hashicorp / vault-helm

Helm chart to install Vault and other associated components.
Mozilla Public License 2.0

Add MutatingWebhookConfiguration rule scope #976

Closed (yachub closed this 2 months ago)

yachub commented 11 months ago

Is your feature request related to a problem? Please describe.

We received a suggestion in GKE that the vault-agent-injector-cfg was "Intercepting resources in the kube-system namespace" and linked to their docs at https://cloud.google.com/kubernetes-engine/docs/how-to/optimize-webhooks#unsafe-webhooks for resolution.

Specifically, "A webhook is flagged if scope is *. Or, a webhook is flagged if scope is Namespaced and includes kube-system and kube-node-lease".

If a webhook is intercepting any resources in system-managed namespaces, or certain types of resources, GKE considers this unsafe and recommends that you update the webhooks to avoid intercepting these resources.

Describe the solution you'd like

If I'm understanding correctly, should an optional rule scope be added to the MutatingWebhookConfiguration? https://github.com/hashicorp/vault-helm/blob/36dafa02c09eb24afb07de9895ff734b8e3bfd6a/templates/injector-mutating-webhook.yaml#L34-L38

Describe alternatives you've considered

None

Additional context

None
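For reference, the following is an added example (not the vault-helm chart's own template) of what the GKE finding is about. It shows the `rules` entry once without a `scope` field, which the API server defaults to `*` and which is the setting GKE flags, and once with `scope: "Namespaced"` plus a `namespaceSelector` that keeps the webhook away from the system namespaces named in the quoted text. The webhook name `vault.hashicorp.com`, the service name, namespace and path, and the `caBundle` value are assumptions or placeholders, not values taken from the chart; only the configuration name `vault-agent-injector-cfg` comes from the issue.

```yaml
# Added example, not from hashicorp/vault-helm. Two documents: the flagged
# form and a hardened form of the same pod-mutating webhook rule.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: vault-agent-injector-cfg
webhooks:
  - name: vault.hashicorp.com              # assumed webhook name
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    clientConfig:
      service:
        name: vault-agent-injector-svc     # assumed service name
        namespace: vault                   # assumed namespace
        path: "/mutate"                    # assumed path
      caBundle: "PLACEHOLDER_BASE64_CA_BUNDLE"
    rules:
      # No `scope` key: the API server treats this as scope "*", so the
      # webhook is registered for pods in every namespace, including
      # kube-system and kube-node-lease. This is the form GKE flags.
      - operations: ["CREATE", "UPDATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: vault-agent-injector-cfg
webhooks:
  - name: vault.hashicorp.com              # assumed webhook name
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    clientConfig:
      service:
        name: vault-agent-injector-svc     # assumed service name
        namespace: vault                   # assumed namespace
        path: "/mutate"                    # assumed path
      caBundle: "PLACEHOLDER_BASE64_CA_BUNDLE"
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
        # Pods are namespaced resources, so "Namespaced" loses nothing and
        # stops the webhook from claiming cluster-scoped objects.
        scope: "Namespaced"
    # A Namespaced-scope webhook is still flagged if it includes
    # kube-system and kube-node-lease, so exclude them explicitly.
    # kubernetes.io/metadata.name is set on every namespace by the API
    # server on Kubernetes 1.21 and later.
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system", "kube-node-lease"]
    # With the system namespaces excluded, a failing injector cannot block
    # control-plane pods; Ignore keeps an outage of the webhook from taking
    # the rest of the cluster's pod creation down with it.
    failurePolicy: Ignore
```

After applying the change, `kubectl get mutatingwebhookconfiguration vault-agent-injector-cfg -o yaml` shows the rendered `rules` and `namespaceSelector`, which is the same object GKE inspects when it raises the "intercepting resources in the kube-system namespace" recommendation. Leaving `scope` unset is equivalent to `scope: "*"`, which is why the chart's current rule is reported even though it only names `pods`.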