CKS Exam Series #5 ImagePolicyWebhook

Kubernetes CKS Example Exam Question Series

Kim Wuestkamp
ITNEXT


#####################################

THIS CHALLENGE WON’T BE UPDATED HERE AND MOVED TO:

https://killercoda.com/killer-shell-cks

######################################

Content

  1. Create Cluster & Security Best Practices
  2. Pods, Secrets and ServiceAccounts
  3. Immutable Pods
  4. Crash that Apiserver & check logs
  5. ImagePolicyWebhook / AdmissionController
  6. Users and CertificateSigningRequests
  7. ServiceAccount Token Mounting
  8. Role Based Access Control (RBAC)
  9. Role Based Access Control (RBAC) v2
  10. Container Hardening
  11. NetworkPolicies (Default Deny + Allowlist)


Rules!

  1. Be fast, avoid creating YAML manually from scratch.
  2. Use only kubernetes.io/docs for help.
  3. Check our solution after you've done yours. You probably have a better one!

Today's Task: Create an ImagePolicyWebhook (without the external service)

The idea is to create an ImagePolicyWebhook admission controller plugin which prevents all Pod creation, because the external service which should allow or deny the request is not reachable. This is enough to get an idea of how to work with the ImagePolicyWebhook.

1: Read https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook

2: Read https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers

3: Download the unfinished ImagePolicyWebhook:

git clone https://github.com/killer-sh/cks-challenge-series
cd cks-challenge-series/challenges/ImagePolicyWebhook

4: Create the admission_config.yaml so that all Pod creation will be denied in case the external service is not reachable

5: Register the ImagePolicyWebhook with the Apiserver

6: Verify it works by creating a simple Pod

7: Understand how the ImagePolicyWebhook gets the URL to contact the external service.

.

.

.

.

.

Solution

alias k=kubectl

1. Read

https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook

2. Read

https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers

3. Download existing files

git clone https://github.com/killer-sh/cks-challenge-series
cp -r cks-challenge-series/challenges/ImagePolicyWebhook /etc/kubernetes/admission
cd /etc/kubernetes/admission

4. Create admission_config.yaml

apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ImagePolicyWebhook
  configuration:
    imagePolicy:
      kubeConfigFile: /etc/kubernetes/admission/kubeconf
      allowTTL: 50
      denyTTL: 50
      retryBackoff: 500
      defaultAllow: false # DENY ALL PODS IF SERVICE NOT AVAILABLE

5. Register in Apiserver

vim /etc/kubernetes/manifests/kube-apiserver.yaml

Edit to:

apiVersion: v1
kind: Pod
metadata:
  ...
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --admission-control-config-file=/etc/kubernetes/admission/admission_config.yaml
    - --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook
    ...
    volumeMounts:
    - mountPath: /etc/kubernetes/admission
      name: admission
      readOnly: true
    ...
  volumes:
  - hostPath:
      path: /etc/kubernetes/admission
      type: DirectoryOrCreate
    name: admission
  ...

Wait for the Apiserver to come back by polling until you get a response:

k -n kube-system get pod # just wait for a response

INFO: You might not see the Apiserver Pod, because all Pods are now rejected, including the Apiserver's own mirror Pod. The Apiserver container is still running, though, because the Kubelet runs static Pods directly and does not go through the AdmissionControllers.

In case your Apiserver doesn't come back up at all, see the previous challenge on how to check the logs for misconfiguration.

6. Verify

Create a simple Pod; it should be rejected, because the external service is not reachable and defaultAllow is false.

You could now set defaultAllow: true to allow Pod creation if the external service is not available and test Pod creation again, which should then succeed.

7. Understand

The URL is configured in the kubeconf file, and it needs to be https: https://github.com/killer-sh/cks-challenge-series/blob/master/challenges/ImagePolicyWebhook/kubeconf#L8

.

.

.

.

.

Test External Service

For a test external service, have a look at: https://github.com/flavio/kube-image-bouncer
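To see what sits behind that URL, here is a minimal external service of the kind the kubeconf points at, written as an added example (not code from the challenge repo or from kube-image-bouncer). It decodes the ImageReview the apiserver POSTs, allows the Pod only if every image comes from an allowed registry and is pinned by digest, and echoes the object back with status set; the registry list is a constructed placeholder, and the listener, TLS setup and the https URL in kubeconf are left to the deployment.

```go
package main

import (
	"encoding/json"
	"net/http"
	"strings"
)

// Subset of the imagepolicy.k8s.io/v1alpha1 ImageReview the apiserver POSTs; it is echoed back with status set.
type Container struct{ Image string `json:"image"` }
type ImageReviewSpec struct{ Containers []Container `json:"containers"` }
type ImageReviewStatus struct {
	Allowed bool   `json:"allowed"`
	Reason  string `json:"reason,omitempty"`
}
type ImageReview struct {
	APIVersion string            `json:"apiVersion"`
	Kind       string            `json:"kind"`
	Spec       ImageReviewSpec   `json:"spec"`
	Status     ImageReviewStatus `json:"status"`
}
// allowedRegistries is a constructed example policy, not a real registry list.
var allowedRegistries = []string{"registry.internal.example/", "docker.io/library/"}

// evaluate denies the Pod on the first image not from an allowed registry or not pinned by digest.
func evaluate(rev *ImageReview) (bool, string) {
	for _, c := range rev.Spec.Containers {
		fromAllowed := false
		for _, p := range allowedRegistries {
			fromAllowed = fromAllowed || strings.HasPrefix(c.Image, p)
		}
		if !fromAllowed {
			return false, "image " + c.Image + " is not from an allowed registry"
		}
		if !strings.Contains(c.Image, "@sha256:") {
			return false, "image " + c.Image + " is not pinned by digest"
		}
	}
	return true, ""
}
// handler is the endpoint the kubeconf's server URL points at; a malformed request gets 400, so the apiserver falls back to defaultAllow.
func handler(w http.ResponseWriter, r *http.Request) {
	var rev ImageReview
	if err := json.NewDecoder(r.Body).Decode(&rev); err != nil {
		http.Error(w, "invalid ImageReview: "+err.Error(), http.StatusBadRequest)
		return
	}
	rev.Status.Allowed, rev.Status.Reason = evaluate(&rev)
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(rev)
}
```

Serve handler with http.ListenAndServeTLS behind the certificate referenced in kubeconf; the reason string is what kubectl shows the user when a Pod is denied.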

You have a different solution?

Let us know by leaving a comment below!

— — — The END — — —

So much for this session. See you at the next one and happy learning!
