A serverless validation webhook that rejects pods with images pulled from ECR with critical vulnerabilities

jicowan/ecr-validation-webhook


ECR Validation Webhook

The ECR validation webhook is an example of a serverless admission controller for Kubernetes. Dynamic admission controllers such as mutating and validating webhooks are usually run inside the cluster, but this is not required: the ValidatingWebhookConfiguration spec includes a URL field that lets you point the API server at an arbitrary endpoint, so long as the URL begins with "https://". This flexibility allows you to run the webhook as an HTTP API endpoint backed by an AWS Lambda function.

This project runs a validation webhook that inspects the images referenced by a pod's containers. If an image is being pulled from an ECR registry, the webhook calls the DescribeImageScanFindings API to check whether that image has critical vulnerabilities. When it does, the webhook answers with allowed set to false in the AdmissionReview response, which tells the API server to reject the request, and includes a message listing the CVEs behind the rejection. That message surfaces as an event in Kubernetes.
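A compact version of that flow, written here as an added Python example rather than the repository's own code: it parses the AdmissionReview, recognises private ECR image references, queries DescribeImageScanFindings through an injected client (a constructed stub stands in for boto3's `ecr.describe_image_scan_findings` so the block runs offline; the account id, repository names and CVE ids are made up), and denies the pod with the list of critical CVEs.

```python
import re
from typing import Callable

# Private ECR reference: <account>.dkr.ecr.<region>.amazonaws.com/<repo>[:<tag>][@sha256:<digest>]
ECR_IMAGE_RE = re.compile(
    r"^(?P<registry>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/"
    r"(?P<repo>[^:@]+)(?::(?P<tag>[^@]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)

def parse_ecr_image(image: str):
    """Return (registry_id, repository, imageId dict) for an ECR image, or None for any other registry."""
    m = ECR_IMAGE_RE.match(image)
    if not m:
        return None
    image_id = {"imageDigest": m["digest"]} if m["digest"] else {"imageTag": m["tag"] or "latest"}
    return m["registry"], m["repo"], image_id

def critical_cves(describe_findings: Callable, image: str) -> list:
    """Call DescribeImageScanFindings and return the names of CRITICAL findings (empty for non-ECR images)."""
    parsed = parse_ecr_image(image)
    if parsed is None:
        return []
    registry_id, repo, image_id = parsed
    resp = describe_findings(registryId=registry_id, repositoryName=repo, imageId=image_id)
    findings = resp.get("imageScanFindings", {}).get("findings", [])
    return sorted({f["name"] for f in findings if f.get("severity") == "CRITICAL"})

def validate(review: dict, describe_findings: Callable) -> dict:
    """Build the AdmissionReview response: allowed=false plus a CVE message if any image has critical findings."""
    spec = review["request"]["object"].get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    problems = {c["image"]: cves for c in containers if (cves := critical_cves(describe_findings, c["image"]))}
    response = {"uid": review["request"]["uid"], "allowed": not problems}
    if problems:
        response["status"] = {"message": "; ".join(f"{img}: {', '.join(cves)}" for img, cves in problems.items())}
    return {"apiVersion": review["apiVersion"], "kind": "AdmissionReview", "response": response}

# Constructed stand-in for boto3's ecr.describe_image_scan_findings; the "app" repo has one critical finding.
def fake_describe_findings(registryId, repositoryName, imageId):
    findings = [{"name": "CVE-0000-0001", "severity": "CRITICAL"},
                {"name": "CVE-0000-0002", "severity": "HIGH"}] if repositoryName == "app" else []
    return {"imageScanFindings": {"findings": findings}}

SAMPLE_REVIEW = {  # constructed AdmissionReview for a pod with one private ECR image and one Docker Hub image
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "constructed-uid", "object": {"spec": {"containers": [
        {"name": "app", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:v1"},
        {"name": "sidecar", "image": "docker.io/library/busybox:1.36"}]}}}}
```

Only the HIGH finding is ignored here; a real deployment would also have to decide what to do when the scan has not completed or the image has never been scanned.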
