Anchore Image Validator for Kubernetes
THIS IS NOT AN OFFICIAL GOOGLE PRODUCT
Anchore Engine provides a mechanism to scan Docker images and then evaluate them against a set of policies. This evaluation result can be used to gate a CI pipeline or, as used in this repo, to gate the deployment of an image into a Kubernetes cluster.
This repository contains a server that can be used as a Validating Webhook in your Kubernetes cluster. After its been configured, Kubernetes will send a request to this server any time a Pod is requested. The server will get container images out of the PodSpec and check them against the Anchore Engine API to see if they adhere to the policy that has been defined. If the image does not yet exist in Anchore Engine it will automatically be added and scanned. The default policy validates that there are no critical security vulnerabilities in the image.
NOTE: Kubernetes 1.9+ Required.
Add yourself as a Cluster Admin:
kubectl create clusterrolebinding cluster-admin-$USER --username=<your-username> --clusterrole=cluster-admin
hack/install.shwhich installs the chart for the server.
Follow the instructions output by the chart installation for installing the validating web hook.
How does it work?
This server leverages the Generic Admission Server for most of the heavy lifting of implementing the admission webhook API.
The binary from this repository is registered as an API Service and run inside of Kubernetes. Once the service is registered, a ValidatingWebhookConfiguration is created that tells the Kubernetes API server to check with the admission server before running any pods in the local cluster.
The admission server receives a request that includes the Pod specification. It takes the images from the list of containers then sends requests to the Anchore Engine API to ensure that the images are passing the evaluation of the policy defined in Anchore Engine.