Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Introduce kpack build pod mutating webhook
The mutating webhook sets a security policy in the kpack build pods' containers that matches the `restricted` pod security enforced by the workload namespace The webhook is a workaround to kpack issue buildpacks-community/kpack#972. Once the issue is resolved and a fix is adopted, we should probably revert the commit and adopt the kpack fix. Issue: #1220 Co-authored-by: Danail Branekov <danailster@gmail.com>
- Loading branch information
1 parent
13f99cd
commit 5301b48
Showing
15 changed files
with
450 additions
and
31 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
# The following manifests contain a self-signed issuer CR and a certificate CR. | ||
# More document can be found at https://docs.cert-manager.io | ||
# WARNING: Targets CertManager v1.0. Check https://cert-manager.io/docs/installation/upgrading/ for breaking changes. | ||
apiVersion: cert-manager.io/v1 | ||
kind: Issuer | ||
metadata: | ||
name: selfsigned-issuer | ||
namespace: system | ||
spec: | ||
selfSigned: {} | ||
--- | ||
apiVersion: cert-manager.io/v1 | ||
kind: Certificate | ||
metadata: | ||
name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml | ||
namespace: system | ||
spec: | ||
# $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize | ||
dnsNames: | ||
- $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc | ||
- $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local | ||
issuerRef: | ||
kind: Issuer | ||
name: selfsigned-issuer | ||
secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
resources: | ||
- certificate.yaml | ||
|
||
configurations: | ||
- kustomizeconfig.yaml |
16 changes: 16 additions & 0 deletions
16
kpack-image-builder/config/certmanager/kustomizeconfig.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
# This configuration is for teaching kustomize how to update name ref and var substitution | ||
nameReference: | ||
- kind: Issuer | ||
group: cert-manager.io | ||
fieldSpecs: | ||
- kind: Certificate | ||
group: cert-manager.io | ||
path: spec/issuerRef/name | ||
|
||
varReference: | ||
- kind: Certificate | ||
group: cert-manager.io | ||
path: spec/commonName | ||
- kind: Certificate | ||
group: cert-manager.io | ||
path: spec/dnsNames |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
23 changes: 23 additions & 0 deletions
23
kpack-image-builder/config/default/project_namespace/manager_webhook_patch.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: controller-manager | ||
namespace: system | ||
spec: | ||
template: | ||
spec: | ||
containers: | ||
- name: manager | ||
ports: | ||
- containerPort: 9443 | ||
name: webhook-server | ||
protocol: TCP | ||
volumeMounts: | ||
- mountPath: /tmp/k8s-webhook-server/serving-certs | ||
name: cert | ||
readOnly: true | ||
volumes: | ||
- name: cert | ||
secret: | ||
defaultMode: 420 | ||
secretName: webhook-server-cert |
15 changes: 15 additions & 0 deletions
15
kpack-image-builder/config/default/project_namespace/webhookcainjection_patch.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
# This patch add annotation to admission webhook config and | ||
# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. | ||
apiVersion: admissionregistration.k8s.io/v1 | ||
kind: MutatingWebhookConfiguration | ||
metadata: | ||
name: mutating-webhook-configuration | ||
annotations: | ||
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) | ||
# --- | ||
# apiVersion: admissionregistration.k8s.io/v1 | ||
# kind: ValidatingWebhookConfiguration | ||
# metadata: | ||
# name: validating-webhook-configuration | ||
# annotations: | ||
# cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
resources: | ||
- manifests.yaml | ||
- service.yaml | ||
|
||
configurations: | ||
- kustomizeconfig.yaml | ||
|
||
patchesStrategicMerge: | ||
- object_selector_patch.yaml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
# the following config is for teaching kustomize where to look at when substituting vars. | ||
# It requires kustomize v2.1.0 or newer to work properly. | ||
nameReference: | ||
- kind: Service | ||
version: v1 | ||
fieldSpecs: | ||
- kind: MutatingWebhookConfiguration | ||
group: admissionregistration.k8s.io | ||
path: webhooks/clientConfig/service/name | ||
- kind: ValidatingWebhookConfiguration | ||
group: admissionregistration.k8s.io | ||
path: webhooks/clientConfig/service/name | ||
|
||
namespace: | ||
- kind: MutatingWebhookConfiguration | ||
group: admissionregistration.k8s.io | ||
path: webhooks/clientConfig/service/namespace | ||
create: true | ||
- kind: ValidatingWebhookConfiguration | ||
group: admissionregistration.k8s.io | ||
path: webhooks/clientConfig/service/namespace | ||
create: true | ||
|
||
varReference: | ||
- path: metadata/annotations |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,27 @@ | ||
--- | ||
|
||
apiVersion: admissionregistration.k8s.io/v1 | ||
kind: MutatingWebhookConfiguration | ||
metadata: | ||
creationTimestamp: null | ||
name: mutating-webhook-configuration | ||
webhooks: | ||
- admissionReviewVersions: | ||
- v1 | ||
- v1beta1 | ||
clientConfig: | ||
service: | ||
name: webhook-service | ||
namespace: system | ||
path: /mutate-kpack-build-pod | ||
failurePolicy: Ignore | ||
name: mkpackbuildpod.korifi.cloudfoundry.org | ||
rules: | ||
- apiGroups: | ||
- "" | ||
apiVersions: | ||
- v1 | ||
operations: | ||
- CREATE | ||
resources: | ||
- pods | ||
sideEffects: None |
12 changes: 12 additions & 0 deletions
12
kpack-image-builder/config/webhook/object_selector_patch.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: admissionregistration.k8s.io/v1 | ||
kind: MutatingWebhookConfiguration | ||
metadata: | ||
name: mutating-webhook-configuration | ||
webhooks: | ||
- name: mkpackbuildpod.korifi.cloudfoundry.org | ||
objectSelector: | ||
matchExpressions: | ||
- key: kpack.io/build | ||
operator: Exists | ||
- key: korifi.cloudfoundry.org/build-workload-name | ||
operator: Exists |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
|
||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: webhook-service | ||
namespace: system | ||
spec: | ||
ports: | ||
- port: 443 | ||
protocol: TCP | ||
targetPort: 9443 | ||
selector: | ||
control-plane: controller-manager |
72 changes: 72 additions & 0 deletions
72
kpack-image-builder/controllers/podsecurity/buildpack_mutating_webhook.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,72 @@ | ||
package podsecurity | ||
|
||
import ( | ||
"context" | ||
"encoding/json" | ||
"net/http" | ||
|
||
corev1 "k8s.io/api/core/v1" | ||
ctrl "sigs.k8s.io/controller-runtime" | ||
"sigs.k8s.io/controller-runtime/pkg/webhook/admission" | ||
) | ||
|
||
// +kubebuilder:webhook:path=/mutate-kpack-build-pod,mutating=true,failurePolicy=ignore,groups="",resources=pods,verbs=create,versions=v1,name=mkpackbuildpod.korifi.cloudfoundry.org,admissionReviewVersions={v1,v1beta1},sideEffects=none | ||
|
||
type PodSecurityAdder struct { | ||
decoder *admission.Decoder | ||
} | ||
|
||
func NewPodSecurityAdder() *PodSecurityAdder { | ||
return &PodSecurityAdder{} | ||
} | ||
|
||
func pointerTo(b bool) *bool { | ||
return &b | ||
} | ||
|
||
func (a *PodSecurityAdder) Handle(ctx context.Context, req admission.Request) admission.Response { | ||
logger := ctrl.Log.WithName("kpack-build-pod-security") | ||
|
||
pod := &corev1.Pod{} | ||
err := a.decoder.Decode(req, pod) | ||
if err != nil { | ||
logger.Error(err, "decode-error") | ||
return admission.Errored(http.StatusBadRequest, err) | ||
} | ||
|
||
patchContainerSecurity(pod.Spec.Containers) | ||
patchContainerSecurity(pod.Spec.InitContainers) | ||
|
||
marshaledPod, err := json.Marshal(pod) | ||
if err != nil { | ||
return admission.Errored(http.StatusInternalServerError, err) | ||
} | ||
|
||
logger.Info("patching pod security context", "namespace", req.Namespace, "name", req.Name) | ||
return admission.PatchResponseFromRaw(req.Object.Raw, marshaledPod) | ||
} | ||
|
||
// InjectDecoder injects the decoder. | ||
func (a *PodSecurityAdder) InjectDecoder(d *admission.Decoder) error { | ||
a.decoder = d | ||
return nil | ||
} | ||
|
||
func patchContainerSecurity(containers []corev1.Container) { | ||
for i := range containers { | ||
container := containers[i] | ||
if container.SecurityContext == nil { | ||
container.SecurityContext = new(corev1.SecurityContext) | ||
} | ||
|
||
container.SecurityContext.AllowPrivilegeEscalation = pointerTo(false) | ||
container.SecurityContext.RunAsNonRoot = pointerTo(true) | ||
container.SecurityContext.Capabilities = &corev1.Capabilities{ | ||
Drop: []corev1.Capability{"ALL"}, | ||
} | ||
container.SecurityContext.SeccompProfile = &corev1.SeccompProfile{ | ||
Type: corev1.SeccompProfileTypeRuntimeDefault, | ||
} | ||
containers[i] = container | ||
} | ||
} |
Oops, something went wrong.