controlplaneio / kubesec-webhook Goto Github PK

Create a Helm chart and modify gen-certs.sh to generate the cert and CA Bundle inside the chart root without creating the webhooks yamls.

It will be useful to print scan result in webhook logs and in the output of kubectl apply.
Current output is not helpful for analysis

webhook debug log

kubectl logs kubesec-webhook-576994f77f-g9jfk -n kubesec -f
2019/09/12 01:11:44 [INFO] webhooks listening on :8080...
2019/09/12 01:11:44 [INFO] metrics listening on :8081...
2019/09/12 01:12:08 [DEBUG] reviewing request 5791fc9c-d4fa-11e9-9336-f213d8fe6e28, named: pd-test/
2019/09/12 01:12:08 [INFO] Scanning deployment deployment-test

kubectl output

$ kubectl apply -f ./test/deployment.yaml -n pd-test
Error from server (InternalError): error when creating "./test/deployment.yaml": Internal error occurred: admission webhook "deployment.admission.kubesc.io" denied the request: deployment-test score is -30, deployment minimum accepted score is 0

Issue when deploying to Kuberntes 1.19:

x509: certificate relies on legacy Common Name field, use SANs

This is due to Kubernetes updating to GoLang 1.15: https://kubernetes.io/docs/setup/release/notes/#api-change

Kubernetes is now built with golang 1.15.0-rc.1.
The deprecated, legacy behavior of treating the CommonName field on X.509 serving certificates as a host name when no Subject Alternative Names are present is now disabled by default. It can be temporarily re-enabled by adding the value x509ignoreCN=0 to the GODEBUG environment variable. (#93264, @justaugustus) [SIG API Machinery, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Scalability, Storage and Testing]

Kubesec-webhook is still stable in prior versions of Kubernetes.

Remove hardcoded certificate details from helm chart, can be achieved using genSignedCert

The kubsec-webhook container image referenced in the Deployment YAML file has not been updated in a long time and is not managed by ControlPlane.

There isn't a lot of new code to test in comparison with kubesec but we should have a minimum set of tests to make sure sending a request to the webhook is working as expected.

make deploy is resulting in the following error. This was attempted on an on-prem Kubernetes cluster running version 1.23.7

make deploy
kubectl create namespace kubesec
namespace/kubesec created
kubectl apply -f ./deploy/
deployment.apps/kubesec-webhook created
service/kubesec-webhook created
error: resource mapping not found for name: "kubesec-webhook" namespace: "" from "deploy/webhook-registration.yaml": no matches for kind "MutatingWebhookConfiguration" in version "admissionregistration.k8s.io/v1beta1"
ensure CRDs are installed first
make: *** [Makefile:27: deploy] Error 1

There is currently no CI running for PRs and for releasing new images.

should I use all for the implementation, or "helm" is enough to create and configure everything? I still get X509 certs error. I'm using CRI-O by the way, but ran the cert generator script on a Docker server, then copied the directory to my CRI-O cluster.

Thank you,

This will allow us to use Admission reviews v1 and optionally in the future OpenTelemetry tracing

Move to use kubesec v2 as a library (not just sending requests to the hosted v2 api)

The documentation around this project is a bit out of date and needs updating and further fleshing out

Post to Slack the scan result including Kubesec advice using the same format as the kubectl plugin

Hi, nice work :)

It would be nice to have a matchLabel to ignore a deployment