GCP config: gke-exec-auth-plugin for ValidatingAdmissionWebhook #79553
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
|
Hi @ahmedtd. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-ok-to-test
k8s-ci-robot
added
sig/cluster-lifecycle
ahmedtd
force-pushed
the
binauthz
branch
8 times, most recently
from
3977fab
to
7587265
Compare
ahmedtd
changed the title
ahmedtd
force-pushed
the
binauthz
branch
4 times, most recently
from
da55df9
to
f6e47b5
Compare
|
/retest |
cluster/gce/gci/configure-helper.sh
Outdated
| plugins: | ||
| EOF | ||
|
|
||
| if [[ ${ADMISSION_CONTROL:-} == *"ImagePolicyWebhook"* ]]; then |
There was a problem hiding this comment.
Maybe worth to log when a admission control config is enabled?
There was a problem hiding this comment.
I added some log messages, but these blocks aren't enabling the admission control plugins. The admission control plugins are enabled by inclusion in ADMISSION_CONTROL, which get included in the apiserver command line around line 1801 of configure-helper.sh.
These blocks are just "noticing" that the caller requested admission control plugins that might require special setup.
There was a problem hiding this comment.
Right, what you describe is more accurate. Thanks for the logs.
cluster/gce/gci/configure-helper.sh
Outdated
| # kubeconfig to be used by webhooks with GKE exec auth support. Note that | ||
| # the path to gke-exec-auth-plugin is the path when mounted inside the | ||
| # kube-apiserver pod. | ||
| cat <<EOF >/etc/srv/kubernetes/webhook_kubeconfig.yaml |
There was a problem hiding this comment.
nit: make this end with .kubeconfig to be consistent?
cluster/gce/gci/configure-helper.sh
Outdated
| if [[ -n "${GCP_IMAGE_VERIFICATION_URL:-}" ]]; then | ||
| # This is the config file for the image review webhook. | ||
| cat <<EOF >/etc/gcp_image_review.config | ||
| if [[ ${WEBHOOK_GKE_EXEC_AUTH:-} ]]; then |
cluster/gce/gci/configure-helper.sh
Outdated
| # kubeconfig to be used by webhooks with GKE exec auth support. Note that | ||
| # the path to gke-exec-auth-plugin is the path when mounted inside the | ||
| # kube-apiserver pod. | ||
| cat <<EOF >/etc/srv/kubernetes/webhook_kubeconfig.yaml |
There was a problem hiding this comment.
Would this kubeconfig be ever needed by something other than the exec auth admission plugin? If not, should it fall under the same if [[ ${ADMISSION_CONTROL:-} == *"ImagePolicyWebhook"* ]] bucket?
There was a problem hiding this comment.
webhook.kubeconfig should be usable for any webhook that needs to call to *.googleapis.com. For example, MutatingAdmissionWebhook.
I didn't want to go through and add the kubeconfig to a bunch of other webhooks that we're not planning on exercising regularly --- ValidatingAdmissionWebhook will be using this kubeconfig as part of our binary authorization feature.
cluster/gce/gci/configure-helper.sh
Outdated
| # gke-exec-auth-plugin needs to be mounted into the kube-apiserver container. | ||
| local webhook_exec_auth_plugin_mount="" | ||
| local webhook_exec_auth_plugin_volume="" | ||
| if [[ ${WEBHOOK_GKE_EXEC_AUTH:-} ]]; then |
There was a problem hiding this comment.
It is a bit concerning that the logic for exec webhook are scattered among a couple places. Is there a specific reason the mount/volume setup has to be placed here?
There was a problem hiding this comment.
Here I was mostly following the existing organization of the file.
Note that this block isn't doing mounts for use by gke-exec-auth-plugin, rather it's mounting gke-exec-auth-plugin into the kube-apiserver container (so that the various webhooks can execute it). To do so, it needs to modify the kube-apiserver's static pod manifest, which is what this function is all about.
There was a problem hiding this comment.
Makes sense, thanks for the explanation :)
|
/retest |
cluster/gce/gci/configure-helper.sh
Outdated
| plugins: | ||
| EOF | ||
|
|
||
| if [[ ${ADMISSION_CONTROL:-} == *"ImagePolicyWebhook"* ]]; then |
There was a problem hiding this comment.
Right, what you describe is more accurate. Thanks for the logs.
cluster/gce/gci/configure-helper.sh
Outdated
| # gke-exec-auth-plugin needs to be mounted into the kube-apiserver container. | ||
| local webhook_exec_auth_plugin_mount="" | ||
| local webhook_exec_auth_plugin_volume="" | ||
| if [[ ${WEBHOOK_GKE_EXEC_AUTH:-} ]]; then |
There was a problem hiding this comment.
Makes sense, thanks for the explanation :)
k8s-ci-robot
added
the
lgtm
|
/test pull-kubernetes-kubemark-e2e-gce-big |
|
/test pull-kubernetes-node-e2e-containerd |
|
/unassign @yguo0905 |
cluster/gce/gci/configure-helper.sh
Outdated
| fi | ||
|
|
||
| if [[ -z ${TOKEN_URL:-} || -z ${TOKEN_BODY:-} || -z ${TOKEN_BODY_UNQUOTED:-} ]]; then | ||
| echo "You requested GKE exec auth support for webhooks, but TOKEN_URL, TOKEN_BODY, and TOKEN_BODY_UNQUOTED were not provided. gke-exec-auth-plugin requires these values for its configuration." |
There was a problem hiding this comment.
These should be 1>&2 echo "....", but this file isn't consistent.
cluster/gce/gci/configure-helper.sh
Outdated
| args: | ||
| - --mode=alt-token | ||
| - --alt-token-url=${TOKEN_URL?} | ||
| - --alt-token-body=${TOKEN_BODY_UNQUOTED?} |
There was a problem hiding this comment.
Side note: we set -o nounset so the ? is the default behavior for parameter expansion, although no problem with being defensive.
cluster/gce/gci/configure-helper.sh
Outdated
| if [[ -n "${GCP_IMAGE_VERIFICATION_URL:-}" ]]; then | ||
| # This is the config file for the image review webhook. | ||
| cat <<EOF >/etc/gcp_image_review.config | ||
| if [[ ${WEBHOOK_GKE_EXEC_AUTH:-} ]]; then |
There was a problem hiding this comment.
Wrap parameter expansions in quotes here and below. Be explicit about what the condition is checking a -n.
mikedanese
added
the
priority/important-soon
k8s-ci-robot
removed
the
needs-priority
mikedanese
added
needs-priority
|
Removed lgtm for you to get a chance to look at the comments. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ahmedtd, mikedanese The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
This commit adds support for using `gke-exec-auth-plugin` (vTPM-based
certificates for mTLS) for webhooks when calling endpoints matching
`*.googleapis.com`, and integrates this support with
ValidatingAdmissionWebhook.
To enable it, request ValidatingAdmissionWebhook with
`ADMISSION_CONTROL=...,ValidatingAdmissionWebhook,...` (default) and
opt in to `gke-exec-auth-plugin` using `WEBHOOK_GKE_EXEC_AUTH=true`
during the configuration process.
If you don't opt-in, ValidatingAdmissionWebhook will be deployed as
before.
Requesting `WEBHOOK_GKE_EXEC_AUTH=true` will fail if you have not
provided other configuration variables:
* `EXEC_AUTH_PLUGIN_URL`: controls whether `gke-exec-auth-plugin` is
downloaded during the installation step. A prerequisite for
actually using the plugin.
* `TOKEN_URL`, `TOKEN_BODY`, and `TOKEN_BODY_UNQUOTED`:
configuration values used when calling the plugin. `TOKEN_URL`
and `TOKEN_BODY` have existing usage. `TOKEN_BODY_UNQUOTED` is a
new variable that is meant to sidestep the problem of inverting
`strconv.Quote` in Bash.
The existing configuration process for ImagePolicyWebhook has been
reworked to make it play nicely with ValidatingAdmissionWebhook under
`WEBHOOK_GKE_EXEC_AUTH=true`.
* It originally placed the ImagePolicyWebhook configuration object
at the top-level of the file specified by
`--admission-control-config-file`. I can't see why this worked;
it must have been hitting some sort of lucky path through the
various config file loading mechanisms. Now, it places its
configuration in a sub-field of that file, which is shared among
all admission control plugins.
* It mounted its various config files read-write. I reviewed the
code and couldn't see why it was necessary, so I moved the config
files into the existing read-only mount at `/etc/srv/kubernetes`.
* It now checks that all the configuration values it requires have
been provided.
Co-authored-by: Mike Danese <mikedanese@google.com>
Co-authored-by: Taahir Ahmed <taahm@google.com>
|
/lgtm |
k8s-ci-robot
added
the
lgtm
This commit adds support for using
gke-exec-auth-pluginfor webhooks when calling endpoints matching*.googleapis.com, and integrates this support with ValidatingAdmissionWebhook.To enable it, request ValidatingAdmissionWebhook with
ADMISSION_CONTROL=...,ValidatingAdmissionWebhook,...(default) and opt in togke-exec-auth-pluginusingWEBHOOK_GKE_EXEC_AUTH=trueduring the configuration process.If you don't opt-in, ValidatingAdmissionWebhook will be deployed as before.
Requesting
WEBHOOK_GKE_EXEC_AUTH=truewill fail if you have not provided other configuration variables:EXEC_AUTH_PLUGIN_URL: controls whethergke-exec-auth-pluginis downloaded during the installation step. A prerequisite for actually using the plugin.TOKEN_URL,TOKEN_BODY, andTOKEN_BODY_UNQUOTED: configuration values used when calling the plugin.TOKEN_URLandTOKEN_BODYhave existing usage.TOKEN_BODY_UNQUOTEDis a new variable that is meant to sidestep the problem of invertingstrconv.Quotein Bash.The existing configuration process for ImagePolicyWebhook has been reworked to make it play nicely with ValidatingAdmissionWebhook under
WEBHOOK_GKE_EXEC_AUTH=true:It originally placed the ImagePolicyWebhook configuration object at the top-level of the file specified by
--admission-control-config-file. I can't see why this worked; it must have been hitting some sort of lucky path through the various config file loading mechanisms. Now, it places its configuration in a sub-field of that file, which is shared among all admission control plugins.It mounted its various config files read-write. I reviewed the code and couldn't see why it was necessary, so I moved the config files into the existing read-only mount at
/etc/srv/kubernetes.It now checks that all the configuration values it requires have been provided, rather than silently writing out a broken config.
/kind feature