This project has been archived since we moved to the new policy server
chimera-admission is a
Kubernetes dynamic admission controller
that loads Chimera Policies to validate admission requests.
Chimera Policies are simple WebAssembly modules.
chimera-admission can be deployed by doing a simple:
$ kubectl apply -f https://raw.githubusercontent.com/chimera-kube/chimera-admission/main/deployment/chimera-admission.yamlNote well: the Chimera Project is in its early days. Many things are going to change. It's not meant to be used in production.
We also plan to create a Kubernetes controller to simplify the management of Chimera Policies.
You can either build chimera-admission from sources (see the dedicated section
near the bottom of the file) or you can use the container image we maintain
inside of our GitHub Container Registry.
The deployment
directory inside of this repository shows how to deploy chimera-admission
on top of a Kubernetes cluster.
The behaviour of chimera-admission can be tuned either via cli flags or
environment variables. All the environment variables have the CHIMERA_ prefix.
Note well: at this time
chimera-admissionloads only one Chimera Policy. We have plans to allow users to dynamically set up Chimera Policies thatchimera-admissionwill discover and load as needed.
The Wasm file providing the Chimera Policy can be either loaded from the local filesystem or it can be fetched from a remote location. The behaviour depends on the URL format provided by the user:
file:///some/local/program.wasm: load the policy from the local filesystemhttps://some-host.com/some/remote/program.wasm: download the policy from the remote http(s) serverregistry://localhost:5000/project/artifact:some-versiondownload the policy from a OCI registry. The policy must have been pushed as an OCI artifact
Chimera Policies can be configured via environment variables. The chimera-admission
controller takes care of forwarding the environment variables from the host
system to the Wasm runtime.
The controller automatically forwards all the environment variables that
have the CHIMERA_EXPORT_ prefix. These environment variables are forwarded
with the CHIMERA_EXPORT_ prefix stripped. For example, the CHIMERA_EXPORT_ALLOWED_GROUPS
will be forwarded to the Chimera Policy as ALLOWED_GROUPS.
The chimera-admission controller automatically takes care of registering
itself against the Kubernetes API server.
Kubernetes requires all the dynamic admission controllers to be secured with a TLS certificate. The CA bundle used to generate the certificate used by the controller must be provided to Kubernetes when the controller is registered.
The user can provide the TLS certificates and the CA bundle to use. When nothing
is specified, chimera-admission will automatically generate a CA and use it
to sign a TLS certificate.
Note well: right now
chimera-admissiondoesn't implement certificate rotation.
The chimera-admission will automatically register itself using the name provided
by the user, or use a self-generated one.
Note well: the
ValidatingWebhookConfigurationobject is not deleted when thechimera-admissionis terminated.
You need a Kubernetes cluster running and accessible through a kubeconfig file.
This can be done quickly using k3s.
The following commands download k3s and then run it locally:
$ wget https://github.com/rancher/k3s/releases/download/v1.19.4%2Bk3s1/k3s
$ chmod +x k3s
$ ./k3s server --disable-agentNow we can start a chimera-admission instance that uses
this Chimera Policy
to validate Pod operations.
The policy will be downloaded as an OCI artifact from here.
$ CHIMERA_RESOURCES=pods \
CHIMERA_EXPORT_TAINT_KEY=dedicated \
CHIMERA_EXPORT_TAINT_VALUE=tenantA \
CHIMERA_EXPORT_ALLOWED_GROUPS=system:masters \
CHIMERA_WASM_URI=registry://ghcr.io/chimera-kube/policies/pod-toleration:v0.0.2 \
KUBECONFIG=$HOME/.kube/k3s.yaml \
./chimera-admission-amd64Now we can see the policy in action by creating the following Pod:
$ k3s kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
name: nginx
labels:
env: test
spec:
containers:
- name: nginx
image: nginx
imagePullPolicy: IfNotPresent
tolerations:
- key: "dedicated"
operator: "Equal"
value: "tenantA"
effect: "NoSchedule"
EOFThe chimera-admission instance will accept the creation request because the
kubeconfig used by k3s authenticates us as user named kubernetes-admin who
belongs to the sytem:masters and to the system:authenticated groups.
Let's remove the Pod now, so that we can make one last test:
$ k3s kubectl delete pod nginxStop the previous admission server execution, and re-run it with a different tuning of the Chimera Policy:
$ CHIMERA_RESOURCES=pods \
CHIMERA_EXPORT_TAINT_KEY=dedicated \
CHIMERA_EXPORT_TAINT_VALUE=tenantA \
CHIMERA_EXPORT_ALLOWED_GROUPS=trusted-users \
CHIMERA_WASM_URI=registry://ghcr.io/chimera-kube/policies/pod-toleration:v0.0.2 \
KUBECONFIG=$HOME/.kube/k3s.yaml \
./chimera-admission-amd64Now the policy accepts this toleration only when a user who belongs to the
trusted-users group is the author of the request.
Let's create the same Pod one last time:
$ k3s kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
name: nginx
labels:
env: test
spec:
containers:
- name: nginx
image: nginx
imagePullPolicy: IfNotPresent
tolerations:
- key: "example-key"
operator: "Exists"
effect: "NoSchedule"
EOF
Error from server: error when creating "STDIN": admission webhook "rule-0.wasm.admission.rule" denied the request: User not allowed to create Pod objects with toleration: key: example-key, operator: Exists, effect: NoSchedule)The admission controller is properly working: the creation request has been rejected because it's not done by a user who belongs to one of the valid groups.
The chimera-admission binary can be built in this way:
$ # Build x86_64 binary
$ make chimera-admission-amd64