controlplaneio / kubesec-webhook
Security risk analysis for Kubernetes resources
Home Page: https://kubesec.io
License: MIT License
Create a Helm chart and modify gen-certs.sh to generate the cert and CA Bundle inside the chart root without creating the webhook YAMLs.
It will be useful to print the scan result in the webhook logs and in the output of kubectl apply.
The current output is not helpful for analysis:
webhook debug log
kubectl logs kubesec-webhook-576994f77f-g9jfk -n kubesec -f
2019/09/12 01:11:44 [INFO] webhooks listening on :8080...
2019/09/12 01:11:44 [INFO] metrics listening on :8081...
2019/09/12 01:12:08 [DEBUG] reviewing request 5791fc9c-d4fa-11e9-9336-f213d8fe6e28, named: pd-test/
2019/09/12 01:12:08 [INFO] Scanning deployment deployment-test
kubectl output
$ kubectl apply -f ./test/deployment.yaml -n pd-test
Error from server (InternalError): error when creating "./test/deployment.yaml": Internal error occurred: admission webhook "deployment.admission.kubesc.io" denied the request: deployment-test score is -30, deployment minimum accepted score is 0
Issue when deploying to Kubernetes 1.19:
x509: certificate relies on legacy Common Name field, use SANs
This is due to Kubernetes updating to GoLang 1.15: https://kubernetes.io/docs/setup/release/notes/#api-change
Kubernetes is now built with golang 1.15.0-rc.1.
The deprecated, legacy behavior of treating the CommonName field on X.509 serving certificates as a host name when no Subject Alternative Names are present is now disabled by default. It can be temporarily re-enabled by adding the value x509ignoreCN=0 to the GODEBUG environment variable. (#93264, @justaugustus) [SIG API Machinery, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Scalability, Storage and Testing]
Kubesec-webhook is still stable in prior versions of Kubernetes.
Remove hardcoded certificate details from the Helm chart; this can be achieved using genSignedCert.
The kubesec-webhook container image referenced in the Deployment YAML file has not been updated in a long time and is not managed by ControlPlane.
There isn't a lot of new code to test in comparison with kubesec, but we should have a minimum set of tests to make sure sending a request to the webhook is working as expected.
make deploy is resulting in the following error. This was attempted on an on-prem Kubernetes cluster running version 1.23.7:
make deploy
kubectl create namespace kubesec
namespace/kubesec created
kubectl apply -f ./deploy/
deployment.apps/kubesec-webhook created
service/kubesec-webhook created
error: resource mapping not found for name: "kubesec-webhook" namespace: "" from "deploy/webhook-registration.yaml": no matches for kind "MutatingWebhookConfiguration" in version "admissionregistration.k8s.io/v1beta1"
ensure CRDs are installed first
make: *** [Makefile:27: deploy] Error 1
There is currently no CI running for PRs and for releasing new images.
Should I use all for the implementation, or is "helm" enough to create and configure everything? I still get the X509 certs error. I'm using CRI-O, by the way, but I ran the cert generator script on a Docker server, then copied the directory to my CRI-O cluster.
Thank you,
This will allow us to use Admission reviews v1 and, optionally in the future, OpenTelemetry tracing.
Move to use kubesec v2 as a library (not just sending requests to the hosted v2 api)
The documentation around this project is a bit out of date and needs updating and further fleshing out
Post to Slack the scan result including Kubesec advice using the same format as the kubectl plugin
Hi, nice work :)
It would be nice to have a matchLabel to ignore a deployment