
I am new to Kubernetes. I am looking to see if it's possible to hook into the container execution life-cycle events in the orchestration process, so that I can call an API, pass it the details of the container, and see if it's allowed to execute this container in the given environment, location, etc.

An example check could be: a container can only be run in Europe or US data centers. So if someone tries to execute this container in a data center outside these regions, it should not be allowed.

Is this possible and what is the best way to achieve this?

2 Answers


You can possibly set up an ImagePolicy admission controller in the clusters, where you describe from which registries it is allowed to pull images.

kube-image-bouncer is an example of an ImagePolicy admission controller:

A simple webhook endpoint server that can be used to validate the images being created inside of the Kubernetes cluster.


1 Comment

Thanks, I tried both options to see what works best for us. I think the Open Policy Agent that apisim suggested looks very promising for the moment, as it will give us a lot of control over what we plan to do.
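As an added example (not from either answer and not kube-image-bouncer's code), here is the decision function of such a validating admission webhook in Go, using only the standard library: it reads the AdmissionReview the API server POSTs to the webhook, checks every image in the Pod against a constructed registry allowlist, and answers allow or deny. The HTTP handler that wraps Review, TLS, and the cluster's ValidatingWebhookConfiguration are omitted; a region rule like the one in the question would be another check in the same loop.

```go
package main
import (
	"encoding/json"
	"errors"
	"strings"
)

// Minimal slice of the admission.k8s.io/v1 AdmissionReview schema: enough to read
// the Pod under review and send an allow/deny verdict back to the API server.
type AdmissionReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	// Decoded only; encoding/json matches keys case-insensitively, so the inner fields need no tags.
	Request  *struct{ UID string; Object json.RawMessage } `json:"request,omitempty"`
	Response *Verdict                                     `json:"response,omitempty"`
}
type Verdict struct {
	UID     string            `json:"uid"`
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"` // {"message": "..."} on denial
}
// Constructed example allowlist; a real webhook would load it from configuration.
var allowedRegistries = []string{"registry.example.internal/", "eu.gcr.io/"}

// Review checks every initContainer and container image of the Pod carried in the
// AdmissionReview and returns the encoded response. Bare names such as "nginx"
// implicitly mean docker.io, so they are denied like any other unlisted registry.
func Review(body []byte) ([]byte, error) {
	var ar AdmissionReview
	if err := json.Unmarshal(body, &ar); err != nil || ar.Request == nil {
		return nil, errors.New("malformed or empty AdmissionReview")
	}
	var pod struct{ Spec struct{ InitContainers, Containers []struct{ Image string } } }
	if err := json.Unmarshal(ar.Request.Object, &pod); err != nil {
		return nil, err
	}
	verdict := &Verdict{UID: ar.Request.UID, Allowed: true}
	for _, c := range append(pod.Spec.InitContainers, pod.Spec.Containers...) {
		allowed := false
		for _, reg := range allowedRegistries {
			allowed = allowed || strings.HasPrefix(c.Image, reg)
		}
		if !allowed { // fail closed: one disallowed image rejects the whole Pod
			verdict.Allowed = false
			verdict.Status = map[string]string{"message": "image " + c.Image + " is not from an allowed registry"}
			break
		}
	}
	return json.Marshal(AdmissionReview{APIVersion: ar.APIVersion, Kind: ar.Kind, Response: verdict})
}
```

The webhook must echo the request's apiVersion, kind and uid in its response, which is why Review copies them instead of hard-coding them.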

If you don't want to start from scratch, there is a Cloud Native Computing Foundation (incubating) project, Open Policy Agent, with support for Kubernetes that seems to offer what you want. (I am not affiliated with the project.)
