Merge pull request #46264 from Q-Lee/annotate

Automatic merge from submit-queue (batch tested with PRs 46681, 46786, 46264, 46680, 46805) Add annotation for image policy webhook fail open. **What this PR does / why we need it**: there's no good way to audit log if binary verification fails open. Adding an annotation can solve that, and provide a useful tool to audit [non-malicious] containers. **Release note**: add the annotation "alpha.image-policy.k8s.io/failed-open=true" to pods created when the image policy webhook fails open. ```release-note Add the `alpha.image-policy.k8s.io/failed-open=true` annotation when the image policy webhook encounters an error and fails open. ```
kubernetes · Jun 4, 2017 · 0970216 · 0970216
2 parents 54994b1 + a38c2b4
commit 0970216
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 6 deletions.
diff --git a/pkg/api/annotation_key_constants.go b/pkg/api/annotation_key_constants.go
@@ -19,6 +19,10 @@ limitations under the License.
 package api
 
 const (
+ // ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
+ // webhook backend fails.
+ ImagePolicyFailedOpenKey string = "alpha.image-policy.k8s.io/failed-open"
+
  // MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods
  MirrorPodAnnotationKey string = "kubernetes.io/config.mirror"
 

diff --git a/pkg/api/v1/annotation_key_constants.go b/pkg/api/v1/annotation_key_constants.go
@@ -19,6 +19,10 @@ limitations under the License.
 package v1
 
 const (
+ // ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
+ // webhook backend fails.
+ ImagePolicyFailedOpenKey string = "alpha.image-policy.k8s.io/failed-open"
+
  // MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods
  MirrorPodAnnotationKey string = "kubernetes.io/config.mirror"
 

diff --git a/plugin/pkg/admission/imagepolicy/admission.go b/plugin/pkg/admission/imagepolicy/admission.go
@@ -89,10 +89,16 @@ func (a *imagePolicyWebhook) filterAnnotations(allAnnotations map[string]string)
 }
 
 // Function to call on webhook failure; behavior determined by defaultAllow flag
-func (a *imagePolicyWebhook) webhookError(attributes admission.Attributes, err error) error {
+func (a *imagePolicyWebhook) webhookError(pod *api.Pod, attributes admission.Attributes, err error) error {
  if err != nil {
  glog.V(2).Infof("error contacting webhook backend: %s", err)
  if a.defaultAllow {
+ annotations := pod.GetAnnotations()
+ if annotations == nil {
+ annotations = make(map[string]string)
+ }
+ annotations[api.ImagePolicyFailedOpenKey] = "true"
+ pod.ObjectMeta.SetAnnotations(annotations)
  glog.V(2).Infof("resource allowed in spite of webhook backend failure")
  return nil
  }
@@ -134,13 +140,13 @@ func (a *imagePolicyWebhook) Admit(attributes admission.Attributes) (err error)
  Namespace: attributes.GetNamespace(),
  },
  }
- if err := a.admitPod(attributes, &imageReview); err != nil {
+ if err := a.admitPod(pod, attributes, &imageReview); err != nil {
  return admission.NewForbidden(attributes, err)
  }
  return nil
 }
 
-func (a *imagePolicyWebhook) admitPod(attributes admission.Attributes, review *v1alpha1.ImageReview) error {
+func (a *imagePolicyWebhook) admitPod(pod *api.Pod, attributes admission.Attributes, review *v1alpha1.ImageReview) error {
  cacheKey, err := json.Marshal(review.Spec)
  if err != nil {
  return err
@@ -153,15 +159,15 @@ func (a *imagePolicyWebhook) admitPod(attributes admission.Attributes, review *v
  })
 
  if err := result.Error(); err != nil {
- return a.webhookError(attributes, err)
+ return a.webhookError(pod, attributes, err)
  }
  var statusCode int
  if result.StatusCode(&statusCode); statusCode < 200 || statusCode >= 300 {
- return a.webhookError(attributes, fmt.Errorf("Error contacting webhook: %d", statusCode))
+ return a.webhookError(pod, attributes, fmt.Errorf("Error contacting webhook: %d", statusCode))
  }
 
  if err := result.Into(review); err != nil {
- return a.webhookError(attributes, err)
+ return a.webhookError(pod, attributes, err)
  }
 
  a.responseCache.Add(string(cacheKey), review.Status, a.statusTTL(review.Status))

diff --git a/staging/src/k8s.io/client-go/pkg/api/annotation_key_constants.go b/staging/src/k8s.io/client-go/pkg/api/annotation_key_constants.go
@@ -19,6 +19,10 @@ limitations under the License.
 package api
 
 const (
+ // ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
+ // webhook backend fails.
+ ImagePolicyFailedOpenKey string = "alpha.image-policy.k8s.io/failed-open"
+
  // MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods
  MirrorPodAnnotationKey string = "kubernetes.io/config.mirror"
 

diff --git a/staging/src/k8s.io/client-go/pkg/api/v1/annotation_key_constants.go b/staging/src/k8s.io/client-go/pkg/api/v1/annotation_key_constants.go
@@ -19,6 +19,10 @@ limitations under the License.
 package v1
 
 const (
+ // ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
+ // webhook backend fails.
+ ImagePolicyFailedOpenKey string = "alpha.image-policy.k8s.io/failed-open"
+
  // MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods
  MirrorPodAnnotationKey string = "kubernetes.io/config.mirror"