Closed larsks closed 1 year ago
To which I replied:
There's always a way! :slightly_smiling_face: One option we can investigate is the use of a mutating webhook (https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook), which can be used to modify resources when they are submitted to the cluster. We may not even have to write our own; there are some policy enforcement frameworks out there that may provide the necessary capabilities out of the box. I'll have to take a look, and I'll also look to see if there's any static configuration that would simply enable edge encryption by default.
I've been looking into this a bit and it looks like Gatekeeper can do what we want:
Gatekeeper is a validating and mutating webhook that enforces CRD-based policies executed by Open Policy Agent, a policy engine for Cloud Native environments hosted by CNCF as a graduated project.
Gatekeeper since version 3.something has support for mutating resources as well as validating them, so we should be able to create a policy that will enable edge encryption for any routes that haven't explicitly configured TLS.
I'll be putting together some pull requests at the beginning of next week to enable this feature.
@larsks with the Noobaa issue that cropped up is this still an issue we plan to resolve this sprint?
@joachimweyl yes, the PR that implements the majority of this has been waiting for reviews for about 5 days. https://github.com/OCP-on-NERC/gatekeeper/pull/2 (previously https://github.com/OCP-on-NERC/gatekeeper/pull/1, which was erroneously closed)
Support for enforcing TLS routes has been added to nerc-ocp-prod. We need to deploy a new release of openshift-acct-mgt for this to be enabled by default for new projects, but we can add enforcement to existing projects by adding the appropriate label.
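For readers who want to see the shape of the policy being discussed, the following is an added example of a Gatekeeper `Assign` mutation that defaults a Route to edge termination when its author set no `spec.tls` at all. It is written for this thread, not copied from the OCP-on-NERC/gatekeeper pull request, and the namespace label `example.com/enforce-tls-routes` is a hypothetical placeholder for whatever label openshift-acct-mgt actually applies; the metadata name is likewise made up.

```yaml
# Added example, not the OCP-on-NERC/gatekeeper PR: a Gatekeeper Assign
# mutation that gives Routes without any spec.tls stanza edge termination.
# The namespace label is a hypothetical placeholder; substitute the label
# openshift-acct-mgt applies. Use mutations.gatekeeper.sh/v1beta1 on
# Gatekeeper releases that predate the v1 mutation API.
apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
  name: route-default-edge-tls
spec:
  # Which objects the mutation webhook may touch at all.
  applyTo:
    - groups: ["route.openshift.io"]
      kinds: ["Route"]
      versions: ["v1"]
  # Narrow further: only Routes in namespaces that opted in (or were
  # opted in by the account-management tooling) via a label.
  match:
    scope: Namespaced
    kinds:
      - apiGroups: ["route.openshift.io"]
        kinds: ["Route"]
    namespaceSelector:
      matchLabels:
        example.com/enforce-tls-routes: "true"   # hypothetical label
  # The field to set. Gatekeeper creates the intermediate spec.tls object
  # when it does not exist yet.
  location: "spec.tls.termination"
  parameters:
    # Only mutate when the Route has no TLS configuration at all. This
    # leaves deliberate passthrough/reencrypt routes, and explicitly
    # configured edge routes, exactly as submitted.
    pathTests:
      - subPath: "spec.tls"
        condition: MustNotExist
    assign:
      value: edge
```

Two things worth checking after applying it. First, the mutation only fires on admission, so Routes that already exist in a labeled namespace are not rewritten until something updates them; a one-off `oc get route -A -o json | jq` pass for objects lacking `.spec.tls` finds the stragglers. Second, because Gatekeeper's webhook declares no side effects, a server-side dry run exercises it: `oc apply --dry-run=server -o yaml -f route.yaml` with a manifest that omits `spec.tls` should come back with `termination: edge` in the response, while the same manifest with `termination: passthrough` should come back unchanged. Note that an edge route with no `insecureEdgeTerminationPolicy` refuses plain HTTP rather than redirecting it; if a redirect is wanted, that is a second `Assign` on `spec.tls.insecureEdgeTerminationPolicy`, gated with its own `MustNotExist` test so an explicit policy is never overwritten.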
Nathan Weeks asks on Slack: