Admission Controller
Note: This feature is offered through Sysdig Labs.
Understanding the Admission Controller
Kubernetes' admission controllers help you define and customize which requests are allowed on your cluster. An admission controller intercepts and processes requests to the Kubernetes API prior to persistence of the object, but after the request is authenticated and authorized.
Sysdig's Admission Controller (UI-based) builds on this Kubernetes mechanism and extends the image scanner, which checks images for Common Vulnerabilities and Exposures (CVEs), misconfigurations, outdated images, etc., from detection to actual prevention. Pod creation requests whose container images do not satisfy the configured admission policies are rejected before the object is persisted, and therefore before the pod is scheduled to a node and allowed to run.

Main Features
Granular admission policies: define a global policy per cluster, but also at the level of particular namespaces or image paths (i.e. registries or repositories)
Only allow images that pass the scanning evaluation criteria
Only allow images that have been evaluated recently
Only allow images that have been scanned before the creation request reaches Kubernetes
Registry and repository whitelist
Scan unscanned requested images immediately (optional)
Usage Steps
The Admission Controller is installed per-cluster. The workflow is straightforward:
Enable the feature in Sysdig Labs to activate it in the Sysdig Secure backend.
Install the Admission Controller in the target cluster(s) and verify that it appears in the Sysdig UI as "Connected."
Define the Admission Controller policies as you see fit for your use cases.
Assign the policies to the connected clusters
Enable the Admission Controller for the cluster
Enable in Sysdig Labs
Log in to Sysdig Secure as administrator and select Settings | User Profile. Under Sysdig Labs, enable the Admission Controller feature and click Save. The links to the Admission Controller pages will appear under Image Scanning in the left-hand navigation.
Installation
The component must be installed on each cluster where you want to use it.
Note
If you have installed the CLI-based version of the Admission Controller, the UI-based version is not backwards-compatible. You will need to uninstall the old version and install the UI-based version instead.
Prerequisites
Helm 3
Kubernetes 1.16 or higher
Install the Admission Controller
Make sure kubectl is pointing to the target cluster where the Admission Controller will be installed. Add and synchronize the Helm repository:
helm repo add sysdig https://charts.sysdig.com
helm repo update
Install the Admission Controller on the target cluster, e.g.:
helm install sysdig-admission-controller \
  --create-namespace \
  --namespace sysdig-admission-controller \
  --set sysdig.secureAPIToken=<your Sysdig Secure API token> \
  --set clusterName=<name for this cluster in the UI> \
  --set sysdig.url=<Sysdig Backend endpoint> \
  sysdig/admission-controller
The API token is a credential: passing it with --set leaves it in your shell history, so prefer reading it from a file with --set-file sysdig.secureAPIToken=<path to token file>, or from a values file that is kept out of version control.
Check that the installation was successful in the Sysdig UI. Log in to Sysdig Secure and select Image Scanning > Admission Controller | Policy Assignments. By default, the cluster shows Connected (healthy) but Disabled (grey dot to the right of the name). Admission Controllers are disabled by default to avoid accidentally blocking deployments.
Installation Parameters
sysdig.secureAPIToken: Sysdig Secure API token, as found in the Sysdig UI under Settings | User Profile.
clusterName: User-defined name for this cluster that will appear in the Admission Controller interface in Sysdig's backend.
sysdig.url: Sysdig endpoint. This parameter is not necessary for SaaS users in the us-east region (as it is the default value). See SaaS Regions and IP Ranges.
For more information: See the full Admission Controller Helm chart documentation.
Upgrades: How to Uninstall the CLI-based Version
Note: The CLI-based version of the Admission Controller is not compatible with the UI-based version. Uninstall the old version before installing the UI-based one.
Run the following:
$ helm uninstall -n sysdig-admission-controller sysdig-admission-controller
Create Admission Controller Policies
Admission Controller Policies define the criteria to accept or reject a given container image at admission time. Remember that Policies must be assigned to a cluster to be enforced.
Log in as Administrator to Sysdig Secure and select Image Scanning > Admission Controller | Policies. The Admission Controller Policies page displays a list of any previously defined policies.
Click +Policy and enter a meaningful Name and Description.
Define the policy Rules:
Evaluation Failure: Whether to reject images that are failing scanning policy evaluation.
Evaluation Age: Whether to reject images when the evaluation is older than X days. You might set this condition to force a new vulnerability check, for example.
Unscanned Image: Whether to reject images that do not have an existing evaluation at admission time. Choose from three options:
Ignore: Ignore this condition.
Reject: Reject the request.
Reject and Scan: Reject the request and scan the image in parallel.
Note: Typically, the workload controller (e.g. a ReplicaSet) will retry creating the rejected pod, so eventually the image will have a valid evaluation and the other conditions will apply. Since scanning during admission can slow down the deployment process, we do not recommend this option unless you are confident that most images will already have an evaluation before admission (i.e. by instrumenting the CI/CD pipelines).
Click Save.
How Policy Conditions are Applied
Policy conditions are combined with an AND operator: an image is admitted only if it satisfies every condition configured in the policy, so failing any single condition rejects the request.
For example, if Evaluation Failure is set to Reject AND Evaluation Age is set to Reject for older than 15 days, then an image with an existing evaluation that is passing, but whose evaluation is 20 days old, will be rejected.
Assign Admission Controller Policies
Log in as Administrator to Sysdig Secure and select Image Scanning > Admission Controller | Policy Assignment. The Admission Controller policy assignment page displays the list of Kubernetes clusters with Admission Controllers, and their current status.
Connected/disconnected clusters: Clusters where the admission controller was never installed will not appear at all. Otherwise:
Connected: Clusters with a connected and healthy admission controller show under the "Connected" label.
Disconnected: A Kubernetes cluster that had an admission controller installed, but whose admission controller component is no longer reporting back to the Sysdig backend, appears under the "Disconnected" label.
Enabled/disabled Admission Controllers: You enable or disable the admission controller for each cluster using the switch at the top right.
Enabled: A green dot by the cluster name shows the admission controller is enabled (enforcing).
Disabled: A grey dot means the admission controller is disabled (installed, but not enforcing).
Click +Add Assignment and enter the basic assignment details. A cluster can have multiple assignments at different levels of granularity, and the assignments are evaluated from top to bottom. See also: Understanding Evaluation Order.
Namespace: Leave blank to match any namespace, or add a relevant entry.
Prefix: Leave blank to match any image name, or limit by entering a particular prefix. For example, the redis prefix would match images declared as redis:latest or redis:v2 in the container creation request. Because the match is on the leading characters of the image reference, a short prefix can also match other images whose names happen to start with the same characters; use the full registry/repository path where precision matters.
Policy: Select a policy from the drop-down list.
Choose Default policy if no other assignment matches: select Allow by default or Reject by default.
Warning: Be very careful with the Reject by default option. Be sure to explicitly allow critical workloads (for example, the system components in kube-system) through assignments before enabling it.
Click Save.
Optional: Drag the new assignment to a different position in the evaluation list if it should be applied before another assignment.
Understanding Evaluation Order
Assignments are evaluated from top to bottom. The first match dictates which policy will be applied; the cluster default action is applied if no assignment matches.
For example:
Assignment 1: Namespace kube-system; any image path; uses Policy1
Assignment 2: All namespaces; image path starts with quay.io/myimage; uses Policy2
Default policy: If no other assignment matches, then Reject
Then:
Requesting to create a container with path docker.io/myimage in the kube-system namespace will apply Policy1.
Requesting to create a container with path quay.io/myimage in the kube-system namespace will apply Policy1 (Assignment 1 matches first, so Assignment 2 is never consulted).
Requesting to create a container with path quay.io/myimage in the mynamespace namespace will apply Policy2.
Requesting to create a container with path docker.io/myimage in the mynamespace namespace will be Rejected by the default action.
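The following is an added example, not Sysdig's code or part of the original page. It models the evaluation rules described in the two previous sections (How Policy Conditions are Applied, and Understanding Evaluation Order): assignments are tried top to bottom and the first match selects the policy, the cluster default applies when nothing matches, and inside a policy every configured condition must pass (AND). It also shows that a short image prefix such as redis matches any reference that starts with those characters. The class names, field names and the constructed scenario are this example's own assumptions about how to represent the page's concepts; the actual scan triggered by "Reject and Scan" is not modelled, only the decision.

```python
"""Added example (not Sysdig's code): a model of how the page says
Admission Controller assignments and policies are evaluated.

- Assignments are checked top to bottom; the first match selects the policy.
- If no assignment matches, the cluster default (Allow or Reject) applies.
- Inside a policy every configured condition must pass (AND); failing any
  one of them rejects the request.

Class and field names are this example's own, not the product's.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Options for the "Unscanned Image" rule, as described on the page.
IGNORE = "ignore"
REJECT = "reject"
REJECT_AND_SCAN = "reject_and_scan"


@dataclass
class Evaluation:
    """Result of the most recent scan of an image (None when never scanned)."""
    passed: bool
    age_days: int


@dataclass
class Policy:
    name: str
    reject_on_failure: bool = True        # "Evaluation Failure" rule
    max_age_days: Optional[int] = None    # "Evaluation Age" rule; None = not set
    unscanned: str = IGNORE               # "Unscanned Image" rule

    def decide(self, evaluation: Optional[Evaluation]) -> Tuple[bool, str]:
        """Apply all configured conditions with AND; return (admitted, reason)."""
        if evaluation is None:
            if self.unscanned == IGNORE:
                return True, "no evaluation; Unscanned Image rule ignored"
            if self.unscanned == REJECT_AND_SCAN:
                # The real controller also starts a scan here; only the decision is modelled.
                return False, "no evaluation; rejected and scan requested"
            return False, "no evaluation; rejected"
        if self.reject_on_failure and not evaluation.passed:
            return False, "scan evaluation failed"
        if self.max_age_days is not None and evaluation.age_days > self.max_age_days:
            return False, f"evaluation is {evaluation.age_days} days old, limit {self.max_age_days}"
        return True, "all conditions satisfied"


@dataclass
class Assignment:
    policy: Policy
    namespace: str = ""   # empty = any namespace
    prefix: str = ""      # empty = any image; otherwise a plain string prefix

    def matches(self, namespace: str, image: str) -> bool:
        ns_ok = not self.namespace or namespace == self.namespace
        return ns_ok and image.startswith(self.prefix)


class AdmissionController:
    def __init__(self, assignments: List[Assignment], default_allow: bool, enabled: bool = True):
        self.assignments = assignments      # ordered top to bottom
        self.default_allow = default_allow  # cluster default when nothing matches
        self.enabled = enabled              # Disabled = installed but not enforcing

    def select_policy(self, namespace: str, image: str) -> Optional[Policy]:
        """First matching assignment wins; None means the cluster default applies."""
        for assignment in self.assignments:
            if assignment.matches(namespace, image):
                return assignment.policy
        return None

    def admit(self, namespace: str, image: str, evaluation: Optional[Evaluation]) -> Tuple[bool, str]:
        if not self.enabled:
            return True, "admission controller disabled (not enforcing)"
        policy = self.select_policy(namespace, image)
        if policy is None:
            if self.default_allow:
                return True, "no assignment matched; default Allow"
            return False, "no assignment matched; default Reject"
        admitted, reason = policy.decide(evaluation)
        return admitted, f"{policy.name}: {reason}"


# Constructed scenario mirroring the page's example (assumed policy settings).
POLICY1 = Policy("Policy1", reject_on_failure=True, max_age_days=15)
POLICY2 = Policy("Policy2", reject_on_failure=True, unscanned=REJECT)
CONTROLLER = AdmissionController(
    assignments=[
        Assignment(POLICY1, namespace="kube-system"),   # Assignment 1
        Assignment(POLICY2, prefix="quay.io/myimage"),   # Assignment 2
    ],
    default_allow=False,                                 # Reject by default
)

if __name__ == "__main__":
    fresh_pass = Evaluation(passed=True, age_days=2)
    for ns, img in [("kube-system", "docker.io/myimage"),
                    ("kube-system", "quay.io/myimage"),
                    ("mynamespace", "quay.io/myimage"),
                    ("mynamespace", "docker.io/myimage")]:
        print(ns, img, CONTROLLER.admit(ns, img, fresh_pass))
```

Running the module prints the four decisions from the page's example. Note how POLICY1 rejects a passing image whose evaluation is 20 days old (the AND rule), and how the plain prefix "redis" matches both redis:latest and redis-exporter:1.0, which is why fully qualified prefixes are preferable where precision matters.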
Enable/Disable the Admission Controller
It is recommended to develop the policies and assignments while the Admission Controller is Disabled, then enable it on a staging cluster to test before enabling it in production.
When you are happy with the defined behavior:
Log in as Administrator to Sysdig Secure and select Image Scanning > Admission Controller | Policy Assignment.
Select the relevant cluster from the left side menu.
Slide the Admission Controller switch to Enabled.
Monitor any resulting events as usual.
Note: The Disable function can also be used to quickly stop the Admission Controller if unexpected behavior is detected that adversely affects the function of a cluster.