Validating webhook for checking images against Anchore Engine Policy
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
anchore-policy-validator
cmd/anchore-image-admission-server
docs/img
hack
pkg/anchore
vendor
.gitignore
Dockerfile
LICENSE
README.md
glide.lock
glide.yaml

README.md

Anchore Image Validator for Kubernetes

THIS IS NOT AN OFFICIAL GOOGLE PRODUCT

Intro

Anchore Engine provides a mechanism to scan Docker images and then evaluate them against a set of policies. This evaluation result can be used to gate a CI pipeline or, as used in this repo, to gate the deployment of an image into a Kubernetes cluster.

Anchore Image Validator Architecture

This repository contains a server that can be used as a Validating Webhook in your Kubernetes cluster. After its been configured, Kubernetes will send a request to this server any time a Pod is requested. The server will get container images out of the PodSpec and check them against the Anchore Engine API to see if they adhere to the policy that has been defined. If the image does not yet exist in Anchore Engine it will automatically be added and scanned. The default policy validates that there are no critical security vulnerabilities in the image.

Quick Start

NOTE: Kubernetes 1.9+ Required.

  1. Add yourself as a Cluster Admin:

    kubectl create clusterrolebinding cluster-admin-$USER --username=<your-username> --clusterrole=cluster-admin
  2. Install Helm

  3. Run hack/install.sh which installs the chart for the server.

  4. Follow the instructions output by the chart installation for installing the validating web hook.

How does it work?

This server leverages the Generic Admission Server for most of the heavy lifting of implementing the admission webhook API.

The binary from this repository is registered as an API Service and run inside of Kubernetes. Once the service is registered, a ValidatingWebhookConfiguration is created that tells the Kubernetes API server to check with the admission server before running any pods in the local cluster.

The admission server receives a request that includes the Pod specification. It takes the images from the list of containers then sends requests to the Anchore Engine API to ensure that the images are passing the evaluation of the policy defined in Anchore Engine.