Container image vulnerabilities can be a major attack vector for your Kubernetes infrastructure. In this lab, you will implement automated image scanning to ensure that severely vulnerable images do not run in your cluster.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Configure the Admission Controller
You will find a skeleton admission control configuration at
/etc/kubernetes/admission-control/admission-control.conf. Configure the admission controller by adding the necessary configuration to this file.When configuring the admission controller:
- The kubeconfig is located at
/etc/kubernetes/admission-control/imagepolicy_backend.kubeconfig. - Configure the admission controller to deny workload creation by default, even if the backend webhook cannot be reached.
- The kubeconfig is located at
- Edit the Admission Controller’s kubeconfig to Point to the Backend Webhook
Modify the admission controller’s kubeconfig to point to the backend service.
The kubeconfig is located at
/etc/kubernetes/admission-control/imagepolicy_backend.kubeconfig.The backend service can be reached at
acg.trivy.k8s.webhook:8090/scan.Certificates are already set up in the kubeconfig, and the API server is already set up to be able to locate these certificate files.
- Enable Any Necessary Admission Control Plugins
Configure the API server to enable any necessary admission control plugins.
Once this is done, the API server should be using the backend webhook to scan images and deny workloads that have major vulnerabilities.
You can find Pod manifest files in
/home/cloud_useryou can use to test your setup. The Pod defined ingood-pod.ymlshould succeed, while the Pod inbad-pod.ymlshould fail to be created due to image vulnerabilities.
