diff --git a/README.md b/README.md index 5dc6fa6db4361c22da2f35edf0544d83ba6001e2..e7a69344a254c52cc9b217a63eb2df2eaf7ba155 100644 --- a/README.md +++ b/README.md 
@@ -1,3 +1,38 @@ -# +# Sysdig Admission Controller +Sysdig’s Admission Controller uses the Sysdig Secure Image Scanner to evaluate the scan results and the admission context, providing great flexibility on the admission decision. -Project template for all Iron Bank container repositories. \ No newline at end of file +Using native Kubernetes API extensions to perform the image scanning on admission enables major threat prevention with the hardening use case: “Only the images that are explicitly approved will be allowed to run on your cluster.” + +The admission decision relies not only on the image name and tag, but also on additional context from the admission review, including the namespace, pod metadata, etc. + +## Features + + * Registry and repository whitelist + * Global and per-namespace admission configuration + * Accept only the images that pass the scan (default) + * Directly reject non-whitelisted registries / repos, without scanning + * Accept the image even if it doesn’t pass the scan + * Do not accept any image that hasn’t been scanned already + * Pod mutation: image tag is replaced by digest to prevent TOCTOU issue if the tag is updated between the scan and the pod scheduling. 
+ +## Requirements + +* Helm 3 +* Kubernetes 1.16 or higher + +## Installation + +Create a values.yaml overriding the desired values from the [values.yaml file in the repository](https://raw.githubusercontent.com/sysdiglabs/charts/master/charts/admission-controller/values.yaml): + +``` +$ kubectl create ns sysdig-admission-controller +$ helm repo add sysdig https://charts.sysdig.com +$ helm install -n sysdig-admission-controller sysdig-admission-controller -f values.yaml sysdig/admission-controller +``` + +### Basic settings + +The default settings in *values.yaml* should be right for most cases, but you must provide at minimum: + +* **sysdigSecureToken** - The Sysdig Secure Token for your account +* **sysdigSecureUrl** - if the default SasS URL does not fit your environment (if using the on-prem version of Sysdig Secure
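Review bot: the "Basic settings" section at the end of the hunk has a typo, "SasS URL" should read "SaaS URL", and the parenthetical in the sysdigSecureUrl bullet, "(if using the on-prem version of Sysdig Secure", is never closed. Since sysdigSecureToken is an API credential, the installation step that has the reader write it into values.yaml and pass it with `-f values.yaml` deserves one sentence noting that this file should be kept out of version control or the token supplied through a secret instead. It would also help readers to state in the Features list that "Accept the image even if it doesn't pass the scan" and the registry / repository whitelist relax the hardening guarantee quoted earlier in the README ("Only the images that are explicitly approved will be allowed to run on your cluster"), so that the strict "Accept only the images that pass the scan (default)" mode is clearly the recommended one.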