Sentry is a Webhook Validating Admission Controller that enforces rules cluster wide on objects in Kubernetes prior to admission.
Sentry currently supports the below enforcement rules.
If they are not set in the config.yaml with "enabled" set to true, they will not be enforced.
Each rule can ignore a set of namespaces.
To enforce different configurations you can launch this admission controller under different names with different configurations.
Limits will ensure all pods have limits for cpu and memory set and are within the range you provide.
limits: enabled: true ignoredNamespaces: - "test2" - "test3" cpu: min: "1" max: "2" memory: min: 1G max: 2G
Source ensures images are only pulled from allowed sources. This is a very simple string match. This will only check if your image string starts with strings provided in the config. To ensure your domain is not read as a subdomain, it is best to end your domain with a "/".
By listing the entire image path with or without tag, you can allow specific images from a repository. So "gcr.io/google_containers/pause-amd64" would only allow the pause container. Due to the matching strategy this also means "gcr.io/google_containers/pause-amd64foo" would also pass.
source: enabled: true ignoredNamespaces: - "test2" - "test3" allowed: - "this/isallowed" - "sois/this"
Healthz ensures liveliness and readiness probes are set.
healthz: enabled: true ignoredNamespaces: - "test1" - "test3"
Tags ensures no containers launch with 'latest' or with no tag set.
tags: enabled: true ignoredNamespaces: - "test1" - "test2"
NsLabels ensures all namespaces have labels, so you can enforce NetworkPolicies.
nslabels: enabled: true ignoredNamespaces: - "test1" - "test2"
This is the Beta release
To run in your cluster, clone this respository, and edit manifest.yaml to suit your requirements.
Then you can run
$ make deployk8s
Be Aware : Like PodSecurityPolicies and RBAC, these rules are powerful, and will banhammer ANY pods that violate the rules.
You have been warned...
Try out sentry
To build and test in minikube you can run
$ minikube start --kubernetes-version v1.11.1 $ make minikube
Please use Kubernetes version >= 1.10
This will build a container from source on your minikube server.
You can deploy by running:
$ make deployk8s
This create server certs, and makes them available in the deployment. It produces a manifest-ca.yaml which gets deployed.
To see the tests working you can deploy any of the manifests under the test-manifests folder.
To run the e2e tests you can run
To develop a new module, you can copy the example module.
And then import it in the main.go
import( _ "github.com/jasonrichardsmith/sentry/my_module" )
You can add e2e tests by adding a folder for your module in test-manifests, and adding manifests named in the following convention.
Anything not titled with "pass" as an "expectation" will be expected to fail.
Then make sure your module is enabled in the manifest.yaml.
my_module: enabled: true ignoredNamespaces: - "kube-system"