GCP config: gke-exec-auth-plugin for ValidatingAdmissionWebhook #79553
Conversation
Hi @ahmedtd. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/retest
cluster/gce/gci/configure-helper.sh
Outdated
plugins:
EOF

if [[ ${ADMISSION_CONTROL:-} == *"ImagePolicyWebhook"* ]]; then
Maybe worth logging when an admission control config is enabled?
I added some log messages, but these blocks aren't enabling the admission control plugins. The admission control plugins are enabled by inclusion in ADMISSION_CONTROL, which gets included in the apiserver command line around line 1801 of configure-helper.sh.
These blocks are just "noticing" that the caller requested admission control plugins that might require special setup.
Right, what you describe is more accurate. Thanks for the logs.
cluster/gce/gci/configure-helper.sh
Outdated
# kubeconfig to be used by webhooks with GKE exec auth support. Note that
# the path to gke-exec-auth-plugin is the path when mounted inside the
# kube-apiserver pod.
cat <<EOF >/etc/srv/kubernetes/webhook_kubeconfig.yaml
nit: make this end with .kubeconfig to be consistent?
Done
cluster/gce/gci/configure-helper.sh
Outdated
if [[ -n "${GCP_IMAGE_VERIFICATION_URL:-}" ]]; then
# This is the config file for the image review webhook.
cat <<EOF >/etc/gcp_image_review.config
if [[ ${WEBHOOK_GKE_EXEC_AUTH:-} ]]; then
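Review bot: on the last line, `[[ ${WEBHOOK_GKE_EXEC_AUTH:-} ]]` is true for any non-empty value, so `WEBHOOK_GKE_EXEC_AUTH=false` would still switch exec auth on; since the documented opt-in is `WEBHOOK_GKE_EXEC_AUTH=true`, compare against that literal, e.g. `[[ "${WEBHOOK_GKE_EXEC_AUTH:-}" == "true" ]]`, so an explicit opt-out is honoured.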
Indent mismatch?
Done
cluster/gce/gci/configure-helper.sh
Outdated
# kubeconfig to be used by webhooks with GKE exec auth support. Note that
# the path to gke-exec-auth-plugin is the path when mounted inside the
# kube-apiserver pod.
cat <<EOF >/etc/srv/kubernetes/webhook_kubeconfig.yaml
Would this kubeconfig be ever needed by something other than the exec auth admission plugin? If not, should it fall under the same if [[ ${ADMISSION_CONTROL:-} == *"ImagePolicyWebhook"* ]] bucket?
webhook.kubeconfig should be usable for any webhook that needs to call to *.googleapis.com. For example, MutatingAdmissionWebhook.
I didn't want to go through and add the kubeconfig to a bunch of other webhooks that we're not planning on exercising regularly --- ValidatingAdmissionWebhook will be using this kubeconfig as part of our binary authorization feature.
cluster/gce/gci/configure-helper.sh
Outdated
# gke-exec-auth-plugin needs to be mounted into the kube-apiserver container.
local webhook_exec_auth_plugin_mount=""
local webhook_exec_auth_plugin_volume=""
if [[ ${WEBHOOK_GKE_EXEC_AUTH:-} ]]; then
It is a bit concerning that the logic for the exec webhook is scattered among a couple of places. Is there a specific reason the mount/volume setup has to be placed here?
Here I was mostly following the existing organization of the file.
Note that this block isn't doing mounts for use by gke-exec-auth-plugin, rather it's mounting gke-exec-auth-plugin into the kube-apiserver container (so that the various webhooks can execute it). To do so, it needs to modify the kube-apiserver's static pod manifest, which is what this function is all about.
Makes sense, thanks for the explanation :)
/retest
/lgtm
/test pull-kubernetes-kubemark-e2e-gce-big
/test pull-kubernetes-node-e2e-containerd
/unassign @yguo0905
cluster/gce/gci/configure-helper.sh
Outdated
fi

if [[ -z ${TOKEN_URL:-} || -z ${TOKEN_BODY:-} || -z ${TOKEN_BODY_UNQUOTED:-} ]]; then
echo "You requested GKE exec auth support for webhooks, but TOKEN_URL, TOKEN_BODY, and TOKEN_BODY_UNQUOTED were not provided. gke-exec-auth-plugin requires these values for its configuration."
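Review bot: the diagnostic on the last line goes to stdout; send it to stderr with `>&2` and make sure the branch then exits non-zero, so a missing TOKEN_URL, TOKEN_BODY or TOKEN_BODY_UNQUOTED stops configuration instead of continuing on to write a webhook kubeconfig whose exec plugin cannot obtain a credential.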
These should be 1>&2 echo "....", but this file isn't consistent.
Done
cluster/gce/gci/configure-helper.sh
Outdated
args:
- --mode=alt-token
- --alt-token-url=${TOKEN_URL?}
- --alt-token-body=${TOKEN_BODY_UNQUOTED?}
Side note: we set -o nounset, so the ? is the default behavior for parameter expansion, although no problem with being defensive.
Done.
cluster/gce/gci/configure-helper.sh
Outdated
if [[ -n "${GCP_IMAGE_VERIFICATION_URL:-}" ]]; then
# This is the config file for the image review webhook.
cat <<EOF >/etc/gcp_image_review.config
if [[ ${WEBHOOK_GKE_EXEC_AUTH:-} ]]; then
Wrap parameter expansions in quotes here and below. Be explicit about what the condition is checking, with a -n.
Done.
Removed lgtm for you to get a chance to look at the comments.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: ahmedtd, mikedanese. The full list of commands accepted by this bot can be found here. The pull request process is described here.
This commit adds support for using `gke-exec-auth-plugin` (vTPM-based certificates for mTLS) for webhooks when calling endpoints matching `*.googleapis.com`, and integrates this support with ValidatingAdmissionWebhook.

To enable it, request ValidatingAdmissionWebhook with `ADMISSION_CONTROL=...,ValidatingAdmissionWebhook,...` (default) and opt in to `gke-exec-auth-plugin` using `WEBHOOK_GKE_EXEC_AUTH=true` during the configuration process. If you don't opt-in, ValidatingAdmissionWebhook will be deployed as before.

Requesting `WEBHOOK_GKE_EXEC_AUTH=true` will fail if you have not provided other configuration variables:
* `EXEC_AUTH_PLUGIN_URL`: controls whether `gke-exec-auth-plugin` is downloaded during the installation step. A prerequisite for actually using the plugin.
* `TOKEN_URL`, `TOKEN_BODY`, and `TOKEN_BODY_UNQUOTED`: configuration values used when calling the plugin. `TOKEN_URL` and `TOKEN_BODY` have existing usage. `TOKEN_BODY_UNQUOTED` is a new variable that is meant to sidestep the problem of inverting `strconv.Quote` in Bash.

The existing configuration process for ImagePolicyWebhook has been reworked to make it play nicely with ValidatingAdmissionWebhook under `WEBHOOK_GKE_EXEC_AUTH=true`.
* It originally placed the ImagePolicyWebhook configuration object at the top-level of the file specified by `--admission-control-config-file`. I can't see why this worked; it must have been hitting some sort of lucky path through the various config file loading mechanisms. Now, it places its configuration in a sub-field of that file, which is shared among all admission control plugins.
* It mounted its various config files read-write. I reviewed the code and couldn't see why it was necessary, so I moved the config files into the existing read-only mount at `/etc/srv/kubernetes`.
* It now checks that all the configuration values it requires have been provided.

Co-authored-by: Mike Danese <mikedanese@google.com>
Co-authored-by: Taahir Ahmed <taahm@google.com>
/lgtm
This commit adds support for using `gke-exec-auth-plugin` for webhooks when calling endpoints matching `*.googleapis.com`, and integrates this support with ValidatingAdmissionWebhook.

To enable it, request ValidatingAdmissionWebhook with `ADMISSION_CONTROL=...,ValidatingAdmissionWebhook,...` (default) and opt in to `gke-exec-auth-plugin` using `WEBHOOK_GKE_EXEC_AUTH=true` during the configuration process. If you don't opt-in, ValidatingAdmissionWebhook will be deployed as before.

Requesting `WEBHOOK_GKE_EXEC_AUTH=true` will fail if you have not provided other configuration variables:
* `EXEC_AUTH_PLUGIN_URL`: controls whether `gke-exec-auth-plugin` is downloaded during the installation step. A prerequisite for actually using the plugin.
* `TOKEN_URL`, `TOKEN_BODY`, and `TOKEN_BODY_UNQUOTED`: configuration values used when calling the plugin. `TOKEN_URL` and `TOKEN_BODY` have existing usage. `TOKEN_BODY_UNQUOTED` is a new variable that is meant to sidestep the problem of inverting `strconv.Quote` in Bash.

The existing configuration process for ImagePolicyWebhook has been reworked to make it play nicely with ValidatingAdmissionWebhook under `WEBHOOK_GKE_EXEC_AUTH=true`:
* It originally placed the ImagePolicyWebhook configuration object at the top-level of the file specified by `--admission-control-config-file`. I can't see why this worked; it must have been hitting some sort of lucky path through the various config file loading mechanisms. Now, it places its configuration in a sub-field of that file, which is shared among all admission control plugins.
* It mounted its various config files read-write. I reviewed the code and couldn't see why it was necessary, so I moved the config files into the existing read-only mount at `/etc/srv/kubernetes`.
* It now checks that all the configuration values it requires have been provided, rather than silently writing out a broken config.
/kind feature
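A worked version of the configuration the description above lays out, as an added example that is not the PR's code: it refuses to proceed unless `TOKEN_URL`, `TOKEN_BODY` and `TOKEN_BODY_UNQUOTED` are all set, writes a webhook kubeconfig whose `*.googleapis.com` user entry runs `gke-exec-auth-plugin` as an exec credential plugin, and writes the admission control config with the ValidatingAdmissionWebhook settings in a `plugins` sub-field rather than at the top level. The output directory, the in-pod plugin path, the plugin flags (taken from the review snippet) and the v1 admission config kinds are assumptions.

```shell
# Added example (not the PR's code): the two files the PR describes, written
# into "$1" instead of /etc/srv/kubernetes. Assumed: the plugin flags shown in
# the review and the v1 AdmissionConfiguration/WebhookAdmissionConfiguration kinds.
# Fail closed: list every missing variable on stderr and return non-zero so a
# caller under set -e stops instead of writing a partial config.
require_exec_auth_vars() {
  missing=""
  for var in TOKEN_URL TOKEN_BODY TOKEN_BODY_UNQUOTED; do
    eval "val=\${$var:-}"
    [ -n "$val" ] || missing="$missing $var"
  done
  [ -z "$missing" ] && return 0
  echo "WEBHOOK_GKE_EXEC_AUTH=true requires:$missing" >&2
  return 1
}
write_webhook_exec_auth_config() {
  out_dir="$1"
  plugin_path="${2:-/usr/bin/gke-exec-auth-plugin}"  # path inside the apiserver pod (assumed)
  require_exec_auth_vars || return 1
  mkdir -p "$out_dir"
  # The apiserver picks the user entry whose name matches the webhook host, so
  # only *.googleapis.com endpoints are ever handed the exec credential.
  cat <<EOF >"$out_dir/webhook.kubeconfig"
apiVersion: v1
kind: Config
users:
- name: '*.googleapis.com'
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: $plugin_path
      args:
      - --mode=alt-token
      - --alt-token-url=$TOKEN_URL
      - --alt-token-body=$TOKEN_BODY_UNQUOTED
EOF
  # Plugin settings go under their own "plugins" entry, shared with other
  # admission plugins, rather than at the top level of the file.
  cat <<EOF >"$out_dir/admission_controller_config.yaml"
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ValidatingAdmissionWebhook
  configuration:
    apiVersion: apiserver.config.k8s.io/v1
    kind: WebhookAdmissionConfiguration
    kubeConfigFile: $out_dir/webhook.kubeconfig
EOF
}
```

The generated kubeconfig is what `--admission-control-config-file` points at through `kubeConfigFile`; webhooks on any other host get no credential from it.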