A Kubernetes validating admission webhook that checks any container images in a pod against a specified policy group.
It's intended to be used alongside Rode to prevent deployments that fail to meet certain checks.
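
The core of such a webhook, as an added example that is not the enforcer's own code: it collects images from every container list in the pod spec of an AdmissionReview request and builds the allow/deny response. The `evaluate` callback is a hypothetical stand-in for the Rode policy group evaluation, and the sample request in `main` is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Decode only the request fields needed to find pod images.
type podSpec struct{ Containers, InitContainers, EphemeralContainers []struct{ Image string } }
type admissionReview struct {
	Request *struct {
		UID    string
		Object struct{ Spec podSpec }
	}
}

type verdict struct { // becomes the "response" member of the AdmissionReview reply
	UID     string            `json:"uid"` // must echo request.uid
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"`
}

// Review denies the pod if evaluate (hypothetical stand-in for Rode) rejects any image.
func Review(body []byte, evaluate func(image string) bool) (verdict, error) {
	var in admissionReview
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return verdict{}, fmt.Errorf("unusable AdmissionReview: %v", err)
	}
	spec := in.Request.Object.Spec
	// Init and ephemeral containers run images too: check all three lists.
	all := append(append(spec.Containers, spec.InitContainers...), spec.EphemeralContainers...)
	var failed []string
	for _, c := range all {
		if !evaluate(c.Image) {
			failed = append(failed, c.Image)
		}
	}
	v := verdict{UID: in.Request.UID, Allowed: len(failed) == 0}
	if !v.Allowed {
		v.Status = map[string]string{"message": "policy failed: " + strings.Join(failed, ", ")}
	}
	return v, nil
}

func main() { // constructed sample request; registry.example is a placeholder
	body := `{"request":{"uid":"1","object":{"spec":{"initContainers":[{"image":"registry.example/tool:1"}]}}}}`
	fmt.Println(Review([]byte(body), func(string) bool { return false }))
}
```
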
This project requires Go 1.17 or newer.
- Follow the instructions to run Rode locally
- If you have Telepresence installed, run the enforcer on the host:

  ```
  go run main.go \
    --rode-host=rode.rode-demo.svc.cluster.local:50051 \
    --rode-insecure \
    --policy-group="$POLICY_GROUP" \
    --tls-secret=default/enforcer-k8s \
    --k8s-in-cluster=false \
    --debug \
    --registry-insecure-skip-verify=true
  ```
- Make any changes, then use `make test` to run the unit tests
- If necessary, use `make fmt` to address any formatting issues
- If new files were added, use `make license` to add the required source code headers
See the `rode/charts` repository to use the Helm chart.
Option | Description | Default |
---|---|---|
`--debug` | Set the log level to debug | false |
`--k8s-config-file` | Path to the Kubernetes config file | $HOME/.kube/config |
`--k8s-in-cluster` | Whether the enforcer should use the in-cluster Kubernetes config | true |
`--policy-group` | The policy group to enforce | N/A |
`--port` | The port the HTTP server should bind against | 8001 |
`--registry-insecure-skip-verify` | Whether TLS should be verified when talking to container registries | false |
`--rode-host` | The hostname of the Rode instance | N/A |
`--rode-insecure-disable-transport-security` | Whether transport security should be verified when talking to Rode | false |