A UI-based Admission Controller is now available, and is not backward-compatible with the CLI-based version. We advise not installing the CLI-based version at this time.
Sysdig Admission Controller
Sysdig’s Admission Controller (UI-based) combines the Sysdig Secure image scanner with a policy language to evaluate scan results and the admission context, providing great flexibility in the admission decision. It also provides the first line of defense against image-based security threats.
By using Kubernetes API extensions to perform image scanning and other security checks on admission, we cover a major threat-prevention and hardening use case: “Only the images that are explicitly approved will be allowed to run on my cluster”.
The admission decision relies not only on the image name and tag but also on additional context from the admission review, including namespace, pod metadata, etc.
Registry and repository whitelist / blacklist
Global and per-namespace admission configuration
Configurable pre-scan and post-scan behavior, i.e.:
Accept only the images that pass the scan (default)
Directly reject non-whitelisted registries / repos, without scanning
Accept the image even if it doesn’t pass the scan
Do not accept any image that hasn’t been scanned already
Pod mutation: image tag is replaced by digest to prevent TOCTOU (Time of Check, Time of Use) issue if the tag is updated between the scan and the pod scheduling
Kubernetes 1.15 or higher