Kubernetes admission webhook to enforce pulling of Docker images from a private registry.
Kubenab is a Kubernetes admission webhook that enforces pulling Docker images from a private registry.
Requires Kubernetes 1.12.0 or above with the admissionregistration.k8s.io/v1beta1 API enabled. Verify that with the following command:
kubectl api-versions | grep admissionregistration.k8s.io/v1beta1
The result should be:
admissionregistration.k8s.io/v1beta1
In addition, the MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controllers should be added and listed in the correct order in the admission-control flag of kube-apiserver.
# Build docker image
docker build -t my-registry/kubenab:0.3.3 .
# Push it to Docker Registry
docker push my-registry/kubenab:0.3.3
# Create a Docker registry secret called 'regsecret'
kubectl create secret docker-registry regsecret --docker-server=${DOCKER_REGISTRY} --docker-username=${DOCKER_USER} --docker-password=${DOCKER_PASS} --docker-email=${DOCKER_EMAIL}
Note: Create the Docker registry secret in each non-whitelisted namespace.
./tls/gen-cert.sh
./webhook/webhook-patch-ca-bundle.sh
Note: You can skip this step and install the Helm chart with TLS certificates generated by cert-manager.
# Run deployment
kubectl create -f deployment/kubenab-deployment.yaml
# Create service
kubectl create -f deployment/kubenab-svc.yaml
helm install --name kubenab --set docker.registrySecret=regsecret,docker.registryUrl=jfrog,whitelistNamespaces="kube-system,default",whitelistRegistries="jfrog",tls.secretName=kubenab-certs chart/kubenab/
MutatingAdmissionWebhook and ValidatingAdmissionWebhook
Note: Replace ${CA_BUNDLE} with the value generated by running ./webhook/webhook-patch-ca-bundle.sh
# Configure MutatingAdmissionWebhook
kubectl create -f webhook/kubenab-mutating-webhook-configuration.yaml
Note: Use MutatingAdmissionWebhook only if you want to enforce pulling of Docker images from a private Docker registry, e.g. JFrog Artifactory.
If your container image is nginx, Kubenab will prefix it with REGISTRY_URL, e.g. nginx will become jfrog/nginx.
# Configure ValidatingAdmissionWebhook
kubectl create -f webhook/kubenab-validating-webhook-configuration.yaml
Note: Use ValidatingAdmissionWebhook only if you want to verify that Docker images are pulled from the private Docker registry, e.g. JFrog Artifactory.
If your container image does not contain REGISTRY_URL, Kubenab will deny the request to run that pod.
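The two behaviours described in the notes above, as an added Go example that is not kubenab's own code: the mutating path rewrites non-compliant images with a JSON patch, the validating path denies the pod instead. It assumes the whitelist values from the Helm install (registry jfrog, namespaces kube-system and default) and that the namespace and image list have already been decoded from the AdmissionReview; matching the registry as a prefix (rather than "contains") is this example's choice.

```go
package main

import (
	"fmt"
	"strings"
)

// PatchOp is one RFC 6902 JSON Patch operation, the format AdmissionResponse.patch carries.
type PatchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value string `json:"value"`
}
// Policy mirrors the Helm values docker.registryUrl, whitelistNamespaces and whitelistRegistries.
type Policy struct {
	RegistryURL         string
	WhitelistNamespaces map[string]bool
	WhitelistRegistries []string
}
// fromWhitelistedRegistry checks the registry *prefix* of the image reference; a plain
// substring match would also accept "evil.example/jfrog/nginx", so prefix is the safer test.
func (p Policy) fromWhitelistedRegistry(image string) bool {
	for _, reg := range p.WhitelistRegistries {
		if strings.HasPrefix(image, reg+"/") {
			return true
		}
	}
	return false
}
// Mutate returns the patch that prefixes RegistryURL onto every container image that is not
// already from a whitelisted registry, so "nginx" becomes "jfrog/nginx" (the page's example).
func (p Policy) Mutate(namespace string, images []string) []PatchOp {
	ops := []PatchOp{}
	if p.WhitelistNamespaces[namespace] { // whitelisted namespaces are left untouched
		return ops
	}
	for i, img := range images {
		if !p.fromWhitelistedRegistry(img) {
			ops = append(ops, PatchOp{"replace", fmt.Sprintf("/spec/containers/%d/image", i), p.RegistryURL + "/" + img})
		}
	}
	return ops
}
// Validate denies the pod (non-nil error) whenever some image is not from a whitelisted registry.
func (p Policy) Validate(namespace string, images []string) error {
	if ops := p.Mutate(namespace, images); len(ops) > 0 {
		return fmt.Errorf("%s is not pulled from a whitelisted registry %v", ops[0].Path, p.WhitelistRegistries)
	}
	return nil
}
```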
helm install --name kubenab --set docker.registrySecret=regsecret,docker.registryUrl=jfrog,whitelistNamespaces="kube-system,default",whitelistRegistries="jfrog" chart/kubenab/
ValidatingAdmissionWebhook is enabled by default; set mutatingWebhook.enabled="true" to enable MutatingAdmissionWebhook.
# Deploy nginx
kubectl apply -f test/nginx.yaml
Run the benchmark.sh script in benchmark/; you only need go, docker and openssl.
==> Mutate Webhook
1000000 / 1000000 [=====================================================================================================================] 100.00% 6850/s 2m25s
Done!
Statistics Avg Stdev Max
Reqs/sec 6906,14 612,30 7957,42
Latency 285,93us 171,41us 27,91ms
Latency Distribution
50% 257,00us
75% 309,00us
90% 376,00us
95% 440,00us
99% 764,00us
HTTP codes:
1xx - 0, 2xx - 100000, 3xx - 0, 4xx - 0, 5xx - 0
others - 0
Throughput: 15.05MB/s
==> Validate Webhook
1000000 / 1000000 [=====================================================================================================================] 100.00% 6669/s 2m29s
Done!
Statistics Avg Stdev Max
Reqs/sec 6675.83 515.18 8017.83
Latency 295.81us 99.07us 22.86ms
Latency Distribution
50% 267.00us
75% 319.00us
90% 388.00us
95% 453.00us
99% 759.00us
HTTP codes:
1xx - 0, 2xx - 1000000, 3xx - 0, 4xx - 0, 5xx - 0
others - 0
Throughput: 16.20MB/s
ATTENTION: This benchmark was done on a non-optimized laptop! (Intel(R) Core(TM) i5-3230M CPU @ 2.60GHz ; 8GB RAM)