == "Pod" {
pod := v1.Pod{}
if err := json.Unmarshal(req.Object.Raw, &pod); err != nil {
logger.Error("could not unmarshal raw object")
+
return &admissionv1beta1.AdmissionResponse{
Result: &metav1.Status{
Message: err.Error(),
@@ -57,6 +57,7 @@ func validate(ar *admissionv1beta1.AdmissionReview,
},
}
}
+
if !ok {
return &admissionv1beta1.AdmissionResponse{
Allowed: false,
@@ -78,6 +79,5 @@ func validate(ar *admissionv1beta1.AdmissionReview,
}
func checkImage(pod *v1.Pod, namespave string, logger logur.Logger) (bool, error) {
-
return false, nil
}
diff --git a/pkg/anchore/client.go b/pkg/anchore/client.go
index bbfb6ed..811be9d 100644
--- a/pkg/anchore/client.go
+++ b/pkg/anchore/client.go
@@ -36,73 +36,96 @@ func anchoreRequest(path string, bodyParams map[string]string, method string) ([
fullURL := anchoreEngineURL + path
client := &http.Client{}
- bodyParamJson, err := json.Marshal(bodyParams)
+ bodyParamJSON, err := json.Marshal(bodyParams)
+
if err != nil {
logrus.Fatal(err)
}
- req, err := http.NewRequest(method, fullURL, bytes.NewBuffer(bodyParamJson))
+
+ req, err := http.NewRequest(method, fullURL, bytes.NewBuffer(bodyParamJSON))
+
if err != nil {
logrus.Fatal(err)
}
+
req.SetBasicAuth(username, password)
+
logrus.WithFields(logrus.Fields{
"url": fullURL,
"bodyParams": bodyParams,
}).Info("Sending request")
+
req.Header.Add("Content-Type", "application/json")
resp, err := client.Do(req)
+
if err != nil {
return nil, fmt.Errorf("failed to complete request to Anchore: %v", err)
}
+
bodyText, err := ioutil.ReadAll(resp.Body)
+ defer resp.Body.Close()
+
logrus.WithFields(logrus.Fields{
"response": string(bodyText),
}).Info("Anchore Response Body")
+
if err != nil {
return nil, fmt.Errorf("failed to complete request to Anchore: %v", err)
}
+
if resp.StatusCode != 200 {
return nil, fmt.Errorf("response from Anchore: %d", resp.StatusCode)
}
+
return bodyText, nil
}
func getStatus(digest string, tag string) bool {
path := fmt.Sprintf("/v1/images/%s/check?history=false&detail=false&tag=%s", digest, tag)
body, err := anchoreRequest(path, nil, "GET")
+
if err != nil {
logrus.Error(err)
return false
}
+
var result []map[string]map[string][]SHAResult
err = json.Unmarshal(body, &result)
+
if err != nil {
logrus.Error(err)
return false
}
resultIndex := fmt.Sprintf("docker.io/%s:latest", tag)
+
return result[0][digest][resultIndex][0].Status == "pass"
}
func getImage(imageRef string) (Image, error) {
params := map[string]string{"tag": imageRef}
body, err := anchoreRequest("/v1/images?history=false", params, "GET")
+
if err != nil {
return Image{}, err
}
+
var images []Image
err = json.Unmarshal(body, &images)
+
if err != nil {
return Image{}, fmt.Errorf("failed to unmarshal JSON from response: %v", err)
}
+
return images[0], nil
}
func getImageDigest(imageRef string) (string, error) {
image, err := getImage(imageRef)
+
if err != nil {
return "", fmt.Errorf("failed to get image digest: %v", err)
}
+
return image.ImageDigest, nil
}
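Review bot: The new `defer resp.Body.Close()` is registered only after `ioutil.ReadAll(resp.Body)`; place it immediately after the `client.Do` error check so the body is released on every path, including a panic inside ReadAll, and so body-close linters stop flagging the call. In `getStatus`, the request path is built with `fmt.Sprintf("/v1/images/%s/check?history=false&detail=false&tag=%s", digest, tag)` from an image reference that presumably originates in the admitted pod spec, so a tag containing `&` or `#` rewrites the query sent to Anchore; assemble it with `url.Values` and `url.PathEscape` instead. `result[0][digest][resultIndex][0]`, `images[0]` in `getImage`, and `images[0].LastUpdated` in the next hunk index decoded responses without a length check, so an empty JSON array from Anchore panics the webhook rather than failing the check. `logrus.Fatal(err)` on a marshal error in `anchoreRequest` terminates the whole admission server for one bad request; return the error to the caller instead.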
@@ -110,12 +133,15 @@ func getImageDigest(imageRef string) (string, error) {
func AddImage(image string) error {
params := map[string]string{"tag": image}
_, err := anchoreRequest("/v1/images", params, "POST")
+
if err != nil {
return err
}
+
logrus.WithFields(logrus.Fields{
"Image": image,
}).Info("Added image to Anchore Engine")
+
return nil
}
@@ -123,14 +149,18 @@ func AddImage(image string) error {
func CheckImage(image string) (v1alpha1.AuditImage, bool) {
imageParts := strings.Split(image, ":")
tag := "latest"
+
if len(imageParts) > 1 {
tag = imageParts[1]
}
+
digest, err := getImageDigest(image)
+
if err != nil {
AddImage(image)
digest, _ = getImageDigest(image)
}
+
lastUpdated := getImageLastUpdate(digest)
auditImage := v1alpha1.AuditImage{
ImageName: imageParts[0],
@@ -138,21 +168,26 @@ func CheckImage(image string) (v1alpha1.AuditImage, bool) {
ImageDigest: digest,
LastUpdated: lastUpdated,
}
+
return auditImage, getStatus(digest, tag)
}
func getImageLastUpdate(digest string) string {
path := fmt.Sprintf("/v1/images/%s?history=false&detail=false", digest)
body, err := anchoreRequest(path, nil, "GET")
+
if err != nil {
logrus.Error(err)
return ""
}
+
var images []Image
err = json.Unmarshal(body, &images)
+
if err != nil {
logrus.Error(err)
return ""
}
+
return images[0].LastUpdated
}
diff --git a/pkg/anchore/types.go b/pkg/anchore/types.go
index 9fcd20e..d3cabc9 100644
--- a/pkg/anchore/types.go
+++ b/pkg/anchore/types.go
@@ -19,7 +19,7 @@ package anchore
// Check type for Anchore check
type Check struct {
LastEvaluation string `json:"last_evaluation"`
- PolicyId string `json:"policy_id"`
+ PolicyID string `json:"policy_id"`
Status string `json:"status"`
}
diff --git a/pkg/apis/security/v1alpha1/deepcopy.go b/pkg/apis/security/v1alpha1/deepcopy.go
index 9831d72..7b01d9c 100644
--- a/pkg/apis/security/v1alpha1/deepcopy.go
+++ b/pkg/apis/security/v1alpha1/deepcopy.go
@@ -45,10 +45,12 @@ func (in *WhiteListItemList) DeepCopyObject() runtime.Object {
if in.Items != nil {
out.Items = make([]WhiteListItem, len(in.Items))
+
for i := range in.Items {
in.Items[i].DeepCopyInto(&out.Items[i])
}
}
+
return &out
}
@@ -81,9 +83,11 @@ func (in *AuditList) DeepCopyObject() runtime.Object {
if in.Items != nil {
out.Items = make([]Audit, len(in.Items))
+
for i := range in.Items {
in.Items[i].DeepCopyInto(&out.Items[i])
}
}
+
return &out
}
diff --git a/pkg/apis/security/v1alpha1/register.go b/pkg/apis/security/v1alpha1/register.go
index ccbdcee..8954d34 100644
--- a/pkg/apis/security/v1alpha1/register.go
+++ b/pkg/apis/security/v1alpha1/register.go
@@ -47,5 +47,6 @@ func addKnownTypes(scheme *runtime.Scheme) error {
)
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+
return nil
}
diff --git a/pkg/clientset/v1alpha1/api.go b/pkg/clientset/v1alpha1/api.go
deleted file mode 100644
index 102318b..0000000
--- a/pkg/clientset/v1alpha1/api.go
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
-Copyright 2019 Banzai Cloud.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
- "k8s.io/apimachinery/pkg/runtime/schema"
- "k8s.io/apimachinery/pkg/runtime/serializer"
- "k8s.io/client-go/kubernetes/scheme"
- "k8s.io/client-go/rest"
-
- "github.com/banzaicloud/anchore-image-validator/pkg/apis/security/v1alpha1"
-)
-
-// Securityv1Alpha1Interface interface for audit
-type Securityv1Alpha1Interface interface {
- Audits(namespace string) AuditInterface
- Whitelists(namespace string) WhiteListInterface
-}
-
-// Securityv1Alpha1Client client for crd
-type Securityv1Alpha1Client struct {
- restClient rest.Interface
-}
-
-// SecurityConfig for admission hook configuration
-func SecurityConfig(c *rest.Config) (*Securityv1Alpha1Client, error) {
- config := *c
- config.ContentConfig.GroupVersion = &schema.GroupVersion{Group: v1alpha1.GroupName, Version: v1alpha1.GroupVersion}
- config.APIPath = "/apis"
- config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
- config.UserAgent = rest.DefaultKubernetesUserAgent()
-
- client, err := rest.RESTClientFor(&config)
- if err != nil {
- return nil, err
- }
-
- return &Securityv1Alpha1Client{restClient: client}, nil
-}
-
-// Audits returns Audits for client
-func (c *Securityv1Alpha1Client) Audits() AuditInterface {
- return &auditClient{
- restClient: c.restClient,
- }
-}
-
-// Whitelists return WhiteLists for client
-func (c *Securityv1Alpha1Client) Whitelists() WhiteListInterface {
- return &whitelistClient{
- restClient: c.restClient,
- }
-}
diff --git a/pkg/clientset/v1alpha1/audit.go b/pkg/clientset/v1alpha1/audit.go
deleted file mode 100644
index cd86be4..0000000
--- a/pkg/clientset/v1alpha1/audit.go
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
-Copyright 2019 Banzai Cloud.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/types"
- "k8s.io/client-go/kubernetes/scheme"
- "k8s.io/client-go/rest"
-
- "github.com/banzaicloud/anchore-image-validator/pkg/apis/security/v1alpha1"
-)
-
-// AuditInterface for audit
-type AuditInterface interface {
- List(metav1.ListOptions) (*v1alpha1.AuditList, error)
- Get(string, metav1.GetOptions) (*v1alpha1.Audit, error)
- Create(*v1alpha1.Audit) (*v1alpha1.Audit, error)
- Update(string, []byte) (*v1alpha1.Audit, error)
-}
-
-type auditClient struct {
- restClient rest.Interface
-}
-
-func (c *auditClient) List(opts metav1.ListOptions) (*v1alpha1.AuditList, error) {
- result := v1alpha1.AuditList{}
- err := c.restClient.
- Get().
- Resource("audits").
- VersionedParams(&opts, scheme.ParameterCodec).
- Do().
- Into(&result)
-
- return &result, err
-}
-
-func (c *auditClient) Get(name string, opts metav1.GetOptions) (*v1alpha1.Audit, error) {
- result := v1alpha1.Audit{}
- err := c.restClient.
- Get().
- Resource("audits").
- Name(name).
- VersionedParams(&opts, scheme.ParameterCodec).
- Do().
- Into(&result)
-
- return &result, err
-}
-
-func (c *auditClient) Create(audit *v1alpha1.Audit) (*v1alpha1.Audit, error) {
- result := v1alpha1.Audit{}
- err := c.restClient.
- Post().
- Resource("audits").
- Body(audit).
- Do().
- Into(&result)
-
- return &result, err
-}
-
-func (c *auditClient) Update(name string, auditPatch []byte) (*v1alpha1.Audit, error) {
- result := v1alpha1.Audit{}
- err := c.restClient.
- Patch(types.MergePatchType).
- Resource("audits").
- Name(name).
- Body(auditPatch).
- Do().
- Into(&result)
-
- return &result, err
-}
diff --git a/pkg/clientset/v1alpha1/whitelist.go b/pkg/clientset/v1alpha1/whitelist.go
deleted file mode 100644
index 4b7b106..0000000
--- a/pkg/clientset/v1alpha1/whitelist.go
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
-Copyright 2019 Banzai Cloud.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/client-go/kubernetes/scheme"
- "k8s.io/client-go/rest"
-
- "github.com/banzaicloud/anchore-image-validator/pkg/apis/security/v1alpha1"
-)
-
-// WhiteListInterface for whitelist
-type WhiteListInterface interface {
- List(opts metav1.ListOptions) (*v1alpha1.WhiteListItemList, error)
- Get(name string, options metav1.GetOptions) (*v1alpha1.WhiteListItem, error)
- Create(*v1alpha1.WhiteListItem) (*v1alpha1.WhiteListItem, error)
- Delete(name string, options *metav1.DeleteOptions) error
-}
-
-type whitelistClient struct {
- restClient rest.Interface
-}
-
-func (c *whitelistClient) List(opts metav1.ListOptions) (*v1alpha1.WhiteListItemList, error) {
- result := v1alpha1.WhiteListItemList{}
- err := c.restClient.
- Get().
- Resource("whitelistitems").
- VersionedParams(&opts, scheme.ParameterCodec).
- Do().
- Into(&result)
-
- return &result, err
-}
-
-func (c *whitelistClient) Get(name string, opts metav1.GetOptions) (*v1alpha1.WhiteListItem, error) {
- result := v1alpha1.WhiteListItem{}
- err := c.restClient.
- Get().
- Resource("whitelistitems").
- Name(name).
- VersionedParams(&opts, scheme.ParameterCodec).
- Do().
- Into(&result)
-
- return &result, err
-}
-
-func (c *whitelistClient) Create(whiteListItem *v1alpha1.WhiteListItem) (*v1alpha1.WhiteListItem, error) {
- result := v1alpha1.WhiteListItem{}
- err := c.restClient.
- Post().
- Resource("whitelistitems").
- Body(whiteListItem).
- Do().
- Into(&result)
-
- return &result, err
-}
-
-func (c *whitelistClient) Delete(name string, options *metav1.DeleteOptions) error {
-
- return c.restClient.
- Delete().
- Resource("whitelistitems").
- Name(name).
- Body(options).
- Do().
- Error()
-}
From 7cc0c66329349c25c69206644c2761875a8c5b61 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Tue, 17 Dec 2019 20:40:33 +0100
Subject: [PATCH 63/66] implement original logic
Signed-off-by: Peter Balogh
---
internal/app/app.go | 2 +-
internal/app/handler.go | 10 +--
internal/app/validate.go | 139 ++++++++++++++++++++++++++++++++-------
3 files changed, 120 insertions(+), 31 deletions(-)
diff --git a/internal/app/app.go b/internal/app/app.go
index e937a5e..a371567 100644
--- a/internal/app/app.go
+++ b/internal/app/app.go
@@ -108,7 +108,7 @@ func (a *HTTPController) webhookCTRL(w http.ResponseWriter, r *http.Request) {
} else {
fmt.Println(r.URL.Path)
if r.URL.Path == imageValidate {
- admissionResponse = validate(&ar, a.Logger) //a.Client)
+ admissionResponse = validate(&ar, a.Logger, a.Client)
}
}
diff --git a/internal/app/handler.go b/internal/app/handler.go
index 874bdcb..d4b7edd 100644
--- a/internal/app/handler.go
+++ b/internal/app/handler.go
@@ -130,8 +130,7 @@ func createOrUpdateAudit(a auditInfo, c client.Client) {
auditCR.SetOwnerReferences(a.owners)
- err := c.Create(context.Background(), auditCR)
- if err != nil {
+ if err := c.Create(context.Background(), auditCR); err != nil {
logrus.Error(err)
aCR, err := json.Marshal(auditCR)
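Review bot: Every Create error now falls through to the Patch path, not only the case where the Audit already exists, so a transient API error or a missing RBAC permission is followed by a second call that usually fails for the same reason and is logged twice. Distinguishing the error first, `if apierrors.IsAlreadyExists(err) {` with `apierrors "k8s.io/apimachinery/pkg/api/errors"` imported, keeps the update path for the case it is meant for and lets other errors surface once. createOrUpdateAudit's body continues outside the hunk.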
@@ -140,9 +139,7 @@ func createOrUpdateAudit(a auditInfo, c client.Client) {
logrus.Error(err)
}
- err = c.Patch(context.Background(), auditCR, client.ConstantPatch(types.JSONPatchType, aCR))
-
- if err != nil {
+ if err := c.Patch(context.Background(), auditCR, client.ConstantPatch(types.JSONPatchType, aCR)); err != nil {
logrus.Error(err)
} else {
logrus.WithFields(logrus.Fields{
@@ -158,9 +155,8 @@ func createOrUpdateAudit(a auditInfo, c client.Client) {
func listAudits(c client.Client) {
audits := &v1alpha1.AuditList{}
- err := c.List(context.Background(), audits)
- if err != nil {
+ if err := c.List(context.Background(), audits); err != nil {
logrus.Error(err)
} else {
logrus.WithFields(logrus.Fields{
diff --git a/internal/app/validate.go b/internal/app/validate.go
index 4e684ab..63a5f1e 100644
--- a/internal/app/validate.go
+++ b/internal/app/validate.go
@@ -17,19 +17,24 @@ limitations under the License.
package app
import (
+ "context"
"encoding/json"
+ "fmt"
+ "strings"
+ "github.com/banzaicloud/anchore-image-validator/pkg/anchore"
+ "github.com/banzaicloud/anchore-image-validator/pkg/apis/security/v1alpha1"
admissionv1beta1 "k8s.io/api/admission/v1beta1"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"logur.dev/logur"
- // "sigs.k8s.io/controller-runtime/pkg/client"
+ "sigs.k8s.io/controller-runtime/pkg/client"
)
func validate(ar *admissionv1beta1.AdmissionReview,
- logger logur.Logger) *admissionv1beta1.AdmissionResponse {
+ logger logur.Logger, c client.Client) *admissionv1beta1.AdmissionResponse {
req := ar.Request
- // c client.Client
+
logger.Info("AdmissionReview for", map[string]interface{}{
"Kind": req.Kind,
"Namespsce": req.Namespace,
@@ -37,6 +42,18 @@ func validate(ar *admissionv1beta1.AdmissionReview,
"UserInfo": req.UserInfo})
if req.Kind.Kind == "Pod" {
+ whitelists := &v1alpha1.WhiteListItemList{}
+
+ if err := c.List(context.Background(), whitelists); err != nil {
+ logger.Error("cannot list whitelistimets", map[string]interface{}{
+ "error": err.Error(),
+ })
+ } else {
+ logger.Debug("whitelists found", map[string]interface{}{
+ "whitelists": whitelists.Items,
+ })
+ }
+
pod := v1.Pod{}
if err := json.Unmarshal(req.Object.Raw, &pod); err != nil {
logger.Error("could not unmarshal raw object")
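Review bot: When `c.List` fails, the error is logged and evaluation continues with an empty `whitelists`, so no release can be whitelisted for that request; that is the fail-closed direction, but nothing in the code says it is intended, so a comment above the `else` such as `// a failed List leaves whitelists empty, so a failed scan cannot be whitelisted (fail closed)` would keep a later refactor from turning it into an allow. The call uses `context.Background()` with no deadline inside the admission path, so a slow API server holds this handler beyond the API server's own webhook timeout; a `context.WithTimeout` derived here would bound it. The log message `"cannot list whitelistimets"` has a typo, `"cannot list whitelistitems"` matches the resource name. validate's body continues outside the hunk.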
@@ -48,24 +65,7 @@ func validate(ar *admissionv1beta1.AdmissionReview,
}
}
- ok, err := checkImage(&pod, pod.GetNamespace(), logger)
- if err != nil {
- return &admissionv1beta1.AdmissionResponse{
- Allowed: false,
- Result: &metav1.Status{
- Reason: metav1.StatusReason(err.Error()),
- },
- }
- }
-
- if !ok {
- return &admissionv1beta1.AdmissionResponse{
- Allowed: false,
- Result: &metav1.Status{
- Reason: "result of policy evaluation is failed",
- },
- }
- }
+ return checkImage(&pod, whitelists, logger, c)
}
return &admissionv1beta1.AdmissionResponse{
@@ -78,6 +78,99 @@ func validate(ar *admissionv1beta1.AdmissionReview,
}
}
-func checkImage(pod *v1.Pod, namespave string, logger logur.Logger) (bool, error) {
- return false, nil
+func checkImage(pod *v1.Pod,
+ wl *v1alpha1.WhiteListItemList,
+ logger logur.Logger,
+ c client.Client) *admissionv1beta1.AdmissionResponse {
+ result := []string{}
+ auditImages := []v1alpha1.AuditImage{}
+ message := ""
+
+ resp := &admissionv1beta1.AdmissionResponse{
+ Allowed: true,
+ Result: &metav1.Status{
+ Status: "Success",
+ Reason: "",
+ Message: "",
+ },
+ }
+
+ r, f := getReleaseName(pod.Labels, pod.Name)
+
+ for _, container := range pod.Spec.Containers {
+ image := container.Image
+
+ logger.Debug("Checking image", map[string]interface{}{
+ "image": image,
+ })
+
+ auditImage, ok := anchore.CheckImage(image)
+
+ if !ok {
+ resp.Result.Status = "Failure"
+ resp.Allowed = false
+
+ if checkWhiteList(wl.Items, r, f) {
+ resp.Result.Status = "Success"
+ resp.Allowed = true
+
+ logger.Info("Whitelisted release", map[string]interface{}{
+ "PodName": pod.Name,
+ })
+ }
+ message = fmt.Sprintf("Image failed policy check: %s", image)
+ resp.Result.Message = message
+
+ logger.Warn("Image failed policy check", map[string]interface{}{
+ "image": image,
+ })
+ } else {
+ message = fmt.Sprintf("Image passed policy check: %s", image)
+
+ logger.Warn("Image passed policy check", map[string]interface{}{
+ "image": image,
+ })
+ }
+
+ result = append(result, message)
+ auditImages = append(auditImages, auditImage)
+ }
+
+ fr := "false"
+ if f {
+ fr = "true"
+ }
+
+ action := "reject"
+ if resp.Allowed {
+ action = "allowed"
+ }
+
+ owners := pod.GetOwnerReferences()
+ var auditName string
+
+ if len(owners) > 0 {
+ auditName = strings.ToLower(owners[0].Kind) + "-" + strings.ToLower(owners[0].Name)
+ } else {
+ auditName = pod.Name
+ }
+
+ ainfo := auditInfo{
+ name: auditName,
+ labels: map[string]string{"fakerelease": fr},
+ releaseName: r,
+ resource: "Pod",
+ images: auditImages,
+ result: result,
+ action: action,
+ state: "",
+ owners: owners,
+ }
+
+ createOrUpdateAudit(ainfo, c)
+ logger.Debug("Security scan status", map[string]interface{}{
+ "Status": resp,
+ })
+
+ return resp
}
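Review bot: Only `pod.Spec.Containers` is iterated in checkImage, so init-container images are never passed to `anchore.CheckImage` and a pod can run an unscanned image before its main containers start; build the list from both, `containers := append([]v1.Container{}, pod.Spec.InitContainers...)` then `containers = append(containers, pod.Spec.Containers...)`, and range over that. The whitelist override keys on the release name derived from `pod.Labels`, which the submitting user controls, so checkWhiteList (outside this hunk) presumably has to treat the fake-release flag `f` as disqualifying — worth confirming. `resp.Result.Message` is overwritten on each failing container, so only the last failing image is reported to the caller while `result` holds all of them; `resp.Result.Message = strings.Join(result, "; ")` after the loop reports every outcome. The `logger.Warn("Image passed policy check", …)` branch logs a pass at warning level; `logger.Info` is consistent with the level used for the whitelist case.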
From 3225279d947cffe148bdab32368d66ab3441e136 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Tue, 17 Dec 2019 21:50:32 +0100
Subject: [PATCH 64/66] minor fixes
Signed-off-by: Peter Balogh
---
internal/app/handler.go | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/internal/app/handler.go b/internal/app/handler.go
index d4b7edd..ecb3b49 100644
--- a/internal/app/handler.go
+++ b/internal/app/handler.go
@@ -110,7 +110,7 @@ func createOrUpdateAudit(a auditInfo, c client.Client) {
auditCR := &v1alpha1.Audit{
TypeMeta: metav1.TypeMeta{
Kind: "Audit",
- APIVersion: "v1alpha1",
+ APIVersion: "security.banzaicloud.com/v1alpha1",
},
ObjectMeta: metav1.ObjectMeta{
Name: a.name,
@@ -139,7 +139,7 @@ func createOrUpdateAudit(a auditInfo, c client.Client) {
logrus.Error(err)
}
- if err := c.Patch(context.Background(), auditCR, client.ConstantPatch(types.JSONPatchType, aCR)); err != nil {
+ if err := c.Patch(context.Background(), auditCR, client.ConstantPatch(types.MergePatchType, aCR)); err != nil {
logrus.Error(err)
} else {
logrus.WithFields(logrus.Fields{
From e01055711e132d9a4ead1382d9794172399ad85e Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Wed, 18 Dec 2019 11:05:17 +0100
Subject: [PATCH 65/66] update go version in circleci config
Signed-off-by: Peter Balogh
---
.circleci/config.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 38980c4..28c8fb7 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -6,7 +6,7 @@ jobs:
docker_layer_caching: true
environment:
- GO_VERSION: "1.12.3"
+ GO_VERSION: "1.13"
# K8S_VERSION: v1.13.1
# KUBECONFIG: /home/circleci/.kube/config
# MINIKUBE_VERSION: v0.33.1
@@ -45,7 +45,7 @@ jobs:
key: go-mod-v1-{{ .Branch }}-{{ checksum "go.sum" }}
paths:
- "/go/pkg/mod"
-
+
- run:
name: Install license checker
command: make bin/licensei
From 81149df68c297ac654e39b420198f82efa41b687 Mon Sep 17 00:00:00 2001
From: Peter Balogh
Date: Wed, 18 Dec 2019 11:25:14 +0100
Subject: [PATCH 66/66] fix licensei and check-header
Signed-off-by: Peter Balogh
---
.licensei.toml | 3 +++
scripts/check-header.sh | 30 ++++++++++++++++--------------
2 files changed, 19 insertions(+), 14 deletions(-)
diff --git a/.licensei.toml b/.licensei.toml
index 6e94247..c08ac52 100644
--- a/.licensei.toml
+++ b/.licensei.toml
@@ -16,4 +16,7 @@ ignored = [
"go.uber.org/atomic",
"go.uber.org/multierr",
"emperror.dev/errors",
+ "emperror.dev/emperror",
+ "logur.dev/logur",
+ "logur.dev/adapter/logrus",
]
diff --git a/scripts/check-header.sh b/scripts/check-header.sh
index 1b9610b..1c52977 100755
--- a/scripts/check-header.sh
+++ b/scripts/check-header.sh
@@ -1,19 +1,21 @@
#!/usr/bin/env bash
read -r -d '' EXPECTED <