Lock Down the Label That Ignores the Gatekeeper-System Namespace #231
Comments
+1
Just to clarify, kubebuilder enables this behavior in gatekeeper, but
So maybe we should open up an issue for https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/api/admissionregistration/v1/types.go#L260
Another option is to configure gatekeeper to ignore certain namespaces e.g. kube-system at init time.
Configuring the Gatekeeper source code won't help as it's the API server that controls what happens when the pod is down. There is some interesting context surrounding this issue:
We could add a second validating webhook endpoint. Open question: whether and how the list of ignorable namespaces could be configured:
Fixes open-policy-agent#231 Signed-off-by: Max Smythe <smythe@google.com>
…ces (#350)

* Add a webhook to reject the gatekeeper-ignore label on non-GK namespaces. Fixes #231. Signed-off-by: Max Smythe <smythe@google.com>
* Namespace label webhook should fail hard. Signed-off-by: Max Smythe <smythe@google.com>
* Fix lint errors. Signed-off-by: Max Smythe <smythe@google.com>
* Wait for webhook on e2e tests; add gatekeeper label. Signed-off-by: Max Smythe <smythe@google.com>
* Remove unnecessary return code. Signed-off-by: Max Smythe <smythe@google.com>
* Use --resolve instead of --connect-to for ubuntu compatibility. Signed-off-by: Max Smythe <smythe@google.com>
* Move cleaning of temp file closer to its creation. Signed-off-by: Max Smythe <smythe@google.com>
* Incorporate feedback from community mtg. Signed-off-by: Max Smythe <smythe@google.com>
* Fix manifests, add e2e tests. Signed-off-by: Max Smythe <smythe@google.com>
* Add README. Signed-off-by: Max Smythe <smythe@google.com>
* Add flag to helm chart. Signed-off-by: Max Smythe <smythe@google.com>
* Regenerate helm chart. Signed-off-by: Max Smythe <smythe@google.com>
* Update README to include `does not exclude audit`. Signed-off-by: Max Smythe <smythe@google.com>
* Add DR instructions to README. Signed-off-by: Max Smythe <smythe@google.com>
* Use staging manifests. Signed-off-by: Max Smythe <smythe@google.com>
* Add webhook customization readme and tweak flag name. Signed-off-by: Max Smythe <smythe@google.com>
* Add flag change to manifest. Signed-off-by: Max Smythe <smythe@google.com>
* Add remaining namespaces -> namespace flag changes. Signed-off-by: Max Smythe <smythe@google.com>
* Update deprecation comment. Signed-off-by: Max Smythe <smythe@google.com>
kubebuilder does this by default, and we embraced it by adding a label to gatekeeper-system.
We shouldn't do this as there is no way to ACL labels, meaning anyone with the power to create/edit namespaces can exempt themselves from constraints.
Since gatekeeper already does not self-manage, we should remove this, though there is a bootstrapping problem once we start failing closed: if the admission controller auto-rejects when we launch a pod, how can we re-launch a pod if gatekeeper ever goes down?
It'd be good if we could ignore specific namespaces at the validatingwebhookconfiguration level, rather than relying on selectors which, as stated above, are insecure.
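As an added example, not code from this issue or from the gatekeeper project: a dependency-free Go sketch of the namespace-label admission check that the linked PR describes. It rejects the ignore label on any Namespace that is not on an explicit exempt list, lets the label through only for exempt namespaces (gatekeeper-system must be on that list, or the bootstrapping problem above returns), and fails closed on anything it cannot decode. The label key, the exempt-list shape, the function names and the sample AdmissionReview are all assumptions made for illustration; check the deployed ValidatingWebhookConfiguration for the real key.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ignoreLabel is the label the policy webhook's namespaceSelector keys on.
// The key is an assumption for this example, not taken from the issue.
const ignoreLabel = "admission.gatekeeper.sh/ignore"

// Minimal stand-ins for the admission.k8s.io/v1 wire types, so the example
// runs without the k8s.io modules. Field names follow the JSON format.
type objectMeta struct {
	Name   string            `json:"name"`
	Labels map[string]string `json:"labels"`
}

type namespaceObject struct {
	Metadata objectMeta `json:"metadata"`
}

type admissionRequest struct {
	UID       string          `json:"uid"`
	Operation string          `json:"operation"` // CREATE, UPDATE, DELETE, CONNECT
	Object    json.RawMessage `json:"object"`
}

type admissionStatus struct {
	Message string `json:"message"`
}

type admissionResponse struct {
	UID     string           `json:"uid"`
	Allowed bool             `json:"allowed"`
	Status  *admissionStatus `json:"status,omitempty"`
}

type admissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *admissionRequest  `json:"request,omitempty"`
	Response   *admissionResponse `json:"response,omitempty"`
}

func deny(uid, msg string) *admissionResponse {
	return &admissionResponse{UID: uid, Allowed: false, Status: &admissionStatus{Message: msg}}
}

// reviewNamespace allows the ignore label only on namespaces in the exempt
// set. Anyone who can create or edit namespaces can set labels, so without
// this check the label is a self-service exemption from policy.
func reviewNamespace(req *admissionRequest, exempt map[string]bool) *admissionResponse {
	if req == nil {
		return deny("", "missing admission request")
	}
	// DELETE and CONNECT carry no new object; only CREATE/UPDATE can add a label.
	if req.Operation != "CREATE" && req.Operation != "UPDATE" {
		return &admissionResponse{UID: req.UID, Allowed: true}
	}
	var ns namespaceObject
	if err := json.Unmarshal(req.Object, &ns); err != nil {
		// Fail closed: an object the webhook cannot inspect is not let through.
		return deny(req.UID, "cannot decode namespace: "+err.Error())
	}
	if _, labelled := ns.Metadata.Labels[ignoreLabel]; !labelled {
		return &admissionResponse{UID: req.UID, Allowed: true}
	}
	if exempt[ns.Metadata.Name] {
		return &admissionResponse{UID: req.UID, Allowed: true}
	}
	return deny(req.UID, fmt.Sprintf("label %q is only permitted on exempt namespaces, not %q", ignoreLabel, ns.Metadata.Name))
}

// handleReview is the request-body-level entry point: decode the
// AdmissionReview, decide, and encode a response echoing the request UID.
func handleReview(body []byte, exempt map[string]bool) ([]byte, error) {
	var review admissionReview
	if err := json.Unmarshal(body, &review); err != nil {
		return nil, err
	}
	out := admissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview",
		Response: reviewNamespace(review.Request, exempt)}
	return json.Marshal(out)
}

// sampleReview builds a constructed CREATE AdmissionReview for a Namespace
// (test input for this example, not a captured API-server request).
func sampleReview(name string, labels map[string]string) []byte {
	obj, _ := json.Marshal(namespaceObject{Metadata: objectMeta{Name: name, Labels: labels}})
	b, _ := json.Marshal(admissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview",
		Request: &admissionRequest{UID: "uid-" + name, Operation: "CREATE", Object: obj}})
	return b
}

func main() {
	exempt := map[string]bool{"gatekeeper-system": true} // assumed exempt list
	cases := []struct {
		name   string
		labels map[string]string
	}{
		{"gatekeeper-system", map[string]string{ignoreLabel: "no-self-managing"}}, // allowed
		{"team-a", map[string]string{ignoreLabel: "true"}},                         // denied
		{"team-b", nil},                                                            // allowed
	}
	for _, tc := range cases {
		out, err := handleReview(sampleReview(tc.name, tc.labels), exempt)
		fmt.Println(string(out), err)
	}
}
```

This handler only closes the hole at admission time: the labelled namespace is still skipped by the policy webhook's namespaceSelector, which is the point, and, as the PR's README note says, exempting a namespace from the webhook does not exclude it from audit. Register it with failurePolicy Fail so that an outage of this second webhook does not silently reopen the exemption.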