admission-controller

command module

v0.0.0-...-3691b18 Latest Latest Go to latest Published: Mar 19, 2024 License: Apache-2.0 Imports: 18 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/sigstore/k8s-manifest-sigstore

Links

Open Source Insights

README ¶

Example k8s admission controller for k8s manifest verification

This is small example to show how to implement admission controller for verifying k8s manifest with sigstore signing. The original design comes from Integrity Shield project (https://github.com/IBM/integrity-enforcer) which includes more advanced capabilities.

Setup

You can setup the admission controller just by the following commands.

Please specify an image which you can push there and which can be pulled from the cluster as <YOUR_IMAGE_NAME>.

# Build & push an image of admission controller into a registry
$ make build IMG=<YOUR_IMAGE_NAME>

# Deploy an admission controller
$ make deploy IMG=<YOUR_IMAGE_NAME>

Usage

In this example, the admission webhook is configured to check requests of "v1" resources like "ConfigMap" or "Secret" in namespaces that have a label "k8s-manifest-sigstore=true" .

This command shows which namespace is targetted by the admission controller.

$ kubectl get ns -L k8s-manifest-sigstore
NAME                    STATUS   AGE    K8S-MANIFEST-SIGSTORE
default                 Active   22d
k8s-manifest-sigstore   Active   16s
kube-system             Active   22d
sample-ns               Active   19d    true

First, creating a ConfigMap in a target namespace without signature will be blocked.

$ kubectl create -n sample-ns -f sample-configmap.yaml
Error from server (no signature found): error when creating "sample-configmap.yaml": admission webhook "k8smanifest.sigstore.dev" denied the request: no signature found

Then, sign the ConfigMap YAML manifest with kubectl sigstore sign command and creating it will pass the verification.

$ kubectl sigstore sign -f sample-configmap.yaml -i <K8S_MANIFEST_IMAGE>
...

$ kubectl create -n sample-ns -f sample-configmap.yaml.signed
configmap/sample-cm created

After the above, any runtime modification without signature will be blocked.

$ kubectl patch cm -n sample-ns sample-cm -p '{"data":{"key1":"val1.1"}}'
Error from server (diff found: {"items":[{"key":"data.key1","values":{"after":"val1","before":"val1.1"}}]}): admission webhook "k8smanifest.sigstore.dev" denied the request: diff found: {"items":[{"key":"data.key1","values":{"after":"val1","before":"val1.1"}}]}

Uninstall

To remove the deployed resources, just do this.

# Remove all deployed resources by `make deploy`
$ make undeploy

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
pkg
config

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL