Validating webhook to check images against an Anchore Engine policy
Anchore Engine provides a mechanism to scan Docker images and then evaluate them against
a set of policies. This evaluation result can be used to gate a CI pipeline or, as used in this repo,
to gate the deployment of an image into a Kubernetes cluster.
This repository contains a server that can be used as a Validating Webhook
in your Kubernetes cluster. Once it has been configured, the Kubernetes API server sends a request to this server every time a Pod is created.
The server extracts the container images from the PodSpec and checks each one against the Anchore Engine API to see whether it
passes the policy that has been defined there. If an image is not yet known to Anchore Engine it is added
and scanned automatically. The default policy validates that the image contains no critical security vulnerabilities.
Add yourself as a cluster admin (the RBAC objects the chart creates require it):
kubectl create clusterrolebinding cluster-admin-$USER --user=<your-username> --clusterrole=cluster-admin
Run hack/install.sh, which installs the chart for the server.
Follow the instructions output by the chart installation to install the validating webhook.
This server leverages the Generic Admission Server
for most of the heavy lifting of implementing the admission webhook API.
The binary from this repository is registered as an APIService
and runs inside Kubernetes. Once the service is registered, a ValidatingWebhookConfiguration is created
that tells the Kubernetes API server to consult the admission server before admitting any Pod in the cluster.
The admission server receives an AdmissionReview request that includes the Pod specification. It takes the images from the Pod's list of containers
and sends a request to the Anchore Engine API for each one to check
that the image passes the evaluation
of the policy defined in Anchore Engine; if any image fails, the Pod is rejected.
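As an added example (not code from this repository, which relies on the Generic Admission Server and its own Anchore client), the following Go program isolates the decision step described above: it decodes an admission.k8s.io AdmissionReview, collects the images from the Pod's containers and initContainers, asks a policy checker about each one, and builds the response. The Anchore Engine call is replaced by a stub behind a hypothetical PolicyChecker interface, the request JSON and the per-image verdicts are constructed for the example, and the minimal AdmissionReview structs are hand-written so the program has no dependencies; a real server would use the k8s.io/api/admission/v1 types.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal subset of admission.k8s.io/v1 AdmissionReview; only the fields the
// check needs are declared (assumption: real servers use k8s.io/api types).
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}
type AdmissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"` // the Pod being admitted
}
type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *Status `json:"status,omitempty"`
}
type Status struct {
	Message string `json:"message"`
}
type Container struct {
	Image string `json:"image"`
}
type Pod struct {
	Spec struct {
		InitContainers []Container `json:"initContainers"`
		Containers     []Container `json:"containers"`
	} `json:"spec"`
}

// Verdict of one image's policy evaluation.
type Verdict int

const (
	Pass    Verdict = iota
	Fail            // evaluation returned "fail"
	Pending         // image was just added; analysis has not finished
)

// PolicyChecker is a hypothetical abstraction of the Anchore Engine
// "check image against policy" call, so the logic runs offline.
type PolicyChecker interface {
	Check(image string) (verdict Verdict, detail string, err error)
}

// normalizeImage treats an untagged reference as ":latest" (what the
// kubelet pulls) and leaves digest-pinned references untouched.
func normalizeImage(ref string) string {
	ref = strings.TrimSpace(ref)
	if ref == "" || strings.Contains(ref, "@sha256:") {
		return ref
	}
	// A ':' after the last '/' is a tag; before it, a registry port.
	if strings.LastIndex(ref, ":") > strings.LastIndex(ref, "/") {
		return ref
	}
	return ref + ":latest"
}

// imagesFromPod returns every image the Pod references, init containers
// included, de-duplicated after normalisation.
func imagesFromPod(raw json.RawMessage) ([]string, error) {
	var pod Pod
	if err := json.Unmarshal(raw, &pod); err != nil {
		return nil, fmt.Errorf("decode pod: %w", err)
	}
	seen := map[string]bool{}
	var out []string
	for _, list := range [][]Container{pod.Spec.InitContainers, pod.Spec.Containers} {
		for _, c := range list {
			if img := normalizeImage(c.Image); img != "" && !seen[img] {
				seen[img] = true
				out = append(out, img)
			}
		}
	}
	return out, nil
}

// Review evaluates an AdmissionReview and returns the response review.
// It fails closed: a decode error, an evaluation error, a pending analysis
// or any failing image denies the Pod, and the message lists every reason.
func Review(reqBody []byte, checker PolicyChecker) (*AdmissionReview, error) {
	var in AdmissionReview
	if err := json.Unmarshal(reqBody, &in); err != nil {
		return nil, fmt.Errorf("decode AdmissionReview: %w", err)
	}
	if in.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	resp := &AdmissionResponse{UID: in.Request.UID, Allowed: true}
	images, err := imagesFromPod(in.Request.Object)
	var reasons []string
	if err != nil {
		reasons = append(reasons, err.Error())
	}
	for _, img := range images {
		v, detail, err := checker.Check(img)
		switch {
		case err != nil:
			reasons = append(reasons, fmt.Sprintf("%s: evaluation error: %v", img, err))
		case v == Pending:
			reasons = append(reasons, fmt.Sprintf("%s: added to Anchore Engine, analysis pending", img))
		case v == Fail:
			reasons = append(reasons, fmt.Sprintf("%s: policy failed (%s)", img, detail))
		}
	}
	if len(reasons) > 0 {
		resp.Allowed = false
		resp.Status = &Status{Message: strings.Join(reasons, "; ")}
	}
	return &AdmissionReview{APIVersion: in.APIVersion, Kind: in.Kind, Response: resp}, nil
}

// stubChecker stands in for Anchore Engine: known images carry a fixed
// verdict; an unknown image is "added" and reports Pending on first sight.
type stubChecker struct{ known map[string]Verdict }

func (s stubChecker) Check(image string) (Verdict, string, error) {
	v, ok := s.known[image]
	if !ok {
		s.known[image] = Pending // simulates adding the image for analysis
		return Pending, "", nil
	}
	if v == Fail {
		return v, "vulnerability gate triggered STOP", nil
	}
	return v, "", nil
}

// Constructed sample request: one init container and two app containers.
const SampleRequest = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview",
 "request":{"uid":"7b1e","object":{"spec":{
   "initContainers":[{"image":"busybox"}],
   "containers":[{"image":"nginx:1.25"},{"image":"registry.example:5000/app:2.0"}]}}}}`

// SampleChecker holds constructed verdicts for the images above.
func SampleChecker() stubChecker {
	return stubChecker{known: map[string]Verdict{
		"busybox:latest":                Pass,
		"nginx:1.25":                    Pass,
		"registry.example:5000/app:2.0": Fail,
	}}
}

func main() {
	out, err := Review([]byte(SampleRequest), SampleChecker())
	if err != nil {
		panic(err)
	}
	b, _ := json.MarshalIndent(out, "", "  ")
	fmt.Println(string(b)) // allowed: false, message names the failing image
}
```

Two design choices matter here. The decision fails closed inside the webhook: an image Anchore Engine has not finished analysing, or an error talking to it, denies the Pod rather than letting it through, and init containers are checked because they run in the same Pod. Whether an unreachable webhook blocks Pods at all is decided elsewhere, by the failurePolicy field of the ValidatingWebhookConfiguration, which should be Fail rather than Ignore for a deployment gate.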