New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow Mutating|ValidatingWebhookConfiguration to use secret for CABundle #72944
Comments
/sig api-machinery |
isn't configmap a better place to store CA? @deads2k ref openshift ca rotation: openshift/cluster-kube-apiserver-operator#164 |
putting the caBundle inline in the configuration yaml makes it unreadable |
/assign @caesarxuchao |
I think it is a good idea. Ad if we want to do it, it has API implications that I prefer it to be included in v1 API for Admission Webhook GA. @sttts @deads2k @caesarxuchao what do you think? |
I'm on the fence about whether this is desirable or not. Things I see as pros:
Things I see as cons:
|
When rotating a bundle that is going to be mounted into a pod, it makes a lot of sense to coordinate in configmaps. However, here we're talking about trying to manage a resource that is designed to be watched live for reaction and never mounted. While it is possible to do this with a configmap, you end up having to write an effective join between the two. In a case where you're reading live object data, I think it's easier to take an approach similar to how the openshift/service-ca injects cabundles into annotated apiservices. The update can take place directly in the resource you're already watching. |
When referencing certificates in the context of a service, a secret is used. Why should this be any different? |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle rotten |
FYI: cert-manager's cainjector solves this by injecting a Certificate into the UPDATE: With cert-manager 0.11 it changed to: |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle stale |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle stale |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/lifecycle frozen |
@liggitt can priority/awaiting-more-evidence be removed ... to me there seems to be no evidence missing ? |
You can workaround this by installing cert-manager's cainjector and setting the appropriate annotation, it will set the caBundle for you from a TLS secret. |
doesn't the configmapRef become more relevant post the 1.20 release of RootCAConfigMap https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.20.md#introducing-rootcaconfigmap |
What would you like to be added:
Allow Mutating|ValidatingWebhookConfiguration to reference content of a secret as CABundle.
The following shows the idea. We can use better names than below.
This can also be applied to CRD conversion webhook
Why is this needed:
It will be very useful if the CA is rotated.
Before: An admin or a controller (with permission to update WebhookConfiguration) need to update CABundle field if the CA has changed.
After: The Webhook configuration will automatically pickup the new CA.
EDIT:
From the security PoV, another advantage is that no need to update the CA means we don't need to grant permissions to some controller for Updating the CABundle field in Mutating|ValidatingWebhookConfig. Current k8s authn doesn't support field-wise fine-grain access control. IOW, a compromised controller can modify the service field of MutatingWebhookConfig to point a random service that may inject an arbitrary container to each pod.
The text was updated successfully, but these errors were encountered: