
GCP config: gke-exec-auth-plugin for ValidatingAdmissionWebhook #79553

Merged (1 commit), Jul 23, 2019

Commits on Jul 22, 2019

  1. GCP config: gke-exec-auth-plugin for ValidatingAdmissionWebhook

    This commit adds support for using `gke-exec-auth-plugin` (vTPM-based
    certificates for mTLS) for webhooks when calling endpoints matching
    `*.googleapis.com`, and integrates this support with
    ValidatingAdmissionWebhook.
    
    To enable it, request ValidatingAdmissionWebhook with
    `ADMISSION_CONTROL=...,ValidatingAdmissionWebhook,...` (default) and
    opt in to `gke-exec-auth-plugin` using `WEBHOOK_GKE_EXEC_AUTH=true`
    during the configuration process.
    
    If you don't opt in, ValidatingAdmissionWebhook will be deployed as
    before.
    
    Requesting `WEBHOOK_GKE_EXEC_AUTH=true` will fail if you have not
    provided other configuration variables:
    
      * `EXEC_AUTH_PLUGIN_URL`: controls whether `gke-exec-auth-plugin` is
        downloaded during the installation step.  A prerequisite for
        actually using the plugin.
    
      * `TOKEN_URL`, `TOKEN_BODY`, and `TOKEN_BODY_UNQUOTED`:
        configuration values used when calling the plugin.  `TOKEN_URL`
        and `TOKEN_BODY` have existing usage. `TOKEN_BODY_UNQUOTED` is a
        new variable that is meant to sidestep the problem of inverting
        `strconv.Quote` in Bash.
    
    The existing configuration process for ImagePolicyWebhook has been
    reworked to make it play nicely with ValidatingAdmissionWebhook under
    `WEBHOOK_GKE_EXEC_AUTH=true`.
    
      * It originally placed the ImagePolicyWebhook configuration object
        at the top level of the file specified by
        `--admission-control-config-file`.  I can't see why this worked;
        it must have been hitting some sort of lucky path through the
        various config file loading mechanisms.  Now, it places its
        configuration in a sub-field of that file, which is shared among
        all admission control plugins.
    
      * It mounted its various config files read-write.  I reviewed the
        code and couldn't see why it was necessary, so I moved the config
        files into the existing read-only mount at `/etc/srv/kubernetes`.
    
      * It now checks that all the configuration values it requires have
        been provided.
    
    Co-authored-by: Mike Danese <mikedanese@google.com>
    Co-authored-by: Taahir Ahmed <taahm@google.com>
    ahmedtd and mikedanese committed Jul 22, 2019 (commit 9702c6e)
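The commit message describes the shape of the new layout (a shared admission-control config file with one sub-entry per plugin, a kubeconfig that selects `gke-exec-auth-plugin` for `*.googleapis.com` hosts, and everything read-only under `/etc/srv/kubernetes`) but does not show the files. The following is an added illustration written for this page, not the PR's own generated config: the file names under `/etc/srv/kubernetes`, the plugin binary path, the TTL values and the `client.authentication.k8s.io` API version are assumptions, and how `TOKEN_URL`/`TOKEN_BODY` are handed to the plugin is not specified in the commit message, so no flags are invented for it.

```yaml
# File 1 (assumed name): /etc/srv/kubernetes/admission-control-config.yaml
# Passed to kube-apiserver as --admission-control-config-file.
# Each plugin's settings live under its own entry in `plugins`, which is the
# "sub-field shared among all admission control plugins" the commit refers to.
apiVersion: apiserver.k8s.io/v1alpha1
kind: AdmissionConfiguration
plugins:
- name: ImagePolicyWebhook
  configuration:
    imagePolicy:
      # assumed path; the file sits on the read-only /etc/srv/kubernetes mount
      kubeConfigFile: /etc/srv/kubernetes/image-policy-webhook.kubeconfig
      allowTTL: 50          # assumed value (seconds to cache an allow)
      denyTTL: 50           # assumed value (seconds to cache a deny)
      retryBackoff: 500     # assumed value (ms between retries)
      defaultAllow: false   # fail closed if the backend is unreachable
- name: ValidatingAdmissionWebhook
  configuration:
    apiVersion: apiserver.config.k8s.io/v1alpha1
    kind: WebhookAdmission
    # assumed path; only written when WEBHOOK_GKE_EXEC_AUTH=true was requested
    kubeConfigFile: /etc/srv/kubernetes/validating-webhook.kubeconfig
---
# File 2 (assumed name): /etc/srv/kubernetes/validating-webhook.kubeconfig
# The apiserver picks the `users` entry whose name matches the webhook host,
# so the wildcard below makes every *.googleapis.com endpoint authenticate
# with the exec plugin (vTPM-backed client certificate for mTLS) instead of
# a static credential stored on disk.
apiVersion: v1
kind: Config
clusters: []
contexts: []
current-context: ""
users:
- name: '*.googleapis.com'
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1   # assumed version
      command: /home/kubernetes/bin/gke-exec-auth-plugin  # assumed install path
      # The commit passes TOKEN_URL / TOKEN_BODY(_UNQUOTED) to the plugin, but
      # the message does not show the mechanism, so no args/env are listed here.
```

Two points worth checking on a cluster built this way: the apiserver must be able to read both files at the paths above even though the mount is read-only (the commit argues nothing needs write access), and any `*.googleapis.com` webhook that is reached without the opt-in falls back to whatever credential the previous configuration provided, since `WEBHOOK_GKE_EXEC_AUTH=true` is what switches the `users` entry to the exec plugin.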