Sysdig’s Admission Controller uses the Sysdig Secure Image Scanner to evaluate the scan results and the admission context, providing great flexibility on the admission decision.
Using native Kubernetes API extensions to perform the image scanning on admission gives you a strong preventive control for the hardening use case: “Only the images that are explicitly approved will be allowed to run on your cluster.”
The admission decision relies not only on the image name and tag, but also on additional context from the admission review, such as the namespace and the pod metadata.
## Features
* Registry and repository whitelist
* Global and per-namespace admission configuration
* Accept only the images that pass the scan (default)
* Directly reject non-whitelisted registries / repos, without scanning
* Accept the image even if it doesn’t pass the scan
* Do not accept any image that hasn’t been scanned already
* Pod mutation: the image tag is replaced by the image digest, preventing a TOCTOU (time-of-check to time-of-use) issue if the tag is updated between the scan and the pod scheduling.
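To make the feature list above concrete, here is an added example of the decision logic an admission webhook of this kind runs; it is not Sysdig's code and not taken from the chart. The `Policy`, `Scanner`, `ScanResult` and `Mode` shapes, the `registry.example.com` images, the namespaces and the digests are all constructed for the example (a real controller queries the Sysdig Secure scanner instead of the in-memory tables). It shows the whole flow: a non-whitelisted registry is rejected before any scan, the global mode can be overridden per namespace (accept only passing images, accept regardless, or accept only images scanned already), and an admitted pod is mutated with a JSON Patch that pins each image to the digest that was actually scanned.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type Mode int // admission behaviour chosen globally or overridden per namespace

const (
	AcceptOnlyPassed Mode = iota // accept only images whose scan passed (default)
	AcceptAlways                 // accept the image even if it fails the scan
	RejectUnscanned              // accept only images that already have a scan result
)

// Hypothetical policy, scanner and request shapes assumed by this example.
type (
	Policy struct {
		AllowedRegistries map[string]bool // registry whitelist
		Default           Mode            // global admission mode
		Namespaces        map[string]Mode // per-namespace overrides
	}
	ScanResult struct{ Passed bool; Digest string } // Digest is "sha256:<hex>"
	// Scanner stands in for the backend: Reports = stored results, Registry = what an on-admission scan returns.
	Scanner struct{ Reports, Registry map[string]ScanResult }
	// Request is the part of an AdmissionReview request the policy needs (json keys match case-insensitively).
	Request struct {
		UID, Namespace string
		Object         struct{ Spec struct{ Containers []struct{ Image string } } }
	}
	Decision struct{ Allowed bool; Reason string; Patch []map[string]string } // Patch is a JSON Patch
)

func registryOf(image string) string { // registry host of an image reference, "docker.io" when absent
	first := strings.SplitN(image, "/", 2)[0]
	if !strings.ContainsAny(first, ".:") && first != "localhost" {
		return "docker.io"
	}
	return first
}

func pinToDigest(image, digest string) string { // "repo:tag" -> "repo@digest": the pod runs exactly what was scanned
	colon := strings.LastIndex(image, ":")
	if strings.Contains(image, "@") {
		return image // already pinned
	} else if colon > strings.LastIndex(image, "/") {
		image = image[:colon] // drop the tag, never a registry port
	}
	return image + "@" + digest
}

// Decide applies the policy to every container; the first violation denies the whole pod.
func Decide(p Policy, sc Scanner, req Request) Decision {
	mode, ok := p.Namespaces[req.Namespace]
	if !ok {
		mode = p.Default
	}
	var ops []map[string]string
	for i, c := range req.Object.Spec.Containers {
		if !p.AllowedRegistries[registryOf(c.Image)] { // rejected before any scan is triggered
			return Decision{Reason: fmt.Sprintf("registry %q is not whitelisted", registryOf(c.Image))}
		}
		res, ok := sc.Reports[c.Image]
		if !ok && mode != RejectUnscanned { // every other mode scans on admission
			res, ok = sc.Registry[c.Image]
		}
		if !ok {
			return Decision{Reason: fmt.Sprintf("image %q has no scan result", c.Image)}
		}
		if !res.Passed && mode != AcceptAlways {
			return Decision{Reason: fmt.Sprintf("image %q did not pass the scan", c.Image)}
		}
		ops = append(ops, map[string]string{"op": "replace", // mutate the pod: tag -> digest
			"path": fmt.Sprintf("/spec/containers/%d/image", i), "value": pinToDigest(c.Image, res.Digest)})
	}
	return Decision{Allowed: true, Patch: ops}
}

// Review parses a raw AdmissionReview and encodes the response the API server expects.
func Review(p Policy, sc Scanner, raw []byte) ([]byte, error) {
	var ar struct{ Request Request }
	if err := json.Unmarshal(raw, &ar); err != nil {
		return nil, err
	}
	d := Decide(p, sc, ar.Request)
	resp := map[string]interface{}{"uid": ar.Request.UID, "allowed": d.Allowed}
	if !d.Allowed {
		resp["status"] = map[string]string{"message": d.Reason}
	} else if len(d.Patch) > 0 {
		patch, _ := json.Marshal(d.Patch)
		resp["patchType"], resp["patch"] = "JSONPatch", base64.StdEncoding.EncodeToString(patch) // API wants base64
	}
	return json.Marshal(map[string]interface{}{"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp})
}

func main() { // constructed sample: one whitelisted registry, "sandbox" relaxed, pod admitted to "payments"
	p := Policy{AllowedRegistries: map[string]bool{"registry.example.com": true}, Namespaces: map[string]Mode{"sandbox": AcceptAlways}}
	sc := Scanner{Reports: map[string]ScanResult{"registry.example.com/team/app:1.2.3": {true, "sha256:" + strings.Repeat("a", 64)}}}
	out, err := Review(p, sc, []byte(`{"request":{"uid":"c0ffee","namespace":"payments","object":{"spec":{"containers":[{"image":"registry.example.com/team/app:1.2.3"}]}}}}`))
	fmt.Println(string(out), err)
}
```

The digest pinning is what closes the TOCTOU window: the scanner evaluated a specific manifest, and the patch makes the kubelet pull exactly that manifest even if someone re-pushes the tag afterwards. Note that the whitelist check runs before any scan is requested, and that the zero value of `Mode` is the "accept only passing images" default, so a namespace with no override gets the strict behaviour.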
## Requirements
* Helm 3
* Kubernetes 1.16 or higher
## Installation
Create a values.yaml overriding the desired values from the [values.yaml file in the repository](https://raw.githubusercontent.com/sysdiglabs/charts/master/charts/admission-controller/values.yaml):