Let AuditSink could share web config via configmap/secret #71733

Open
WanLinghao opened this Issue Dec 5, 2018 · 3 comments

WanLinghao commented Dec 5, 2018

Currently, user must fill the CABundle field in web config of AuditSink. It looks like:

apiVersion: auditregistration.k8s.io/v1alpha1
kind: AuditSink
metadata:
  name: auditsink1
spec:
  policy:
    level: RequestResponse
    stages:
    - ResponseComplete
  webhook:
    throttle:
      qps: 10
      burst: 15
    clientConfig:
      url: https://localhost:8080
      caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURZakNDQWtxZ0F3SUJBZ0lKQU5QQjVGZ1BOUUZzTUEwR0NTcUdTSWIzRFFFQkN3VUFNQ1V4SXpBaEJnTlYKQkFNTUdqRTVNaTR4TmpndU1URXhMakV6TlVBeE5UTTFNRGd5TVRVMk1CNFhEVEU0TURneU5EQXpOREl6TjFvWApEVEk0TURneU1UQXpOREl6TjFvd0pURWpNQ0VHQTFVRUF3d2FNVGt5TGpFMk9DNHhNVEV1TVRNMVFERTFNelV3Ck9ESXhOVFl3Z2dFaU1BMEdDU32FtTUNsMTJDZ0NKNEZaUDVuYkpJSlZJYnhvSGZ3S1dRb1kxZUREWVcwSjhtRAp4eFpZK21YZzBkeHJTbnhEV004VmJkck9sSHhhbU9NZFBRcWFsc3QzYU9wMVBsamRQa3BWNGhTU0tNcEdSVmJUCkh6OFd3SmhpTGxTY2tFbGRHS1RvaE1ONk9tcUFwdzIwTjl6a1NvN3BGNWZwd2h6K0p5bkpuS0ZtcDExNzFwcHEKaE1MU2ppUGVaTXpyVG1FR3p2Mk1yL2d5ekZtVEdGZzJERzZzVG5oYTRRTVZJZmk1VW16NEcvd1dKTXJEM0lTbQppUUMvL1lyN0s3WGxhU1RoeEwrWWVnTHU3bno4NkRDaGlSZ0h4YTRkZi9NNTlqeFlKTE5BT0JCTURiMUNRdUxJCjNKT1V0WWNiQWdNQkFBR2pnWlF3Z1pFd0hRWURWUjBPQkJZRUZOaHhKSTkrOGhVTFF4TmZLRXI1NGxCNHlKWlUKTUZVR0ExVWRJd1JPTUV5QUZOaHhKSTkrOGhVTFF4TmZLRXI1NGxCNHlKWlVvU21rSnpBbE1TTXdJUVlEVlFRRApEQm94T1RJdU1UWTRMakV4TVM0eE16VkFNVFV6TlRBNE1qRTFOb0lKQU5QQjVGZ1BOUUZzTUF3R0ExVWRFd1FGCk1BTUJBZjh3Q3dZRFZSMFBCQVFEQWdFR01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQTAxaVg4eTBoeTMveW8KZXNxL0hlc2g3UHF0WHE0UFF5MDJUSkJtSXpyc01OUGFURkV0ZlF2cUIxTnNvaFN4U3VRRHppZ202VkZva3pTSQo4b0NDODFoUkxCZ2xIaHlMUGduY1RTNlR2RHd1bDVETENYblBmNy9pZjJyVVRSSlY4SGs1WlBvVDB0QlBGbHc3Cm9vQmE1UlhzN1VTRnU4cU44QklvQXppUDJsY0txVFBJV0dlbUVqZjhwZEdHdW9DQmlvWHJTdVBjeklqaWF5RGQKdzErV0hxTTNsS1VZU3ZvYTNkbXFIQXZvaEZiYTNrRXhwQlUyS0JoU0RSQ0pkaU1DSkFiUWg2R3hGQXFzOThOdgpRNXl4OWc1V0JRNWxEZVFjZkZoVklhTmJoSlJHc0l4R0x

The CABundle is very long in most cases, which makes it pretty hard to modify, especially when it comes to a bunch of AuditSinks. What's more, the usual case is that a bunch of AuditSinks share the same webhook configuration, so obviously we need to fill in the same long CABundle one by one. And I am a bit worried about the security risk, since each AuditSink object holds a CA bundle.
I think maybe we could make AuditSink extract data from configmap/secret to solve the problems above. So the new AuditSink looks like:

type AuditSinkSpec struct {
	Policy  Policy
	Webhook Webhook
}

type Webhook struct {
	Throttle     *WebhookThrottleConfig
	ClientConfig WebhookClientConfig
}

type WebhookClientConfig struct {
	URL      *string
	Service  *ServiceReference
	CABundle []byte
	// Proposed new field: name of a ConfigMap/Secret holding the CA bundle
	// (field type assumed here; the original sketch gave the name only).
	ConfigMapName string
}

/kind feature

k8s-ci-robot commented Dec 5, 2018

@WanLinghao: There are no sig labels on this issue. Please add a sig label by either:

  1. mentioning a sig: @kubernetes/sig-<group-name>-<group-suffix>
    e.g., @kubernetes/sig-contributor-experience-<group-suffix> to notify the contributor experience sig, OR

  2. specifying the label manually: /sig <group-name>
    e.g., /sig scalability to apply the sig/scalability label

Note: Method 1 will trigger an email to the group. See the group list.
The <group-suffix> in method 1 has to be replaced with one of these: bugs, feature-requests, pr-reviews, test-failures, proposals.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

WanLinghao commented Dec 5, 2018

@pbarker WDYT

pbarker commented Dec 5, 2018

@WanLinghao interesting idea, we discussed something similar in the last sig-auth meeting around storing authentication information in a secret. One of the issues with this model is that the aggregate servers live in different namespaces, and would either need their own configmap or would need permission to access a shared one. We would need to draw up a reasonable way of doing this. In the case we find a path forward it may make sense to merge this with the auth secret effort.
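The following is an added, stand-alone Go example (not code from the issue author or from Kubernetes) that sketches how the proposed `WebhookClientConfig` could be resolved: an inline `CABundle` wins, otherwise the `ca.crt` key of the referenced ConfigMap is read, and the result is only accepted if it actually parses into an x509 certificate pool. The ConfigMap store is an in-memory map keyed by `namespace/name`, constructed here to stand in for an API lookup, so the namespace concern raised in the last comment shows up as a lookup miss when the referencing object lives in a different namespace. The field type `string` for `ConfigMapName`, the `ca.crt` key name and the self-signed throwaway CA are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical shape of the proposed client config: either an inline CA
// bundle or a reference to a ConfigMap (type of ConfigMapName assumed).
type WebhookClientConfig struct {
	URL           *string
	CABundle      []byte // raw PEM bytes; the manifest carries them base64-encoded
	ConfigMapName string
}

// ConfigMapStore is a constructed stand-in for a ConfigMap lookup:
// "namespace/name" -> data keys.
type ConfigMapStore map[string]map[string]string

// ResolveCABundle returns the PEM bundle to trust for the webhook. The inline
// bundle takes precedence; otherwise the referenced ConfigMap must exist in the
// same namespace as the referencing object and carry a "ca.crt" key.
func ResolveCABundle(cfg WebhookClientConfig, namespace string, store ConfigMapStore) ([]byte, error) {
	if len(cfg.CABundle) > 0 {
		return cfg.CABundle, nil
	}
	if cfg.ConfigMapName == "" {
		return nil, errors.New("no CA bundle: neither caBundle nor configMapName set")
	}
	cm, ok := store[namespace+"/"+cfg.ConfigMapName]
	if !ok {
		return nil, fmt.Errorf("configmap %s/%s not found", namespace, cfg.ConfigMapName)
	}
	ca, ok := cm["ca.crt"]
	if !ok {
		return nil, fmt.Errorf("configmap %s/%s has no ca.crt key", namespace, cfg.ConfigMapName)
	}
	return []byte(ca), nil
}

// BuildCertPool parses every CERTIFICATE block in the bundle into a pool and
// returns the count; a bundle with no parseable certificate is rejected.
func BuildCertPool(pemBundle []byte) (*x509.CertPool, int, error) {
	pool, n, rest := x509.NewCertPool(), 0, pemBundle
	for {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, n, fmt.Errorf("bad certificate in bundle: %w", err)
		}
		pool.AddCert(cert)
		n++
	}
	if n == 0 {
		return nil, 0, errors.New("bundle contains no CERTIFICATE blocks")
	}
	return pool, n, nil
}

// SelfSignedCAPEM generates a throwaway CA certificate so the example runs offline.
func SelfSignedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-audit-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// EncodeForYAML renders the bundle as it would appear in the caBundle field.
func EncodeForYAML(pemBundle []byte) string { return base64.StdEncoding.EncodeToString(pemBundle) }

func main() {
	caPEM, err := SelfSignedCAPEM()
	if err != nil {
		panic(err)
	}
	store := ConfigMapStore{"audit-system/webhook-ca": {"ca.crt": string(caPEM)}}
	bundle, err := ResolveCABundle(WebhookClientConfig{ConfigMapName: "webhook-ca"}, "audit-system", store)
	if err != nil {
		panic(err)
	}
	_, n, err := BuildCertPool(bundle)
	fmt.Println("certs in pool:", n, "err:", err)
	fmt.Println("inline caBundle would be", len(EncodeForYAML(bundle)), "base64 characters")
}
```

Resolving the bundle at the point of use, rather than copying it into every object, is what removes the per-object copy; the cross-namespace miss in `ResolveCABundle` is deliberate and is the part that would need a policy decision (a shared ConfigMap plus RBAC, or one per namespace) before the feature could be merged.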
