PodSecurity: simplify pki setup

This commit is contained in:
Jordan Liggitt 2021-10-27 12:53:30 -04:00
parent 0be8280faa
commit a356c32797
6 changed files with 70 additions and 27 deletions


@ -1,2 +1,5 @@
# Webhook binary # Webhook binary
pod-security-webhook pod-security-webhook
# Directory containing pki files
pki/


@ -43,10 +43,24 @@ container: build
-t $(IMAGE):$(TAG) . -t $(IMAGE):$(TAG) .
@echo Done! @echo Done!
# Creates a CA and serving certificate valid for webhook.pod-security-webhook.svc
certs:
rm -fr pki
mkdir -p pki
openssl genrsa -out pki/ca.key 2048
openssl req -new -x509 -days 3650 -key pki/ca.key -subj "/CN=pod-security-webhook-ca-$(date +%s)" -out pki/ca.crt
openssl req -newkey rsa:2048 -nodes -keyout pki/tls.key -subj "/CN=webhook.pod-security-webhook.svc" -out pki/tls.csr
echo "subjectAltName=DNS:webhook.pod-security-webhook.svc" > pki/extensions.txt
echo "extendedKeyUsage=serverAuth" >> pki/extensions.txt
openssl x509 -req -extfile pki/extensions.txt -days 730 -in pki/tls.csr -CA pki/ca.crt -CAkey pki/ca.key -CAcreateserial -out pki/tls.crt
# Publishes the PodSecurity webhook Docker image to the configured registry. # Publishes the PodSecurity webhook Docker image to the configured registry.
push: push:
@docker push $(IMAGE):$(TAG) @docker push $(IMAGE):$(TAG)
# Removes Pod Security Webhook artifacts. # Removes Pod Security Webhook artifacts.
clean: clean:
rm $(EXECUTABLE) rm -f $(EXECUTABLE)
rm -fr pki
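Review bot: In the `certs` recipe, `$(date +%s)` in the CA subject is expanded by Make rather than the shell (Make reads it as a reference to an undefined variable named `date +%s`), so it expands to nothing and every generated CA gets the constant CN `pod-security-webhook-ca-`; write it as `-subj "/CN=pod-security-webhook-ca-$$(date +%s)"` so the timestamp actually reaches openssl. That uniqueness is the only thing distinguishing a regenerated CA from the previous one, since the recipe deletes and recreates `pki` unconditionally. The recipe also does not set permissions on `pki/ca.key` or `pki/tls.key`; unless the installed openssl restricts private-key output to 0600 on its own, a leading `umask 077 &&` on the key-generating lines (or a `chmod 600 pki/*.key` at the end) keeps the keys from being readable by other local users. `certs` produces files but is not itself a file, so it belongs in the Makefile's `.PHONY` list if there is one (that list is outside this hunk).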


@ -10,30 +10,19 @@ The webhook is available as a Docker image that lives within the SIG-Auth contai
### Configuring the Webhook Certificate ### Configuring the Webhook Certificate
You will need to provide a cert-key pair to serve the webhook securely. See the [Kubernetes documentation on certificates](https://kubernetes.io/docs/tasks/administer-cluster/certificates/#cfssl) for instructions on generating these files. Run `make certs` to generate a CA and serving certificate valid for `https://webhook.pod-security-webhook.svc`.
```bash
export CERT_PATH="..."
export KEY_PATH="..."
kubectl create secret tls pod-security-webhook -n pod-security-webhook \
--cert=$CERT_PATH \
--key=$KEY_PATH
```
### Deploying the Webhook ### Deploying the Webhook
Apply the manifests to install the webhook in your cluster: Apply the manifests to install the webhook in your cluster:
```bash ```bash
kubectl apply -f manifests kubectl apply -k .
``` ```
Optionally, override the default configuration with [Kustomize](https://kustomize.io): This applies the manifests in the `manifests` subdirectory,
creates a secret containing the serving certificate,
```bash and injects the CA bundle to the validating webhook.
kustomize build $OVERLAY_DIRECTORY
```
### Configuring the Webhook ### Configuring the Webhook


@ -1,9 +1,33 @@
resources: # include the manifests
- manifests/10-namespace.yaml bases:
- manifests/20-configmap.yaml - ./manifests
- manifests/20-serviceaccount.yaml
- manifests/30-clusterrole.yaml # generate the secret
- manifests/40-clusterrolebinding.yaml # this depends on pki files, which can be created (or regenerated) with `make certs`
- manifests/50-deployment.yaml secretGenerator:
- manifests/60-service.yaml - name: pod-security-webhook
- manifests/70-validatingwebhookconfiguration.yaml namespace: pod-security-webhook
type: kubernetes.io/tls
options:
disableNameSuffixHash: true
files:
- pki/ca.crt
- pki/tls.crt
- pki/tls.key
# inject the CA into the validating webhook
replacements:
- source:
kind: Secret
name: pod-security-webhook
namespace: pod-security-webhook
fieldPath: data.ca\.crt
targets:
- select:
kind: ValidatingWebhookConfiguration
name: pod-security-webhook.kubernetes.io
fieldPaths:
- webhooks.0.clientConfig.caBundle
- webhooks.1.clientConfig.caBundle
options:
create: true
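Review bot: `bases:` at the top of the new file is a deprecated kustomize field; the current spelling is `resources:` with the same `- ./manifests` entry, and using it avoids the deprecation warning newer kustomize versions emit. The `replacements` transformer is comparatively recent and is absent from the kustomize bundled with older kubectl releases, so the README's `kubectl apply -k .` instruction should state a minimum kubectl/kustomize version (I have not verified the exact cut-off). The `fieldPath: data.ca\.crt` source deserves a comment, since it is not obvious why `data` rather than `stringData` is the right source: `# data.ca\.crt is base64-encoded, which is exactly the encoding caBundle expects`. With `disableNameSuffixHash: true` a regenerated secret is updated in place rather than renamed, so unlike the hashed default it does not trigger a Deployment rollout; if the webhook server does not reload its serving certificate at runtime, that caveat belongs next to the `make certs` comment.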


@ -24,6 +24,8 @@ webhooks:
- pods - pods
- pods/ephemeralcontainers - pods/ephemeralcontainers
clientConfig: clientConfig:
# Populate with the CA for the serving certificate
caBundle: ""
service: service:
namespace: "pod-security-webhook" namespace: "pod-security-webhook"
name: "webhook" name: "webhook"
@ -62,6 +64,8 @@ webhooks:
- cronjobs - cronjobs
- jobs - jobs
clientConfig: clientConfig:
# Populate with the CA for the serving certificate
caBundle: ""
service: service:
namespace: "pod-security-webhook" namespace: "pod-security-webhook"
name: "webhook" name: "webhook"
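Review bot: The two added `caBundle: ""` placeholders (both clientConfig blocks in this file) are only populated when the top-level kustomization's replacement runs, and the added comment does not say so; applying the `manifests` base on its own yields a webhook with an empty caBundle, in which case the apiserver validates the serving certificate against its own system trust roots and the self-signed certificate from `make certs` is rejected. Suggest making the comment explicit in both places: `# Filled in by the top-level kustomization from the pod-security-webhook secret's ca.crt; if left empty the apiserver falls back to its system trust roots and will not trust the self-signed serving cert`. The hunks do not show the webhook's failurePolicy, so whether a failed TLS handshake blocks or ignores admission requests cannot be read from this change.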


@ -0,0 +1,9 @@
resources:
- 10-namespace.yaml
- 20-configmap.yaml
- 20-serviceaccount.yaml
- 30-clusterrole.yaml
- 40-clusterrolebinding.yaml
- 50-deployment.yaml
- 60-service.yaml
- 70-validatingwebhookconfiguration.yaml