From b01e62960985dd7cb318372abff296fb96f1012b Mon Sep 17 00:00:00 2001
From: Micah Nagel <micah.nagel@defenseunicorns.com>
Date: Tue, 20 Feb 2024 14:54:52 -0700
Subject: [PATCH] fix: validating/mutating webhook networkpolicies and mtls
 (#192)

## Description

Adds the proper ingress rules to the webhooks and PERMISSIVE mTLS to
allow calls to operate as expected. Validated by turning the webhook
failure policies to Fail and applying CRs. The fix applied is similar to
the approach taken with metrics-server, and can be re-evaluated as a
generated rule instead of Anywhere in the future.

## Related Issue

Related to https://github.com/defenseunicorns/uds-core/issues/149 (not a
solve for it, but would also be modified by that issue)

## Type of change

- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)(https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md#submitting-a-pull-request)
followed
---
 .../peerauthentication/metrics-api.yaml         |  1 +
 .../neuvector-controller-pa.yaml                |  5 ++++-
 src/neuvector/chart/templates/uds-package.yaml  |  8 ++++++++
 .../prometheus-operator-pa.yaml                 | 17 +++++++++++++++++
 .../chart/templates/uds-package.yaml            |  8 ++++++++
 5 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml

diff --git a/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml b/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml
index f6c3a3bc0..18c5fdcbf 100644
--- a/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml
+++ b/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml
@@ -11,6 +11,7 @@ spec:
     matchLabels:
       app.kubernetes.io/name: metrics-server
   portLevelMtls:
+    # Allow api service calls to operate permissive since ingress originates from the nodes
     "10250":
       mode: PERMISSIVE
 {{- end }}
diff --git a/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml b/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml
index 71c2deb73..6e881bf73 100644
--- a/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml
+++ b/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml
@@ -13,4 +13,7 @@ spec:
   portLevelMtls:
     "18300":
       mode: PERMISSIVE
-{{- end }}
\ No newline at end of file
+    # Allow webhooks to operate permissive since ingress originates from the nodes
+    "30443":
+      mode: PERMISSIVE
+{{- end }}
diff --git a/src/neuvector/chart/templates/uds-package.yaml b/src/neuvector/chart/templates/uds-package.yaml
index 631410e45..b44a25f73 100644
--- a/src/neuvector/chart/templates/uds-package.yaml
+++ b/src/neuvector/chart/templates/uds-package.yaml
@@ -31,6 +31,14 @@ spec:
         selector:
           app: neuvector-updater-pod
 
+      - direction: Ingress
+        # todo: evaluate a "KubeAPI" _ingress_ generated rule for webhook calls
+        remoteGenerated: Anywhere
+        selector:
+          app: neuvector-controller-pod
+        port: 30443
+        description: "Webhook"
+
       - direction: Ingress
         remoteNamespace: monitoring
         remoteSelector:
diff --git a/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml b/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml
new file mode 100644
index 000000000..eb1c14d0e
--- /dev/null
+++ b/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml
@@ -0,0 +1,17 @@
+{{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }}
+apiVersion: "security.istio.io/v1beta1"
+kind: PeerAuthentication
+metadata:
+  name: prometheus-operator-webhook
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    matchLabels:
+      app: kube-prometheus-stack-operator
+  mtls:
+    mode: STRICT
+  portLevelMtls:
+    # Allow webhooks to operate permissive since ingress originates from the nodes
+    "10250":
+      mode: PERMISSIVE
+{{- end }}
diff --git a/src/prometheus-stack/chart/templates/uds-package.yaml b/src/prometheus-stack/chart/templates/uds-package.yaml
index f021ddf01..5574573bc 100644
--- a/src/prometheus-stack/chart/templates/uds-package.yaml
+++ b/src/prometheus-stack/chart/templates/uds-package.yaml
@@ -33,6 +33,14 @@ spec:
         selector:
           app: kube-prometheus-stack-admission-patch
 
+      - direction: Ingress
+        # todo: evaluate a "KubeAPI" _ingress_ generated rule for webhook calls
+        remoteGenerated: Anywhere
+        selector:
+          app: kube-prometheus-stack-operator
+        port: 10250
+        description: "Webhook"
+
       # todo: lockdown egress to scrape targets
       - direction: Egress
         remoteNamespace: ""