Skip to content
/ kir Public

a tool to make review of container's image used in Kubernetes PODs

License

Apache-2.0 license
3 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

tczekajlo/kir

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
api/v1
api/v1
 
 
cmd
cmd
 
 
config
config
 
 
etcd
etcd
 
 
examples
examples
 
 
pb
pb
 
 
policy
policy
 
 
testdata
testdata
 
 
types
types
 
 
utils
utils
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
glide.lock
glide.lock
 
 
glide.yaml
glide.yaml
 
 
main.go
main.go
 
 

Repository files navigation

KIR

The KIR (Kubernetes Image Reviewer) is a tool to makes review of container's image used in PODs.

Requirements

  • etcdv3

Configuration

Kubernetes

You can find here details information how looks ImagePolicyWebhook configuration for Kubernetes. As server endpoint, you have to use /api/v1/review path.

KIR

In order to a configuration, you can use configuration file or flags. You can find here an example of the configuration file.

Kubernetes' ImagePolicyWebhook requires HTTPS. Below an example how to run the server with enabled TLS configuration.

:~# kir server --tls-enabled --tls-key-file=apiserver.key --tls-cert-file=apiserver.crt --tls-require-and-verify-client-cert --tls-cacert-file=ca.crt 
 __  ___  __  .______      
|  |/  / |  | |   _  \     
|  '  /  |  | |  |_)  |    
|    <   |  | |      /     
|  .  \  |  | |  |\  \---.
|__|\__\ |__| | _| ._____| 

2017-05-14 09:18:32.901041 I | 12517 :8080

Examples of usage

Add new rule

In this example, we add the rule which says that all images which are matched to ^httpd:2.2.*$ or ^nginx$ regex will be banned.

:~# kir add --image ^httpd:2.2.*$,^nginx$ --name banned --namespace ^default$ --reason "I don't like this images"

# Show rules
:~# kir get banned
    NAME     NAMESPACE          IMAGE                           ANNOTATIONS                    ALLOWED  
 ---------- ----------- ---------------------- ---------------------------------------------- --------- 
  banned     ^default$   ^httpd:2.2.*$          none=none                                      false    
                         ^nginx$

You can add a rule from file as well, e.g. kir add -f examples/rules/banned.yaml. In the case when a rule already exists and you want to override existing one you can use --override flag.

Now, every container which uses nginx image will be banned. Below the example.

:~# kubectl get rs nginx-2371676037
Name:       nginx-2371676037
Namespace:  default
Image(s):   nginx
Selector:   pod-template-hash=2371676037,run=nginx
Labels:     pod-template-hash=2371676037
        run=nginx
Replicas:   0 current / 1 desired
Pods Status:    0 Running / 0 Waiting / 0 Succeeded / 0 Failed
No volumes.
Events:
  FirstSeen LastSeen    Count   From                SubObjectPath   Type        Reason      Message
  --------- --------    -----   ----                -------------   --------    ------      -------
  23s       2s      13  {replicaset-controller }            Warning     FailedCreate    Error creating: pods "nginx-2371676037-" is forbidden: image policy webook backend denied one or more images: I don't like this images

Show details of rule

In order to get information for the rule, you can use kir get rule_name command or display information as YAML (kir get rule_name -o yaml). Keep in mind that reason field is only available in YAML output.

About

a tool to make review of container's image used in Kubernetes PODs

Resources

Readme

License

Apache-2.0 license
Activity

Stars

3 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages