search

SAP-archive / karydia

Kubernetes Security Walnut
Other
77 stars 10 forks source link

[FIX] Fix bug for remove-default option for admission hook caused by #84 #90

Closed marcrahnsap closed 5 years ago

marcrahnsap commented 5 years ago

Description

The AdmitPod function is executed twice, once for the mutating webhook and the second time for the validating webhook. This will always cause a validation error and the pod creation gets blocked.

Checklist

Before submitting this PR, please make sure:

schu commented 5 years ago

The AdmitPod function is executed twice, once for the mutating webhook and the second time for the validating webhook.

How often the function is executed (once or twice) in the current design is defined by how karydia is configured with the apiserver (validating webhook only or mutating webhook only or validating & mutating webhook) and not by the function itself or the code flow.

mutationAllowed is the flag to distinguish both cases and act accordingly. When you run as a validating webhook, you can only accept or deny (return 1-n errors). When running as a mutating webhook, you can decide to patch the object instead - where applicable and possible.

I think with #84 the problem rather was that it returned an admin error (karydia wrongly configured) to the user as an admission error - even for a good spec.

marcrahnsap commented 5 years ago

How often the function is executed (once or twice) in the current design is defined by how karydia is configured with the apiserver (validating webhook only or mutating webhook only or validating & mutating webhook) and not by the function itself or the code flow.

I understand that. I installed karydia as it was documented, i.e. it is configured as validating & mutating webhook. The mutating webhook patches the object and it is ready to get deployed, but then the validating webhook throws an error, which should not be the case. A check, if automountServiceAccountToken is undefined would fix this. With #93 I am addressing this issue.

I think with #84 the problem rather was that it returned an admin error (karydia wrongly configured) to the user as an admission error - even for a good spec.

Why do you mean that karydia is wrongly configured? Can you explain this in more detail?