OSD-16469 - Add ingress controller webhook

OSD-16469 - Update syncsets and docs

OSD-16469 - Use correct apiGroups for ingress controller webhook

OSD-16469 - Add exception for SREP

OSD-16469 - Add exception for CDO

OSD-16469 - Add exception for CIO

OSD-16469 - Add exception for IO

OSD-16469 - Change ingress controller webhook to use a blacklist approach

OSD-16469 - Revert back to whitelist based access for ingresscontroller webhoo

OSD-16469 - Add all Service Accounts on the IC webhook whitelist

OSD-16469 - Update IC webhook with prefix check for system: and kube: users, add additional logs

OSD-16469 - Update fake request arguments to match new definition

Author: Tafhim

build/selectorsyncset.yaml

@@ -237,6 +237,38 @@ objects:
           scope: Cluster
         sideEffects: None
         timeoutSeconds: 2
+    - apiVersion: admissionregistration.k8s.io/v1
+      kind: ValidatingWebhookConfiguration
+      metadata:
+        annotations:
+          service.beta.openshift.io/inject-cabundle: "true"
+        creationTimestamp: null
+        name: sre-ingresscontroller-validation
+      webhooks:
+      - admissionReviewVersions:
+        - v1
+        clientConfig:
+          service:
+            name: validation-webhook
+            namespace: openshift-validation-webhook
+            path: /ingresscontroller-validation
+        failurePolicy: Ignore
+        matchPolicy: Equivalent
+        name: ingresscontroller-validation.managed.openshift.io
+        rules:
+        - apiGroups:
+          - operator.openshift.io
+          apiVersions:
+          - '*'
+          operations:
+          - CREATE
+          - UPDATE
+          resources:
+          - ingresscontroller
+          - ingresscontrollers
+          scope: Namespaced
+        sideEffects: None
+        timeoutSeconds: 1
     - apiVersion: admissionregistration.k8s.io/v1
       kind: ValidatingWebhookConfiguration
       metadata:

docs/webhooks-short.json

@@ -15,6 +15,10 @@
     "webhookName": "imagecontentpolicies-validation",
     "documentString": "Managed OpenShift customers may not create ImageContentSourcePolicy, ImageDigestMirrorSet, or ImageTagMirrorSet resources that configure mirrors for the entirety of quay.io, registry.redhat.io, nor registry.access.redhat.com. If needed, specific repositories can have mirrors configured, such as quay.io/example."
   },
+  {
+    "webhookName": "ingresscontroller-validation",
+    "documentString": "Managed OpenShift Customer may create IngressControllers without necessary taints. This can cause those workloads to be provisioned on infra or master nodes."
+  },
   {
     "webhookName": "namespace-validation",
     "documentString": "Managed OpenShift Customers may not modify namespaces specified in the [openshift-monitoring/addons-namespaces openshift-monitoring/managed-namespaces openshift-monitoring/ocp-namespaces] ConfigMaps because customer workloads should be placed in customer-created namespaces. Customers may not create namespaces identified by this regular expression (^com$|^io$|^in$) because it could interfere with critical DNS resolution. Additionally, customers may not set or change the values of these Namespace labels [managed.openshift.io/storage-pv-quota-exempt managed.openshift.io/service-lb-quota-exempt]."
@@ -29,7 +33,7 @@
   },
   {
     "webhookName": "regular-user-validation",
-    "documentString": "Managed OpenShift customers may not manage any objects in the following APIgroups [cloudcredential.openshift.io machine.openshift.io admissionregistration.k8s.io operator.openshift.io splunkforwarder.managed.openshift.io upgrade.managed.openshift.io machineconfiguration.openshift.io managed.openshift.io ocmagent.managed.openshift.io network.openshift.io config.openshift.io addons.managed.openshift.io cloudingress.managed.openshift.io autoscaling.openshift.io], nor may Managed OpenShift customers alter the APIServer, KubeAPIServer, OpenShiftAPIServer, ClusterVersion, Proxy or SubjectPermission objects."
+    "documentString": "Managed OpenShift customers may not manage any objects in the following APIgroups [autoscaling.openshift.io cloudcredential.openshift.io admissionregistration.k8s.io ocmagent.managed.openshift.io upgrade.managed.openshift.io machine.openshift.io managed.openshift.io operator.openshift.io splunkforwarder.managed.openshift.io network.openshift.io addons.managed.openshift.io cloudingress.managed.openshift.io config.openshift.io machineconfiguration.openshift.io], nor may Managed OpenShift customers alter the APIServer, KubeAPIServer, OpenShiftAPIServer, ClusterVersion, Proxy or SubjectPermission objects."
   },
   {
     "webhookName": "regular-user-validation-osd",

docs/webhooks.json

@@ -108,6 +108,29 @@
     ],
     "documentString": "Managed OpenShift customers may not create ImageContentSourcePolicy, ImageDigestMirrorSet, or ImageTagMirrorSet resources that configure mirrors for the entirety of quay.io, registry.redhat.io, nor registry.access.redhat.com. If needed, specific repositories can have mirrors configured, such as quay.io/example."
   },
+  {
+    "webhookName": "ingresscontroller-validation",
+    "rules": [
+      {
+        "operations": [
+          "CREATE",
+          "UPDATE"
+        ],
+        "apiGroups": [
+          "operator.openshift.io"
+        ],
+        "apiVersions": [
+          "*"
+        ],
+        "resources": [
+          "ingresscontroller",
+          "ingresscontrollers"
+        ],
+        "scope": "Namespaced"
+      }
+    ],
+    "documentString": "Managed OpenShift Customer may create IngressControllers without necessary taints. This can cause those workloads to be provisioned on infra or master nodes."
+  },
   {
     "webhookName": "namespace-validation",
     "rules": [
@@ -318,7 +341,7 @@
         "scope": "*"
       }
     ],
-    "documentString": "Managed OpenShift customers may not manage any objects in the following APIgroups [addons.managed.openshift.io ocmagent.managed.openshift.io operator.openshift.io network.openshift.io admissionregistration.k8s.io cloudingress.managed.openshift.io splunkforwarder.managed.openshift.io upgrade.managed.openshift.io config.openshift.io cloudcredential.openshift.io machine.openshift.io managed.openshift.io autoscaling.openshift.io machineconfiguration.openshift.io], nor may Managed OpenShift customers alter the APIServer, KubeAPIServer, OpenShiftAPIServer, ClusterVersion, Proxy or SubjectPermission objects."
+    "documentString": "Managed OpenShift customers may not manage any objects in the following APIgroups [operator.openshift.io splunkforwarder.managed.openshift.io config.openshift.io upgrade.managed.openshift.io autoscaling.openshift.io machineconfiguration.openshift.io network.openshift.io cloudcredential.openshift.io managed.openshift.io addons.managed.openshift.io cloudingress.managed.openshift.io ocmagent.managed.openshift.io machine.openshift.io admissionregistration.k8s.io], nor may Managed OpenShift customers alter the APIServer, KubeAPIServer, OpenShiftAPIServer, ClusterVersion, Proxy or SubjectPermission objects."
   },
   {
     "webhookName": "regular-user-validation-osd",

pkg/webhooks/add_ingresscontroller.go

@@ -0,0 +1,9 @@
+package webhooks
+
+import (
+	"github.com/openshift/managed-cluster-validating-webhooks/pkg/webhooks/ingresscontroller"
+)
+
+func init() {
+	Register(ingresscontroller.WebhookName, func() Webhook { return ingresscontroller.NewWebhook() })
+}

pkg/webhooks/ingresscontroller/ingresscontroller.go

@@ -0,0 +1,187 @@
+package ingresscontroller
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	operatorv1 "github.com/openshift/api/operator/v1"
+	"github.com/openshift/managed-cluster-validating-webhooks/pkg/webhooks/utils"
+	admissionregv1 "k8s.io/api/admissionregistration/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	admissionctl "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+const (
+	WebhookName string = "ingresscontroller-validation"
+	docString   string = `Managed OpenShift Customer may create IngressControllers without necessary taints. This can cause those workloads to be provisioned on infra or master nodes.`
+)
+
+var (
+	log   = logf.Log.WithName(WebhookName)
+	scope = admissionregv1.NamespacedScope
+	rules = []admissionregv1.RuleWithOperations{
+		{
+			Operations: []admissionregv1.OperationType{admissionregv1.Create, admissionregv1.Update},
+			Rule: admissionregv1.Rule{
+				APIGroups:   []string{"operator.openshift.io"},
+				APIVersions: []string{"*"},
+				Resources:   []string{"ingresscontroller", "ingresscontrollers"},
+				Scope:       &scope,
+			},
+		},
+	}
+	allowedUsers = []string{
+		"backplane-cluster-admin",
+	}
+)
+
+type IngressControllerWebhook struct {
+	s runtime.Scheme
+}
+
+// ObjectSelector implements Webhook interface
+func (wh *IngressControllerWebhook) ObjectSelector() *metav1.LabelSelector { return nil }
+
+func (wh *IngressControllerWebhook) Doc() string {
+	return fmt.Sprintf(docString)
+}
+
+// TimeoutSeconds implements Webhook interface
+func (wh *IngressControllerWebhook) TimeoutSeconds() int32 { return 1 }
+
+// MatchPolicy implements Webhook interface
+func (wh *IngressControllerWebhook) MatchPolicy() admissionregv1.MatchPolicyType {
+	return admissionregv1.Equivalent
+}
+
+// Name implements Webhook interface
+func (wh *IngressControllerWebhook) Name() string { return WebhookName }
+
+// FailurePolicy implements Webhook interface and defines how unrecognized errors and timeout errors from the admission webhook are handled. Allowed values are Ignore or Fail.
+// Ignore means that an error calling the webhook is ignored and the API request is allowed to continue.
+// It's important to leave the FailurePolicy set to Ignore because otherwise the pod will fail to be created as the API request will be rejected.
+func (wh *IngressControllerWebhook) FailurePolicy() admissionregv1.FailurePolicyType {
+	return admissionregv1.Ignore
+}
+
+// Rules implements Webhook interface
+func (wh *IngressControllerWebhook) Rules() []admissionregv1.RuleWithOperations { return rules }
+
+// GetURI implements Webhook interface
+func (wh *IngressControllerWebhook) GetURI() string { return "/" + WebhookName }
+
+// SideEffects implements Webhook interface
+func (wh *IngressControllerWebhook) SideEffects() admissionregv1.SideEffectClass {
+	return admissionregv1.SideEffectClassNone
+}
+
+// Validate implements Webhook interface
+func (wh *IngressControllerWebhook) Validate(req admissionctl.Request) bool {
+	valid := true
+	valid = valid && (req.UserInfo.Username != "")
+	valid = valid && (req.Kind.Kind == "IngressController")
+
+	return valid
+}
+
+func (wh *IngressControllerWebhook) renderIngressController(req admissionctl.Request) (*operatorv1.IngressController, error) {
+	decoder, err := admissionctl.NewDecoder(&wh.s)
+	if err != nil {
+		return nil, err
+	}
+	ic := &operatorv1.IngressController{}
+	err = decoder.DecodeRaw(req.Object, ic)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return ic, nil
+}
+
+func (wh *IngressControllerWebhook) authorized(request admissionctl.Request) admissionctl.Response {
+	var ret admissionctl.Response
+	ic, err := wh.renderIngressController(request)
+	if err != nil {
+		log.Error(err, "Couldn't render an IngressController from the incoming request")
+		return admissionctl.Errored(http.StatusBadRequest, err)
+	}
+
+	log.Info("Checking if user is unauthenticated")
+	if request.AdmissionRequest.UserInfo.Username == "system:unauthenticated" {
+		// This could highlight a significant problem with RBAC since an
+		// unauthenticated user should have no permissions.
+		log.Info("system:unauthenticated made a webhook request. Check RBAC rules", "request", request.AdmissionRequest)
+		ret = admissionctl.Denied("Unauthenticated")
+		ret.UID = request.AdmissionRequest.UID
+		return ret
+	}
+
+	log.Info("Checking if user is authenticated system: user")
+	if strings.HasPrefix(request.AdmissionRequest.UserInfo.Username, "system:") {
+		ret = admissionctl.Allowed("authenticated system: users are allowed")
+		ret.UID = request.AdmissionRequest.UID
+		return ret
+	}
+
+	log.Info("Checking if user is kube: user")
+	if strings.HasPrefix(request.AdmissionRequest.UserInfo.Username, "kube:") {
+		ret = admissionctl.Allowed("kube: users are allowed")
+		ret.UID = request.AdmissionRequest.UID
+		return ret
+	}
+
+	// Check if the group does not have exceptions
+	if !isAllowedUser(request) {
+		for _, toleration := range ic.Spec.NodePlacement.Tolerations {
+			if strings.Contains(toleration.Key, "node-role.kubernetes.io/master") || strings.Contains(toleration.Key, "node-role.kubernetes.io/infra") {
+				ret = admissionctl.Denied("Not allowed to provision ingress controller pods with toleration for master and infra nodes.")
+				ret.UID = request.AdmissionRequest.UID
+
+				return ret
+			}
+		}
+	}
+
+	ret = admissionctl.Allowed("IngressController operation is allowed")
+	ret.UID = request.AdmissionRequest.UID
+
+	return ret
+}
+
+// isAllowedUser checks if the user is allowed to perform the action
+func isAllowedUser(request admissionctl.Request) bool {
+	log.Info(fmt.Sprintf("Checking username %s on whitelist", request.UserInfo.Username))
+	if utils.SliceContains(request.UserInfo.Username, allowedUsers) {
+		log.Info(fmt.Sprintf("%s is listed in whitelist", request.UserInfo.Username))
+		return true
+	}
+
+	log.Info("No allowed user found")
+
+	return false
+}
+
+// Authorized implements Webhook interface
+func (wh *IngressControllerWebhook) Authorized(request admissionctl.Request) admissionctl.Response {
+	return wh.authorized(request)
+}
+
+// SyncSetLabelSelector returns the label selector to use in the SyncSet.
+func (s *IngressControllerWebhook) SyncSetLabelSelector() metav1.LabelSelector {
+	return utils.DefaultLabelSelector()
+}
+
+func (s *IngressControllerWebhook) HypershiftEnabled() bool { return false }
+
+// NewWebhook creates a new webhook
+func NewWebhook() *IngressControllerWebhook {
+	scheme := runtime.NewScheme()
+	return &IngressControllerWebhook{
+		s: *scheme,
+	}
+}