PodSecurity: simplify pki setup

Jordan Liggitt 2021-10-27 12:53:30 -04:00
parent 0be8280faa
commit a356c32797
6 changed files with 70 additions and 27 deletions


@ -1,2 +1,5 @@
# Webhook binary
pod-security-webhook
pod-security-webhook
# Directory containing pki files
pki/


@ -43,10 +43,24 @@ container: build
-t $(IMAGE):$(TAG) .
@echo Done!
# Creates a CA and serving certificate valid for webhook.pod-security-webhook.svc
certs:
rm -fr pki
mkdir -p pki
openssl genrsa -out pki/ca.key 2048
openssl req -new -x509 -days 3650 -key pki/ca.key -subj "/CN=pod-security-webhook-ca-$(date +%s)" -out pki/ca.crt
openssl req -newkey rsa:2048 -nodes -keyout pki/tls.key -subj "/CN=webhook.pod-security-webhook.svc" -out pki/tls.csr
echo "subjectAltName=DNS:webhook.pod-security-webhook.svc" > pki/extensions.txt
echo "extendedKeyUsage=serverAuth" >> pki/extensions.txt
openssl x509 -req -extfile pki/extensions.txt -days 730 -in pki/tls.csr -CA pki/ca.crt -CAkey pki/ca.key -CAcreateserial -out pki/tls.crt
# Publishes the PodSecurity webhook Docker image to the configured registry.
push:
@docker push $(IMAGE):$(TAG)
# Removes Pod Security Webhook artifacts.
clean:
rm $(EXECUTABLE)
rm -f $(EXECUTABLE)
rm -fr pki
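Review bot: `$(date +%s)` in the CA subject on the `openssl req -new -x509` line is expanded by Make, not by the shell — Make treats `date +%s` as an undefined variable and substitutes nothing, so the CA CN becomes `pod-security-webhook-ca-` with no timestamp suffix; it should be `$$(date +%s)` so the literal `$(…)` reaches the shell. Because the recipe opens with `rm -fr pki`, every `make certs` run replaces the CA and the serving key at once, so the Secret and the injected caBundle must be re-applied together (`kubectl apply -k .`) before the API server can verify the webhook again — worth a line in the target's comment. `certs` names a command rather than a file and belongs in `.PHONY` if the file's declaration (outside this hunk) does not already list it. The key files are created with whatever the caller's umask allows, presumably world-readable by default; a trailing `chmod 600 pki/ca.key pki/tls.key` would keep the private keys restricted.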


@ -10,30 +10,19 @@ The webhook is available as a Docker image that lives within the SIG-Auth contai
### Configuring the Webhook Certificate
You will need to provide a cert-key pair to serve the webhook securely. See the [Kubernetes documentation on certificates](https://kubernetes.io/docs/tasks/administer-cluster/certificates/#cfssl) for instructions on generating these files.
```bash
export CERT_PATH="..."
export KEY_PATH="..."
kubectl create secret tls pod-security-webhook -n pod-security-webhook \
--cert=$CERT_PATH \
--key=$KEY_PATH
```
Run `make certs` to generate a CA and serving certificate valid for `https://webhook.pod-security-webhook.svc`.
### Deploying the Webhook
Apply the manifests to install the webhook in your cluster:
```bash
kubectl apply -f manifests
kubectl apply -k .
```
Optionally, override the default configuration with [Kustomize](https://kustomize.io):
```bash
kustomize build $OVERLAY_DIRECTORY
```
This applies the manifests in the `manifests` subdirectory,
creates a secret containing the serving certificate,
and injects the CA bundle to the validating webhook.
### Configuring the Webhook


@ -1,9 +1,33 @@
resources:
- manifests/10-namespace.yaml
- manifests/20-configmap.yaml
- manifests/20-serviceaccount.yaml
- manifests/30-clusterrole.yaml
- manifests/40-clusterrolebinding.yaml
- manifests/50-deployment.yaml
- manifests/60-service.yaml
- manifests/70-validatingwebhookconfiguration.yaml
# include the manifests
bases:
- ./manifests
# generate the secret
# this depends on pki files, which can be created (or regenerated) with `make certs`
secretGenerator:
- name: pod-security-webhook
namespace: pod-security-webhook
type: kubernetes.io/tls
options:
disableNameSuffixHash: true
files:
- pki/ca.crt
- pki/tls.crt
- pki/tls.key
# inject the CA into the validating webhook
replacements:
- source:
kind: Secret
name: pod-security-webhook
namespace: pod-security-webhook
fieldPath: data.ca\.crt
targets:
- select:
kind: ValidatingWebhookConfiguration
name: pod-security-webhook.kubernetes.io
fieldPaths:
- webhooks.0.clientConfig.caBundle
- webhooks.1.clientConfig.caBundle
options:
create: true
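Review bot: `disableNameSuffixHash: true` keeps the Secret name stable so the Deployment's volume reference resolves, but it also means a key pair regenerated by `make certs` is written into the existing Secret without triggering a rollout of the webhook pods, so the pods presumably keep serving the old certificate until restarted — the comment above `secretGenerator` should say that a restart (or a reload mechanism in the Deployment, outside this page) is required after rotation. The `replacements` block and its `create: true` option depend on a recent kustomize, and the kustomize embedded in older `kubectl` releases may not understand them; recording the minimum version next to the `# inject the CA` comment would save users a confusing apply failure. `bases:` is a deprecated spelling; listing `./manifests` under `resources:` is the current form and works with the same base. Only `pki/ca.crt`, never `ca.key`, goes into the Secret, which is the right boundary.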


@ -24,6 +24,8 @@ webhooks:
- pods
- pods/ephemeralcontainers
clientConfig:
# Populate with the CA for the serving certificate
caBundle: ""
service:
namespace: "pod-security-webhook"
name: "webhook"
@ -62,6 +64,8 @@ webhooks:
- cronjobs
- jobs
clientConfig:
# Populate with the CA for the serving certificate
caBundle: ""
service:
namespace: "pod-security-webhook"
name: "webhook"
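Review bot: The comment added above `caBundle: ""` in both hunks reads as a manual step, but with this commit the value is filled in by the top-level kustomization's `replacements` from the Secret's `ca.crt`; anyone applying `manifests/` directly gets an empty caBundle and the API server has no way to trust the self-signed serving certificate, so the webhook calls fail. Suggested wording for both places: `# Injected from the pod-security-webhook Secret's ca.crt by the top-level kustomization; stays empty if manifests/ is applied on its own`. Whether that failure blocks or allows admission depends on each webhook's failurePolicy, which is outside these hunks.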


@ -0,0 +1,9 @@
resources:
- 10-namespace.yaml
- 20-configmap.yaml
- 20-serviceaccount.yaml
- 30-clusterrole.yaml
- 40-clusterrolebinding.yaml
- 50-deployment.yaml
- 60-service.yaml
- 70-validatingwebhookconfiguration.yaml