The following steps have been tested on a Mac with Minikube server versions 1.7.x to 1.9.x and kubectl client versions 1.7.x to 1.9.x; the `--extra-config` keys and the `extensions/v1beta1` Deployment used below are the ones that API server range accepts.
Ensure you've successfully completed the Minikube Setup.
- Modify image-review.example.yml wherever you see `<my-id>`:

  ```yaml
  # clusters refers to the remote service.
  # this config assumes you're running Port Authority in Minikube.
  # the IPs below are the ones Minikube uses as your IP routable via the cluster.
  clusters:
  - name: image-review-server
    cluster:
      insecure-skip-tls-verify: true
      server: http://192.168.99.100:31700/v1/k8s-image-policy-webhook # nodeport routable ip
      #server: http://10.0.2.2:6100/v1/k8s-image-policy-webhook # local development routable ip to your localhost
  # users refers to the API server's webhook configuration.
  users:
  - name: kube-apiserver
    user:
      client-certificate: /Users/<my-id>/.minikube/client.crt
      client-key: /Users/<my-id>/.minikube/client.key
  current-context: webhook
  contexts:
  - context:
      cluster: image-review-server
      user: kube-apiserver
    name: webhook
  ```

  Note that both `server` URLs are plain `http://`, so `insecure-skip-tls-verify` has nothing to verify and the client certificate is never presented: every admission request, including image names and pod annotations, crosses the Minikube network unauthenticated and in the clear. That is fine for a throwaway local cluster and nothing else. Outside Minikube, serve the webhook over HTTPS, replace `insecure-skip-tls-verify` with a `certificate-authority` the API server trusts, and have the backend require the client certificate so that only the API server can ask for (or influence) image decisions.
- Modify admission-controller.example.json, again replacing `<my-id>`, so that `kubeConfigFile` points at the image-review.example.yml file you edited in the previous step:

  ```json
  {
    "imagePolicy": {
      "kubeConfigFile": "/Users/<my-id>/go/src/github.com/target/portauthority/docs/webhook-example/image-review.example.yml",
      "allowTTL": 50,
      "denyTTL": 50,
      "retryBackoff": 500,
      "defaultAllow": true
    }
  }
  ```

  `allowTTL` and `denyTTL` are how long (in seconds) the API server caches an allow or deny verdict for the same image set, and `retryBackoff` is the wait (in milliseconds) between retries. `defaultAllow: true` makes the admission controller fail open: if Port Authority is unreachable, times out, or returns a malformed response, the pod is admitted without review. That is convenient while you are still wiring things up in Minikube, but a cluster that relies on the webhook to block images should set it to `false` and accept that a webhook outage then blocks new pods.
- Start Minikube with something like the following command after changing `<my-id>`:

  ```shell
  minikube start \
    --extra-config=apiserver.Admission.PluginNames=ImagePolicyWebhook \
    --extra-config=apiserver.Admission.ConfigFile=/Users/<my-id>/go/src/github.com/target/portauthority/docs/webhook-example/admission-controller.example.json
  ```

  Note: Minikube will NOT start if the API server cannot find and parse a valid admission-controller.example.json file. Also be aware that `Admission.PluginNames` is the API server's full, ordered admission plugin list (the `--admission-control` flag), not an addition to the defaults: listing only `ImagePolicyWebhook` switches off whatever else Minikube would otherwise have enabled, so add back plugins such as `NamespaceLifecycle` and `ServiceAccount` if your workloads depend on them.
- Add the following annotations to the pod template of your Deployment. The ImagePolicyWebhook admission controller forwards only pod annotations whose key matches `*.image-policy.k8s.io/*`, so they must sit under `spec.template.metadata.annotations`, not on the Deployment's own metadata:

  ```yaml
  apiVersion: extensions/v1beta1
  kind: Deployment
  metadata:
    labels:
      service: myapp-deployment
    name: myapp-deployment
  spec:
    template:
      metadata:
        labels:
          app: myapp-deployment
        annotations:
          alpha.image-policy.k8s.io/portauthority-webhook-enable: "true"
          alpha.image-policy.k8s.io/policy: "default"
      spec:
        containers:
        - name: postgres
          env:
          - name: PGUSER
            value: postgres
          - name: PGPASSWORD
            value: password
          image: postgres:9.6
  ```

  The literal `PGPASSWORD` is for this example only; in a real deployment take it from a Secret.
The default behaviour of the webhook is configured on your Port Authority endpoint in config.yml:

- Secure configuration (every pod is reviewed unless it opts out through the `alpha.image-policy.k8s.io/portauthority-webhook-enable` annotation):

  ```yaml
  imagewebhookdefaultblock: true
  ```

- Insecure configuration (pods are reviewed only when they opt in through that annotation, as the Deployment above does):

  ```yaml
  imagewebhookdefaultblock: false
  ```
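The decision logic behind the two `imagewebhookdefaultblock` settings and the `portauthority-webhook-enable` annotation on the Deployment, as an added example that is not Port Authority's code: a minimal ImageReview backend in Go that the kubeconfig above could be pointed at. The request and response shapes follow the `imagepolicy.k8s.io/v1alpha1` ImageReview object the ImagePolicyWebhook admission controller POSTs (the pod's containers, its `*.image-policy.k8s.io/*` annotations, and a `status` with `allowed` and `reason`). The `Policy` type, its `AllowedRegistries` rule, `registryOf` and `sampleRequest` are assumptions made for illustration; Port Authority's own policy evaluation is not reproduced here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)

// ImageReview mirrors imagepolicy.k8s.io/v1alpha1; only the fields used here are declared.
type ImageReview struct {
	APIVersion string            `json:"apiVersion"`
	Kind       string            `json:"kind"`
	Spec       ImageReviewSpec   `json:"spec"`
	Status     ImageReviewStatus `json:"status,omitempty"`
}
type Container struct{ Image string `json:"image"` }
type ImageReviewSpec struct {
	Containers  []Container       `json:"containers"`
	Annotations map[string]string `json:"annotations,omitempty"` // only *.image-policy.k8s.io/* keys arrive
}
type ImageReviewStatus struct {
	Allowed bool   `json:"allowed"`
	Reason  string `json:"reason,omitempty"`
}

// enableAnnotation is the opt-in/opt-out key from the page's deployment example.
const enableAnnotation = "alpha.image-policy.k8s.io/portauthority-webhook-enable"
// Policy is a hypothetical backend configuration, not Port Authority's config.yml.
type Policy struct {
	DefaultBlock      bool            // plays the role of imagewebhookdefaultblock
	AllowedRegistries map[string]bool // hypothetical rule: every image must come from one of these hosts
}

// registryOf follows the Docker reference convention: a first path component containing
// '.' or ':' (or equal to "localhost") is a registry host; anything else lives on docker.io.
func registryOf(image string) string {
	if i := strings.Index(image, "/"); i > 0 {
		if first := image[:i]; strings.ContainsAny(first, ".:") || first == "localhost" {
			return first
		}
	}
	return "docker.io"
}

// Evaluate applies the opt-in/opt-out rule, then the registry rule.
func (p Policy) Evaluate(r ImageReview) ImageReviewStatus {
	enforce := p.DefaultBlock // true: review unless opted out; false: review only if opted in
	if v, ok := r.Spec.Annotations[enableAnnotation]; ok {
		enforce = v == "true" // an explicit annotation always wins over the default
	}
	if !enforce {
		return ImageReviewStatus{Allowed: true, Reason: "image review not enabled for this pod"}
	}
	for _, c := range r.Spec.Containers {
		if host := registryOf(c.Image); !p.AllowedRegistries[host] {
			return ImageReviewStatus{Allowed: false, Reason: fmt.Sprintf("image %q is from registry %q, which is not allowed", c.Image, host)}
		}
	}
	return ImageReviewStatus{Allowed: true}
}

// ReviewJSON maps a request body to the response body: same apiVersion and kind, status filled in.
func (p Policy) ReviewJSON(body []byte) ([]byte, error) {
	var req ImageReview
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, err
	}
	return json.Marshal(struct {
		APIVersion string            `json:"apiVersion"`
		Kind       string            `json:"kind"`
		Status     ImageReviewStatus `json:"status"`
	}{req.APIVersion, req.Kind, p.Evaluate(req)})
}

// ServeHTTP exposes ReviewJSON; a 400 counts as a backend failure, which the API server resolves with defaultAllow.
func (p Policy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(r.Body) // a read error leaves body unparseable and ends in the same 400
	out, err := p.ReviewJSON(body)
	if err != nil {
		http.Error(w, "malformed ImageReview: "+err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.Write(out)
}
// sampleRequest is a constructed ImageReview for the page's postgres pod (no enable annotation).
const sampleRequest = `{"apiVersion":"imagepolicy.k8s.io/v1alpha1","kind":"ImageReview",
 "spec":{"containers":[{"image":"postgres:9.6"}],
 "annotations":{"alpha.image-policy.k8s.io/policy":"default"},"namespace":"default"}}`

func main() {
	policy := Policy{DefaultBlock: true, AllowedRegistries: map[string]bool{"registry.example.com": true}}
	out, _ := policy.ReviewJSON([]byte(sampleRequest))
	fmt.Println(string(out)) // status.allowed is false: postgres:9.6 lives on docker.io
	http.Handle("/v1/k8s-image-policy-webhook", policy) // the path from the page's kubeconfig
	log.Fatal(http.ListenAndServe(":6100", nil))        // the "local development" port
}
```

With `DefaultBlock: true` (the secure setting) a pod carrying no enable annotation is reviewed, and `postgres:9.6` is denied because it resolves to docker.io; adding `portauthority-webhook-enable: "false"` to the pod template opts it out. With `DefaultBlock: false` the same pod is waved through unless it carries `"true"`. Whatever the backend decides applies only when the API server actually reaches it: an unreachable or erroring backend is resolved by `defaultAllow` in admission-controller.example.json, not by `imagewebhookdefaultblock`, so the two settings have to be chosen together.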
Flow Diagram: