docs: adding doc to enable apiserver authentication in versioned docs #2378
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ritazh
reviewed
Nov 1, 2022
|
|
||
| 1. Deploy gatekeeper with a client CA cert name. Provide name of the client CA with the flag `--client-cert-name`. The same name will be used to read certificate from the webhook secret. The webhook will only authenticate apiserver requests if client CA name is provided with flag. | ||
|
|
||
| 2. You will need to patch the webhook secret manually to attach client ca crt. Update secret `gatekeeper-webhook-server-cert` to include `clientca.crt`. Key name `clientca.crt` should match the name passed with `--client-cert-name` flag. |
There was a problem hiding this comment.
I should have asked this in the previous PR, should we include openssl cmds here to show how to generate clientca.crt?
There was a problem hiding this comment.
aren't we using apiserver's cert here so we don't want to generate?
There was a problem hiding this comment.
Yes we are! May be to make it unambiguous we could say attach apiserver's client ca crt 🤔
acpana
reviewed
Nov 4, 2022
|
|
||
| ### Authenticate API server against Webhook (Self managed K8s cluster only) | ||
|
|
||
| **Note:** To enable authenticate api server requires modifying cluster resources that may not be possible in managed K8s cluster |
There was a problem hiding this comment.
Suggested change
| **Note:** To enable authenticate api server requires modifying cluster resources that may not be possible in managed K8s cluster | |
| **Note:** To enable authenticating the api server you have to be able to modify cluster resources. This may not be possible for managed K8s clusters. |
maxsmythe
reviewed
Nov 8, 2022
| namespace: <gatekeeper-namespace> | ||
| type: Opaque | ||
| ``` | ||
| 3. You will need to make sure that apiserver includes appropriate certificate while sending requests to the webhook, otherwise webhook will not accept these requests and will log error of `tls client didn't provide a certificate`. To make sure apiserver attaches correct certificate to requests being sent to webhook, you must specify the location of the admission control configuration file via the `--admission-control-config-file` flag while starting apiserver. Here is an example admission control configuration file: |
There was a problem hiding this comment.
"to make sure the K8s API Server"
maxsmythe
reviewed
Nov 8, 2022
| @@ -449,3 +449,71 @@ server := &http.Server{ | |||
| ``` | |||
|
|
|||
| 2. If `cert-controller` is disabled via the `--disable-cert-rotation` flag, you can use a cluster-wide, well-known CA certificate for Gatekeeper so that your external data provider can trust it without being deployed to the `gatekeeper-system` namespace. | |||
|
|
|||
| ### Authenticate API server against Webhook (Self managed K8s cluster only) | |||
maxsmythe
reviewed
Nov 8, 2022
|
|
||
| **Note:** To enable authenticate api server requires modifying cluster resources that may not be possible in managed K8s cluster | ||
|
|
||
| To ensure a request to the Gatekeeper webhook is coming from the api server, Gatekeeper needs to validate the client cert in the request. To enable authenticate api server, the following configuration can be made: |
JaydipGabani
force-pushed
the
master
branch
2 times, most recently
from
5a7c62f to
b6af7a3
Compare
maxsmythe
approved these changes
Nov 9, 2022
|
|
||
| To ensure a request to the Gatekeeper webhook is coming from the API server, Gatekeeper needs to validate the client cert in the request. To enable authenticate API server, the following configuration can be made: | ||
|
|
||
| 1. Deploy gatekeeper with a client CA cert name. Provide name of the client CA with the flag `--client-cert-name`. The same name will be used to read certificate from the webhook secret. The webhook will only authenticate API server requests if client CA name is provided with flag. |
Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>
Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>
sozercan
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: Jaydip Gabani gabanijaydip@gmail.com
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, using
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when the PR gets merged):Fixes #
Special notes for your reviewer: