imagePolicyWebhook
imagePolicyWebhook is an admission controller that evaluates the container images in a pod spec. It needs an HTTPS backend service running: the kube-apiserver sends each image review to that service and admits or rejects the pod based on its answer.
【Hands-on practice】
-
Generate an SSL certificate for the webhook
Generate server.csr and server-key.pem
cat <<EOF | cfssl genkey - | cfssljson -bare server
{
  "hosts": [
    "image-bouncer-webhook.default.svc",
    "image-bouncer-webhook.default.svc.cluster.local",
    "image-bouncer-webhook.default.pod.cluster.local",
    "192.0.2.24",
    "10.0.34.2"
  ],
  "CN": "system:node:image-bouncer-webhook.default.pod.cluster.local",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "O": "system:nodes"
    }
  ]
}
EOF
Submit a CertificateSigningRequest to have server.crt issued
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: image-bouncer-webhook.default
spec:
  request: $(cat server.csr | base64 | tr -d '\n')
  signerName: kubernetes.io/kubelet-serving
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF
kubectl certificate approve image-bouncer-webhook.default
root@master01:~# kubectl get csr
NAME                            AGE     SIGNERNAME                      REQUESTOR          REQUESTEDDURATION   CONDITION
image-bouncer-webhook.default   2m12s   kubernetes.io/kubelet-serving   kubernetes-admin   <none>              Approved,Issued
kubectl get csr image-bouncer-webhook.default -o jsonpath='{.status.certificate}' | base64 --decode >server.crt
cp server.crt /etc/kubernetes/kube-image-bouncer/pki/server.crt
chown -R 1000:1000 server*
-
Start the webhook service
echo "127.0.0.1 image-bouncer-webhook.default.svc" >> /etc/hosts
docker run --rm \
  -v `pwd`/server-key.pem:/certs/server-key.pem:ro \
  -v `pwd`/server.crt:/certs/server.crt:ro \
  -p 1323:1323 \
  --network host \
  kainlite/kube-image-bouncer -k /certs/server-key.pem -c /certs/server.crt
-
Add the following flags to the apiserver configuration and restart the apiserver
--admission-control-config-file=/etc/kubernetes/kube-image-bouncer/admission_configuration.yaml
--enable-admission-plugins=ImagePolicyWebhook
# /etc/kubernetes/kube-image-bouncer/admission_configuration.yaml
imagePolicy:
  kubeConfigFile: "/etc/kubernetes/kube-image-bouncer/kube-image-bouncer.yml"
  # time in seconds to cache an approval
  allowTTL: 50
  # time in seconds to cache a denial
  denyTTL: 50
  # time in milliseconds to wait between retries
  retryBackoff: 500
  # behaviour when the webhook backend is unreachable or errors:
  # true fails open (pods are admitted without an image check), false fails closed
  defaultAllow: true
# cat /etc/kubernetes/kube-image-bouncer/kube-image-bouncer.yml
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/kube-image-bouncer/pki/server.crt
    server: https://image-bouncer-webhook.default.svc:1323/image_policy
  name: bouncer_webhook
contexts:
- context:
    cluster: bouncer_webhook
    user: api-server
  name: bouncer_validator
current-context: bouncer_validator
preferences: {}
users:
- name: api-server
  user:
    client-certificate: /etc/kubernetes/pki/apiserver.crt
    client-key: /etc/kubernetes/pki/apiserver.key
-
Functional verification
root@master01:~# kubectl run test --image=busybox
Error from server (Forbidden): pods "test" is forbidden: image policy webhook backend denied one or more images: Images using latest tag are not allowed
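The denial above is the apiserver relaying the webhook backend's answer. What travels between the two is an imagepolicy.k8s.io/v1alpha1 ImageReview object: the apiserver POSTs one with spec.containers[].image filled in, and the backend replies with an ImageReview whose status.allowed (and optional status.reason) decides admission. The following is an added example of a minimal backend implementing that exchange with the same rule the page demonstrates (untagged and "latest" images are denied); it is not kube-image-bouncer's code, and the server port, the /image_policy path and the SAMPLE_REVIEW payload are assumptions chosen to match the page's kubeconfig.

```python
"""Minimal ImagePolicyWebhook backend (added example, not kube-image-bouncer's code).

kube-apiserver POSTs an imagepolicy.k8s.io/v1alpha1 ImageReview over HTTPS and
expects an ImageReview back with status.allowed set. The policy below mirrors the
page's behaviour: "latest" and untagged images (which pull "latest") are denied;
digest-pinned references are allowed because they are immutable.
"""
import json
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

DENY_REASON = "Images using latest tag are not allowed"


def parse_reference(image: str):
    """Split an OCI image reference into (name, tag, digest).

    A ':' only counts as the tag separator when it comes after the last '/',
    so registries with ports ("reg.example.com:5000/app") are handled.
    """
    name, _, digest = image.partition("@")
    tag = None
    colon = name.rfind(":")
    if colon > name.rfind("/"):
        name, tag = name[:colon], name[colon + 1:]
    return name, tag, digest or None


def evaluate_image(image: str):
    """Return (allowed, reason) for a single image reference."""
    _, tag, digest = parse_reference(image)
    if digest:
        return True, ""
    if tag is None or tag == "latest":
        return False, DENY_REASON
    return True, ""


def review(image_review: dict) -> dict:
    """Build the ImageReview response the apiserver expects for one request."""
    containers = image_review.get("spec", {}).get("containers", [])
    denied = []
    for container in containers:
        image = container.get("image", "")
        allowed, reason = evaluate_image(image)
        if not allowed:
            denied.append(f"{image}: {reason}")
    return {
        "apiVersion": "imagepolicy.k8s.io/v1alpha1",
        "kind": "ImageReview",
        "status": {"allowed": not denied, "reason": "; ".join(denied)},
    }


class ImagePolicyHandler(BaseHTTPRequestHandler):
    """Serves the /image_policy path the page's kubeconfig points at."""

    def do_POST(self):
        if self.path != "/image_policy":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        payload = json.dumps(review(body)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


def serve(certfile: str, keyfile: str, port: int = 1323):
    """Serve over TLS with the server.crt/server-key.pem produced by the CSR flow."""
    httpd = HTTPServer(("0.0.0.0", port), ImagePolicyHandler)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


# Constructed sample request, shaped like what kube-apiserver sends.
SAMPLE_REVIEW = {
    "apiVersion": "imagepolicy.k8s.io/v1alpha1",
    "kind": "ImageReview",
    "spec": {
        "containers": [{"image": "busybox"}, {"image": "nginx:1.25"}],
        "namespace": "default",
    },
}

if __name__ == "__main__":
    # Evaluate the sample offline; run serve("server.crt", "server-key.pem")
    # to expose it on the port from the page's kubeconfig.
    print(json.dumps(review(SAMPLE_REVIEW), indent=2))
```

Run without arguments it prints the denial for the busybox container in SAMPLE_REVIEW; pointing the kubeconfig's server URL at serve() gives the same "image policy webhook backend denied" error shown above. Together with defaultAllow in admission_configuration.yaml, the status.allowed field is the whole decision surface, so the backend should also log every request it denies or fails to parse.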
References
Kubernetes image policy webhook explained - Kubernetes, CI/CD, Git, Linux, containers, Golang... and more (techsquad.rocks)
Admission Controllers Reference | Kubernetes