Open plavy opened 3 weeks ago
@plavy I don't think `namespaceSelector` fails to have the intended effect. The purpose of `namespaceSelector` here is to exempt certain namespaces' resources from matching against the webhook and not validate them through GK. I believe setting `scope: Namespaced` will limit enforcement of CT/C through GK to namespace-scoped resources only, and we want to be able to validate all types of resources.

For making the webhook compliant you may be able to use https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces/, which will prevent GK from operating on certain namespaces, but the GK webhook might not be in the clear according to GKE as it still will use the same config.

@maxsmythe @ritazh @sozercan thoughts on this?
@JaydipGabani I see your point, but this webhook config is still considered unsafe by GKE, and currently there is no way in values.yaml to configure the scope and make it safe. Actually, I saw now that you have a `customRules` parameter for webhooks where I could copy the default rules and also set the scope. But copying the entire rules just to change the scope seems like an unnecessary hassle. I propose having a `scope` parameter in values.yaml, since this affects all GKE users.
What steps did you take and what happened:
The Helm chart generates mutating-webhook and validating-webhook configurations, but without specifying `scope` for `rules`. When the `scope` is not specified, it is set to `*` by Kubernetes. This means that the `namespaceSelector` that is also used in the webhook configuration actually doesn't have the intended effect, since the scope is unrestricted. From the official documentation: When using `namespaceSelector`, scope should be set to `Namespaced`, as explained here.

What did you expect to happen:
`scope` of webhook configurations set to `Namespaced`, or at least an option in values.yaml to set it that way.

Anything else you would like to add:
This issue also causes a warning on GKE, saying that the webhook is unsafe.
Environment:
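The mismatch the issue describes (rules that omit `scope`, which Kubernetes treats as `*`, combined with a `namespaceSelector`) can be checked mechanically before a chart is applied. The following is an added example, not code from the Gatekeeper project or from anyone in this thread: it takes a webhook configuration as a Python dict (the shape you get from parsing the rendered YAML), reports every rule whose webhook carries a `namespaceSelector` but whose effective scope is not `Namespaced`, and produces a corrected copy. The sample configuration, its webhook names and the `admission.example.sh/ignore` label are constructed for the example and are not Gatekeeper's real values.

```python
"""Flag webhook rules where namespaceSelector cannot do its job because
the rule's scope is "*" (the Kubernetes default when scope is omitted).

Added example; not part of the Gatekeeper project. Sample data below is
constructed and the names/labels in it are hypothetical.
"""
import copy

# Kubernetes defaults an omitted rule scope to "*", i.e. both cluster-scoped
# and namespace-scoped resources match the rule.
DEFAULT_SCOPE = "*"


def effective_scope(rule):
    """Return the scope Kubernetes will apply to a single webhook rule."""
    return rule.get("scope", DEFAULT_SCOPE)


def unsafe_rules(config):
    """Return (webhook name, rule index, effective scope) for every rule that
    belongs to a webhook with a namespaceSelector but still matches
    cluster-scoped resources.

    namespaceSelector only filters namespaced objects (and Namespace objects
    themselves); other cluster-scoped objects always reach the webhook, so
    the selector cannot exempt them unless the rule scope is "Namespaced".
    """
    findings = []
    for hook in config.get("webhooks", []):
        if not hook.get("namespaceSelector"):
            continue
        for index, rule in enumerate(hook.get("rules", [])):
            scope = effective_scope(rule)
            if scope != "Namespaced":
                findings.append((hook["name"], index, scope))
    return findings


def with_namespaced_scope(config):
    """Return a deep copy of config with scope: Namespaced set on every rule
    of every webhook that carries a namespaceSelector. Webhooks without a
    selector are left untouched, and the input object is not modified."""
    fixed = copy.deepcopy(config)
    for hook in fixed.get("webhooks", []):
        if hook.get("namespaceSelector"):
            for rule in hook.get("rules", []):
                rule["scope"] = "Namespaced"
    return fixed


# Constructed sample resembling a chart-rendered configuration whose rules
# omit "scope". Names and the ignore label are hypothetical.
RENDERED_CONFIG = {
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "example-validating-webhook-configuration"},
    "webhooks": [
        {
            "name": "validation.example.sh",
            "failurePolicy": "Ignore",
            "namespaceSelector": {
                "matchExpressions": [
                    {"key": "admission.example.sh/ignore",
                     "operator": "DoesNotExist"}
                ]
            },
            "rules": [
                {
                    "apiGroups": ["*"],
                    "apiVersions": ["*"],
                    "operations": ["CREATE", "UPDATE"],
                    "resources": ["*"],
                    # no "scope" key here: Kubernetes will treat it as "*"
                }
            ],
        },
        {
            # No namespaceSelector, so an unrestricted scope is not a
            # mismatch for this webhook and it is left alone by the fixer.
            "name": "check-ignore-label.example.sh",
            "rules": [
                {"apiGroups": [""], "apiVersions": ["*"],
                 "operations": ["CREATE", "UPDATE"],
                 "resources": ["namespaces"]}
            ],
        },
    ],
}


if __name__ == "__main__":
    for name, index, scope in unsafe_rules(RENDERED_CONFIG):
        print(f"{name}: rule {index} uses namespaceSelector but scope={scope!r}")
    print("findings after fix:", unsafe_rules(with_namespaced_scope(RENDERED_CONFIG)))
```

To use it against a real chart, render the chart (`helm template ...`), parse each `*WebhookConfiguration` document into a dict with a YAML library, and pass it to `unsafe_rules`; an empty result means every selector-bearing webhook already restricts its rules to `Namespaced`. The fixer only touches webhooks that have a `namespaceSelector`, because narrowing the scope of a webhook that is meant to see cluster-scoped objects would silently stop validating them, which is the trade-off JaydipGabani raises above.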