Admission webhook implementation (#25)

* wip: adding addmission webhook

* wip: first dummy version working

* wip: version2 working demo - but it takes alot of time

* configured the trivy server using k8s deployment/svc way

* updated the backend to use trivy client

* wip: tested the almost everything - its working

Signed-off-by: Rahul Vishwakarma <[email protected]>

* wip: added cert in .gitignore

Signed-off-by: Rahul Vishwakarma <[email protected]>

* wip: added BYPASS_CVE_DENIED as env for bypassing fail on CVE

Signed-off-by: Rahul Vishwakarma <[email protected]>

* wip: improved the bit of log formatting

Signed-off-by: Rahul Vishwakarma <[email protected]>

---------

Signed-off-by: Rahul Vishwakarma <[email protected]>

Author: manzil-infinity180

.gitignore

@@ -4,4 +4,6 @@ vendor\
 .idea
 .DS_Store
 vendor
-.env
+.env
+results.json
+certs

Dockerfile

@@ -1,24 +1,53 @@
-# Build stage
+# =========================
+# Build Stage
+# =========================
 FROM golang:1.24 AS builder
 
 WORKDIR /app
 
+# Download dependencies
 COPY go.mod go.sum ./
 RUN go mod download
 
+# Copy the source code
 COPY . .
 ARG TARGETARCH=amd64
-#RUN go build -o k8s-custom-controller
+
+# Build the Go binary
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build -o backend main.go
 
 
-# Final stage
-FROM alpine:latest
-RUN apk --no-cache add ca-certificates
+# =========================
+# Final Stage with Trivy
+# =========================
+FROM alpine:3.20
+
+# Install required packages
+RUN apk --no-cache add \
+    ca-certificates \
+    curl \
+    bash \
+    tar \
+    gzip \
+    libc6-compat
+
+# Install Trivy (static binary)
+ENV TRIVY_VERSION=0.55.2
+RUN curl -sfL https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz \
+    | tar zx -C /usr/local/bin/ trivy
+
+# Verify installation
+RUN trivy --version
+
 WORKDIR /root/
+
+# Copy the Go binary
 COPY --from=builder /app/backend .
 
 # Allow access to Kubernetes API via a volume mount for kubeconfig
 VOLUME ["/root/.kube"]
+
+# Expose webhook port
 EXPOSE 8000
+
 CMD ["./backend"]

Makefile

@@ -1,6 +1,6 @@
 APP_NAME = k8s-custom-controller
 DOCKER_USER = manzilrahul
-VERSION ?= 1.0.5
+VERSION ?= 1.0.15
 IMAGE_NAME = $(DOCKER_USER)/$(APP_NAME)
 
 # 🖼️ Logo banner

chart/templates/role.yaml

@@ -8,7 +8,7 @@ spec:
   type: {{ .Values.service.type }}
   ports:
     - port: {{ .Values.service.port }}
-      targetPort: http
+      targetPort: 8000 #http
       protocol: TCP
       name: http
   selector:

chart/templates/rolebinding.yaml

@@ -11,7 +11,7 @@ image:
   # This sets the pull policy for images.
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  tag: "1.0.5"
+  tag: "latest" # 1.0.9
 
 # This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
 imagePullSecrets: []
@@ -55,7 +55,8 @@ service:
   # This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
   type: NodePort
   # This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports
-  port: 8000
+  #  port: 8000
+  port: 443
 
 # This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/
 ingress:

chart/templates/service.yaml

@@ -75,7 +75,9 @@ func (c *controller) processItem() bool {
 	}
 	err = c.syncDeployment(namespace, name)
 	if err != nil {
+		fmt.Println("────────────────────────────────────────────────────")
 		fmt.Printf("sync deployment, %s\n", err.Error())
+		fmt.Println("────────────────────────────────────────────────────")
 		return false
 	}
 	return true
@@ -117,12 +119,16 @@ func (c *controller) syncDeployment(ns, name string) error {
 
 	_, err = c.clientset.CoreV1().Services(ns).Create(ctx, &service, metav1.CreateOptions{})
 	if err != nil {
+		fmt.Println("────────────────────────────────────────────────────")
 		fmt.Printf("sync deployment, %s\n", err.Error())
+		fmt.Println("────────────────────────────────────────────────────")
 	}
 
 	err = c.createIngress(ns, name)
 	if err != nil {
+		fmt.Println("────────────────────────────────────────────────────")
 		fmt.Printf("sync deployment, %s\n", err.Error())
+		fmt.Println("────────────────────────────────────────────────────")
 	}
 	return nil
 }
@@ -193,18 +199,17 @@ func depLabels(dep appsv1.Deployment) map[string]string {
 func (c *controller) handleAdd(obj interface{}) {
 	deployment, ok := obj.(*appsv1.Deployment)
 	if !ok {
-		fmt.Println("\n Not a Deployment")
+		fmt.Println("\n❌ Not a Deployment object")
 		return
 	}
 
-	fmt.Printf("Deployment Added:\n")
-	fmt.Printf("Name: %s\n", deployment.Name)
-
-	fmt.Printf("ADDED: Name=%s, Namespace=%s, UID=%s, Created=%s\n",
-		deployment.Name,
-		deployment.Namespace,
-		string(deployment.UID),
-		deployment.CreationTimestamp)
+	fmt.Println("────────────────────────────────────────────────────")
+	fmt.Println("📦 Deployment Added")
+	fmt.Printf("🔤 Name:      %s\n", deployment.Name)
+	fmt.Printf("📂 Namespace: %s\n", deployment.Namespace)
+	fmt.Printf("🆔 UID:       %s\n", deployment.UID)
+	fmt.Printf("🕓 Created:   %s\n", deployment.CreationTimestamp.UTC().Format("2006-01-02 15:04:05 MST"))
+	fmt.Println("────────────────────────────────────────────────────")
 
 	c.queue.Add(obj)
 }
@@ -213,17 +218,17 @@ func (c *controller) handleAdd(obj interface{}) {
 func (c *controller) handleDel(obj interface{}) {
 	deployment, ok := obj.(*appsv1.Deployment)
 	if !ok {
-		fmt.Println("\n Not a Deployment")
+		fmt.Println("\n❌ Not a Deployment")
 		return
 	}
-	fmt.Printf("Deployment Deleted:\n")
-	fmt.Printf("Name: %s\n", deployment.Name)
 
-	fmt.Printf("DELETED: Name=%s, Namespace=%s, UID=%s, Created=%s\n",
-		deployment.Name,
-		deployment.Namespace,
-		string(deployment.UID),
-		deployment.CreationTimestamp)
+	fmt.Println("────────────────────────────────────────────────────")
+	fmt.Println("📦 Deployment DELETED")
+	fmt.Printf("🔤 Name:      %s\n", deployment.Name)
+	fmt.Printf("📂 Namespace: %s\n", deployment.Namespace)
+	fmt.Printf("🆔 UID:       %s\n", deployment.UID)
+	fmt.Printf("🕓 Deleted:   %s\n", deployment.CreationTimestamp.UTC().Format("2006-01-02 15:04:05 MST"))
+	fmt.Println("────────────────────────────────────────────────────")
 
 	//c.queue.Add(obj)
 }

chart/values.yaml

@@ -0,0 +1,8 @@
+```bash 
+# create cluster 
+# Install cert-manager 
+# add trivy - k apply -f docs/trivy-manifest/deployment.yml and then same for svc
+# k apply -f manifest/k8s-controller-webhook.yaml (it contain everything, cert, tls secrets)
+# add cluster permission for list, watch, create, get 
+# k apply -f manifest/cluster-permission.yaml
+```

controller/controller.go

@@ -0,0 +1,15 @@
+```bash
+kubectl exec -it <your-controller-pod> -- nslookup trivy-server-service.default.svc
+kubectl exec -it <your-controller-pod> -- curl http://trivy-server-service.default.svc:8080/healthz
+
+---
+kubectl exec -it k8s-custom-controller-5c7d47fdb7-69757 -- curl http://trivy-server-service.default.svc:8080/healthz
+ok
+---
+k exec -it k8s-custom-controller-5c7d47fdb7-69757 -- bash
+k8s-custom-controller-5c7d47fdb7-69757:/etc# cat resolv.conf
+search example1.svc.cluster.local svc.cluster.local cluster.local
+nameserver 10.96.0.10
+options ndots:5
+```
+