Commit
add support for kubernetes validating admission webhook
* add support for validating admission webhook
* unit tests for validating admission webhook
* refactor to move db logger into a separate dedicated package
* refactor validate handler to move specific functionality into webhook package
* fixing code smells and bugs in UI
* fixing html file bugs
* update documentation and fix documentation bullets
* serving the CSS locally instead of fetching from internet and go mod tidy
* fix: admission request is saved in db logs
* incorporate review comments
1 parent 114222a, commit dcfbd54
Showing 52 changed files with 8,639 additions and 26 deletions.
@@ -30,4 +30,4 @@ docs/_build/ | |
|
||
.DS_Store | ||
|
||
vendor/ | ||
vendor/ |
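Review bot: the +/- markers of this hunk in what appears to be the .gitignore (context `docs/_build/`) were lost in rendering, so the change itself is not reviewable from this view: `vendor/` appears twice in a 4-line to 4-line hunk, which looks like a trailing-newline fix on the `vendor/` entry. If that is the case, mention it in the commit message, which currently lists no .gitignore change.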
docs/getting-started/admission-controller-webhooks-usage.md (104 additions, 0 deletions)
@@ -0,0 +1,104 @@ | ||
# Using Terrascan as a Kubernetes Admission Controller | ||
|
||
## Overview | ||
Terrascan can be integrated with K8s [admissions webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/). | ||
It can be used as one of the validating webhooks to be used and scan new configurations. | ||
|
||
In this guide, we'll demonstrate how Terrascan can be configured to: | ||
* Scan configuration changes policies when an object is being created or updated | ||
* Allow / reject the request in case a violation is detected | ||
|
||
|
||
## Installation Guide | ||
|
||
### Create an instance | ||
Your Terrascan instance has the following requirements for being able to scan K8s configurations. | ||
|
||
1. Be accessible via HTTPS. Make sure your cloud firewall is configured to allow this. | ||
2. Have a valid SSL certificate for the served domain name. To do that, choose one of our suggested methods: | ||
- Use a subdomain of your choosing (e.g dev-terrascan-k8s.accurics.com) and create a valid certificate for this subdomain through your SSL certificate provider. [Let's Encrypt](https://letsencrypt.org/) is a free, simple to use certificate authority you can use. | ||
- Use a reverse-proxy to serve SSL requests; for example, use Cloudflare Flexible to get a certificate by a trusted-CA to your [self-signed certificate](https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs). | ||
- Generate a self-signed certificate and have your K8s cluster trust it. To add a trusted CA to ca-pemstore, as demonstrated in [paraspatidar's blog post](https://medium.com/@paraspatidar/add-ssl-tls-certificate-or-pem-file-to-kubernetes-pod-s-trusted-root-ca-store-7bed5cd683d). | ||
3. Use the Terrascan docker as demonstrated in this document, or run it from the sources. | ||
|
||
### Run Terrascan webhook service | ||
Run Terrascan docker image in your server using the following command: | ||
```bash | ||
sudo docker run -p 443:9443 -v <DATA_PATH>:/data -u root -e K8S_WEBHOOK_API_KEY=<API_KEY> accurics/terrascan server --cert-path /data/cert.pem --key-path /data/key.pem -c /data/config.toml | ||
``` | ||
`<API_KEY>` is a key used for authentication between your K8s environment and the Terrascan server. Generate your preferred key and use it here. | ||
|
||
`<DATA_PATH>` is a directory path in your server where both the certificate and the private key .pem files are stored. | ||
In addition, this directory is used to save the webhook logs. (An SQLite file) | ||
|
||
You can specify a config file that specifies which policies to use in the scan and which violations should lead to rejection. | ||
|
||
A config file example: ```config.toml``` | ||
```bash | ||
[severity] | ||
level = "medium" | ||
[rules] | ||
skip-rules = [ | ||
"accurics.kubernetes.IAM.107" | ||
] | ||
|
||
[k8s-deny-rules] | ||
denied-categories = [ | ||
"Network Ports Security" | ||
] | ||
denied-severity = "high" | ||
``` | ||
|
||
You can specify the following configurations: | ||
* **scan-rules** - one or more rules to scan | ||
* **skip-rules** - one or more rules to skip while scanning | ||
* **severity** - the minimal level of severity of the policies to be scanned | ||
* **category** - the list of type of categories of the policies to be scanned | ||
|
||
|
||
* **k8s-deny-rules** - specify the rules that should cause a rejection of the admission request | ||
* **denied-categories** - one or more policy categories that are not allowed in the detected violations | ||
* **denied-severity** - the minimal level of severity that should cause a rejection | ||
|
||
### Configure K8s to send webhooks | ||
Configure a new ```ValidatingWebhookConfiguration``` in your Kubernetes environment and specify your Terrascan server endpoint. | ||
|
||
Example: | ||
```bash | ||
cat <<EOF | kubectl apply -f - | ||
apiVersion: admissionregistration.k8s.io/v1 | ||
kind: ValidatingWebhookConfiguration | ||
metadata: | ||
name: my.validation.example.check | ||
webhooks: | ||
- name: my.validation.example.check | ||
rules: | ||
- apiGroups: | ||
- "" | ||
apiVersions: | ||
- v1 | ||
operations: | ||
- CREATE | ||
- UPDATE | ||
resources: | ||
- pods | ||
- services | ||
failurePolicy: Fail | ||
clientConfig: | ||
url: https://<SERVER_ADDRESS>/v1/k8s/webhooks/<API_KEY>/scan | ||
sideEffects: None | ||
admissionReviewVersions: ["v1"] | ||
EOF | ||
``` | ||
* You can modify the `rules` that trigger the webhook according to your preferences. | ||
* Update the ```clientConfig``` URL with your terrascan server address and the API key you generated before. | ||
### Test your settings | ||
Try to run a new pod / service. For example: | ||
``` Bash | ||
kubectl run mynginx --image=nginx | ||
``` | ||
Go to ```https://<SERVER_ADDRESS>/k8s/webhooks/<API_KEY>/logs``` and verify your request is logged. |
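Review bot: the logs URL in the "Test your settings" section (`https://<SERVER_ADDRESS>/k8s/webhooks/<API_KEY>/logs`) drops the `/v1` prefix that the scan URL in `clientConfig` uses (`https://<SERVER_ADDRESS>/v1/k8s/webhooks/<API_KEY>/scan`); confirm which path the server actually serves and make the two consistent. Because `<API_KEY>` is a path segment in both URLs, it will be recorded in reverse-proxy and server access logs and in browser history when the logs page is opened; the doc should say so and advise rotating the key and restricting who can reach the logs endpoint. Under "Create an instance", option 3 (self-signed certificate) links to a guide for adding a CA to a pod's trust store, but it is the API server that has to trust the webhook's certificate; with a `url:`-based `clientConfig` that is done through `clientConfig.caBundle`, which the example omits, so either add it to the example or point readers at it. Minor: the `config.toml` example is fenced as ```bash (use `toml`), the `kubectl run` block is fenced as "``` Bash" (use `bash`), and "Scan configuration changes policies" in the Overview reads oddly (likely "Scan configuration changes against policies").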
@@ -0,0 +1,107 @@ | ||
/* | ||
* JSON Tree Viewer | ||
* http://github.com/summerstyle/jsonTreeViewer | ||
* | ||
* Copyright 2017 Vera Lobacheva (http://iamvera.com) | ||
* Released under the MIT license (LICENSE.txt) | ||
*/ | ||
|
||
/* Background for the tree. May use for <body> element */ | ||
.jsontree_bg { | ||
background: #FFF; | ||
} | ||
|
||
/* Styles for the container of the tree (e.g. fonts, margins etc.) */ | ||
.jsontree_tree { | ||
/*margin-left: 30px;*/ | ||
font-family: 'PT Mono', monospace; | ||
font-size: 14px; | ||
} | ||
|
||
/* Styles for a list of child nodes */ | ||
.jsontree_child-nodes { | ||
display: none; | ||
margin-left: 35px; | ||
margin-bottom: 5px; | ||
line-height: 2; | ||
} | ||
.jsontree_node_expanded > .jsontree_value-wrapper > .jsontree_value > .jsontree_child-nodes { | ||
display: block; | ||
} | ||
|
||
/* Styles for labels */ | ||
.jsontree_label-wrapper { | ||
float: left; | ||
margin-right: 8px; | ||
} | ||
.jsontree_label { | ||
font-weight: normal; | ||
vertical-align: top; | ||
color: #000; | ||
position: relative; | ||
padding: 1px; | ||
border-radius: 4px; | ||
cursor: default; | ||
} | ||
.jsontree_node_marked > .jsontree_label-wrapper > .jsontree_label { | ||
background: #fff2aa; | ||
} | ||
|
||
/* Styles for values */ | ||
.jsontree_value-wrapper { | ||
display: block; | ||
/*overflow: hidden;*/ | ||
} | ||
.jsontree_node_complex > .jsontree_value-wrapper { | ||
overflow: inherit; | ||
} | ||
.jsontree_value { | ||
vertical-align: top; | ||
display: inline; | ||
} | ||
.jsontree_value_null { | ||
color: #777; | ||
font-weight: bold; | ||
} | ||
.jsontree_value_string { | ||
color: #025900; | ||
font-weight: bold; | ||
} | ||
.jsontree_value_number { | ||
color: #000E59; | ||
font-weight: bold; | ||
} | ||
.jsontree_value_boolean { | ||
color: #600100; | ||
font-weight: bold; | ||
} | ||
|
||
/* Styles for active elements */ | ||
.jsontree_expand-button { | ||
position: absolute; | ||
top: 3px; | ||
left: -15px; | ||
display: block; | ||
width: 11px; | ||
height: 11px; | ||
background-image: url('icons.svg'); | ||
} | ||
.jsontree_node_expanded > .jsontree_label-wrapper > .jsontree_label > .jsontree_expand-button { | ||
background-position: 0 -11px; | ||
} | ||
.jsontree_show-more { | ||
cursor: pointer; | ||
} | ||
.jsontree_node_expanded > .jsontree_value-wrapper > .jsontree_value > .jsontree_show-more { | ||
display: none; | ||
} | ||
.jsontree_node_empty > .jsontree_label-wrapper > .jsontree_label > .jsontree_expand-button, | ||
.jsontree_node_empty > .jsontree_value-wrapper > .jsontree_value > .jsontree_show-more { | ||
display: none !important; | ||
} | ||
.jsontree_node_complex > .jsontree_label-wrapper > .jsontree_label { | ||
cursor: pointer; | ||
} | ||
.jsontree_node_empty > .jsontree_label-wrapper > .jsontree_label { | ||
cursor: default !important; | ||
} |
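Review bot: this hunk vendors a third-party stylesheet (`Copyright 2017 Vera Lobacheva`, `Released under the MIT license (LICENSE.txt)`); make sure that LICENSE.txt is added alongside it, since the MIT license requires the notice to accompany the code, and that `icons.svg`, referenced by `background-image: url('icons.svg')` in `.jsontree_expand-button`, is also served locally. The commit message says the CSS is now served locally instead of being fetched from the internet, so without that asset the expand/collapse icons will be missing.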