
namespaceSelector of the webhooks doesn't have effect since scope is not defined #3675

Open
plavy opened this issue Oct 30, 2024 · 2 comments · May be fixed by #3676
Labels
bug Something isn't working

Comments


plavy commented Oct 30, 2024

What steps did you take and what happened:
Helm chart generates mutating-webhook and validating-webhook configurations, but without specifying scope for rules. When the scope is not specified, it is set to * by Kubernetes. This means that namespaceSelector that is also used in the webhook configuration actually doesn't have the intended effect, since the scope is unrestricted.
From the official documentation:

The scope field specifies if only cluster-scoped resources ("Cluster") or
namespace-scoped resources ("Namespaced") will match this rule.
"*" means that there are no scope restrictions.

When using namespaceSelector, scope should be set to Namespaced, as explained here.

What did you expect to happen:
scope of webhook configurations set to Namespaced, or at least an option in values.yaml to set it that way.

Anything else you would like to add:
This issue also causes a warning on GKE, saying that the webhook is unsafe.

Environment:

  • Gatekeeper Helm version: 3.17.1
@plavy plavy added the bug Something isn't working label Oct 30, 2024
@plavy plavy linked a pull request Oct 30, 2024 that will close this issue
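As an added example (not code from the Gatekeeper chart, the linked pull request, or the Kubernetes documentation), the Python below lints a rendered webhook configuration for the situation this issue describes: a webhook that carries a namespaceSelector while its rules leave scope unset, which Kubernetes treats as "*". It also produces a copy with scope set to Namespaced so the two manifests can be diffed. The sample manifest, its names and labels are constructed for the example; the Kubernetes field names (webhooks, namespaceSelector, rules, scope) and the three legal scope values are real.

```python
"""Lint admission webhook rules for an unset or "*" scope alongside a namespaceSelector.

Added example, not Gatekeeper's own code. Works on the plain dict you get from
json.load()/yaml.safe_load() of a rendered ValidatingWebhookConfiguration or
MutatingWebhookConfiguration manifest.
"""
import copy
import json

# Legal values of rules[].scope in admissionregistration.k8s.io/v1.
VALID_SCOPES = {"Cluster", "Namespaced", "*"}

# Constructed sample with the same shape the issue describes: a namespaceSelector
# is present, but the rule has no scope (Kubernetes defaults it to "*").
# A second webhook without a namespaceSelector is included to show it is not flagged.
SAMPLE_WEBHOOK_CONFIG = {
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "example-validating-webhook-configuration"},
    "webhooks": [
        {
            "name": "validation.example.invalid",  # constructed name
            "namespaceSelector": {
                "matchExpressions": [
                    {"key": "admission.example.invalid/ignore", "operator": "DoesNotExist"}
                ]
            },
            "rules": [
                {
                    "apiGroups": ["*"],
                    "apiVersions": ["*"],
                    "operations": ["CREATE", "UPDATE"],
                    "resources": ["*"],
                    # no "scope" key: effective scope is "*"
                }
            ],
        },
        {
            "name": "check-ignore-label.example.invalid",  # constructed name
            "rules": [
                {
                    "apiGroups": [""],
                    "apiVersions": ["*"],
                    "operations": ["CREATE", "UPDATE"],
                    "resources": ["namespaces"],
                    "scope": "Cluster",
                }
            ],
        },
    ],
}


def unscoped_rules(config):
    """Return (webhook name, rule index) for every rule that sits next to a
    namespaceSelector but whose scope is absent or "*".

    Such a rule still matches cluster-scoped objects, which is what the
    namespaceSelector cannot filter and what the issue reports GKE warns about.
    """
    findings = []
    for webhook in config.get("webhooks", []):
        if not webhook.get("namespaceSelector"):
            continue  # no selector, nothing for scope to be inconsistent with
        for idx, rule in enumerate(webhook.get("rules", [])):
            if rule.get("scope", "*") == "*":
                findings.append((webhook["name"], idx))
    return findings


def with_scope(config, scope="Namespaced"):
    """Return a deep copy in which every rule of every webhook that uses a
    namespaceSelector has scope set explicitly. The input is not modified.

    Note: "Namespaced" means the webhook no longer sees cluster-scoped
    resources at all; choose it only if that matches your admission policy.
    """
    if scope not in VALID_SCOPES:
        raise ValueError(f"invalid scope {scope!r}; expected one of {sorted(VALID_SCOPES)}")
    fixed = copy.deepcopy(config)
    for webhook in fixed.get("webhooks", []):
        if webhook.get("namespaceSelector"):
            for rule in webhook.get("rules", []):
                rule["scope"] = scope
    return fixed


if __name__ == "__main__":
    for name, idx in unscoped_rules(SAMPLE_WEBHOOK_CONFIG):
        print(f"webhook {name}: rules[{idx}] has no scope restriction but uses a namespaceSelector")
    print(json.dumps(with_scope(SAMPLE_WEBHOOK_CONFIG)["webhooks"][0]["rules"], indent=2))
```

Run it against `helm template ... | yq -o=json` output (or any JSON dump of the live object) to see which rules the chart leaves unscoped; the Cluster-scoped second webhook in the sample shows that a deliberately cluster-wide rule without a namespaceSelector is left alone.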
@JaydipGabani
Contributor

@plavy I don't think namespaceSelector does not have the intended effect. The purpose here for namespaceSelector is to exempt certain namespaces' resources from matching against the webhook and not validate them through GK. I believe setting scope: Namespaced will limit enforcement of CT/C through GK to namespace-scoped resources only; we want to be able to validate all types of resources.

For making the webhook compliant you may be able to use https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces/, which will prevent GK from operating on certain namespaces, but the GK webhook might not be in the clear according to GKE as it will still use the same config.

@maxsmythe @ritazh @sozercan thoughts on this?

@plavy
Author

plavy commented Nov 1, 2024

@JaydipGabani I see your point, but this webhook config is still considered unsafe by GKE and currently there is no way in values.yaml to configure the scope and make it safe. Actually, I saw now that you have customRules parameter for webhooks where I could copy the default rules and also set the scope. But copying the entire rules just to change the scope seems like an unnecessary hassle. I propose to have a scope parameter in values.yaml, since this affects all GKE users.
