Profile Applicability:
Level 1
Description:
The ImagePolicyWebhook admission controller is used to enforce policies on container images before they are admitted into the cluster. By configuring the ImagePolicyWebhook, you can validate that images are coming from trusted sources, have valid signatures, or meet other criteria before being deployed to Kubernetes. This check ensures that Image Provenance is configured using the ImagePolicyWebhook to enforce security policies on container images.
Rationale:
Enforcing image provenance helps ensure that only trusted, verified, and compliant container images are deployed in your Kubernetes environment. This prevents the use of insecure or compromised images that could introduce vulnerabilities or malicious code into the cluster. By using an Image Policy Webhook, you can integrate external image signing, vulnerability scanning, or registry validation tools into the Kubernetes admission process.
Impact:
Pros:
Increases security by ensuring that only trusted images are used.
Prevents the use of unsigned or unverified images in your environment.
Automates image policy enforcement during the deployment pipeline.
Cons:
Requires the setup and maintenance of a custom admission controller webhook.
May introduce delays in the image deployment process due to external checks.
Could break existing workflows if images are not compliant with the configured policies.
Default Value:
By default, the ImagePolicyWebhook admission controller is not enabled. This check requires manual configuration to integrate the webhook with the Kubernetes admission process.
Pre-requisites:
Ensure that your cluster has a functioning ImagePolicyWebhook and an external service to validate image provenance, such as Cosign, Notary, or a third-party container registry with image signing capabilities.
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.
Verify that the ImagePolicyWebhook admission controller is enabled and configured.
Check the Admission Controller settings to confirm that image provenance validation is properly integrated with the configured webhook.
Using Azure CLI:
Verify that the ImagePolicyWebhook admission controller is enabled in the AKS cluster (a ValidatingWebhookConfiguration is cluster-scoped, so no namespace flag applies):
kubectl get validatingwebhookconfiguration <webhook-name> -o yaml
Ensure that the webhook is properly configured to enforce image provenance by checking the clientConfig section (url or service, and caBundle) of the returned webhook configuration.
Implementation Plan:
Using Azure Console:
In the Azure portal, navigate to your AKS cluster and access the Admission Controllers settings.
Enable the ImagePolicyWebhook admission controller to enforce image provenance.
Configure the webhook to validate container images based on your chosen policy, such as checking image signatures, verifying images from trusted registries, or scanning images for vulnerabilities.
Ensure that the webhook is properly connected to an external image validation service, like Cosign or Notary.
Test the configuration by attempting to deploy an unsigned or unverified image and confirming that the admission controller denies the deployment.
Using Azure CLI:
Create a ValidatingWebhookConfiguration for the ImagePolicyWebhook with the following example configuration (saved as image-policy-webhook.yaml):
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: image-policy-webhook
webhooks:
  - name: imagepolicy.k8s.io
    clientConfig:
      url: "https://<webhook-service>/validate-image"
      caBundle: <ca-bundle>   # base64-encoded CA certificate that signed the webhook's serving certificate
    rules:
      - operations: ["CREATE"]
        apiGroups: ["apps"]
        apiVersions: ["v1"]
        resources: ["deployments"]
    sideEffects: None         # required field in admissionregistration.k8s.io/v1
    admissionReviewVersions: ["v1"]
Apply the webhook configuration using the following command:
kubectl apply -f image-policy-webhook.yaml
Test the configuration by attempting to create a deployment with an untrusted or unsigned image and verify the webhook enforces the image policy.
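The policy side of such a webhook, as an added example (not part of this benchmark or of any product): it decodes the AdmissionReview v1 request that the configuration above sends for a Deployment, checks every init container and container image against a registry allowlist and a digest-pinning rule, and returns the verdict the API server expects. The allowlist, the digest rule, the sample request and the uid are assumptions constructed for illustration; a signature check against Cosign or Notary would slot in where check_image returns None.

```python
"""Added example: policy logic for an image-provenance admission webhook.
Registry allowlist, digest rule and sample request are assumptions."""
import json
import re

# Assumed allowlist. The trailing slash matters: "myregistry.azurecr.io/" does
# not match a look-alike host such as "myregistry.azurecr.io.example.test".
TRUSTED_REGISTRIES = ("myregistry.azurecr.io/",)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def check_image(image: str):
    """Return None if the image passes policy, otherwise the denial reason."""
    if not image.startswith(TRUSTED_REGISTRIES):
        return f"image {image!r} is not from a trusted registry"
    if not DIGEST_RE.search(image):
        return f"image {image!r} must be pinned by digest, not a mutable tag"
    return None  # a signature check (Cosign/Notary) would go here


def review(body) -> dict:
    """Decode an AdmissionReview v1 for a Deployment and build the verdict."""
    ar = json.loads(body) if isinstance(body, (bytes, str)) else body
    req = ar["request"]
    pod_spec = req["object"]["spec"]["template"]["spec"]
    # initContainers run before containers, so they are checked as well.
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    response = {"uid": req["uid"], "allowed": True}
    for c in containers:
        reason = check_image(c.get("image", ""))
        if reason is not None:
            response = {"uid": req["uid"], "allowed": False,
                        "status": {"code": 403, "message": reason}}
            break  # one violating image denies the whole Deployment
    return {"apiVersion": ar["apiVersion"], "kind": ar["kind"], "response": response}


# Constructed sample request (not captured traffic): a compliant init
# container plus an app container pulled from Docker Hub by mutable tag.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "constructed-uid-1", "object": {"kind": "Deployment", "spec": {
        "template": {"spec": {
            "initContainers": [{"image": "myregistry.azurecr.io/init@sha256:" + "a" * 64}],
            "containers": [{"image": "nginx:latest"}]}}}}},
}

if __name__ == "__main__":
    print(json.dumps(review(json.dumps(SAMPLE_REVIEW).encode()), indent=2))
```

Serving this over TLS at the url in clientConfig is not shown. Note that the rules above only cover apps/v1 Deployments, so Pods created directly or by other controllers would bypass this check unless they are added to the rules.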
Backout Plan:
Using Azure Console:
If the ImagePolicyWebhook causes issues, revert the changes in the Azure portal by disabling the webhook or modifying the admission controller configuration.
Using Azure CLI:
Revert the ValidatingWebhookConfiguration by deleting it with the following command:
kubectl delete validatingwebhookconfiguration image-policy-webhook
Modify or disable the webhook as necessary.