Summary
The validating webhook configuration and the mutating webhook configuration are scoped to "cluster" by default; the value is not set in the chart templates, nor is it configurable.
They should be scoped to Namespaced by default, with the option to set the value to cluster.
Details
Google doc advising not to use webhooks on the cluster level
specifically:
Ensure that you set scope to Namespaced, not *, so that the webhook only operates in specific namespaces. Also ensure that if the operator is NotIn, you include kube-system and kube-node-lease in values (in this example, with blue-system).
PoC
https://github.com/open-policy-agent/gatekeeper/blob/master/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml#L48-L64
https://github.com/open-policy-agent/gatekeeper/blob/master/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml#L101-L113
Or allow this value to be set, e.g. like in https://github.com/open-policy-agent/gatekeeper/blob/master/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml#L48-L64
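The following is an added illustration, not a copy of the Gatekeeper chart, showing the two shapes the report contrasts: a webhook rule with no `scope` (which the Kubernetes API server treats as `"*"`, matching every namespace) and the narrowed form the quoted guidance asks for (`scope: "Namespaced"` plus a `NotIn` namespace selector that excludes `kube-system` and `kube-node-lease`). The field names are from the `admissionregistration.k8s.io/v1` API; the webhook, service and namespace names are constructed, the `kubernetes.io/metadata.name` label is the one the API server applies to every namespace automatically, and the Helm value `webhookScope` in the last section is a hypothetical name for the configurable knob the report proposes. The same change applies to the MutatingWebhookConfiguration.

```yaml
# Before (as reported): scope omitted, so the API server uses "*" and the
# webhook is consulted for every namespace, including control-plane ones.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: example-validating-webhook      # constructed name
webhooks:
  - name: validation.example.local      # constructed name
    rules:
      - apiGroups: ["*"]
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE"]
        resources: ["*"]
        # scope not set -> defaults to "*"
    clientConfig:
      service:
        name: example-webhook-service   # constructed name
        namespace: example-system       # constructed namespace
        path: /v1/admit
    admissionReviewVersions: ["v1"]
    sideEffects: None
    failurePolicy: Ignore
---
# After: scope set explicitly to Namespaced, and the control-plane namespaces
# excluded with a NotIn selector so the webhook never gates them, even when
# the webhook backend is down and failurePolicy would otherwise apply.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: example-validating-webhook
webhooks:
  - name: validation.example.local
    rules:
      - apiGroups: ["*"]
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE"]
        resources: ["*"]
        scope: "Namespaced"
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name   # set on every namespace by the API server
          operator: NotIn
          values: ["kube-system", "kube-node-lease", "example-system"]
    clientConfig:
      service:
        name: example-webhook-service
        namespace: example-system
        path: /v1/admit
    admissionReviewVersions: ["v1"]
    sideEffects: None
    failurePolicy: Ignore
---
# Helm template fragment (hypothetical value name `webhookScope`): the chart
# would default to Namespaced and let operators opt into "*" or Cluster.
#
#     rules:
#       - apiGroups: ["*"]
#         apiVersions: ["*"]
#         operations: ["CREATE", "UPDATE"]
#         resources: ["*"]
#         scope: {{ .Values.webhookScope | default "Namespaced" | quote }}
```

To check what a chart actually renders, run `helm template` on it and look for the `scope` key under each webhook's `rules`; on a live cluster, `kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations -o yaml` shows the effective value, and an absent `scope` means `"*"`. Note that `scope` and `namespaceSelector` are separate controls: `scope: Namespaced` only drops cluster-scoped resources (nodes, namespaces, CRDs themselves) from the rule, while the selector is what keeps the webhook out of `kube-system` and `kube-node-lease`; the quoted guidance asks for both.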
Impact
What kind of vulnerability is it? Who is impacted?