| | imageswap-webhook | connaisseur |
|---|---|---|
| | 1 | 3 |
| Stars | 146 | 419 |
| Growth | - | 0.7% |
| Activity | 5.9 | 9.0 |
| | 5 months ago | 7 days ago |
| Language | Python | Go |
| License | Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
imageswap-webhook
- Air gapped on prem install - what would you do?
We have on premise clusters built that only have access to internal sites, no access to the internet. We've done this with 2 versions of K8s. The first we used a tool that was created in house. The guy who built it put it up on GitHub. It is the imageswap web hook. I haven't kept up with it since we've stopped using it, but it used to take everything other than the image name and tag and swap it with whatever we set. So, something like "webdevops/toolbox:latest" would be changed to "registry.internal.org/images/toolbox:latest" if we set our registry and path to "registry.internal.org/images". Then we'd just stage all of the necessary images in that image registry. You could choose which namespaces to label to use the image swap and which to leave alone.
connaisseur
- Container security best practices: Comprehensive guide
We already mentioned Connaisseur Admission Controller as a way to enforce content trust and reject images that are not signed by trusted sources.
- GitHub - sse-secure-systems/connaisseur: An admission controller that integrates Container Image Signature Verification into a Kubernetes cluster
- Making the Internet more secure one signed container at a time
Admission Controller was based on Connaisseur, heavily modified to work with v2 instead of v1 signatures.
What are some alternatives?
prom2teams - prom2teams is an HTTP server built with Python that receives alert notifications from a previously configured Prometheus Alertmanager instance and forwards it to Microsoft Teams using defined connectors
cosign - Code signing and transparency for containers and binaries
zarf - DevSecOps for Air Gap & Limited-Connection Systems. https://zarf.dev/
gatekeeper - 🐊 Gatekeeper - Policy Controller for Kubernetes
talos - Talos Linux is a modern Linux distribution built for Kubernetes.
enhancements - Enhancements tracking repo for Kubernetes
gatekeeper-library - 📚 The OPA Gatekeeper policy library
magtape - MagTape Policy-as-Code for Kubernetes
cfn_nag - Linting tool for CloudFormation templates
match - 🔮 Scalable reverse image search built on Kubernetes and Elasticsearch
another-ldap - Another LDAP is a form-based authentication for Active Directory / LDAP server. Provides Authentication and Authorization for your applications running in Kubernetes.
kube-bench - Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark