How to reject docker registries in kubernetes?
I want to reject all docker registries except my own one. I'm looking for some kind of policy for docker registries and their images.

For example, my registry name is registry.my.com. I want Kubernetes to pull/run images only from registry.my.com, so:

image: prometheus:2.6.1

or any other should be rejected, while:

image: registry.my.com/prometheus:2.6.1

shouldn't.

Is there a way to do that?

Echinus answered 31/1, 2019 at 14:48 Comment(0)

Admission Controllers are what you are looking for.

Admission controllers intercept operations to validate what should happen before the operation is committed by the api-server.

An example is the ImagePolicyWebhook, an admission controller that intercepts image operations to validate whether they should be allowed or rejected.

It will make a call to a REST endpoint with a payload like:

{
  "apiVersion": "imagepolicy.k8s.io/v1alpha1",
  "kind": "ImageReview",
  "spec": {
    "containers": [
      {
        "image": "myrepo/myimage:v1"
      },
      {
        "image": "myrepo/myimage@sha256:beb6bd6a68f114c1dc2ea4b28db81bdf91de202a9014972bec5e4d9171d90ed"
      }
    ],
    "annotations": {
      "mycluster.image-policy.k8s.io/ticket-1234": "break-glass"
    },
    "namespace": "mynamespace"
  }
}

and the API answers with Allowed:

{
  "apiVersion": "imagepolicy.k8s.io/v1alpha1",
  "kind": "ImageReview",
  "status": {
    "allowed": true
  }
}

or Rejected:

{
  "apiVersion": "imagepolicy.k8s.io/v1alpha1",
  "kind": "ImageReview",
  "status": {
    "allowed": false,
    "reason": "image currently blacklisted"
  }
}

The endpoint could be a Lambda function or a container running in the cluster.

This GitHub repo github.com/flavio/kube-image-bouncer implements a sample using ImagePolicyWebhook to reject containers using the tag "Latest".

There is also the option to use the flag registry-whitelist on startup to pass a comma-separated list of allowed registries; this will be used by the ValidatingAdmissionWebhook to validate whether the registry is whitelisted.

The other alternative is the project Open Policy Agent (OPA).

OPA is a flexible engine used to create policies based on rules to match resources and take decisions according to the result of these expressions. It is a mutating and a validating webhook that gets called for matching Kubernetes API server requests by the admission controller mentioned above. In summary, the operation would work similarly as described above; the only difference is that the rules are written as configuration instead of code. The same example above, rewritten to use OPA, would look similar to this:

package admission

import data.k8s.matches

deny[{
    "id": "container-image-whitelist",  # identifies type of violation
    "resource": {
        "kind": "pods",                 # identifies kind of resource
        "namespace": namespace,         # identifies namespace of resource
        "name": name                    # identifies name of resource
    },
    "resolution": {"message": msg},     # provides human-readable message to display
}] {
    matches[["pods", namespace, name, matched_pod]]
    container = matched_pod.spec.containers[_]
    not re_match(`^registry\.acmecorp\.com/.+$`, container.image) # The actual validation; dots are escaped so registry-acmecorp.com does not match
    msg := sprintf("invalid container registry image %q", [container.image])
}

The above translates to: deny any pod where the container image does not match the registry registry.acmecorp.com.

Nescience answered 31/1, 2019 at 16:1 Comment(0)
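As an added example, not code from the answer above or from kube-image-bouncer, here is a minimal ImagePolicyWebhook backend in Python that implements the asker's rule (allow only registry.my.com). It resolves the registry the way Docker does, so a bare prometheus:2.6.1 counts as docker.io and is rejected, and it compares the whole host rather than a prefix; the listening port and plain HTTP are assumptions for local testing.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_REGISTRY = "registry.my.com"  # the registry named in the question

def parse_registry(image):
    """Registry host of an image reference, resolved the way Docker does:
    the first path component is a registry only if it contains '.' or ':'
    or is 'localhost'; otherwise the image comes from docker.io, so
    'prometheus:2.6.1' and 'myrepo/myimage:v1' both resolve to Docker Hub."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def image_allowed(image):
    """Exact host comparison after dropping an optional port. A prefix
    check (startswith) would also accept registry.my.com.evil.example."""
    host = parse_registry(image).rsplit(":", 1)[0]
    return host == ALLOWED_REGISTRY

def review(image_review):
    """Build the ImageReview status the ImagePolicyWebhook expects back."""
    containers = image_review.get("spec", {}).get("containers", [])
    rejected = [c.get("image", "") for c in containers
                if not image_allowed(c.get("image", ""))]
    status = {"allowed": not rejected}
    if rejected:
        status["reason"] = "registry not allowed: " + ", ".join(rejected)
    return {"apiVersion": "imagepolicy.k8s.io/v1alpha1",
            "kind": "ImageReview", "status": status}

class Handler(BaseHTTPRequestHandler):
    """Minimal HTTP endpoint the API server's ImagePolicyWebhook can POST to."""
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        out = json.dumps(review(body)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

if __name__ == "__main__":
    # Port 8443 and plain HTTP are assumptions for local testing only;
    # the real webhook is served over TLS and referenced from a kubeconfig.
    HTTPServer(("127.0.0.1", 8443), Handler).serve_forever()
```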

Currently this is not something that you can enable or disable with one command, but there are admission controllers that you can use.

If you are on the Red Hat platform and running just Docker or Kubernetes nodes on RHEL, with RHEL Docker as the container runtime, you can whitelist registries there.

Whitelisting Docker Registries

You can specify a whitelist of docker registries, allowing you to curate a set of images and templates that are available for download by OpenShift Container Platform users. This curated set can be placed in one or more docker registries, and then added to the whitelist. When using a whitelist, only the specified registries are accessible within OpenShift Container Platform, and all other registries are denied access by default.

To configure a whitelist:

Edit the /etc/sysconfig/docker file to block all registries:

BLOCK_REGISTRY='--block-registry=all'

You may need to uncomment the BLOCK_REGISTRY line.

In the same file, add registries to which you want to allow access:

ADD_REGISTRY='--add-registry=<registry1> --add-registry=<registry2>'

Allowing Access to Registries:

ADD_REGISTRY='--add-registry=registry.access.redhat.com'

There is also a GitHub project:

https://github.com/flavio/kube-image-bouncer

that you can use to whitelist registries. I think registry whitelisting is already implemented in it; you just need to provide it the list when you run the binary.

Piapiacenza answered 31/1, 2019 at 16:42 Comment(0)

In case you are dealing with an Azure-managed AKS cluster you can make use of Azure Policies. Here is a summary. I wrote about it in more detail in my blog post which can be found here.

Activate the Policy Insights resource provider on your subscription

az provider register --namespace Microsoft.PolicyInsights

Enable AKS Azure Policy Add-On

az aks enable-addons --addons azure-policy --name <cluster> --resource-group rg-demo

Assign one of the built-in policies that allow just for that use case

# Define parameters for Azure Policy
$param = @{
    "effect" = "deny";
    "excludedNamespaces" = "kube-system", "gatekeeper-system", "azure-arc", "playground";
    "allowedContainerImagesRegex" = "myregistry\.azurecr\.io\/.+$";
}

# Set a name and display name for the assignment
$name = 'restrict-container-registries'

# Retrieve the Azure Policy object
$policy = Get-AzPolicyDefinition -Name 'febd0533-8e55-448f-b837-bd0e06f16469'

# Retrieve the resource group for scope assignment
$scope = Get-AzResourceGroup -Name rg-demo

# Assign the policy
New-AzPolicyAssignment -DisplayName $name -Name $name -Scope $scope.ResourceId -PolicyDefinition $policy -PolicyParameterObject $param

A couple of things worth noting:

  • Installing the add-on installs gatekeeper for you
  • It can take up to 20 minutes until the policies do get applied
  • I excluded the namespace playground on purpose for demo only

Latinism answered 20/2, 2023 at 22:10 Comment(0)
