{"id":13846246,"url":"https://github.com/jasonrichardsmith/sentry","last_synced_at":"2026-01-26T23:59:54.840Z","repository":{"id":57536583,"uuid":"144059491","full_name":"jasonrichardsmith/sentry","owner":"jasonrichardsmith","description":"Kubernetes Object Validating Admission Controller","archived":false,"fork":false,"pushed_at":"2019-01-03T13:02:23.000Z","size":10878,"stargazers_count":41,"open_issues_count":3,"forks_count":5,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-07-12T07:33:15.960Z","etag":null,"topics":["containers","deployment","kubernetes","pods"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jasonrichardsmith.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-08-08T19:36:13.000Z","updated_at":"2024-09-11T06:05:04.000Z","dependencies_parsed_at":"2022-08-24T13:37:18.523Z","dependency_job_id":null,"html_url":"https://github.com/jasonrichardsmith/sentry","commit_stats":null,"previous_names":["jasonrichardsmith/limit-sentry","jasonsaws/sentry","jasonrichardsmith/sentry"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/jasonrichardsmith/sentry","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jasonrichardsmith%2Fsentry","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jasonrichardsmith%2Fsentry/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jasonrichardsmith%2Fsentry/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jasonrichardsmith%2Fsentry/manifests","owner_
url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jasonrichardsmith","download_url":"https://codeload.github.com/jasonrichardsmith/sentry/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jasonrichardsmith%2Fsentry/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28792638,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-26T21:49:50.245Z","status":"ssl_error","status_checked_at":"2026-01-26T21:48:29.455Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["containers","deployment","kubernetes","pods"],"created_at":"2024-08-04T18:00:20.886Z","updated_at":"2026-01-26T23:59:54.835Z","avatar_url":"https://github.com/jasonrichardsmith.png","language":"Shell","funding_links":[],"categories":["Operators vs Controllers"],"sub_categories":["Admission"],"readme":"[![Build Status](https://travis-ci.org/jasonrichardsmith/sentry.svg?branch=master)](https://travis-ci.org/jasonrichardsmith/sentry)\n[![Coverage Status](https://coveralls.io/repos/github/jasonrichardsmith/sentry/badge.svg?branch=master)](https://coveralls.io/github/jasonrichardsmith/sentry?branch=master)\n[![GoDoc](https://godoc.org/github.com/jasonrichardsmith/sentry?status.svg)](https://godoc.org/github.com/jasonrichardsmith/sentry)\n[![Go Report 
Card](https://goreportcard.com/badge/github.com/jasonrichardsmith/sentry)](https://goreportcard.com/report/github.com/jasonrichardsmith/sentry)\n\n# Sentry\n\nSentry is a Webhook Validating Admission Controller that enforces rules cluster wide on objects in Kubernetes prior to admission.\n\n## Rules\n \nSentry currently supports the below enforcement rules.\n\nIf they are not set in the config.yaml with \"enabled\" set to true, they will not be enforced.\n\nEach rule can ignore a set of namespaces.\n\nTo enforce different configurations you can launch this admission controller under different names with different configurations.\n\n### Limits\n \nLimits will ensure all pods have limits for cpu and memory set and are within the range you provide.\n\n```yaml\nlimits:\n  enabled: true\n  ignoredNamespaces:\n    - \"test2\"\n    - \"test3\"\n  cpu:\n    min: \"1\"\n    max: \"2\"\n  memory:\n    min: 1G\n    max: 2G\n```\n \n### Source\n\nSource ensures images are only pulled from allowed sources.  This is a very simple string match.  This will only check if your image string starts with strings provided in the config.  To ensure your domain is not read as a subdomain, it is best to end your domain with a \"/\".\n\nBy listing the entire image path with or without tag, you can allow specific images from a repository. So \"gcr.io/google_containers/pause-amd64\" would only allow the pause container.  
Due to the matching strategy this also means \"gcr.io/google_containers/pause-amd64foo\" would also pass.\n\n```yaml\nsource:\n  enabled: true\n  ignoredNamespaces:\n    - \"test2\"\n    - \"test3\"\n  allowed:\n    - \"this/isallowed\"\n    - \"sois/this\"\n```\n\n\n### Healthz\n \nHealthz ensures liveness and readiness probes are set.\n\n```yaml\nhealthz:\n  enabled: true\n  ignoredNamespaces:\n    - \"test1\"\n    - \"test3\"\n```\n\n \n### Tags\n\nTags ensures no containers launch with 'latest' or with no tag set.\n\n```yaml\ntags:\n  enabled: true\n  ignoredNamespaces:\n    - \"test1\"\n    - \"test2\"\n```\n \n### NsLabels\n\nNsLabels ensures all namespaces have labels, so you can enforce NetworkPolicies.\n\n```yaml\nnslabels:\n  enabled: true\n  ignoredNamespaces:\n    - \"test1\"\n    - \"test2\"\n```\n\n## Run\n\nThis is the Beta release\n\nTo run in your cluster, clone this repository, and edit [manifest.yaml](https://github.com/jasonrichardsmith/sentry/blob/master/manifest.yaml) to suit your requirements.\n\nThen you can run\n\n```bash\n$ make deployk8s\n```\n**Be Aware** : Like PodSecurityPolicies and RBAC, these rules are powerful, and will banhammer ANY pods that violate the rules.\n\nYou have been warned...\n\n\n## Try out sentry\n \nTo build and test in minikube you can run\n\n```bash\n$ minikube start --kubernetes-version v1.11.1\n$ make minikube\n```\n\nPlease use Kubernetes version \u003e= 1.10\n\nThis will build a container from source on your minikube server.\n\nYou can deploy by running:\n\n```bash\n$ make deployk8s\n```\n\nThis creates server certs, and makes them available in the deployment. 
It produces a manifest-ca.yaml which gets deployed.\n\nTo see the tests working you can deploy any of the manifests under the test-manifests folder.\n\nTo run the e2e tests you can run\n\n```bash\nmake e2etests\n```\n\n## Development\n \nTo develop a new module, you can copy the [example](https://github.com/jasonrichardsmith/sentry/tree/master/example) module.\n\nAnd then import it in the main.go\n```go\nimport(\n\t_ \"github.com/jasonrichardsmith/sentry/my_module\"\n)\n```\n\nConfiguration is loaded using [mapstructure](https://github.com/mitchellh/mapstructure).  If you need special decoding for your configuration you can register a decoder; please reference the limits module decoding hook in [limits/config.go](https://github.com/jasonrichardsmith/sentry/blob/master/limits/config.go).\n\nYou can add e2e tests by adding a folder for your module in test-manifests, and adding manifests named in the following convention.\n\n```\ndescription.expectation.yaml\n```\n\nAnything not titled with \"pass\" as an \"expectation\" will be expected to fail.\n\nThen make sure your module is enabled in the [manifest.yaml](https://github.com/jasonrichardsmith/sentry/blob/master/manifest.yaml).\n```yaml\n\n    my_module:\n      enabled: true\n      ignoredNamespaces:\n        - \"kube-system\"\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjasonrichardsmith%2Fsentry","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjasonrichardsmith%2Fsentry","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjasonrichardsmith%2Fsentry/lists"}