Moved cedar webhook to a static pod

Signed-off-by: Micah Hausler <[email protected]>

Makefile

@@ -49,13 +49,17 @@ clean-authz-webhook: ## Tear down and clean up the authorization webhook
 kind: ## Start a kind cluster configured to use the local authorization webhook
 	$(FINCH_FEATURE) kind create cluster --config kind.yaml -v2
 	kubectl apply -f config/crd/bases/cedar.k8s.aws_policies.yaml
-	kubectl apply -f demo/policy.yaml
+	kubectl apply -f demo/authorization-policy.yaml
+	kubectl apply -f demo/admission-policy.yaml
 	# Create a kubeconfig for the authorizing webhoook to communicate with the API server
 	$(CONTAINER_TOOL) exec -it cedar-authz-cluster-control-plane \
 		/bin/sh -c '/usr/bin/kubeadm kubeconfig user \
 		--org system:authorizers \
 		--client-name system:authorizer:cedar-authorizer \
 		--validity-period 744h > /cedar-authorizer/policies/cedar-kubeconfig.yaml'
+	cat manifests/admission-webhook.yaml | \
+		sed -e "s/CA_BUNDLE_CONTENT/$(shell cat mount/certs/cedar-authorizer-server.crt | base64)/" | \
+		kubectl apply -f -
 
 .PHONY: sample-user-kubeconfig
 sample-user-kubeconfig: ## Create a user 'sample-user' in the groups 'sample-group' and 'requires-labels'
@@ -88,7 +92,7 @@ clean-kind: ## Delete the kind cluster and clean up genereated files
 
 .PHONY: admission-webhook
 admission-webhook: ## Install the Cedar validatingwebhookconfiguration
-	cat demo/admission-webhook.yaml | \
+	cat manifests/admission-webhook.yaml | \
 		sed -e "s/CA_BUNDLE_CONTENT/$(shell cat mount/certs/cedar-authorizer-server.crt | base64)/" | \
 		kubectl apply -f -
 

docs/Setup.md

@@ -31,36 +31,51 @@ finch vm start
 
 ## Local Quickstart
 
-1. There is an inherent circular dependency between the webhook and the authorizer. You'll need to first create a default kind cluster to get the kind network created in your VM. This is only necessary the first time you set things up.
-    ```bash
-    KIND_EXPERIMENTAL_PROVIDER=finch kind create cluster --name test1
-    KIND_EXPERIMENTAL_PROVIDER=finch kind delete cluster --name test1
-    # validate the kind network is created
-    finch network ls
-    finch network inspect kind
-    ```
-2. For an optional local build of the binaries, you can run:
+<!--
+Once kind supports easily building node images with additional container images baked in, we'll just switch to that.
+https://github.com/kubernetes-sigs/kind/pull/3634
+
+This will reduce the steps to essentially:
+    make image-build
+    make kind
+
+We'll build the custom image in the `make kind` target like:
+    kind build add-image cedar-webhook:latest --image cedar-kind-node:latest
+    kind create cluster ...
+
+with an edit to kind.yaml to reference our image
+```yaml
+nodes:
+- role: control-plane
+  image: cedar-kind-node:latest
+```
+
+Then we won't rely on the concurrent image loading, and can have kind e2e tests in CI
+ -->
+
+1. For an optional local build of the binaries, you can run:
     ```bash
     make build
     ```
-3. To build the authorizer/admission webhook container locally, run:
+2. Build the authorizer/admission webhook container by running:
     ```bash
     make image-build
     ```
-4. Start the webhook container. For debug output, you can run `finch logs --tail 20 -f cedar-authorizer`. If you modify any server (Go) code, you'll need to be sure and run `make clean-authz-webhook image-build` first.
-    ```bash
-    make authz-webhook-container
-    ```
-5. Start the Kind cluster. This cluster is configured to authorize requests via the webhook
+3. Start the Kind cluster. This cluster is configured to authorize requests via the cedar webhook
    ```bash
-   make kind test-user-kubeconfig
+   make kind
    ```
-6. Create policies. There's an example in `demo/policy.yaml` that is auto-created, but feel free to modify it or create more
+4. While the Kind Kubernetes control plane is coming up, in another terminal you'll need to side-load the cedar container image into the kind cluster. You have about 20 seconds to do this after running `make kind` before the kind cluster will fail. 
+    If you miss the window, just run `make clean-kind` before trying `make kind` again.
+    ```bash
+    make load-webhook-image
+    ```
+5. Create policies. There's an example in `demo/authorization-policy.yaml` that is auto-created, but feel free to modify it or create more
    ```bash
-   # edit demo/policy.yaml
-   kubectl apply -f demo/policy.yaml
+   # edit demo/authorization-policy.yaml
+   kubectl apply -f demo/authorization-policy.yaml
    ```
-7. Now you can make requests! You'll need use the generated kubeconfig `./mount/test-user-kubeconfig.yam` created in step 6. The user has the name `test-user` with the group `test-group`. Your default kubeconfig (`~/.kube/config`) will be auto-configured by kind with a cluster administrator identity, so `kubectl` without specifying a kubeconfig should always just work.
+6. Now you can make requests! You'll need use the generated kubeconfig `./mount/test-user-kubeconfig.yam` created in step 6. The user has the name `test-user` with the group `test-group`. Your default kubeconfig (`~/.kube/config`) will be auto-configured by kind with a cluster administrator identity, so `kubectl` without specifying a kubeconfig should always just work.
     ```bash
     # Lookup the username you are testing
     KUBECONFIG=./mount/test-user-kubeconfig.yaml kubectl auth whoami
@@ -80,13 +95,11 @@ finch vm start
     KUBECONFIG=./mount/test-user-kubeconfig.yaml kubectl get service \
         --as system:serviceaccount:default:service-manager
     ```
-8. To run the validating admission webhook:
+7. Try out admission policies:
     ```bash
     # (Optional) Update the validating webhook API groups/versions/resources you want validated
-    # by edting demo/admission-webhook.yaml
-
-    # Configure the admission webhook
-    make admission-webhook
+    # by edting demo/admission-webhook.yaml and then re-applying the webhook
+    # $ make admission-webhook
 
     # Create sample user in requires-labels group
     make sample-user-kubeconfig
@@ -116,7 +129,7 @@ finch vm start
 
 And for teardown/cleanup:
 ```bash
-make clean-kind clean-authz-webhook
+make clean-kind
 ```
 
 ## Convert RBAC policies

internal/server/handler.go

@@ -143,7 +143,7 @@ func writeResponse(w http.ResponseWriter, requestId string, err error, decision
 		resp.Status.EvaluationError = err.Error()
 	}
 
-	klog.InfoS("Response", "requestId", requestId, "response", resp)
+	klog.InfoS("Response", "requestId", requestId, "decision", authorizationDecisionString(decision), "response", resp)
 
 	if err = json.NewEncoder(w).Encode(resp); err != nil {
 		panic(err)

internal/server/options/options.go

@@ -102,7 +102,9 @@ func NewCedarOptions() *CedarOptions {
 // Config creates a runtime config object from the options (command line flags).
 func (o *AuthorizerOptions) Config() (*config.AuthorizationWebhookConfig, error) {
 	// If we ever need to listen on non-localhost, provide the address here
-	alternateDNS, alternateIPs := []string{}, []net.IP{}
+	alternateDNS, alternateIPs := []string{}, []net.IP{
+		net.ParseIP("127.0.0.1"),
+	}
 	if err := o.SecureServing.MaybeDefaultWithSelfSignedCerts(CedarAuthorizerPublicAddress, alternateDNS, alternateIPs); err != nil {
 		return nil, err
 	}

kind.yaml

@@ -26,3 +26,5 @@ nodes:
   extraMounts:
   - hostPath: "./mount"
     containerPath: "/cedar-authorizer"
+  - hostPath: "./manifests/cedar-webhook.yaml"
+    containerPath: "/etc/kubernetes/manifests/cedar-webhook.yaml"

demo/admission-webhook.yaml → manifests/admission-webhook.yaml

@@ -6,7 +6,7 @@ webhooks:
 - admissionReviewVersions:
   - v1
   clientConfig:
-    url: https://cedar-authorizer:10288/v1/admit
+    url: https://127.0.0.1:10288/v1/admit
     caBundle: CA_BUNDLE_CONTENT
   failurePolicy: Ignore
   name: vpolicy.cedar.k8s.aws

manifests/cedar-webhook.yaml

@@ -0,0 +1,97 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    component: cedar-webhook
+    tier: control-plane
+  name: cedar-webhook
+  namespace: kube-system
+spec:
+  containers:
+  - command:
+    - /cedar-webhook
+    - -v=4
+    image: cedar-webhook:latest
+    imagePullPolicy: IfNotPresent
+    env:
+    - name: KUBECONFIG
+      value: "/cedar-authorizer/policies/cedar-kubeconfig.yaml"
+    livenessProbe:
+      failureThreshold: 8
+      httpGet:
+        path: /healthz
+        port: 10288
+        scheme: HTTPS
+      initialDelaySeconds: 5
+      periodSeconds: 10
+      timeoutSeconds: 15
+    name: cedar-webhook
+    readinessProbe:
+      failureThreshold: 3
+      httpGet:
+        path: /readyz
+        port: 10288
+        scheme: HTTPS
+      periodSeconds: 1
+      timeoutSeconds: 15
+    resources:
+      requests:
+        cpu: 250m
+    startupProbe:
+      failureThreshold: 24
+      httpGet:
+        path: /readyz
+        port: 10288
+        scheme: HTTPS
+      initialDelaySeconds: 5
+      periodSeconds: 10
+      timeoutSeconds: 15
+    volumeMounts:
+    - mountPath: /cedar-authorizer
+      name: api-server-cedar-authorizer-files
+    - mountPath: /etc/ssl/certs
+      name: ca-certs
+      readOnly: true
+    - mountPath: /etc/ca-certificates
+      name: etc-ca-certificates
+      readOnly: true
+    - mountPath: /usr/local/share/ca-certificates
+      name: usr-local-share-ca-certificates
+      readOnly: true
+    - mountPath: /usr/share/ca-certificates
+      name: usr-share-ca-certificates
+      readOnly: true
+    - mountPath: /var/run/cedar-authorizer/certs
+      name: var-run-cedar-authorizer-certs
+  hostNetwork: true
+  priority: 2000001000
+  priorityClassName: system-node-critical
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - hostPath:
+      path: /cedar-authorizer
+      type: ""
+    name: api-server-cedar-authorizer-files
+  - hostPath:
+      path: /etc/ssl/certs
+      type: DirectoryOrCreate
+    name: ca-certs
+  - hostPath:
+      path: /etc/ca-certificates
+      type: DirectoryOrCreate
+    name: etc-ca-certificates
+  - hostPath:
+      path: /usr/local/share/ca-certificates
+      type: DirectoryOrCreate
+    name: usr-local-share-ca-certificates
+  - hostPath:
+      path: /usr/share/ca-certificates
+      type: DirectoryOrCreate
+    name: usr-share-ca-certificates
+  - hostPath:
+      path: /cedar-authorizer/certs
+      type: DirectoryOrCreate
+    name: var-run-cedar-authorizer-certs
+status: {}

mount/authorization-config.yaml

@@ -16,7 +16,7 @@ authorizers:
       failurePolicy: NoOpinion 
       connectionInfo:
         type: KubeConfigFile
-        kubeConfigFile: /cedar-authorizer/webhook.yaml
+        kubeConfigFile: /cedar-authorizer/authorization-webhook.yaml
       matchConditions:
       # don't intercept requests from kube-system service accounts
       - expression: "!('system:serviceaccounts:kube-system' in request.groups)"

mount/webhook.yaml → mount/authorization-webhook.yaml

@@ -4,7 +4,7 @@ clusters:
 - name: cedarwebhook
   cluster:
     certificate-authority: /cedar-authorizer/certs/cedar-authorizer-server.crt
-    server: https://cedar-authorizer:10288/v1/authorize
+    server: https://127.0.0.1:10288/v1/authorize
 users:
 - name: api-server
   user: {}