@helm-charts/banzaicloud-stable-anchore-policy-validator v0.3.5-0.1.0
@helm-charts/banzaicloud-stable-anchore-policy-validator
A Helm chart for anchore-policy-validator admission controller
| Field | Value |
|---|---|
| Repository Name | banzaicloud-stable |
| Chart Name | anchore-policy-validator |
| Chart Version | 0.3.5 |
| NPM Package Version | 0.1.0 |
replicaCount: 1
logVerbosity: 1
apiService:
group: admission.anchore.io
version: v1beta1
image:
repository: banzaicloud/anchore-image-validator
tag: 0.3.2
pullPolicy: IfNotPresent
service:
name: anchoreimagecheck
type: ClusterIP
externalPort: 443
internalPort: 8443
externalAnchore:
anchoreHost: ''
anchoreUser: ''
anchorePass: ''
resources: {}
## Node selector
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
nodeSelector: {}
## Affinity
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}
## Tolerations
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []Anchore policy validator
This chart deploys an admission-server that is used as a ValidatingWebhook in a k8s cluster. If it's working, kubernetes will send requests to the admission server when a Pod creation is initiated. The server checks the image, which is defined in PodSpec, against configured Anchore-engine API. If the API responds with an error, that the image is not valid according to defined policy, k8s will reject the Pod creation request.
Installing the Chart
$ helm repo add banzaicloud-stable http://kubernetes-charts.banzaicloud.com/branch/master
$ helm repo updateDeploying anchore-policy-validator using external Anchore-engine service:
$ helm install --name <name> --set externalAnchore.anchoreHost=<my.anchore.host> --set externalAnchore.anchoreUser=<username> -set externalAnchore.anchorePass=<password> banzaicloud-stable/anchore-policy-validatorDuring deploying this chart, it's creating predefined policy bundles and activates AllowAll by default.
Policy bundles
| PolicyName | Description |
|---|---|
| AllowAll | Allow all images to deploy |
| RejectCritical | Reject deploying images that contain critical vulnerabiliy |
| RejectHigh | Reject deploying images that contain high vulnerabiliy |
| BlockRoot | Block deploying images that using root as effective user |
| DenyAll | Deny all imagest to deploy |
Configuration
The following tables lists configurable parameters of the anchore-policy-validator chart and their default values.
| Parameter | Description | Default |
|---|---|---|
| replicaCount | number of replicas | 1 |
| logVerbosity | log verbosity level | 8 |
| apiService.group | group of registered api service | admission.anchore.io |
| apiService.version | version of registered api service | v1beta1 |
| image.repository | admission-server image repo | banzaicloud/anchore-image-validator |
| image.tag | admission-server image tag | 0.3.0 |
| image.pullPolicy | admission-server image pull policy | IfNotPresent |
| service.name | validation sevice name | anchoreimagecheck |
| service.type | validation service type | ClusterIP |
| service.externalPort | validation service external port | 443 |
| service.internalPort | validation service external port | 443 |
| externalAnchore.anchoreHost | external anchore-engine host | "" |
| externalAnchore.anchoreUser | external anchore-engine username | "" |
| externalAnchore.anchorePass | external anchore-engine password | "" |
5 years ago