Documentation

Overview

    Package imagepolicy contains an admission controller that configures a webhook to which policy decisions are delegated.

    Package imagepolicy contains an admission controller that configures a webhook to which policy decisions are delegated.

    Package imagepolicy checks a webhook for image admission

    Index

    Constants

    View Source
    const (
    	// ImagePolicyFailedOpenKeySuffix in an annotation indicates the image
    	// review failed open when the image policy webhook backend connection
    	// failed.
    	ImagePolicyFailedOpenKeySuffix string = "failed-open"
    
    	// ImagePolicyAuditRequiredKeySuffix in an annotation indicates the pod
    	// should be audited.
    	ImagePolicyAuditRequiredKeySuffix string = "audit-required"
    )
    View Source
    const PluginName = "ImagePolicyWebhook"

      PluginName indicates name of admission plugin.

      Variables

      View Source
      var AuditKeyPrefix = strings.ToLower(PluginName) + ".image-policy.k8s.io/"

        AuditKeyPrefix is used as the prefix for all audit keys handled by this pluggin. Some well known suffixes are listed below.

        Functions

        func Register

        func Register(plugins *admission.Plugins)

          Register registers a plugin

          Types

          type AdmissionConfig

          type AdmissionConfig struct {
          	ImagePolicyWebhook imagePolicyWebhookConfig `json:"imagePolicy"`
          }

            AdmissionConfig holds config data for admission controllers

            type Plugin

            type Plugin struct {
            	*admission.Handler
            	// contains filtered or unexported fields
            }

              Plugin is an implementation of admission.Interface.

              func NewImagePolicyWebhook

              func NewImagePolicyWebhook(configFile io.Reader) (*Plugin, error)

                NewImagePolicyWebhook a new ImagePolicyWebhook plugin from the provided config file. The config file is specified by --admission-control-config-file and has the following format for a webhook:

                {
                  "imagePolicy": {
                     "kubeConfigFile": "path/to/kubeconfig/for/backend",
                     "allowTTL": 30,           # time in s to cache approval
                     "denyTTL": 30,            # time in s to cache denial
                     "retryBackoff": 500,      # time in ms to wait between retries
                     "defaultAllow": true      # determines behavior if the webhook backend fails
                  }
                }
                

                The config file may be json or yaml.

                The kubeconfig property refers to another file in the kubeconfig format which specifies how to connect to the webhook backend.

                The kubeconfig's cluster field is used to refer to the remote service, user refers to the returned authorizer.

                # clusters refers to the remote service.
                clusters:
                - name: name-of-remote-imagepolicy-service
                  cluster:
                    certificate-authority: /path/to/ca.pem      # CA for verifying the remote service.
                    server: https://images.example.com/policy # URL of remote service to query. Must use 'https'.
                
                # users refers to the API server's webhook configuration.
                users:
                - name: name-of-api-server
                  user:
                    client-certificate: /path/to/cert.pem # cert for the webhook plugin to use
                    client-key: /path/to/key.pem          # key matching the cert
                

                For additional HTTP configuration, refer to the kubeconfig documentation http://kubernetes.io/v1.1/docs/user-guide/kubeconfig-file.html.

                func (*Plugin) Validate

                func (a *Plugin) Validate(attributes admission.Attributes, o admission.ObjectInterfaces) (err error)

                  Validate makes an admission decision based on the request attributes