kubewarden/do-not-expose-admission-controller-webhook-services-policy

Stable

This policy identifies Kubernetes Services that are:

  • Exposed externally via Ingress resources, NodePort services, or LoadBalancer services.
  • Used internally by Dynamic Admission Controllers as webhook endpoints.

Exposing webhook endpoints externally increases the attack surface, as highlighted by CVE-2025-1974. This policy helps secure your cluster by detecting such misconfigurations.

How It Works

  1. The policy collects every Service referenced by a ValidatingWebhookConfiguration or MutatingWebhookConfiguration.
  2. It queries the Kubernetes API to determine which of those Services are reachable from outside the cluster, either because an Ingress resource routes to them or because the Service itself is of type NodePort or LoadBalancer.
  3. Every ValidatingWebhookConfiguration or MutatingWebhookConfiguration whose webhook Service is exposed in this way is reported as misconfigured.
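The three steps above, written out as an added example that is not the policy's own code. It works on plain dictionaries shaped like the JSON that kubectl returns for webhook configurations, Services and Ingresses; the sample objects and names (safe-webhook, leaky-webhook, ingress-routed-webhook, public-entry) are constructed for the example. A real policy would obtain these objects through the Kubewarden context-aware API rather than from in-memory literals.

```python
"""Find admission-webhook Services that are also reachable from outside the cluster.

Added example, not the policy's own code. Inputs mimic the JSON shape of
`kubectl get ... -o json`; all sample objects below are constructed.
"""
import json

# Service types that publish the Service outside the cluster.
EXTERNAL_SERVICE_TYPES = {"NodePort", "LoadBalancer"}


def webhook_services(webhook_configs):
    """Step 1: map (namespace, name) of each Service used as a webhook endpoint
    to the webhook configurations that reference it."""
    refs = {}
    for cfg in webhook_configs:
        for hook in cfg.get("webhooks", []):
            svc = hook.get("clientConfig", {}).get("service")
            if not svc:
                continue  # url-based webhooks do not point at an in-cluster Service
            key = (svc["namespace"], svc["name"])
            refs.setdefault(key, []).append(f'{cfg["kind"]}/{cfg["metadata"]["name"]}')
    return refs


def externally_exposed_services(services, ingresses):
    """Step 2: return {(namespace, name): reason} for every Service that is
    exposed by its own type or by an Ingress backend."""
    exposed = {}
    for svc in services:
        svc_type = svc["spec"].get("type", "ClusterIP")
        if svc_type in EXTERNAL_SERVICE_TYPES:
            key = (svc["metadata"]["namespace"], svc["metadata"]["name"])
            exposed[key] = f"Service type {svc_type}"
    for ing in ingresses:
        ns = ing["metadata"]["namespace"]
        reason = f'Ingress {ns}/{ing["metadata"]["name"]}'
        spec = ing["spec"]
        backends = [spec["defaultBackend"]] if "defaultBackend" in spec else []
        for rule in spec.get("rules", []):
            for path in rule.get("http", {}).get("paths", []):
                backends.append(path.get("backend", {}))
        for backend in backends:
            name = backend.get("service", {}).get("name")
            if name:
                # An Ingress backend always targets a Service in its own namespace.
                exposed.setdefault((ns, name), reason)
    return exposed


def find_exposed_webhooks(webhook_configs, services, ingresses):
    """Step 3: report each webhook Service that is externally exposed."""
    refs = webhook_services(webhook_configs)
    exposed = externally_exposed_services(services, ingresses)
    return [
        {"service": f"{ns}/{name}", "exposed_via": exposed[(ns, name)],
         "webhooks": sorted(refs[(ns, name)])}
        for ns, name in sorted(refs) if (ns, name) in exposed
    ]


def _svc(ns, name, svc_type):
    return {"metadata": {"namespace": ns, "name": name}, "spec": {"type": svc_type}}


def _hook_cfg(kind, name, ns, svc_name):
    return {"kind": kind, "metadata": {"name": name},
            "webhooks": [{"name": f"{name}.example.invalid",
                          "clientConfig": {"service": {"namespace": ns, "name": svc_name, "path": "/validate"}}}]}


# Constructed sample cluster state: one clean webhook, one behind a LoadBalancer,
# one routed by an Ingress, plus a url-based webhook that references no Service.
SAMPLE_WEBHOOK_CONFIGS = [
    _hook_cfg("ValidatingWebhookConfiguration", "safe-validator", "ops", "safe-webhook"),
    _hook_cfg("MutatingWebhookConfiguration", "leaky-mutator", "ops", "leaky-webhook"),
    _hook_cfg("ValidatingWebhookConfiguration", "routed-validator", "ops", "ingress-routed-webhook"),
    {"kind": "ValidatingWebhookConfiguration", "metadata": {"name": "external-validator"},
     "webhooks": [{"name": "ext.example.invalid", "clientConfig": {"url": "https://hooks.example.invalid/v"}}]},
]
SAMPLE_SERVICES = [
    _svc("ops", "safe-webhook", "ClusterIP"),
    _svc("ops", "leaky-webhook", "LoadBalancer"),
    _svc("ops", "ingress-routed-webhook", "ClusterIP"),
]
SAMPLE_INGRESSES = [{
    "metadata": {"namespace": "ops", "name": "public-entry"},
    "spec": {"rules": [{"host": "hooks.example.invalid", "http": {"paths": [
        {"path": "/", "backend": {"service": {"name": "ingress-routed-webhook", "port": {"number": 443}}}}]}}]},
}]

if __name__ == "__main__":
    print(json.dumps(find_exposed_webhooks(SAMPLE_WEBHOOK_CONFIGS, SAMPLE_SERVICES, SAMPLE_INGRESSES), indent=2))
```

Running the module prints two findings: leaky-webhook (exposed by its LoadBalancer type) and ingress-routed-webhook (exposed through the public-entry Ingress); safe-webhook and the url-based webhook produce nothing. A Service hit by both an Ingress and an external type is reported once, with the Service type as the reason.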

Settings

This policy has no configurable settings.

Access to Kubernetes resources

The policy requires access to the Kubernetes API to query Ingress resources. This makes it a "context-aware policy".

Deployment

Deploy the policy as a ClusterAdmissionPolicy with the contextAwareResources field properly set. Use the following command to scaffold the policy:

kwctl scaffold manifest --type ClusterAdmissionPolicy --allow-context-aware <policy name>

About

A policy that detects webhook services used by admission controllers that are accidentally exposed outside of the cluster.
