Skip to content

az82/k8s-admission-control-showcase

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
.vscode
.vscode
 
 
policies
policies
 
 
test
test
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 
main_test.go
main_test.go
 
 
webhook.yaml
webhook.yaml
 
 

Repository files navigation

Kubernetes Admission Control and Archiving Showcase

Deploys a custom Kubernetes validating admission controller. The controller will review deployments for namespaces with the label admission-webhook: enabled.

The controller then uses an OPA (OpenPolicyAgent) sidecar to decide what to do with the deployment.

That step of indirection allows us to use the OPA data API instead of the Query API. The data API is much more convenient to manage.

OPA can not only allow or deny an admission, it can also provide more advanced policies, most importantly control taking actions upon deployments.

The policies define a set of processors that can be called out-of-band if the deployment is allowed. The deployment won't be slowed down by steps that can take a lot of time. This approach makes it easy to fulfil auditing or archiving requirements.

In the future, things like max/min resource limits, number of instances and so on could also be controlled by central OPA policies.

Prerequisites

  • GNU Make

  • Kubectl

  • Docker

  • Go > 1.11 (Because we are using Go modules)

  • OpenSSL

  • Base64

  • Kubernetes Cluster

    The Makefile assumes that docker build will install the image in the target cluster's registry. This is the case for Docker Desktop and Minikube, but not for remote clusters.

  • OPA (Only needed for manual local testing)

How to Use

  1. Build & Deploy the Web hook

    make deploy

  2. Try to deploy an application that does not meet the policy

    kubectl apply -f test/deployments/invalid.yaml

  3. You should get the following error message

    Error from server (Forbidden): error when creating "test/deployments/invalid.yaml": admission webhook "test-validating-webhook.az82.de" denied the request: No explicit image version for the container hello-kubernetes, Invalid Git repository annotation, Invalid Git commit hash annotation

  4. Try to deploy an application that meets the policy

    kubectl apply -f test/deployments/valid.yaml

  5. Inspect the policies. You can then try to create a deployment that fulfils the policies or try to tweak the policies.

Cleaning up

  • Undeploy everything

    make undeploy

  • Clean the workspace

    make clean

See also

Pitfalls

Kubernetes currently does not support creating config maps recursively from a directory. That means that policies stored in a config map cannot be organized in directories. See kubernetes/kubernetes#62421 for reference

About

Kubernetes admission control showcase

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

0 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages