It will be really cool to run this project as a validation admission webhook - and by this denying any object creation that is insecure.
To add this, all that is required is adding another endpoint on the API server, that supports the validation webhook format. On each request, calculate the score of the object, and deny based on the result (the threshold can be configurable).
Thanks for the suggestion @omerlh -- you're right, it would : ]
We have a validating webhook for V1 that hasn't been updated to the V2 endpoint yet as we were nervous about changing too many things at once.
This is based on a kubectl-plugin that is still Kubesec V1. I'd definitely accept a PR on that to upgrade it to V2 (and optionally maintain V1 behaviour) if anybody has time, which would propagate the change to this webhook. The hosted endpoint changed from https://kubesec.io to https://v2.kubesec.io/scan, and the JSON response has moved to a nested list.
Additionally V2 can now operate in HTTP mode, so a larger piece of work is to run V2 as a standalone webhook in this codebase. That's a slightly bigger piece of work than modifying the existing kubectl plugin, but again PRs welcome.
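The decision step proposed in this issue (score the object in each request, deny below a configurable threshold), as an added example that is not part of the thread and not Kubesec's own code. It models only a subset of the `admission.k8s.io/v1` AdmissionReview format; the `score` parameter is a hypothetical stand-in for the project's scoring call, and denying when scoring fails is an assumed policy choice.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Subset of the admission.k8s.io/v1 AdmissionReview wire format.
type Status struct {
	Code    int    `json:"code"`
	Message string `json:"message"`
}
type Request struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"`
}
type Response struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *Status `json:"status,omitempty"`
}
type AdmissionReview struct {
	APIVersion string    `json:"apiVersion"`
	Kind       string    `json:"kind"`
	Request    *Request  `json:"request,omitempty"`
	Response   *Response `json:"response,omitempty"`
}

// Decide denies objects scoring below threshold and fails closed on scorer errors.
// score is a hypothetical stand-in for the project's scoring call.
func Decide(body []byte, score func([]byte) (int, error), threshold int) (*AdmissionReview, error) {
	var in AdmissionReview
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return nil, errors.New("malformed AdmissionReview")
	}
	resp := &Response{UID: in.Request.UID, Allowed: true} // UID must echo the request
	if s, err := score(in.Request.Object); err != nil {
		resp.Allowed, resp.Status = false, &Status{403, "scoring failed: " + err.Error()}
	} else if s < threshold {
		resp.Allowed, resp.Status = false, &Status{403, fmt.Sprintf("score %d below threshold %d", s, threshold)}
	}
	return &AdmissionReview{APIVersion: in.APIVersion, Kind: in.Kind, Response: resp}, nil
}

func main() { // constructed request and constant scorer, for illustration only
	out, _ := Decide([]byte(`{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"u-1","object":{"kind":"Pod"}}}`), func([]byte) (int, error) { return -30, nil }, 0)
	fmt.Println(out.Response.Allowed, out.Response.Status.Message)
}
```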