kube-review

Simple command line utility to transform a provided Kubernetes resource into a Kubernetes AdmissionReview request, as sent from the Kubernetes API server when dynamic admission control (i.e. webhook) is configured.

deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx
        name: nginx
        ports:
        - containerPort: 8080

Command

$ kube-review create deployment.yaml

Output

{
    "kind": "AdmissionReview",
    "apiVersion": "admission.k8s.io/v1",
    "request": {
        "uid": "2024ee9c-c374-413c-838d-e62bcb4826be",
        "kind": {
            "group": "apps",
            "version": "v1",
            "kind": "Deployment"
        },
        "resource": {
            "group": "apps",
            "version": "v1",
            "resource": "deployments"
        },
        "requestKind": {
            "group": "apps",
            "version": "v1",
            "kind": "Deployment"
        },
        "requestResource": {
            "group": "apps",
            "version": "v1",
            "resource": "deployments"
        },
        "name": "nginx",
        "operation": "CREATE",
        "userInfo": {
            "username": "kube-review",
            "uid": "611a19d7-6aa5-47d2-bba3-8c5df2bffbc7"
        },
        "object": {
            "kind": "Deployment",
            "apiVersion": "apps/v1",
            "metadata": {
                "name": "nginx",
                "creationTimestamp": null,
                "labels": {
                    "app": "nginx"
                }
            },
            "spec": {
                "selector": {
                    "matchLabels": {
                        "app": "nginx"
                    }
                },
                "template": {
                    "metadata": {
                        "creationTimestamp": null,
                        "labels": {
                            "app": "nginx"
                        }
                    },
                    "spec": {
                        "containers": [
                            {
                                "name": "nginx",
                                "image": "nginx",
                                "ports": [
                                    {
                                        "containerPort": 8080
                                    }
                                ],
                                "resources": {}
                            }
                        ]
                    }
                },
                "strategy": {}
            },
            "status": {}
        },
        "oldObject": null,
        "dryRun": true,
        "options": {
            "kind": "CreateOptions",
            "apiVersion": "meta.k8s.io/v1"
        }
    }
}

Why?

Installation

Find the latest release for your platform on the release page. Once downloaded, rename the binary to kube-review (or kube-review.exe on Windows if not using WSL), make it executable, and put it somewhere on your $PATH.

Running kube-review

kube-review create can either be given a filename containing the resource to build an admission review for, or read the resource from stdin. Reading from stdin makes it easy to pipe resources straight from a kube cluster into kube-review.

Command

$ kubectl get service gatekeeper-webhook-service -o yaml | kube-review create --action update

Output

{
    "kind": "AdmissionReview",
    "apiVersion": "admission.k8s.io/v1",
    "request": {
        "uid": "b42420d7-5cc2-4644-992f-72ff67dc2889",
        "kind": {
            "group": "",
            "version": "v1",
            "kind": "Service"
        },
        "name": "gatekeeper-webhook-service",
        "namespace": "gatekeeper-system",
        "operation": "UPDATE",
        "userInfo": {
            "username": "kube-review",
            "uid": "42eac911-a8ec-4d72-9eb1-e6c466328085"
        },
        "...": "..."
    }
}

Command line options

Name        Type    Default      Description
--action    string  create       Type of operation to apply in admission review (create, update, delete, connect)
--as        string  kube-review  Name of user or service account for userInfo attributes
--as-group  string  none         Name of group this user or service account belongs to. May be repeated for multiple groups

The action provided has the following effects on the produced AdmissionReview object:

Using with Open Policy Agent

Assuming we have a policy that denies any deployment where the number of replicas is either undefined or below two:

package admission

deny["Deployment must have at least 2 replicas"] {
    input.request.object.spec.replicas < 2
}

deny["Deployment must define number of replicas explicitly"] {
    not input.request.object.spec.replicas
}

We could either run kube-review with a deployment from disk, and pipe the output into opa eval:

Command

$ kube-review create deployment.yaml \
| opa eval --format pretty --stdin-input --data policy.rego data.admission.deny

Output

[
  "Deployment must define number of replicas explicitly"
]

Or we could run the policy against any resource in our cluster in the same manner:

Command

$ kubectl get deployment my-microservice -o yaml \
| kube-review create \
| opa eval --format pretty --stdin-input --data policy.rego data.admission.deny

Output

[
  "Deployment must have at least 2 replicas"
]

Alternatively, we could use curl to send the data into a running OPA server:

Command

$ kubectl get deployment my-microservice -o yaml \
| kube-review create \
| curl --data-binary "@-" http://localhost:8181/v0/data/admission/deny

Output

[
    "Deployment must define number of replicas explicitly"
]

If your policies are written for OPA Gatekeeper, simply rename the request object in the admission request to review:

$ kube-review create deployment.yaml \
| opa eval --format pretty --stdin-input '{"review": input.request}' \
| opa eval --format pretty --stdin-input --data policy.rego data.admission.deny
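The following is an added example, not code from kube-review itself: a small Python stand-in that wraps a parsed manifest into the same admission.k8s.io/v1 AdmissionReview shape shown above (honouring --action, --as and --as-group) and checks it against a Python twin of the two Rego deny rules, so a policy can be unit-tested without a cluster or an OPA binary. The resource plural (kind lower-cased plus "s"), the options kind for update/delete, and the sample manifest are assumptions made here.

```python
import json
import uuid

# Constructed sample: the page's nginx Deployment, already parsed from YAML
# into a dict so this runs without PyYAML. It defines no replicas on purpose.
NGINX_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "nginx", "labels": {"app": "nginx"}},
    "spec": {
        "selector": {"matchLabels": {"app": "nginx"}},
        "template": {
            "metadata": {"labels": {"app": "nginx"}},
            "spec": {"containers": [{"name": "nginx", "image": "nginx",
                                     "ports": [{"containerPort": 8080}]}]},
        },
    },
}

# Assumed mapping from --action to the meta.k8s.io/v1 options kind; the page
# only shows CreateOptions for "create". "connect" carries no options here.
OPTIONS_KIND = {"create": "CreateOptions", "update": "UpdateOptions",
                "delete": "DeleteOptions"}


def build_admission_review(obj, action="create", user="kube-review", groups=()):
    """Wrap a parsed manifest into an AdmissionReview like kube-review emits."""
    group, _, version = obj["apiVersion"].rpartition("/")   # "v1" -> group ""
    gvk = {"group": group, "version": version, "kind": obj["kind"]}
    # Naive plural; a real API server resolves this via the discovery document.
    gvr = {"group": group, "version": version, "resource": obj["kind"].lower() + "s"}
    request = {
        "uid": str(uuid.uuid4()),
        "kind": gvk, "resource": gvr, "requestKind": gvk, "requestResource": gvr,
        "name": obj["metadata"]["name"],
        "operation": action.upper(),
        "userInfo": {"username": user, "uid": str(uuid.uuid4()), "groups": list(groups)},
        "object": obj,
        "oldObject": None,   # a real UPDATE/DELETE would carry the previous object
        "dryRun": True,
    }
    if "namespace" in obj["metadata"]:
        request["namespace"] = obj["metadata"]["namespace"]
    if action in OPTIONS_KIND:
        request["options"] = {"kind": OPTIONS_KIND[action], "apiVersion": "meta.k8s.io/v1"}
    return {"kind": "AdmissionReview", "apiVersion": "admission.k8s.io/v1", "request": request}


def replica_violations(review):
    """Python twin of the page's two Rego deny rules, for offline policy tests."""
    spec = review["request"]["object"].get("spec", {})
    if "replicas" not in spec:                     # Rego: not ...spec.replicas
        return ["Deployment must define number of replicas explicitly"]
    if spec["replicas"] < 2:                       # Rego: ...spec.replicas < 2
        return ["Deployment must have at least 2 replicas"]
    return []


if __name__ == "__main__":
    print(json.dumps(build_admission_review(NGINX_DEPLOYMENT), indent=4))
```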

Limitations