An example of a ASP.NET Core WebAPI application that can be used as a webhook for Kubernetes auditing
README

More detail on this can be found in my blog post [here](https://talkcloudlytome.com/implementing-an-audit-webhook-for-kubernetes/).

***Build the Docker image from the source repo
***Publish the Docker image to a registry that your cluster can pull from
***Deploy the following service to your Kubernetes cluster:

apiVersion: v1
kind: Service
metadata:
  name: audit-webhook-service
spec:
  selector:
    app: audit-webhook
  ports:
    - protocol: TCP
      port: 80

***Deploy the following deployment to your Kubernetes cluster (note: you need your own "regcred" image-pull secret deployed, and you need to set the image to the one you pushed):
    ***(NOTE: The "command" shouldn't really be necessary, as it should be set via the Dockerfile, but I couldn't get it to work...it works this way)
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: audit-webhook-deployment
  labels:
    app: audit-webhook
spec:
  replicas: 1
  selector:
    matchLabels:
      app: audit-webhook
  template:
    metadata:
      labels:
        app: audit-webhook
    spec:
      containers:
      - name: audit-webhook-application
        image: wfmjdcimagecr.azurecr.io/k8s-audit-webhook:build-1803-v1
        command: ["dotnet.exe", "kubernetes-audit-webhook.dll"]
        ports:
        - containerPort: 80
      imagePullSecrets:
      - name: regcred

***Determine the cluster IP address of the service you just deployed
***Create a file on your master node called "audit-webhook-kubeconfig" in the /etc/kubernetes directory, with the following text (replace the IP with the cluster IP of the service you created):
apiVersion: v1
clusters:
- cluster:
    server: http://10.0.245.224/api/audits
  name: audit-webhook-service
contexts:
- context:
    cluster: audit-webhook-service
    user: ""
  name: default-context
current-context: default-context
kind: Config
preferences: {}
users: []

***Modify the /etc/kubernetes/manifests/kube-apiserver.yaml file to add the following flag to the kube-apiserver command line:
  "--audit-webhook-config-file=/etc/kubernetes/audit-webhook-kubeconfig",

***Delete the kube-apiserver pod so it is forced to restart with the new configuration (or just run sudo systemctl restart kubelet.service)

***View the logs for your pod to see the output!!!
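The controller that actually receives those events is not shown in this README, so here is an added example of what the /api/audits endpoint looks like (this is example code written for this page, not the repository's own Controllers code). It models the audit.k8s.io EventList that kube-apiserver POSTs as JSON, logs one line per event to stdout (which is what "view the logs for your pod" then shows), and acknowledges the batch with a 2xx. The namespace name is assumed from the project file name; the field names are the ones used by the audit.k8s.io Event type.

```csharp
// Added example (not the repository's own Controllers code): a minimal ASP.NET Core
// controller for the endpoint the kubeconfig above points at (POST /api/audits).
// kube-apiserver POSTs an audit.k8s.io EventList as JSON; this handler logs one line
// per event to stdout, which is what "view the logs for your pod" then shows.
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

// Namespace assumed from the project file name (kubernetes-audit-webhook.csproj).
namespace kubernetes_audit_webhook.Controllers
{
    // Only the EventList fields logged below are modelled; the model binder ignores
    // JSON properties that have no matching C# property, and it matches names
    // case-insensitively, so "auditID" binds to AuditID and "requestURI" to RequestURI.
    public class EventList
    {
        public string ApiVersion { get; set; }   // e.g. "audit.k8s.io/v1beta1"
        public string Kind { get; set; }         // "EventList"
        public List<AuditEvent> Items { get; set; }
    }

    public class AuditEvent
    {
        public string Level { get; set; }        // None | Metadata | Request | RequestResponse
        public string AuditID { get; set; }      // same value for every stage of one request
        public string Stage { get; set; }        // RequestReceived | ResponseStarted | ResponseComplete | Panic
        public string RequestURI { get; set; }
        public string Verb { get; set; }
        public UserInfo User { get; set; }
        public List<string> SourceIPs { get; set; }
        public ObjectReference ObjectRef { get; set; }
        public ResponseStatus ResponseStatus { get; set; }
        public DateTime? RequestReceivedTimestamp { get; set; }
    }

    public class UserInfo
    {
        public string Username { get; set; }
        public List<string> Groups { get; set; }
    }

    public class ObjectReference
    {
        public string Resource { get; set; }
        public string Namespace { get; set; }    // empty for cluster-scoped resources
        public string Name { get; set; }
    }

    public class ResponseStatus
    {
        public int? Code { get; set; }
    }

    // [controller] expands to "audits", giving the /api/audits path used in the kubeconfig.
    [Route("api/[controller]")]
    public class AuditsController : Controller
    {
        private readonly ILogger<AuditsController> _logger;

        public AuditsController(ILogger<AuditsController> logger)
        {
            _logger = logger;
        }

        [HttpPost]
        public IActionResult Post([FromBody] EventList batch)
        {
            // A malformed or non-JSON body binds to null; answer 400 rather than 500 so the
            // failure shows up in the apiserver's own log as a rejected delivery.
            if (batch == null || batch.Items == null)
            {
                return BadRequest("expected an audit.k8s.io EventList");
            }

            foreach (var e in batch.Items)
            {
                var user = e.User?.Username ?? "<anonymous>";
                var sourceIp = e.SourceIPs != null && e.SourceIPs.Count > 0 ? e.SourceIPs[0] : "-";
                var target = e.ObjectRef == null
                    ? e.RequestURI
                    : $"{e.ObjectRef.Resource}/{e.ObjectRef.Namespace}/{e.ObjectRef.Name}";
                var status = e.ResponseStatus?.Code?.ToString() ?? "-";

                // One line per event. The same auditID appears once per stage, so a consumer
                // that only wants the final outcome can filter on Stage == "ResponseComplete".
                _logger.LogInformation(
                    "audit {AuditID} stage={Stage} level={Level} {Verb} {Target} user={User} ip={SourceIP} status={Status}",
                    e.AuditID, e.Stage, e.Level, e.Verb, target, user, sourceIp, status);
            }

            // Any 2xx acknowledges the batch; the apiserver retries batches it could not deliver.
            return Ok();
        }
    }
}
```

Two things to keep in mind when testing this: kube-apiserver only sends events that an audit policy (--audit-policy-file) selects, so an empty pod log usually means no policy rather than a broken webhook; and with the plain-http kubeconfig above, the endpoint is reachable by anything on the cluster network that can POST JSON, so a test client can inject fake "audit" lines into the log. That is why the TLS and client-certificate items in the to-do list matter before this output is trusted for anything.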
***OTHER STUFF TO EVENTUALLY CONSIDER:
- Get it working with TLS/SSL
- Use the kubernetes service host name instead of hard-coding the IP address in the kubeconfig
- Push to OMS instead of STDOUT on the pod
- Figure out how to use certificate/credentials to call the webhook service
- What else?
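For the first, second and fourth items, the kubeconfig format already supports everything needed; as an added example (not a file from this repository), this is the same audit-webhook-kubeconfig with the plaintext http server and empty user replaced by an https server, a CA for the webhook's serving certificate, and a client certificate that the apiserver presents to the webhook. The host name and the /etc/kubernetes/pki/audit-webhook-* paths are placeholders.

```yaml
# Added example, not a file from this repository. Same structure as the http version
# above, but the webhook is reached over TLS and the apiserver authenticates itself
# with a client certificate. All file paths and the host name are placeholders.
apiVersion: v1
kind: Config
clusters:
- name: audit-webhook-service
  cluster:
    # kube-apiserver runs on the host network and resolves names with the node's
    # resolver, so this name must resolve there (or keep using the cluster IP).
    server: https://audit-webhook-service.default.svc/api/audits
    # CA that signed the certificate the webhook pod serves on port 443
    certificate-authority: /etc/kubernetes/pki/audit-webhook-ca.crt
users:
- name: kube-apiserver
  user:
    # Client certificate the webhook should require and verify before accepting events
    client-certificate: /etc/kubernetes/pki/audit-webhook-client.crt
    client-key: /etc/kubernetes/pki/audit-webhook-client.key
contexts:
- name: default-context
  context:
    cluster: audit-webhook-service
    user: kube-apiserver
current-context: default-context
preferences: {}
```

Every path in this file is read by the kube-apiserver process, so with a kubeadm static pod the files have to be inside a directory that is mounted into the apiserver container (which is why the placeholders sit under /etc/kubernetes/pki). On the webhook side the ASP.NET Core app must then listen with a server certificate and demand the client certificate, otherwise the client-certificate lines change nothing.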