open-policy-agent / gatekeeper

🐊 Gatekeeper - Policy Controller for Kubernetes
https://open-policy-agent.github.io/gatekeeper/
Apache License 2.0
3.72k stars 764 forks source link

namespaceSelector of the webhooks doesn't have effect since `scope` is not defined #3675

Open plavy opened 3 weeks ago

plavy commented 3 weeks ago

What steps did you take and what happened: Helm chart generates mutating-webhook and validating-webhook configurations, but without specifying scope for rules. When the scope is not specified, it is set to * by Kubernetes. This means that namespaceSelector that is also used in the webhook configuration actually doesn't have the intended effect, since the scope is unrestricted. From the official documentation:

The scope field specifies if only cluster-scoped resources ("Cluster") or
namespace-scoped resources ("Namespaced") will match this rule.
"∗" means that there are no scope restrictions.

When using namespaceSelector, scope should be set to Namespaced, as explained here.

What did you expect to happen: scope of webhook configurations set to Namespaced, or at least an option in values.yaml to set it that way.

Anything else you would like to add: This issue also causes warning on GKE, saying that the webhook is unsafe.

Environment:

JaydipGabani commented 3 weeks ago

@plavy I dont think namespaceSelector does not have intended effect. The purpose here for namespaceSelector to exempt certain namespaces resources from matching againsts the webhook and not validate them through GK. I beleieve setting scope: Namespaced will limit enforcement of CT/C through GK to namespace scoped resources only, we want to be able to validate all types of resources.

For making the webhook complaint you may be able to use - https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces/. Which will prevent GK from operationing on certain namespaces, but GK webhook might not be in the clear according to GKE as it still will use the same config.

@maxsmythe @ritazh @sozercan thughts on this?

plavy commented 3 weeks ago

@JaydipGabani I see your point, but this webhook config is still considered unsafe by GKE and currently there is no way in values.yaml to configure the scope and make it safe. Actually, I saw now that you have customRules parameter for webhooks where I could copy the default rules and also set the scope. But copying the entire rules just to change the scope seems like an unnecessary hassle. I propose to have a scope parameter in values.yaml, since this affects all GKE users.