WIP: CCO-787: pod-identity-webhook pod to assume apiserver tls config #965
jstuever wants to merge 2 commits into openshift:master from
@jstuever: This pull request references CCO-787 which is a valid jira issue.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: jstuever. The full list of commands accepted by this bot can be found here. The pull request process is described here.
This PR depends on the necessary flags existing on the pod-identity-webhooks as well as the kube-rbac-proxy removal
/test e2e-aws-manual-oidc e2e-azure-manual-oidc e2e-gcp-manual-oidc
/hold
Codecov Report ❌ Patch coverage is
Additional details and impacted files:
@@ Coverage Diff @@
##           master     #965      +/-   ##
==========================================
+ Coverage   46.48%   46.54%   +0.06%
==========================================
  Files          98       99       +1
  Lines       12181    12228      +47
==========================================
+ Hits         5662     5692      +30
- Misses       5869     5883      +14
- Partials      650      653       +3
2uasimojo left a comment:
This looks sane, BUT it seems like it's reinventing logic supplied by upstream libs. Is there a reason you're not using those?
I need to add TLSAdherence and possibly TLSCurvePreferences.
Previously, a kube-rbac-proxy container was deployed with the operator deployment in order to provide RBAC security to the metrics port. Because it was deployed as part of the operator deployment, the tls configuration for the container could not be managed by the operator itself. This change removes kube-rbac-proxy from the metrics service and implements rbac via the controller-runtime directly. Additionally, it tightens the networkpolicy for the metrics port to be available only to the monitoring operator. As a result, the tls configuration on the metrics port can now be managed by the operator while maintaining equal or better security posture.
This change ensures the metrics server and pod-identity-webhooks are configured to use the same tls-min-version and tls-cipher-suites as the apiserver. It does so by adding tlsconfig to the metrics port and parameters to the pod-identity-webhook commands when these values are non-empty. This improves the pod-identity-webhook security posture by matching that of the apiserver, which can be modified by the user.
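An added example, not code from this PR or from the operator, of the metrics-port half of the change described above: resolving the apiserver's tls-min-version and tls-cipher-suites values into a crypto/tls configuration, rejecting unknown names and leaving both fields at Go's defaults when the values are empty. The version-name map is an assumption, and in a real operator the upstream helpers the reviewer refers to would replace this hand-rolled lookup.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// tls-min-version names as the apiserver spells them, mapped to crypto/tls constants (assumed).
var tlsVersionByName = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10,
	"VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12,
	"VersionTLS13": tls.VersionTLS13,
}

// cipherSuiteByName resolves a suite name to its ID; the insecure list is
// searched too so an unknown name becomes an error rather than a silent drop.
func cipherSuiteByName(name string) (uint16, bool) {
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		if cs.Name == name {
			return cs.ID, true
		}
	}
	return 0, false
}

// BuildTLSConfig builds the metrics-port TLS config from the apiserver's
// tls-min-version and comma-separated tls-cipher-suites; empty values keep Go's defaults.
func BuildTLSConfig(minVersion, cipherSuites string) (*tls.Config, error) {
	cfg := &tls.Config{}
	if minVersion != "" {
		v, ok := tlsVersionByName[minVersion]
		if !ok {
			return nil, fmt.Errorf("unknown tls-min-version %q", minVersion)
		}
		cfg.MinVersion = v
	}
	if cipherSuites != "" {
		for _, name := range strings.Split(cipherSuites, ",") {
			id, ok := cipherSuiteByName(strings.TrimSpace(name))
			if !ok {
				return nil, fmt.Errorf("unknown tls-cipher-suite %q", name)
			}
			cfg.CipherSuites = append(cfg.CipherSuites, id)
		}
	}
	return cfg, nil
}
```

Note that Go ignores CipherSuites for TLS 1.3 connections, so the suite list only constrains TLS 1.2 handshakes even when the minimum version allows both.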
@jstuever: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
This change ensures the pod-identity-webhook is configured to use the same tls-min-version and tls-cipher-suites as the apiserver. It does so by adding parameters to the pod-identity-webhook command when these values are non-empty. This improves the pod-identity-webhook security posture by matching that of the apiserver, which can be modified by the user.