Validatingwebhookconfiguration scope: * can cause cluster instability. #3249
Labels
bug
Something isn't working
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Summary
the validating webhook configuration and mutating webhook configuration by default, are scoped to "cluster", the value isn't set in the templates, or configurable.
They should be scoped to Namespaced by default, with the option to set the value to cluster.
Details
Google doc advising not to use webhooks on the cluster level
specifically:
Ensure that you set scope to Namespaced, not *, so that the webhook only operates in specific namespaces. Also ensure that if the operator is NotIn, you include kube-system and kube-node-lease in values (in this example, with blue-system).PoC
https://github.com/open-policy-agent/gatekeeper/blob/master/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml#L48-L64
https://github.com/open-policy-agent/gatekeeper/blob/master/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml#L101-L113
Or allow this value to be set, i.e: like in https://github.com/open-policy-agent/gatekeeper/blob/master/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml#L48-L64
Impact
What kind of vulnerability is it? Who is impacted?
The text was updated successfully, but these errors were encountered: