-
Story
-
Resolution: Unresolved
-
Minor
-
ACM 2.11.0, Gatekeeper 3.15.0
-
2
-
False
-
None
-
False
-
-
No
-
-
-
GRC Sprint 2024-05
Value Statement
Without this fix, it is still working well. Nevertheless, For the best practice for Opensihft, gatekeeper pods should use the cert that Openshift provides. In addition, this workaround will reduce gatekeeper pods' deployment time
This is the error-log in gatekeeper-controller-manager
{"level":"error","ts":1709658336.7982352,"logger":"cert-rotation","msg":"Error updating webhook with certificate","name":"gatekeeper-validating-webhook-configuration","gvk":"admissionregistration.k8s.io/v1, Kind=ValidatingWebhookConfiguration","error":"Operation cannot be fulfilled on validatingwebhookconfigurations.admissionregistration.k8s.io \"gatekeeper-validating-webhook-configuration\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/open-policy-agent/cert-controller/pkg/rotator.(*ReconcileWH).Reconcile\n\t/remote-source/app/vendor/github.com/open-policy-agent/cert-controller/pkg/rotator/rotator.go:653\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/remote-source/app/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:121\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/remote-source/app/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:320\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/remote-source/app/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:273\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/remote-source/app/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:234"} {"level":"info","ts":1709658336.7983732,"logger":"cert-rotation","msg":"Ensuring CA cert","name":"gatekeeper-mutating-webhook-configuration","gvk":"admissionregistration.k8s.io/v1, Kind=MutatingWebhookConfiguration","name":"gatekeeper-mutating-webhook-configuration","gvk":"admissionregistration.k8s.io/v1, Kind=MutatingWebhookConfiguration"}
Solution:
when it is Openshift platform,
Add this snippet in both gatekeeper-controller-manager and audit deployment
- --disable-cert-rotation
add this snippet in service resource
service.beta.openshift.io/serving-cert-secret-name: gatekeeper-webhook-server-cert
apiVersion: v1
kind: Service
metadata:
labels: gatekeeper.sh/system: "yes"
name: gatekeeper-webhook-service
namespace: gatekeeper-system
and Skip "v1_secret_gatekeeper-webhook-server-cert.yaml"
Ref: https://docs.okd.io/latest/security/certificate_types_descriptions/service-ca-certificates.html
Additional:
Definition of Done for Engineering Story Owner (Checklist)
- ...
Development Complete
- The code is complete.
- Functionality is working.
- Any required downstream Docker file changes are made.
Tests Automated
- [ ] Unit/function tests have been automated and incorporated into the
build. - [ ] 100% automated unit/function test coverage for new or changed APIs.
Secure Design
- [ ] Security has been assessed and incorporated into your threat model.
Multidisciplinary Teams Readiness
- [ ] Create an informative documentation issue using the [Customer
Portal_doc_issue template](
https://github.com/stolostron/backlog/issues/new?assignees=&labels=squad%3Adoc&template=doc_issue.md&title=),
and ensure doc acceptance criteria is met. Link the development issue to
the doc issue. - [ ] Provide input to the QE team, and ensure QE acceptance criteria
(established between story owner and QE focal) are met.
Support Readiness
- [ ] The must-gather script has been updated.
- links to
-
RHEA-2024:129856
Gatekeeper v3.14.1
- mentioned on
