
Service credentials are not updated on reinvocation after another admission plugin modified the service account #1475

Open
masinger opened this issue Oct 21, 2024 · 0 comments · May be fixed by #1476
Labels
bug Something isn't working

Comments


masinger commented Oct 21, 2024

Describe the bug
When processing an admission request that has been processed previously, the environment variables assigned during the first invocation are kept.

Failing to do so might result in a situation where the wrong credentials are projected into the container, if another admission plugin modifies the serviceAccountName.

Steps To Reproduce

  • Configure another mutating admission webhook (e.g. a Kyverno policy) that
    • is invoked after the aks-webhook-admission-controller
    • sets the .spec.serviceAccountName to unprivileged-account
  • Create a Pod that
    • uses Azure Workload Identities
    • has its serviceAccountName set to admin-account
  • Observe that the resulting container is assigned to the service account unprivileged-account (as per policy) while still possessing the admin-account's credentials (e.g. CLIENT_ID and CLIENT_SECRET).

Expected behavior
The mutation webhook should update the SDK environment variables (e.g. CLIENT_ID, CLIENT_SECRET) whenever reinvoked.

Environment

  • Kubernetes version (use kubectl version): 1.28.3
  • Cloud provider or hardware configuration: Azure AKS
  • OS (e.g: cat /etc/os-release): Ubuntu

Additional context
Reinvocation was originally added by #794.

@masinger masinger added the bug Something isn't working label Oct 21, 2024
@masinger masinger linked a pull request Oct 21, 2024 that will close this issue
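A stand-alone sketch of the behaviour this report describes, added here and not code from azure-workload-identity: `MutateKeepExisting` reproduces the stale-credential outcome (a first-pass value survives reinvocation), while `MutateRecompute` shows the idempotent alternative that rederives the value from the current serviceAccountName. The pod/env types, the service-account-to-client-ID table and the single CLIENT_ID variable are constructed stand-ins, not the project's own.

```go
package main

// Minimal stand-ins for the Kubernetes pod and env types (hypothetical, not the project's own).
type EnvVar struct{ Name, Value string }
type Pod struct {
	ServiceAccountName string
	Env                []EnvVar
}
// Service account -> client ID the webhook would project (constructed sample data).
var saClientIDs = map[string]string{"admin-account": "admin-client-id", "unprivileged-account": "unprivileged-client-id"}

// indexOf returns the position of the named variable in env, or -1 if absent.
func indexOf(env []EnvVar, name string) int {
	for i, e := range env {
		if e.Name == name {
			return i
		}
	}
	return -1
}

// MutateKeepExisting mimics the reported behaviour: an already injected CLIENT_ID is never revisited.
func MutateKeepExisting(p *Pod) {
	if indexOf(p.Env, "CLIENT_ID") >= 0 {
		return
	}
	p.Env = append(p.Env, EnvVar{"CLIENT_ID", saClientIDs[p.ServiceAccountName]})
}

// MutateRecompute derives CLIENT_ID from the current serviceAccountName on every invocation.
func MutateRecompute(p *Pod) {
	want := EnvVar{"CLIENT_ID", saClientIDs[p.ServiceAccountName]}
	if i := indexOf(p.Env, want.Name); i >= 0 {
		p.Env[i] = want // overwrite the value left by the earlier pass
		return
	}
	p.Env = append(p.Env, want)
}

// ReinvocationScenario replays the report: the webhook runs for admin-account, a later admission plugin
// switches the pod to unprivileged-account, and the webhook is reinvoked; it returns the final CLIENT_ID.
func ReinvocationScenario(mutate func(*Pod)) string {
	p := Pod{ServiceAccountName: "admin-account"}
	mutate(&p)
	p.ServiceAccountName = "unprivileged-account"
	mutate(&p)
	return p.Env[indexOf(p.Env, "CLIENT_ID")].Value // both mutators always inject it, so the index is valid
}

func main() { println(ReinvocationScenario(MutateKeepExisting), ReinvocationScenario(MutateRecompute)) }
```

The first call returns admin-client-id (the stale credential the report describes), the second unprivileged-client-id.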