linkerd-jaeger-injector-webhook-config mutating webhook raises warning on GKE #12193

Closed
mdnfiras opened this issue Mar 4, 2024 · 2 comments · Fixed by #12195
@mdnfiras
Contributor

mdnfiras commented Mar 4, 2024

What is the issue?

The linkerd-jaeger-injector-webhook-config mutating webhook raises a warning on GKE:


According to the GKE documentation, a webhook is considered unsafe if it:

  • has scope set to *
  • has scope set to Namespaced and either matches the kube-system/kube-node-lease namespaces with the In operator, or doesn't explicitly exclude them with the NotIn operator
  • matches the resources nodes, tokenreviews, subjectaccessreviews, or certificatesigningrequests

How can it be reproduced?

Install the linkerd jaeger extension in a GKE cluster.

Logs, error output, etc

"Update webhook to no longer intercept system requests." in the GCP console recommendation section.

output of linkerd check -o short

linkerd-version
---------------
‼ cli is up-to-date
    is running version 2.12.4 but the latest stable version is 2.14.10
    see https://linkerd.io/2.12/checks/#l5d-version-cli for hints

control-plane-version
---------------------
‼ control plane is up-to-date
    is running version 2.12.4 but the latest stable version is 2.14.10
    see https://linkerd.io/2.12/checks/#l5d-version-control for hints

linkerd-control-plane-proxy
---------------------------
‼ control plane proxies are up-to-date
    some proxies are not running the current version:
        * linkerd-destination-8569bcbd7c-5b8v2 (stable-2.12.4)
        * linkerd-destination-8569bcbd7c-886gs (stable-2.12.4)
        * linkerd-identity-6f648bccf6-fk2dg (stable-2.12.4)
        * linkerd-identity-6f648bccf6-hmchp (stable-2.12.4)
        * linkerd-proxy-injector-9cbc6dff4-fnc47 (stable-2.12.4)
        * linkerd-proxy-injector-9cbc6dff4-w52xp (stable-2.12.4)
    see https://linkerd.io/2.12/checks/#l5d-cp-proxy-version for hints

Linkerd extensions checks
=========================

linkerd-jaeger
--------------
‼ jaeger extension proxies are up-to-date
    some proxies are not running the current version:
        * collector-8547469f4-hhtr9 (stable-2.12.4)
        * collector-8547469f4-thdnm (stable-2.12.4)
        * jaeger-injector-857ff8576d-bxsnd (stable-2.12.4)
        * jaeger-injector-857ff8576d-vmz6c (stable-2.12.4)
    see https://linkerd.io/2.12/checks/#l5d-jaeger-proxy-cp-version for hints

Linkerd extensions checks
=========================

linkerd-viz
-----------
‼ viz extension proxies are up-to-date
    some proxies are not running the current version:
        * metrics-api-5d544bfdfb-9df2d (stable-2.12.4)
        * tap-7c69486f4-68q54 (stable-2.12.4)
        * tap-7c69486f4-tkhbq (stable-2.12.4)
        * tap-7c69486f4-w2fcs (stable-2.12.4)
        * tap-injector-55d4b59f8b-5mcjx (stable-2.12.4)
        * web-84957c64-wgs9v (stable-2.12.4)
    see https://linkerd.io/2.12/checks/#l5d-viz-proxy-cp-version for hints
‼ prometheus is installed and configured correctly
    missing ClusterRoles: linkerd-linkerd-viz-prometheus
    see https://linkerd.io/2.12/checks/#l5d-viz-prometheus for hints

Status check results are √

Environment

  • Kubernetes version 1.25.16
  • cloud environment: GKE
  • Linkerd version: 2.12.4

Possible solution

Set scope to Namespaced, since the webhook intercepts only pod-related events, and let the user exclude kube-system and kube-node-lease using Helm values if they want to.

Additional context

No response

Would you like to work on fixing this bug?

Yes

@mdnfiras mdnfiras added the bug label Mar 4, 2024
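As an added example (not Linkerd project code), a small Python checker that applies the three GKE criteria listed in the issue to one entry of a MutatingWebhookConfiguration's webhooks[] and runs it over constructed samples: the "before" state (scope *), the scope-only change, and the scope change plus a Helm-supplied namespaceSelector. The namespace label key kubernetes.io/metadata.name and the sample webhook names are assumptions, not values from the Linkerd charts.

```python
# Added example (not Linkerd project code): classify an admission webhook
# against the three GKE "unsafe webhook" criteria quoted in the issue, and
# show the before/after of the proposed fix on constructed sample configs.
SYSTEM_NAMESPACES = {"kube-system", "kube-node-lease"}
SENSITIVE_RESOURCES = {"nodes", "tokenreviews", "subjectaccessreviews",
                       "certificatesigningrequests"}
# Assumption: the namespaceSelector keys on the namespace's well-known name label.
NAME_LABEL = "kubernetes.io/metadata.name"


def selected_namespaces(selector):
    """Split a namespaceSelector into (In-selected, NotIn-excluded) name sets."""
    included, excluded = set(), set()
    for expr in (selector or {}).get("matchExpressions", []):
        if expr.get("key") != NAME_LABEL:
            continue
        if expr.get("operator") == "In":
            included.update(expr.get("values", []))
        elif expr.get("operator") == "NotIn":
            excluded.update(expr.get("values", []))
    return included, excluded


def unsafe_findings(webhook):
    """Return the set of GKE findings for one webhooks[] entry (empty set = safe)."""
    findings = set()
    included, excluded = selected_namespaces(webhook.get("namespaceSelector"))
    for rule in webhook.get("rules", []):
        scope = rule.get("scope", "*")  # Kubernetes defaults an omitted scope to "*"
        if scope == "*":
            findings.add("scope-wildcard")
        elif scope == "Namespaced":
            if included & SYSTEM_NAMESPACES:
                findings.add("system-namespaces-selected")
            if SYSTEM_NAMESPACES - excluded:
                findings.add("system-namespaces-not-excluded")
        if SENSITIVE_RESOURCES & set(rule.get("resources", [])):
            findings.add("sensitive-resource")
    return findings


POD_CREATE = {"apiGroups": [""], "apiVersions": ["v1"],
              "operations": ["CREATE"], "resources": ["pods"]}
# Constructed samples (names are hypothetical): before the fix, after the fix
# with only the scope changed, and after the fix plus the user's namespaceSelector.
BEFORE = {"name": "jaeger-injector.example", "rules": [dict(POD_CREATE, scope="*")]}
SCOPED_ONLY = {"name": "jaeger-injector.example",
               "rules": [dict(POD_CREATE, scope="Namespaced")]}
SCOPED_EXCLUDED = dict(SCOPED_ONLY, namespaceSelector={"matchExpressions": [
    {"key": NAME_LABEL, "operator": "NotIn", "values": sorted(SYSTEM_NAMESPACES)}]})

if __name__ == "__main__":
    for wh in (BEFORE, SCOPED_ONLY, SCOPED_EXCLUDED):
        print(wh["name"], sorted(unsafe_findings(wh)) or "safe")
```

Changing the scope alone still trips the second criterion; the selector excluding both system namespaces is what clears the finding.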
@mdnfiras
Contributor Author

mdnfiras commented Mar 4, 2024

Same for the linkerd-tap-injector-webhook-config and linkerd-proxy-injector.linkerd.io mutating webhooks.

mdnfiras added a commit to mdnfiras/linkerd2 that referenced this issue Mar 4, 2024
…Namespaced

Subject: Setting the scope for mutating webhooks rules

Problem: The linkerd-jaeger-injector-webhook-config and linkerd-tap-injector-webhook-config mutating webhooks raise a warning on GKE that says "Update webhook to no longer intercept system requests." in the GCP console recommendation section.

Solution: Setting the scope to Namespaced for both webhooks

Validation: This should not change the webhooks' behaviour as both webhooks are triggered only by pod creation requests, and pods are namespaced resources. We can test it by tapping a pod, for example.

Fixes linkerd#12193
@mdnfiras
Contributor Author

mdnfiras commented Mar 4, 2024

pull request: #12195

With that pull request, the scope will be set to Namespaced. The user can then exclude the kube-system and kube-node-lease namespaces using the Helm values.

mdnfiras added a commit to mdnfiras/linkerd2 that referenced this issue Mar 4, 2024
Subject: Setting the scope for mutating webhooks rules

Problem: The linkerd-proxy-injector-webhook-config, linkerd-jaeger-injector-webhook-config, and linkerd-tap-injector-webhook-config mutating webhooks raise a warning on GKE that says "Update webhook to no longer intercept system requests." in the GCP console recommendation section.

Solution: Setting the scope to Namespaced for both webhooks

Validation: This should not change the webhooks' behaviour as both webhooks are triggered only by pod/service creation requests, and pods/services are namespaced resources.

Fixes linkerd#12193
mdnfiras added a commit to mdnfiras/linkerd2 that referenced this issue Mar 4, 2024
Subject: Setting the scope for mutating webhooks rules

Problem: The linkerd-proxy-injector-webhook-config, linkerd-jaeger-injector-webhook-config, and linkerd-tap-injector-webhook-config mutating webhooks raise a warning on GKE that says "Update webhook to no longer intercept system requests." in the GCP console recommendation section.

Solution: Setting the scope to Namespaced for both webhooks

Validation: This should not change the webhooks' behaviour as all webhooks are triggered only by pod/service creation requests, and pods/services are namespaced resources.

Fixes linkerd#12193
mdnfiras added a commit to mdnfiras/linkerd2 that referenced this issue Mar 25, 2024
Subject: Setting the scope for mutating webhooks rules

Problem: The linkerd-proxy-injector-webhook-config, linkerd-jaeger-injector-webhook-config, and linkerd-tap-injector-webhook-config mutating webhooks raise a warning on GKE that says "Update webhook to no longer intercept system requests." in the GCP console recommendation section.

Solution: Setting the scope to Namespaced for both webhooks

Validation: This should not change the webhooks' behaviour as all webhooks are triggered only by pod/service creation requests, and pods/services are namespaced resources.

Fixes linkerd#12193

Signed-off-by: f.medini <f.medini@nyris.io>
mdnfiras added a commit to mdnfiras/linkerd2 that referenced this issue Mar 25, 2024
Subject: Setting the scope for mutating webhooks rules

Problem: The linkerd-proxy-injector-webhook-config, linkerd-jaeger-injector-webhook-config, and linkerd-tap-injector-webhook-config mutating webhooks raise a warning on GKE that says "Update webhook to no longer intercept system requests." in the GCP console recommendation section.

Solution: Setting the scope to Namespaced for both webhooks

Validation: This should not change the webhooks' behaviour as all webhooks are triggered only by pod/service creation requests, and pods/services are namespaced resources.

Fixes linkerd#12193

Signed-off-by: f.medini <f.medini@nyris.io>
mdnfiras added a commit to mdnfiras/linkerd2 that referenced this issue Mar 25, 2024
Subject: Setting the scope for mutating webhooks rules

Problem: The linkerd-proxy-injector-webhook-config, linkerd-jaeger-injector-webhook-config, and linkerd-tap-injector-webhook-config mutating webhooks raise a warning on GKE that says "Update webhook to no longer intercept system requests." in the GCP console recommendation section. This is because the scope is set to *. This also happens if scope is Namespaced and the kube-system and kube-node-lease namespaces are not excluded using namespaceSelector.

Solution: Setting the scope to Namespaced for both webhooks, and the user can set the namespaceSelector in the helm values.

Validation: This should not change the webhooks' behaviour as all webhooks are triggered only by pod/service creation requests, and pods/services are namespaced resources.

Fixes linkerd#12193

Signed-off-by: f.medini <f.medini@nyris.io>
mdnfiras added a commit to mdnfiras/linkerd2 that referenced this issue Mar 26, 2024
Subject: Setting the scope for mutating webhooks rules

Problem: The linkerd-proxy-injector-webhook-config, linkerd-jaeger-injector-webhook-config, and linkerd-tap-injector-webhook-config mutating webhooks raise a warning on GKE that says "Update webhook to no longer intercept system requests." in the GCP console recommendation section. This is because the scope is set to *. This also happens if scope is Namespaced, and kube-system and kube-node-lease namespaces are not excluded using namespaceSelector.

Solution: Setting the scope to Namespaced for both webhooks, and the user can set the namespaceSelector in the helm values.

Validation: This should not change the webhooks' behaviour as all webhooks are triggered only by pod/service creation requests, and pods/services are namespaced resources.

Fixes linkerd#12193

Signed-off-by: f.medini <f.medini@nyris.io>
alpeb added a commit that referenced this issue Mar 28, 2024
… rules scope to Namespaced (#12195)

* Set mutating webhook rules scope to Namespaced

Problem: The linkerd-proxy-injector-webhook-config, linkerd-jaeger-injector-webhook-config, and linkerd-tap-injector-webhook-config mutating webhooks raise a warning on GKE that says "Update webhook to no longer intercept system requests." in the GCP console recommendation section. This is because the scope is set to *. This also happens if scope is Namespaced, and kube-system and kube-node-lease namespaces are not excluded using namespaceSelector.

Solution: Setting the scope to Namespaced for all webhooks, and the user can set the namespaceSelector in the helm values.

Validation: This should not change the webhooks' behaviour as all webhooks are triggered only by pod/service creation requests, and pods/services are namespaced resources.

Fixes #12193


---------

Signed-off-by: f.medini <f.medini@nyris.io>
Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>
the-wondersmith pushed a commit to the-wondersmith/linkerd2 that referenced this issue Apr 24, 2024
… rules scope to Namespaced (linkerd#12195)

* Set mutating webhook rules scope to Namespaced

Problem: The linkerd-proxy-injector-webhook-config, linkerd-jaeger-injector-webhook-config, and linkerd-tap-injector-webhook-config mutating webhooks raise a warning on GKE that says "Update webhook to no longer intercept system requests." in the GCP console recommendation section. This is because the scope is set to *. This also happens if scope is Namespaced, and kube-system and kube-node-lease namespaces are not excluded using namespaceSelector.

Solution: Setting the scope to Namespaced for all webhooks, and the user can set the namespaceSelector in the helm values.

Validation: This should not change the webhooks' behaviour as all webhooks are triggered only by pod/service creation requests, and pods/services are namespaced resources.

Fixes linkerd#12193

---------

Signed-off-by: f.medini <f.medini@nyris.io>
Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>
Signed-off-by: Mark S <the@wondersmith.dev>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 28, 2024