|
1 |
| -## The Architecture of Controllers |
2 |
| -Since controllers are in charge of meeting the desired state of the resources in Kubernetes, they somehow need to be informed about the changes on the resources and perform certain operations if needed. For this, controllers follow a special architecture to |
3 |
| - |
4 |
| -1) observe the resources, |
5 |
| -2) inform any events (updating, deleting, adding) done on the resources, |
6 |
| -3) keep a local cache to decrease the load on API Server, |
7 |
| -4) keep a work queue to pick up events, |
8 |
| -5) run workers to perform reconciliation on resources picked up from work queue. |
9 |
| - |
10 |
| - <a href="https://www.nakamasato.com/kubernetes-training/kubernetes-operator/client-go/informer/" > |
11 |
| - <h4 class="text-yellow-300 text-lg">Ref: Official Docs</h4> |
12 |
| - </a> |
13 |
| - <a href="https://github.com/kubernetes/community/blob/8cafef897a22026d42f5e5bb3f104febe7e29830/contributors/devel/controllers.md"> |
14 |
| - <h4 class="text-yellow-300 text-lg">Writing Controllers (Imp)</h4> |
15 |
| - </a> |
16 |
| - |
17 |
| -# Factory & Informers |
18 |
| - |
19 |
| - |
20 |
| - |
21 |
| -# Single Informer |
22 |
| - |
23 |
| - |
24 |
| - |
25 |
| - |
26 |
| - |
27 |
| - |
28 |
| -[//]: # (https://github.com/user-attachments/assets/851d2b2b-d268-4894-a15a-dbe8b501b3cc) |
29 |
| - |
30 |
| -## Definition : Informer |
31 |
| - |
32 |
| -Informer monitors the changes of target resource. An informer is created for each of the target resources if you need to handle multiple resources (e.g. podInformer, deploymentInformer). |
33 |
| - |
34 |
| - |
35 |
| - |
36 |
| -```md |
37 |
| -1) Initialize the Controller |
38 |
| - * The NewController function sets up the Kubernetes controller with a work queue, informer, and WebSocket connection. |
39 |
| - * It listens for Deployment events (Add, Update, Delete) and enqueues them. |
40 |
| - |
41 |
| -2) Run the Controller |
42 |
| - * The Run method waits for cache synchronization and starts the worker loop. |
43 |
| - * It continuously processes events from the work queue. |
44 |
| - |
45 |
| -3) Process Deployment Events |
46 |
| - * The processItem method retrieves Deployment events from the queue and determines the necessary action. |
47 |
| - * It fetches the Deployment details and handles errors, deletions, and updates. |
48 |
| - |
49 |
| -4) Handle Deployment Changes |
50 |
| - * `handleAdd`, `handleUpdate`, and `handleDel` respond to Deployment changes. |
51 |
| - * Updates track Replica count and Image changes and send logs via WebSocket. |
52 |
| - |
53 |
| -5) Send Updates via WebSocket |
54 |
| - * The updateLogs function logs and sends JSON messages about Deployment changes. |
55 |
| - * The WebSocket connection ensures real-time updates for external systems. |
| 1 | +# 🛡️ Kubernetes CVE Scanner with Custom Controller + Admission Webhook |
| 2 | + |
| 3 | +This project includes a **Kubernetes custom controller** that: |
| 4 | +- Automatically creates **Services** and **Ingresses** for every `Deployment`. |
| 5 | +- Integrates with a **Validating Admission Webhook** to scan container images using **Trivy**. |
| 6 | +- Optionally allows skipping CVE checks with an environment variable. |
| 7 | + |
| 8 | +--- |
| 9 | + |
| 10 | +## 🚀 Installation Guide |
| 11 | + |
| 12 | +### 1️⃣ Create a Kubernetes Cluster |
| 13 | + |
| 14 | +Make sure you have a running Kubernetes cluster (like KinD, Minikube, or EKS). |
| 15 | + |
| 16 | +--- |
| 17 | + |
| 18 | +### 2️⃣ Install `cert-manager` |
| 19 | + |
| 20 | +```bash |
| 21 | +kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.18.2/cert-manager.yaml |
| 22 | +``` |
| 23 | +This will install the necessary CRDs and controllers for certificate management. |
| 24 | + |
| 25 | +### 3️⃣ Deploy Trivy as a Service |
| 26 | +```bash |
| 27 | +kubectl apply -f docs/trivy-manifest/deployment.yml |
| 28 | +kubectl apply -f docs/trivy-manifest/service.yml |
| 29 | +``` |
| 30 | +Trivy will act as the backend scanner for your webhook. |
| 31 | + |
| 32 | +### 4️⃣ Create Cluster Role & Bindings |
| 33 | +* Grant required permissions for: |
| 34 | + - Deployments |
| 35 | + - Services |
| 36 | + - Secrets |
| 37 | + - Ingresses |
| 38 | + - ValidatingWebhookConfigurations |
| 39 | +```bash |
| 40 | +kubectl apply -f manifest/cluster-permission.yaml |
| 41 | + |
| 42 | +``` |
| 43 | + |
| 44 | +### 5️⃣ Deploy Controller + Webhook |
| 45 | +* This manifest includes: |
| 46 | + - Namespace |
| 47 | + - Deployment |
| 48 | + - Service |
| 49 | + - TLS Issuers + Certs |
| 50 | + - ValidatingWebhookConfiguration |
| 51 | + |
| 52 | +```bash |
| 53 | +kubectl apply -f manifest/k8s-controller-webhook.yaml |
| 54 | +``` |
| 55 | +### 6️⃣ Test Webhook |
| 56 | +```bash |
| 57 | +# contain cve |
| 58 | +kubectl apply -f manifest/webhook-example/initContainerDeployment.yml |
| 59 | +# look for first time it might fail (look at the logs of the application (k8s-custom-controller) and |
| 60 | +# see if they return a long list of CVE -> then start creating again (Working on to optimize) |
| 61 | + |
| 62 | +# pure zero cve (does not contain cve) |
| 63 | +kubectl apply -f manifest/webhook-example/pureZeroCVE.yml |
| 64 | + |
| 65 | +# contain cve but bypass (i mean create the deployment even after having CVE) |
| 66 | +# due to this parameter `name: BYPASS_CVE_DENIED` set as yes or true |
| 67 | +kubectl apply -f manifest/webhook-example/ZeroInitCVE.yml |
| 68 | +``` |
| 69 | +### Todo: |
| 70 | +- Better docs and guide |
| 71 | + |
| 72 | +Happy Scan-ing! |
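Review bot: The bypass documented in the test section (lines 65-67, `BYPASS_CVE_DENIED` set to yes or true in the deployment manifest) lets the author of the very object being validated switch the check off, which turns the webhook into an opt-in control; the README should state who is allowed to set it (for example, only manifests applied by a cluster-admin role, or an annotation that the controller honours only in allow-listed namespaces) and that every bypassed admission is logged so it can be audited, otherwise the project's headline claim on line 5 overstates what is enforced. Line 59-60 say the first apply "might fail" while Trivy returns a long CVE list and that the user should apply again; the guide should name the `failurePolicy` and `timeoutSeconds` used by the ValidatingWebhookConfiguration from step 5, because a timeout with `failurePolicy: Ignore` admits the image unscanned, whereas `Fail` blocks it, and the reader needs to know which behaviour they get on that first slow scan. Step 4 lists `Secrets` among the granted permissions without saying why the controller needs them; a one-line justification (or dropping the rule if only cert-manager needs it) keeps the ClusterRole at least privilege. The removed section (the controller architecture notes and the five-step informer walkthrough) is useful background that the new "Todo: Better docs and guide" item will want back; consider moving it under `docs/` instead of deleting it. Minor: the `bash` block on lines 39-42 has a stray blank line before the closing fence, "i mean" on line 65 reads as a draft comment, and "Scan-ing" on line 72 should be "Scanning".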