- Feature Request
- Resolution: Done
- Major
Description of problem:
kube-apiserver sends no credentials with AdmissionReview requests.
It is unclear how to configure this in a supported manner in OpenShift. KubeAPIServer .unsupportedConfigOverrides can be used to add admission pluginConfig, but there is no way to inject a kubeConfigFile to mirror vanilla Kubernetes' documentation.
Vanilla Kubernetes documentation for setting admission webhook authentication: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#authenticate-apiservers
Version-Release number of selected component (if applicable):
How reproducible:
Always. The default configuration sends no credentials. It is unclear whether there is a way to configure --admission-control-config-file.
Steps to Reproduce:
1. Create MutatingWebhookConfigurations
2. Trigger mutation webhook by mutating selected resource
3. Observe request sent by kube-apiserver
Actual results:
AdmissionReview request sent by kube-apiserver includes no credentials.
Expected results:
Ability to authenticate AdmissionReview requests sent by kube-apiserver.
Additional info:
The MutatingWebhookConfigurations caBundle is for kube-apiserver to verify that it is talking to the configured endpoint. This is not the same requirement as the endpoint verifying that the request comes from kube-apiserver.