jicowan / ecr-validation-webhook

A serverless validation webhook that rejects pods with images pulled from ECR with critical vulnerabilities

ECR Validation Webhook

The ECR validation webhook is an example of a serverless admission controller for Kubernetes. Dynamic admission controllers such as mutating and validating webhooks are often run within the cluster, but this is not required. The ValidatingWebhookConfiguration spec includes a URL field that lets you reference an arbitrary URL so long as it begins with "https://". This flexibility allows you to run your webhook as an HTTP API endpoint backed by an AWS Lambda function.

This particular project runs a validation webhook that inspects the images referenced in pods. If an image is being pulled from an ECR registry, the webhook calls the DescribeImageScanFindings API to see whether the referenced image has critical vulnerabilities. When it finds any, the webhook responds with False, which tells the API server to reject the request. It also returns a message listing the CVEs for the vulnerabilities discovered. These appear as events within Kubernetes.
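The flow described above, as an added example in Python (the repository's language) that is not the project's own code: it parses the AdmissionReview sent by the API server, picks out the images that point at a private ECR registry, asks a lookup function for the CRITICAL findings of each, and answers with allowed false plus a message naming the CVEs. The function names (parse_ecr_image, pod_images, ecr_critical_cves, evaluate_admission_review, lambda_handler), the SAMPLE_REVIEW request, the stub lookup and the CVE identifiers in it are all constructed for the illustration. The live lookup uses the real boto3 call ECR.Client.describe_image_scan_findings and assumes basic (not enhanced) scanning, whose findings sit under imageScanFindings.findings; it is only invoked from the Lambda entry point, so the module runs offline with the stub. The choice to deny when no completed scan exists is this example's assumption, not something the page states.

```python
"""Serverless ECR validation webhook, illustration only (not the repo's code)."""
import json
import re
from typing import Callable, Dict, List, Optional

# Private ECR reference: <account>.dkr.ecr.<region>.amazonaws.com/<repo>[:tag][@digest]
ECR_IMAGE_RE = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr(?:-fips)?\.(?P<region>[a-z0-9-]+)\.amazonaws\.com(?:\.cn)?/"
    r"(?P<repo>[^:@]+)(?::(?P<tag>[\w.-]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_ecr_image(image: str) -> Optional[Dict[str, str]]:
    """Return the parts of a private ECR image reference, or None for any other registry."""
    m = ECR_IMAGE_RE.match(image)
    if not m:
        return None
    parts = m.groupdict()
    if not parts["tag"] and not parts["digest"]:
        parts["tag"] = "latest"  # Kubernetes resolves an untagged reference to :latest
    return parts


def pod_images(pod: dict) -> List[str]:
    """Collect every image a pod spec references, init and ephemeral containers included."""
    spec = pod.get("spec", {})
    images: List[str] = []
    for key in ("initContainers", "containers", "ephemeralContainers"):
        images.extend(c["image"] for c in spec.get(key, []) if "image" in c)
    return images


def ecr_critical_cves(parts: Dict[str, str]) -> List[str]:
    """Live lookup through DescribeImageScanFindings; used only inside Lambda."""
    import boto3  # imported lazily so the module loads without the AWS SDK
    client = boto3.client("ecr", region_name=parts["region"])
    image_id = {"imageDigest": parts["digest"]} if parts["digest"] else {"imageTag": parts["tag"]}
    kwargs = {"registryId": parts["account"], "repositoryName": parts["repo"], "imageId": image_id}
    cves: List[str] = []
    while True:  # follow nextToken so findings past the first page are not missed
        resp = client.describe_image_scan_findings(**kwargs)
        status = resp.get("imageScanStatus", {}).get("status")
        if status != "COMPLETE":
            raise LookupError(f"scan status for {parts['repo']} is {status}")
        for finding in resp.get("imageScanFindings", {}).get("findings", []):
            if finding.get("severity") == "CRITICAL":
                cves.append(finding["name"])
        if "nextToken" not in resp:
            return sorted(set(cves))
        kwargs["nextToken"] = resp["nextToken"]


def evaluate_admission_review(review: dict,
                              lookup: Callable[[Dict[str, str]], List[str]]) -> dict:
    """Build the AdmissionReview response: deny when any ECR image has CRITICAL findings."""
    request = review["request"]
    problems: List[str] = []
    for image in pod_images(request["object"]):
        parts = parse_ecr_image(image)
        if parts is None:
            continue  # not a private ECR image; this webhook does not judge it
        try:
            cves = lookup(parts)
        except Exception as exc:  # assumption: fail closed when findings are unavailable
            problems.append(f"{image}: scan findings unavailable ({exc})")
            continue
        if cves:
            problems.append(f"{image}: critical vulnerabilities {', '.join(cves)}")
    response: dict = {"uid": request["uid"], "allowed": not problems}
    if problems:
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": review.get("apiVersion", "admission.k8s.io/v1"),
            "kind": "AdmissionReview", "response": response}


def lambda_handler(event: dict, context=None) -> dict:
    """API Gateway proxy entry point; the webhook's https:// URL points here."""
    review = json.loads(event["body"])
    body = evaluate_admission_review(review, ecr_critical_cves)
    return {"statusCode": 200, "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body)}


# Constructed sample request and stub findings for an offline run.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "constructed-uid-0001",
        "object": {"kind": "Pod", "spec": {"containers": [
            {"name": "app", "image": "111122223333.dkr.ecr.us-west-2.amazonaws.com/team/app:1.4.2"},
            {"name": "sidecar", "image": "public.ecr.aws/nginx/nginx:1.25"},
        ]}},
    },
}
STUB_FINDINGS = {"team/app": ["CVE-1111-0001", "CVE-1111-0002"]}  # constructed, not real CVEs


def stub_lookup(parts: Dict[str, str]) -> List[str]:
    """Offline stand-in for ecr_critical_cves()."""
    return STUB_FINDINGS.get(parts["repo"], [])


if __name__ == "__main__":
    print(json.dumps(evaluate_admission_review(SAMPLE_REVIEW, stub_lookup), indent=2))
```

Running the module denies the sample pod and the message names both constructed CVEs; the public.ecr.aws sidecar is skipped because DescribeImageScanFindings only covers private registries. Whether an image whose scan has not completed should be denied or allowed is a policy decision for the cluster operator; the example fails closed, which is the safer default for a control whose purpose is to keep critically vulnerable images out.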

Languages

Language:Python 100.0%