Make the SPO webhooks opt-in #1207
Conversation
k8s-ci-robot
added
release-note
k8s-ci-robot
added
approved
jhrozek
force-pushed
the
webhook_opt_in
branch
from
9c9dc91 to
4a4189e
Compare
jhrozek
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
No longer a WIP. @ccojocar your opinion is also welcome because you worked on the static webhook configuration. Do you think the static webhooks would benefit from being opt-in, too? |
jhrozek
force-pushed
the
webhook_opt_in
branch
from
4a4189e to
ed78c05
Compare
|
/test pull-security-profiles-operator-test-e2e |
Definitely, we already made this change in our clusters to prevent availability issues when the webhook is down. We made it even on a pod level basis. The webhook listens only to pods with a certain label. |
Will do, thank you for the review. |
I'm not sure if I'm reading your "definitely" right :-) do I understand correctly that you're saying that I should fixup the static webhook manifest by only making it listen for the labels?
Oh nice, we should suggest that in docs as well as additional "hardening". |
yeah, that's even better than just documenting. Let's add it to the static webhook to be consistent. |
I agree, will do. Thanks! |
This was causing flakes in the test in case the order of the returned webhook configuration changed.
The SPO webhooks have been cluster-wide by default. This is great for functionality as both recording and binding just works, but might be dangerous - if there is a bug in the webhook or the webhook is not replying, then all namespaces might be affected. This patch switches the default to opt-in, meaning that only namespaces labeled with spo.x-k8s.io/enable-binding or spo.x-k8s.io/enable-recording would be listened on.
Synchronizes the defaults for the SPO managed webhook with the static webhook
jhrozek
force-pushed
the
webhook_opt_in
branch
from
ed78c05 to
013be50
Compare
|
Another iteration: I haven't amended the docs with object selector yet, but the tests are amended now. I've only had the chance to run the local fedora based tests so far, let's see how the other fare in CI. |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jhrozek, saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This is a work-in-progress. I want to get early feedback before I fix up tests
and adds docs etc. Feedback is appreciated!
As a fallback if others are not happy with this change, I can always just change
the OCP default namespace selector, since that's the distro I care about the most,
but I think for stability reasons, this change might be beneficial for upstream
as a whole.
What type of PR is this?
/kind feature
What this PR does / why we need it:
The SPO webhooks have been cluster-wide by default. This is great for
functionality as both recording and binding just works, but might be
dangerous - if there is a bug in the webhook or the webhook is not
replying, then all namespaces might be affected.
This patch switches the default to opt-in, meaning that only namespaces
labeled with spo.x-k8s.io/enable-binding or
spo.x-k8s.io/enable-recording would be listened on.
Which issue(s) this PR fixes:
None
Does this PR have test?
Not yet (it's a WIP)
Special notes for your reviewer:
N/A
Does this PR introduce a user-facing change?