PodSecurity: simplify pki setup
This commit is contained in:
parent
0be8280faa
commit
a356c32797
@ -1,2 +1,5 @@
|
||||
# Webhook binary
|
||||
pod-security-webhook
|
||||
pod-security-webhook
|
||||
|
||||
# Directory containing pki files
|
||||
pki/
|
@ -43,10 +43,24 @@ container: build
|
||||
-t $(IMAGE):$(TAG) .
|
||||
@echo Done!
|
||||
|
||||
# Creates a CA and serving certificate valid for webhook.pod-security-webhook.svc
|
||||
certs:
|
||||
rm -fr pki
|
||||
mkdir -p pki
|
||||
openssl genrsa -out pki/ca.key 2048
|
||||
openssl req -new -x509 -days 3650 -key pki/ca.key -subj "/CN=pod-security-webhook-ca-$(date +%s)" -out pki/ca.crt
|
||||
|
||||
openssl req -newkey rsa:2048 -nodes -keyout pki/tls.key -subj "/CN=webhook.pod-security-webhook.svc" -out pki/tls.csr
|
||||
|
||||
echo "subjectAltName=DNS:webhook.pod-security-webhook.svc" > pki/extensions.txt
|
||||
echo "extendedKeyUsage=serverAuth" >> pki/extensions.txt
|
||||
openssl x509 -req -extfile pki/extensions.txt -days 730 -in pki/tls.csr -CA pki/ca.crt -CAkey pki/ca.key -CAcreateserial -out pki/tls.crt
|
||||
|
||||
# Publishes the PodSecurity webhook Docker image to the configured registry.
|
||||
push:
|
||||
@docker push $(IMAGE):$(TAG)
|
||||
|
||||
# Removes Pod Security Webhook artifacts.
|
||||
clean:
|
||||
rm $(EXECUTABLE)
|
||||
rm -f $(EXECUTABLE)
|
||||
rm -fr pki
|
||||
|
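Review bot: In the new `certs` recipe the CA subject is built with `$(date +%s)`, which (as rendered here) Make expands as an empty variable reference before the shell runs, so the CN would be `pod-security-webhook-ca-` with no timestamp; the shell substitution must be escaped, `-subj "/CN=pod-security-webhook-ca-$$(date +%s)"` (if the page merely dropped a `$`, disregard). `certs`, `push` and `clean` name no files, so unless a `.PHONY` line outside this hunk already lists them a stray file called `certs` would make the target look up to date; add `.PHONY: certs push clean`. Because each run discards and regenerates `pki/ca.key` and an unencrypted `pki/tls.key` (`-nodes`), a comment above the target such as `# Re-running replaces the CA; re-apply the kustomization so the Secret and caBundle match` would spare operators a surprise. The rest of the Makefile, including any existing `.PHONY` declaration, is outside the hunk.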
@ -10,30 +10,19 @@ The webhook is available as a Docker image that lives within the SIG-Auth contai
|
||||
|
||||
### Configuring the Webhook Certificate
|
||||
|
||||
You will need to provide a cert-key pair to serve the webhook securely. See the [Kubernetes documentation on certificates](https://kubernetes.io/docs/tasks/administer-cluster/certificates/#cfssl) for instructions on generating these files.
|
||||
|
||||
```bash
|
||||
export CERT_PATH="..."
|
||||
export KEY_PATH="..."
|
||||
|
||||
kubectl create secret tls pod-security-webhook -n pod-security-webhook \
|
||||
--cert=$CERT_PATH \
|
||||
--key=$KEY_PATH
|
||||
```
|
||||
Run `make certs` to generate a CA and serving certificate valid for `https://webhook.pod-security-webhook.svc`.
|
||||
|
||||
### Deploying the Webhook
|
||||
|
||||
Apply the manifests to install the webhook in your cluster:
|
||||
|
||||
```bash
|
||||
kubectl apply -f manifests
|
||||
kubectl apply -k .
|
||||
```
|
||||
|
||||
Optionally, override the default configuration with [Kustomize](https://kustomize.io):
|
||||
|
||||
```bash
|
||||
kustomize build $OVERLAY_DIRECTORY
|
||||
```
|
||||
This applies the manifests in the `manifests` subdirectory,
|
||||
creates a secret containing the serving certificate,
|
||||
and injects the CA bundle to the validating webhook.
|
||||
|
||||
### Configuring the Webhook
|
||||
|
||||
|
@ -1,9 +1,33 @@
|
||||
resources:
|
||||
- manifests/10-namespace.yaml
|
||||
- manifests/20-configmap.yaml
|
||||
- manifests/20-serviceaccount.yaml
|
||||
- manifests/30-clusterrole.yaml
|
||||
- manifests/40-clusterrolebinding.yaml
|
||||
- manifests/50-deployment.yaml
|
||||
- manifests/60-service.yaml
|
||||
- manifests/70-validatingwebhookconfiguration.yaml
|
||||
# include the manifests
|
||||
bases:
|
||||
- ./manifests
|
||||
|
||||
# generate the secret
|
||||
# this depends on pki files, which can be created (or regenerated) with `make certs`
|
||||
secretGenerator:
|
||||
- name: pod-security-webhook
|
||||
namespace: pod-security-webhook
|
||||
type: kubernetes.io/tls
|
||||
options:
|
||||
disableNameSuffixHash: true
|
||||
files:
|
||||
- pki/ca.crt
|
||||
- pki/tls.crt
|
||||
- pki/tls.key
|
||||
|
||||
# inject the CA into the validating webhook
|
||||
replacements:
|
||||
- source:
|
||||
kind: Secret
|
||||
name: pod-security-webhook
|
||||
namespace: pod-security-webhook
|
||||
fieldPath: data.ca\.crt
|
||||
targets:
|
||||
- select:
|
||||
kind: ValidatingWebhookConfiguration
|
||||
name: pod-security-webhook.kubernetes.io
|
||||
fieldPaths:
|
||||
- webhooks.0.clientConfig.caBundle
|
||||
- webhooks.1.clientConfig.caBundle
|
||||
options:
|
||||
create: true
|
||||
|
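Review bot: `bases:` at the top of the new kustomization.yaml is the deprecated form; current kustomize accepts the directory directly under `resources:` (`resources:` / `- ./manifests`), which avoids the deprecation warning and keeps the file on the supported path. The `secretGenerator` picks only `pki/ca.crt`, `pki/tls.crt` and `pki/tls.key` out of a directory that also holds `pki/ca.key`; a comment making that explicit, e.g. `# only the CA cert and serving pair are packaged; pki/ca.key never leaves the build host`, documents the intent and guards against someone later globbing the directory. `disableNameSuffixHash: true` is needed so the `replacements` source can name the Secret, but it also means a rerun of `make certs` plus `kubectl apply -k .` updates the Secret in place without triggering a rollout; worth a note here if the Deployment (not in this view) depends on a restart to pick up new key material.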
@ -24,6 +24,8 @@ webhooks:
|
||||
- pods
|
||||
- pods/ephemeralcontainers
|
||||
clientConfig:
|
||||
# Populate with the CA for the serving certificate
|
||||
caBundle: ""
|
||||
service:
|
||||
namespace: "pod-security-webhook"
|
||||
name: "webhook"
|
||||
@ -62,6 +64,8 @@ webhooks:
|
||||
- cronjobs
|
||||
- jobs
|
||||
clientConfig:
|
||||
# Populate with the CA for the serving certificate
|
||||
caBundle: ""
|
||||
service:
|
||||
namespace: "pod-security-webhook"
|
||||
name: "webhook"
|
||||
|
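Review bot: The `caBundle: ""` placeholder added in both hunks of this file carries the comment `# Populate with the CA for the serving certificate`, which says neither how it gets populated nor what the empty value does: when caBundle is unset the apiserver validates the webhook's serving certificate against its own system trust roots, and the self-signed CA produced by `make certs` is not among them, so calls would fail TLS verification. Suggested comment for both places: `# Base64-encoded CA for the serving certificate; kustomization.yaml fills this from the pod-security-webhook Secret. Left empty, the apiserver falls back to its system trust roots.` The `failurePolicy` that decides what happens on such a failure is outside the hunk.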
@ -0,0 +1,9 @@
|
||||
resources:
|
||||
- 10-namespace.yaml
|
||||
- 20-configmap.yaml
|
||||
- 20-serviceaccount.yaml
|
||||
- 30-clusterrole.yaml
|
||||
- 40-clusterrolebinding.yaml
|
||||
- 50-deployment.yaml
|
||||
- 60-service.yaml
|
||||
- 70-validatingwebhookconfiguration.yaml
|