In December, I introduced an admission controller for Kubernetes that gates pod execution based on Anchore analysis and policy evaluation of image content. It supports three modes of operation, letting you tune the trade-off between control and intrusiveness for your environments.
Our focus at Anchore is analyzing, validating, and evaluating Docker images against custom policies to give users visibility into, control of, and confidence in their container images before they ever execute. And it's open source. In this post, I'll show how to use the new Anchore admission controller for Kubernetes to gate execution of Docker images according to criteria expressed in Anchore policies, such as security vulnerabilities, package manifests, image build instructions, image source, and the other aspects of image content that Anchore Engine can expose via policy.
Anchore provides the ability to inspect, query, and apply policies to container images prior to deployment in a Kubernetes cluster without impacting normal operations. To show how Anchore complements Kubernetes and integrates into its delivery workflow, we’ve written the following whitepaper.