https://github.com/banzaicloud/anchore-image-validator
Anchore Image Validator lets you automatically detect or block security issues just before a Kubernetes pod starts.
- Host: GitHub
- URL: https://github.com/banzaicloud/anchore-image-validator
- Owner: banzaicloud
- License: apache-2.0
- Created: 2018-09-14T13:30:49.000Z (almost 8 years ago)
- Default Branch: master
- Last Pushed: 2023-04-05T03:57:05.000Z (about 3 years ago)
- Last Synced: 2025-03-27T07:48:04.023Z (about 1 year ago)
- Topics: cloud-native, golang, kubernetes, security
- Language: Go
- Homepage:
- Size: 6.39 MB
- Stars: 44
- Watchers: 5
- Forks: 10
- Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
README
[Go Report Card](https://goreportcard.com/report/github.com/banzaicloud/anchore-image-validator) · [Docker Hub image](https://hub.docker.com/r/banzaicloud/anchore-image-validator/)
# Anchore Image Validator
Anchore Image Validator lets you automatically detect or block security issues just before a Kubernetes pod starts.
This repository contains an [admission webhook](https://banzaicloud.com/blog/k8s-admission-webhooks/) server that can be configured as a ValidatingWebhook in a k8s cluster. Kubernetes will send requests to the admission server when a Pod creation is initiated. The server checks the image defined in the pod specification using the configured Anchore-engine API. If the result indicates that the image does not comply with the defined policy, k8s will reject the Pod creation request.
- If an image is not valid, the release can be added to a *whitelist* resource (CRD) to bypass the blocking.
- The results of image checks are stored as an *audit* resource (CRD) in a structured format.
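As an added illustration (not code from the repository), the admission decision described above in Go: the Anchore-engine call is replaced by a pluggable `check` function and the Helm release name is read from the pod's `release` label (both assumptions), a constructed sample AdmissionReview is embedded, and only `spec.containers` is inspected.

```go
package main

import (
	"encoding/json"
	"regexp"
)
// Only the AdmissionReview fields this decision reads (real type: k8s.io/api/admission/v1).
type pod struct {
	Metadata struct{ Labels map[string]string `json:"labels"` } `json:"metadata"`
	Spec struct{ Containers []struct{ Image string `json:"image"` } `json:"containers"` } `json:"spec"`
}
type AdmissionReview struct {
	Request struct{ Object pod `json:"object"` } `json:"request"`
}
// SampleReview is a constructed request for a pod of Helm release "shop-frontend" with two containers.
const SampleReview = `{"request":{"object":{"metadata":{"labels":{"release":"shop-frontend"}},"spec":{"containers":[{"image":"docker.io/image-name1:latest"},{"image":"docker.io/image-name2:latest"}]}}}}`
// WhiteListItem carries the CRD fields used here: the release name (metadata.name) and optional regexp.
type WhiteListItem struct{ Name, Regexp string }
// whitelisted reports whether an item names the release exactly or its (valid, non-empty) regexp matches it.
func whitelisted(release string, items []WhiteListItem) bool {
	for _, it := range items {
		re, err := regexp.Compile(it.Regexp)
		if it.Name == release || (it.Regexp != "" && err == nil && re.MatchString(release)) {
			return true
		}
	}
	return false
}

// Validate returns the admission verdict and status message for a raw AdmissionReview body; check stands in for the Anchore-engine policy evaluation (assumption: pass/fail plus reason).
func Validate(body []byte, items []WhiteListItem, check func(image string) (bool, string)) (bool, string, error) {
	var ar AdmissionReview
	if err := json.Unmarshal(body, &ar); err != nil {
		return false, "", err
	}
	release := ar.Request.Object.Metadata.Labels["release"] // assumption: Helm release label
	if whitelisted(release, items) {
		return true, "release " + release + " whitelisted, Anchore check bypassed", nil
	}
	for _, c := range ar.Request.Object.Spec.Containers {
		if pass, reason := check(c.Image); !pass {
			return false, "image " + c.Image + " rejected by Anchore policy: " + reason, nil
		}
	}
	return true, "all images passed Anchore policy", nil
}
func main() { // stand-alone run: evaluate the sample with a checker that passes every image
	_, msg, _ := Validate([]byte(SampleReview), nil, func(string) (bool, string) { return true, "" })
	println(msg)
}
```

A malformed or unparseable AdmissionReview is returned as an error rather than an allow, so the webhook caller can fail closed.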
## Installing
### Helm install
Install from banzaicloud-stable repository
Add repository
```shell
$ helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com/
$ helm repo update
```
Install chart (replace the angle-bracket placeholders with your Anchore-engine host and credentials)
```shell
$ helm install --set externalAnchore.anchoreHost=<anchore-engine-host> --set externalAnchore.anchoreUser=<anchore-engine-user> --set externalAnchore.anchorePass=<anchore-engine-password> banzaicloud-stable/anchore-policy-validator
```
### Manual install
For manual install you need to define the following environment variables
| ENV                     | Description             |
|-------------------------|-------------------------|
| ANCHORE_ENGINE_USERNAME | Anchore-engine username |
| ANCHORE_ENGINE_PASSWORD | Anchore-engine password |
| ANCHORE_ENGINE_URL      | Anchore-engine URL      |
### Accessing banzaicloud security features via Kubernetes api:
```shell
$ curl http://<kubernetes-api-host>/apis/security.banzaicloud.com/v1alpha1
```
```json
{
  "kind": "APIResourceList",
  "apiVersion": "v1",
  "groupVersion": "security.banzaicloud.com/v1alpha1",
  "resources": [
    {
      "name": "whitelistitems",
      "singularName": "whitelistitem",
      "namespaced": false,
      "kind": "WhiteListItem",
      "verbs": [ ... ],
      "shortNames": [
        "wl"
      ]
    },
    {
      "name": "audits",
      "singularName": "audit",
      "namespaced": false,
      "kind": "Audit",
      "verbs": [ ... ]
    }
  ]
}
```
#### Resources accessible via `kubectl` command:
```shell
$ kubectl get whitelist
$ kubectl get audit
```
#### Example whitelist:
```yaml
apiVersion: security.banzaicloud.com/v1alpha1
kind: WhiteListItem
metadata:
  name: <whitelist item name>
spec:
  reason: <why the release is whitelisted>
  creator: <who created the entry>
  [regexp: <optional regular expression>]
```
#### Example audit:
```yaml
apiVersion: security.banzaicloud.com/v1alpha1
kind: Audit
metadata:
  name: <audit name>
  ownerReferences:
    - <owner reference>
spec:
  releaseName: <release name>
  resource: pod
  image:
    - imageName: "docker.io/image-name1"
      imageTag: "latest"
      imageDigest: "sha256:abcd1"
      lastUpdated: "2018-11-11T14:35:38Z"
    - imageName: "docker.io/image-name2"
      imageTag: "latest"
      imageDigest: "sha256:abcd2"
      lastUpdated: "2018-11-11T14:35:38Z"
  result:
    - <result of the first image check>
    - <result of the second image check>
  action: <action taken>
status:
  [state: <state>]
```