{"id":20102932,"url":"https://github.com/stackrox/admission-controller-webhook-demo","last_synced_at":"2025-04-05T01:09:06.311Z","repository":{"id":45264696,"uuid":"172616369","full_name":"stackrox/admission-controller-webhook-demo","owner":"stackrox","description":"Kubernetes admission controller webhook example","archived":false,"fork":false,"pushed_at":"2024-01-21T08:08:43.000Z","size":2487,"stargazers_count":251,"open_issues_count":6,"forks_count":210,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-03-29T00:11:53.923Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stackrox.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-02-26T01:43:12.000Z","updated_at":"2025-03-21T01:16:46.000Z","dependencies_parsed_at":"2024-06-18T20:16:01.388Z","dependency_job_id":null,"html_url":"https://github.com/stackrox/admission-controller-webhook-demo","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Fadmission-controller-webhook-demo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Fadmission-controller-webhook-demo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Fadmission-controller-webhook-demo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Fadmission-controller-webhook-demo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stackrox","download_url":"https://codeload.github.com/stackrox/admission-controller-webhook-demo/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247271532,"owners_count":20911587,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T17:33:43.252Z","updated_at":"2025-04-05T01:09:06.276Z","avatar_url":"https://github.com/stackrox.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Kubernetes Admission Controller Webhook Demo\n\nThis repository contains a small HTTP server that can be used as a Kubernetes\n[MutatingAdmissionWebhook](https://kubernetes.io/docs/admin/admission-controllers/#mutatingadmissionwebhook-beta-in-19).\n\nThe logic of this demo webhook is fairly simple: it enforces more secure defaults for running\ncontainers as a non-root user. While it is still possible to run containers as root, the webhook\nensures that this is only possible if the setting `runAsNonRoot` is *explicitly* set to `false`\nin the `securityContext` of the Pod. If no value is set for `runAsNonRoot`, a default of `true`\nis applied, and the user ID defaults to `1234`.\n\n## Prerequisites\n\nA cluster on which this example can be tested must be running Kubernetes 1.9.0 or above,\nwith the `admissionregistration.k8s.io/v1beta1` API enabled. You can verify that by observing that the\nfollowing command produces non-empty output:\n```\nkubectl api-versions | grep admissionregistration.k8s.io/v1beta1\n```\nIn addition, the `MutatingAdmissionWebhook` admission controller must be enabled by listing it in the admission-control\nflag of `kube-apiserver`.\n\nTo build the image, [GNU make](https://www.gnu.org/software/make/) and [Go](https://golang.org) are required.\n\n## Deploying the Webhook Server\n\n1. Bring up a Kubernetes cluster satisfying the above prerequisites, and make\nsure `kubectl` is configured to use it (i.e., either via the kubeconfig in the default location, or by setting\nthe `KUBECONFIG` environment variable).\n2. Run `./deploy.sh`. This will create a CA, a certificate and private key for the webhook server,\nand deploy the resources in the newly created `webhook-demo` namespace in your Kubernetes cluster.\n\n\n## Verify\n\n1. The `webhook-server` pod in the `webhook-demo` namespace should be running:\n```\n$ kubectl -n webhook-demo get pods\nNAME                             READY     STATUS    RESTARTS   AGE\nwebhook-server-6f976f7bf-hssc9   1/1       Running   0          35m\n```\n\n2. A `MutatingWebhookConfiguration` named `demo-webhook` should exist:\n```\n$ kubectl get mutatingwebhookconfigurations\nNAME           AGE\ndemo-webhook   36m\n```\n\n3. Deploy [a pod](examples/pod-with-defaults.yaml) that sets neither `runAsNonRoot` nor `runAsUser`:\n```\n$ kubectl create -f examples/pod-with-defaults.yaml\n```\nVerify that the webhook has filled in the default values in the pod's security context:\n```\n$ kubectl get pod/pod-with-defaults -o yaml\n...\n  securityContext:\n    runAsNonRoot: true\n    runAsUser: 1234\n...\n```\nAlso, check the logs to confirm that the pod is in fact running as a non-root user:\n```\n$ kubectl logs pod-with-defaults\nI am running as user 1234\n```\n\n4. Deploy [a pod](examples/pod-with-override.yaml) that explicitly sets `runAsNonRoot` to `false`, allowing it to run as the\n`root` user:\n```\n$ kubectl create -f examples/pod-with-override.yaml\n$ kubectl get pod/pod-with-override -o yaml\n...\n  securityContext:\n    runAsNonRoot: false\n...\n$ kubectl logs pod-with-override\nI am running as user 0\n```\n\n5. Attempt to deploy [a pod](examples/pod-with-conflict.yaml) that has a conflicting setting: `runAsNonRoot` set to `true`, but `runAsUser` set to 0 (root).\nThe admission controller should block the creation of that pod.\n```\n$ kubectl create -f examples/pod-with-conflict.yaml \nError from server (InternalError): error when creating \"examples/pod-with-conflict.yaml\": Internal error\noccurred: admission webhook \"webhook-server.webhook-demo.svc\" denied the request: runAsNonRoot specified,\nbut runAsUser set to 0 (the root user)\n```\n\n## Build the Image from Sources (optional)\n\nAn image can be built by running `make`.\nIf you want to modify the webhook server for testing purposes, be sure to set and export\nthe shell environment variable `IMAGE` to an image tag for which you have push access. You can then\nbuild and push the image by running `make push-image`. Also make sure to change the image tag\nin `deployment/deployment.yaml.template`, and if necessary, add image pull secrets.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstackrox%2Fadmission-controller-webhook-demo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstackrox%2Fadmission-controller-webhook-demo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstackrox%2Fadmission-controller-webhook-demo/lists"}