PodSecurity: simplify pki setup

2025-07-23 11:50:44 +00:00 · 2021-10-27 12:53:30 -04:00 · 2021-10-27 12:53:30 -04:00 · a356c32797
commit a356c32797
parent 0be8280faa
6 changed files with 70 additions and 27 deletions
--- a/staging/src/k8s.io/pod-security-admission/.gitignore
+++ b/staging/src/k8s.io/pod-security-admission/.gitignore
@ -1,2 +1,5 @@
 # Webhook binary
-pod-security-webhook
+pod-security-webhook
+
+# Directory containing pki files
+pki/
--- a/staging/src/k8s.io/pod-security-admission/webhook/Makefile
+++ b/staging/src/k8s.io/pod-security-admission/webhook/Makefile
@ -43,10 +43,24 @@ container: build
 		-t $(IMAGE):$(TAG) .
 	@echo Done!

+# Creates a CA and serving certificate valid for webhook.pod-security-webhook.svc
+certs:
+	rm -fr pki
+	mkdir -p pki
+	openssl genrsa -out pki/ca.key 2048
+	openssl req -new -x509 -days 3650 -key pki/ca.key -subj "/CN=pod-security-webhook-ca-$(date +%s)" -out pki/ca.crt
+
+	openssl req -newkey rsa:2048 -nodes -keyout pki/tls.key -subj "/CN=webhook.pod-security-webhook.svc" -out pki/tls.csr
+
+	echo "subjectAltName=DNS:webhook.pod-security-webhook.svc" > pki/extensions.txt
+	echo "extendedKeyUsage=serverAuth" >> pki/extensions.txt
+	openssl x509 -req -extfile pki/extensions.txt -days 730 -in pki/tls.csr -CA pki/ca.crt -CAkey pki/ca.key -CAcreateserial -out pki/tls.crt
+
 # Publishes the PodSecurity webhook Docker image to the configured registry.
 push:
 	@docker push $(IMAGE):$(TAG)

 # Removes Pod Security Webhook artifacts.
 clean:
-	rm $(EXECUTABLE)
+	rm -f $(EXECUTABLE)
+	rm -fr pki
--- a/staging/src/k8s.io/pod-security-admission/webhook/README.md
+++ b/staging/src/k8s.io/pod-security-admission/webhook/README.md
@ -10,30 +10,19 @@ The webhook is available as a Docker image that lives within the SIG-Auth contai

 ### Configuring the Webhook Certificate

-You will need to provide a cert-key pair to serve the webhook securely. See the [Kubernetes documentation on certificates](https://kubernetes.io/docs/tasks/administer-cluster/certificates/#cfssl) for instructions on generating these files.
-
-```bash
-export CERT_PATH="..."
-export KEY_PATH="..."
-
-kubectl create secret tls pod-security-webhook -n pod-security-webhook \
-  --cert=$CERT_PATH \
-  --key=$KEY_PATH
-```
+Run `make certs` to generate a CA and serving certificate valid for `https://webhook.pod-security-webhook.svc`.

 ### Deploying the Webhook

 Apply the manifests to install the webhook in your cluster:

 ```bash
-kubectl apply -f manifests
+kubectl apply -k .
 ```

-Optionally, override the default configuration with [Kustomize](https://kustomize.io):
-
-```bash
-kustomize build $OVERLAY_DIRECTORY
-```
+This applies the manifests in the `manifests` subdirectory,
+creates a secret containing the serving certificate,
+and injects the CA bundle to the validating webhook.

 ### Configuring the Webhook

--- a/staging/src/k8s.io/pod-security-admission/webhook/kustomization.yaml
+++ b/staging/src/k8s.io/pod-security-admission/webhook/kustomization.yaml
@ -1,9 +1,33 @@
-resources:
- manifests/10-namespace.yaml
- manifests/20-configmap.yaml
- manifests/20-serviceaccount.yaml
- manifests/30-clusterrole.yaml
- manifests/40-clusterrolebinding.yaml
- manifests/50-deployment.yaml
- manifests/60-service.yaml
- manifests/70-validatingwebhookconfiguration.yaml
+# include the manifests
+bases:
+- ./manifests
+
+# generate the secret
+# this depends on pki files, which can be created (or regenerated) with `make certs`
+secretGenerator:
+- name: pod-security-webhook
+  namespace: pod-security-webhook
+  type: kubernetes.io/tls
+  options:
+    disableNameSuffixHash: true
+  files:
+  - pki/ca.crt
+  - pki/tls.crt
+  - pki/tls.key
+
+# inject the CA into the validating webhook
+replacements:
+- source:
+    kind: Secret
+    name: pod-security-webhook
+    namespace: pod-security-webhook
+    fieldPath: data.ca\.crt
+  targets:
+  - select:
+      kind: ValidatingWebhookConfiguration
+      name: pod-security-webhook.kubernetes.io
+    fieldPaths:
+     - webhooks.0.clientConfig.caBundle
+     - webhooks.1.clientConfig.caBundle
+    options:
+      create: true
--- a/staging/src/k8s.io/pod-security-admission/webhook/manifests/70-validatingwebhookconfiguration.yaml
+++ b/staging/src/k8s.io/pod-security-admission/webhook/manifests/70-validatingwebhookconfiguration.yaml
@ -24,6 +24,8 @@ webhooks:
          - pods
          - pods/ephemeralcontainers
    clientConfig:
+      # Populate with the CA for the serving certificate
+      caBundle: ""
      service:
        namespace: "pod-security-webhook"
        name: "webhook"
@ -62,6 +64,8 @@ webhooks:
          - cronjobs
          - jobs
    clientConfig:
+      # Populate with the CA for the serving certificate
+      caBundle: ""
      service:
        namespace: "pod-security-webhook"
        name: "webhook"
--- a/staging/src/k8s.io/pod-security-admission/webhook/manifests/kustomization.yaml
+++ b/staging/src/k8s.io/pod-security-admission/webhook/manifests/kustomization.yaml
@ -0,0 +1,9 @@
+resources:
+- 10-namespace.yaml
+- 20-configmap.yaml
+- 20-serviceaccount.yaml
+- 30-clusterrole.yaml
+- 40-clusterrolebinding.yaml
+- 50-deployment.yaml
+- 60-service.yaml
+- 70-validatingwebhookconfiguration.yaml