updates image-mutation conditions

2023-03-24 21:17:17 -05:00 · 2023-03-24 21:17:17 -05:00 · 96e606af5b
commit 96e606af5b
parent bf944cb048
6 changed files with 331 additions and 14 deletions
--- a/cmd/webhook/httpServer.go
+++ b/cmd/webhook/httpServer.go
@ -199,7 +199,7 @@ func (h *admissionHandler) ahServe(hook operations.Hook) http.HandlerFunc {
 			return
 		}
-		log.Printf("[INFO] Webhook [%s] - Allowed: %t", review.Request.Operation, result.Allowed)
+		log.Printf("[DEBUG] Webhook [%s] - Allowed: %t", review.Request.Operation, result.Allowed)
 		w.WriteHeader(http.StatusOK)
 		w.Write(res)
 	}
--- a/internal/operations/podsMutation.go
+++ b/internal/operations/podsMutation.go
@ -4,6 +4,7 @@ import (
 	"fmt"
 	"log"
 	"regexp"
 	"strings"
 	admission "k8s.io/api/admission/v1"
 	core "k8s.io/api/core/v1"
@ -51,7 +52,7 @@ func podMutationCreate() AdmitFunc {
 			return true
 		}(cfg.AllowAdminNoMutate, pod) {
 			for i, p := range pod.Spec.Containers {
-				img, mutationOccurred, err := customDockerRegistry(p.Image, cfg)
+				img, mutationOccurred, err := mutateImage(p.Image, cfg)
 				if err != nil {
 					return &Result{Msg: err.Error()}, nil
 				}
@ -59,13 +60,13 @@ func podMutationCreate() AdmitFunc {
 					mutated = true
 					path := fmt.Sprintf("/spec/containers/%d/image", i)
 					operations = append(operations, ReplacePatchOperation(path, img))
-					log.Printf("[TRACE] Image has been mutated: %s -> %s", p.Image, img)
+					log.Printf("[INFO] Image has been mutated: %s -> %s", p.Image, img)
 				} else {
-					log.Printf("[TRACE] No mutation required for image: %s", p.Image)
+					log.Printf("[INFO] No mutation required for image: %s", p.Image)
 				}
 			}
 		} else {
-			log.Printf("[TRACE] Mutations administratively disabled.")
+			log.Printf("[INFO] Mutations administratively disabled.")
 		}
 		if mutated {
@ -88,19 +89,32 @@ func podMutationCreate() AdmitFunc {
 	}
 }
-func customDockerRegistry(imgPath string, cfg *config.Config) (string, bool, error) {
+func mutateImage(imgPath string, cfg *config.Config) (string, bool, error) {
 	if len(cfg.DockerhubRegistry) == 0 {
 		return imgPath, false, nil
 	}
-	// regex match official project
+	// Is image on allow-list
-	reg, err := regexp.Compile(`^([a-z]|\.|_|-)+\:([a-zA-Z0-9]|_|\.|-)+$`)
+	for _, i := range cfg.MutateIgnoredImages {
-	if err != nil {
+		if strings.Contains(strings.ToLower(imgPath), strings.ToLower(i)) {
-		return "", false, fmt.Errorf("Unable to parse regex: %v", err)
+			log.Printf("[DEBUG] Image is on allow-list: %s", imgPath)
 			return "", false, nil
 		}
 	}
-	if reg.MatchString(imgPath) {
+
-		log.Printf("Official docker image detected: %s", imgPath)
+	switch {
 	// Is image already using defined registry?
 	case strings.Contains(strings.ToLower(imgPath), strings.Split(strings.ToLower(cfg.DockerhubRegistry), "/")[0]):
 		log.Printf("[DEBUG] Image is already using required registry: %s", imgPath)
 		return "", false, nil
 	// Is this an official dockerhub image?
 	case regexp.MustCompile(fmt.Sprintf(`^%s:%s$`, `([a-z0-9]|_|-)+`, `([a-zA-Z0-9]|_|\.|-)+`)).MatchString(imgPath):
 		log.Printf("[DEBUG] Official dockerhub image detected: %s", imgPath)
 		return fmt.Sprintf("%s/library/%s", cfg.DockerhubRegistry, imgPath), true, nil
 	// Is this a normal DockerHub Image?
 	case regexp.MustCompile(fmt.Sprintf(`^%s\/%s:%s$`, `([a-z0-9]|_|-)+`, `([a-z0-9]|_|-)+`, `([a-zA-Z0-9]|_|\.|-)+`)).MatchString(imgPath):
 		log.Printf("[DEBUG] Standard dockerhub image detected: %s", imgPath)
 		return fmt.Sprintf("%s/%s", cfg.DockerhubRegistry, imgPath), true, nil
 	}
 	return "", false, nil
 }
--- a/mock-payloads/pods/pod-create-01.json
+++ b/mock-payloads/pods/pod-create-01.json
@ -0,0 +1,101 @@
 {
 	"kind": "AdmissionReview",
 	"apiVersion": "admission.k8s.io/v1beta1",
 	"request": {
 		"uid": "60df4b0b-8856-4ce7-9fb3-bc8034856995",
 		"kind": {
 			"group": "",
 			"version": "v1",
 			"kind": "Pod"
 		},
 		"resource": {
 			"group": "",
 			"version": "v1",
 			"resource": "pods"
 		},
 		"requestKind": {
 			"group": "",
 			"version": "v1",
 			"kind": "Pod"
 		},
 		"requestResource": {
 			"group": "",
 			"version": "v1",
 			"resource": "pods"
 		},
 		"name": "test-pod01",
 		"namespace": "test1",
 		"operation": "CREATE",
 		"userInfo": {
 			"username": "kubernetes-admin",
 			"groups": ["system:masters", "system:authenticated"]
 		},
 		"object": {
 			"kind": "Pod",
 			"apiVersion": "v1",
 			"metadata": {
 				"name": "test-pod01",
 				"namespace": "test1",
 				"creationTimestamp": null,
 				"labels": {
 					"run": "toolbox"
 				},
 				"annotations": {
 						"AdminNoMutate": "false"
 				}
 			},
 			"spec": {
 				"volumes": [{
 					"name": "default-token-b9kpf",
 					"secret": {
 						"secretName": "default-token-b9kpf"
 					}
 				}],
 				"containers": [{
 					"name": "radarr",
 					"image": "linuxserver/radarr:latest",
 					"ports": [{
 						"containerPort": 8080,
 						"protocol": "TCP"
 					}],
 					"resources": {},
 					"volumeMounts": [{
 						"name": "default-token-b9kpf",
 						"readOnly": true,
 						"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"
 					}],
 					"terminationMessagePath": "/dev/termination-log",
 					"terminationMessagePolicy": "File",
 					"imagePullPolicy": "Always"
 				}],
 				"restartPolicy": "Always",
 				"terminationGracePeriodSeconds": 30,
 				"dnsPolicy": "ClusterFirst",
 				"serviceAccountName": "default",
 				"serviceAccount": "default",
 				"securityContext": {},
 				"schedulerName": "default-scheduler",
 				"tolerations": [{
 					"key": "node.kubernetes.io/not-ready",
 					"operator": "Exists",
 					"effect": "NoExecute",
 					"tolerationSeconds": 300
 				}, {
 					"key": "node.kubernetes.io/unreachable",
 					"operator": "Exists",
 					"effect": "NoExecute",
 					"tolerationSeconds": 300
 				}],
 				"priority": 0,
 				"enableServiceLinks": true
 			},
 			"status": {}
 		},
 		"oldObject": null,
 		"dryRun": false,
 		"options": {
 			"kind": "CreateOptions",
 			"apiVersion": "meta.k8s.io/v1"
 		}
 	}
 }
--- a/mock-payloads/pods/pod-create-02.json
+++ b/mock-payloads/pods/pod-create-02.json
@ -52,8 +52,8 @@
 					}
 				}],
 				"containers": [{
-					"name": "toolbox",
+					"name": "alpine",
-					"image": "jmsearcy/toolbox:v1.0.0",
+					"image": "alpine:3.17",
 					"ports": [{
 						"containerPort": 8080,
 						"protocol": "TCP"
--- a/mock-payloads/pods/pod-create-03.json
+++ b/mock-payloads/pods/pod-create-03.json
@ -0,0 +1,101 @@
 {
 	"kind": "AdmissionReview",
 	"apiVersion": "admission.k8s.io/v1beta1",
 	"request": {
 		"uid": "60df4b0b-8856-4ce7-9fb3-bc8034856995",
 		"kind": {
 			"group": "",
 			"version": "v1",
 			"kind": "Pod"
 		},
 		"resource": {
 			"group": "",
 			"version": "v1",
 			"resource": "pods"
 		},
 		"requestKind": {
 			"group": "",
 			"version": "v1",
 			"kind": "Pod"
 		},
 		"requestResource": {
 			"group": "",
 			"version": "v1",
 			"resource": "pods"
 		},
 		"name": "test-pod01",
 		"namespace": "test1",
 		"operation": "CREATE",
 		"userInfo": {
 			"username": "kubernetes-admin",
 			"groups": ["system:masters", "system:authenticated"]
 		},
 		"object": {
 			"kind": "Pod",
 			"apiVersion": "v1",
 			"metadata": {
 				"name": "test-pod01",
 				"namespace": "test1",
 				"creationTimestamp": null,
 				"labels": {
 					"run": "toolbox"
 				},
 				"annotations": {
 						"AdminNoMutate": "false"
 				}
 			},
 			"spec": {
 				"volumes": [{
 					"name": "default-token-b9kpf",
 					"secret": {
 						"secretName": "default-token-b9kpf"
 					}
 				}],
 				"containers": [{
 					"name": "alpine",
 					"image": "registry.c.test-chamber-13.lan/library/alpine:3.17",
 					"ports": [{
 						"containerPort": 8080,
 						"protocol": "TCP"
 					}],
 					"resources": {},
 					"volumeMounts": [{
 						"name": "default-token-b9kpf",
 						"readOnly": true,
 						"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"
 					}],
 					"terminationMessagePath": "/dev/termination-log",
 					"terminationMessagePolicy": "File",
 					"imagePullPolicy": "Always"
 				}],
 				"restartPolicy": "Always",
 				"terminationGracePeriodSeconds": 30,
 				"dnsPolicy": "ClusterFirst",
 				"serviceAccountName": "default",
 				"serviceAccount": "default",
 				"securityContext": {},
 				"schedulerName": "default-scheduler",
 				"tolerations": [{
 					"key": "node.kubernetes.io/not-ready",
 					"operator": "Exists",
 					"effect": "NoExecute",
 					"tolerationSeconds": 300
 				}, {
 					"key": "node.kubernetes.io/unreachable",
 					"operator": "Exists",
 					"effect": "NoExecute",
 					"tolerationSeconds": 300
 				}],
 				"priority": 0,
 				"enableServiceLinks": true
 			},
 			"status": {}
 		},
 		"oldObject": null,
 		"dryRun": false,
 		"options": {
 			"kind": "CreateOptions",
 			"apiVersion": "meta.k8s.io/v1"
 		}
 	}
 }
--- a/mock-payloads/pods/pod-create-04.json
+++ b/mock-payloads/pods/pod-create-04.json
@ -0,0 +1,101 @@
 {
 	"kind": "AdmissionReview",
 	"apiVersion": "admission.k8s.io/v1beta1",
 	"request": {
 		"uid": "60df4b0b-8856-4ce7-9fb3-bc8034856995",
 		"kind": {
 			"group": "",
 			"version": "v1",
 			"kind": "Pod"
 		},
 		"resource": {
 			"group": "",
 			"version": "v1",
 			"resource": "pods"
 		},
 		"requestKind": {
 			"group": "",
 			"version": "v1",
 			"kind": "Pod"
 		},
 		"requestResource": {
 			"group": "",
 			"version": "v1",
 			"resource": "pods"
 		},
 		"name": "test-pod01",
 		"namespace": "test1",
 		"operation": "CREATE",
 		"userInfo": {
 			"username": "kubernetes-admin",
 			"groups": ["system:masters", "system:authenticated"]
 		},
 		"object": {
 			"kind": "Pod",
 			"apiVersion": "v1",
 			"metadata": {
 				"name": "test-pod01",
 				"namespace": "test1",
 				"creationTimestamp": null,
 				"labels": {
 					"run": "toolbox"
 				},
 				"annotations": {
 						"AdminNoMutate": "false"
 				}
 			},
 			"spec": {
 				"volumes": [{
 					"name": "default-token-b9kpf",
 					"secret": {
 						"secretName": "default-token-b9kpf"
 					}
 				}],
 				"containers": [{
 					"name": "harbor-portal",
 					"image": "goharbor/harbor-portal:v4.43.56",
 					"ports": [{
 						"containerPort": 8080,
 						"protocol": "TCP"
 					}],
 					"resources": {},
 					"volumeMounts": [{
 						"name": "default-token-b9kpf",
 						"readOnly": true,
 						"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"
 					}],
 					"terminationMessagePath": "/dev/termination-log",
 					"terminationMessagePolicy": "File",
 					"imagePullPolicy": "Always"
 				}],
 				"restartPolicy": "Always",
 				"terminationGracePeriodSeconds": 30,
 				"dnsPolicy": "ClusterFirst",
 				"serviceAccountName": "default",
 				"serviceAccount": "default",
 				"securityContext": {},
 				"schedulerName": "default-scheduler",
 				"tolerations": [{
 					"key": "node.kubernetes.io/not-ready",
 					"operator": "Exists",
 					"effect": "NoExecute",
 					"tolerationSeconds": 300
 				}, {
 					"key": "node.kubernetes.io/unreachable",
 					"operator": "Exists",
 					"effect": "NoExecute",
 					"tolerationSeconds": 300
 				}],
 				"priority": 0,
 				"enableServiceLinks": true
 			},
 			"status": {}
 		},
 		"oldObject": null,
 		"dryRun": false,
 		"options": {
 			"kind": "CreateOptions",
 			"apiVersion": "meta.k8s.io/v1"
 		}
 	}
 }