Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PodSecurity webhook makefile, image, and manifests #105923

Merged
merged 4 commits into from
Oct 27, 2021
Merged

PodSecurity webhook makefile, image, and manifests #105923

merged 4 commits into from
Oct 27, 2021

Conversation

liggitt
Copy link
Member

@liggitt liggitt commented Oct 26, 2021
edited
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:

Builds on #105362 to address #105362 (comment)

  1. Sets version build flags in makefile
  2. Adds a make certs target to generate the serving certificate
  3. Adds kustomize logic to create the serving secret and inject the CA
  4. Tweaks the deployment (lowers and normalizes CPU request, sets up error logging, relies on the implicit command in the container)
  5. Adds a resource quota for cluster-critical-pods to the namespace, since some clusters restrict that by default

Which issue(s) this PR fixes:

Resolves #103559

Special notes for your reviewer:

Does this PR introduce a user-facing change?

PodSecurity: add a container image and manifests for the PodSecurity validating admission webhook

/assign @tallclair
/cc @sejr

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 26, 2021
@k8s-ci-robot k8s-ci-robot requested a review from sejr October 26, 2021 21:43
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Oct 26, 2021
@k8s-ci-robot
Copy link
Contributor

@liggitt: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Oct 26, 2021
@liggitt liggitt mentioned this pull request Oct 26, 2021
Closed
@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Oct 26, 2021
@liggitt liggitt force-pushed the feature/podsecurity-webhook branch from b3698de to f309aed Compare October 27, 2021 15:49
@liggitt
Copy link
Member Author

liggitt commented Oct 27, 2021
edited
Loading

addressed comments (and also renamed manifest files so they order correctly: namespace → configmap/serviceaccount rbac objects → deployment → service → webhook)

@liggitt liggitt force-pushed the feature/podsecurity-webhook branch from f309aed to bf50d6c Compare October 27, 2021 15:58
@tallclair
Copy link
Member

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Oct 27, 2021
@liggitt liggitt force-pushed the feature/podsecurity-webhook branch from 84db1f6 to e1d11e0 Compare October 27, 2021 17:31
@liggitt
Copy link
Member Author

liggitt commented Oct 27, 2021

since CI failed, I went ahead and pushed the additional fixups I was working on

diff at https://github.com/kubernetes/kubernetes/compare/bf50d6c9b0defd0bc2038a5df65236be98b39c59..e1d11e0cf014ad586107bca8d11ae6b4644df282

tallclair
tallclair reviewed Oct 27, 2021
View reviewed changes
staging/src/k8s.io/pod-security-admission/webhook/Makefile
-t $(IMAGE):$(TAG) .
@echo Done!

# Creates a CA and serving certificate valid for webhook.pod-security-webhook.svc
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we add some sort of disclaimer here about how we don't recommend this approach for production use?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean... there's nothing necessarily wrong with the certs produced by this, but they'd need to wrap this in a process to periodically refresh them

@liggitt liggitt force-pushed the feature/podsecurity-webhook branch from e1d11e0 to 09e9ba9 Compare October 27, 2021 17:54
@tallclair
Copy link
Member

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 27, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, tallclair

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit b8ce285 into kubernetes:master Oct 27, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.23 milestone Oct 27, 2021
@liggitt liggitt deleted the feature/podsecurity-webhook branch October 27, 2021 19:19
@liggitt liggitt mentioned this pull request Nov 3, 2021
Closed
12 tasks
@uhari03 uhari03 mentioned this pull request Jan 28, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tallclair tallclair tallclair left review comments

@sejr sejr Awaiting requested review from sejr

Assignees

@tallclair tallclair

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.23
Development

Successfully merging this pull request may close these issues.

[PodSecurity] Webhook config template & container image
4 participants
@liggitt @k8s-ci-robot @tallclair @sejr