From 96e606af5b6cb4d69f71b0acdc1631f8bb5bb63a Mon Sep 17 00:00:00 2001 From: nhyatt Date: Fri, 24 Mar 2023 21:17:17 -0500 Subject: [PATCH] updates image-mutation conditions --- cmd/webhook/httpServer.go | 2 +- internal/operations/podsMutation.go | 36 +++++-- mock-payloads/pods/pod-create-01.json | 101 ++++++++++++++++++ .../{test-pod01.json => pod-create-02.json} | 4 +- mock-payloads/pods/pod-create-03.json | 101 ++++++++++++++++++ mock-payloads/pods/pod-create-04.json | 101 ++++++++++++++++++ 6 files changed, 331 insertions(+), 14 deletions(-) create mode 100644 mock-payloads/pods/pod-create-01.json rename mock-payloads/pods/{test-pod01.json => pod-create-02.json} (97%) create mode 100644 mock-payloads/pods/pod-create-03.json create mode 100644 mock-payloads/pods/pod-create-04.json diff --git a/cmd/webhook/httpServer.go b/cmd/webhook/httpServer.go index 7d5994d..7026fda 100644 --- a/cmd/webhook/httpServer.go +++ b/cmd/webhook/httpServer.go @@ -199,7 +199,7 @@ func (h *admissionHandler) ahServe(hook operations.Hook) http.HandlerFunc { return } - log.Printf("[INFO] Webhook [%s] - Allowed: %t", review.Request.Operation, result.Allowed) + log.Printf("[DEBUG] Webhook [%s] - Allowed: %t", review.Request.Operation, result.Allowed) w.WriteHeader(http.StatusOK) w.Write(res) } diff --git a/internal/operations/podsMutation.go b/internal/operations/podsMutation.go index d82ef3b..7f28368 100644 --- a/internal/operations/podsMutation.go +++ b/internal/operations/podsMutation.go @@ -4,6 +4,7 @@ import ( "fmt" "log" "regexp" + "strings" admission "k8s.io/api/admission/v1" core "k8s.io/api/core/v1" @@ -51,7 +52,7 @@ func podMutationCreate() AdmitFunc { return true }(cfg.AllowAdminNoMutate, pod) { for i, p := range pod.Spec.Containers { - img, mutationOccurred, err := customDockerRegistry(p.Image, cfg) + img, mutationOccurred, err := mutateImage(p.Image, cfg) if err != nil { return &Result{Msg: err.Error()}, nil } @@ -59,13 +60,13 @@ func podMutationCreate() AdmitFunc { mutated = true path := fmt.Sprintf("/spec/containers/%d/image", i) operations = append(operations, ReplacePatchOperation(path, img)) - log.Printf("[TRACE] Image has been mutated: %s -> %s", p.Image, img) + log.Printf("[INFO] Image has been mutated: %s -> %s", p.Image, img) } else { - log.Printf("[TRACE] No mutation required for image: %s", p.Image) + log.Printf("[INFO] No mutation required for image: %s", p.Image) } } } else { - log.Printf("[TRACE] Mutations administratively disabled.") + log.Printf("[INFO] Mutations administratively disabled.") } if mutated { @@ -88,19 +89,32 @@ func podMutationCreate() AdmitFunc { } } -func customDockerRegistry(imgPath string, cfg *config.Config) (string, bool, error) { +func mutateImage(imgPath string, cfg *config.Config) (string, bool, error) { if len(cfg.DockerhubRegistry) == 0 { return imgPath, false, nil } - // regex match official project - reg, err := regexp.Compile(`^([a-z]|\.|_|-)+\:([a-zA-Z0-9]|_|\.|-)+$`) - if err != nil { - return "", false, fmt.Errorf("Unable to parse regex: %v", err) + // Is image on allow-list + for _, i := range cfg.MutateIgnoredImages { + if strings.Contains(strings.ToLower(imgPath), strings.ToLower(i)) { + log.Printf("[DEBUG] Image is on allow-list: %s", imgPath) + return "", false, nil + } } - if reg.MatchString(imgPath) { - log.Printf("Official docker image detected: %s", imgPath) + + switch { + // Is image already using defined registry? + case strings.Contains(strings.ToLower(imgPath), strings.Split(strings.ToLower(cfg.DockerhubRegistry), "/")[0]): + log.Printf("[DEBUG] Image is already using required registry: %s", imgPath) + return "", false, nil + // Is this an official dockerhub image? + case regexp.MustCompile(fmt.Sprintf(`^%s:%s$`, `([a-z0-9]|_|-)+`, `([a-zA-Z0-9]|_|\.|-)+`)).MatchString(imgPath): + log.Printf("[DEBUG] Official dockerhub image detected: %s", imgPath) return fmt.Sprintf("%s/library/%s", cfg.DockerhubRegistry, imgPath), true, nil + // Is this a normal DockerHub Image? + case regexp.MustCompile(fmt.Sprintf(`^%s\/%s:%s$`, `([a-z0-9]|_|-)+`, `([a-z0-9]|_|-)+`, `([a-zA-Z0-9]|_|\.|-)+`)).MatchString(imgPath): + log.Printf("[DEBUG] Standard dockerhub image detected: %s", imgPath) + return fmt.Sprintf("%s/%s", cfg.DockerhubRegistry, imgPath), true, nil } return "", false, nil } diff --git a/mock-payloads/pods/pod-create-01.json b/mock-payloads/pods/pod-create-01.json new file mode 100644 index 0000000..b16f74f --- /dev/null +++ b/mock-payloads/pods/pod-create-01.json @@ -0,0 +1,101 @@ +{ + "kind": "AdmissionReview", + "apiVersion": "admission.k8s.io/v1beta1", + "request": { + "uid": "60df4b0b-8856-4ce7-9fb3-bc8034856995", + "kind": { + "group": "", + "version": "v1", + "kind": "Pod" + }, + "resource": { + "group": "", + "version": "v1", + "resource": "pods" + }, + "requestKind": { + "group": "", + "version": "v1", + "kind": "Pod" + }, + "requestResource": { + "group": "", + "version": "v1", + "resource": "pods" + }, + "name": "test-pod01", + "namespace": "test1", + "operation": "CREATE", + "userInfo": { + "username": "kubernetes-admin", + "groups": ["system:masters", "system:authenticated"] + }, + "object": { + "kind": "Pod", + "apiVersion": "v1", + "metadata": { + "name": "test-pod01", + "namespace": "test1", + "creationTimestamp": null, + "labels": { + "run": "toolbox" + }, + "annotations": { + "AdminNoMutate": "false" + } + }, + "spec": { + "volumes": [{ + "name": "default-token-b9kpf", + "secret": { + "secretName": "default-token-b9kpf" + } + }], + "containers": [{ + "name": "radarr", + "image": "linuxserver/radarr:latest", + "ports": [{ + "containerPort": 8080, + "protocol": "TCP" + }], + "resources": {}, + "volumeMounts": [{ + "name": "default-token-b9kpf", + "readOnly": true, + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount" + }], + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "imagePullPolicy": "Always" + }], + "restartPolicy": "Always", + "terminationGracePeriodSeconds": 30, + "dnsPolicy": "ClusterFirst", + "serviceAccountName": "default", + "serviceAccount": "default", + "securityContext": {}, + "schedulerName": "default-scheduler", + "tolerations": [{ + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "effect": "NoExecute", + "tolerationSeconds": 300 + }, { + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "effect": "NoExecute", + "tolerationSeconds": 300 + }], + "priority": 0, + "enableServiceLinks": true + }, + "status": {} + }, + "oldObject": null, + "dryRun": false, + "options": { + "kind": "CreateOptions", + "apiVersion": "meta.k8s.io/v1" + } + } +} \ No newline at end of file diff --git a/mock-payloads/pods/test-pod01.json b/mock-payloads/pods/pod-create-02.json similarity index 97% rename from mock-payloads/pods/test-pod01.json rename to mock-payloads/pods/pod-create-02.json index d688809..ea41169 100644 --- a/mock-payloads/pods/test-pod01.json +++ b/mock-payloads/pods/pod-create-02.json @@ -52,8 +52,8 @@ } }], "containers": [{ - "name": "toolbox", - "image": "jmsearcy/toolbox:v1.0.0", + "name": "alpine", + "image": "alpine:3.17", "ports": [{ "containerPort": 8080, "protocol": "TCP" diff --git a/mock-payloads/pods/pod-create-03.json b/mock-payloads/pods/pod-create-03.json new file mode 100644 index 0000000..18c51c9 --- /dev/null +++ b/mock-payloads/pods/pod-create-03.json @@ -0,0 +1,101 @@ +{ + "kind": "AdmissionReview", + "apiVersion": "admission.k8s.io/v1beta1", + "request": { + "uid": "60df4b0b-8856-4ce7-9fb3-bc8034856995", + "kind": { + "group": "", + "version": "v1", + "kind": "Pod" + }, + "resource": { + "group": "", + "version": "v1", + "resource": "pods" + }, + "requestKind": { + "group": "", + "version": "v1", + "kind": "Pod" + }, + "requestResource": { + "group": "", + "version": "v1", + "resource": "pods" + }, + "name": "test-pod01", + "namespace": "test1", + "operation": "CREATE", + "userInfo": { + "username": "kubernetes-admin", + "groups": ["system:masters", "system:authenticated"] + }, + "object": { + "kind": "Pod", + "apiVersion": "v1", + "metadata": { + "name": "test-pod01", + "namespace": "test1", + "creationTimestamp": null, + "labels": { + "run": "toolbox" + }, + "annotations": { + "AdminNoMutate": "false" + } + }, + "spec": { + "volumes": [{ + "name": "default-token-b9kpf", + "secret": { + "secretName": "default-token-b9kpf" + } + }], + "containers": [{ + "name": "alpine", + "image": "registry.c.test-chamber-13.lan/library/alpine:3.17", + "ports": [{ + "containerPort": 8080, + "protocol": "TCP" + }], + "resources": {}, + "volumeMounts": [{ + "name": "default-token-b9kpf", + "readOnly": true, + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount" + }], + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "imagePullPolicy": "Always" + }], + "restartPolicy": "Always", + "terminationGracePeriodSeconds": 30, + "dnsPolicy": "ClusterFirst", + "serviceAccountName": "default", + "serviceAccount": "default", + "securityContext": {}, + "schedulerName": "default-scheduler", + "tolerations": [{ + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "effect": "NoExecute", + "tolerationSeconds": 300 + }, { + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "effect": "NoExecute", + "tolerationSeconds": 300 + }], + "priority": 0, + "enableServiceLinks": true + }, + "status": {} + }, + "oldObject": null, + "dryRun": false, + "options": { + "kind": "CreateOptions", + "apiVersion": "meta.k8s.io/v1" + } + } +} \ No newline at end of file diff --git a/mock-payloads/pods/pod-create-04.json b/mock-payloads/pods/pod-create-04.json new file mode 100644 index 0000000..e6a6786 --- /dev/null +++ b/mock-payloads/pods/pod-create-04.json @@ -0,0 +1,101 @@ +{ + "kind": "AdmissionReview", + "apiVersion": "admission.k8s.io/v1beta1", + "request": { + "uid": "60df4b0b-8856-4ce7-9fb3-bc8034856995", + "kind": { + "group": "", + "version": "v1", + "kind": "Pod" + }, + "resource": { + "group": "", + "version": "v1", + "resource": "pods" + }, + "requestKind": { + "group": "", + "version": "v1", + "kind": "Pod" + }, + "requestResource": { + "group": "", + "version": "v1", + "resource": "pods" + }, + "name": "test-pod01", + "namespace": "test1", + "operation": "CREATE", + "userInfo": { + "username": "kubernetes-admin", + "groups": ["system:masters", "system:authenticated"] + }, + "object": { + "kind": "Pod", + "apiVersion": "v1", + "metadata": { + "name": "test-pod01", + "namespace": "test1", + "creationTimestamp": null, + "labels": { + "run": "toolbox" + }, + "annotations": { + "AdminNoMutate": "false" + } + }, + "spec": { + "volumes": [{ + "name": "default-token-b9kpf", + "secret": { + "secretName": "default-token-b9kpf" + } + }], + "containers": [{ + "name": "harbor-portal", + "image": "goharbor/harbor-portal:v4.43.56", + "ports": [{ + "containerPort": 8080, + "protocol": "TCP" + }], + "resources": {}, + "volumeMounts": [{ + "name": "default-token-b9kpf", + "readOnly": true, + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount" + }], + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "imagePullPolicy": "Always" + }], + "restartPolicy": "Always", + "terminationGracePeriodSeconds": 30, + "dnsPolicy": "ClusterFirst", + "serviceAccountName": "default", + "serviceAccount": "default", + "securityContext": {}, + "schedulerName": "default-scheduler", + "tolerations": [{ + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "effect": "NoExecute", + "tolerationSeconds": 300 + }, { + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "effect": "NoExecute", + "tolerationSeconds": 300 + }], + "priority": 0, + "enableServiceLinks": true + }, + "status": {} + }, + "oldObject": null, + "dryRun": false, + "options": { + "kind": "CreateOptions", + "apiVersion": "meta.k8s.io/v1" + } + } +} \ No newline at end of file