Kubernetes image policy webhook explained

You need to parse the request, do the logic and build the response in order to allow or deny images in the cluster. The good part of the ImagePolicyWebhook: the API server can be instructed to reject the images if the webhook endpoint is not reachable.

Introduction

In this article we will explore how webhooks work in Kubernetes, and more specifically the ImagePolicyWebhook. The Kubernetes documentation about it is kind of vague, since there is no real example or implementation you can take from it, so here we will break down the different alternatives. In a real-world scenario I would prefer to rely on OPA Gatekeeper. I'm planning to make this trip worthwhile by adding a database and making the webhook allow or disallow images based on their vulnerability scan, for example allowing only medium or lower vulnerabilities in your containers, but that will be a post for another day; if you are interested you can help in this repo.

There are two ways to make this work, and each has slightly different behavior: one is the ImagePolicyWebhook, the other is an admission webhook, which works either as validating or as mutating. Here I used the validating webhook; you can learn more here.

This admission controller will reject all pods that use images with the latest tag, and in the future we will look at rejecting all pods that are not able to meet the required security levels.

Comparison

The ImagePolicyWebhook is an admission controller that evaluates only images: you need to parse the request, do the logic and build the response in order to allow or deny images in the cluster.
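The request/logic/response cycle described above, applied to the latest-tag policy from the introduction, as an added example in Go (written for this article, not the project's own webhook code). It declares only the parts of the `imagepolicy.k8s.io/v1alpha1` ImageReview object it needs, so it has no dependency on the Kubernetes client libraries; the sample request body is constructed here, not captured from a cluster, and the certificate paths in `main` are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)

// ImageReview mirrors the imagepolicy.k8s.io/v1alpha1 object the API server
// POSTs to the webhook; only the fields this example needs are declared.
// Spec is a pointer so the response (status only) omits it cleanly.
type ImageReview struct {
	APIVersion string            `json:"apiVersion"`
	Kind       string            `json:"kind"`
	Spec       *ImageReviewSpec  `json:"spec,omitempty"`
	Status     ImageReviewStatus `json:"status"`
}

type ImageReviewSpec struct {
	Containers  []ImageReviewContainerSpec `json:"containers"`
	Annotations map[string]string          `json:"annotations,omitempty"`
	Namespace   string                     `json:"namespace"`
}

type ImageReviewContainerSpec struct {
	Image string `json:"image"`
}

type ImageReviewStatus struct {
	Allowed bool   `json:"allowed"`
	Reason  string `json:"reason,omitempty"`
}

// sampleRequest is a constructed ImageReview body in the shape the API server
// sends (not captured from a real cluster); the second image has no tag.
const sampleRequest = `{"apiVersion":"imagepolicy.k8s.io/v1alpha1","kind":"ImageReview",
"spec":{"containers":[{"image":"registry.example/app:v1.2.0"},{"image":"registry.example/sidecar"}],
"namespace":"demo"}}`

// imageTag returns the tag of an image reference, "latest" when the reference
// carries no tag (the runtime defaults to latest), and "" when the image is
// pinned by digest. Only the last path segment is inspected, so a registry
// port (host:5000/img) is not mistaken for a tag.
func imageTag(ref string) string {
	name := ref[strings.LastIndex(ref, "/")+1:]
	if strings.Contains(name, "@") {
		return "" // digest-pinned, e.g. img@sha256:...
	}
	if i := strings.LastIndex(name, ":"); i >= 0 {
		return name[i+1:]
	}
	return "latest"
}

// Review is the policy logic: every container image must carry an explicit
// tag other than "latest" (a digest is fine). The first offender is reported.
func Review(spec ImageReviewSpec) ImageReviewStatus {
	for _, c := range spec.Containers {
		if imageTag(c.Image) == "latest" {
			return ImageReviewStatus{Allowed: false,
				Reason: fmt.Sprintf("image %q in namespace %q uses the latest tag", c.Image, spec.Namespace)}
		}
	}
	return ImageReviewStatus{Allowed: true}
}

// ReviewJSON parses the raw request body and serializes the response, which
// echoes apiVersion/kind and carries only the status.
func ReviewJSON(body []byte) ([]byte, error) {
	var in ImageReview
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, err
	}
	if in.Spec == nil {
		return nil, fmt.Errorf("ImageReview without spec")
	}
	out := ImageReview{APIVersion: in.APIVersion, Kind: in.Kind, Status: Review(*in.Spec)}
	return json.Marshal(out)
}

// handler is the HTTP endpoint the API server's kubeconfig points at.
func handler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err == nil {
		var resp []byte
		if resp, err = ReviewJSON(body); err == nil {
			w.Header().Set("Content-Type", "application/json")
			w.Write(resp)
			return
		}
	}
	http.Error(w, err.Error(), http.StatusBadRequest) // malformed review
}

func main() {
	http.HandleFunc("/image-policy", handler)
	// Placeholder cert/key paths: the API server only talks to the webhook over TLS.
	log.Fatal(http.ListenAndServeTLS(":8443", "/etc/webhook/tls.crt", "/etc/webhook/tls.key", nil))
}
```

A missing tag is treated the same as an explicit `:latest`, because that is what the container runtime resolves it to; a malformed body returns HTTP 400, and whether that counts as allow or deny is then decided by the `defaultAllow` setting of the API server's ImagePolicyWebhook configuration rather than by this code.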

The good parts about the ImagePolicyWebhook:

  • The API server can be instructed to reject the images if the webhook endpoint is not reachable. This is quite handy, but it can also bring issues: core pods won't be able to schedule, for example.

The bad parts about the ImagePolicyWebhook:

  • The configuration is a bit more involved and requires access to the master nodes or to the apiserver configuration; the documentation is not clear, and it can be hard to make changes, update, etc.
  • The deployment is not so trivial, as you need to deploy it with systemd or run it as a docker container on the host, update the DNS, etc.
