A ValidatingWebhookConfiguration which allows integration with Atomist for two purposes:
- To protect clusters from running vulnerable images. The service will validate images deployed to enabled namespaces (via annotation) by checking whether Atomist has recorded any failed checks for the image being deployed.
- To track which images are deployed to different clusters.
The controller listens on `/` for `POST`s from the cluster. Pods being created in namespaces where enforcement has been enabled are checked against a signed policy. For all pods appearing in the cluster (in any namespace, not just those with enforcement enabled) the service calls back to Atomist and records the instance of the workload. This allows tracking of images as they move through the deployment process (from staging to production etc.) and allows an inventory of deployed images to be built for each cluster.
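The two behaviours above (deny-on-failed-checks only in enforced namespaces, record every pod everywhere) as an added, stand-alone model of the admission flow; this is example code, not the controller's own. The annotation name, the failed-checks lookup and the inventory callback are hypothetical placeholders for the real Atomist integration.

```python
# Added example: a minimal validating-webhook handler for Pod CREATE requests.
# ENFORCE_ANNOTATION, FAILED_CHECKS and INVENTORY are hypothetical stand-ins
# for the real namespace annotation and the Atomist API calls.
import json

ENFORCE_ANNOTATION = "example.com/enforce"  # hypothetical annotation name

# Constructed stand-in for "has Atomist recorded failed checks for this image?"
FAILED_CHECKS = {"registry.example/app:1.0": ["critical-cve"]}

# Constructed stand-in for the inventory callback: every workload seen is appended.
INVENTORY = []


def namespace_enforced(namespace_annotations):
    """Enforcement is opt-in per namespace via the annotation."""
    return namespace_annotations.get(ENFORCE_ANNOTATION) == "true"


def make_review(namespace, *images):
    """Build a constructed AdmissionReview request for a Pod with the given images."""
    containers = [{"name": f"c{i}", "image": img} for i, img in enumerate(images)]
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "uid-1", "namespace": namespace,
                        "object": {"kind": "Pod", "spec": {"containers": containers}}}}


def handle_admission_review(review, namespace_annotations):
    """Return the AdmissionReview response the webhook would POST back."""
    req = review["request"]
    spec = req["object"]["spec"]
    images = [c["image"] for c in spec.get("containers", []) + spec.get("initContainers", [])]
    # Every pod is recorded, regardless of whether its namespace is enforced.
    INVENTORY.append({"namespace": req["namespace"], "images": images})
    resp = {"uid": req["uid"], "allowed": True}
    if namespace_enforced(namespace_annotations):
        bad = {img: FAILED_CHECKS[img] for img in images if img in FAILED_CHECKS}
        if bad:  # deny only when an image has recorded failed checks
            resp["allowed"] = False
            resp["status"] = {"code": 403, "message": "failed checks: " + json.dumps(bad)}
    return {"apiVersion": review["apiVersion"], "kind": "AdmissionReview", "response": resp}
```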
Use these instructions to manually install the controller in a cluster.
Use these instructions to add the controller to an existing flux repository.