externalip-webhook

created to address CVE-2020-8554

externalip-webhook, is a validating webhook which prevents services from using random external IPs. Cluster administrators can specify list of CIDRs allowed to be used as external IP by specifying allowed-external-ip-cidrs parameter. Webhook will only allow creation of services which doesn't require external IP or whose external IPs are within the range specified by the administrator. externalip-webhook can also restrict who can specify allowed ranges of external IPs to services by specifying allowed-usernames and allowed-groups parameters.

This repo is built using kubebuilder.

Deploying

To restrict external IP to certain CIDRs, uncomment and update allowed-external-ip-cidrs in webhook.yaml.

To restrict users that can specify external IPs to services, uncomment and update allowed-usernames and/or allowed-groups in webhook.yaml. Default values for both parameters are empty and it means any users can specify. If either of the parameters is set, specifying external IPs is restricted to the users that match to any of these parameters.

NOTE: If auth-proxy is enabled then update allowed-external-ip-cidrs in metrics_server_auth_proxy.yaml.

Deploy pre-built webhook

To deploy the webhook using the manifests in this repo, you must have kustomize in your path. You can download kustomize here: https://kubernetes-sigs.github.io/kustomize/installation/

make deploy

Build and deploy webhook

make docker-build docker-push IMG=DOCKER_IMAGE_TAG
make deploy IMG=DOCKER_IMAGE_TAG

Configuration

Updating webhook namespace

Webhook by default runs under externalip-validation-system ns. This can be changed by updating namespace and namePrefix in kustomization.yaml file.

Certificate generation for webhook

Webhook certificates can either be generated through cert-manager or by uploading certs. Following section explains how this can be achieved.

Using cert manager

Uncomment all sections with 'CERTMANAGER' in kustomization.yaml file.

Uploading webhook certificates

1. Upload certs data (ca.crt, tls.crt and tls.key) as kubernetes secret with name webhook-server-cert in namespace same as kustomization.yaml.
2. Update caBundle field in manifests.yaml.

Enabling metrics endpoint

Webhook emits webhook_failed_request_count metrics whenever it rejects service creation or update operation.

Enabling without auth-proxy

Uncomment --metrics-addr and the corresponding section in containers.Port in webhook.yaml.

Enabling /metrics with auth-proxy

1. Uncomment all sections with 'METRICS_SERVER_RBAC' in kustomization.yaml file.
2. Create cluster role binding for the cluster role in auth_proxy_client_clusterrole.yaml.

Exporting metrics for Prometheus

Follow the steps mentioned here to export the webhook metrics.

Community, discussion, contribution, and support

Learn how to engage with the Kubernetes community on the community page.

You can reach the maintainers of this project at:

• Slack
• Mailing List

Code of conduct

Participation in the Kubernetes community is governed by the Kubernetes Code of Conduct.