How to reject docker registries in kubernetes?


Problem description

I want to reject all docker registries except my own one. I'm looking for some kind of policy for docker registries and their images.

For example my registry name is registry.my.com. I want to make kubernetes pulling/running images only from registry.my.com, so:

image: prometheus:2.6.1

or any other should be rejected, while:

image: registry.my.com/prometheus:2.6.1

shouldn't.

Is there a way to do that?

Solution

Admission Controllers is what you are looking for.

Admission controllers intercept operations to validate what should happen before the operation is committed by the api-server.

An example is the ImagePolicyWebhook, an admission controller that intercepts Image operations to validate if they should be allowed or rejected.

It will make a call to a REST endpoint with a payload like:

{
  "apiVersion": "imagepolicy.k8s.io/v1alpha1",
  "kind": "ImageReview",
  "spec": {
    "containers": [
      {
        "image": "myrepo/myimage:v1"
      },
      {
        "image": "myrepo/myimage@sha256:beb6bd6a68f114c1dc2ea4b28db81bdf91de202a9014972bec5e4d9171d90ed"
      }
    ],
    "annotations": {
      "mycluster.image-policy.k8s.io/ticket-1234": "break-glass"
    },
    "namespace": "mynamespace"
  }
}

and the API answers with Allowed:

{
  "apiVersion": "imagepolicy.k8s.io/v1alpha1",
  "kind": "ImageReview",
  "status": {
    "allowed": true
  }
}

or Rejected:

{
  "apiVersion": "imagepolicy.k8s.io/v1alpha1",
  "kind": "ImageReview",
  "status": {
    "allowed": false,
    "reason": "image currently blacklisted"
  }
}

The endpoint could be a Lambda function or a container running in the cluster.

This GitHub repo github.com/flavio/kube-image-bouncer implements a sample using ImagePolicyWebhook to reject containers using the tag "latest".

There is also the option to use the flag registry-whitelist on startup to pass a comma separated list of allowed registries; this will be used by the ValidatingAdmissionWebhook to validate if the registry is whitelisted.

The other alternative is the project Open Policy Agent[OPA].

OPA is a flexible engine used to create policies based on rules to match resources and take decisions according to the result of these expressions. It is a mutating and a validating webhook that gets called for matching Kubernetes API server requests by the admission controller mentioned above. In summary, the operation would work similarly to what is described above; the only difference is that the rules are written as configuration instead of code. The same example above rewritten to use OPA would be similar to this:

package admission

import data.k8s.matches

deny[{
    "id": "container-image-whitelist",  # identifies type of violation
    "resource": {
        "kind": "pods",                 # identifies kind of resource
        "namespace": namespace,         # identifies namespace of resource
        "name": name                    # identifies name of resource
    },
    "resolution": {"message": msg},     # provides human-readable message to display
}] {
    matches[["pods", namespace, name, matched_pod]]
    container = matched_pod.spec.containers[_]
    # The actual validation; the dots are escaped so only the literal registry host matches
    not re_match(`^registry\.acmecorp\.com/.+$`, container.image)
    msg := sprintf("invalid container registry image %q", [container.image])
}

The above translates to: deny any pod where the container image does not match the following registry: registry.acmecorp.com
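As an added example that is not part of the answer above or of kube-image-bouncer, here is a minimal Go backend for the ImagePolicyWebhook payload shown above: it decodes the ImageReview, derives each image's registry with the Docker reference rule (a bare name such as prometheus:2.6.1 implicitly lives on docker.io, so a plain string-prefix check is not enough), and answers allowed only when every container comes from an allowlisted registry. The allowlist value registry.my.com is taken from the question; the function names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ImageReview mirrors the imagepolicy.k8s.io/v1alpha1 payload shown above (only the fields used here).
type ImageReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		Containers []struct{ Image string `json:"image"` } `json:"containers"`
	} `json:"spec"`
	Status struct {
		Allowed bool   `json:"allowed"`
		Reason  string `json:"reason,omitempty"`
	} `json:"status"`
}

// registryOf applies the Docker rule: the first path component is a registry only if it has "." or ":" or is "localhost".
func registryOf(image string) string {
	parts := strings.SplitN(image, "/", 2)
	if len(parts) == 1 || (!strings.ContainsAny(parts[0], ".:") && parts[0] != "localhost") {
		return "docker.io"
	}
	return parts[0]
}

// Review decodes the posted ImageReview and fills status; it fails closed (every image must be allowlisted).
func Review(body []byte, allowed []string) (ImageReview, error) {
	var rev ImageReview
	if err := json.Unmarshal(body, &rev); err != nil {
		return rev, err
	}
	ok := map[string]bool{}
	for _, a := range allowed {
		ok[a] = true
	}
	rev.Status.Allowed = true
	for _, c := range rev.Spec.Containers {
		if reg := registryOf(c.Image); !ok[reg] {
			rev.Status.Allowed = false
			rev.Status.Reason = fmt.Sprintf("image %q is from registry %q, not in the allowlist", c.Image, reg)
			break
		}
	}
	return rev, nil
}
```

The returned struct marshals back to exactly the allowed/rejected response shapes shown above; a registry that serves on a non-default port must be listed with that port (for example registry.my.com:5000), because the port is part of the host component.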
