PodSecurity webhook image
This commit is contained in:
parent
d551560a78
commit
2a4701c2ca
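--- a/staging/src/k8s.io/pod-security-admission/.gitignore
+++ b/staging/src/k8s.io/pod-security-admission/.gitignore
@@ -0,0 +1,2 @@
+# Webhook binary
+pod-security-webhook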
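--- a/staging/src/k8s.io/pod-security-admission/webhook/Dockerfile
+++ b/staging/src/k8s.io/pod-security-admission/webhook/Dockerfile
@@ -0,0 +1,19 @@
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/distroless/static:latest
+
+COPY pod-security-webhook /pod-security-webhook
+
+ENTRYPOINT [ "/pod-security-webhook" ]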
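Review bot: `FROM gcr.io/distroless/static:latest` floats the base image, so two builds of this same commit can pull different root filesystems and any registry-side change to `latest` flows straight into the published webhook image without a code change. Pin the base by digest, `FROM gcr.io/distroless/static:latest@sha256:<digest-placeholder>`, or at least by a versioned tag, and bump it deliberately. The `nonroot` variant of the same base (`gcr.io/distroless/static:nonroot`) would additionally make the image non-root on its own instead of relying solely on the Deployment's `runAsNonRoot`/`runAsUser` settings.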
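--- a/staging/src/k8s.io/pod-security-admission/webhook/Makefile
+++ b/staging/src/k8s.io/pod-security-admission/webhook/Makefile
@@ -0,0 +1,49 @@
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+.PHONY: build container push clean
+
+ENTRYPOINT = "../cmd/webhook/webhook.go"
+EXECUTABLE = "pod-security-webhook"
+
+IMAGE_DOCKERFILE = "Dockerfile"
+REGISTRY ?= "gcr.io/k8s-staging-sig-auth"
+IMAGE ?= "$(REGISTRY)/pod-security-webhook"
+TAG ?= "latest"
+
+OS ?= linux
+ARCH ?= amd64
+
+# Builds the PodSecurity webhook binary.
+build:
+	@echo Building PodSecurity webhook...
+	@GOOS=$(OS) GOARCH=$(ARCH) CGO_ENABLED=0 \
+	go build -o $(EXECUTABLE) $(ENTRYPOINT)
+	@echo Done!
+
+# Builds the PodSecurity webhook Docker image.
+container: build
+	@echo Building PodSecurity webhook image...
+	@docker build \
+	-f $(IMAGE_DOCKERFILE) \
+	-t $(IMAGE):$(TAG) .
+	@echo Done!
+
+# Publishes the PodSecurity webhook Docker image to the configured registry.
+push:
+	@docker push $(IMAGE):$(TAG)
+
+# Removes Pod Security Webhook artifacts.
+clean:
+	rm $(EXECUTABLE)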
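Review bot: `rm $(EXECUTABLE)` in the `clean` recipe has no `-f`, so `make clean` on a tree that was never built, or was already cleaned, exits non-zero; use `$(RM) $(EXECUTABLE)`. The double quotes in `ENTRYPOINT = "../cmd/webhook/webhook.go"`, `EXECUTABLE = "pod-security-webhook"`, `IMAGE ?= "$(REGISTRY)/pod-security-webhook"` and `TAG ?= "latest"` are part of the make values and only vanish because the shell strips them, producing arguments like `"gcr.io/k8s-staging-sig-auth"/pod-security-webhook:"latest"`; drop the quotes from the assignments and quote at the use site instead. `build` is declared `.PHONY` yet its only effect is writing `$(EXECUTABLE)`, so `container: build` always relinks; making the binary file the target would let make skip an up-to-date build.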
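--- a/staging/src/k8s.io/pod-security-admission/webhook/README.md
+++ b/staging/src/k8s.io/pod-security-admission/webhook/README.md
@@ -0,0 +1,44 @@
+# Pod Security Admission Webhook
+
+This directory contains files for a _Validating Admission Webhook_ that checks for conformance to the Pod Security Standards. It is built with the same Go package as the [Pod Security Admission Controller](https://kubernetes.io/docs/concepts/security/pod-security-admission/). The webhook is suitable for environments where the built-in PodSecurity admission controller cannot be used.
+
+For more information, see the [Dynamic Admission Control](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) documentation on the Kubernetes website.
+
+## Getting Started
+
+The webhook is available as a Docker image that lives within the SIG-Auth container registry. In addition to the `Dockerfile` for the webhook, this directory also contains sample Kubernetes manifests that can be used to deploy the webhook to a Kubernetes cluster.
+
+### Configuring the Webhook Certificate
+
+You will need to provide a cert-key pair to serve the webhook securely. See the [Kubernetes documentation on certificates](https://kubernetes.io/docs/tasks/administer-cluster/certificates/#cfssl) for instructions on generating these files.
+
+```bash
+export CERT_PATH="..."
+export KEY_PATH="..."
+
+kubectl create secret tls pod-security-webhook -n pod-security-webhook \
+--cert=$CERT_PATH \
+--key=$KEY_PATH
+```
+
+### Deploying the Webhook
+
+Apply the manifests to install the webhook in your cluster:
+
+```bash
+kubectl apply -f manifests
+```
+
+Optionally, override the default configuration with [Kustomize](https://kustomize.io):
+
+```bash
+kustomize build $OVERLAY_DIRECTORY
+```
+
+### Configuring the Webhook
+
+Similar to the Pod Security Admission Controller, the webhook requires a configuration file to determine how incoming resources are validated. For real-world deployments, we highly recommend reviewing our [documentation on selecting appropriate policy levels](https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/#steps).
+
+## Contributing
+
+Please see the [contributing guidelines](../CONTRIBUTING.md) in the parent directory for general information about contributing to this project.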
@ -0,0 +1,9 @@
|
||||
resources:
|
||||
- manifests/10-namespace.yaml
|
||||
- manifests/20-configmap.yaml
|
||||
- manifests/20-serviceaccount.yaml
|
||||
- manifests/30-clusterrole.yaml
|
||||
- manifests/40-clusterrolebinding.yaml
|
||||
- manifests/50-deployment.yaml
|
||||
- manifests/60-service.yaml
|
||||
- manifests/70-validatingwebhookconfiguration.yaml
|
@ -0,0 +1,4 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: pod-security-webhook
|
@ -0,0 +1,33 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: pod-security-webhook
|
||||
namespace: pod-security-webhook
|
||||
data:
|
||||
podsecurityconfiguration.yaml: |
|
||||
apiVersion: pod-security.admission.config.k8s.io/v1alpha1
|
||||
kind: PodSecurityConfiguration
|
||||
# Defaults applied when a mode label is not set.
|
||||
#
|
||||
# Level label values must be one of:
|
||||
# - "privileged" (default)
|
||||
# - "baseline"
|
||||
# - "restricted"
|
||||
#
|
||||
# Version label values must be one of:
|
||||
# - "latest" (default)
|
||||
# - specific version like "v1.22"
|
||||
defaults:
|
||||
enforce: "privileged"
|
||||
enforce-version: "latest"
|
||||
audit: "privileged"
|
||||
audit-version: "latest"
|
||||
warn: "privileged"
|
||||
warn-version: "latest"
|
||||
exemptions:
|
||||
# Array of authenticated usernames to exempt.
|
||||
usernames: []
|
||||
# Array of runtime class names to exempt.
|
||||
runtimeClasses: []
|
||||
# Array of namespaces to exempt.
|
||||
namespaces: []
|
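Review bot: The sample `defaults` block sets `enforce`, `audit` and `warn` all to `"privileged"`, so a cluster that applies these manifests unchanged gets a webhook that admits every pod in unlabeled namespaces and emits no audit annotations or warnings, since nothing violates the privileged level. The comment `# Defaults applied when a mode label is not set.` should state that plainly, e.g. `# As shipped these defaults admit everything; set audit/warn (and eventually enforce) to "baseline" or "restricted" for real deployments.` The README's pointer to the policy-level documentation does not reach operators who only read the manifest.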
@ -0,0 +1,5 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: pod-security-webhook
|
||||
namespace: pod-security-webhook
|
@ -0,0 +1,8 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: pod-security-webhook
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["pods", "namespaces"]
|
||||
verbs: ["get", "watch", "list"]
|
@ -0,0 +1,12 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: pod-security-webhook
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: pod-security-webhook
|
||||
namespace: pod-security-webhook
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: pod-security-webhook
|
||||
apiGroup: rbac.authorization.k8s.io
|
@ -0,0 +1,63 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: pod-security-webhook
|
||||
namespace: pod-security-webhook
|
||||
labels:
|
||||
app: pod-security-webhook
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: pod-security-webhook
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: pod-security-webhook
|
||||
spec:
|
||||
serviceAccountName: pod-security-webhook
|
||||
priorityClassName: system-cluster-critical
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: pod-security-webhook
|
||||
- name: pki
|
||||
secret:
|
||||
secretName: pod-security-webhook
|
||||
containers:
|
||||
- name: pod-security-webhook
|
||||
image: k8s.gcr.io/sig-auth/pod-security-webhook:v1.22-alpha.0
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
ports:
|
||||
- containerPort: 8443
|
||||
args:
|
||||
[
|
||||
"--config",
|
||||
"/etc/config/podsecurityconfiguration.yaml",
|
||||
"--tls-cert-file",
|
||||
"/etc/pki/tls.crt",
|
||||
"--tls-private-key-file",
|
||||
"/etc/pki/tls.key",
|
||||
"--secure-port",
|
||||
"8443",
|
||||
]
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
limits:
|
||||
cpu: 500m
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: "/etc/config"
|
||||
readOnly: true
|
||||
- name: pki
|
||||
mountPath: "/etc/pki"
|
||||
readOnly: true
|
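Review bot: The container `securityContext` drops all capabilities and runs non-root but does not set `readOnlyRootFilesystem: true`, even though both volume mounts are already `readOnly: true` and the distroless static base image gives the binary nothing it needs to write; add `readOnlyRootFilesystem: true` under `securityContext`. With no `replicas`, no disruption budget and no readiness probe, a single pod restart leaves the `webhook` Service without a ready endpoint while the enforcing ValidatingWebhookConfiguration uses `failurePolicy: Fail`, so pod and namespace writes cluster-wide (outside the exempted namespace) are denied for that window. Consider `replicas: 2`, a PodDisruptionBudget, and a readiness probe against whichever health endpoint the binary serves — confirm the endpoint before adding it.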
@ -0,0 +1,15 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: webhook
|
||||
namespace: pod-security-webhook
|
||||
labels:
|
||||
app: pod-security-webhook
|
||||
spec:
|
||||
ports:
|
||||
- port: 443
|
||||
targetPort: 8443
|
||||
protocol: TCP
|
||||
name: https
|
||||
selector:
|
||||
app: pod-security-webhook
|
@ -0,0 +1,70 @@
|
||||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: ValidatingWebhookConfiguration
|
||||
metadata:
|
||||
name: "pod-security-webhook.kubernetes.io"
|
||||
webhooks:
|
||||
# Audit annotations will be prefixed with this name
|
||||
- name: "pod-security-webhook.kubernetes.io"
|
||||
# Fail-closed admission webhooks can present operational challenges.
|
||||
# You may want to consider using a failure policy of Ignore, but should
|
||||
# consider the security tradeoffs.
|
||||
failurePolicy: Fail
|
||||
namespaceSelector:
|
||||
# Exempt the webhook itself to avoid a circular dependency.
|
||||
matchExpressions:
|
||||
- key: kubernetes.io/metadata.name
|
||||
operator: NotIn
|
||||
values: ["pod-security-webhook"]
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
apiVersions: ["v1"]
|
||||
operations: ["CREATE", "UPDATE"]
|
||||
resources:
|
||||
- namespaces
|
||||
- pods
|
||||
- pods/ephemeralcontainers
|
||||
clientConfig:
|
||||
service:
|
||||
namespace: "pod-security-webhook"
|
||||
name: "webhook"
|
||||
admissionReviewVersions: ["v1"]
|
||||
sideEffects: None
|
||||
timeoutSeconds: 5
|
||||
|
||||
# Audit annotations will be prefixed with this name
|
||||
- name: "advisory.pod-security-webhook.kubernetes.io"
|
||||
# Non-enforcing resources can safely fail-open.
|
||||
failurePolicy: Ignore
|
||||
namespaceSelector:
|
||||
matchExpressions:
|
||||
- key: kubernetes.io/metadata.name
|
||||
operator: NotIn
|
||||
values: ["pod-security-webhook"]
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
apiVersions: ["v1"]
|
||||
operations: ["CREATE", "UPDATE"]
|
||||
resources:
|
||||
- podtemplates
|
||||
- replicationcontrollers
|
||||
- apiGroups: ["apps"]
|
||||
apiVersions: ["v1"]
|
||||
operations: ["CREATE", "UPDATE"]
|
||||
resources:
|
||||
- daemonsets
|
||||
- deployments
|
||||
- replicasets
|
||||
- statefulsets
|
||||
- apiGroups: ["batch"]
|
||||
apiVersions: ["v1"]
|
||||
operations: ["CREATE", "UPDATE"]
|
||||
resources:
|
||||
- cronjobs
|
||||
- jobs
|
||||
clientConfig:
|
||||
service:
|
||||
namespace: "pod-security-webhook"
|
||||
name: "webhook"
|
||||
admissionReviewVersions: ["v1"]
|
||||
sideEffects: None
|
||||
timeoutSeconds: 5
|
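Review bot: Neither `clientConfig.service` entry carries a `caBundle`, so the API server validates the webhook's serving certificate against its own trust roots only; a certificate issued from a locally generated CA, as the README's cfssl link produces, will not chain to those roots, every call fails TLS, and under `failurePolicy: Fail` that denies all pod and namespace writes outside the exempted namespace. Add a comment beside each `clientConfig`, `# caBundle must hold the base64 PEM of the CA that signed the serving cert (see README)`, and either inject it via the kustomize overlay or document the substitution step. The enforcing webhook's `namespaceSelector` exempts only `pod-security-webhook`, so `kube-system` is subject to it as well; if control-plane components run as pods there, a webhook outage blocks their recreation — worth noting next to the existing failure-policy comment.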