Skip to content

namespaceSelector of the webhooks doesn't have effect since scope is not defined #3675

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
plavy opened this issue Oct 30, 2024 · 5 comments · May be fixed by #3676
Open

namespaceSelector of the webhooks doesn't have effect since scope is not defined #3675

plavy opened this issue Oct 30, 2024 · 5 comments · May be fixed by #3676

Comments

@plavy
Copy link

plavy commented Oct 30, 2024

What steps did you take and what happened:
Helm chart generates mutating-webhook and validating-webhook configurations, but without specifying scope for rules. When the scope is not specified, it is set to * by Kubernetes. This means that namespaceSelector that is also used in the webhook configuration actually doesn't have the intended effect, since the scope is unrestricted.
From the official documentation:

The scope field specifies if only cluster-scoped resources ("Cluster") or
namespace-scoped resources ("Namespaced") will match this rule.
"∗" means that there are no scope restrictions.

When using namespaceSelector, scope should be set to Namespaced, as explained here.

What did you expect to happen:
scope of webhook configurations set to Namespaced, or at least an option in values.yaml to set it that way.

Anything else you would like to add:
This issue also causes warning on GKE, saying that the webhook is unsafe.

Environment:

  • Gatekeeper Helm version: 3.17.1
@plavy plavy added the bug Something isn't working label Oct 30, 2024
@plavy plavy linked a pull request Oct 30, 2024 that will close this issue
Open
@JaydipGabani
Copy link
Contributor

@plavy I dont think namespaceSelector does not have intended effect. The purpose here for namespaceSelector to exempt certain namespaces resources from matching againsts the webhook and not validate them through GK. I beleieve setting scope: Namespaced will limit enforcement of CT/C through GK to namespace scoped resources only, we want to be able to validate all types of resources.

For making the webhook complaint you may be able to use - https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces/. Which will prevent GK from operationing on certain namespaces, but GK webhook might not be in the clear according to GKE as it still will use the same config.

@maxsmythe @ritazh @sozercan thughts on this?

@plavy
Copy link
Author

plavy commented Nov 1, 2024

@JaydipGabani I see your point, but this webhook config is still considered unsafe by GKE and currently there is no way in values.yaml to configure the scope and make it safe. Actually, I saw now that you have customRules parameter for webhooks where I could copy the default rules and also set the scope. But copying the entire rules just to change the scope seems like an unnecessary hassle. I propose to have a scope parameter in values.yaml, since this affects all GKE users.

@stale Stale
Copy link

stale bot commented Jan 1, 2025

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jan 1, 2025
@JaydipGabani JaydipGabani removed the stale label Jan 2, 2025
@stale Stale
Copy link

stale bot commented Mar 4, 2025

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Mar 4, 2025
@JaydipGabani JaydipGabani removed stale bug Something isn't working labels Mar 4, 2025
@JaydipGabani
Copy link
Contributor

PR #3676

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: scope of webhook configurations plavy/gatekeeper
2 participants
@JaydipGabani @plavy