Image Policy Webhook with Kube-Image Bouncer

tarun mittal
2 min read, May 4, 2021


The Image Policy Webhook is one of the Kubernetes admission controllers: it intercepts requests to the API server and asks an external backend whether the container images in a pod may be used. This post shows how to use the image policy webhook with Kube-Image Bouncer as that backend, running the webhook server inside the K8s cluster.

Check out the Kubernetes documentation: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook

Implementation:-

1. You need an admission configuration file in place that enables the image policy webhook:

admission-configuration.yaml

apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ImagePolicyWebhook
  configuration:
    imagePolicy:
      kubeConfigFile: /etc/kubernetes/image-webhook/kubeconfig.yaml
      allowTTL: 50
      denyTTL: 50
      retryBackoff: 500
      defaultAllow: true

2. Enable the ImagePolicyWebhook admission plugin in the kube-apiserver.yaml file:

--enable-admission-plugins=ImagePolicyWebhook

3. Now we will create the certificates for the image-policy-server; their paths appear on line 5 of the kubeconfig.yaml file.

For example, in this tutorial I am creating certificates for test.server.local, but the same method works for any domain name.

Step 1: Create the key first

Step 2: Create the CSR from the key

Step 3: Sign the CSR with the Kubernetes CA

4. Download Kube-image-bouncer:

https://github.com/flavio/kube-image-bouncer

1. go get github.com/flavio/kube-image-bouncer
2. move the kube-image-bouncer binary to /usr/bin/
3. go to /etc/kubernetes/image-webhook/, where your certificates were generated.
4. run the server with the command:
kube-image-bouncer --cert webhook.crt --key webhook.key --port 8081
5. Now your server is up and running.

5. Create the kubeconfig.yaml file referenced by the admission configuration:

kubeconfig.yaml

6. Edit the kube-apiserver.yaml file and include the following lines:

7. Before running the final command, add an entry for the webhook host to your local /etc/hosts file:

127.0.0.1 test.server.local

8. Now try to run a pod that uses an image with the latest tag; you will get an error like this:

kubectl run nginx --image=nginx

Error from server (Forbidden): pods "nginx" is forbidden: image policy webhook backend denied one or more images: Images using latest tag are not allowed

9. This means your image-policy-webhook is working, and using the latest tag is not allowed.
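As an added example, not code from the post or from kube-image-bouncer itself, here is the exchange behind that Forbidden error: the API server POSTs an imagepolicy.k8s.io/v1alpha1 ImageReview listing the pod's images to the backend from kubeconfig.yaml, and the backend returns the same object with status.allowed and a reason (with defaultAllow: true in the admission configuration, an unreachable backend means the pod is admitted anyway). The struct, the tag parsing and the sample request are my own constructions; the deny rule and the reason string are the ones the post shows.

```go
package main

import (
	"encoding/json"
	"strings"
)

// ImageReview is the imagepolicy.k8s.io/v1alpha1 object the API server POSTs to the webhook; the reply is the same object with status set.
type ImageReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		Containers []struct{ Image string `json:"image"` } `json:"containers"`
	} `json:"spec"`
	Status struct {
		Allowed bool   `json:"allowed"`
		Reason  string `json:"reason,omitempty"`
	} `json:"status"`
}

// imageTag returns the tag of an image reference: a registry port (registry.local:5000/app)
// is not a tag, a digest (app@sha256:...) is immutable and yields "", no tag means "latest".
func imageTag(ref string) string {
	name := ref[strings.LastIndex(ref, "/")+1:] // drop registry and repository path
	if strings.Contains(name, "@") {
		return ""
	}
	if i := strings.Index(name, ":"); i >= 0 {
		return name[i+1:]
	}
	return "latest" // Docker's default when no tag is given
}

// Review applies the rule the post demonstrates: deny when any container image uses (or defaults to) the latest tag.
func Review(body []byte) (ImageReview, error) {
	var r ImageReview
	if err := json.Unmarshal(body, &r); err != nil {
		return r, err
	}
	r.Status.Allowed = true
	for _, c := range r.Spec.Containers {
		if imageTag(c.Image) == "latest" {
			r.Status.Allowed, r.Status.Reason = false, "Images using latest tag are not allowed"
		}
	}
	return r, nil
}

// sampleReview is a constructed request like the one `kubectl run nginx --image=nginx` triggers.
const sampleReview = `{"apiVersion":"imagepolicy.k8s.io/v1alpha1","kind":"ImageReview","spec":{"containers":[{"image":"nginx"}]}}`
```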

Thanks for reading. I think this guide will help you to achieve and learn something new about implementing the image-policy-webhook using kube-image-bouncer.

In case of any issues, questions or suggestions, you can connect with me on LinkedIn:

https://www.linkedin.com/in/tarun-mittal-1507/


Written by tarun mittal

Currently Working As A DevOps Engineer. Loves to Troubleshoot.
