https://github.com/framsouza/validating-webhook
Deny creation of pods that contain a hostPath pointing to /
- Host: GitHub
- URL: https://github.com/framsouza/validating-webhook
- Owner: framsouza
- Created: 2022-08-16T12:52:18.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2022-08-19T07:21:05.000Z (almost 4 years ago)
- Last Synced: 2025-05-07T22:13:33.422Z (about 1 year ago)
- Language: Go
- Size: 20.5 KB
- Stars: 3
- Watchers: 1
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
### Validating Webhook hostpath
This is a validating webhook configuration that denies the creation of pods that use `/` as the path of a `hostPath` volume. For more information about the risks of using hostPath, see this [doc page](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath).
It uses cert-manager to generate the certificates.
### Usage
1. `kind create cluster`
2. Install cert-manager:
   - `helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.9.1 --set installCRDs=true`
3. `git clone git@github.com:framsouza/validating-webhook.git`
4. `kubectl create -f manifests/cert-manager.yaml`
5. `kubectl create -f manifests/validation.yaml`
6. `kubectl create -f manifests/webhook.yaml`
7. `kubectl create -f manifests/bad-pod.yaml`
The last command tries to create a pod that mounts `/`, and the webhook rejects it. The output is the following:
```
kubectl create -f manifests/bad-pod.yaml
namespace/apps created
Error from server: error when creating "manifests/bad-pod.yaml": admission webhook "hostpah-kubernetes-webhook.acme.com" denied the request: pod contains "/" as hostPath
```
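The admission decision behind that denial, as an added example that is not the repository's own code: it decodes an `AdmissionReview` request using only the standard library and denies the pod when any `hostPath` volume resolves to `/`. The type names, the `validate` function and the `path.Clean` normalization are assumptions made for this example; the denial message is the one shown in the output above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
)

// review is the subset of admission.k8s.io/v1 AdmissionReview this check needs (hypothetical type).
type review struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Request    *struct {
		UID    string `json:"uid"`
		Object struct { // the Pod being created
			Spec struct {
				Volumes []struct {
					HostPath *struct{ Path string `json:"path"` } `json:"hostPath"`
				} `json:"volumes"`
			} `json:"spec"`
		} `json:"object"`
	} `json:"request,omitempty"`
	Response *response `json:"response,omitempty"`
}
type response struct {
	UID     string            `json:"uid"` // must echo the request UID
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"` // only the message field is set
}

// validate denies the pod when any hostPath, after path.Clean (so "//" and "/./" count), is "/".
func validate(body []byte) (*review, error) {
	var in review
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return nil, fmt.Errorf("not an AdmissionReview request: %v", err)
	}
	res := &response{UID: in.Request.UID, Allowed: true}
	for _, v := range in.Request.Object.Spec.Volumes {
		if v.HostPath != nil && path.Clean(v.HostPath.Path) == "/" {
			res.Allowed, res.Status = false, map[string]string{"message": `pod contains "/" as hostPath`}
		}
	}
	return &review{APIVersion: in.APIVersion, Kind: in.Kind, Response: res}, nil
}

func main() { // runs one constructed request, not captured from a cluster
	out, err := validate([]byte(`{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"constructed-uid","object":{"spec":{"volumes":[{"name":"root","hostPath":{"path":"/"}}]}}}}`))
	fmt.Println(out.Response.Allowed, out.Response.Status["message"], err)
}
```

This check only covers a volume whose path is the root itself; a `hostPath` such as `/etc` or `/var/run` is still admitted.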