PodSecurity webhook image

staging/src/k8s.io/pod-security-admission/.gitignore

@@ -0,0 +1,2 @@
+# Webhook binary
+pod-security-webhook

staging/src/k8s.io/pod-security-admission/webhook/Dockerfile

@@ -0,0 +1,19 @@
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/distroless/static:latest
+
+COPY pod-security-webhook /pod-security-webhook
+
+ENTRYPOINT [ "/pod-security-webhook" ]

staging/src/k8s.io/pod-security-admission/webhook/Makefile

@@ -0,0 +1,49 @@
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+.PHONY: build container push clean
+
+ENTRYPOINT = "../cmd/webhook/webhook.go"
+EXECUTABLE = "pod-security-webhook"
+
+IMAGE_DOCKERFILE = "Dockerfile"
+REGISTRY ?= "gcr.io/k8s-staging-sig-auth"
+IMAGE ?= "$(REGISTRY)/pod-security-webhook"
+TAG ?= "latest"
+
+OS ?= linux
+ARCH ?= amd64
+
+# Builds the PodSecurity webhook binary.
+build:
+	@echo Building PodSecurity webhook...
+	@GOOS=$(OS) GOARCH=$(ARCH) CGO_ENABLED=0 \
+		go build -o $(EXECUTABLE) $(ENTRYPOINT)
+	@echo Done!
+
+# Builds the PodSecurity webhook Docker image.
+container: build
+	@echo Building PodSecurity webhook image...
+	@docker build \
+		-f $(IMAGE_DOCKERFILE) \
+		-t $(IMAGE):$(TAG) .
+	@echo Done!
+
+# Publishes the PodSecurity webhook Docker image to the configured registry.
+push:
+	@docker push $(IMAGE):$(TAG)
+
+# Removes Pod Security Webhook artifacts.
+clean:
+	rm $(EXECUTABLE)

staging/src/k8s.io/pod-security-admission/webhook/README.md

@@ -0,0 +1,44 @@
+# Pod Security Admission Webhook
+
+This directory contains files for a _Validating Admission Webhook_ that checks for conformance to the Pod Security Standards. It is built with the same Go package as the [Pod Security Admission Controller](https://kubernetes.io/docs/concepts/security/pod-security-admission/). The webhook is suitable for environments where the built-in PodSecurity admission controller cannot be used.
+
+For more information, see the [Dynamic Admission Control](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) documentation on the Kubernetes website.
+
+## Getting Started
+
+The webhook is available as a Docker image that lives within the SIG-Auth container registry. In addition to the `Dockerfile` for the webhook, this directory also contains sample Kubernetes manifests that can be used to deploy the webhook to a Kubernetes cluster.
+
+### Configuring the Webhook Certificate
+
+You will need to provide a cert-key pair to serve the webhook securely. See the [Kubernetes documentation on certificates](https://kubernetes.io/docs/tasks/administer-cluster/certificates/#cfssl) for instructions on generating these files.
+
+```bash
+export CERT_PATH="..."
+export KEY_PATH="..."
+
+kubectl create secret tls pod-security-webhook -n pod-security-webhook \
+  --cert=$CERT_PATH \
+  --key=$KEY_PATH
+```
+
+### Deploying the Webhook
+
+Apply the manifests to install the webhook in your cluster:
+
+```bash
+kubectl apply -f manifests
+```
+
+Optionally, override the default configuration with [Kustomize](https://kustomize.io):
+
+```bash
+kustomize build $OVERLAY_DIRECTORY
+```
+
+### Configuring the Webhook
+
+Similar to the Pod Security Admission Controller, the webhook requires a configuration file to determine how incoming resources are validated. For real-world deployments, we highly recommend reviewing our [documentation on selecting appropriate policy levels](https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/#steps).
+
+## Contributing
+
+Please see the [contributing guidelines](../CONTRIBUTING.md) in the parent directory for general information about contributing to this project.

staging/src/k8s.io/pod-security-admission/webhook/kustomization.yaml

@@ -0,0 +1,9 @@
+resources:
+- manifests/10-namespace.yaml
+- manifests/20-configmap.yaml
+- manifests/20-serviceaccount.yaml
+- manifests/30-clusterrole.yaml
+- manifests/40-clusterrolebinding.yaml
+- manifests/50-deployment.yaml
+- manifests/60-service.yaml
+- manifests/70-validatingwebhookconfiguration.yaml

staging/src/k8s.io/pod-security-admission/webhook/manifests/10-namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: pod-security-webhook

staging/src/k8s.io/pod-security-admission/webhook/manifests/20-configmap.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pod-security-webhook
+  namespace: pod-security-webhook
+data:
+  podsecurityconfiguration.yaml: |
+    apiVersion: pod-security.admission.config.k8s.io/v1alpha1
+    kind: PodSecurityConfiguration
+    # Defaults applied when a mode label is not set.
+    #
+    # Level label values must be one of:
+    # - "privileged" (default)
+    # - "baseline"
+    # - "restricted"
+    #
+    # Version label values must be one of:
+    # - "latest" (default) 
+    # - specific version like "v1.22"
+    defaults:
+      enforce: "privileged"
+      enforce-version: "latest"
+      audit: "privileged"
+      audit-version: "latest"
+      warn: "privileged"
+      warn-version: "latest"
+    exemptions:
+      # Array of authenticated usernames to exempt.
+      usernames: []
+      # Array of runtime class names to exempt.
+      runtimeClasses: []
+      # Array of namespaces to exempt.
+      namespaces: []

staging/src/k8s.io/pod-security-admission/webhook/manifests/20-serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pod-security-webhook
+  namespace: pod-security-webhook

staging/src/k8s.io/pod-security-admission/webhook/manifests/30-clusterrole.yaml

@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pod-security-webhook
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "namespaces"]
+    verbs: ["get", "watch", "list"]

staging/src/k8s.io/pod-security-admission/webhook/manifests/40-clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: pod-security-webhook
+subjects:
+  - kind: ServiceAccount
+    name: pod-security-webhook
+    namespace: pod-security-webhook
+roleRef:
+  kind: ClusterRole
+  name: pod-security-webhook
+  apiGroup: rbac.authorization.k8s.io

staging/src/k8s.io/pod-security-admission/webhook/manifests/50-deployment.yaml

@@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pod-security-webhook
+  namespace: pod-security-webhook
+  labels:
+    app: pod-security-webhook
+spec:
+  selector:
+    matchLabels:
+      app: pod-security-webhook
+  template:
+    metadata:
+      labels:
+        app: pod-security-webhook
+    spec:
+      serviceAccountName: pod-security-webhook
+      priorityClassName: system-cluster-critical
+      volumes:
+        - name: config
+          configMap:
+            name: pod-security-webhook
+        - name: pki
+          secret:
+            secretName: pod-security-webhook
+      containers:
+        - name: pod-security-webhook
+          image: k8s.gcr.io/sig-auth/pod-security-webhook:v1.22-alpha.0
+          terminationMessagePolicy: FallbackToLogsOnError
+          ports:
+            - containerPort: 8443
+          args:
+            [
+              "--config",
+              "/etc/config/podsecurityconfiguration.yaml",
+              "--tls-cert-file",
+              "/etc/pki/tls.crt",
+              "--tls-private-key-file",
+              "/etc/pki/tls.key",
+              "--secure-port",
+              "8443",
+            ]
+          resources:
+            requests:
+              cpu: 100m
+            limits:
+              cpu: 500m
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            runAsNonRoot: true
+            runAsUser: 1000
+            seccompProfile:
+              type: RuntimeDefault
+          volumeMounts:
+            - name: config
+              mountPath: "/etc/config"
+              readOnly: true
+            - name: pki
+              mountPath: "/etc/pki"
+              readOnly: true

staging/src/k8s.io/pod-security-admission/webhook/manifests/60-service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: webhook
+  namespace: pod-security-webhook
+  labels:
+    app: pod-security-webhook
+spec:
+  ports:
+    - port: 443
+      targetPort: 8443
+      protocol: TCP
+      name: https
+  selector:
+    app: pod-security-webhook

staging/src/k8s.io/pod-security-admission/webhook/manifests/70-validatingwebhookconfiguration.yaml

@@ -0,0 +1,70 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: "pod-security-webhook.kubernetes.io"
+webhooks:
+  # Audit annotations will be prefixed with this name
+  - name: "pod-security-webhook.kubernetes.io"
+    # Fail-closed admission webhooks can present operational challenges.
+    # You may want to consider using a failure policy of Ignore, but should 
+    # consider the security tradeoffs.
+    failurePolicy: Fail
+    namespaceSelector:
+      # Exempt the webhook itself to avoid a circular dependency.
+      matchExpressions:
+        - key: kubernetes.io/metadata.name
+          operator: NotIn
+          values: ["pod-security-webhook"]
+    rules:
+      - apiGroups: [""]
+        apiVersions: ["v1"]
+        operations: ["CREATE", "UPDATE"]
+        resources:
+          - namespaces
+          - pods
+          - pods/ephemeralcontainers
+    clientConfig:
+      service:
+        namespace: "pod-security-webhook"
+        name: "webhook"
+    admissionReviewVersions: ["v1"]
+    sideEffects: None
+    timeoutSeconds: 5
+
+  # Audit annotations will be prefixed with this name
+  - name: "advisory.pod-security-webhook.kubernetes.io"
+    # Non-enforcing resources can safely fail-open.
+    failurePolicy: Ignore
+    namespaceSelector:
+      matchExpressions:
+        - key: kubernetes.io/metadata.name
+          operator: NotIn
+          values: ["pod-security-webhook"]
+    rules:
+      - apiGroups: [""]
+        apiVersions: ["v1"]
+        operations: ["CREATE", "UPDATE"]
+        resources:
+          - podtemplates
+          - replicationcontrollers
+      - apiGroups: ["apps"]
+        apiVersions: ["v1"]
+        operations: ["CREATE", "UPDATE"]
+        resources:
+          - daemonsets
+          - deployments
+          - replicasets
+          - statefulsets
+      - apiGroups: ["batch"]
+        apiVersions: ["v1"]
+        operations: ["CREATE", "UPDATE"]
+        resources:
+          - cronjobs
+          - jobs
+    clientConfig:
+      service:
+        namespace: "pod-security-webhook"
+        name: "webhook"
+    admissionReviewVersions: ["v1"]
+    sideEffects: None
+    timeoutSeconds: 5