To fulfill the task, the ImagePolicyWebhook admission controller must be enabled in the kube-apiserver configuration, and the API server must be pointed to the admission configuration file using the --admission-control-config-file flag.

The core of the solution involves editing the image policy configuration file referenced by the main admission configuration. Within this file, setting the defaultAllow field to false establishes an "implicit deny" policy. This ensures that any image review request that is not explicitly approved by the webhook service is rejected. The webhook's own configuration (kubeconfig) must also be updated to point to the correct scanner endpoint: https://wakanda.local:8081/imagepolicy.

1. Kubernetes Documentation

"ImagePolicyWebhook": This official documentation details the configuration for the ImagePolicyWebhook admission controller. It specifies the structure of the configuration file and explicitly defines the defaultAllow field.

Source: Kubernetes Authors

"Using Admission Controllers"

Kubernetes Documentation.

Reference: Section: "ImagePolicyWebhook"

subsection on configuration file structure. The documentation states

"defaultAllow governs the behavior when the webhook backend fails. By default

it is allowed." Setting it to false creates the required implicit deny.

Location: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook

2. Kubernetes API Reference

AdmissionConfiguration v1: This document defines the AdmissionConfiguration object

which is used to configure admission control plugins. It shows how to specify the path to the plugin-specific configuration file.

Source: Kubernetes Authors

"API Server Configuration (apiserver.config.k8s.io/v1)"

Kubernetes API Reference.

Reference: AdmissionConfiguration object definition

plugins.path field.

Location: https://kubernetes.io/docs/reference/config-api/apiserver-config.v1/#apiserver-config-k8s-io-v1-AdmissionConfiguration