Kubernetes: Policy check before container execution

11/13/2019

I am new to Kubernetes. I am looking to see if it's possible to hook into the container execution life cycle events in the orchestration process so that I can call an API to pass the details of the container and see if it's allowed to execute this container in the given environment, location etc.

An example check could be: the container can only be run in Europe or US data centers. So before someone tries to execute this container outside those regions' data centers, it should not be allowed.

Can someone please tell me if this is possible and what the best way to achieve this is?

Regards, Kiran

-- Kiran
kubernetes
kubernetes-pod

2 Answers

11/13/2019

You can possibly set up an ImagePolicy admission controller in the clusters, where you describe from which registries it is allowed to pull images.

kube-image-bouncer is an example of an ImagePolicy admission controller:

A simple webhook endpoint server that can be used to validate the images being created inside of the kubernetes cluster.

-- Jonas
Source: StackOverflow
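To make the admission-controller suggestion concrete, here is an added example (not code from the answer above and not kube-image-bouncer's code) of a minimal validating admission webhook in Go that uses only the standard library. It decodes the AdmissionReview the API server sends, checks two things about the pod, and answers allowed or denied with a reason: every container image must come from an allow-listed registry, and the pod must pin itself to an allowed region through a `nodeSelector` on the standard `topology.kubernetes.io/region` node label. The registry prefixes, the region names, the `/validate` path and the certificate paths are assumptions chosen for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)

// Minimal subset of the admission.k8s.io/v1 AdmissionReview schema.
// Only the fields this webhook reads or writes are declared.
type admissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *admissionRequest  `json:"request,omitempty"`
	Response   *admissionResponse `json:"response,omitempty"`
}

type admissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"` // the Pod being admitted
}

type admissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *status `json:"status,omitempty"` // reason shown to the user on deny
}

type status struct {
	Message string `json:"message"`
}

// The parts of a Pod the policy looks at.
type container struct {
	Name  string `json:"name"`
	Image string `json:"image"`
}

type pod struct {
	Spec struct {
		NodeSelector   map[string]string `json:"nodeSelector"`
		Containers     []container       `json:"containers"`
		InitContainers []container       `json:"initContainers"`
	} `json:"spec"`
}

// Policy inputs. These values are assumptions for the example; a real
// deployment would load them from configuration or an external policy API.
var allowedRegistries = []string{"registry.example.com/", "eu.gcr.io/example-project/"}
var allowedRegions = map[string]bool{"europe-west1": true, "us-east1": true}

const regionLabel = "topology.kubernetes.io/region"

func imageAllowed(image string) bool {
	for _, prefix := range allowedRegistries {
		if strings.HasPrefix(image, prefix) {
			return true
		}
	}
	return false
}

// evaluate returns whether the pod is admitted and, if not, why.
func evaluate(p pod) (bool, string) {
	all := append(append([]container{}, p.Spec.InitContainers...), p.Spec.Containers...)
	for _, c := range all {
		if !imageAllowed(c.Image) {
			return false, fmt.Sprintf("container %q uses image %q from a registry that is not allow-listed", c.Name, c.Image)
		}
	}
	region, ok := p.Spec.NodeSelector[regionLabel]
	if !ok {
		return false, fmt.Sprintf("pod must set nodeSelector %s to an allowed region", regionLabel)
	}
	if !allowedRegions[region] {
		return false, fmt.Sprintf("region %q is not allowed", region)
	}
	return true, ""
}

// review turns a raw AdmissionReview into the encoded AdmissionReview reply.
// Anything that cannot be decoded is denied rather than allowed by default.
func review(body []byte) ([]byte, error) {
	var ar admissionReview
	if err := json.Unmarshal(body, &ar); err != nil {
		return nil, fmt.Errorf("invalid AdmissionReview: %w", err)
	}
	if ar.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	resp := &admissionResponse{UID: ar.Request.UID}
	var p pod
	if err := json.Unmarshal(ar.Request.Object, &p); err != nil {
		resp.Status = &status{Message: "could not decode pod: " + err.Error()}
	} else if ok, reason := evaluate(p); ok {
		resp.Allowed = true
	} else {
		resp.Status = &status{Message: reason}
	}
	return json.Marshal(admissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview", Response: resp})
}

func handler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // cap request size
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	out, err := review(body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.Write(out)
}

func main() {
	http.HandleFunc("/validate", handler)
	// The API server only calls webhooks over TLS; the cert paths are placeholders.
	log.Fatal(http.ListenAndServeTLS(":8443", "/etc/webhook/tls.crt", "/etc/webhook/tls.key", nil))
}
```

To wire it in, deploy the server in the cluster and register it with a `ValidatingWebhookConfiguration` whose rule matches pod `CREATE` operations and whose `clientConfig` points at the `/validate` path, with `failurePolicy: Fail` so that an unreachable webhook blocks admission instead of silently allowing it. The region check only says something meaningful if the cluster's nodes actually carry the `topology.kubernetes.io/region` label and pods are prevented from being scheduled elsewhere, so it is a gate at admission time rather than proof of where the container eventually runs.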

11/13/2019

If you don't want to start from scratch... there is a Cloud Native Computing Foundation (incubating) project, Open Policy Agent, with support for Kubernetes that seems to offer what you want. (I am not affiliated with the project.)

-- apisim
Source: StackOverflow