Merge branch 'ryryryan-development-patch-39536' into 'development'

Gitlab CI Pipeline successfully passed

See merge request !17

Dockerfile

+# These three ARGs must point to an Iron Bank image - the BASE_REGISTRY should always be what is written below; please use \
+# '--build-arg' when building locally to replace these values
+# If your container is not based on either the ubi7/ubi8 Iron Bank images, then it should be based on a different Iron Bank image
+# Note that you will not be able to pull containers from nexus-docker-secure.levelup-dev.io into your local dev machine
+ARG BASE_REGISTRY=registry1.dsop.io
+ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8-minimal
+ARG BASE_TAG=8.4
+
+# FROM statement must reference the base image using the three ARGs established
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+ENV REQIRED_PACKAGES="shadow-utils libsemanage"
+
+RUN microdnf --setopt=tsflags=nodocs install $REQIRED_PACKAGES \
+  && useradd sysdig -u 1000 \
+  && microdnf remove $REQIRED_PACKAGES \
+  && microdnf clean all \
+  && rm -rf /var/cache/yum
+
+ARG BINARY="webhook-v3.2.0"
+
+COPY ${BINARY} /bin/webhook
+
+EXPOSE 5000
+HEALTHCHECK --start-period=30s CMD curl -f 127.0.0.1:5000 || exit 1
+USER 1000
+ENTRYPOINT ["/bin/webhook"]
\ No newline at end of file

README.md

-# <application name>
+# Sysdig Admission Controller
+Sysdig’s Admission Controller uses the Sysdig Secure Image Scanner to evaluate the scan results and the admission context, providing great flexibility on the admission decision.
 
-Project template for all Iron Bank container repositories.
+Using native Kubernetes API extensions to perform the image scanning on admission enables major threat prevention with the hardening use case: “Only the images that are explicitly approved will be allowed to run on your cluster.”
\ No newline at end of file
+
+The admission decision relies not only on the image name and tag, but also on additional context from the admission review, including the namespace, pod metadata, etc.
+
+## Features
+
+ * Registry and repository whitelist
+ * Global and per-namespace admission configuration
+ * Accept only the images that pass the scan (default)
+ * Directly reject non-whitelisted registries / repos, without scanning
+ * Accept the image even if it doesn’t pass the scan
+ * Do not accept any image that hasn’t been scanned already
+ * Pod mutation: image tag is replaced by digest to prevent TOCTOU issue if the tag is updated between the scan and the pod scheduling.
+
+## Requirements
+
+* Helm 3
+* Kubernetes 1.16 or higher
+
+## Installation
+
+Create a values.yaml overriding the desired values from the [values.yaml file in the repository](https://raw.githubusercontent.com/sysdiglabs/charts/master/charts/admission-controller/values.yaml):
+
+```
+$ kubectl create ns sysdig-admission-controller
+$ helm repo add sysdig https://charts.sysdig.com
+$ helm install -n sysdig-admission-controller sysdig-admission-controller -f values.yaml sysdig/admission-controller
+```
+
+### Basic settings
+
+The default settings in *values.yaml* should be right for most cases, but you must provide at minimum:
+
+* **sysdigSecureToken** - The Sysdig Secure Token for your account
+* **sysdigSecureUrl** - if the default SasS URL does not fit your environment (if using the on-prem version of Sysdig Secure

hardening_manifest.yaml

+---
+apiVersion: v1
+
+# The repository name in registry1, excluding /ironbank/
+name: "sysdig/sysdig-secure/admission-controller-3.2.0"
+
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dsop.io
+tags:
+  - "3.2.0"
+  - "latest"
+# Build args passed to Dockerfile ARGs
+args:
+  BASE_IMAGE: "redhat/ubi/ubi8-minimal"
+  BASE_TAG: "8.4"
+
+# Docker image labels
+labels:
+  org.opencontainers.image.title: "admission-controller-3.2.0"
+  ## Human-readable description of the software packaged in the image
+  org.opencontainers.image.description: "Sysdig - Admission Controller"
+  ## License(s) under which contained software is distributed
+  org.opencontainers.image.licenses: "proprietary"
+  ## URL to find more information on the image
+  # org.opencontainers.image.url: "FIXME"
+  ## Name of the distributing entity, organization or individual
+  org.opencontainers.image.vendor: "Sysdig"
+  org.opencontainers.image.version: "3.2.0"
+  ## Keywords to help with search (ex. "cicd,gitops,golang")
+  # mil.dso.ironbank.image.keywords: "FIXME"
+  ## This value can be "opensource" or "commercial"
+  mil.dso.ironbank.image.type: "commercial"
+  ## Product the image belongs to for grouping multiple images
+  mil.dso.ironbank.product.name: "sysdig-secure/admission-controller"
+
+
+# List of resources to make available to the offline build context
+resources:
+- filename: webhook-v3.2.0
+  url: https://s3.amazonaws.com/download.draios.com/repo1/admission-controller/webhook-v3.2.0
+  validation:
+    type: sha256
+    value: 767d3ceeac6a255b30442e4f2834e765e98f02c9a645b0483a0db76fb6a973c5
+
+# List of project maintainers
+maintainers:
+  - email: "aitor.acedo@sysdig.com"
+    #   # The name of the current container owner
+    name: "Aitor Acedo"
+    #   # The gitlab username of the current container owner
+    username: "aitor.acedo"