From 1a8b795596728e7cabc72cacefcde7b71eb8f200 Mon Sep 17 00:00:00 2001 From: ryryryan Date: Mon, 21 Jun 2021 14:06:17 +0000 Subject: [PATCH 1/3] Include Dockerfile --- Dockerfile | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 Dockerfile
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..d7ccc6b
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,27 @@
+# These three ARGs must point to an Iron Bank image - the BASE_REGISTRY should always be what is written below; please use \
+# '--build-arg' when building locally to replace these values
+# If your container is not based on either the ubi7/ubi8 Iron Bank images, then it should be based on a different Iron Bank image
+# Note that you will not be able to pull containers from nexus-docker-secure.levelup-dev.io into your local dev machine
+ARG BASE_REGISTRY=registry1.dsop.io
+ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8-minimal
+ARG BASE_TAG=8.4
+
+# FROM statement must reference the base image using the three ARGs established
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+ENV REQIRED_PACKAGES="shadow-utils libsemanage"
+
+RUN microdnf --setopt=tsflags=nodocs install $REQIRED_PACKAGES \
+    && useradd sysdig -u 1000 \
+    && microdnf remove $REQIRED_PACKAGES \
+    && microdnf clean all \
+    && rm -rf /var/cache/yum
+
+ARG BINARY="webhook-v3.2.0"
+
+COPY ${BINARY} /bin/webhook
+
+EXPOSE 5000
+HEALTHCHECK --start-period=30s CMD curl -f 127.0.0.1:5000 || exit 1
+USER 1000
+ENTRYPOINT ["/bin/webhook"]
\ No newline at end of file
-- GitLab From 913be8c76599913f07d6698d3d6beede796333a8 Mon Sep 17 00:00:00 2001 From: ryryryan Date: Mon, 21 Jun 2021 14:12:44 +0000 Subject: [PATCH 2/3] Initial hardening manifest file --- hardening_manifest.yaml | 57 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 hardening_manifest.yaml
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
new file mode 100644
index 0000000..b9821fc
--- /dev/null
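Review bot: The HEALTHCHECK line depends on a `curl` binary that this Dockerfile never installs (the only packages it adds, shadow-utils and libsemanage, are removed again in the same RUN), so the probe only works if ubi8-minimal happens to ship curl, which should be verified rather than assumed; if it does not, every container is reported unhealthy regardless of the webhook's state. The probe also speaks plain HTTP to `127.0.0.1:5000`, and if the webhook serves TLS, as Kubernetes admission webhooks normally must, the check fails even with curl present. Either drop the HEALTHCHECK and rely on the Kubernetes probes configured by the chart, or pin the full probe contract and match the scheme the binary actually serves, e.g. `HEALTHCHECK --interval=30s --timeout=5s --start-period=30s --retries=3 CMD curl -fsSk https://127.0.0.1:5000/ || exit 1` once the scheme and path are confirmed. Separately, `ENV REQIRED_PACKAGES=...` (typo aside) bakes a build-only value into the runtime environment; `ARG REQUIRED_PACKAGES="shadow-utils libsemanage"` keeps it out of the final image.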
+++ b/hardening_manifest.yaml 
@@ -0,0 +1,57 @@
+apiVersion: v1
+# The repository name in registry1, excluding /ironbank/
+name: "sysdig/cloudsecurity/admission-controller-3.2.0"
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dsop.io
+tags:
+  - "3.2.0"
+  - "latest"
+# Build args passed to Dockerfile ARGs
+args:
+  BASE_IMAGE: "redhat/ubi/ubi8-minimal"
+  BASE_TAG: "8.4"
+# Docker image labels
+labels:
+  org.opencontainers.image.title: "admission-controller-5.3"
+  ## Human-readable description of the software packaged in the image
+  org.opencontainers.image.description: "Sysdig - Admission Controller"
+  ## License(s) under which contained software is distributed
+  org.opencontainers.image.licenses: "proprietary"
+  ## URL to find more information on the image
+  # org.opencontainers.image.url: "FIXME"
+  ## Name of the distributing entity, organization or individual
+  org.opencontainers.image.vendor: "Sysdig"
+  org.opencontainers.image.version: "3.2.0"
+  ## Keywords to help with search (ex. "cicd,gitops,golang")
+  # mil.dso.ironbank.image.keywords: "FIXME"
+  ## This value can be "opensource" or "commercial"
+  mil.dso.ironbank.image.type: "commercial"
+  ## Product the image belongs to for grouping multiple images
+  # mil.dso.ironbank.product.name: "FIXME"
+
+  com.sysdig.builddate: "2021-06-16T06:38:36"
+  com.sysdig.commit: "7ba1422"
+  com.sysdig.component: "admission-controller"
+  com.sysdig.release: "3.2.0"
+  com.sysdig.version: "3.2.0"
+  com.sysdig.dod.commit: "2dd05a9"
+  com.sysdig.dod.builddate: "2021-06-16T07:38:00"
+  com.sysdig.baseimage: "registry1.dsop.io/ironbank/redhat/ubi/ubi8-minimal:8.4"
+# List of resources to make available to the offline build context
+resources:
+- filename: webhook-v3.2.0
+  url: https://s3.amazonaws.com/download.draios.com/repo1/admission-controller/webhook-v3.2.0
+  validation:
+    type: sha256
+    value: 767d3ceeac6a255b30442e4f2834e765e98f02c9a645b0483a0db76fb6a973c5
+
+# List of project maintainers
+# FIXME: Fill in the following details for the current container owner in the whitelist
+# FIXME: Include any other vendor information if applicable
+maintainers:
+  - email: "aitor.acedo@sysdig.com"
+    # # The name of the current container owner
+    name: "Aitor Acedo"
+    # # The gitlab username of the current container owner
+    username: "aitor.acedo"
-- GitLab From 7a579db4d6d2b7a7d834c0c90ebc0c5648434049 Mon Sep 17 00:00:00 2001 From: ryryryan Date: Mon, 21 Jun 2021 14:16:35 +0000 Subject: [PATCH 3/3] Update README.md --- README.md | 39 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 37 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 5dc6fa6..e7a6934 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,38 @@
-#
+# Sysdig Admission Controller
+Sysdig’s Admission Controller uses the Sysdig Secure Image Scanner to evaluate the scan results and the admission context, providing great flexibility on the admission decision.
-Project template for all Iron Bank container repositories.
\ No newline at end of file
+Using native Kubernetes API extensions to perform the image scanning on admission enables major threat prevention with the hardening use case: “Only the images that are explicitly approved will be allowed to run on your cluster.”
+
+The admission decision relies not only on the image name and tag, but also on additional context from the admission review, including the namespace, pod metadata, etc.
+
+## Features
+
+ * Registry and repository whitelist
+ * Global and per-namespace admission configuration
+ * Accept only the images that pass the scan (default)
+ * Directly reject non-whitelisted registries / repos, without scanning
+ * Accept the image even if it doesn’t pass the scan
+ * Do not accept any image that hasn’t been scanned already
+ * Pod mutation: image tag is replaced by digest to prevent TOCTOU issue if the tag is updated between the scan and the pod scheduling.
+
+## Requirements
+
+* Helm 3
+* Kubernetes 1.16 or higher
+
+## Installation
+
+Create a values.yaml overriding the desired values from the [values.yaml file in the repository](https://raw.githubusercontent.com/sysdiglabs/charts/master/charts/admission-controller/values.yaml):
+
+```
+$ kubectl create ns sysdig-admission-controller
+$ helm repo add sysdig https://charts.sysdig.com
+$ helm install -n sysdig-admission-controller sysdig-admission-controller -f values.yaml sysdig/admission-controller
+```
+
+### Basic settings
+
+The default settings in *values.yaml* should be right for most cases, but you must provide at minimum:
+
+* **sysdigSecureToken** - The Sysdig Secure Token for your account
+* **sysdigSecureUrl** - if the default SasS URL does not fit your environment (if using the on-prem version of Sysdig Secure
-- GitLab