From 4986780da3770c5351bc649b904888d40a0080b1 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Tue, 2 Nov 2021 21:37:51 -0400
Subject: [PATCH 1/4] PodSecurity: update webhook manifest for beta
---
 .../pod-security-admission/webhook/manifests/20-configmap.yaml | 2 +-
 .../pod-security-admission/webhook/manifests/50-deployment.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/staging/src/k8s.io/pod-security-admission/webhook/manifests/20-configmap.yaml b/staging/src/k8s.io/pod-security-admission/webhook/manifests/20-configmap.yaml
index 4d1c73bf6d4..1a6536a529b 100644
--- a/staging/src/k8s.io/pod-security-admission/webhook/manifests/20-configmap.yaml
+++ b/staging/src/k8s.io/pod-security-admission/webhook/manifests/20-configmap.yaml
@@ -5,7 +5,7 @@ metadata:
 namespace: pod-security-webhook
 data:
 podsecurityconfiguration.yaml: |
- apiVersion: pod-security.admission.config.k8s.io/v1alpha1
+ apiVersion: pod-security.admission.config.k8s.io/v1beta1
 kind: PodSecurityConfiguration
 # Defaults applied when a mode label is not set.
 #
diff --git a/staging/src/k8s.io/pod-security-admission/webhook/manifests/50-deployment.yaml b/staging/src/k8s.io/pod-security-admission/webhook/manifests/50-deployment.yaml
index 104321e2cf2..3ae3bba660e 100644
--- a/staging/src/k8s.io/pod-security-admission/webhook/manifests/50-deployment.yaml
+++ b/staging/src/k8s.io/pod-security-admission/webhook/manifests/50-deployment.yaml
@@ -25,7 +25,7 @@ spec:
 secretName: pod-security-webhook
 containers:
 - name: pod-security-webhook
- image: k8s.gcr.io/sig-auth/pod-security-webhook:v1.22-alpha.0
+ image: k8s.gcr.io/sig-auth/pod-security-webhook:v1.23-beta.0
 terminationMessagePolicy: FallbackToLogsOnError
 ports:
 - containerPort: 8443
From d92e0dbea6db14783b8b8c233bdb04b181945706 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Wed, 3 Nov 2021 11:35:20 -0400
Subject: [PATCH 2/4] PodSecurity: update webhook manifest to label namespace as restricted
---
 .../webhook/manifests/10-namespace.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/staging/src/k8s.io/pod-security-admission/webhook/manifests/10-namespace.yaml b/staging/src/k8s.io/pod-security-admission/webhook/manifests/10-namespace.yaml
index 5a1d492060c..2b00684b4d2 100644
--- a/staging/src/k8s.io/pod-security-admission/webhook/manifests/10-namespace.yaml
+++ b/staging/src/k8s.io/pod-security-admission/webhook/manifests/10-namespace.yaml
@@ -1,4 +1,8 @@
 apiVersion: v1
 kind: Namespace
 metadata:
- name: pod-security-webhook
\ No newline at end of file
+ name: pod-security-webhook
+ labels:
+ # Even though the validating webhook excludes intercepting this namespace to avoid a circular dependency,
+ # the deployment pod spec is compatible with the restricted level, so mark the namespace as restricted anyway.
+ pod-security.kubernetes.io/enforce: restricted
From f6456d098e2e17b82d9452375fb42b384798a486 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Wed, 3 Nov 2021 11:35:38 -0400
Subject: [PATCH 3/4] PodSecurity: update webhook manifest to target linux/amd64 node
---
 .../webhook/manifests/50-deployment.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/staging/src/k8s.io/pod-security-admission/webhook/manifests/50-deployment.yaml b/staging/src/k8s.io/pod-security-admission/webhook/manifests/50-deployment.yaml
index 3ae3bba660e..d4e74dd3b77 100644
--- a/staging/src/k8s.io/pod-security-admission/webhook/manifests/50-deployment.yaml
+++ b/staging/src/k8s.io/pod-security-admission/webhook/manifests/50-deployment.yaml
@@ -16,6 +16,9 @@ spec:
 spec:
 serviceAccountName: pod-security-webhook
 priorityClassName: system-cluster-critical
+ nodeSelector:
+ kubernetes.io/os: linux
+ kubernetes.io/arch: amd64
 volumes:
 - name: config
 configMap:
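Review bot: The new `pod-security.kubernetes.io/enforce: restricted` label pins the level but not the version, so the set of checks applied to this namespace changes silently whenever the evaluating component is upgraded; adding `pod-security.kubernetes.io/enforce-version: latest` (or a specific version) next to it makes that choice explicit. Since the added comment says the webhook excludes this namespace, the label is presumably only acted on where the built-in PodSecurity admission plugin is enabled, and saying so in the comment would stop a reader from assuming the webhook is enforcing on itself. Only `enforce` is set; a matching `pod-security.kubernetes.io/warn: restricted` would report a future regression in the deployment's pod spec as a warning at apply time instead of only as a rejection.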
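Review bot: The added `kubernetes.io/arch: amd64` selector makes the deployment unschedulable on a cluster with no amd64 node, and the hunk does not record why the pin is needed; presumably the published image is single-architecture, but that is not visible here. A comment above `nodeSelector:` such as `# Image is published for linux/amd64 only; relax kubernetes.io/arch if a multi-arch image is used.` would document the constraint for whoever next changes the image tag. The enclosing pod `spec:` continues outside the hunk.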
From 9f92fb0d7e8bf519839b172f255b2e091fa17081 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Wed, 3 Nov 2021 11:36:04 -0400
Subject: [PATCH 4/4] PodSecurity: update webhook manifest to use named port
---
 .../webhook/manifests/50-deployment.yaml | 8 ++++++--
 .../webhook/manifests/60-service.yaml | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/staging/src/k8s.io/pod-security-admission/webhook/manifests/50-deployment.yaml b/staging/src/k8s.io/pod-security-admission/webhook/manifests/50-deployment.yaml
index d4e74dd3b77..14561adabcc 100644
--- a/staging/src/k8s.io/pod-security-admission/webhook/manifests/50-deployment.yaml
+++ b/staging/src/k8s.io/pod-security-admission/webhook/manifests/50-deployment.yaml
@@ -31,7 +31,11 @@ spec:
 image: k8s.gcr.io/sig-auth/pod-security-webhook:v1.23-beta.0
 terminationMessagePolicy: FallbackToLogsOnError
 ports:
- - containerPort: 8443
+ - name: webhook
+ # A port > 1024 avoids needing low port bind privileges.
+ # Using the same port as the kubelet is likely to already be permitted in apiserver -> node firewall rules.
+ # The pod has its own IP and doesn't run with hostNetwork, so there's no port conflict with the kubelet.
+ containerPort: 10250
 args:
 [
 "--config",
@@ -41,7 +45,7 @@ spec:
 "--tls-private-key-file",
 "/etc/pki/tls.key",
 "--secure-port",
- "8443",
+ "10250",
 ]
 resources:
 requests:
diff --git a/staging/src/k8s.io/pod-security-admission/webhook/manifests/60-service.yaml b/staging/src/k8s.io/pod-security-admission/webhook/manifests/60-service.yaml
index 0b5f66f4035..66f44dbb704 100644
--- a/staging/src/k8s.io/pod-security-admission/webhook/manifests/60-service.yaml
+++ b/staging/src/k8s.io/pod-security-admission/webhook/manifests/60-service.yaml
@@ -8,7 +8,7 @@ metadata:
 spec:
 ports:
 - port: 443
- targetPort: 8443
+ targetPort: webhook
 protocol: TCP
 name: https
 selector:
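Review bot: The second comment on the new `webhook` port (`# Using the same port as the kubelet is likely to already be permitted in apiserver -> node firewall rules.`) promises more than the manifest can deliver: the apiserver reaches this container through the Service on the pod's own IP, as the next comment line itself notes, so a rule allowing apiserver -> node-IP:10250 does not necessarily cover pod-network traffic, which depends on the network plugin and any cloud firewall. Consider rewording it to `# Reusing the kubelet port makes it more likely that existing apiserver -> node firewall rules already allow it; traffic still arrives on the pod IP via the Service, so verify apiserver -> pod-network reachability separately.` The value 10250 now lives in two places in this file, `containerPort: 10250` here and `"10250",` under `--secure-port` in the following hunk, so a one-line comment at the args entry (`# must match the "webhook" containerPort above`) would keep them from drifting apart. The enclosing `spec:` block starts and ends outside the hunk.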