
Add ability to run Mutating Webhook BEFORE OpenShift updates pod definition  #20543

@mlbiam

Description


When I configure a mutating webhook, the pod definition that comes into the webhook has already had its security information added. It makes transforming the pod to change the service account, sec, etc. difficult and is leading to odd results. For instance, once the runAsUser and serviceAccountName and openshift.io/scc I can't rsh into the container anymore.

Version
oc v3.9.0
kubernetes v1.9.1+cbc5b49
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://os.server.lan:443
openshift v3.9.0+ba7faec-1
kubernetes v1.9.1+a0ce1bc657
Steps To Reproduce
  1. Enable Mutating webhooks
  2. deploy mutating webhook for pods CREATE and UPDATE
  3. Deploy the below pod definition:
apiVersion: v1
kind: Pod
metadata:
  name: krbtest
  labels:
    name: krbtest
  annotations:
    com.tremolosecurity.openshift: krb5_sidecar
spec:
  containers:
    - resources:
      image: mlbiam/krbdonothing
      name: motorcycle
Current Result

this is what is being submitted to my webhook (yaml version)

---
request:
  uid: 62d87962-9819-11e8-95dd-525400887c40
  userInfo:
    injectedIdentity: eyJraWQiOiJDTj1qd3Qtc2lnLCBPVT1kZXYsIE89ZGV2LCBMPWRldiwgU1Q9ZGV2LCBDPWRldi1DTj1qd3Qtc2lnLCBPVT1kZXYsIE89ZGV2LCBMPWRldiwgU1Q9ZGV2LCBDPWRldi0xNTI4Njg0NDk0MTI5IiwiYWxnIjoiUlMyNTYifQ.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.kwaCS65MKcJ07M_cx4nixIALeDz9xtY52xoSEb1j7ojDa_ZydyQlgCBOqhHPedttvT6d-9plNd-vhXHMs_NOxhHV8NY6cZQ3FRdhYJyitedSWZhfDSSTPZ0KlazxRWBhgpNZ5mrdbWurxC6vm6X2uWTk61RWegBsWHG9NBxR7fg_RwNcWKMQaOvW0QUwNXexcN96jBPZ5vF6pnvH8MLwu5AQDaR6jISykuCnhJ2tkdk-W3jfVE8Q-qpEzaZ64gKwbbY1Vw_lbsv3NTxyztUhqJZD72P11UUFmFgyP5KdFGnZLaqmzhivIVDpyeLLgvAv0RKi_CIDbnxFMC4wEkcLRg
    uid: 8e804b18-7e5f-11e8-acd7-525400887c40
    extra:
      scopes.authorization.openshift.io:
      - user:full
    groups:
    - administrators-freeipa3-project
    - editor-freeipa3-project
    - system:authenticated:oauth
    - system:authenticated
    username: freeipa3@ent2k12.domain.com
  resource:
    resource: pods
    version: v1
    group: ''
  kind:
    kind: Pod
    version: v1
    group: ''
  namespace: freeipa3-project
  oldObject: 
  operation: CREATE
  object:
    metadata:
      name: krbtest
      namespace: freeipa3-project
      creationTimestamp: 
      annotations:
        com.tremolosecurity.openshift: krb5_sidecar
        openshift.io/scc: restricted
      labels:
        name: krbtest
    spec:
      dnsPolicy: ClusterFirst
      terminationGracePeriodSeconds: 30
      serviceAccountName: default
      imagePullSecrets:
      - name: default-dockercfg-6zz7j
      volumes:
      - name: default-token-s6d2l
        secret:
          secretName: default-token-s6d2l
      containers:
      - image: mlbiam/krbdonothing
        imagePullPolicy: Always
        terminationMessagePolicy: File
        terminationMessagePath: "/dev/termination-log"
        name: motorcycle
        resources: {}
        securityContext:
          runAsUser: 1000300000
          capabilities:
            drop:
            - KILL
            - MKNOD
            - SETGID
            - SETUID
        volumeMounts:
        - mountPath: "/var/run/secrets/kubernetes.io/serviceaccount"
          name: default-token-s6d2l
          readOnly: true
      serviceAccount: default
      securityContext:
        seLinuxOptions:
          level: s0:c17,c14
        fsGroup: 1000300000
      restartPolicy: Always
      schedulerName: default-scheduler
      nodeSelector:
        node-role.kubernetes.io/compute: 'true'
    status: {}
apiVersion: admission.k8s.io/v1beta1
kind: AdmissionReview
Expected Result
apiVersion: v1
kind: Pod
metadata:
  name: krbtest
  labels:
    name: krbtest
  annotations:
    com.tremolosecurity.openshift: krb5_sidecar
spec:
  containers:
    - resources:
      image: mlbiam/krbdonothing
      name: motorcycle
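The AdmissionReview above shows the practical consequence for a webhook author: by the time the request arrives, SCC admission has already stamped `openshift.io/scc: restricted`, assigned `runAsUser: 1000300000`, dropped capabilities, and the ServiceAccount plugin has already mounted the `default-token-*` volume. A webhook that patches the pod as if it were the pristine spec from "Expected Result" will conflict with those values. The handler below is an added example, not code from this issue or from OpenShift: it reads the v1beta1 AdmissionReview, reports which SCC and token volumes are already in place, and builds an RFC 6902 JSON Patch that adds a sidecar which reuses the SCC-assigned securityContext instead of inventing its own. The sidecar image name, the sidecar container name and the trimmed sample request are constructed for the example.

```python
"""Mutating webhook handler for the AdmissionReview shown in the issue.

Added example (not the issue author's or OpenShift's code). Assumptions:
SIDECAR_IMAGE and the sidecar container name are hypothetical, and
SAMPLE_REVIEW is a trimmed, constructed copy of the request in the issue.
"""
import base64
import copy
import json

SIDECAR_ANNOTATION = "com.tremolosecurity.openshift"  # annotation from the issue
SIDECAR_VALUE = "krb5_sidecar"
SIDECAR_IMAGE = "registry.invalid/krb5-sidecar:latest"  # hypothetical image
SCC_ANNOTATION = "openshift.io/scc"


def assigned_scc(pod):
    """Return the SCC OpenShift already stamped on the pod, or None if absent."""
    return pod.get("metadata", {}).get("annotations", {}).get(SCC_ANNOTATION)


def injected_token_volumes(pod):
    """Names of service-account token volumes already injected by admission.

    If the webhook changes spec.serviceAccountName after this point, these
    volumes (and their mounts) still belong to the old account.
    """
    sa = pod["spec"].get("serviceAccountName", "default")
    prefix = f"{sa}-token-"
    return [v["name"] for v in pod["spec"].get("volumes", [])
            if v.get("name", "").startswith(prefix)]


def build_patch(pod):
    """RFC 6902 patch adding the sidecar, or [] when the annotation is absent."""
    ann = pod.get("metadata", {}).get("annotations", {})
    if ann.get(SIDECAR_ANNOTATION) != SIDECAR_VALUE:
        return []
    app = pod["spec"]["containers"][0]
    sidecar = {
        "name": "krb5-sidecar",  # hypothetical container name
        "image": SIDECAR_IMAGE,
        "resources": {},
        # Reuse the securityContext SCC already assigned to the app container so
        # the sidecar runs under the same UID and capability set as the pod it
        # joins; setting different values here would no longer match the SCC.
        "securityContext": copy.deepcopy(app.get("securityContext", {})),
        # Share the already-injected, read-only SA token mount.
        "volumeMounts": [m for m in app.get("volumeMounts", []) if m.get("readOnly")],
    }
    return [{"op": "add", "path": "/spec/containers/-", "value": sidecar}]


def mutate(review):
    """Handle an admission.k8s.io/v1beta1 AdmissionReview and return the reply."""
    req = review["request"]
    patch = build_patch(req["object"])
    response = {"uid": req["uid"], "allowed": True}
    if patch:
        response["patchType"] = "JSONPatch"
        response["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1beta1",
            "kind": "AdmissionReview", "response": response}


def decoded_patch(reply):
    """Decode the base64 JSON Patch from a reply produced by mutate()."""
    raw = reply["response"].get("patch")
    return json.loads(base64.b64decode(raw)) if raw else []


# Constructed sample: trimmed copy of the request shown in the issue.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1beta1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "62d87962-9819-11e8-95dd-525400887c40",
        "operation": "CREATE",
        "namespace": "freeipa3-project",
        "object": {
            "metadata": {
                "name": "krbtest",
                "annotations": {SIDECAR_ANNOTATION: SIDECAR_VALUE,
                                SCC_ANNOTATION: "restricted"},
            },
            "spec": {
                "serviceAccountName": "default",
                "volumes": [{"name": "default-token-s6d2l",
                             "secret": {"secretName": "default-token-s6d2l"}}],
                "containers": [{
                    "name": "motorcycle",
                    "image": "mlbiam/krbdonothing",
                    "securityContext": {
                        "runAsUser": 1000300000,
                        "capabilities": {"drop": ["KILL", "MKNOD", "SETGID", "SETUID"]},
                    },
                    "volumeMounts": [{
                        "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
                        "name": "default-token-s6d2l", "readOnly": True}],
                }],
            },
        },
    },
}

if __name__ == "__main__":
    pod = SAMPLE_REVIEW["request"]["object"]
    print("SCC already applied:", assigned_scc(pod))
    print("token volumes already injected:", injected_token_volumes(pod))
    print(json.dumps(decoded_patch(mutate(SAMPLE_REVIEW)), indent=2))
```

Running it prints `restricted` and `['default-token-s6d2l']` before the patch, which is exactly the state the issue complains about: the webhook cannot choose a service account or UID freely, it can only work within what admission already decided. Wire `mutate()` behind an HTTPS handler to use it as a real webhook.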
