banzaicloud · pbalogh-sa · Aug 31, 2018 · Sep 3, 2018 · Sep 3, 2018 · Sep 3, 2018
@@ -6,7 +6,7 @@ jobs:
       docker_layer_caching: true
 
     environment:
-      GO_VERSION: "1.12.3"
+      GO_VERSION: "1.13"
       # K8S_VERSION: v1.13.1
       # KUBECONFIG: /home/circleci/.kube/config
       # MINIKUBE_VERSION: v0.33.1
@@ -45,7 +45,7 @@ jobs:
           key: go-mod-v1-{{ .Branch }}-{{ checksum "go.sum" }}
           paths:
             - "/go/pkg/mod"
-      
+
       - run:
           name: Install license checker
           command: make bin/licensei

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
@@ -16,4 +16,7 @@ ignored = [
   "go.uber.org/atomic",
   "go.uber.org/multierr",
   "emperror.dev/errors",
+  "emperror.dev/emperror",
+  "logur.dev/logur",
+  "logur.dev/adapter/logrus",
 ]
@@ -0,0 +1,17 @@
+{
+    // Use IntelliSense to learn about possible attributes.
+    // Hover to view descriptions of existing attributes.
+    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "Launch",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceRoot}/cmd/main.go",
+            "env": {},
+            "args": ["--dev-http"]
+        }
+    ]
+}
@@ -1,4 +1,4 @@
-FROM golang:1.12-alpine AS builder
+FROM golang:1.13-alpine AS builder
 
 RUN apk add --update --no-cache ca-certificates git
 
@@ -10,11 +10,9 @@ RUN go mod download
 COPY . /build
 RUN go install ./cmd 
 
-FROM alpine:3.9
+FROM alpine:3.10
 
 COPY --from=builder /go/bin/cmd /usr/local/bin/anchore-image-validator
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 
-USER 65534:65534
-
 ENTRYPOINT ["/usr/local/bin/anchore-image-validator"]
@@ -1,10 +1,10 @@
-FROM golang:1.12-alpine AS builder
+FROM golang:1.13-alpine AS builder
 
 RUN apk add --update --no-cache ca-certificates git
 
 RUN go get github.com/derekparker/delve/cmd/dlv
 
-FROM alpine:3.9
+FROM alpine:3.10
 
 RUN apk add --update --no-cache libc6-compat
 

@@ -21,10 +21,10 @@ endif
 DOCKER_TAG ?= ${VERSION}
 
 # Dependency versions
-GOLANGCI_VERSION = 1.12.3
+GOLANGCI_VERSION = 1.21.0
 LICENSEI_VERSION = 0.1.0
 
-GOLANG_VERSION = 1.12
+GOLANG_VERSION = 1.13
 
 .PHONY: clean
 clean: ## Clean the working area and the project

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
@@ -0,0 +1,14 @@
+apiVersion: v1
+description: A Helm chart for anchore-policy-validator admission controller
+name: anchore-policy-validator
+version: 0.4.4
+appVersion: 0.3.6
+keywords:
+ - analysis
+ - "anchore-policy-validator"
+ - image
+ - security
+maintainers:
+- name: Banzai Cloud
+  email: info@banzaicloud.com
+engine: gotpl
@@ -0,0 +1,54 @@
+# Anchore policy validator
+
+This chart deploys an admission-server that is used as a ValidatingWebhook in a k8s cluster. If it's working, kubernetes will send requests to the admission server when a Pod creation is initiated. The server checks the image, which is defined in PodSpec, against configured Anchore-engine API. If the API responds with an error, that the image is not valid according to defined policy, k8s will reject the Pod creation request.
+
+## Installing the Chart
+
+```bash
+$ helm repo add banzaicloud-stable http://kubernetes-charts.banzaicloud.com/branch/master
+$ helm repo update
+```
+
+Deploying anchore-policy-validator using external Anchore-engine service:
+
+```bash
+$ helm install --name <name> --set externalAnchore.anchoreHost=<my.anchore.host>  --set externalAnchore.anchoreUser=<username> -set externalAnchore.anchorePass=<password> banzaicloud-stable/anchore-policy-validator
+```
+
+
+During deploying this chart, it's creating predefined policy bundles and activates `AllowAll` by default.
+
+## Policy bundles
+
+|  PolicyName   |                         Description                         |
+|---------------|-------------------------------------------------------------|
+|AllowAll       |Allow all images to deploy                                   |
+|RejectCritical |Reject deploying images that contain `critical` vulnerabiliy |
+|RejectHigh     |Reject deploying images that contain `high` vulnerabiliy     |
+|BlockRoot      |Block deploying images that using `root` as effective user   |
+|DenyAll        |Deny all imagest to deploy                                   |
+
+
+## Configuration
+
+The following tables lists configurable parameters of the anchore-policy-validator chart and their default values.
+
+|               Parameter             |                Description                  |                  Default                 |
+| ----------------------------------- | ------------------------------------------- | -----------------------------------------|
+|replicaCount                         |number of replicas                           |1                                         |
+|logVerbosity                         |log verbosity level                          |8                                         |
+|apiService.group                     |group of registered api service              |admission.anchore.io                      |
+|apiService.version                   |version of registered api service            |v1beta1                                   |
+|image.repository                     |admission-server image repo                  |banzaicloud/anchore-image-validator       |
+|image.tag                            |admission-server image tag                   |0.3.6                                     |
+|image.pullPolicy                     |admission-server image pull policy           |IfNotPresent                              |
+|service.name                         |validation sevice name                       |anchoreimagecheck                         |
+|service.type                         |validation service type                      |ClusterIP                                 |
+|service.externalPort                 |validation service external port             |443                                       |
+|service.internalPort                 |validation service external port             |443                                       |
+|externalAnchore.anchoreHost          |external anchore-engine host                 |""                                        |
+|externalAnchore.anchoreUser          |external anchore-engine username             |""                                        |
+|externalAnchore.anchorePass          |external anchore-engine password             |""                                        |
+|rbac.enabled                         |enable RBAC                                  |true                                      |
+|rbac.psp.enabled                     |add PSP resources if enabled                 |false                                     |
+|namespaceSelector                    |webHookConfig namespaceSelector behaviour    |"" (exclude)                              |
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "anchore-policy-validator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "anchore-policy-validator.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "anchore-policy-validator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
@@ -0,0 +1,64 @@
+{{ $ca := genCA "svc-cat-ca" 3650 }}
+{{- $svcName := include "anchore-policy-validator.fullname" . }}
+{{- $cn := printf "%s.%s.svc" $svcName .Release.Namespace }}
+{{- $altName1 := printf "%s.cluster.local" $cn }}
+{{- $altName2 := printf "%s" $cn }}
+{{- $server := genSignedCert $cn nil (list $altName1 $altName2) 365 $ca }}
+{{- $major := .Capabilities.KubeVersion.Major -}}
+{{- $minor := .Capabilities.KubeVersion.Minor -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "anchore-policy-validator.fullname" . }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ b64enc $server.Cert }}
+  tls.key: {{ b64enc $server.Key }}
+  ca.crt: {{ b64enc $ca.Cert }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: {{ template "anchore-policy-validator.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+webhooks:
+- name: pods.{{ template "anchore-policy-validator.name" . }}.admission.banzaicloud.com
+  clientConfig:
+    service:
+      namespace: {{ .Release.Namespace }}
+      name: {{ template "anchore-policy-validator.fullname" . }}
+      path: /imagecheck
+    caBundle: {{ b64enc $ca.Cert }}
+  rules:
+  - apiGroups:   [""]
+    apiVersions: ["v1"]
+    operations:  ["CREATE"]
+    resources:   ["pods"]
+    scope:       "*"
+  admissionReviewVersions: ["v1", "v1beta1"]
+  failurePolicy: {{ .Values.podsFailurePolicy }}
+  sideEffects: None
+  namespaceSelector:
+  {{- if .Values.namespaceSelector.matchLabels }}
+    matchLabels:
+{{ toYaml .Values.namespaceSelector.matchLabels | indent 6 }}
+  {{- end }}
+    matchExpressions:
+  {{- if .Values.namespaceSelector.matchExpressions }}
+{{ toYaml .Values.namespaceSelector.matchExpressions | indent 6 }}
+  {{- end }}
+    - key: name
+      operator: NotIn
+      values:
+      - {{ .Release.Namespace }}
+{{- if and (eq (int $major) 1) (ge (int $minor) 15) }}
+  objectSelector:
+    matchExpressions:
+  {{- if .Values.objectSelector.matchExpressions }}
+{{ toYaml .Values.objectSelector.matchExpressions | indent 4 }}
+  {{- end }}
+    - key: security.banzaicloud.io/validate
+      operator: NotIn
+      values:
+      - skip
+{{- end }}
@@ -0,0 +1,67 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: audits.security.banzaicloud.com
+spec:
+  group: security.banzaicloud.com
+  version: v1alpha1
+  names:
+    kind: Audit
+    plural: audits
+    singular: audit
+  scope: Cluster
+  validation:
+    openAPIV3Schema:
+      properties:
+        spec:
+          required:
+            - releaseName
+            - resource
+            - image
+            - result
+            - action
+          properties:
+            releaseName:
+              type: string
+            resource:
+              type: string
+            image:
+              type: array
+              items:
+                type: object
+                properties:
+                  imageName:
+                    type: string
+                  imageTag:
+                    type: string
+                  imageDigest:
+                    type: string
+                  lastUpdated:
+                    type: string
+            result:
+              type: array
+              items:
+                type: string
+            action:
+              type: string
+        status:
+          properties:
+            state:
+              type: string
+  additionalPrinterColumns:
+  - name: ReleaseName
+    type: string
+    JSONPath: .spec.releaseName
+    priority: 1
+  - name: Image
+    type: string
+    JSONPath: .spec.image[*].imageName
+    priority: 2
+  - name: result
+    type: string
+    JSONPath: .spec.result
+    priority: 3
+  - name: action
+    type: string
+    JSONPath: .spec.action
+    priority: 4