As root:
Ensure kubeconfig is available for root e.g.
cd /root mkdir .kube cp /home/demouser/.kube/config /root/.kube/config
Ensure kubectl is available e.g.
cp /usr/bin/oc /usr/bin/kubectl
oc adm policy add-scc-to-user anyuid -z default
securitycontextconstraints.security.openshift.io/anyuid added to: ["system:serviceaccount:image-scan-k8s-webhook-system:default"]
git clone https://github.com/sysdiglabs/image-scanning-admission-controller.git cd image-scanning-admission-controller export ANCHORE_CLI_URL="https://api.sysdigcloud.com/api/scanning/v1/anchore" export ANCHORE_CLI_USER="xxxxxxx-xxxx-xxxxxx-xxxxxx-xxxxx"
make deploy
+ deploy ./scripts/deploy.sh namespace/image-scan-k8s-webhook-system created clusterrole.rbac.authorization.k8s.io/image-scan-k8s-webhook-manager-role created clusterrolebinding.rbac.authorization.k8s.io/image-scan-k8s-webhook-manager-rolebinding created secret/image-scan-k8s-webhook-webhook-server-secret created secret/sysdig-secure-token created service/image-scan-k8s-webhook-controller-manager-service created statefulset.apps/image-scan-k8s-webhook-controller-manager created + sleep 3 + kubectl get all -n image-scan-k8s-webhook-system NAME READY STATUS RESTARTS AGE pod/image-scan-k8s-webhook-controller-manager-0 0/1 ContainerCreating 0 4s NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/image-scan-k8s-webhook-controller-manager-service ClusterIP 172.30.9.115 <none> 443/TCP 4s NAME READY AGE statefulset.apps/image-scan-k8s-webhook-controller-manager 0/1 4s
oc project image-scan-k8s-webhook-system
oc get ev
LAST SEEN TYPE REASON OBJECT MESSAGE 7m56s Normal Scheduled pod/image-scan-k8s-webhook-controller-manager-0 Successfully assigned image-scan-k8s-webhook-system/image-scan-k8s-webhook-controller-manager-0 to crc-847lc-master-0 5m36s Normal Pulling pod/image-scan-k8s-webhook-controller-manager-0 Pulling image "quay.io/sysdig/sysdig-image-scanning-trigger:latest" 5m34s Normal Pulled pod/image-scan-k8s-webhook-controller-manager-0 Successfully pulled image "quay.io/sysdig/sysdig-image-scanning-trigger:latest" 6m33s Normal Created pod/image-scan-k8s-webhook-controller-manager-0 Created container manager 6m33s Normal Started pod/image-scan-k8s-webhook-controller-manager-0 Started container manager 2m33s Warning BackOff pod/image-scan-k8s-webhook-controller-manager-0 Back-off restarting failed container 7m56s Normal SuccessfulCreate statefulset/image-scan-k8s-webhook-controller-manager create Pod image-scan-k8s-webhook-controller-manager-0 in StatefulSet image-scan-k8s-webhook-controller-manager successful
oc get statefulset
NAME READY AGE image-scan-k8s-webhook-controller-manager 1/1 9m
oc get pods
NAME READY STATUS RESTARTS AGE image-scan-k8s-webhook-controller-manager-0 1/1 Running 1 9m30s
oc describe pod image-scan-k8s-webhook-controller-manager-0
....... Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal Scheduled 24m default-scheduler Successfully assigned image-scan-k8s-webhook-system/image-scan-k8s-webhook-controller-manager-0 to crc-847lc-master-0 Warning BackOff 9m32s (x3 over 12m) kubelet, crc-847lc-master-0 Back-off restarting failed container Normal Pulling 5m20s (x5 over 24m) kubelet, crc-847lc-master-0 Pulling image "quay.io/sysdig/sysdig-image-scanning-trigger:latest" Normal Pulled 5m15s (x5 over 24m) kubelet, crc-847lc-master-0 Successfully pulled image "quay.io/sysdig/sysdig-image-scanning-trigger:latest" Normal Created 5m13s (x5 over 24m) kubelet, crc-847lc-master-0 Created container manager Normal Started 5m12s (x5 over 24m) kubelet, crc-847lc-master-0 Started container manager Warning NetworkNotReady 5m8s (x3 over 5m11s) kubelet, crc-847lc-master-0 network is not ready: runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:Network plugin returns error: Missing CNI default network
oc logs image-scan-k8s-webhook-controller-manager-0 --follow
{"level":"info","ts":1571949653.5109758,"logger":"entrypoint","msg":"setting up client for manager"}
{"level":"info","ts":1571949653.5113025,"logger":"entrypoint","msg":"setting up manager"}
{"level":"info","ts":1571949653.8518302,"logger":"entrypoint","msg":"Registering Components."}
{"level":"info","ts":1571949653.851867,"logger":"entrypoint","msg":"setting up scheme"}
{"level":"info","ts":1571949653.8518825,"logger":"entrypoint","msg":"Setting up controller"}
{"level":"info","ts":1571949653.8518891,"logger":"entrypoint","msg":"setting up webhooks"}
{"level":"info","ts":1571949653.8519502,"logger":"entrypoint","msg":"Starting the Cmd."}
{"level":"info","ts":1571949653.9522786,"logger":"kubebuilder.webhook","msg":"installing webhook configuration in cluster"}
oc get ValidatingWebhookConfiguration --all-namespaces
NAME CREATED AT autoscaling.openshift.io 2019-10-16T10:27:28Z multus.openshift.io 2019-10-16T10:14:17Z
make test
Debug
oc debug image-scan-k8s-webhook-controller-manager-0
Starting pod/image-scan-k8s-webhook-controller-manager-0-debug, command was: /root/manager
Pod IP: 10.128.0.231
# /root/manager
{"level":"info","ts":1571953761.2107623,"logger":"entrypoint","msg":"setting up client for manager"}
{"level":"info","ts":1571953761.2113204,"logger":"entrypoint","msg":"setting up manager"}
{"level":"info","ts":1571953761.5284233,"logger":"entrypoint","msg":"Registering Components."}
{"level":"info","ts":1571953761.6108737,"logger":"entrypoint","msg":"setting up scheme"}
{"level":"info","ts":1571953761.6110525,"logger":"entrypoint","msg":"Setting up controller"}
{"level":"info","ts":1571953761.61122,"logger":"entrypoint","msg":"setting up webhooks"}
{"level":"info","ts":1571953761.6115313,"logger":"entrypoint","msg":"Starting the Cmd."}
{"level":"info","ts":1571953761.7134192,"logger":"kubebuilder.webhook","msg":"installing webhook configuration in cluster"}