Open dougbtv opened 5 years ago
Some commentary that I received regarding the admission controller:
> - The self-approval at https://github.com/K8sNetworkPlumbingWG/net-attach-def-admission-controller/blob/develop/pkg/installer/installer.go#L99 looks concerning in the current installer. Does the controller run with cluster admin permissions to be able to do that? That's generally considered bad practice. If the installer is a separate binary with an extra privileged kubeconfig, it's fine.
> - https://github.com/K8sNetworkPlumbingWG/net-attach-def-admission-controller/blob/develop/pkg/installer/installer.go#L175 – pods are always in the legacy core API group, not in `apps`.
> - I assume the webhook is running as a pod in the cluster. Its namespace should be excluded, compare https://github.com/K8sNetworkPlumbingWG/net-attach-def-admission-controller/blob/develop/vendor/k8s.io/api/admissionregistration/v1beta1/types.go#L193. Instead it uses `failurePolicy := arv1beta1.Ignore`, which means the admission webhook logic will be ignored if the webhook is down. I cannot judge how security critical the webhook is, just be aware of it.
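To make the three review points concrete, here is an added example (not code from this issue or from the project) of a `v1beta1` ValidatingWebhookConfiguration that registers pods under the core group, excludes the webhook's own namespace, and fails closed; the namespace, service, webhook and label names are assumptions.

```yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: net-attach-def-admission-controller      # assumed name
webhooks:
  - name: pods.example.invalid                   # assumed webhook name
    clientConfig:
      service:
        namespace: webhook-system                # assumed: namespace the webhook pod runs in
        name: net-attach-def-admission-controller-service  # assumed service name
        path: /validate
      caBundle: <base64-encoded CA certificate, placeholder>
    rules:
      - operations: ["CREATE", "UPDATE"]
        # Pods live in the legacy core group, written as "" (not "apps").
        # A rule on apiGroups: ["apps"] would simply never match a pod.
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    # Exclude the namespace the webhook itself runs in (the label is assumed
    # to be set on that namespace). Without this, a webhook outage combined
    # with failurePolicy Fail blocks re-creating the webhook pod itself.
    namespaceSelector:
      matchExpressions:
        - key: admission.example/exclude           # assumed label key
          operator: DoesNotExist
    # The weak setting from the issue is failurePolicy: Ignore, which skips
    # the check whenever the webhook is unreachable. Fail closes that gap,
    # and the namespaceSelector above is what makes Fail safe to run.
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions: ["v1beta1"]
```

Namespaces that lack the label still get validated, so the exclusion is limited to the one namespace that carries it.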
Additionally some references:
> For the control plane cert rotation we are using https://github.com/openshift/library-go/tree/master/pkg/operator/certrotation. For service serving certs we have https://github.com/openshift/service-serving-cert-signer in OpenShift maintained by the auth team, not sure about the state of rotation in there though. But probably that would be the way to go.