Custodian Kubernetes Support
Cloud Custodian can run policies directly inside your cluster, reporting on resources that violate those policies, or blocking them altogether.
Running the server
c7n-kates can be run and installed via poetry. poetry install && poetry run c7n-kates
.
name | default | description |
---|---|---|
--host | 127.0.0.1 | (optional) The host that the server should listen on. |
--port | 8800 | (optional) The port the server will listen on. |
--policy-dir | Path to the policy directory. | |
--on-exception | warn | Action to take on an internal exception. One of: warn, deny. |
--cert | Path to the certificate. | |
--ca-cert | Path to the CA's certificate. | |
--cert-key | Path to the certificate's key. |
Generate a MutatingWebhookConfiguration
After the server is running, you’ll need to configure and install the
MutatingWebhookConfiguration manually. To generate a webhook configuration, you
can run poetry run c7n-kates --generate --endpoint $ENDPOINT_URL --policy-dir $DIR
, and
it will generate an appropriate configuration for you, based on your policies.
Note: some modification of the webhook configuration may be required. See the documentation on webhooks for more configuration.
Development
You can use skaffold to
assist with testing and debugging this controller. Run skaffold dev
in this
folder to deploy the local container into a local kubernetes cluster. It will
automatically redeploy it as files change.