Skip to content

Commit

Permalink
Update admission-controller-webhooks-usage.md (#722)
Browse files Browse the repository at this point in the history
  • Loading branch information
amirbenv authored May 4, 2021
1 parent 02c8bce commit e6e6b8e
Showing 1 changed file with 10 additions and 7 deletions.
17 changes: 10 additions & 7 deletions docs/integrations/admission-controller-webhooks-usage.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,14 +2,14 @@

## Overview
Terrascan can be integrated with K8s [admissions webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/).
Admission controllers help you control what resources are created on a kubernetes cluster. By using terrascan as an admission controller, resources violating security policies can be blocked from getting created in a kubernetes cluster.
Admission controllers help you control what resources are created on a kubernetes cluster. By using terrascan as an admission controller, resources violating security policies can be blocked from getting created in a kubernetes cluster. [Please check our blog](https://www.accurics.com/blog/terrascan-blog/kubernetes-security-terrascan-validating-admission-controller/) for more details and instructions!

Steps to configure terrascan as an admission controller:
- SSL certificates: You can use valid SSL certificates or create self signed certificates and have your kubernetes cluster trust it.
- Create terrascan config file
- Run terrascan in server mode
- Make sure terrascan is accessible via HTTPS from the kubernetes API server.
- Configure a ValidatingWebhookConfiguration resource in kubernetes cluster pointing to the terrascan server
- Configure a [ValidatingWebhookConfiguration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#validatingwebhookconfiguration-v1-admissionregistration-k8s-io) resource in kubernetes cluster pointing to the terrascan server

## Installation Guide

Expand Down Expand Up @@ -52,18 +52,21 @@ A config file example: ```config.toml```
"Network Ports Security"
]
denied-severity = "high"
dashboard=true
```

You can specify the following configurations:

* **scan-rules** - one or more rules to scan
* **skip-rules** - one or more rules to skip while scanning
* **severity** - the minimal level of severity of the policies to be scanned
* **category** - the list of type of categories of the policies to be scanned
* **severity** - the minimal level of severity of the policies to be scanned and displayed. Options are high, medium and low
* **category** - the list of type of categories of the policies to be scanned and displayed

**k8s-admission-control** - Config options for K8s Admission Controllers and GitOps workflows:

* **k8s-admission-control** - specify the rules that should cause a rejection of the admission request
* **denied-categories** - one or more policy categories that are not allowed in the detected violations
* **denied-severity** - the minimal level of severity that should cause a rejection
* **denied-severity** - Violations of this or higher severity will cause and admission rejection. Lower severity violations will be warnings. Options are high, medium. and low
* **denied-categories** - violations from these policy categories will lead to an admission rejection. Policy violations of other categories will lead to warnings.
* **dashboard=true** - enable the `/logs` endpoint to log and graphically display admission requests and violations. Default is `false`

### Configure a ValidatingWebhookConfiguration Resource in Kubernetes Cluster
Configure a new ```ValidatingWebhookConfiguration``` in your Kubernetes environment and specify your Terrascan server endpoint.
Expand Down

0 comments on commit e6e6b8e

Please sign in to comment.