# Question 1: ImagePolicyWebhook

###### tags: `真题讲解`

Switch to the cluster first: `kubectl config use-context k8s`

**Context**

A container image scanner is set up on the cluster, but it's not yet fully integrated into the cluster's configuration. When complete, the container image scanner shall scan for and reject the use of vulnerable images.

**Task**

You have to complete the entire task on the cluster's master node, where all services and files have been prepared and placed. Given an incomplete configuration in directory /etc/kubernetes/aa and a functional container image scanner with HTTPS endpoint http://192.168.26.60:1323/image_policy

1. Enable the necessary plugins to create an image policy
2. validate the control configuration and change it to an implicit deny
3. Edit the configuration to point to the provided HTTPS endpoint correctly.

Finally, test if the configuration is working by trying to deploy the vulnerable resource /cks/1/web1.yaml

You can find the container image scanner's log file at /var/loglimagepolicyiacme.log

## Solution

[Official reference: k8s.io/imagepolicywebhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook)

As the task describes, go to the directory that holds the ImagePolicyWebhook configuration files. Two files matter:

1. admission_config.yaml: the admission policy configuration. It names the kubeconfig file the plugin uses to reach the scanner and sets the default behaviour (allow or deny) when the webhook is unavailable.
2. kubeconf: a standard kubeconfig-format file, modelled on the example in the official documentation. Note: the `server` field must use https; the API server rejects a plain-http URL here.
```
root@ubuk8s-vm01:~# cd /etc/kubernetes/admission/
root@ubuk8s-vm01:/etc/kubernetes/admission# ls
admission_config.yaml  apiserver-client-cert.pem  apiserver-client-key.pem  external-cert.pem  external-key.pem  kubeconf
root@ubuk8s-vm01:/etc/kubernetes/admission#
```

Reference contents of admission_config.yaml and kubeconf. The key setting is `defaultAllow: false`: if the webhook cannot be reached, every image is denied by default (the "implicit deny" the task asks for).

```
root@ubuk8s-vm01:/etc/kubernetes/admission# cat admission_config.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
  - name: ImagePolicyWebhook
    configuration:
      imagePolicy:
        kubeConfigFile: /etc/kubernetes/admission/kubeconf
        allowTTL: 50
        denyTTL: 50
        retryBackoff: 500
        defaultAllow: false
root@ubuk8s-vm01:/etc/kubernetes/admission#
root@ubuk8s-vm01:/etc/kubernetes/admission# cat kubeconf
apiVersion: v1
kind: Config
# clusters refers to the remote service.
clusters:
  - cluster:
      certificate-authority: /etc/kubernetes/admission/external-cert.pem  # CA for verifying the remote service.
      server: https://external-service:1234/check-image                   # URL of remote service to query. Must use 'https'.
    name: image-checker
contexts:
  - context:
      cluster: image-checker
      user: api-server
    name: image-checker
current-context: image-checker
preferences: {}
# users refers to the API server's webhook configuration.
users:
  - name: api-server
    user:
      client-certificate: /etc/kubernetes/admission/apiserver-client-cert.pem  # cert for the webhook admission controller to use
      client-key: /etc/kubernetes/admission/apiserver-client-key.pem           # key matching the cert
root@ubuk8s-vm01:/etc/kubernetes/admission#
```

In the exam, step 3 of the task requires the `server` field to point at the endpoint given in the question; this write-up leaves the documentation's sample value in place, which is why the verification below shows the webhook as unreachable and the request denied by `defaultAllow: false`.

Once the files are ready, go to /etc/kubernetes/manifests and edit kube-apiserver.yaml:

```
# Add the plugin to the enabled admission plugins. Plugin names are case-sensitive; each word starts with a capital letter.
- --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook
# Add the flag that points the API server at the admission policy file.
- --admission-control-config-file=/etc/kubernetes/admission/admission_config.yaml
```

The files live on the host at /etc/kubernetes/admission/, so make sure that host path is mounted into the kube-apiserver Pod (in the exam environment it is usually already mounted):

```
# under containers[].volumeMounts
- mountPath: /etc/kubernetes/admission
  name: admission
  readOnly: false
# under volumes
- hostPath:
    path: /etc/kubernetes/admission
    type: DirectoryOrCreate
  name: admission
```

Save the file and wait for kube-apiserver to restart. You can watch for the restarted container with `docker ps | grep kube-api`:

```
docker ps|grep kube-api
2b749a4911cc   a301be0cd44b           "kube-apiserver --ad…"   1 second ago    Up Less than a second   k8s_kube-apiserver_kube-apiserver-ubuk8s-vm01_kube-system_058302a8109c6f2f1e166fcf6c3f2291_0
ab7b10aef3ce   k8s.gcr.io/pause:3.2   "/pause"                 2 seconds ago   Up 1 second             k8s_POD_kube-apiserver-ubuk8s-vm01_kube-system_058302a8109c6f2f1e166fcf6c3f2291_0
```

## Verification

Create the Pod from the YAML supplied by the task. Because the webhook is unreachable, the request is denied by default:

```
root@ubuk8s-vm01:~# kubectl apply -f pod1.yaml
Error from server (Forbidden): error when creating "pod1.yaml": pods "pod1" is forbidden: Post "https://external-service:1234/check-image?timeout=30s": dial tcp: lookup external-service on 10.79.0.132:53: no such host
```

## Tips

* If you practise on a single self-built cluster, remove the ImagePolicyWebhook configuration from kube-apiserver after finishing this question; otherwise every later Pod creation will be denied while the webhook stays unreachable.
* Get into the habit of backing up kube-apiserver.yaml to a directory other than /etc/kubernetes/manifests. The kubelet loads every file in that directory as a static Pod, so a backup left there is itself picked up.
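To make the behaviour wired up above concrete, here is an added example (not part of the original write-up, and not code from any Kubernetes component) that models the ImagePolicyWebhook exchange in stdlib-only Python: the ImageReview request the API server POSTs to the scanner, the scanner's verdict, the `defaultAllow: false` fallback that produced the Forbidden error in the verification step, and the https-only rule for the kubeconf `server` field. The vulnerable-image list, image names and pod spec are constructed sample data; `review_images`, `admit_pod`, `check_webhook_url` and `unreachable_backend` are names chosen for this example.

```python
"""Model of the ImagePolicyWebhook exchange (added example, constructed data).

review_images()    plays the image scanner backend.
admit_pod()        plays the API server's admission side, including defaultAllow.
check_webhook_url() enforces the 'server must be https' rule for the kubeconf.
"""
import json
from urllib.parse import urlparse

# Request/response format used by the ImagePolicyWebhook admission plugin.
API_VERSION = "imagepolicy.k8s.io/v1alpha1"

# Constructed sample data: image references the scanner treats as vulnerable.
VULNERABLE_IMAGES = {
    "docker.io/library/nginx:1.14",          # sample tag flagged as vulnerable
    "example.test/app@sha256:" + "0" * 64,   # sample digest flagged as vulnerable
}


def build_image_review(pod_spec, namespace):
    """Build the ImageReview object the API server sends to the webhook."""
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    return {
        "apiVersion": API_VERSION,
        "kind": "ImageReview",
        "spec": {
            "containers": [{"image": c["image"]} for c in containers],
            "annotations": {},
            "namespace": namespace,
        },
    }


def _status(allowed, reason):
    """ImageReview response carrying only the status the API server reads."""
    return {"apiVersion": API_VERSION, "kind": "ImageReview",
            "status": {"allowed": allowed, "reason": reason}}


def review_images(request, vulnerable=VULNERABLE_IMAGES):
    """Scanner backend: deny the whole Pod if any image is on the vulnerable list."""
    if request.get("kind") != "ImageReview" or request.get("apiVersion") != API_VERSION:
        return _status(False, "unexpected request kind/apiVersion")
    bad = [c["image"] for c in request["spec"]["containers"] if c["image"] in vulnerable]
    if bad:
        return _status(False, "vulnerable image(s): " + ", ".join(bad))
    return _status(True, "")


def admit_pod(pod_spec, namespace, backend, default_allow=False):
    """API-server side: query the backend; on any failure apply defaultAllow.

    Returns (allowed, reason). With default_allow=False an unreachable webhook
    means the Pod is rejected, which is the implicit-deny posture the task wants.
    """
    request = build_image_review(pod_spec, namespace)
    try:
        # Round-trip through JSON to mimic the HTTPS request body.
        response = backend(json.loads(json.dumps(request)))
        allowed = bool(response["status"]["allowed"])
        reason = response["status"].get("reason", "")
    except Exception as exc:  # connection error, malformed reply, ...
        allowed = default_allow
        reason = f"webhook failed ({exc}); defaultAllow={default_allow}"
    return allowed, reason


def check_webhook_url(url):
    """The kubeconf 'server:' value must be an https URL with a host."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def unreachable_backend(_request):
    """Stand-in for a webhook whose host cannot be resolved (constructed)."""
    raise ConnectionError("dial tcp: lookup external-service: no such host")


if __name__ == "__main__":
    vulnerable_pod = {"containers": [{"image": "docker.io/library/nginx:1.14"}]}
    clean_pod = {"containers": [{"image": "example.test/app:2.0"}]}
    print(admit_pod(vulnerable_pod, "default", review_images))      # denied by scanner
    print(admit_pod(clean_pod, "default", review_images))           # allowed
    print(admit_pod(clean_pod, "default", unreachable_backend))     # denied by defaultAllow
    print(check_webhook_url("https://external-service:1234/check-image"))
    print(check_webhook_url("http://192.168.26.60:1323/image_policy"))  # http form fails the check
```

Running the block shows the three outcomes the write-up relies on: a scanner verdict that denies a listed image, a clean image passing, and a Pod rejected purely because the webhook was unreachable while `defaultAllow` is false. The last `check_webhook_url` call illustrates why the task's `http://` endpoint string has to be written as `https://` in kubeconf.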