Generated netpol for webhooks / apiservices #149
Labels
operator
Issues pertaining to the UDS Operator (Pepr)
Comments
5 tasks
mjnagel
added a commit
that referenced
this issue
Feb 20, 2024
## Description Adds the proper ingress rules to the webhooks and PERMISSIVE mTLS to allow calls to operate as expected. Validated by turning the webhook failure policies to Fail and applying CRs. The fix applied is similar to the approach taken with metrics-server, and can be re-evaluated as a generated rule instead of Anywhere in the future. ## Related Issue Related to #149 (not a solve for it, but would also be modified by that issue) ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)(https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md#submitting-a-pull-request) followed
robmcelvenny
pushed a commit
to owen-grady/uds-core-slim-dev
that referenced
this issue
Jun 3, 2024
## Description Adds the proper ingress rules to the webhooks and PERMISSIVE mTLS to allow calls to operate as expected. Validated by turning the webhook failure policies to Fail and applying CRs. The fix applied is similar to the approach taken with metrics-server, and can be re-evaluated as a generated rule instead of Anywhere in the future. ## Related Issue Related to defenseunicorns/uds-core#149 (not a solve for it, but would also be modified by that issue) ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)(https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md#submitting-a-pull-request) followed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe what should be investigated or refactored
f1d434a added an open ingress to metrics-server to allow the proper ingress from
kubectl top, but this is overly permissive.While testing for that PR we discovered that webhooks appear to behave the same way/are missing ingress similarly. We will want to evaluate an "Ingress from KubeAPI" generated rule that would cover this scenario, allowing ingress from the source-NAT-ed IPs for each node.
Links to any relevant code
https://github.com/defenseunicorns/uds-core/blob/main/src/metrics-server/chart/templates/uds-package.yaml
Additional context
I have not found any other repos where similar network policies are employed so this feels like a bit of uncharted territory. The closest I've seen is a cilium netpol that uses the
clusterentity - https://docs.cilium.io/en/latest/security/policy/language/#entities-basedThe text was updated successfully, but these errors were encountered: