imagepolicywebhook

imagePolicyWebhook

imagePolicyWebhook是一個評估image的准入控制器。需要啟動一個https的服務來執行該動作

【功能實踐】

1. 為webhook 生成ssl 證書

   生成server.csr 和 server-key.pem

   cat <<EOF | cfssl genkey - | cfssljson -bare server
   {
     "hosts": [
       "image-bouncer-webhook.default.svc",
       "image-bouncer-webhook.default.svc.cluster.local",
       "image-bouncer-webhook.default.pod.cluster.local",
       "192.0.2.24",
       "10.0.34.2"
     ],
     "CN": "system:node:image-bouncer-webhook.default.pod.cluster.local",
     "key": {
       "algo": "ecdsa",
       "size": 256
     },
     "names": [
       {
         "O": "system:nodes"
       }
     ]
   }
   EOF
   

   提交CertificateSigningRequest 請求生成server.crt

   cat <<EOF | kubectl apply -f -
   apiVersion: certificates.k8s.io/v1
   kind: CertificateSigningRequest
   metadata:
     name: image-bouncer-webhook.default
   spec:
     request: $(cat server.csr | base64 | tr -d '\n')
     signerName: kubernetes.io/kubelet-serving
     usages:
     - digital signature
     - key encipherment
     - server auth
   EOF
   

   kubectl certificate approve image-bouncer-webhook.default
   

   root@master01:~# kubectl get csr 
   NAME                            AGE     SIGNERNAME                      REQUESTOR          REQUESTEDDURATION   CONDITION
   image-bouncer-webhook.default   2m12s   kubernetes.io/kubelet-serving   kubernetes-admin   <none>              Approved,Issued
   

   kubectl get csr image-bouncer-webhook.default -o jsonpath='{.status.certificate}' | base64 --decode >server.crt
   

   cp server.crt /etc/kubernetes/kube-image-bouncer/pki/server.crt
   

   chown -R 1000:1000 server*
   

2. 啟動webhook服務

   echo "127.0.0.1 image-bouncer-webhook.default.svc" >> /etc/hosts
   

   docker run --rm \
   -v `pwd`/server-key.pem:/certs/server-key.pem:ro 、
   -v `pwd`/server.crt:/certs/server.crt:ro 、
   -p 1323:1323 \
   --network host \
   kainlite/kube-image-bouncer -k /certs/server-key.pem -c /certs/server.crt
   

3. 修改apiserver配置檔案,並重啟apiserver

   --admission-control-config-file=/etc/kubernetes/kube-image-bouncer/admission_configuration.yaml
   --enable-admission-plugins=ImagePolicyWebhook
   

   # /etc/kubernetes/kube-image-bouncer/admission_configuration.yaml
   
   imagePolicy:
     kubeConfigFile: "/etc/kubernetes/kube-image-bouncer/kube-image-bouncer.yml"
     # 以秒計的時長，控制批准請求的快取時間
     allowTTL: 50
     # 以秒計的時長，控制拒絕請求的快取時間
     denyTTL: 50
     # 以毫秒計的時長，控制重試間隔
     retryBackoff: 500
     # 確定 Webhook 後端失效時的行為
     defaultAllow: true
   

   # cat /etc/kubernetes/kube-image-bouncer/kube-image-bouncer.yml
   apiVersion: v1
   kind: Config
   clusters:
   - cluster:
       certificate-authority: /etc/kubernetes/kube-image-bouncer/pki/server.crt
       server: https://image-bouncer-webhook.default.svc:1323/image_policy
     name: bouncer_webhook
   contexts:
   - context:
       cluster: bouncer_webhook
       user: api-server
     name: bouncer_validator
   current-context: bouncer_validator
   preferences: {}
   users:
   - name: api-server
     user:
       client-certificate: /etc/kubernetes/pki/apiserver.crt
       client-key:  /etc/kubernetes/pki/apiserver.key
   

4. 功能驗證

   root@master01:~# kubectl run test --image=busybox
   Error from server (Forbidden): pods "test" is forbidden: image policy webhook backend denied one or more images: Images using latest tag are not allowed
   

參考

Kubernetes 映象策略 webhook 解釋 - Kubernetes、CI/CD、Git、Linux、容器、Golang...和更多 (techsquad.rocks)

准入控制器參考 | Kubernetes