kubewarden / kubewarden-controller

Manage admission policies in your Kubernetes cluster with ease
https://kubewarden.io
Apache License 2.0

Policy Group: `ValidatingWebhookConfiguration` is not removed after policy is deleted #887

Closed flavio closed 1 month ago

flavio commented 1 month ago

Current Behavior

Testing Kubewarden 1.17.0-rc3

I've created a ClusterAdmissionPolicyGroup policy, which led to the creation of a ValidatingWebhookConfiguration resource.

Then I removed the ClusterAdmissionPolicyGroup. The configuration of the Policy Server was updated accordingly, but the associated ValidatingWebhookConfiguration was not removed.

This is a big deal: the webhook will still be registered, but unreachable. Hence all the requests relevant to this webhook will fail. This can cause a DoS inside of the cluster.

Expected Behavior

The `ValidatingWebhookConfiguration` resource is removed immediately, even before the configuration of the Policy Server is updated.

Steps To Reproduce

Deploy kubewarden 1.17.0-rc3.

Create the following policy:

```yaml
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicyGroup # or AdmissionPolicyGroup
metadata:
  name: demo
spec:
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations:
        - CREATE
        - UPDATE
  policies:
    signed_by_alice:
      module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.3.0
      settings:
        modifyImagesWithDigest: false
        signatures:
          - image: "*"
            pubKeys:
              - |
                -----BEGIN PUBLIC KEY-----
                MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyg65hiNHt8FXTamzCn34IE3qMGcV
                yQz3gPlhoKq3yqa1GIofcgLjUZtcKlUSVAU2/S5gXqyDnsW6466Jx/ZVlg==
                -----END PUBLIC KEY-----
    signed_by_bob:
      module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.3.0
      settings:
        modifyImagesWithDigest: false
        signatures:
          - image: "*"
            pubKeys:
              - |
                -----BEGIN PUBLIC KEY-----
                MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEswA3Ec4w1ErOpeLPfCdkrh8jvk3X
                urm8ZrXi4S3an70k8bf1OlGnI/aHCcGleewHbBk1iByySMwr8BabchXGSg==
                -----END PUBLIC KEY-----
    reject_latest:
      module: registry://ghcr.io/kubewarden/policies/trusted-repos:v0.1.12
      settings:
        tags:
          reject:
            - latest
  expression: "reject_latest() || (signed_by_bob() || signed_by_alice())"
  message: "the image is using the latest tag or is not signed by Alice or Bob"
```

Wait for the policy to be active. Get the list of ValidatingWebhookConfiguration resources:

```console
$ kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io
NAME                                                     WEBHOOKS   AGE
clusterwide-group-demo                                   1          6m52s
kubewarden-controller-validating-webhook-configuration   5          1m
```

Remove the policy:

```console
$ kubectl delete clusteradmissionpolicygroups.policies.kubewarden.io demo
```

Get the list of ValidatingWebhookConfiguration resources. Regardless of the amount of time waited, this is the output:

```console
$ kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io
NAME                                                     WEBHOOKS   AGE
clusterwide-group-demo                                   1          6m52s
kubewarden-controller-validating-webhook-configuration   5          11m
```

Environment

- kubewarden 1.17.0-rc3

Anything else?

No response

flavio commented 1 month ago

This was caused by the missing finalizer. This is not solved inside of the main branch of the helm chart (which creates the (Validating|Mutating)WebhookConfiguration of our CRDs).

This is going to be part of 1.17.0-RC4
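A cluster operator on an affected release would want a way to spot the condition the issue describes: a `ValidatingWebhookConfiguration` that the controller created for a policy group but never removed. The following is an added example, not code from the issue or from the kubewarden-controller project. It takes the JSON produced by `kubectl get clusteradmissionpolicygroups.policies.kubewarden.io -o json` and `kubectl get validatingwebhookconfigurations -o json` (here constructed inline to mirror the output shown in the report) and flags webhook configurations named with the `clusterwide-group-<name>` convention visible above whose policy group no longer exists. The naming convention is taken from the issue's output and assumed stable; the webhook `name` and `clientConfig` fields in the sample are constructed.

```python
import json

# Naming convention observed in the issue's `kubectl get` output; assumed stable.
GROUP_PREFIX = "clusterwide-group-"

# Constructed sample: the state right after `kubectl delete ... demo`.
# Only a policy group named "other" still exists.
POLICY_GROUPS_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"apiVersion": "policies.kubewarden.io/v1",
         "kind": "ClusterAdmissionPolicyGroup",
         "metadata": {"name": "other"}},
    ],
})

# Constructed sample: the webhook configuration for "demo" was left behind.
# Webhook names and clientConfig values are made up for the example.
WEBHOOK_CONFIGS_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "clusterwide-group-demo"},
         "webhooks": [{
             "name": "clusterwide-group-demo.kubewarden.admission",
             "failurePolicy": "Fail",
             "rules": [{"apiGroups": [""], "apiVersions": ["v1"],
                        "resources": ["pods"], "operations": ["CREATE", "UPDATE"]}],
             "clientConfig": {"service": {"namespace": "kubewarden",
                                          "name": "policy-server-default",
                                          "path": "/validate/clusterwide-group-demo"}}}]},
        {"metadata": {"name": "clusterwide-group-other"},
         "webhooks": [{
             "name": "clusterwide-group-other.kubewarden.admission",
             "failurePolicy": "Fail",
             "rules": [{"apiGroups": ["apps"], "apiVersions": ["v1"],
                        "resources": ["deployments"], "operations": ["CREATE"]}],
             "clientConfig": {"service": {"namespace": "kubewarden",
                                          "name": "policy-server-default",
                                          "path": "/validate/clusterwide-group-other"}}}]},
        # The controller's own webhook is not a policy-group webhook and must be ignored.
        {"metadata": {"name": "kubewarden-controller-validating-webhook-configuration"},
         "webhooks": []},
    ],
})


def orphaned_group_webhooks(policy_groups_json: str, webhook_configs_json: str) -> list:
    """Return one record per webhook that belongs to a policy group which no longer exists.

    A webhook whose backing policy is gone is still consulted by the API server;
    with the default failurePolicy of "Fail" every matching request is rejected,
    which is the denial-of-service the issue warns about.
    """
    live_groups = {item["metadata"]["name"]
                   for item in json.loads(policy_groups_json)["items"]}
    orphans = []
    for cfg in json.loads(webhook_configs_json)["items"]:
        cfg_name = cfg["metadata"]["name"]
        if not cfg_name.startswith(GROUP_PREFIX):
            continue  # not created for a ClusterAdmissionPolicyGroup
        group_name = cfg_name[len(GROUP_PREFIX):]
        if group_name in live_groups:
            continue  # policy still exists; webhook is expected
        for wh in cfg.get("webhooks", []):
            # Kubernetes defaults failurePolicy to "Fail" when unset.
            orphans.append({
                "webhook_configuration": cfg_name,
                "missing_policy_group": group_name,
                "webhook": wh["name"],
                "failurePolicy": wh.get("failurePolicy", "Fail"),
                "resources": [r for rule in wh.get("rules", [])
                              for r in rule.get("resources", [])],
            })
    return orphans


def report(orphans: list) -> list:
    """Render one human-readable line per orphaned webhook (returned, not printed)."""
    return [
        f"{o['webhook_configuration']}: policy group '{o['missing_policy_group']}' "
        f"is gone but webhook '{o['webhook']}' still gates {','.join(o['resources'])} "
        f"with failurePolicy={o['failurePolicy']}"
        for o in orphans
    ]


if __name__ == "__main__":
    for line in report(orphaned_group_webhooks(POLICY_GROUPS_JSON, WEBHOOK_CONFIGS_JSON)):
        print(line)
```

Against a real cluster, replace the two constructed strings with the output of the two `kubectl get ... -o json` commands. A non-empty result after a policy group has been deleted means the API server is still routing admission requests for those resources to a path the Policy Server no longer serves, so the affected resource kinds cannot be created or updated until the stale configuration is removed.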