linkerd-jaeger-injector-webhook-config mutating webhook raises warning on GKE #12193
same for |
mdnfiras added a commit to mdnfiras/linkerd2 that referenced this issue on Mar 4, 2024:

…Namespaced
Subject: Setting the scope for mutating webhooks rules
Problem: The linkerd-jaeger-injector-webhook-config and linkerd-tap-injector-webhook-config mutating webhooks raise a warning on GKE that says "Update webhook to no longer intercept system requests." in the GCP console recommendation section.
Solution: Setting the scope to Namespaced for both webhooks
Validation: This should not change the webhooks behaviour as both webhooks are triggered only by pod creation requests, and pods are namespaced resources. We can test it by tapping a pod for example.
Fixes linkerd#12193
pull request: #12195 With that pull request, the scope will be set to |
mdnfiras added a commit to mdnfiras/linkerd2 that referenced this issue on Mar 4, 2024:

Subject: Setting the scope for mutating webhooks rules
Problem: The linkerd-proxy-injector-webhook-config, linkerd-jaeger-injector-webhook-config, and linkerd-tap-injector-webhook-config mutating webhooks raise a warning on GKE that says "Update webhook to no longer intercept system requests." in the GCP console recommendation section.
Solution: Setting the scope to Namespaced for both webhooks
Validation: This should not change the webhooks behaviour as both webhooks are triggered only by pod/service creation requests, and pods/services are namespaced resources.
Fixes linkerd#12193
mdnfiras added a commit to mdnfiras/linkerd2 that referenced this issue on Mar 4, 2024:

Subject: Setting the scope for mutating webhooks rules
Problem: The linkerd-proxy-injector-webhook-config, linkerd-jaeger-injector-webhook-config, and linkerd-tap-injector-webhook-config mutating webhooks raise a warning on GKE that says "Update webhook to no longer intercept system requests." in the GCP console recommendation section.
Solution: Setting the scope to Namespaced for both webhooks
Validation: This should not change the webhooks behaviour as all webhooks are triggered only by pod/service creation requests, and pods/services are namespaced resources.
Fixes linkerd#12193
mdnfiras added a commit to mdnfiras/linkerd2 that referenced this issue on Mar 25, 2024:

Subject: Setting the scope for mutating webhooks rules
Problem: The linkerd-proxy-injector-webhook-config, linkerd-jaeger-injector-webhook-config, and linkerd-tap-injector-webhook-config mutating webhooks raise a warning on GKE that says "Update webhook to no longer intercept system requests." in the GCP console recommendation section.
Solution: Setting the scope to Namespaced for both webhooks
Validation: This should not change the webhooks behaviour as all webhooks are triggered only by pod/service creation requests, and pods/services are namespaced resources.
Fixes linkerd#12193
Signed-off-by: f.medini <f.medini@nyris.io>
mdnfiras added a commit to mdnfiras/linkerd2 that referenced this issue on Mar 25, 2024:

Subject: Setting the scope for mutating webhooks rules
Problem: The linkerd-proxy-injector-webhook-config, linkerd-jaeger-injector-webhook-config, and linkerd-tap-injector-webhook-config mutating webhooks raise a warning on GKE that says "Update webhook to no longer intercept system requests." in the GCP console recommendation section.
Solution: Setting the scope to Namespaced for both webhooks
Validation: This should not change the webhooks behaviour as all webhooks are triggered only by pod/service creation requests, and pods/services are namespaced resources.
Fixes linkerd#12193
Signed-off-by: f.medini <f.medini@nyris.io>
mdnfiras added a commit to mdnfiras/linkerd2 that referenced this issue on Mar 25, 2024:

Subject: Setting the scope for mutating webhooks rules
Problem: The linkerd-proxy-injector-webhook-config, linkerd-jaeger-injector-webhook-config, and linkerd-tap-injector-webhook-config mutating webhooks raise a warning on GKE that says "Update webhook to no longer intercept system requests." in the GCP console recommendation section. This is because the scope is set to *. This also happens if scope is Namespaced and the kube-system and kube-node-lease namespaces are not excluded using namespaceSelector.
Solution: Setting the scope to Namespaced for both webhooks, and the user can set the namespaceSelector in the helm values.
Validation: This should not change the webhooks behaviour as all webhooks are triggered only by pod/service creation requests, and pods/services are namespaced resources.
Fixes linkerd#12193
Signed-off-by: f.medini <f.medini@nyris.io>
mdnfiras added a commit to mdnfiras/linkerd2 that referenced this issue on Mar 26, 2024:

Subject: Setting the scope for mutating webhooks rules
Problem: The linkerd-proxy-injector-webhook-config, linkerd-jaeger-injector-webhook-config, and linkerd-tap-injector-webhook-config mutating webhooks raise a warning on GKE that says "Update webhook to no longer intercept system requests." in the GCP console recommendation section. This is because the scope is set to *. This also happens if scope is Namespaced, and kube-system and kube-node-lease namespaces are not excluded using namespaceSelector.
Solution: Setting the scope to Namespaced for both webhooks, and the user can set the namespaceSelector in the helm values.
Validation: This should not change the webhooks behaviour as all webhooks are triggered only by pod/service creation requests, and pods/services are namespaced resources.
Fixes linkerd#12193
Signed-off-by: f.medini <f.medini@nyris.io>
alpeb added a commit that referenced this issue on Mar 28, 2024:

… rules scope to Namespaced (#12195)
* Set mutating webhook rules scope to Namespaced
Problem: The linkerd-proxy-injector-webhook-config, linkerd-jaeger-injector-webhook-config, and linkerd-tap-injector-webhook-config mutating webhooks raise a warning on GKE that says "Update webhook to no longer intercept system requests." in the GCP console recommendation section. This is because the scope is set to *. This also happens if scope is Namespaced, and kube-system and kube-node-lease namespaces are not excluded using namespaceSelector.
Solution: Setting the scope to Namespaced for all webhooks, and the user can set the namespaceSelector in the helm values.
Validation: This should not change the webhooks behaviour as all webhooks are triggered only by pod/service creation requests, and pods/services are namespaced resources.
Fixes #12193
---------
Signed-off-by: f.medini <f.medini@nyris.io>
Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>
the-wondersmith pushed a commit to the-wondersmith/linkerd2 that referenced this issue on Apr 24, 2024:

… rules scope to Namespaced (linkerd#12195)
* Set mutating webhook rules scope to Namespaced
Problem: The linkerd-proxy-injector-webhook-config, linkerd-jaeger-injector-webhook-config, and linkerd-tap-injector-webhook-config mutating webhooks raise a warning on GKE that says "Update webhook to no longer intercept system requests." in the GCP console recommendation section. This is because the scope is set to *. This also happens if scope is Namespaced, and kube-system and kube-node-lease namespaces are not excluded using namespaceSelector.
Solution: Setting the scope to Namespaced for all webhooks, and the user can set the namespaceSelector in the helm values.
Validation: This should not change the webhooks behaviour as all webhooks are triggered only by pod/service creation requests, and pods/services are namespaced resources.
Fixes linkerd#12193
---------
Signed-off-by: f.medini <f.medini@nyris.io>
Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>
Signed-off-by: Mark S <the@wondersmith.dev>
What is the issue?

The `linkerd-jaeger-injector-webhook-config` mutating webhook raises a warning on GKE: according to GKE documentation, a webhook is considered unsafe if it has:

- `scope` set to `*`
- `scope` set to `Namespaced` and either matches the `kube-system`/`kube-node-lease` namespaces with the `In` operator, or doesn't explicitly exclude them with the `NotIn` operator
- `nodes`, `tokenreviews`, `subjectaccessreviews`, or `certificatesigningrequests` among the resources it intercepts
How can it be reproduced?

Install the linkerd jaeger extension in a GKE cluster.

Logs, error output, etc

"Update webhook to no longer intercept system requests." in the GCP console recommendation section.

Output of `linkerd check -o short`:
Environment
Possible solution

Set `scope` to `Namespaced` since the webhook intercepts only `pods`-related events, and let the user exclude `kube-system` and `kube-node-lease` using helm values if they want to.

Additional context
No response
Would you like to work on fixing this bug?
yes
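The three GKE criteria quoted in the issue, turned into a check a cluster operator can run over a webhook entry before and after the proposed fix. This is an added example, not code from the linkerd2 project or the GKE tooling; the sample webhook dicts are constructed, and the check assumes the `namespaceSelector` keys on the `kubernetes.io/metadata.name` namespace label.

```python
# Added example (not linkerd2 project code): evaluate one webhook entry of a
# MutatingWebhookConfiguration against the GKE "unsafe webhook" criteria above.
SYSTEM_NAMESPACES = {"kube-system", "kube-node-lease"}
SENSITIVE_RESOURCES = {"nodes", "tokenreviews", "subjectaccessreviews",
                       "certificatesigningrequests"}
NAME_LABEL = "kubernetes.io/metadata.name"  # assumed label used by the selector


def system_ns_matched_by(selector, operator):
    """Return the system namespaces named by a matchExpression using `operator`."""
    hit = set()
    for expr in (selector or {}).get("matchExpressions", []):
        if expr.get("key") == NAME_LABEL and expr.get("operator") == operator:
            hit |= SYSTEM_NAMESPACES & set(expr.get("values", []))
    return hit


def unsafe_reasons(webhook):
    """List why GKE would flag this webhook; an empty list means it passes."""
    reasons = []
    selector = webhook.get("namespaceSelector")
    for rule in webhook.get("rules", []):
        scope = rule.get("scope", "*")  # Kubernetes defaults an unset scope to "*"
        if scope == "*":
            reasons.append("rule scope is '*' (also intercepts cluster-scoped requests)")
        elif scope == "Namespaced":
            if system_ns_matched_by(selector, "In"):
                reasons.append("namespaceSelector matches a system namespace with In")
            elif system_ns_matched_by(selector, "NotIn") != SYSTEM_NAMESPACES:
                reasons.append("namespaceSelector does not exclude kube-system and "
                               "kube-node-lease with NotIn")
        sensitive = SENSITIVE_RESOURCES & set(rule.get("resources", []))
        if sensitive:
            reasons.append("rule intercepts system resources: " + ", ".join(sorted(sensitive)))
    return reasons


# Constructed sample mirroring the issue: a pod-creation rule with scope "*" (flagged)...
BEFORE = {"name": "example-injector.example.invalid",
          "rules": [{"operations": ["CREATE"], "apiGroups": [""], "apiVersions": ["v1"],
                     "resources": ["pods"], "scope": "*"}]}
# ...and the proposed fix: scope Namespaced plus a NotIn exclusion of both system namespaces.
AFTER = {"name": "example-injector.example.invalid",
         "rules": [{"operations": ["CREATE"], "apiGroups": [""], "apiVersions": ["v1"],
                    "resources": ["pods"], "scope": "Namespaced"}],
         "namespaceSelector": {"matchExpressions": [
             {"key": NAME_LABEL, "operator": "NotIn",
              "values": ["kube-system", "kube-node-lease"]}]}}

if __name__ == "__main__":
    for label, hook in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", unsafe_reasons(hook) or "passes the GKE webhook check")
```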