chore: Authenticating api server against webhook #2359
Conversation
Codecov Report: Base: 53.58% // Head: 53.44% // Decreases project coverage (see diff below).
@@ Coverage Diff @@
## master #2359 +/- ##
==========================================
- Coverage 53.58% 53.44% -0.15%
==========================================
Files 117 117
Lines 10229 10230 +1
==========================================
- Hits 5481 5467 -14
- Misses 4331 4343 +12
- Partials 417 420 +3
Thank you for the PR! I'm glad to have the ground work for verifying the K8s API server.
One thought around decoupling this from disabling cert rotation.
website/docs/externaldata.md
Outdated
|
||
To have requests coming from apiserver authenticated by webhook, following configuration can be made: | ||
|
||
1. Deploy gatekeeper with cert rotator disabled and with a client ca name. Provide name of the client ca with the flag `--client-cert-name`. The same name will be used to read certificate from the webhook secret. The webhook will only authenticate apiserver requests if both - cert rotator disabled and client ca name is provided with flag - of the criteria are met. |
Is there a reason cert rotation needs to be disabled for this to work? Is there a way to make this orthogonal? Maybe store the cert in a separate secret/configmap (IIUI WRT secret vs. configmap the cert is not sensitive)
Interesting. Why can't we use the same secret? Does the cert rotator delete and create a new secret while rotating the cert, or does it just update the whole data field, making it impossible to persist manually added entries to the data map?
TBH I can't remember how cert-rotator behaves, but I wouldn't be surprised if it clobbered the whole data field.
In any case, if we could use the same secret I'd still like to enable/disable either option separately for operational flexibility.
Looks like the cert rotator is not rewriting the whole data map blindly, so we should be able to use the same secret.
pkg/webhook/mutation.go
Outdated
@@ -90,6 +90,9 @@ func AddMutatingWebhook(mgr manager.Manager, deps Dependencies) error { | |||
} | |||
server := mgr.GetWebhookServer() | |||
server.TLSMinVersion = *tlsMinVersion | |||
if *DisableCertRotation && *clientCAName != "" { | |||
server.ClientCAName = *clientCAName |
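Review bot: the guard `if *DisableCertRotation && *clientCAName != ""` makes client-certificate verification of the apiserver depend on cert rotation being switched off, so an operator who keeps rotation on has no way to turn verification on; unless the rotator clobbers the other keys of the secret, the two settings are independent and the condition can be just `if *clientCAName != "" {`. Note also that `ClientCAName` is set on the shared server returned by `mgr.GetWebhookServer()` but only from `AddMutatingWebhook`, so it will silently stay unset when the mutation webhook is disabled; applying it once where the server is configured for all webhooks avoids that gap.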
We should also add this to the policy.go webhook file, in case the user has disabled the mutation webhook (or refactor the initialization pipeline so we set global server configurations in a single place).
Should we also add this to namespacelabel.go as well?
+1 good call
charts/gatekeeper/values.yaml
Outdated
@@ -145,6 +145,7 @@ controllerManager: | |||
priorityClassName: system-cluster-critical | |||
disableCertRotation: false | |||
tlsMinVersion: 1.3 | |||
certName: "" |
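Review bot: `certName: ""` is ambiguous next to the existing TLS settings in this block, since it reads as the name of the serving certificate while the flag it feeds selects the CA used to verify the apiserver's client certificate; name the value after its purpose (for example `clientCAName: ""`) so the chart value, the command-line flag and the Go variable line up, and add a comment saying it only has an effect when the matching key exists in the webhook secret.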
No need to modify this value, it will get updated automatically on the next release.
@@ -145,6 +145,7 @@ controllerManager: | |||
priorityClassName: system-cluster-critical | |||
disableCertRotation: false | |||
tlsMinVersion: 1.3 | |||
certName: "" |
This will need to be set here in order to prevent this value from being clobbered:
see https://open-policy-agent.github.io/gatekeeper/website/docs/help/#contributing-to-helm-chart for more info
@@ -145,6 +145,7 @@ controllerManager: | |||
priorityClassName: system-cluster-critical | |||
disableCertRotation: false | |||
tlsMinVersion: 1.3 | |||
certName: "" |
let's call this
certName: "" | |
clientCAName: "" |
pkg/webhook/common.go
Outdated
@@ -59,6 +59,8 @@ var ( | |||
emitAdmissionEvents = flag.Bool("emit-admission-events", false, "(alpha) emit Kubernetes events in gatekeeper namespace for each admission violation") | |||
tlsMinVersion = flag.String("tls-min-version", "1.3", "minimum version of TLS supported") | |||
serviceaccount = fmt.Sprintf("system:serviceaccount:%s:%s", util.GetNamespace(), serviceAccountName) | |||
clientCAName = flag.String("client-cert-name", "", "name of the client certificate to authenticate apiserver requrest against") |
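Review bot: the flag is called `client-cert-name` and described as "the client certificate", but the variable is `clientCAName` and the value is used as the CA bundle that verifies the apiserver's client certificate, so the name and help text describe a different artifact than the one the code reads; consider `--client-ca-name` with a description such as "name of the client CA certificate (key in the webhook secret) used to verify apiserver requests", and fix the typo "requrest" while touching the line.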
clientCAName = flag.String("client-cert-name", "", "name of the client certificate to authenticate apiserver requrest against") | |
clientCAName = flag.String("client-cert-name", "", "name of the client certificate to authenticate apiserver request against") |
Good catch!
f0def98 to edb9df1 (Compare)
Minor nits, but other than that LGTM!
main.go
Outdated
@@ -194,7 +193,7 @@ func main() { | |||
|
|||
// Make sure certs are generated and valid if cert rotation is enabled. | |||
setupFinished := make(chan struct{}) | |||
if !*disableCertRotation { | |||
if !*webhook.DisableCertRotation { |
nit: I would leave this flag in main.go since that is where the value is consumed (and it looks like webhooks no longer use this value)
website/docs/externaldata.md
Outdated
|
||
To have requests coming from apiserver authenticated by webhook, following configuration can be made: | ||
|
||
1. Deploy gatekeeper a client ca name. Provide name of the client ca with the flag `--client-cert-name`. The same name will be used to read certificate from the webhook secret. The webhook will only authenticate apiserver requests if both client ca name is provided with flag. |
nit "ca" -> "CA"
website/docs/externaldata.md
Outdated
namespace: gatekeeper-system | ||
type: Opaque | ||
``` | ||
3. You will need to make sure that apiserver includes appropriate certificate while sending requests to apiserver, otherwise webhook will not accept these requests and will log error of `tls client didn't provide a certificate`. To make sure apiserver attaches correct certificate to requests being sent to webhook, you must specify the location of the admission control configuration file via the `--admission-control-config-file` flag while starting apiserver. Here is an example admission control configuration file |
nit: add a colon (:) at the end of the line
website/docs/externaldata.md
Outdated
clusters: | ||
- cluster: | ||
certificate-authority-data: <clientca.crt> # same value as provided in gatekeeper webhook secret's clientca.crt | ||
server: https://gatekeeper-webhook-service.gatekeeper-system.svc:443 |
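Review bot: the comment on `certificate-authority-data` points readers at the wrong certificate. In a kubeconfig `cluster` entry that field is the CA bundle the apiserver uses to verify the webhook's serving certificate; the `clientca.crt` stored in the webhook secret is what the webhook uses to verify the apiserver's client certificate. The two are the same bytes only if one CA issues both the serving and the client certificates, so either say so explicitly or tell readers to put the CA that signed the webhook serving cert here. The certificate the apiserver presents, which is what the `tls: client didn't provide a certificate` error is about, belongs in the kubeconfig's `users[].user.client-certificate-data` and `client-key-data`, and the example should show that part too.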
Can we add a note about the service or namespace name, and that it should be updated if it's different?
website/docs/externaldata.md
Outdated
metadata: | ||
... | ||
name: gatekeeper-webhook-server-cert | ||
namespace: gatekeeper-system |
let's update here too re: name and namespace
@@ -145,6 +145,7 @@ controllerManager: | |||
priorityClassName: system-cluster-critical | |||
disableCertRotation: false | |||
tlsMinVersion: 1.3 | |||
clientCAName: "" |
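Review bot: a new key in values.yaml has no effect on its own; the deployment template also has to render it into the manager's arguments (something like `--client-cert-name={{ .Values.controllerManager.clientCAName }}`, adjusted to however this chart passes its other flags), otherwise `clientCAName` is a silent no-op for chart users and the webhook keeps accepting requests without a client certificate while the operator believes verification is on.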
do we need to update the helm chart to set this value?
Yip! Missed that. Updating chart as well
Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>
LGTM
LGTM, thank you for the PR!
website/docs/externaldata.md
Outdated
|
||
To have requests coming from apiserver authenticated by webhook, following configuration can be made: | ||
|
||
1. Deploy gatekeeper a client CA name. Provide name of the client ca with the flag `--client-cert-name`. The same name will be used to read certificate from the webhook secret. The webhook will only authenticate apiserver requests if both client ca name is provided with flag. |
1. Deploy gatekeeper a client CA name. Provide name of the client ca with the flag `--client-cert-name`. The same name will be used to read certificate from the webhook secret. The webhook will only authenticate apiserver requests if both client ca name is provided with flag. | |
1. Deploy gatekeeper with a client CA cert name. Provide name of the client CA with the flag `--client-cert-name`. The same name will be used to read certificate from the webhook secret. The webhook will only authenticate apiserver requests if both client CA name is provided with flag. |
if both client CA name is provided with flag
what do you mean by "both" here?
Ohh! "both" isn't supposed to be here.
website/docs/externaldata.md
Outdated
namespace: <gatekeeper-namespace> | ||
type: Opaque | ||
``` | ||
3. You will need to make sure that apiserver includes appropriate certificate while sending requests to apiserver, otherwise webhook will not accept these requests and will log error of `tls client didn't provide a certificate`. To make sure apiserver attaches correct certificate to requests being sent to webhook, you must specify the location of the admission control configuration file via the `--admission-control-config-file` flag while starting apiserver. Here is an example admission control configuration file: |
3. You will need to make sure that apiserver includes appropriate certificate while sending requests to apiserver, otherwise webhook will not accept these requests and will log error of `tls client didn't provide a certificate`. To make sure apiserver attaches correct certificate to requests being sent to webhook, you must specify the location of the admission control configuration file via the `--admission-control-config-file` flag while starting apiserver. Here is an example admission control configuration file: | |
3. You will need to make sure that apiserver includes appropriate certificate while sending requests to the webhook, otherwise webhook will not accept these requests and will log error of `tls client didn't provide a certificate`. To make sure apiserver attaches correct certificate to requests being sent to webhook, you must specify the location of the admission control configuration file via the `--admission-control-config-file` flag while starting apiserver. Here is an example admission control configuration file: |
website/docs/externaldata.md
Outdated
|
||
### Authenticate API server against Webhook (Self managed kube cluster only) | ||
|
||
To have requests coming from apiserver authenticated by webhook, following configuration can be made: |
To have requests coming from apiserver authenticated by webhook, following configuration can be made: | |
To ensure a request to the Gatekeeper webhook is coming from the api server, Gatekeeper needs to validate the client cert in the request. To enable authenticate api server, the following configuration can be made: |
To clarify, this issue addresses the first bullet of #1294 to do this manually. Might be good to add a comment that currently there is no way to do this automatically and for managed k8s.
Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>
Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>
LGTM
Signed-off-by: Jaydip Gabani gabanijaydip@gmail.com
What this PR does / why we need it:
To authenticate incoming requests from api-server to webhook
Which issue(s) this PR fixes (optional, using `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when the PR gets merged):
Fixes #1294
Special notes for your reviewer: