• Stars
    star
    245
  • Rank 165,304 (Top 4 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created over 5 years ago
  • Updated 10 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Kubernetes admission controller webhook example

Kubernetes Admission Controller Webhook Demo

This repository contains a small HTTP server that can be used as a Kubernetes MutatingAdmissionWebhook.

The logic of this demo webhook is fairly simple: it enforces more secure defaults for running containers as non-root user. While it is still possible to run containers as root, the webhook ensures that this is only possible if the setting runAsNonRoot is explicitly set to false in the securityContext of the Pod. If no value is set for runAsNonRoot, a default of true is applied, and the user ID defaults to 1234.

Prerequisites

A cluster on which this example can be tested must be running Kubernetes 1.9.0 or above, with the admissionregistration.k8s.io/v1beta1 API enabled. You can verify that by observing that the following command produces a non-empty output:

kubectl api-versions | grep admissionregistration.k8s.io/v1beta1

In addition, the MutatingAdmissionWebhook admission controller should be added and listed in the admission-control flag of kube-apiserver.

For building the image, GNU make and Go are required.

Deploying the Webhook Server

  1. Bring up a Kubernetes cluster satisfying the above prerequisites, and make sure it is active (i.e., either via the configuration in the default location, or by setting the KUBECONFIG environment variable).
  2. Run ./deploy.sh. This will create a CA, a certificate and private key for the webhook server, and deploy the resources in the newly created webhook-demo namespace in your Kubernetes cluster.

Verify

  1. The webhook-server pod in the webhook-demo namespace should be running:
$ kubectl -n webhook-demo get pods
NAME                             READY     STATUS    RESTARTS   AGE
webhook-server-6f976f7bf-hssc9   1/1       Running   0          35m
  1. A MutatingWebhookConfiguration named demo-webhook should exist:
$ kubectl get mutatingwebhookconfigurations
NAME           AGE
demo-webhook   36m
  1. Deploy a pod that neither sets runAsNonRoot nor runAsUser:
$ kubectl create -f examples/pod-with-defaults.yaml

Verify that the pod has default values in its security context filled in:

$ kubectl get pod/pod-with-defaults -o yaml
...
  securityContext:
    runAsNonRoot: true
    runAsUser: 1234
...

Also, check the logs that the pod had in fact been running as a non-root user:

$ kubectl logs pod-with-defaults
I am running as user 1234
  1. Deploy a pod that explicitly sets runAsNonRoot to false, allowing it to run as the root user:
$ kubectl create -f examples/pod-with-override.yaml
$ kubectl get pod/pod-with-override -o yaml
...
  securityContext:
    runAsNonRoot: false
...
$ kubectl logs pod-with-override
I am running as user 0
  1. Attempt to deploy a pod that has a conflicting setting: runAsNonRoot set to true, but runAsUser set to 0 (root). The admission controller should block the creation of that pod.
$ kubectl create -f examples/pod-with-conflict.yaml 
Error from server (InternalError): error when creating "examples/pod-with-conflict.yaml": Internal error
occurred: admission webhook "webhook-server.webhook-demo.svc" denied the request: runAsNonRoot specified,
but runAsUser set to 0 (the root user)

Build the Image from Sources (optional)

An image can be built by running make. If you want to modify the webhook server for testing purposes, be sure to set and export the shell environment variable IMAGE to an image tag for which you have push access. You can then build and push the image by running make push-image. Also make sure to change the image tag in deployment/deployment.yaml.template, and if necessary, add image pull secrets.

More Repositories

1

kube-linter

KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.
Go
2,914
star
2

stackrox

The StackRox Kubernetes Security Platform performs a risk analysis of the container environment, delivers visibility and runtime alerts, and provides recommendations to proactively improve security by hardening the environment.
Go
1,121
star
3

Kubernetes_Security_Specialist_Study_Guide

HCL
420
star
4

go-grpc-http1

A gRPC via HTTP/1 Enabling Library for Go
Go
111
star
5

helm-charts

Helm charts for StackRox Kubernetes Security Platform
Smarty
62
star
6

collector

Runtime data collection for the StackRox Kubernetes Security Platform using eBPF
C++
52
star
7

contributions

Samples for customer implementations & integrations
Python
47
star
8

scanner

Go
42
star
9

bsidessf-2020-workshop

Materials for a live workshop at BSidesSF on deployment-level Kubernetes security controls
Go
36
star
10

network-policy-examples

YAML files accompanying the StackRox Network Policies guide.
34
star
11

kube-linter-action

GitHub action for automating KubeLinter.
33
star
12

blog-examples

Sample code and files from StackRox blog posts
Open Policy Agent
27
star
13

ansible-demo

Create sales demos on k8s/OpenShift with Ansible
Jinja
15
star
14

k8s-i-use

Source for k8siuse, a site in the style of caniuse that visualizes GVKs and their fields over different versions of the Kubernetes API
CSS
14
star
15

acs-fleet-manager

Go
13
star
16

helmtest

helmtest is a Go-based framework for testing helm charts in various configurations
Go
13
star
17

stackrox-env

Stackrox development environment
Nix
8
star
18

berserker

Workload generator for ACS Collector
Rust
7
star
19

jenkins-plugin

The StackRox Jenkins Plugin for image scanning and security
Java
5
star
20

dev-docs

5
star
21

kernel-packer

📦 Crawl and repackage kernel headers for collector
Python
5
star
22

roxctl-installer-action

5
star
23

k8s-cves

Curated repo of Kubernetes CVEs
Go
4
star
24

central-login

TypeScript
4
star
25

helm-operator

Helm operator fork of https://github.com/operator-framework/helm-operator-plugins
Go
3
star
26

prometheus-metric-parser

Utility to parse prometheus metrics and compare them against other metrics
Go
3
star
27

workflow

Shell
3
star
28

falcosecurity-libs

Internal Fork of https://github.com/falcosecurity/libs
C
3
star
29

rox-ci-image

Dockerfile
3
star
30

istio-cves

Go
3
star
31

dotnet-scraper

.NET scraper houses .NET vulnerabilities, a primitive scraper and a cron job to ensure that we have all the most updated vulns
Go
3
star
32

image-prefetcher

A utility for pre-fetching images onto k8s nodes in parallel
Go
3
star
33

k8s-istio-cve-pusher

This repo pulls CVEs from NVD, filters them and pushes to stackrox google cloud bucket.
Go
2
star
34

junit-parse

Junit parsing CLI
Go
2
star
35

infra

🌧️ Automated infrastructure and demo provisioning
Go
2
star
36

actions

Various Reusable GitHub Actions
Shell
1
star
37

nvdtools

Go
1
star
38

bleve

Go
1
star
39

goland-indexes

Shared indexes for stackrox project
1
star
40

automation-standard

🤖 A micro-framework for building standardized cluster automation entrypoints
Go
1
star
41

docker-registry-client

Public fork of github.com/heroku/docker-registry-client
Go
1
star
42

release-registry

A mechanism to mark, identify and search release artifacts using Quality Milestones.
Go
1
star