Kubernetes Object Validating Admission Controller

Sentry

Sentry is a Webhook Validating Admission Controller that enforces rules cluster wide on objects in Kubernetes prior to admission.

Rules

Sentry currently supports the below enforcement rules.

If they are not set in the config.yaml with "enabled" set to true, they will not be enforced.

Each rule can ignore a set of namespaces.

To enforce different configurations you can launch this admission controller under different names with different configurations.

Limits

Limits ensures all pods have cpu and memory limits set, and that those limits fall within the range you provide.

limits:
  enabled: true
  ignoredNamespaces:
    - "test2"
    - "test3"
  cpu:
    min: "1"
    max: "2"
  memory:
    min: 1G
    max: 2G
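As an added example (not the project's own code), the following Go program shows the shape of the check this rule describes: every container must carry a cpu and a memory limit, and each value must lie within the configured min/max. Kubernetes itself parses quantities with k8s.io/apimachinery's resource.Quantity; the parseQuantity function below is a deliberately small stand-in that understands only the suffixes used here, so the example runs offline. The pod contents are constructed; the min/max values are the ones from the config above.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
)

// Added example, not the project's code. Quantities are compared as integer
// milli-units so that "1500m" and "1.5" are equal; parseQuantity stands in
// for resource.Quantity and covers only the suffixes used in this example.

// Range mirrors the per-resource min/max pair in the limits config.
type Range struct{ Min, Max string }

// LimitsConfig mirrors the cpu and memory sections of the limits config.
type LimitsConfig struct{ CPU, Memory Range }

// Container is the part of a pod container spec the rule looks at.
// An empty limit string means the limit is not set.
type Container struct{ Name, CPULimit, MemoryLimit string }

// suffixMilli maps a quantity suffix to its value in thousandths of the base unit.
var suffixMilli = map[string]int64{
	"": 1000, "m": 1,
	"k": 1e6, "M": 1e9, "G": 1e12,
	"Ki": 1024 * 1000, "Mi": 1024 * 1024 * 1000, "Gi": 1024 * 1024 * 1024 * 1000,
}

// parseQuantity converts "2", "500m", "1G" or "512Mi" into milli-units.
// Unknown suffixes and malformed numbers are errors rather than being
// silently accepted, so a typo in the config cannot widen the range.
func parseQuantity(s string) (int64, error) {
	i := len(s)
	for i > 0 && !(s[i-1] >= '0' && s[i-1] <= '9') && s[i-1] != '.' {
		i--
	}
	mult, ok := suffixMilli[s[i:]]
	if !ok {
		return 0, fmt.Errorf("unknown quantity suffix %q in %q", s[i:], s)
	}
	n, err := strconv.ParseFloat(s[:i], 64)
	if err != nil {
		return 0, fmt.Errorf("bad quantity %q: %w", s, err)
	}
	return int64(math.Round(n * float64(mult))), nil
}

// checkLimit rejects an unset limit or one outside [r.Min, r.Max].
func checkLimit(resource, value string, r Range) error {
	if value == "" {
		return fmt.Errorf("%s limit not set", resource)
	}
	v, err := parseQuantity(value)
	if err != nil {
		return err
	}
	lo, err := parseQuantity(r.Min)
	if err != nil {
		return err
	}
	hi, err := parseQuantity(r.Max)
	if err != nil {
		return err
	}
	if v < lo || v > hi {
		return fmt.Errorf("%s limit %s outside [%s, %s]", resource, value, r.Min, r.Max)
	}
	return nil
}

// validatePod returns one message per violation across all containers.
// An empty result means the pod would be admitted by this rule.
func validatePod(containers []Container, cfg LimitsConfig) []string {
	var violations []string
	for _, c := range containers {
		if err := checkLimit("cpu", c.CPULimit, cfg.CPU); err != nil {
			violations = append(violations, c.Name+": "+err.Error())
		}
		if err := checkLimit("memory", c.MemoryLimit, cfg.Memory); err != nil {
			violations = append(violations, c.Name+": "+err.Error())
		}
	}
	return violations
}

func main() {
	// The range from the limits config above.
	cfg := LimitsConfig{CPU: Range{"1", "2"}, Memory: Range{"1G", "2G"}}
	// Constructed pod: one compliant container, one with no cpu limit and too
	// much memory, one with too much cpu.
	pod := []Container{
		{Name: "app", CPULimit: "1500m", MemoryLimit: "1536M"},
		{Name: "sidecar", CPULimit: "", MemoryLimit: "3Gi"},
		{Name: "batch", CPULimit: "4", MemoryLimit: "2G"},
	}
	if v := validatePod(pod, cfg); len(v) > 0 {
		fmt.Println("denied:\n  " + strings.Join(v, "\n  "))
		return
	}
	fmt.Println("admitted")
}
```

Note that "1G" (decimal, 10^9) and "1Gi" (binary, 2^30) are different amounts; the check above compares both in the same milli-unit so a pod declaring its memory in Mi is still measured correctly against a G-denominated range.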

Source

Source ensures images are only pulled from allowed sources. The check is a plain string prefix match: an image passes if its image string starts with one of the strings provided in the config. End a registry domain with a "/" so that the prefix cannot also match a longer hostname that merely begins with the same characters.

By listing the entire image path, with or without a tag, you can allow specific images from a repository. So "gcr.io/google_containers/pause-amd64" would only allow the pause container. Because of the prefix matching, "gcr.io/google_containers/pause-amd64foo" would pass as well.

source:
  enabled: true
  ignoredNamespaces:
    - "test2"
    - "test3"
  allowed:
    - "this/isallowed"
    - "sois/this"

Healthz

Healthz ensures liveness and readiness probes are set.

healthz:
  enabled: true
  ignoredNamespaces:
    - "test1"
    - "test3"

Tags

Tags ensures no containers launch with 'latest' or with no tag set.

tags:
  enabled: true
  ignoredNamespaces:
    - "test1"
    - "test2"
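The following Go program is an added example, not the project's own code, covering both the Source rule above and the Tags rule: it reproduces the plain prefix match and the tag check on constructed image references, so the behaviour the README describes (including the "pause-amd64foo" case and the effect of a missing trailing "/") can be seen on concrete inputs. The allowed list and the image strings are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not the project's code. Source is a plain prefix match
// against the "allowed" list; Tags rejects images tagged "latest" or
// carrying no tag at all.

// allowedSources is a constructed stand-in for the Source "allowed" list.
// "docker.io" is deliberately left without the trailing "/" the README
// recommends, to show what that omission lets through.
var allowedSources = []string{
	"gcr.io/google_containers/pause-amd64", // one specific image
	"quay.io/",                             // a registry, terminated with "/"
	"docker.io",                            // a registry, NOT terminated
}

// sourceAllowed is the Source rule: the image string must start with one of
// the configured prefixes. Nothing else about the reference is inspected.
func sourceAllowed(image string, allowed []string) bool {
	for _, prefix := range allowed {
		if strings.HasPrefix(image, prefix) {
			return true
		}
	}
	return false
}

// imageTag returns the tag of an image reference, or "" when none is set.
// Only the last path segment is examined, so the ':' in a registry port such
// as "registry:5000/app" is not mistaken for a tag separator. A digest-only
// reference ("app@sha256:...") has no tag; the README does not say how the
// real module treats digests, so this example simply reports "".
func imageTag(image string) string {
	if at := strings.Index(image, "@"); at >= 0 {
		image = image[:at]
	}
	last := image[strings.LastIndex(image, "/")+1:]
	if i := strings.LastIndex(last, ":"); i >= 0 {
		return last[i+1:]
	}
	return ""
}

// tagAllowed is the Tags rule: a tag must be present and must not be "latest".
func tagAllowed(image string) bool {
	tag := imageTag(image)
	return tag != "" && tag != "latest"
}

func main() {
	// Constructed image references exercising the cases discussed above.
	for _, img := range []string{
		"gcr.io/google_containers/pause-amd64:3.1",
		"gcr.io/google_containers/pause-amd64foo:1.0", // passes Source: prefix match
		"quay.io.example.com/app:1.0",                 // fails Source: "/" terminator
		"docker.io.example.com/app:1.0",               // passes Source: no terminator
		"registry:5000/app",                           // port is not a tag
		"quay.io/org/app:latest",
	} {
		fmt.Printf("%-48s source=%-5t tag=%q tagOK=%t\n",
			img, sourceAllowed(img, allowedSources), imageTag(img), tagAllowed(img))
	}
}
```

The "docker.io" entry shows why the trailing "/" matters: without it, any registry hostname that begins with "docker.io" is accepted by the prefix match, which is exactly the case the README's advice prevents.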

NsLabels

NsLabels ensures all namespaces have labels, so you can enforce NetworkPolicies.

nslabels:
  enabled: true
  ignoredNamespaces:
    - "test1"
    - "test2"

Run

This is the Beta release

To run in your cluster, clone this repository and edit manifest.yaml to suit your requirements.

Then you can run

$ make deployk8s

Be aware: like PodSecurityPolicies and RBAC, these rules are powerful, and will banhammer ANY pods that violate them.

You have been warned...

Try out sentry

To build and test in minikube you can run

$ minikube start --kubernetes-version v1.11.1
$ make minikube

Please use Kubernetes version >= 1.10

This will build a container from source on your minikube server.

You can deploy by running:

$ make deployk8s

This creates server certs, makes them available in the deployment, and produces a manifest-ca.yaml, which is what gets deployed.

To see the tests working you can deploy any of the manifests under the test-manifests folder.

To run the e2e tests you can run

$ make e2etests

Development

To develop a new module, copy the example module.

Then import it in main.go:

import (
	_ "github.com/jasonrichardsmith/sentry/my_module"
)

Configuration is loaded using mapstructure. If your configuration needs special decoding, you can register a decode hook; see the limits module's decoding hook in limits/config.go for reference.

You can add e2e tests by adding a folder for your module under test-manifests and adding manifests named using the following convention:

description.expectation.yaml

Any manifest whose "expectation" part is not "pass" is expected to fail.

Then make sure your module is enabled in the manifest.yaml.

my_module:
  enabled: true
  ignoredNamespaces:
    - "kube-system"