kubesec-webhook

Kubesec.io admission controller for Kubernetes Deployments, DaemonSets and StatefulSets

For the kubectl scan plugin see kubectl-kubesec

Install

Generate webhook configuration files with a new TLS certificate and CA Bundle:

make certs

Deploy the admission controller and webhooks in the kubesec namespace (requires Kubernetes 1.10 or newer):

make deploy

Enable Kubesec validation by adding this label:

kubectl label namespaces default kubesec-validation=enabled

Usage

Try to apply a privileged Deployment:

kubectl apply -f ./test/deployment.yaml

Error from server (InternalError): error when creating "./test/deployment.yaml": 
Internal error occurred: admission webhook "deployment.admission.kubesc.io" denied the request: 
deployment-test score is -30, deployment minimum accepted score is 0

Try to apply a privileged DaemonSet:

kubectl apply -f ./test/daemonset.yaml

Error from server (InternalError): error when creating "./test/daemonset.yaml": 
Internal error occurred: admission webhook "daemonset.admission.kubesc.io" denied the request: 
daemonset-test score is -30, daemonset minimum accepted score is 0

Try to apply a privileged StatefulSet:

kubectl apply -f ./test/statefulset.yaml

Error from server (InternalError): error when creating "./test/statefulset.yaml": 
Internal error occurred: admission webhook "statefulset.admission.kubesc.io" denied the request: 
statefulset-test score is -30, deployment minimum accepted score is 0

Configuration

You can set the minimum Kubesec.io score in ./deploy/webhook/yaml:

apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: kubesec-webhook
  labels:
    app: kubesec-webhook
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: kubesec-webhook
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8081"
    spec:
      containers:
        - name: kubesec-webhook
          image: stefanprodan/kubesec:0.1-dev
          imagePullPolicy: Always
          command:
            - ./kubesec
          args:
            - -tls-cert-file=/etc/webhook/certs/cert.pem
            - -tls-key-file=/etc/webhook/certs/key.pem
            - -min-score=0
          ports:
            - containerPort: 8080
            - containerPort: 8081
          volumeMounts:
            - name: webhook-certs
              mountPath: /etc/webhook/certs
              readOnly: true
      volumes:
        - name: webhook-certs
          secret:
            secretName: kubesec-webhook-certs
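
The decision the webhook makes, as an added example that is not the project's own code: it reads the AdmissionReview request, scores the pod template, and denies the object when the score falls below the -min-score threshold, producing the same denial message shape shown in the Usage section. The scorer is a stand-in that only mirrors the page's privileged case (-30), not Kubesec.io's real rule set, and score_workload, admit and make_review are hypothetical names.

```python
import json

# Stand-in rule: the page's privileged test workloads score -30. This is not
# kubesec.io's rule set; the real webhook submits the manifest to Kubesec.
PRIVILEGED_PENALTY = -30

def score_workload(obj):
    """Score a Deployment/DaemonSet/StatefulSet-like object from its pod template."""
    score = 0
    pod_spec = obj.get("spec", {}).get("template", {}).get("spec", {})
    for container in pod_spec.get("containers", []):
        security_context = container.get("securityContext") or {}
        if security_context.get("privileged") is True:
            score += PRIVILEGED_PENALTY
    return score

def admit(review, min_score=0):
    """Build the AdmissionReview response: deny when score < min_score (the -min-score flag)."""
    request = review["request"]
    obj = request["object"]
    kind = request["kind"]["kind"].lower()
    name = obj.get("metadata", {}).get("name", "<unnamed>")
    score = score_workload(obj)
    response = {"uid": request["uid"], "allowed": score >= min_score}
    if not response["allowed"]:
        message = f"{name} score is {score}, {kind} minimum accepted score is {min_score}"
        response["status"] = {"message": message}
    return {"apiVersion": review["apiVersion"], "kind": "AdmissionReview", "response": response}

def make_review(kind, name, privileged):
    """Constructed AdmissionReview request (sample data, not captured from a cluster)."""
    return {
        "apiVersion": "admission.k8s.io/v1beta1",
        "kind": "AdmissionReview",
        "request": {
            "uid": "constructed-uid-1",
            "kind": {"group": "apps", "version": "v1", "kind": kind},
            "object": {
                "metadata": {"name": name},
                "spec": {"template": {"spec": {"containers": [
                    {"name": "app", "image": "nginx",
                     "securityContext": {"privileged": privileged}}]}}},
            },
        },
    }

if __name__ == "__main__":
    print(json.dumps(admit(make_review("Deployment", "deployment-test", True)), indent=2))
```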

Monitoring

The admission controller exposes Prometheus RED (rate, errors, duration) metrics for each webhook; a Grafana dashboard is available here.

Credits

Kudos to Xabier for the awesome kubewebhook library.
