EphemeralContainers via kubectl debug bypass Pepr webhooks
#381
Assignees
Comments
5 tasks
cmwylie19
added a commit
that referenced
this issue
Nov 17, 2023
## Description Adds support for ephemeral containers in the webhook generation ## Related Issue Fixes #381 ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide Steps](https://github.com/defenseunicorns/pepr/blob/main/CONTRIBUTING.md#submitting-a-pull-request) followed Co-authored-by: Case Wylie <cmwylie19@defenseunicorns.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Environment
Device and OS: macOS
App version: 0.16.0
Kubernetes distro being used: k3d
Steps to reproduce
Deploy a pepr capability that includes something operating on
a.Podduring both create and update (validate or mutate). Simple example would just be logging something out.Run a command similar to this
kubectl debug -it -n test test-pod --image busyboxand validate that the webhook is not triggered.Expected result
Pepr should see these modifications.
Actual Result
Pepr misses these calls.
Severity/Priority
For validate calls this is pretty critical as it would allow someone to bypass validation for these injected debug containers.
Additional Context
I was able to identify this issue thanks to other webhooks like kyverno that made a similar change: https://www.github.com/kyverno/kyverno/issues/2821
The text was updated successfully, but these errors were encountered: