feat: update webhook failure policy to Fail and set objectSelector (#695)

- Sets failurePolicy to Fail
- Added `azure.workload.identity/use: "true"` label in objectSelector
- Regenerated helm charts and manifests

Signed-off-by: Anish Ramasekar <[email protected]>
aramase committed Jan 24, 2023
1 parent fd5f060 commit 653d013
Showing 17 changed files with 92 additions and 130 deletions.
3 changes: 3 additions & 0 deletions config/webhook/kustomization.yaml
@@ -4,3 +4,6 @@ resources:

configurations:
- kustomizeconfig.yaml

patchesStrategicMerge:
- webhook_patch.yaml
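Review bot: the strategic merge patch is bound to its target by apiVersion, kind and metadata.name, so `webhook_patch.yaml` only applies while controller-gen keeps emitting `mutating-webhook-configuration` as the name in `manifests.yaml`; a rename on regeneration makes `kustomize build` error out rather than silently dropping the objectSelector, which is the safe direction, but a one-line comment next to `- webhook_patch.yaml` explaining that the patch is what scopes the new fail-closed policy would save the next contributor a surprise.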
2 changes: 1 addition & 1 deletion config/webhook/manifests.yaml
@@ -14,7 +14,7 @@ webhooks:
name: webhook-service
namespace: system
path: /mutate-v1-pod
failurePolicy: Ignore
failurePolicy: Fail
matchPolicy: Equivalent
name: mutation.azure-workload-identity.io
rules:
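Review bot: `manifests.yaml` is controller-gen output, so this hunk is consistent with the marker change in `pkg/webhook/webhook.go`; note that on its own this file now fails closed for every pod create in matched namespaces, because the objectSelector lives only in `webhook_patch.yaml`. Anyone applying `config/webhook/manifests.yaml` without the kustomize overlay, or regenerating and forgetting the patch, ends up with a cluster-wide fail-closed webhook, so the two files should be documented as a unit.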
10 changes: 10 additions & 0 deletions config/webhook/webhook_patch.yaml
@@ -0,0 +1,10 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
creationTimestamp: null
name: mutating-webhook-configuration
webhooks:
- name: mutation.azure-workload-identity.io
objectSelector:
matchLabels:
azure.workload.identity/use: "true"
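Review bot: `creationTimestamp: null` is not needed in a patch and can be dropped; more importantly, admission evaluates the objectSelector against the Pod object, so a Deployment, Job or CronJob opting in must carry the label in `spec.template.metadata.labels`, not on the owner resource, and that requirement belongs in the user docs next to the service-account annotation. With `failurePolicy: Fail` this selector is also what limits the blast radius of a webhook outage to opted-in pods, so it is worth a regression test asserting that an unlabelled pod is still admitted while the webhook endpoint is unreachable.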
50 changes: 24 additions & 26 deletions manifest_staging/charts/workload-identity-webhook/README.md
@@ -29,32 +29,30 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide

## Parameters

| Parameter | Description | Default |
| :------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------ |
| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` |
| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
| image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| image.release | The image release tag to use | Current release version: `v0.15.0` |
| imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| arcCluster | Specify if it runs on Arc cluster | `false` |
| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |
| affinity | The node affinity to use for pod scheduling | `{}` |
| tolerations | The tolerations to use for pod scheduling | `[]` |
| service.type | Service type | `ClusterIP` |
| service.port | Service port | `443` |
| service.targetPort | Service target port | `9443` |
| azureTenantID | [**REQUIRED**] Azure tenant ID | `` |
| azureEnvironment | Azure Environment | `AzurePublicCloud` |
| logLevel | The log level to use for the webhook manager. In order of increasing verbosity: unset (empty string), info, debug, trace and all. | `` |
| metricsAddr | The address to bind the metrics server to | `:8095` |
| metricsBackend | The metrics backend to use (`prometheus`) | `prometheus` |
| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook. Default is `Ignore` and it's safe. Setting this to fail closed could cause cluster outage when webhook is not available. | `Ignore` |
| priorityClassName | The priority class name for webhook manager | `system-cluster-critical` |
| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. | `` |
| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
| podLabels | The labels to add to the azure-workload-identity webhook pods | `{}` |
| mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` |
| Parameter | Description | Default |
| :------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------ |
| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` |
| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
| image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| image.release | The image release tag to use | Current release version: `v0.15.0` |
| imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| arcCluster | Specify if it runs on Arc cluster | `false` |
| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |
| affinity | The node affinity to use for pod scheduling | `{}` |
| tolerations | The tolerations to use for pod scheduling | `[]` |
| service.type | Service type | `ClusterIP` |
| service.port | Service port | `443` |
| service.targetPort | Service target port | `9443` |
| azureTenantID | [**REQUIRED**] Azure tenant ID | `` |
| azureEnvironment | Azure Environment | `AzurePublicCloud` |
| logLevel | The log level to use for the webhook manager. In order of increasing verbosity: unset (empty string), info, debug, trace and all. | `` |
| metricsAddr | The address to bind the metrics server to | `:8095` |
| metricsBackend | The metrics backend to use (`prometheus`) | `prometheus` |
| priorityClassName | The priority class name for webhook manager | `system-cluster-critical` |
| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
| podLabels | The labels to add to the azure-workload-identity webhook pods | `{}` |
| mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` |

## Contributing Changes
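Review bot: the table drops `mutatingWebhookFailurePolicy` and `mutatingWebhookObjectSelector` but nothing in the README states what replaced them: the webhook now fails closed and only mutates pods labelled `azure.workload.identity/use: "true"`. Chart users who relied on the old `Ignore` default will otherwise discover this at upgrade time; a short note above the Parameters table, plus a chart version bump and changelog entry, would cover it.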

@@ -18,11 +18,13 @@ webhooks:
name: azure-wi-webhook-webhook-service
namespace: '{{ .Release.Namespace }}'
path: /mutate-v1-pod
failurePolicy: {{ .Values.mutatingWebhookFailurePolicy }}
failurePolicy: Fail
matchPolicy: Equivalent
name: mutation.azure-workload-identity.io
namespaceSelector: {{- toYaml .Values.mutatingWebhookNamespaceSelector | nindent 4 }}
objectSelector: {{- toYaml .Values.mutatingWebhookObjectSelector | nindent 4 }}
objectSelector:
matchLabels:
azure.workload.identity/use: "true"
rules:
- apiGroups:
- ""
2 changes: 0 additions & 2 deletions manifest_staging/charts/workload-identity-webhook/values.yaml
@@ -30,9 +30,7 @@ azureTenantID:
logLevel:
metricsAddr: ":8095"
metricsBackend: prometheus
mutatingWebhookFailurePolicy: Ignore
priorityClassName: system-cluster-critical
mutatingWebhookObjectSelector: {}
mutatingWebhookAnnotations: {}
podLabels: {}
mutatingWebhookNamespaceSelector: {}
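Review bot: deleting these two keys is a silent breaking change for existing releases: Helm ignores values it does not recognise unless the chart ships a `values.schema.json`, so a user still passing `mutatingWebhookFailurePolicy: Ignore` on upgrade gets `Fail` with no warning. Either add a schema that rejects the removed keys, or call the removal out in the chart changelog with a version bump.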
6 changes: 4 additions & 2 deletions manifest_staging/deploy/azure-wi-webhook.yaml
@@ -237,7 +237,6 @@ spec:
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
creationTimestamp: null
labels:
azure-workload-identity.io/system: "true"
name: azure-wi-webhook-mutating-webhook-configuration
@@ -250,9 +249,12 @@ webhooks:
name: azure-wi-webhook-webhook-service
namespace: azure-workload-identity-system
path: /mutate-v1-pod
failurePolicy: Ignore
failurePolicy: Fail
matchPolicy: Equivalent
name: mutation.azure-workload-identity.io
objectSelector:
matchLabels:
azure.workload.identity/use: "true"
rules:
- apiGroups:
- ""
2 changes: 1 addition & 1 deletion pkg/webhook/webhook.go
@@ -39,7 +39,7 @@ const (
warningAnnotationKey = "mutation.azure-workload-identity.io/warning"
)

// +kubebuilder:webhook:path=/mutate-v1-pod,mutating=true,failurePolicy=ignore,groups="",resources=pods,verbs=create,versions=v1,name=mutation.azure-workload-identity.io,sideEffects=None,admissionReviewVersions=v1;v1beta1,matchPolicy=Equivalent
// +kubebuilder:webhook:path=/mutate-v1-pod,mutating=true,failurePolicy=fail,groups="",resources=pods,verbs=create,versions=v1,name=mutation.azure-workload-identity.io,sideEffects=None,admissionReviewVersions=v1;v1beta1,matchPolicy=Equivalent
// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch

// this is required for the webhook server certs generated and rotated as part of cert-controller rotator
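Review bot: controller-gen's webhook marker has no field for an objectSelector, so the selector that scopes this new `failurePolicy=fail` lives only in `config/webhook/webhook_patch.yaml`; add a comment next to this marker pointing at that patch so a later `make manifests` run is not mistaken for the whole configuration. Also, the `UseWorkloadIdentityLabel` constant the e2e tests now reference is not added in this diff, so it presumably already exists in this package; confirm its value is `azure.workload.identity/use` so the tests and the selector agree.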
2 changes: 2 additions & 0 deletions scripts/ci-e2e.sh
@@ -132,6 +132,8 @@ kind: Pod
metadata:
name: nginx-pod
namespace: azure-workload-identity-system-test
labels:
azure.workload.identity/use: "true"
spec:
serviceAccountName: test-service-account
containers:
5 changes: 4 additions & 1 deletion test/e2e/helpers.go
@@ -138,7 +138,10 @@ func createPod(c kubernetes.Interface, pod *corev1.Pod) (*corev1.Pod, error) {
func createPodUsingDeploymentWithServiceAccount(f *framework.Framework, serviceAccount string) *corev1.Pod {
framework.Logf("creating a deployment in %s namespace with service account %s", f.Namespace.Name, serviceAccount)

podLabels := map[string]string{"app": "busybox"}
podLabels := map[string]string{
"app": "busybox",
webhook.UseWorkloadIdentityLabel: "true",
}
nonRootUser := int64(1000)

d := &appsv1.Deployment{
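Review bot: `podLabels` must end up in the Deployment's `spec.template.metadata.labels` for the objectSelector to match, because admission evaluates the Pod and not the Deployment; the lines that consume `podLabels` fall outside this hunk, so please confirm they set the template labels rather than only the Deployment metadata or the selector.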
4 changes: 2 additions & 2 deletions test/e2e/proxy_test.go
@@ -44,7 +44,7 @@ var _ = ginkgo.Describe("Proxy [LinuxOnly] [AKSSoakOnly] [Exclude:Arc]", func()
[]string{"/bin/sh", "-c", fmt.Sprintf("az login -i -u %s --allow-no-subscriptions --debug; sleep 3600", clientID)},
nil,
proxyAnnotations,
nil,
map[string]string{webhook.UseWorkloadIdentityLabel: "true"},
true,
)

@@ -98,7 +98,7 @@ var _ = ginkgo.Describe("Proxy [LinuxOnly] [AKSSoakOnly] [Exclude:Arc]", func()
[]string{"/bin/sh", "-c", "az login -i --allow-no-subscriptions --debug; sleep 3600"},
nil,
proxyAnnotations,
nil,
map[string]string{webhook.UseWorkloadIdentityLabel: "true"},
true,
)

2 changes: 1 addition & 1 deletion test/e2e/token_exchange.go
@@ -54,7 +54,7 @@ var _ = ginkgo.Describe("TokenExchange [AKSSoakOnly] [Exclude:Arc]", func() {
Value: keyvaultSecretName,
}},
nil,
nil,
map[string]string{webhook.UseWorkloadIdentityLabel: "true"},
false,
)
framework.ExpectNoError(err, "failed to create pod %s in %s", pod.Name, namespace)
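Review bot: this is another inline copy of `map[string]string{webhook.UseWorkloadIdentityLabel: "true"}`, after the two in `proxy_test.go` and the one in `helpers.go`; a shared variable or helper in `test/e2e/helpers.go` would keep the opt-in label in one place if the value or the key ever changes.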