Drop the verb update for the resource validatingwebhookconfigurations of the clusterRole 'ingress-nginx-admission' #10963
This issue is currently awaiting triage. If Ingress contributors determine this is a relevant issue, they will accept it by applying the `triage/accepted` label. The instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
When the controller starts, there are several jobs that update/patch the admission controller. One is generating a certificate for the admission controller and placing it in a Kubernetes secret. As you have noted, this will break if the controller can do this. What is the concern you are trying to mitigate? /triage needs-information
Hi @strongjz, as you are asking for the concern to mitigate: a security vulnerability has been raised as part of an Aquasec scan, which I already explained in the issue description. Below is the link which explains better. Kindly help me in knowing if anything else needs to be added. Looking forward to closing this at the earliest.
This is literally the job of our webhook: to stop bad deployments of the nginx conf through a misconfigured ingress object.
Can you please elaborate on the above point which you mentioned?
This verb is needed for the webhook to do its job in validating an ingress object. |
I'm currently utilizing the Kubernetes Nginx Ingress Controller in Azure Kubernetes Service. In order to meet the security requirements, I need to drop the verb update for the resource validatingwebhookconfigurations of the ClusterRole 'ingress-nginx-admission' for the ingress-nginx-admission-create and ingress-nginx-admission-patch pods.
As-is setting:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.3
  name: ingress-nginx-admission
rules:
  # admissionregistration.k8s.io is the API group of validatingwebhookconfigurations
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - update
```

To-be setting:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.3
  name: ingress-nginx-admission
rules:
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
```
Unfortunately, when I drop the verb "update", I encounter the following error:
```text
W0130 13:35:20.945002 1 client_config.go:618] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
{"err":"secrets "ingress-nginx-admission" is forbidden: User "system:serviceaccount:ns-app-dp-ingress-comp-dev:ingress-nginx-admission" cannot get resource "secrets" in API group "" in the namespace "ns-app-dp-ingress-comp-dev": Azure does not have opinion for this user.","level":"fatal","msg":"error getting secret","source":"k8s/k8s.go:232","time":"2024-01-30T13:35:21Z"}
```
The following Kubernetes Ingress Controller Manifest file is used in my project.
https://github.com/kubernetes/ingress-nginx/blob/main/deploy/static/provider/baremetal/deploy.yaml
Kindly suggest on the above error at the earliest.
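The RBAC interaction discussed in this issue, as an added example that is not part of the issue or of ingress-nginx: a small evaluator of Role/ClusterRole bindings so a verb removal can be tested offline before it is applied, and so the failing action in the log (get on secrets in the namespace) can be traced to the binding that actually governs it. The ClusterRole verbs come from the issue; the namespaced Role granting get/create on the certificate Secret and the binding layout are assumptions (RoleBindings that reference a ClusterRole are not modelled).

```python
# Added example (not ingress-nginx code): minimal Kubernetes RBAC evaluator.
# Role and binding contents are constructed for the issue and are assumptions.
from dataclasses import dataclass

@dataclass
class Rule:
    api_groups: set
    resources: set
    verbs: set

@dataclass
class Binding:
    role: str        # referenced Role or ClusterRole name
    cluster: bool    # True for a ClusterRoleBinding
    namespace: str   # RoleBinding namespace ("" for cluster scope)
    subject: str

class Rbac:
    def __init__(self):
        self.cluster_roles = {}  # name -> [Rule]
        self.roles = {}          # (namespace, name) -> [Rule]
        self.bindings = []

    def can(self, subject, verb, group, resource, namespace=""):
        """True if some binding for subject grants verb on group/resource."""
        for b in self.bindings:
            if b.subject != subject:
                continue
            if b.cluster:
                rules = self.cluster_roles.get(b.role, [])
            elif b.namespace == namespace:  # RoleBindings are namespace-scoped
                rules = self.roles.get((b.namespace, b.role), [])
            else:
                continue
            for r in rules:
                if (group in r.api_groups and resource in r.resources
                        and (verb in r.verbs or "*" in r.verbs)):
                    return True
        return False

SA = "system:serviceaccount:ns-app-dp-ingress-comp-dev:ingress-nginx-admission"
NS = "ns-app-dp-ingress-comp-dev"

def build(webhook_verbs):
    """Admission RBAC as in the issue; webhook_verbs is the ClusterRole verb set."""
    r = Rbac()
    r.cluster_roles["ingress-nginx-admission"] = [Rule(
        {"admissionregistration.k8s.io"}, {"validatingwebhookconfigurations"},
        set(webhook_verbs))]
    # Namespaced Role for the certificate Secret (assumed layout, not the manifest).
    r.roles[(NS, "ingress-nginx-admission")] = [Rule({""}, {"secrets"}, {"get", "create"})]
    r.bindings += [Binding("ingress-nginx-admission", True, "", SA),
                   Binding("ingress-nginx-admission", False, NS, SA)]
    return r
```

Under these assumptions, `build({"get"})` still allows `get` on secrets in the namespace, so the logged secret error must come from a change to the namespaced Role or its binding, not from the ClusterRole verb alone.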