Use a namespace selector for admission webhook
This prevents the webhook from being called for the Portieris install namespace, which means that Portieris can recover itself in the case of cluster failure.

Without this, an approval from the Portieris webhook is needed to okay scaling itself up. This means that with no pods available, the webhook can't approve the recovery of any Portieris pods, and so the cluster deadlocks.

This change gives the Portieris chart ownership of the portieris install namespace, and labels it in such a way that we can filter for it in the webhook config.

It's configured as an opt-out, rather than Istio's, which is an opt-in. All namespaces without the label are fair game.

By adding the namespace into the chart, it'll be deleted by Helm when the chart gets removed. And adding the label selector means that the label could be added to other namespaces to bypass Portieris. Both of these potential issues have been documented in the readme.

#112
molepigeon committed Aug 20, 2020
1 parent 850f87d commit a8dbe38
Showing 3 changed files with 19 additions and 1 deletion.
5 changes: 4 additions & 1 deletion README.md
Expand Up @@ -39,7 +39,8 @@ To install Portieris in the default namespace (portieris):
* Run `./helm/portieris/gencerts`. The `gencerts` script generates new SSL certificates and keys for Portieris. Portieris presents this certificates to the Kubernetes API server when the API server makes admission requests. If you do not generate new certificates, it could be possible for an attacker to spoof Portieris in your cluster.
* Run `helm install portieris --create-namespace --namespace portieris helm/portieris`. `portieris` is the default namespace defined in the charts' `values.yaml` file.

To use an alternative namespace:
You can also use a different namespace if you choose. The Portieris install creates the namespace automatically, and the namespace will be deleted if you uninstall the Portieris chart, so make sure that Portieris is the only thing running in that namespace! To use an alternative namespace:

* Run `./helm/portieris/gencerts <namespace>`.
* Run `helm install portieris --create <namespace> --namespace <namespace> --set namespace=<namespace> helm/portieris`.

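Review bot: the `helm install` command on the alternative-namespace line passes `--create <namespace>`, which is not a Helm flag; the default-namespace instruction above uses `--create-namespace`. Suggest `helm install portieris --create-namespace --namespace <namespace> --set namespace=<namespace> helm/portieris` so both paths are consistent. While touching this section, the unchanged `gencerts` line reads "this certificates" and should be "these certificates".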
Expand All @@ -60,6 +61,8 @@ Image security policies define Portieris' behavior in your cluster. You must con

You can configure Kubernetes RBAC rules to define which users and applications have the ability to modify your security policies. For more information, see the [IBM Cloud docs](https://cloud.ibm.com/docs/services/Registry?topic=registry-security_enforce#assign_user_policy).

You can prevent Portieris' admission webhook from being called in specific namespaces by labelling the namespace with `securityenforcement.admission.cloud.ibm.com/namespace: skip`. Doing so would allow pods in that namespace to recover when the admission webhook is down, but note that no policies are applied in that namespace. For example, the Portieris install namespace is configured with this label to allow Portieris itself to recover when it is down. Make sure to control who can add labels to namespaces and who can access namespaces with this label so that a malicious party cannot use this label to bypass Portieris.

## Reporting security issues

To report a security issue, DO NOT open an issue. Instead, send your report via email to alchreg@uk.ibm.com privately.
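Review bot: the new paragraph documents the bypass risk but gives operators no way to audit it; suggest adding a one-liner that lists the namespaces currently exempt, e.g. `kubectl get namespaces -l securityenforcement.admission.cloud.ibm.com/namespace=skip`, and tying the "control who can add labels" advice to the RBAC section above by naming the permission involved (`patch`/`update` on `namespaces`), since that is what lets someone add the label.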
6 changes: 6 additions & 0 deletions helm/portieris/templates/admission-webhooks/webhooks.yaml
Expand Up @@ -29,4 +29,10 @@ webhooks:
apiVersions: ["*"]
resources: ["pods", "deployments", "replicationcontrollers", "replicasets", "daemonsets", "statefulsets", "jobs", "cronjobs"]
failurePolicy: Fail
namespaceSelector:
matchExpressions:
- key: securityenforcement.admission.cloud.ibm.com/namespace
operator: NotIn
values:
- skip
{{ end }}
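Review bot: the `NotIn` expression matches namespaces that lack the label key entirely as well as those carrying any value other than `skip`, which is the intended opt-out semantics but is easy to misread as "only labelled namespaces are checked"; suggest a comment above `namespaceSelector:` stating this and the self-recovery rationale from the commit message so a later edit does not flip it to `In` or `Exists`. With `failurePolicy: Fail` unchanged, every namespace outside the exemption still blocks on a webhook outage, which is the desired behaviour and worth stating in the same comment.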
9 changes: 9 additions & 0 deletions helm/portieris/templates/namespace.yaml
@@ -0,0 +1,9 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: {{ .Values.namespace }}
annotations:
"helm.sh/hook": "pre-install"
labels:
securityenforcement.admission.cloud.ibm.com/namespace: skip
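Review bot: annotating the Namespace with `helm.sh/hook: pre-install` makes it a hook resource, and Helm's hook documentation states that hook resources are not tracked as part of the release, so `helm uninstall` does not remove them unless a `helm.sh/hook-delete-policy` annotation is set; that contradicts the README text in this commit, which says the namespace is deleted on uninstall. Also check how this hook interacts with the documented `helm install --create-namespace`, which creates the same namespace before hooks run. Suggest verifying both on a test cluster and then either dropping the hook annotation or correcting the README.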
