wip: added BYPASS_CVE_DENIED as env for bypassing fail on CVE

Signed-off-by: Rahul Vishwakarma <[email protected]>

Author: manzil-infinity180

Makefile

@@ -1,6 +1,6 @@
 APP_NAME = k8s-custom-controller
 DOCKER_USER = manzilrahul
-VERSION ?= 1.0.11
+VERSION ?= 1.0.14
 IMAGE_NAME = $(DOCKER_USER)/$(APP_NAME)
 
 # 🖼️ Logo banner

main.go

@@ -138,7 +138,8 @@ func main() {
 	go func() {
 		http.HandleFunc("/validate", ValidateDeployment)
 		log.Println("Starting webhook server on :8000...")
-		err := http.ListenAndServeTLS(":8000", "certs/tls.crt", "certs/tls.key", nil)
+		// local go for certs/tls.crt and certs/tls.key
+		err := http.ListenAndServeTLS(":8000", "/certs/tls.crt", "/certs/tls.key", nil) // k8s
 		if err != nil {
 			log.Fatalf("Failed to start webhook server: %v", err)
 		}
@@ -241,15 +242,27 @@ func ValidateDeployment(w http.ResponseWriter, r *http.Request) {
 	images := []string{}
 	denied := false
 	var reasons []string
+	BYPASS_CVE_DENIED := false
 	// InitContainers
 	for _, c := range dep.Spec.Template.Spec.InitContainers {
+		for _, e := range c.Env {
+			if e.Name == "BYPASS_CVE_DENIED" && (e.Value == "yes" || e.Value == "true") {
+				BYPASS_CVE_DENIED = true
+			}
+		}
 		images = append(images, c.Image)
 	}
 	// Containers
 	for _, c := range dep.Spec.Template.Spec.Containers {
+		for _, e := range c.Env {
+			if e.Name == "BYPASS_CVE_DENIED" && (e.Value == "yes" || e.Value == "true") {
+				BYPASS_CVE_DENIED = true
+			}
+		}
 		images = append(images, c.Image)
 	}
 	for _, image := range images {
+		log.Printf("started scanning for [ %s ]", image)
 		ok, vulns, err := scanImageWithTrivy(image)
 		if err != nil {
 			log.Printf("Error scanning image %s: %v", image, err)
@@ -262,7 +275,14 @@ func ValidateDeployment(w http.ResponseWriter, r *http.Request) {
 	}
 	message := "Images allowed"
 	if denied {
-		message = fmt.Sprintf("Denied images due to CVEs: %v", reasons)
+		message = fmt.Sprintf("Denied images due to total CVEs across %v images: %v", len(images), reasons)
+		log.Printf("Denied images due to CVEs: %v", reasons)
+	}
+
+	// look for BYPASS_CVE env - you need to skip
+	if BYPASS_CVE_DENIED {
+		log.Printf("It have CVE across all the %v images, but we are skipping as BYPASS_CVE_DENIED set true", len(images))
+		denied = false
 	}
 
 	log.Printf("Validating Deployment: %s, Images: %v", dep.Name, images)

manifest/k8s-controller-webhook.yaml

@@ -67,7 +67,7 @@ spec:
     spec:
       containers:
         - name: k8s-controller
-          image: manzilrahul/k8s-custom-controller:1.0.11
+          image: manzilrahul/k8s-custom-controller:1.0.14
           volumeMounts:
             - name: webhook-certs
               mountPath: /certs
@@ -77,6 +77,8 @@ spec:
               value: "/certs/tls.crt"
             - name: TLS_KEY_FILE
               value: "/certs/tls.key"
+#            - name: BYPASS_CVE_DENIED
+#              value: "yes"  # yes or true (lowercase)
       volumes:
         - name: webhook-certs
           secret:

manifest/webhook-example/ZeroInitCVE.yml

@@ -22,3 +22,6 @@ spec:
           image: nginx:1.19    # Will have CVEs
           ports:
             - containerPort: 80
+          env:
+            - name: BYPASS_CVE_DENIED
+              value: "yes"  # yes or true (lowercase)