Sentry is a Webhook Validating Admission Controller that enforces rules cluster wide on objects in Kubernetes prior to admission.
Sentry currently supports the below enforcement rules.
If they are not set in the config.yaml with "enabled" set to true, they will not be enforced.
Each rule can ignore a set of namespaces.
To enforce different configurations you can launch this admission controller under different names with different configurations.
Limits will ensure all pods have limits for cpu and memory set and are within the range you provide.
limits:
enabled: true
ignoredNamespaces:
- "test2"
- "test3"
cpu:
min: "1"
max: "2"
memory:
min: 1G
max: 2GSource ensures images are only pulled from allowed sources. This is a very simple string match. This will only check if your image string starts with strings provided in the config. To ensure your domain is not read as a subdomain, it is best to end your domain with a "/".
By listing the entire image path with or without tag, you can allow specific images from a repository. So "gcr.io/google_containers/pause-amd64" would only allow the pause container. Due to the matching strategy this also means "gcr.io/google_containers/pause-amd64foo" would also pass.
source:
enabled: true
ignoredNamespaces:
- "test2"
- "test3"
allowed:
- "this/isallowed"
- "sois/this"Healthz ensures liveliness and readiness probes are set.
healthz:
enabled: true
ignoredNamespaces:
- "test1"
- "test3"Tags ensures no containers launch with 'latest' or with no tag set.
tags:
enabled: true
ignoredNamespaces:
- "test1"
- "test2"NsLabels ensures all namespaces have labels, so you can enforce NetworkPolicies.
nslabels:
enabled: true
ignoredNamespaces:
- "test1"
- "test2"This is the Beta release
To run in your cluster, clone this respository, and edit manifest.yaml to suit your requirements.
Then you can run
$ make deployk8sBe Aware : Like PodSecurityPolicies and RBAC, these rules are powerful, and will banhammer ANY pods that violate the rules.
You have been warned...
To build and test in minikube you can run
$ minikube start --kubernetes-version v1.11.1
$ make minikubePlease use Kubernetes version >= 1.10
This will build a container from source on your minikube server.
You can deploy by running:
$ make deployk8sThis create server certs, and makes them available in the deployment. It produces a manifest-ca.yaml which gets deployed.
To see the tests working you can deploy any of the manifests under the test-manifests folder.
To run the e2e tests you can run
make e2etestsTo develop a new module, you can copy the example module.
And then import it in the main.go
import(
_ "github.com/jasonrichardsmith/sentry/my_module"
)Configuration is loaded using mapstructure. If you need have special decoding for your configuration you can register a decoder, please reference the limits module decoding hook in limits/config.go.
You can add e2e tests by adding a folder for your module in test-manifests, and adding manifests named in the following convention.
description.expectation.yaml
Anything not titled with "pass" as an "expectation" will be expected to fail.
Then make sure your module is enabled in the manifest.yaml.
my_module:
enabled: true
ignoredNamespaces:
- "kube-system"