This admission controller target is to ensure k8s best practices are kept.
- It runs with Fiber, which is the fastest framework out there.
- It Logs with Zap, which is the fastest logger out there.
the admission controller is configurable:
LOG_LVL, default is info.PORT, default is 8080.OUTPUT, default is stdout.CONFIG_POLICY_PATH, default is ./conf.json
Its based on json file in location - CONFIG_POLICY_PATH
The policy updates at real time, after you change json file.
json policy sample:
{
"pod": {
"policy_enforcement": true,
"default_policy": {
"readiness_liveness": true,
"default_ns": true,
"latest_image_tag": false,
"run_as_non_root": false
},
"custom_policies": {}
},
"service": {
"policy_enforcement": true,
"default_policy": {
"load_balancer": true,
"default_ns": true
},
"custom_policies": {}
}
}under pod we have:
- readiness_liveness - checks if your pod has liveness & readiness.
- default_ns - checks that you dont try to deploy pods on default ns.
- latest_image_tag - checks that you dont try to deploy latest image tag.
- run_as_non_root - checks that you dont try to run as root.
- resources - checks that you state your resource usage.
uder service we have:
- load_balancer - checks if service is of type LoadBalancer.
- default_ns - checks that you dont try to deploy pods on default ns.
- It's written in Golang.
- you can compile it to statically linked executable, for any OS.
- Support graceful shutdown.
- Support policy file.
- Support live changes in policy.
- Pod policy impl.
- Service policy impl.
- Multiple loggers support (watcher, default, health).
- Deployment policy impl.
- DeploymentConfig policy impl.
As of now there is no need in policy for ingress / route (openshift).
- Clone.
- cd to folder.
- go build github.com/matankila/fenrir/cmd.
- run './main' (linux) / './main.exe' (win).