imagepolicywebhook

Posted by mingtian是吧 on 2024-03-17

imagePolicyWebhook

ImagePolicyWebhook is an admission controller that evaluates container images. An HTTPS service must be running to perform the evaluation.

【Hands-on practice】

  1. Generate an SSL certificate for the webhook

    Generate server.csr and server-key.pem

    cat <<EOF | cfssl genkey - | cfssljson -bare server
    {
      "hosts": [
        "image-bouncer-webhook.default.svc",
        "image-bouncer-webhook.default.svc.cluster.local",
        "image-bouncer-webhook.default.pod.cluster.local",
        "192.0.2.24",
        "10.0.34.2"
      ],
      "CN": "system:node:image-bouncer-webhook.default.pod.cluster.local",
      "key": {
        "algo": "ecdsa",
        "size": 256
      },
      "names": [
        {
          "O": "system:nodes"
        }
      ]
    }
    EOF
    

    Submit a CertificateSigningRequest to generate server.crt

    cat <<EOF | kubectl apply -f -
    apiVersion: certificates.k8s.io/v1
    kind: CertificateSigningRequest
    metadata:
      name: image-bouncer-webhook.default
    spec:
      request: $(cat server.csr | base64 | tr -d '\n')
      signerName: kubernetes.io/kubelet-serving
      usages:
      - digital signature
      - key encipherment
      - server auth
    EOF
    
    kubectl certificate approve image-bouncer-webhook.default
    
    root@master01:~# kubectl get csr 
    NAME                            AGE     SIGNERNAME                      REQUESTOR          REQUESTEDDURATION   CONDITION
    image-bouncer-webhook.default   2m12s   kubernetes.io/kubelet-serving   kubernetes-admin   <none>              Approved,Issued
    
    kubectl get csr image-bouncer-webhook.default -o jsonpath='{.status.certificate}' | base64 --decode >server.crt
    
    cp server.crt /etc/kubernetes/kube-image-bouncer/pki/server.crt
    
    chown -R 1000:1000 server*
    
  2. Start the webhook service

    echo "127.0.0.1 image-bouncer-webhook.default.svc" >> /etc/hosts
    
    docker run --rm \
    -v `pwd`/server-key.pem:/certs/server-key.pem:ro \
    -v `pwd`/server.crt:/certs/server.crt:ro \
    -p 1323:1323 \
    --network host \
    kainlite/kube-image-bouncer -k /certs/server-key.pem -c /certs/server.crt
    
  3. Modify the apiserver configuration file and restart the apiserver

    --admission-control-config-file=/etc/kubernetes/kube-image-bouncer/admission_configuration.yaml
    --enable-admission-plugins=ImagePolicyWebhook
    
    # /etc/kubernetes/kube-image-bouncer/admission_configuration.yaml
    
    imagePolicy:
      kubeConfigFile: "/etc/kubernetes/kube-image-bouncer/kube-image-bouncer.yml"
      # duration in seconds for which an approved request is cached
      allowTTL: 50
      # duration in seconds for which a denied request is cached
      denyTTL: 50
      # duration in milliseconds between retries
      retryBackoff: 500
      # determines the behaviour when the webhook backend is unavailable
      defaultAllow: true
    
    # cat /etc/kubernetes/kube-image-bouncer/kube-image-bouncer.yml
    apiVersion: v1
    kind: Config
    clusters:
    - cluster:
        certificate-authority: /etc/kubernetes/kube-image-bouncer/pki/server.crt
        server: https://image-bouncer-webhook.default.svc:1323/image_policy
      name: bouncer_webhook
    contexts:
    - context:
        cluster: bouncer_webhook
        user: api-server
      name: bouncer_validator
    current-context: bouncer_validator
    preferences: {}
    users:
    - name: api-server
      user:
        client-certificate: /etc/kubernetes/pki/apiserver.crt
        client-key:  /etc/kubernetes/pki/apiserver.key
    
  4. Functional verification

    root@master01:~# kubectl run test --image=busybox
    Error from server (Forbidden): pods "test" is forbidden: image policy webhook backend denied one or more images: Images using latest tag are not allowed
    
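The denial above comes from the kube-image-bouncer backend. To show what the apiserver and the webhook actually exchange over `/image_policy`, here is an added example of a minimal backend in Go (it is not the kube-image-bouncer code nor Kubernetes' own): it decodes the `imagepolicy.k8s.io/v1alpha1` ImageReview the apiserver POSTs, denies any container image that is untagged or tagged `latest` unless it is pinned by digest, and answers with an ImageReview whose `status.allowed` and `status.reason` the apiserver turns into the Forbidden error shown in step 4. The `-k`/`-c` flags, the `:1323` listen address and the embedded sample request are assumptions chosen to match the setup on this page. Note that with `defaultAllow: true` in the admission configuration the apiserver admits the pod whenever this backend is unreachable, so the backend's availability should be monitored.

```go
package main

import (
	"encoding/json"
	"flag"
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)

// ImageReview is the request/response body the apiserver exchanges with an
// ImagePolicyWebhook backend (API group imagepolicy.k8s.io/v1alpha1).
type ImageReview struct {
	APIVersion string            `json:"apiVersion"`
	Kind       string            `json:"kind"`
	Spec       ImageReviewSpec   `json:"spec"`
	Status     ImageReviewStatus `json:"status"`
}

type ImageReviewSpec struct {
	Containers  []ImageReviewContainerSpec `json:"containers"`
	Annotations map[string]string          `json:"annotations,omitempty"`
	Namespace   string                     `json:"namespace"`
}

type ImageReviewContainerSpec struct {
	Image string `json:"image"`
}

type ImageReviewStatus struct {
	Allowed bool   `json:"allowed"`
	Reason  string `json:"reason,omitempty"`
}

// Constructed sample request, shaped like what the apiserver would send for
// "kubectl run test --image=busybox" (not a captured payload).
const sampleRequest = `{"apiVersion":"imagepolicy.k8s.io/v1alpha1","kind":"ImageReview",
"spec":{"containers":[{"image":"busybox"}],"namespace":"default"}}`

// imageTag returns the tag of an image reference and whether the image is
// pinned by digest. Registry hosts may carry ":port", so only the last path
// component is inspected for a tag.
func imageTag(image string) (tag string, byDigest bool) {
	if strings.Contains(image, "@") {
		return "", true
	}
	last := image[strings.LastIndex(image, "/")+1:]
	if i := strings.LastIndex(last, ":"); i >= 0 {
		return last[i+1:], false
	}
	return "", false
}

// Evaluate applies the policy: every container image must be pinned by digest
// or carry an explicit tag other than "latest". The result is a fresh
// ImageReview carrying only the status, which is all the apiserver reads.
func Evaluate(review ImageReview) ImageReview {
	var denied []string
	for _, c := range review.Spec.Containers {
		tag, byDigest := imageTag(c.Image)
		if !byDigest && (tag == "" || tag == "latest") {
			denied = append(denied, c.Image)
		}
	}
	resp := ImageReview{APIVersion: review.APIVersion, Kind: review.Kind}
	resp.Status = ImageReviewStatus{Allowed: true}
	if len(denied) > 0 {
		resp.Status = ImageReviewStatus{
			Allowed: false,
			Reason:  "Images using latest tag are not allowed: " + strings.Join(denied, ", "),
		}
	}
	return resp
}

// ReviewJSON decodes a request body, evaluates it and encodes the response.
func ReviewJSON(body []byte) ([]byte, error) {
	var review ImageReview
	if err := json.Unmarshal(body, &review); err != nil {
		return nil, err
	}
	return json.Marshal(Evaluate(review))
}

func handleImagePolicy(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	out, err := ReviewJSON(body)
	if err != nil {
		// Malformed ImageReview: reject rather than silently allowing.
		http.Error(w, "bad ImageReview: "+err.Error(), http.StatusBadRequest)
		return
	}
	log.Printf("image_policy decision: %s", out)
	w.Header().Set("Content-Type", "application/json")
	w.Write(out)
}

func main() {
	key := flag.String("k", "/certs/server-key.pem", "TLS private key (assumed path)")
	cert := flag.String("c", "/certs/server.crt", "TLS certificate (assumed path)")
	addr := flag.String("addr", ":1323", "listen address")
	dryRun := flag.Bool("dry-run", false, "evaluate the embedded sample request and exit")
	flag.Parse()
	if *dryRun {
		out, err := ReviewJSON([]byte(sampleRequest))
		if err != nil {
			log.Fatal(err)
		}
		fmt.Println(string(out))
		return
	}
	http.HandleFunc("/image_policy", handleImagePolicy)
	log.Fatal(http.ListenAndServeTLS(*addr, *cert, *key, nil))
}
```

Run it with `-dry-run` to see the denial for the constructed `busybox` request without any certificates; with `-k`/`-c` pointing at the server key and certificate from step 1 it serves the same endpoint the kubeconfig in step 3 references. The kubeconfig's `certificate-authority` must be able to verify the certificate this server presents, which is why the page copies server.crt into the apiserver's pki directory.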

References

Kubernetes image policy webhook explained - Kubernetes, CI/CD, Git, Linux, containers, Golang... and more (techsquad.rocks)

Admission Controllers Reference | Kubernetes