ImagePolicyWebhook
This is an admission controller which can be enabled using --enable-admission-plugins in the kube-apiserver.
In order to get the ImagePolicyWebhook working, we also need to pass the kube-apiserver an AdmissionConfiguration object carrying the ImagePolicyWebhook settings,
using the --admission-control-config-file flag.

Don't do this just yet; first create the AdmissionConfiguration (provided you already have the certs and the kubeconfig file).

Here's what the AdmissionConfiguration.yaml will look like.


apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
  - name: ImagePolicyWebhook
    configuration:
      imagePolicy:
        kubeConfigFile: <path-to-kubeconfig-file>
        allowTTL: 50          # seconds to cache an approval
        denyTTL: 50           # seconds to cache a denial
        retryBackoff: 500     # milliseconds to wait between retries
        defaultAllow: true    # if the external service is not available, we will still allow

The kubeconfig file describes, under the clusters section, the webhook server which will perform the image policy logic, and under
the users section the api-server, which is the client in this case; there we need to provide the certificate and key pair the api-server
will present as the client.

Save the certs, key and the kubeconfig file in a location on the master node. We use this path along with the filename in plugins[].configuration.imagePolicy.kubeConfigFile (note that it has to be the path as seen from inside the apiserver container, which is why it gets mounted below).

Now on the api-server manifest, we add the full path of the AdmissionConfiguration file with the flag --admission-control-config-file.

This AdmissionConfiguration file location also has to be mounted into the apiserver container, so we create a volume and a volumeMount for it.

The volume below goes under the pod spec (spec.volumes) of the kube-apiserver manifest; it mounts the directory holding the AdmissionConfiguration file, the kubeconfig and the certs.

volumes:
- hostPath:
    path: <path to the directory containing the AdmissionConfiguration file>
    type: DirectoryOrCreate
  name: <give-it-any-name>

Now under the volumeMounts section of the kube-apiserver container (spec.containers[].volumeMounts), we add a volume mount.

volumeMounts:
- mountPath: <path within the API Server container to be mounted>
  name: <give-it-the-same-name-as-in-volume>
  readOnly: true

If you haven't enabled the admission plugin yet, now is the time to do so while editing the kube-apiserver manifest:

--enable-admission-plugins=NodeRestriction,ImagePolicyWebhook
--admission-control-config-file=<location of the AdmissionConfiguration yaml file>

Exit out of vi and give it a few moments for the API server to restart; that should be it!
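The webhook server itself, the one the kubeconfig's clusters section points the API server at, is not shown in these notes; the following is an added example of a minimal backend (my own code, not from the original notes). It receives the ImageReview object the API server POSTs, applies a constructed policy (only images from an assumed trusted-registry list, and only version-tagged or digest-pinned, never latest or untagged), and answers with the ImageReview status the API server reads. The registry names and the listen port are assumptions.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
# Constructed policy for this example: registries this cluster trusts.
TRUSTED_REGISTRIES = ("registry.internal.example", "docker.io/library")

def split_reference(image):  # 'registry/repo[:tag][@digest]' -> (repo, tag, digest)
    repo, _, digest = image.partition("@")
    head, sep, last = repo.rpartition("/")        # a ':' after the last '/' is a tag
    last, _, tag = last.partition(":")
    repo = f"{head}/{last}" if sep else last
    if "/" not in repo:                           # "nginx" -> docker.io/library/nginx
        repo = f"docker.io/library/{repo}"
    elif "." not in head.split("/")[0] and ":" not in head.split("/")[0]:
        repo = f"docker.io/{repo}"                # "user/app" -> docker.io/user/app
    return repo, tag or None, digest or None

def evaluate(image):  # (allowed, reason) for one image reference
    repo, tag, digest = split_reference(image)
    if not any(repo.startswith(r + "/") for r in TRUSTED_REGISTRIES):
        return False, f"{image}: registry not in the trusted list"
    if digest:                                    # digest-pinned images are immutable
        return True, ""
    if tag is None or tag == "latest":
        return False, f"{image}: mutable tag, pin a version tag or a digest"
    return True, ""

def review(image_review):  # build the ImageReview response the API server expects
    reasons = []
    for container in image_review.get("spec", {}).get("containers", []):
        allowed, reason = evaluate(container.get("image", ""))
        if not allowed:
            reasons.append(reason)
    return {
        "apiVersion": "imagepolicy.k8s.io/v1alpha1",
        "kind": "ImageReview",
        "status": {"allowed": not reasons, "reason": "; ".join(reasons)},
    }

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        payload = json.dumps(review(json.loads(body))).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(payload)

if __name__ == "__main__":
    # Plain HTTP on localhost for testing; in the cluster, serve TLS with the cert named in the kubeconfig.
    HTTPServer(("127.0.0.1", 8443), Handler).serve_forever()
```

With defaultAllow set to true as in the configuration above, a pod is still admitted when this server is unreachable, so the denials only hold while the backend is up.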