Drop generic admission server

.circleci/config.yml

@@ -6,7 +6,7 @@ jobs:
       docker_layer_caching: true
 
     environment:
-      GO_VERSION: "1.12.3"
+      GO_VERSION: "1.13"
       # K8S_VERSION: v1.13.1
       # KUBECONFIG: /home/circleci/.kube/config
       # MINIKUBE_VERSION: v0.33.1
@@ -45,7 +45,7 @@ jobs:
           key: go-mod-v1-{{ .Branch }}-{{ checksum "go.sum" }}
           paths:
             - "/go/pkg/mod"
-      
+
       - run:
           name: Install license checker
           command: make bin/licensei

.licensei.toml

@@ -16,4 +16,7 @@ ignored = [
   "go.uber.org/atomic",
   "go.uber.org/multierr",
   "emperror.dev/errors",
+  "emperror.dev/emperror",
+  "logur.dev/logur",
+  "logur.dev/adapter/logrus",
 ]

.vscode/launch.json

@@ -0,0 +1,17 @@
+{
+    // Use IntelliSense to learn about possible attributes.
+    // Hover to view descriptions of existing attributes.
+    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "Launch",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceRoot}/cmd/main.go",
+            "env": {},
+            "args": ["--dev-http"]
+        }
+    ]
+}

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.12-alpine AS builder
+FROM golang:1.13-alpine AS builder
 
 RUN apk add --update --no-cache ca-certificates git
 
@@ -10,11 +10,9 @@ RUN go mod download
 COPY . /build
 RUN go install ./cmd 
 
-FROM alpine:3.9
+FROM alpine:3.10
 
 COPY --from=builder /go/bin/cmd /usr/local/bin/anchore-image-validator
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 
-USER 65534:65534
-
 ENTRYPOINT ["/usr/local/bin/anchore-image-validator"]

Dockerfile.debug

@@ -1,10 +1,10 @@
-FROM golang:1.12-alpine AS builder
+FROM golang:1.13-alpine AS builder
 
 RUN apk add --update --no-cache ca-certificates git
 
 RUN go get github.com/derekparker/delve/cmd/dlv
 
-FROM alpine:3.9
+FROM alpine:3.10
 
 RUN apk add --update --no-cache libc6-compat
 

Makefile

@@ -21,10 +21,10 @@ endif
 DOCKER_TAG ?= ${VERSION}
 
 # Dependency versions
-GOLANGCI_VERSION = 1.12.3
+GOLANGCI_VERSION = 1.21.0
 LICENSEI_VERSION = 0.1.0
 
-GOLANG_VERSION = 1.12
+GOLANG_VERSION = 1.13
 
 .PHONY: clean
 clean: ## Clean the working area and the project

charts/anchore-policy-validator/templates/apiservice-webhook.yaml

@@ -1,32 +1,64 @@
 {{ $ca := genCA "svc-cat-ca" 3650 }}
-{{ $cn := printf "%s-%s.%s.svc" .Release.Name .Chart.Name .Release.Namespace }}
-{{ $server := genSignedCert $cn nil nil 365 $ca }}
-
+{{- $svcName := include "anchore-policy-validator.fullname" . }}
+{{- $cn := printf "%s.%s.svc" $svcName .Release.Namespace }}
+{{- $altName1 := printf "%s.cluster.local" $cn }}
+{{- $altName2 := printf "%s" $cn }}
+{{- $server := genSignedCert $cn nil (list $altName1 $altName2) 365 $ca }}
+{{- $major := .Capabilities.KubeVersion.Major -}}
+{{- $minor := .Capabilities.KubeVersion.Minor -}}
 apiVersion: v1
-kind: List
+kind: Secret
 metadata:
-items:
-
-- apiVersion: v1
-  kind: Secret
-  metadata:
-    name: {{ template "anchore-policy-validator.fullname" . }}
-    type: kubernetes.io/tls
-  data:
-    servingCert: {{ b64enc $server.Cert }}
-    servingKey: {{ b64enc $server.Key }}
-    caCert: {{ b64enc $ca.Cert }}
-
-- apiVersion: apiregistration.k8s.io/v1beta1
-  kind: APIService
-  metadata:
-    name: {{ .Values.apiService.version }}.{{ .Values.apiService.group }}
-  spec:
-    caBundle: {{ b64enc $ca.Cert }}
-    group: {{ .Values.apiService.group }}
-    groupPriorityMinimum: 1000
-    versionPriority: 15
+  name: {{ template "anchore-policy-validator.fullname" . }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ b64enc $server.Cert }}
+  tls.key: {{ b64enc $server.Key }}
+  ca.crt: {{ b64enc $ca.Cert }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: {{ template "anchore-policy-validator.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+webhooks:
+- name: pods.{{ template "anchore-policy-validator.name" . }}.admission.banzaicloud.com
+  clientConfig:
     service:
-      name: {{ template "anchore-policy-validator.fullname" . }}
       namespace: {{ .Release.Namespace }}
-    version: {{ .Values.apiService.version }}
+      name: {{ template "anchore-policy-validator.fullname" . }}
+      path: /imagecheck
+    caBundle: {{ b64enc $ca.Cert }}
+  rules:
+  - apiGroups:   [""]
+    apiVersions: ["v1"]
+    operations:  ["CREATE"]
+    resources:   ["pods"]
+    scope:       "*"
+  admissionReviewVersions: ["v1", "v1beta1"]
+  failurePolicy: {{ .Values.podsFailurePolicy }}
+  sideEffects: None
+  namespaceSelector:
+  {{- if .Values.namespaceSelector.matchLabels }}
+    matchLabels:
+{{ toYaml .Values.namespaceSelector.matchLabels | indent 6 }}
+  {{- end }}
+    matchExpressions:
+  {{- if .Values.namespaceSelector.matchExpressions }}
+{{ toYaml .Values.namespaceSelector.matchExpressions | indent 6 }}
+  {{- end }}
+    - key: name
+      operator: NotIn
+      values:
+      - {{ .Release.Namespace }}
+{{- if and (eq (int $major) 1) (ge (int $minor) 15) }}
+  objectSelector:
+    matchExpressions:
+  {{- if .Values.objectSelector.matchExpressions }}
+{{ toYaml .Values.objectSelector.matchExpressions | indent 4 }}
+  {{- end }}
+    - key: security.banzaicloud.io/validate
+      operator: NotIn
+      values:
+      - skip
+{{- end }}

charts/anchore-policy-validator/templates/validator-deployment.yaml

@@ -1,4 +1,4 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ template "anchore-policy-validator.fullname" . }}
@@ -10,11 +10,16 @@ metadata:
     component: admission-server
 spec:
   replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: {{ template "anchore-policy-validator.name" . }}
+      release: {{ .Release.Name }}
   template:
     metadata:
       labels:
         app: {{ template "anchore-policy-validator.name" . }}
         release: {{ .Release.Name }}
+        security.banzaicloud.io/validate: skip
     spec:
       {{- if .Values.rbac.enabled }}
       serviceAccountName: {{ template "anchore-policy-validator.fullname" . }}
@@ -26,17 +31,15 @@ spec:
           secretName: {{ template "anchore-policy-validator.fullname" . }}
       - name: tmp
         emptyDir: {}
+      securityContext:
+        runAsUser: 65534
+        fsGroup: 65534
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           command:
           - "/usr/local/bin/anchore-image-validator"
-          - "--audit-log-path=-"
-          - "--tls-cert-file=/var/serving-cert/servingCert"
-          - "--tls-private-key-file=/var/serving-cert/servingKey"
-          - "--v={{ .Values.logVerbosity }}"
-          - "--secure-port={{ .Values.service.internalPort }}"
           env:
           - name: KUBERNETES_NAMESPACE
             value: {{ .Release.Namespace }}
@@ -54,20 +57,18 @@ spec:
             value: {{ .Values.externalAnchore.anchoreHost }}
           - name: NAMESPACE_SELECTOR
             value: {{ default "exclude" .Values.namespaceSelector }}
+          ports:
+            - containerPort: {{ .Values.service.internalPort }}
           securityContext:
             readOnlyRootFilesystem: true
             allowPrivilegeEscalation: false
-            runAsUser: 65534
-            fsGroup: 65534
-          ports:
-            - containerPort: {{ .Values.service.internalPort }}
           livenessProbe:
             httpGet:
-              path: /healthz
+              path: /imagecheck
               port: {{ .Values.service.internalPort }}
               scheme: HTTPS
           volumeMounts:
-          - mountPath: /var/serving-cert
+          - mountPath: /webhook/certs
             name: serving-cert
           - mountPath: /tmp
             name: tmp

charts/anchore-policy-validator/templates/whitelist-crd.yaml

@@ -9,8 +9,6 @@ spec:
     kind: WhiteListItem
     plural: whitelistitems
     singular: whitelistitem
-    shortnames:
-      - wl
   scope: Cluster
   validation:
     openAPIV3Schema:

charts/anchore-policy-validator/values.yaml

@@ -5,7 +5,7 @@ apiService:
   version: v1beta1
 image:
   repository: banzaicloud/anchore-image-validator
-  tag: 0.3.6
+  tag: remove-generic-admission-server
   pullPolicy: IfNotPresent
 service:
   name: anchoreimagecheck
@@ -18,7 +18,9 @@ externalAnchore:
   anchorePass: ""
 resources: {}
 
-namespaceSelector: ""
+namespaceSelector: {}
+
+objectSelector: {}
 
 ## Node selector
 ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector

cmd/build.go

@@ -1,22 +1,23 @@
-// Copyright © 2018 Banzai Cloud
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+/*
+Copyright 2019 Banzai Cloud.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
 
 package main
 
 // Provisioned by ldflags
 // nolint: gochecknoglobals
-
 var (
 	version    string
 	commitHash string

cmd/config.go

@@ -0,0 +1,62 @@
+/*
+Copyright 2019 Banzai Cloud.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/banzaicloud/anchore-image-validator/internal/app"
+	"github.com/banzaicloud/anchore-image-validator/internal/log"
+	"github.com/spf13/pflag"
+	"github.com/spf13/viper"
+)
+
+// Config contains configs
+type Config struct {
+	// App configuration
+	App app.Config
+	// Log configuration
+	Log log.Config
+}
+
+func configure(v *viper.Viper, p *pflag.FlagSet) {
+	p.Init("imagecheck", pflag.ExitOnError)
+	pflag.Usage = func() {
+		_, _ = fmt.Fprintln(os.Stderr, "Usage of imagecheck:")
+
+		pflag.PrintDefaults()
+	}
+	_ = v.BindPFlags(p)
+	// Log configuration
+	v.SetDefault("log.format", "json")
+	v.SetDefault("log.level", "info")
+	v.SetDefault("log.noColor", true)
+	// App configuration
+	v.SetDefault("app.port", 8443)
+	v.SetDefault("app.certfile", "/webhook/certs/tls.crt")
+	v.SetDefault("app.keyfile", "/webhook/certs/tls.key")
+
+	v.AllowEmptyEnv(true)
+	v.SetEnvPrefix("imagecheck")
+	v.SetConfigName("config")
+	v.AddConfigPath(".")
+	v.AddConfigPath(os.Getenv("CONFIG_DIR"))
+	v.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))
+	v.AutomaticEnv()
+}