📽️ Click the image above to watch the full 25-minute walkthrough on YouTube.
It includes setup, explanation, CVE scan demo, and auto resource creation.
This project includes a Kubernetes custom controller that:

- Automatically creates Services and Ingresses for every Deployment.
- Integrates with a Validating Admission Webhook to scan container images using Trivy.
- Optionally allows skipping CVE checks with an environment variable.
Make sure you have a running Kubernetes cluster (like KinD, Minikube, or EKS).

```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.18.2/cert-manager.yaml
```

This will install the necessary CRDs and controllers for certificate management.
```bash
kubectl apply -f docs/trivy-manifest/deployment.yml
kubectl apply -f docs/trivy-manifest/service.yml
```

Trivy will act as the backend scanner for your webhook.

Note: the controller runs Trivy in client mode against this deployment; you can see the command here.
- Grant required permissions for:
  - Deployments
  - Services
  - Secrets
  - Ingresses
  - ValidatingWebhookConfigurations

```bash
kubectl apply -f manifest/cluster-permission.yaml
```
- This manifest includes:
  - Namespace
  - Deployment
  - Service
  - TLS Issuers + Certs
  - ValidatingWebhookConfiguration

```bash
kubectl apply -f manifest/k8s-controller-webhook.yaml
```
```bash
# contains CVEs
$ kubectl apply -f manifest/webhook-example/initContainerDeployment.yml
# The first attempt might fail: check the logs of the application (k8s-custom-controller);
# if they return a long list of CVEs, apply the manifest again (optimisation is in progress).

# pure zero CVEs (does not contain any CVE)
$ kubectl apply -f manifest/webhook-example/pureZeroCVE.yml

# contains CVEs but bypasses the check (i.e. the Deployment is created even though CVEs were found)
# because the parameter `name: BYPASS_CVE_DENIED` is set to yes or true
$ kubectl apply -f manifest/webhook-example/ZeroInitCVE.yml
```
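To illustrate the decision the webhook makes for the three manifests above, here is an added Go example (not the project's own code): it decodes the Deployment from the AdmissionReview request, runs every image, init containers included, through a scan function that stands in for the Trivy client call, and honours `BYPASS_CVE_DENIED`. It assumes the variable is read from the container `env` of the submitted Deployment and that the Trivy result is reduced to a CVE count; both are assumptions.

```go
package main
import (
	"encoding/json"
	"fmt"
	"strings"
)
// Minimal view of a Deployment, written for this example (not the controller's own types);
// encoding/json matches field names case-insensitively, so no struct tags are needed.
type container struct {
	Image string
	Env   []struct{ Name, Value string }
}
type deployment struct {
	Spec struct{ Template struct{ Spec struct{ InitContainers, Containers []container } } }
}
// bypassRequested is true when any container sets BYPASS_CVE_DENIED to "yes" or "true" (assumed location).
func bypassRequested(cs []container) bool {
	for _, c := range cs {
		for _, e := range c.Env {
			if v := strings.ToLower(e.Value); e.Name == "BYPASS_CVE_DENIED" && (v == "yes" || v == "true") {
				return true
			}
		}
	}
	return false
}
// Admit mirrors the webhook's decision: every image, initContainers included, goes through
// cveCount (a stand-in for the Trivy client call), and the Deployment is denied unless no CVEs
// were found or the manifest opted out. Returns AdmissionResponse.allowed and status.message.
func Admit(raw []byte, cveCount func(image string) int) (bool, string, error) {
	var d deployment
	if err := json.Unmarshal(raw, &d); err != nil {
		return false, "", fmt.Errorf("decode deployment: %w", err)
	}
	ps := d.Spec.Template.Spec
	all := append(append([]container{}, ps.InitContainers...), ps.Containers...)
	var flagged []string
	for _, c := range all {
		if n := cveCount(c.Image); n > 0 {
			flagged = append(flagged, fmt.Sprintf("%s (%d CVEs)", c.Image, n))
		}
	}
	switch {
	case len(flagged) == 0:
		return true, "no CVEs found", nil
	case bypassRequested(all):
		return true, "BYPASS_CVE_DENIED set, admitting images with CVEs: " + strings.Join(flagged, "; "), nil
	}
	return false, "denied, images with CVEs: " + strings.Join(flagged, "; "), nil
}
```

The admission response message carries the flagged images either way, so a bypassed Deployment still leaves an audit trail in the controller logs.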
Todo: Better docs and guide
Built with 💙 by Rahul Vishwakarma
Happy Scan-ing!