From b9955788025c4347d3d9434ed288685afe6f8499 Mon Sep 17 00:00:00 2001
From: Ian Stanton
Date: Mon, 13 Jan 2025 21:04:51 -0500
Subject: [PATCH 1/5] Add pods/resize subresource to mutating and validating webhooks
Signed-off-by: Ian Stanton
---
 ...guration-mutatingwebhookconfiguration.yaml | 31 ++++++++++---------
 ...ration-validatingwebhookconfiguration.yaml | 1 +
 2 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
index 6b4821181f1..8cf5e824dcc 100644
--- a/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
+++ b/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
@@ -64,21 +64,22 @@ webhooks:
 - UPDATE
 resources:
 - '*'
- - pods/ephemeralcontainers
- - pods/exec
- - pods/log
- - pods/eviction
- - pods/portforward
- - pods/proxy
- - pods/attach
- - pods/binding
- - deployments/scale
- - replicasets/scale
- - statefulsets/scale
- - replicationcontrollers/scale
- - services/proxy
- - nodes/proxy
- - services/status
+ - 'pods/ephemeralcontainers'
+ - 'pods/exec'
+ - 'pods/log'
+ - 'pods/eviction'
+ - 'pods/portforward'
+ - 'pods/proxy'
+ - 'pods/attach'
+ - 'pods/binding'
+ - 'pods/resize'
+ - 'deployments/scale'
+ - 'replicasets/scale'
+ - 'statefulsets/scale'
+ - 'replicationcontrollers/scale'
+ - 'services/proxy'
+ - 'nodes/proxy'
+ - 'services/status'
 {{- end }}
 sideEffects: None
 timeoutSeconds: {{ .Values.mutatingWebhookTimeoutSeconds }}
diff --git a/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
index d2cdd775a18..dbd2c06257b 100644
--- a/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
+++ b/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
@@ -79,6 +79,7 @@ webhooks:
 - 'pods/proxy'
 - 'pods/attach'
 - 'pods/binding'
+ - 'pods/resize'
 - 'deployments/scale'
 - 'replicasets/scale'
 - 'statefulsets/scale'
From f8b4f087769616953244fb3890a1e1a6348812d2 Mon Sep 17 00:00:00 2001
From: Ian Stanton
Date: Mon, 13 Jan 2025 21:16:24 -0500
Subject: [PATCH 2/5] Revert format and generate manifests
Signed-off-by: Ian Stanton
---
 ...guration-mutatingwebhookconfiguration.yaml | 32 +++++++++----------
 cmd/build/helmify/replacements.go | 2 ++
 ...guration-mutatingwebhookconfiguration.yaml | 1 +
 ...ration-validatingwebhookconfiguration.yaml | 1 +
 4 files changed, 20 insertions(+), 16 deletions(-)
diff --git a/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
index 8cf5e824dcc..313e6672b75 100644
--- a/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
+++ b/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
@@ -64,22 +64,22 @@ webhooks:
 - UPDATE
 resources:
 - '*'
- - 'pods/ephemeralcontainers'
- - 'pods/exec'
- - 'pods/log'
- - 'pods/eviction'
- - 'pods/portforward'
- - 'pods/proxy'
- - 'pods/attach'
- - 'pods/binding'
- - 'pods/resize'
- - 'deployments/scale'
- - 'replicasets/scale'
- - 'statefulsets/scale'
- - 'replicationcontrollers/scale'
- - 'services/proxy'
- - 'nodes/proxy'
- - 'services/status'
+ - pods/ephemeralcontainers
+ - pods/exec
+ - pods/log
+ - pods/eviction
+ - pods/portforward
+ - pods/proxy
+ - pods/attach
+ - pods/binding
+ - pods/resize
+ - deployments/scale
+ - replicasets/scale
+ - statefulsets/scale
+ - replicationcontrollers/scale
+ - services/proxy
+ - nodes/proxy
+ - services/status
 {{- end }}
 sideEffects: None
 timeoutSeconds: {{ .Values.mutatingWebhookTimeoutSeconds }}
diff --git a/cmd/build/helmify/replacements.go b/cmd/build/helmify/replacements.go
index 8748ba62433..5cccb957daa 100644
--- a/cmd/build/helmify/replacements.go
+++ b/cmd/build/helmify/replacements.go
@@ -172,6 +172,7 @@ var replacements = map[string]string{
 - pods/proxy
 - pods/attach
 - pods/binding
+ - pods/resize
 - deployments/scale
 - replicasets/scale
 - statefulsets/scale
@@ -256,6 +257,7 @@ var replacements = map[string]string{
 - 'pods/proxy'
 - 'pods/attach'
 - 'pods/binding'
+ - 'pods/resize'
 - 'deployments/scale'
 - 'replicasets/scale'
 - 'statefulsets/scale'
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
index 6b4821181f1..6f139364823 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
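Review bot: The subresource list in cmd/build/helmify/replacements.go is hard-coded twice, in the hunk at -172 (bare) and again at -256 (single-quoted), so each addition such as `pods/resize` must be made in both places, and the next patch in this series then had to correct the indentation of both copies. Consider keeping one []string of subresources and rendering it into both replacement values so the bare and quoted forms cannot drift. The same list appears again in the kubebuilder annotations in pkg/webhook/policy.go and pkg/webhook/mutation.go later in this series, which presumably is where the generated manifests that helmify rewrites originate. The `replacements` map begins and ends outside these hunks.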
@@ -72,6 +72,7 @@ webhooks:
 - pods/proxy
 - pods/attach
 - pods/binding
+ - pods/resize
 - deployments/scale
 - replicasets/scale
 - statefulsets/scale
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
index d2cdd775a18..689345ad126 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
@@ -79,6 +79,7 @@ webhooks:
 - 'pods/proxy'
 - 'pods/attach'
 - 'pods/binding'
+ - 'pods/resize'
 - 'deployments/scale'
 - 'replicasets/scale'
 - 'statefulsets/scale'
From 240087d84467420efcab6f749cda51c05cd9a12c Mon Sep 17 00:00:00 2001
From: Ian Stanton
Date: Mon, 13 Jan 2025 21:18:36 -0500
Subject: [PATCH 3/5] Fix format
Signed-off-by: Ian Stanton
---
 cmd/build/helmify/replacements.go | 4 ++--
 ...ng-webhook-configuration-mutatingwebhookconfiguration.yaml | 2 +-
 ...-webhook-configuration-validatingwebhookconfiguration.yaml | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/cmd/build/helmify/replacements.go b/cmd/build/helmify/replacements.go
index 5cccb957daa..2e541911564 100644
--- a/cmd/build/helmify/replacements.go
+++ b/cmd/build/helmify/replacements.go
@@ -172,7 +172,7 @@ var replacements = map[string]string{
 - pods/proxy
 - pods/attach
 - pods/binding
- - pods/resize
+ - pods/resize
 - deployments/scale
 - replicasets/scale
 - statefulsets/scale
@@ -257,7 +257,7 @@ var replacements = map[string]string{
 - 'pods/proxy'
 - 'pods/attach'
 - 'pods/binding'
- - 'pods/resize'
+ - 'pods/resize'
 - 'deployments/scale'
 - 'replicasets/scale'
 - 'statefulsets/scale'
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
index 6f139364823..313e6672b75 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
@@ -72,7 +72,7 @@ webhooks:
 - pods/proxy
 - pods/attach
 - pods/binding
- - pods/resize
+ - pods/resize
 - deployments/scale
 - replicasets/scale
 - statefulsets/scale
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
index 689345ad126..dbd2c06257b 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
@@ -79,7 +79,7 @@ webhooks:
 - 'pods/proxy'
 - 'pods/attach'
 - 'pods/binding'
- - 'pods/resize'
+ - 'pods/resize'
 - 'deployments/scale'
 - 'replicasets/scale'
 - 'statefulsets/scale'
From 71600320915cda0bf77565e910dbfd6b07122d4a Mon Sep 17 00:00:00 2001
From: Ian Stanton
Date: Mon, 13 Jan 2025 21:24:41 -0500
Subject: [PATCH 4/5] Add to kubebuilder annotation and generate
Signed-off-by: Ian Stanton
---
 config/webhook/manifests.yaml | 1 +
 deploy/gatekeeper.yaml | 1 +
 manifest_staging/deploy/gatekeeper.yaml | 1 +
 pkg/webhook/policy.go | 2 +-
 4 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
index 9c89134b2d5..965ba731290 100644
--- a/config/webhook/manifests.yaml
+++ b/config/webhook/manifests.yaml
@@ -83,6 +83,7 @@ webhooks:
 - pods/proxy
 - pods/attach
 - pods/binding
+ - pods/resize
 - deployments/scale
 - replicasets/scale
 - statefulsets/scale
diff --git a/deploy/gatekeeper.yaml b/deploy/gatekeeper.yaml
index 0e2da7d3598..5c7002d3053 100644
--- a/deploy/gatekeeper.yaml
+++ b/deploy/gatekeeper.yaml
@@ -5379,6 +5379,7 @@ webhooks:
 - pods/proxy
 - pods/attach
 - pods/binding
+ - pods/resize
 - deployments/scale
 - replicasets/scale
 - statefulsets/scale
diff --git a/manifest_staging/deploy/gatekeeper.yaml b/manifest_staging/deploy/gatekeeper.yaml
index 0e2da7d3598..5c7002d3053 100644
--- a/manifest_staging/deploy/gatekeeper.yaml
+++ b/manifest_staging/deploy/gatekeeper.yaml
@@ -5379,6 +5379,7 @@ webhooks:
 - pods/proxy
 - pods/attach
 - pods/binding
+ - pods/resize
 - deployments/scale
 - replicasets/scale
 - statefulsets/scale
diff --git a/pkg/webhook/policy.go b/pkg/webhook/policy.go
index 48af84aa08c..d245fe76926 100644
--- a/pkg/webhook/policy.go
+++ b/pkg/webhook/policy.go
@@ -80,7 +80,7 @@ func init() {
 // Explicitly list all known subresources except "status" (to avoid destabilizing the cluster and increasing load on gatekeeper). But include "services/status" for constraints that mitigate CVE-2020-8554.
 // You can find a rough list of subresources by doing a case-sensitive search in the Kubernetes codebase for 'Subresource("'
-// +kubebuilder:webhook:verbs=create;update,path=/v1/admit,mutating=false,failurePolicy=ignore,groups=*,resources=*;pods/ephemeralcontainers;pods/exec;pods/log;pods/eviction;pods/portforward;pods/proxy;pods/attach;pods/binding;deployments/scale;replicasets/scale;statefulsets/scale;replicationcontrollers/scale;services/proxy;nodes/proxy;services/status,versions=*,name=validation.gatekeeper.sh,sideEffects=None,admissionReviewVersions=v1;v1beta1,matchPolicy=Exact
+// +kubebuilder:webhook:verbs=create;update,path=/v1/admit,mutating=false,failurePolicy=ignore,groups=*,resources=*;pods/ephemeralcontainers;pods/exec;pods/log;pods/eviction;pods/portforward;pods/proxy;pods/attach;pods/binding;pods/resize;deployments/scale;replicasets/scale;statefulsets/scale;replicationcontrollers/scale;services/proxy;nodes/proxy;services/status,versions=*,name=validation.gatekeeper.sh,sideEffects=None,admissionReviewVersions=v1;v1beta1,matchPolicy=Exact
 // +kubebuilder:rbac:groups=*,resources=*,verbs=get;list;watch
 // AddPolicyWebhook registers the policy webhook server with the manager.
From a32620cb2bdd4e8f1030543221ede77c1195c79a Mon Sep 17 00:00:00 2001
From: Ian Stanton
Date: Wed, 15 Jan 2025 15:15:34 -0500
Subject: [PATCH 5/5] Drop chart changes and update subresource annotation for mutation
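Review bot: The comment above the annotation explains why the subresources are listed explicitly but gives no hint that `pods/resize` is version-dependent: as far as I recall it is only served by API servers with the in-place pod resize feature (Kubernetes 1.27 and later, behind a feature gate), so on older clusters this rule entry is inert and no admission request ever reaches the webhook for it. Suggest adding `// "pods/resize" is only served by API servers with in-place pod resize enabled (Kubernetes 1.27+); the entry is inert on older clusters.` after the "You can find a rough list" line so operators do not assume resize requests are being validated everywhere. The surrounding context shows init() closing before this hunk; the annotation itself is package-level.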
Signed-off-by: Ian Stanton
---
 ...nfiguration-mutatingwebhookconfiguration.yaml | 1 -
 ...iguration-validatingwebhookconfiguration.yaml | 1 -
 config/webhook/manifests.yaml | 16 ++++++++++++++++
 deploy/gatekeeper.yaml | 1 -
 manifest_staging/deploy/gatekeeper.yaml | 16 ++++++++++++++++
 pkg/webhook/mutation.go | 2 +-
 6 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
index 313e6672b75..6b4821181f1 100644
--- a/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
+++ b/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
@@ -72,7 +72,6 @@ webhooks:
 - pods/proxy
 - pods/attach
 - pods/binding
- - pods/resize
 - deployments/scale
 - replicasets/scale
 - statefulsets/scale
diff --git a/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
index dbd2c06257b..d2cdd775a18 100644
--- a/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
+++ b/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
@@ -79,7 +79,6 @@ webhooks:
 - 'pods/proxy'
 - 'pods/attach'
 - 'pods/binding'
- - 'pods/resize'
 - 'deployments/scale'
 - 'replicasets/scale'
 - 'statefulsets/scale'
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
index 965ba731290..1c46e68553a 100644
--- a/config/webhook/manifests.yaml
+++ b/config/webhook/manifests.yaml
@@ -25,6 +25,22 @@ webhooks:
 - UPDATE
 resources:
 - '*'
+ - pods/ephemeralcontainers
+ - pods/exec
+ - pods/log
+ - pods/eviction
+ - pods/portforward
+ - pods/proxy
+ - pods/attach
+ - pods/binding
+ - pods/resize
+ - deployments/scale
+ - replicasets/scale
+ - statefulsets/scale
+ - replicationcontrollers/scale
+ - services/proxy
+ - nodes/proxy
+ - services/status
 sideEffects: None
 ---
 apiVersion: admissionregistration.k8s.io/v1
diff --git a/deploy/gatekeeper.yaml b/deploy/gatekeeper.yaml
index 5c7002d3053..0e2da7d3598 100644
--- a/deploy/gatekeeper.yaml
+++ b/deploy/gatekeeper.yaml
@@ -5379,7 +5379,6 @@ webhooks:
 - pods/proxy
 - pods/attach
 - pods/binding
- - pods/resize
 - deployments/scale
 - replicasets/scale
 - statefulsets/scale
diff --git a/manifest_staging/deploy/gatekeeper.yaml b/manifest_staging/deploy/gatekeeper.yaml
index 5c7002d3053..db5bca310d5 100644
--- a/manifest_staging/deploy/gatekeeper.yaml
+++ b/manifest_staging/deploy/gatekeeper.yaml
@@ -5332,6 +5332,22 @@ webhooks:
 - UPDATE
 resources:
 - '*'
+ - pods/ephemeralcontainers
+ - pods/exec
+ - pods/log
+ - pods/eviction
+ - pods/portforward
+ - pods/proxy
+ - pods/attach
+ - pods/binding
+ - pods/resize
+ - deployments/scale
+ - replicasets/scale
+ - statefulsets/scale
+ - replicationcontrollers/scale
+ - services/proxy
+ - nodes/proxy
+ - services/status
 sideEffects: None
 timeoutSeconds: 1
 ---
diff --git a/pkg/webhook/mutation.go b/pkg/webhook/mutation.go
index 91a07fb6973..4748c014098 100644
--- a/pkg/webhook/mutation.go
+++ b/pkg/webhook/mutation.go
@@ -49,7 +49,7 @@ func init() {
 }
 }
-// +kubebuilder:webhook:verbs=create;update,path=/v1/mutate,mutating=true,failurePolicy=ignore,groups=*,resources=*,versions=*,name=mutation.gatekeeper.sh,sideEffects=None,admissionReviewVersions=v1;v1beta1,matchPolicy=Exact
+// +kubebuilder:webhook:verbs=create;update,path=/v1/mutate,mutating=true,failurePolicy=ignore,groups=*,resources=*;pods/ephemeralcontainers;pods/exec;pods/log;pods/eviction;pods/portforward;pods/proxy;pods/attach;pods/binding;pods/resize;deployments/scale;replicasets/scale;statefulsets/scale;replicationcontrollers/scale;services/proxy;nodes/proxy;services/status,versions=*,name=mutation.gatekeeper.sh,sideEffects=None,admissionReviewVersions=v1;v1beta1,matchPolicy=Exact
 // +kubebuilder:rbac:resourceNames=gatekeeper-mutating-webhook-configuration,groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations,verbs=get;list;watch;update;patch
 // AddMutatingWebhook registers the mutating webhook server with the manager.
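Review bot: The mutating annotation now carries the same explicit subresource list as the validating one in pkg/webhook/policy.go, but unlike that file it has no comment explaining why every subresource except "status" is listed and why "services/status" is still included; copy the two explanatory lines from policy.go above this annotation so each file is readable on its own, and note in them that the two annotations and cmd/build/helmify/replacements.go must be updated together. Because the mutating webhook is now invoked for pods/exec, pods/attach, pods/portforward and similar requests, whose admission object is the corresponding options object rather than the parent Pod, it is worth confirming outside this hunk that the mutation handler treats those requests as no-ops instead of attempting to patch them, and that the generated config/webhook/manifests.yaml in this same patch is what the chart templates are expected to be regenerated from. The enclosing init() closes on the first two context lines of the hunk; the annotation is package-level.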