OpenShift API Server / API-1273

Alert on poorly configured admission webhooks


    • Type: Epic
    • Resolution: Unresolved
    • Priority: Major
    • Epic Name: Warn against badly configured admission webhooks risking stability
    • Progress: 0% To Do, 0% In Progress, 100% Done

      Research into ways to protect ourselves against possibly harmful admission webhooks. Third-party webhooks that affect k8s.io or openshift.io resources without a namespace selector or object selector are called for every matching request in every namespace; since the default failurePolicy for admissionregistration.k8s.io/v1 webhooks is Fail, an unavailable or slow webhook backend then blocks resource creations and updates cluster-wide, putting the cluster at risk. E.g., https://github.com/hashicorp/vault-k8s/blob/master/deploy/injector-mutating-webhook.yaml doesn't have any namespace selector.

      Slack thread: https://coreos.slack.com/archives/CC3CZCQHM/p1621585026315100?thread_ts=1621268975.202600&cid=CC3CZCQHM

      Ideas:

      • alert about latency per webhook
      • alert about total admission latency (we have a metric for that, afaik)
      • some info-level alert (or other mechanism: warnings, conditions) about webhooks that match core resources, i.e. not CRDs provided by an operator
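      The third idea, flagging webhooks that match core resources without a namespace or object selector, can be checked from the webhook configurations alone. The following is an added example written for this issue, not code from the OpenShift API server or from vault-k8s. It audits MutatingWebhookConfiguration/ValidatingWebhookConfiguration objects in their JSON form (what `kubectl get mutatingwebhookconfigurations -o json` returns) and reports every hook that is unscoped and matches the core group, a k8s.io group, or an openshift.io group. The sample inputs are constructed: one is modeled on the shape of the vault-k8s injector webhook (core group, pods, no selector), one is a hardened variant, and one is an operator CRD hook that should not be flagged. The list of groups treated as "core" and the hardened selector are assumptions for illustration.

```python
"""Audit admission webhook configurations for unscoped hooks on core resources.

Added example for API-1273; not part of any OpenShift component or of vault-k8s.
Input is the JSON form of (Mutating|Validating)WebhookConfiguration objects.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: "core" means the legacy core group (apiGroups: [""]) plus any
# group under k8s.io or openshift.io; a wildcard group matches everything.
UPSTREAM_SUFFIXES = (".k8s.io", ".openshift.io")


def is_core_group(group: str) -> bool:
    return group in ("", "*") or group.endswith(UPSTREAM_SUFFIXES)


def selector_is_empty(selector: dict | None) -> bool:
    """A missing or {} label selector matches every namespace / object."""
    if not selector:
        return True
    return not selector.get("matchLabels") and not selector.get("matchExpressions")


@dataclass
class Finding:
    config: str
    webhook: str
    groups: list[str]
    resources: list[str]
    failure_policy: str
    timeout_seconds: int

    @property
    def blocks_cluster(self) -> bool:
        """With failurePolicy Fail, a down or slow backend rejects the request."""
        return self.failure_policy == "Fail"


def audit(configs: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for cfg in configs:
        for hook in cfg.get("webhooks", []):
            if not (selector_is_empty(hook.get("namespaceSelector"))
                    and selector_is_empty(hook.get("objectSelector"))):
                continue  # scoped hook: only the selected namespaces/objects are affected
            groups, resources = [], []
            for rule in hook.get("rules", []):
                core = [g for g in rule.get("apiGroups", []) if is_core_group(g)]
                if core:
                    groups += core
                    resources += rule.get("resources", [])
            if not groups:
                continue  # only operator-owned CRDs: outside the scope of this alert
            findings.append(Finding(
                config=cfg["metadata"]["name"],
                webhook=hook["name"],
                groups=sorted(set(groups)),
                resources=sorted(set(resources)),
                # admissionregistration.k8s.io/v1 defaults: failurePolicy Fail, timeoutSeconds 10
                failure_policy=hook.get("failurePolicy", "Fail"),
                timeout_seconds=hook.get("timeoutSeconds", 10),
            ))
    return findings


def report(configs: list[dict]) -> list[str]:
    """One human-readable line per finding, suitable for an info-level alert."""
    return [
        f"{f.config}/{f.webhook}: unscoped hook on {f.resources} in {f.groups}, "
        f"failurePolicy={f.failure_policy}, timeout={f.timeout_seconds}s"
        + (" (can block the cluster)" if f.blocks_cluster else "")
        for f in audit(configs)
    ]


# Constructed sample inputs (not the real manifests).
POD_RULE = {"operations": ["CREATE", "UPDATE"], "apiGroups": [""],
            "apiVersions": ["v1"], "resources": ["pods"]}
SAMPLE_CONFIGS = [
    {   # shaped like the vault-k8s injector: no selector, no failurePolicy set
        "metadata": {"name": "vault-agent-injector-cfg"},
        "webhooks": [{"name": "vault.hashicorp.com", "rules": [POD_RULE]}],
    },
    {   # hardened variant: excludes control-plane namespaces and fails open (assumed values)
        "metadata": {"name": "vault-agent-injector-cfg-scoped"},
        "webhooks": [{
            "name": "vault.hashicorp.com", "rules": [POD_RULE],
            "failurePolicy": "Ignore", "timeoutSeconds": 5,
            "namespaceSelector": {"matchExpressions": [{
                "key": "kubernetes.io/metadata.name", "operator": "NotIn",
                "values": ["kube-system", "openshift-apiserver", "openshift-kube-apiserver"]}]},
        }],
    },
    {   # operator webhook on its own CRD group: not a core resource
        "metadata": {"name": "example-operator-validator"},
        "webhooks": [{"name": "validate.example.operator.io", "rules": [{
            "operations": ["CREATE"], "apiGroups": ["example.operator.io"],
            "apiVersions": ["v1"], "resources": ["widgets"]}]}],
    },
]

if __name__ == "__main__":
    for line in report(SAMPLE_CONFIGS):
        print(line)
```

      Only the first sample is reported: it matches pods in the core group from every namespace and, with no failurePolicy set, defaults to Fail and the 10 s v1 timeout. The scoped variant is skipped because a non-empty namespaceSelector restricts where the hook fires, and the CRD hook is skipped because an operator's own group is not in the core set.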

      Example customer cases:

              Assignee: Unassigned
              Reporter: Stefan Schimanski (sttts@redhat.com)
              Ke Wang