From 54e25938af5b3cf1078dd9dfaac75258f03bef71 Mon Sep 17 00:00:00 2001 From: plavy Date: Wed, 30 Oct 2024 14:32:06 +0000 Subject: [PATCH 1/3] set webhook scope to Namespaced Signed-off-by: plavy --- cmd/build/helmify/replacements.go | 2 + ...vkmanifest.gatekeeper.sh_gvkmanifests.yaml | 52 +++++++++++++++++++ ...guration-mutatingwebhookconfiguration.yaml | 1 + ...ration-validatingwebhookconfiguration.yaml | 1 + 4 files changed, 56 insertions(+) create mode 100644 config/crd/bases/gvkmanifest.gatekeeper.sh_gvkmanifests.yaml diff --git a/cmd/build/helmify/replacements.go b/cmd/build/helmify/replacements.go index ee18c3bb05c..50ef0503673 100644 --- a/cmd/build/helmify/replacements.go +++ b/cmd/build/helmify/replacements.go @@ -173,6 +173,7 @@ var replacements = map[string]string{ - services/proxy - nodes/proxy - services/status + scope: 'Namespaced' {{- end }}`, "HELMSUBST_MUTATING_WEBHOOK_CLIENT_CONFIG: \"\"": `{{- if .Values.mutatingWebhookURL }} @@ -258,6 +259,7 @@ var replacements = map[string]string{ - 'nodes/proxy' # For constraints that mitigate CVE-2020-8554 - 'services/status' + scope: 'Namespaced' {{- end }}`, "HELMSUBST_MUTATING_WEBHOOK_MATCH_CONDITIONS": `{{ toYaml .Values.mutatingWebhookMatchConditions | nindent 4 }}`, diff --git a/config/crd/bases/gvkmanifest.gatekeeper.sh_gvkmanifests.yaml b/config/crd/bases/gvkmanifest.gatekeeper.sh_gvkmanifests.yaml new file mode 100644 index 00000000000..07e9ee1019f --- /dev/null +++ b/config/crd/bases/gvkmanifest.gatekeeper.sh_gvkmanifests.yaml 
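Review bot: Hard-coding `scope: 'Namespaced'` into the default rule block narrows what the API server sends to the webhook, so cluster-scoped kinds (Namespace, Node, ClusterRole, CustomResourceDefinition, PersistentVolume, and so on) are no longer mutated or validated at admission and any constraint targeting them is silently unenforced at that point; the previous unset scope meant `*`. The second replacements.go hunk (@@ -258) and the two staged templates in this patch (mutating @@ -79, validating @@ -87) make the same change. The next patch in this series replaces the literal with a chart value defaulting to `'*'`, which restores the old behaviour, so it would be better to start from `scope: '*'` here or squash the series so no commit in history ships the narrowed scope. The `{{- if }}`/`{{- else }}` block these rules live in starts outside the hunk.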
@@ -0,0 +1,52 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: gvkmanifests.gvkmanifest.gatekeeper.sh +spec: + group: gvkmanifest.gatekeeper.sh + names: + kind: GVKManifest + listKind: GVKManifestList + plural: gvkmanifests + singular: gvkmanifest + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GVKManifest is the Schema for the GVKManifest API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + groups: + additionalProperties: + additionalProperties: + items: + type: string + type: array + type: object + type: object + type: object + type: object + served: true + storage: true diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml index 6b4821181f1..f4a70cb6b1c 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml 
@@ -79,6 +79,7 @@ webhooks: - services/proxy - nodes/proxy - services/status + scope: 'Namespaced' {{- end }} sideEffects: None timeoutSeconds: {{ .Values.mutatingWebhookTimeoutSeconds }} diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml index d2cdd775a18..85ba7e86004 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml @@ -87,6 +87,7 @@ webhooks: - 'nodes/proxy' # For constraints that mitigate CVE-2020-8554 - 'services/status' + scope: 'Namespaced' {{- end }} sideEffects: None timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }} From 66d8be9116c8c6c454701bc83268070406f883ea Mon Sep 17 00:00:00 2001 From: plavy Date: Wed, 6 Nov 2024 09:59:56 +0100 Subject: [PATCH 2/3] read webhook scope from values Signed-off-by: plavy --- cmd/build/helmify/replacements.go | 4 ++-- cmd/build/helmify/static/values.yaml | 2 ++ ...ng-webhook-configuration-mutatingwebhookconfiguration.yaml | 2 +- ...-webhook-configuration-validatingwebhookconfiguration.yaml | 2 +- manifest_staging/charts/gatekeeper/values.yaml | 2 ++ 5 files changed, 8 insertions(+), 4 deletions(-) diff --git a/cmd/build/helmify/replacements.go b/cmd/build/helmify/replacements.go index 50ef0503673..53e38eab038 100644 --- a/cmd/build/helmify/replacements.go +++ b/cmd/build/helmify/replacements.go @@ -173,7 +173,7 @@ var replacements = map[string]string{ - services/proxy - nodes/proxy - services/status - scope: 'Namespaced' + scope: '{{ .Values.mutatingWebhookScope }}' {{- end }}`, "HELMSUBST_MUTATING_WEBHOOK_CLIENT_CONFIG: \"\"": `{{- if .Values.mutatingWebhookURL }} 
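Review bot: The value is interpolated into single quotes with no default and no validation, so an unset or null `mutatingWebhookScope` renders as `scope: '<nil>'` (Helm prints nil values that way) and any value other than `Cluster`, `Namespaced` or `*` only fails at apply time with an API-server validation error, which is a poor place for a chart user to discover the typo. A safer rendering is `scope: {{ .Values.mutatingWebhookScope | default "*" | quote }}`, and a `{{ fail }}` guard on the allowed set would report the mistake at template time. The same applies to the validating hunk below (@@ -259, `validatingWebhookScope`) and to the two staged templates in this patch. Custom rule sets supplied via the `CustomRules` values presumably bypass this block entirely and must carry their own `scope`, which is worth documenting.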
@@ -259,7 +259,7 @@ var replacements = map[string]string{ - 'nodes/proxy' # For constraints that mitigate CVE-2020-8554 - 'services/status' - scope: 'Namespaced' + scope: '{{ .Values.validatingWebhookScope }}' {{- end }}`, "HELMSUBST_MUTATING_WEBHOOK_MATCH_CONDITIONS": `{{ toYaml .Values.mutatingWebhookMatchConditions | nindent 4 }}`, diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index 7d81f8a7534..09c0fb7cfa7 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml @@ -18,6 +18,7 @@ validatingWebhookMatchConditions: [] validatingWebhookCheckIgnoreFailurePolicy: Fail validatingWebhookCustomRules: {} validatingWebhookURL: null +validatingWebhookScope: '*' enableDeleteOperations: false enableConnectOperations: false enableExternalData: true @@ -34,6 +35,7 @@ mutatingWebhookMatchConditions: [] mutatingWebhookTimeoutSeconds: 1 mutatingWebhookCustomRules: {} mutatingWebhookURL: null +mutatingWebhookScope: '*' mutationAnnotations: false auditChunkSize: 500 logLevel: INFO diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml index f4a70cb6b1c..e1f08cc78c4 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml @@ -79,7 +79,7 @@ webhooks: - services/proxy - nodes/proxy - services/status - scope: 'Namespaced' + scope: '{{ .Values.mutatingWebhookScope }}' {{- end }} sideEffects: None timeoutSeconds: {{ .Values.mutatingWebhookTimeoutSeconds }} 
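Review bot: The new `validatingWebhookScope: '*'` and `mutatingWebhookScope: '*'` keys in the static values file are added without a comment and, as far as this series shows, without an entry in the chart README's parameter table. Because the allowed values are `Cluster`, `Namespaced` and `*`, and choosing `Namespaced` removes admission enforcement for cluster-scoped kinds, that trade-off should be stated where operators read it, e.g. `# Scope of resources sent to the validating webhook: '*' (default), 'Cluster' or 'Namespaced'. With 'Namespaced', cluster-scoped kinds (Namespace, Node, ClusterRole, ...) are not validated at admission.` The same applies to the second hunk here (@@ -34, `mutatingWebhookScope`) and to both hunks of manifest_staging/charts/gatekeeper/values.yaml in this patch.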
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml index 85ba7e86004..423de6b559b 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml @@ -87,7 +87,7 @@ webhooks: - 'nodes/proxy' # For constraints that mitigate CVE-2020-8554 - 'services/status' - scope: 'Namespaced' + scope: '{{ .Values.validatingWebhookScope }}' {{- end }} sideEffects: None timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }} diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml index 7d81f8a7534..09c0fb7cfa7 100644 --- a/manifest_staging/charts/gatekeeper/values.yaml +++ b/manifest_staging/charts/gatekeeper/values.yaml @@ -18,6 +18,7 @@ validatingWebhookMatchConditions: [] validatingWebhookCheckIgnoreFailurePolicy: Fail validatingWebhookCustomRules: {} validatingWebhookURL: null +validatingWebhookScope: '*' enableDeleteOperations: false enableConnectOperations: false enableExternalData: true @@ -34,6 +35,7 @@ mutatingWebhookMatchConditions: [] mutatingWebhookTimeoutSeconds: 1 mutatingWebhookCustomRules: {} mutatingWebhookURL: null +mutatingWebhookScope: '*' mutationAnnotations: false auditChunkSize: 500 logLevel: INFO From c237bd5c35fd0e742ed999a9c6239c1b6a98af1e Mon Sep 17 00:00:00 2001 From: "tin.plavec" Date: Wed, 6 Nov 2024 10:13:59 +0100 Subject: [PATCH 3/3] rm unwanted file Signed-off-by: tin.plavec --- ...vkmanifest.gatekeeper.sh_gvkmanifests.yaml | 52 ------------------- 1 file changed, 52 deletions(-) delete mode 100644 config/crd/bases/gvkmanifest.gatekeeper.sh_gvkmanifests.yaml 
diff --git a/config/crd/bases/gvkmanifest.gatekeeper.sh_gvkmanifests.yaml b/config/crd/bases/gvkmanifest.gatekeeper.sh_gvkmanifests.yaml deleted file mode 100644 index 07e9ee1019f..00000000000 --- a/config/crd/bases/gvkmanifest.gatekeeper.sh_gvkmanifests.yaml +++ /dev/null @@ -1,52 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: gvkmanifests.gvkmanifest.gatekeeper.sh -spec: - group: gvkmanifest.gatekeeper.sh - names: - kind: GVKManifest - listKind: GVKManifestList - plural: gvkmanifests - singular: gvkmanifest - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GVKManifest is the Schema for the GVKManifest API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - groups: - additionalProperties: - additionalProperties: - items: - type: string - type: array - type: object - type: object - type: object - type: object - served: true - storage: true