From a356c32797bc221aaccf5e907f67dadd1bd61bc6 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Wed, 27 Oct 2021 12:53:30 -0400
Subject: [PATCH] PodSecurity: simplify pki setup
---
 .../k8s.io/pod-security-admission/.gitignore | 5 ++-
 .../pod-security-admission/webhook/Makefile | 16 ++++++-
 .../pod-security-admission/webhook/README.md | 21 +++-------
 .../webhook/kustomization.yaml | 42 +++++++++++++++----
 .../70-validatingwebhookconfiguration.yaml | 4 ++
 .../webhook/manifests/kustomization.yaml | 9 ++++
 6 files changed, 70 insertions(+), 27 deletions(-)
 create mode 100644 staging/src/k8s.io/pod-security-admission/webhook/manifests/kustomization.yaml
diff --git a/staging/src/k8s.io/pod-security-admission/.gitignore b/staging/src/k8s.io/pod-security-admission/.gitignore
index f5c81b02256..ec2ce3d4b0a 100644
--- a/staging/src/k8s.io/pod-security-admission/.gitignore
+++ b/staging/src/k8s.io/pod-security-admission/.gitignore
@@ -1,2 +1,5 @@
 # Webhook binary
-pod-security-webhook
\ No newline at end of file
+pod-security-webhook
+
+# Directory containing pki files
+pki/
\ No newline at end of file
diff --git a/staging/src/k8s.io/pod-security-admission/webhook/Makefile b/staging/src/k8s.io/pod-security-admission/webhook/Makefile
index f7e501fedc4..1e8587343ee 100644
--- a/staging/src/k8s.io/pod-security-admission/webhook/Makefile
+++ b/staging/src/k8s.io/pod-security-admission/webhook/Makefile
@@ -43,10 +43,24 @@ container: build
 -t $(IMAGE):$(TAG) .
 @echo Done!
+# Creates a CA and serving certificate valid for webhook.pod-security-webhook.svc
+certs:
+ rm -fr pki
+ mkdir -p pki
+ openssl genrsa -out pki/ca.key 2048
+ openssl req -new -x509 -days 3650 -key pki/ca.key -subj "/CN=pod-security-webhook-ca-$(date +%s)" -out pki/ca.crt
+
+ openssl req -newkey rsa:2048 -nodes -keyout pki/tls.key -subj "/CN=webhook.pod-security-webhook.svc" -out pki/tls.csr
+
+ echo "subjectAltName=DNS:webhook.pod-security-webhook.svc" > pki/extensions.txt
+ echo "extendedKeyUsage=serverAuth" >> pki/extensions.txt
+ openssl x509 -req -extfile pki/extensions.txt -days 730 -in pki/tls.csr -CA pki/ca.crt -CAkey pki/ca.key -CAcreateserial -out pki/tls.crt
+
 # Publishes the PodSecurity webhook Docker image to the configured registry.
 push:
 @docker push $(IMAGE):$(TAG)
 # Removes Pod Security Webhook artifacts.
 clean:
- rm $(EXECUTABLE)
+ rm -f $(EXECUTABLE)
+ rm -fr pki
diff --git a/staging/src/k8s.io/pod-security-admission/webhook/README.md b/staging/src/k8s.io/pod-security-admission/webhook/README.md
index 063d65ba643..0bed2b98c83 100644
--- a/staging/src/k8s.io/pod-security-admission/webhook/README.md
+++ b/staging/src/k8s.io/pod-security-admission/webhook/README.md
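Review bot: In the `certs` recipe, `$(date +%s)` is expanded by make before the shell ever runs; there is no make variable named `date +%s`, so it expands to nothing and the CA is issued with subject `/CN=pod-security-webhook-ca-` — the timestamp that was meant to keep regenerated CAs distinguishable never appears. Escape it for the shell: `openssl req -new -x509 -days 3650 -key pki/ca.key -subj "/CN=pod-security-webhook-ca-$$(date +%s)" -out pki/ca.crt`. Both private keys (`pki/ca.key`, `pki/tls.key`) are written unencrypted with the caller's default umask, typically group/world-readable; prefixing the key-generating commands with `umask 077;` (or a trailing `chmod 600 pki/*.key`) keeps them owner-only. The serving certificate is issued for 730 days and nothing here says what happens then; a comment such as `# Serving cert is valid for 730 days; re-run 'make certs' and re-apply before expiry, otherwise the API server rejects the webhook's TLS handshake` would save the next operator a surprise.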
@@ -10,30 +10,19 @@ The webhook is available as a Docker image that lives within the SIG-Auth contai
 ### Configuring the Webhook Certificate
-You will need to provide a cert-key pair to serve the webhook securely. See the [Kubernetes documentation on certificates](https://kubernetes.io/docs/tasks/administer-cluster/certificates/#cfssl) for instructions on generating these files.
-
-```bash
-export CERT_PATH="..."
-export KEY_PATH="..."
-
-kubectl create secret tls pod-security-webhook -n pod-security-webhook \
- --cert=$CERT_PATH \
- --key=$KEY_PATH
-```
+Run `make certs` to generate a CA and serving certificate valid for `https://webhook.pod-security-webhook.svc`.
 ### Deploying the Webhook
 Apply the manifests to install the webhook in your cluster:
 ```bash
-kubectl apply -f manifests
+kubectl apply -k .
 ```
-Optionally, override the default configuration with [Kustomize](https://kustomize.io):
-
-```bash
-kustomize build $OVERLAY_DIRECTORY
-```
+This applies the manifests in the `manifests` subdirectory,
+creates a secret containing the serving certificate,
+and injects the CA bundle to the validating webhook.
 ### Configuring the Webhook
diff --git a/staging/src/k8s.io/pod-security-admission/webhook/kustomization.yaml b/staging/src/k8s.io/pod-security-admission/webhook/kustomization.yaml
index 18189bf487f..ac22d13e8ab 100644
--- a/staging/src/k8s.io/pod-security-admission/webhook/kustomization.yaml
+++ b/staging/src/k8s.io/pod-security-admission/webhook/kustomization.yaml
@@ -1,9 +1,33 @@
-resources:
-- manifests/10-namespace.yaml
-- manifests/20-configmap.yaml
-- manifests/20-serviceaccount.yaml
-- manifests/30-clusterrole.yaml
-- manifests/40-clusterrolebinding.yaml
-- manifests/50-deployment.yaml
-- manifests/60-service.yaml
-- manifests/70-validatingwebhookconfiguration.yaml
+# include the manifests
+bases:
+- ./manifests
+
+# generate the secret
+# this depends on pki files, which can be created (or regenerated) with `make certs`
+secretGenerator:
+- name: pod-security-webhook
+ namespace: pod-security-webhook
+ type: kubernetes.io/tls
+ options:
+ disableNameSuffixHash: true
+ files:
+ - pki/ca.crt
+ - pki/tls.crt
+ - pki/tls.key
+
+# inject the CA into the validating webhook
+replacements:
+- source:
+ kind: Secret
+ name: pod-security-webhook
+ namespace: pod-security-webhook
+ fieldPath: data.ca\.crt
+ targets:
+ - select:
+ kind: ValidatingWebhookConfiguration
+ name: pod-security-webhook.kubernetes.io
+ fieldPaths:
+ - webhooks.0.clientConfig.caBundle
+ - webhooks.1.clientConfig.caBundle
+ options:
+ create: true
diff --git a/staging/src/k8s.io/pod-security-admission/webhook/manifests/70-validatingwebhookconfiguration.yaml b/staging/src/k8s.io/pod-security-admission/webhook/manifests/70-validatingwebhookconfiguration.yaml
index 4a1f2aca7e2..c185c26c18e 100644
--- a/staging/src/k8s.io/pod-security-admission/webhook/manifests/70-validatingwebhookconfiguration.yaml
+++ b/staging/src/k8s.io/pod-security-admission/webhook/manifests/70-validatingwebhookconfiguration.yaml
@@ -24,6 +24,8 @@ webhooks:
 - pods
 - pods/ephemeralcontainers
 clientConfig:
+ # Populate with the CA for the serving certificate
+ caBundle: ""
 service:
 namespace: "pod-security-webhook"
 name: "webhook"
@@ -62,6 +64,8 @@ webhooks:
 - cronjobs
 - jobs
 clientConfig:
+ # Populate with the CA for the serving certificate
+ caBundle: ""
 service:
 namespace: "pod-security-webhook"
 name: "webhook"
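Review bot: The replacement addresses the webhooks by position (`webhooks.0`, `webhooks.1`) and `create: true` will materialize the field regardless, so a third webhook added to 70-validatingwebhookconfiguration.yaml later keeps its empty `caBundle`; for a service-based clientConfig the API server then validates the serving certificate against its system trust roots, which the self-signed CA from `make certs` never satisfies, and the outcome is fail-closed or silently unenforced depending on that webhook's failurePolicy (not visible here). Selecting by name survives reordering and additions, e.g. `- webhooks.[name=<webhook name>].clientConfig.caBundle`, or at minimum add `# one fieldPath per webhook in manifests/70-validatingwebhookconfiguration.yaml — keep in sync` above the list. `disableNameSuffixHash: true` also means re-running `make certs` and re-applying rewrites the Secret under the same name, so the Deployment does not roll; unless the server reloads its certificate from disk, a restart is part of rotation and the comment on the generator should say so. `replacements` requires a kustomize that supports it (4.1 or later, if I recall correctly), i.e. a fairly recent kubectl for `kubectl apply -k .`; worth noting since `bases:` alone would still work on older embedded versions.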
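Review bot: The placeholder comment on `caBundle: ""` should state what an empty value does, because `manifests/` is now its own kustomization and can be applied directly without the parent's replacement: with `caBundle` unset the API server validates the webhook's serving certificate against its own system trust roots, and the self-signed certificate produced by `make certs` fails that check. Suggest `# Populated by ../kustomization.yaml from the pod-security-webhook Secret; if left empty the API server uses its system trust roots and the self-signed serving cert is rejected`. The same comment applies to the second hunk (the `cronjobs`/`jobs` webhook). Both webhook entries start and end outside the hunks, so their failurePolicy is not visible here.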
diff --git a/staging/src/k8s.io/pod-security-admission/webhook/manifests/kustomization.yaml b/staging/src/k8s.io/pod-security-admission/webhook/manifests/kustomization.yaml
new file mode 100644
index 00000000000..f637494436e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/webhook/manifests/kustomization.yaml
@@ -0,0 +1,9 @@
+resources:
+- 10-namespace.yaml
+- 20-configmap.yaml
+- 20-serviceaccount.yaml
+- 30-clusterrole.yaml
+- 40-clusterrolebinding.yaml
+- 50-deployment.yaml
+- 60-service.yaml
+- 70-validatingwebhookconfiguration.yaml