
Readonly rootFS validation, cluster scanner mode

@Flektoma Flektoma released this 22 Aug 11:49
3e96db1

New validation option --rule-security-readonly-rootfs-required

If you want to enforce the readOnlyRootFilesystem property globally while still allowing some containers that require a writable root filesystem, those containers can be whitelisted using annotations.
To do that you need to:

  • Allow whitelisting of containers for this rule with the --rule-security-readonly-rootfs-required-whitelist-enabled option
  • Provide the annotation admission.validation.avast.com/readonly-rootfs-containers-whitelist at Pod level (the prefix can be changed with the --annotations-prefix option)
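As an added example, not the project's own code: a stand-alone Go reimplementation of the rule described above, showing how the three options interact when a Pod is checked. It assumes that the annotation value is a comma-separated list of container names and that the --annotations-prefix value is joined to the annotation name with a slash (both assumptions, not stated in the release notes). The types, function names and the sample Pod manifest are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal subset of the Pod schema needed for this check (hypothetical types, not the project's own).
type SecurityContext struct {
	ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty"`
}

type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

type Pod struct {
	Metadata struct {
		Name        string            `json:"name"`
		Annotations map[string]string `json:"annotations,omitempty"`
	} `json:"metadata"`
	Spec struct {
		Containers []Container `json:"containers"`
	} `json:"spec"`
}

// Options mirrors the three command-line flags named in the release notes.
type Options struct {
	ReadonlyRootfsRequired bool   // --rule-security-readonly-rootfs-required
	WhitelistEnabled       bool   // --rule-security-readonly-rootfs-required-whitelist-enabled
	AnnotationsPrefix      string // --annotations-prefix
}

// Assumption: prefix + "/" + this suffix forms the whitelist annotation key.
const whitelistAnnotationSuffix = "/readonly-rootfs-containers-whitelist"

// whitelistedContainers returns the container names listed in the whitelist annotation.
// Assumption: the annotation value is a comma-separated list of container names.
// Without the whitelist option the annotation is ignored, so it cannot bypass the rule.
func whitelistedContainers(pod *Pod, opts Options) map[string]bool {
	out := map[string]bool{}
	if !opts.WhitelistEnabled {
		return out
	}
	raw, ok := pod.Metadata.Annotations[opts.AnnotationsPrefix+whitelistAnnotationSuffix]
	if !ok {
		return out
	}
	for _, name := range strings.Split(raw, ",") {
		if n := strings.TrimSpace(name); n != "" {
			out[n] = true
		}
	}
	return out
}

// ValidateReadonlyRootfs returns one violation per container that does not set
// securityContext.readOnlyRootFilesystem to true and is not whitelisted.
// An unset field counts as a violation: the default root filesystem is writable.
func ValidateReadonlyRootfs(pod *Pod, opts Options) []string {
	if !opts.ReadonlyRootfsRequired {
		return nil
	}
	wl := whitelistedContainers(pod, opts)
	var violations []string
	for _, c := range pod.Spec.Containers {
		ro := c.SecurityContext != nil &&
			c.SecurityContext.ReadOnlyRootFilesystem != nil &&
			*c.SecurityContext.ReadOnlyRootFilesystem
		if ro || wl[c.Name] {
			continue
		}
		violations = append(violations, fmt.Sprintf(
			"pod %s: container %q must set securityContext.readOnlyRootFilesystem=true (or be whitelisted)",
			pod.Metadata.Name, c.Name))
	}
	return violations
}

// ValidateJSON parses a Pod manifest in JSON form and applies the rule.
func ValidateJSON(manifest []byte, opts Options) ([]string, error) {
	var pod Pod
	if err := json.Unmarshal(manifest, &pod); err != nil {
		return nil, err
	}
	return ValidateReadonlyRootfs(&pod, opts), nil
}

// SamplePod is a constructed manifest: "app" is compliant, "sidecar" is whitelisted, "legacy" violates.
const SamplePod = `{
  "metadata": {
    "name": "demo",
    "annotations": {"admission.validation.avast.com/readonly-rootfs-containers-whitelist": "sidecar"}
  },
  "spec": {
    "containers": [
      {"name": "app", "securityContext": {"readOnlyRootFilesystem": true}},
      {"name": "sidecar"},
      {"name": "legacy", "securityContext": {"readOnlyRootFilesystem": false}}
    ]
  }
}`

func main() {
	opts := Options{ReadonlyRootfsRequired: true, WhitelistEnabled: true, AnnotationsPrefix: "admission.validation.avast.com"}
	violations, err := ValidateJSON([]byte(SamplePod), opts)
	if err != nil {
		panic(err)
	}
	for _, v := range violations {
		fmt.Println(v) // only the "legacy" container is reported
	}
}
```

With the whitelist option switched off, the same manifest yields two violations ("sidecar" and "legacy"), which is the behaviour to expect when the annotation is present but whitelisting has not been enabled on the webhook.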

On-demand outside of cluster scan

This tool also provides a function to scan the cluster (based on the current context from ~/.kube/config) for objects that violate the given rules.

Usage:

  • Build the binary with make build-binary
  • Run ./k8s-admission-webhook scanner [options]