Set minimum TLS version in webhooks #1426

Merged
merged 15 commits into from
Sep 23, 2021
Merged
Changes from 14 commits
15 changes: 6 additions & 9 deletions go.mod
Expand Up @@ -4,19 +4,16 @@ go 1.16

require (
contrib.go.opencensus.io/exporter/prometheus v0.3.0
github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef // indirect
github.com/davecgh/go-spew v1.1.1
github.com/ghodss/yaml v1.0.0
github.com/go-logr/logr v0.4.0
github.com/go-logr/zapr v0.4.0
github.com/go-openapi/spec v0.20.3 // indirect
github.com/google/go-cmp v0.5.6
github.com/google/uuid v1.1.2
github.com/mitchellh/mapstructure v1.4.1 // indirect
github.com/onsi/ginkgo v1.16.4
github.com/onsi/gomega v1.16.0
github.com/open-policy-agent/cert-controller v0.2.0
github.com/open-policy-agent/frameworks/constraint v0.0.0-20210701194838-1dbe2618668d
github.com/open-policy-agent/frameworks/constraint v0.0.0-20210816184142-2924b2c86f76
github.com/open-policy-agent/opa v0.29.4
github.com/pkg/errors v0.9.1
github.com/prometheus/client_golang v1.11.0
Expand All @@ -32,12 +29,12 @@ require (
google.golang.org/protobuf v1.27.1 // indirect
gopkg.in/yaml.v2 v2.4.0
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
k8s.io/api v0.20.10
k8s.io/apiextensions-apiserver v0.20.10
k8s.io/apimachinery v0.20.10
k8s.io/client-go v0.20.10
k8s.io/api v0.21.2
k8s.io/apiextensions-apiserver v0.21.2
k8s.io/apimachinery v0.21.2
k8s.io/client-go v0.21.2
k8s.io/klog/v2 v2.9.0
k8s.io/utils v0.0.0-20210802155522-efc7438f0176
sigs.k8s.io/controller-runtime v0.8.3
sigs.k8s.io/controller-runtime v0.9.2
sigs.k8s.io/yaml v1.2.0
)
136 changes: 80 additions & 56 deletions go.sum

Large diffs are not rendered by default.

7 changes: 2 additions & 5 deletions pkg/controller/config/config_controller_test.go
Expand Up @@ -96,9 +96,8 @@ func TestReconcile(t *testing.T) {
g := gomega.NewGomegaWithT(t)
instance := &configv1alpha1.Config{
ObjectMeta: metav1.ObjectMeta{
Name: "config",
Namespace: "gatekeeper-system",
Finalizers: []string{finalizerName},
Name: "config",
Namespace: "gatekeeper-system",
},
Spec: configv1alpha1.ConfigSpec{
Sync: configv1alpha1.Sync{
Expand Down Expand Up @@ -223,8 +222,6 @@ func TestReconcile(t *testing.T) {
g.Expect(syncNotExcludedPod).Should(gomega.BeFalse())
g.Expect(err).To(gomega.BeNil())

// Test finalizer removal

testMgrStopped()
cs.Stop()
}
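Review bot: Dropping the `// Test finalizer removal` line leaves the blank lines on either side of it adjacent, so the new file has two consecutive blank lines before `testMgrStopped()`; gofmt collapses such runs to a single blank line, so this hunk is likely not gofmt-clean and one of the two should go. The first hunk's change (removing `Finalizers` from the Config fixture) is consistent with that comment going away, but the rest of TestReconcile lies outside both hunks, so whether any finalizer assertion still exists elsewhere in the test cannot be seen here.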
3 changes: 2 additions & 1 deletion pkg/metrics/client_metrics.go
Expand Up @@ -16,6 +16,7 @@ limitations under the License.
package metrics

import (
"context"
"net/url"
"time"

Expand All @@ -31,4 +32,4 @@ func DisableRESTClientMetrics() {

type noopLatency struct{}

func (noopLatency) Observe(string, url.URL, time.Duration) {}
func (noopLatency) Observe(context.Context, string, url.URL, time.Duration) {}
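Review bot: The new `Observe` signature on the last line of the hunk is only checked against the client-go interface at the place where a `noopLatency` value is assigned to it (presumably inside DisableRESTClientMetrics, which is outside the hunk), so the next signature drift in client-go will again surface as a confusing error at that assignment rather than at the type. A compile-time assertion next to the type makes the contract explicit and fails at the definition, e.g. `var _ metrics.LatencyMetric = noopLatency{}`, using whichever alias this file imports k8s.io/client-go/tools/metrics under — the import block is only partly visible here. A one-line doc comment such as `// noopLatency is a LatencyMetric that discards every observation.` would also help a reader who lands on the unnamed parameters.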
Why are we adding context here? Looking at the definition of clientmetrics.RequestLatency, it doesn't appear to expect a context.

@sozercan sozercan Sep 22, 2021
ah, might have been looking at an older version of the code. LGTM

1 change: 1 addition & 0 deletions pkg/webhook/common.go
Expand Up @@ -56,6 +56,7 @@ var (
disableEnforcementActionValidation = flag.Bool("disable-enforcementaction-validation", false, "disable validation of the enforcementAction field of a constraint")
logDenies = flag.Bool("log-denies", false, "log detailed info on each deny")
emitAdmissionEvents = flag.Bool("emit-admission-events", false, "(alpha) emit Kubernetes events in gatekeeper namespace for each admission violation")
tlsMinVersion = flag.String("tls-min-version", "1.2", "minimum version of TLS supported")
serviceaccount = fmt.Sprintf("system:serviceaccount:%s:%s", util.GetNamespace(), serviceAccountName)
// webhookName is deprecated, set this on the manifest YAML if needed".
)
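Review bot: The added `tls-min-version` flag accepts any string and its help text does not say which values are meaningful, so a typo or an unsupported value is not caught at flag parsing and will surface only later, when the webhook server interprets the field (whether controller-runtime rejects unknown strings at that point should be confirmed against the vendored version). Spelling out the accepted set and the trade-off in the help text would make the operator-facing contract clear, e.g. `tlsMinVersion = flag.String("tls-min-version", "1.2", "minimum version of TLS supported by the webhook server (1.0, 1.1, 1.2 or 1.3); values below 1.2 weaken transport security and are not recommended")`. Validating the value once at startup and failing with a clear message would be a further improvement; the enclosing var block continues outside the hunk.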
4 changes: 3 additions & 1 deletion pkg/webhook/mutation.go
Expand Up @@ -87,7 +87,9 @@ func AddMutatingWebhook(mgr manager.Manager, client *opa.Client, processExcluder
if err := wh.InjectLogger(log); err != nil {
return err
}
mgr.GetWebhookServer().Register("/v1/mutate", wh)
server := mgr.GetWebhookServer()
server.TLSMinVersion = *tlsMinVersion
server.Register("/v1/mutate", wh)

return nil
}
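Review bot: `server.TLSMinVersion = *tlsMinVersion` is a server-wide setting written inside a per-webhook registration function, and the identical assignment is repeated in namespacelabel.go and policy.go; since `mgr.GetWebhookServer()` hands back the manager's single shared server, the field is set three times with last-writer-wins semantics, which is harmless only because all three write the same flag. Setting it once where the webhook server is obtained, or at the call site that invokes the Add*Webhook functions, would keep the minimum-version policy visible in one place and leave these functions limited to `Register`. If the field is only read when the server starts (worth confirming in controller-runtime), any Add function invoked after Start would also silently have no effect on the TLS floor. AddMutatingWebhook begins outside the hunk.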
4 changes: 3 additions & 1 deletion pkg/webhook/namespacelabel.go
Expand Up @@ -42,7 +42,9 @@ func AddLabelWebhook(mgr manager.Manager, _ *opa.Client, _ *process.Excluder, mu
if err := wh.InjectLogger(log); err != nil {
return err
}
mgr.GetWebhookServer().Register("/v1/admitlabel", wh)
server := mgr.GetWebhookServer()
server.TLSMinVersion = *tlsMinVersion
server.Register("/v1/admitlabel", wh)
return nil
}

4 changes: 3 additions & 1 deletion pkg/webhook/policy.go
Expand Up @@ -101,7 +101,9 @@ func AddPolicyWebhook(mgr manager.Manager, opa *opa.Client, processExcluder *pro
if err := wh.InjectLogger(log); err != nil {
return err
}
mgr.GetWebhookServer().Register("/v1/admit", wh)
server := mgr.GetWebhookServer()
server.TLSMinVersion = *tlsMinVersion
server.Register("/v1/admit", wh)
return nil
}

Expand Up @@ -15,7 +15,7 @@ limitations under the License.
*/

// Modified from the original source (available at
// https://github.com/kubernetes-sigs/controller-runtime/tree/v0.8.2/pkg/cache)
// https://github.com/kubernetes-sigs/controller-runtime/tree/v0.9.2/pkg/cache)

package dynamiccache

Expand All @@ -24,6 +24,7 @@ import (
"time"

"github.com/open-policy-agent/gatekeeper/third_party/sigs.k8s.io/controller-runtime/pkg/dynamiccache/internal"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/client-go/kubernetes/scheme"
"k8s.io/client-go/rest"
"sigs.k8s.io/controller-runtime/pkg/cache"
Expand All @@ -41,10 +42,38 @@ func New(config *rest.Config, opts cache.Options) (cache.Cache, error) {
if err != nil {
return nil, err
}
im := internal.NewInformersMap(config, opts.Scheme, opts.Mapper, *opts.Resync, opts.Namespace)
selectorsByGVK, err := convertToSelectorsByGVK(opts.SelectorsByObject, opts.Scheme)
if err != nil {
return nil, err
}
im := internal.NewInformersMap(config, opts.Scheme, opts.Mapper, *opts.Resync, opts.Namespace, selectorsByGVK)
return &dynamicInformerCache{InformersMap: im}, nil
}

// BuilderWithOptions returns a Cache constructor that will build the a cache
// honoring the options argument, this is useful to specify options like
// SelectorsByObject
// WARNING: if SelectorsByObject is specified. filtered out resources are not
// returned.
func BuilderWithOptions(options cache.Options) cache.NewCacheFunc {
return func(config *rest.Config, opts cache.Options) (cache.Cache, error) {
if opts.Scheme == nil {
opts.Scheme = options.Scheme
}
if opts.Mapper == nil {
opts.Mapper = options.Mapper
}
if opts.Resync == nil {
opts.Resync = options.Resync
}
if opts.Namespace == "" {
opts.Namespace = options.Namespace
}
opts.SelectorsByObject = options.SelectorsByObject
return New(config, opts)
}
}

func defaultOpts(config *rest.Config, opts cache.Options) (cache.Options, error) {
// Use the default Kubernetes Scheme if unset
if opts.Scheme == nil {
Expand All @@ -67,3 +96,18 @@ func defaultOpts(config *rest.Config, opts cache.Options) (cache.Options, error)
}
return opts, nil
}

func convertToSelectorsByGVK(selectorsByObject cache.SelectorsByObject, scheme *runtime.Scheme) (internal.SelectorsByGVK, error) {
selectorsByGVK := internal.SelectorsByGVK{}
for object, selector := range selectorsByObject {
gvk, err := apiutil.GVKForObject(object, scheme)
if err != nil {
return nil, err
}
selectorsByGVK[gvk] = internal.Selector{
Label: selector.Label,
Field: selector.Field,
}
}
return selectorsByGVK, nil
}
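Review bot: The doc comment on the new `BuilderWithOptions` reads "will build the a cache" and its first sentence has no terminating period, apparently carried over from the upstream v0.9.2 source this file is modified from; suggest `// BuilderWithOptions returns a Cache constructor that builds a cache honoring the options argument. This is useful to specify options like SelectorsByObject.` with the WARNING kept as its own line. `convertToSelectorsByGVK` at the end of the last hunk has no comment at all, e.g. `// convertToSelectorsByGVK resolves each object in selectorsByObject to its GVK via scheme and keys the selectors by it.` The bare `return nil, err` there drops which object failed GVK resolution; wrapping the error with the object's type (`%T`) would make a misconfigured SelectorsByObject much easier to diagnose, provided fmt is imported — only part of the import block is visible in the hunk.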
Expand Up @@ -15,7 +15,7 @@ limitations under the License.
*/

// Modified from the original source (available at
// https://github.com/kubernetes-sigs/controller-runtime/tree/v0.8.2/pkg/cache)
// https://github.com/kubernetes-sigs/controller-runtime/tree/v0.9.2/pkg/cache)

package dynamiccache_test

Expand All @@ -42,7 +42,7 @@ var testenv *envtest.Environment
var cfg *rest.Config
var clientset *kubernetes.Clientset

var _ = BeforeSuite(func(done Done) {
var _ = BeforeSuite(func() {
logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true)))

testenv = &envtest.Environment{}
Expand All @@ -53,8 +53,6 @@ var _ = BeforeSuite(func(done Done) {

clientset, err = kubernetes.NewForConfig(cfg)
Expect(err).NotTo(HaveOccurred())

close(done)
}, 60)

var _ = AfterSuite(func() {
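Review bot: With the `Done` parameter removed from the BeforeSuite body in the second hunk and `close(done)` dropped in the third, the trailing `60` on the retained `}, 60)` is left over from the asynchronous form; in Ginkgo v1 that timeout argument governs bodies that take a Done channel, so for a plain `func()` it presumably has no effect and the line can become `})` — worth confirming against the pinned ginkgo version. The BeforeSuite body is split across the two hunks, so any other references to `done` between them are not visible here.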