Admission Controller (CLI-Based)

Sysdig Admission Controller

Sysdig’s Admission Controller (UI-based) combines the Sysdig Secure image scanner with a policy language to evaluate scan results and the admission context, providing great flexibility in the admission decision. It also provides the first line of defense against image-based security threats.

By using Kubernetes API extensions to perform image scanning and other security checks on admission, we cover a major threat-prevention and hardening use case: “Only the images that are explicitly approved will be allowed to run on my cluster”.

The admission decision relies not only on the image name and tag but also on additional context from the admission review, including namespace, pod metadata, etc.

Features

• Registry and repository whitelist / blacklist

• Global and per-namespace admission configuration

• Configurable pre-scan and post-scan behavior, i.e.:

  • Accept only the images that pass the scan (default)

  • Directly reject non-whitelisted registries / repos, without scanning

  • Accept the image even if it doesn’t pass the scan

  • Do not accept any image that hasn’t been scanned already

• Pod mutation: image tag is replaced by digest to prevent TOCTOU (Time of Check, Time of Use) issue if the tag is updated between the scan and the pod scheduling

Requirements

• Helm 3

• Kubernetes 1.15 or higher

More Information

• Sysdig blog post