Inconsistent CA Injection for Conversion Webhooks #4285
Labels
kind/bug
Categorizes issue or PR as related to a bug.
priority/important-soon
Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
Milestone
What do you want to happen?
Context:
When creating conversion webhooks in Kubebuilder, we need to scaffold a patch to set the webhook's conversion path to
/convert
. The expected configuration in the CRD is as follows:Additionally, if Cert-Manager is enabled, the CRD should be patched with a specific annotation to enable CA injection:
cert-manager.io/inject-ca-from: /
Currently, the webhook path patch is scaffolded in
config/crd/patches/webhook_in_cronjobs.yaml
, as demonstrated here: Webhook Patch Example.Similarly, a CA injection patch for CRDs is scaffolded in
config/crd/patches/cainjection_in_cronjobs.yaml
, as seen here:CA Injection Patch Example.
Both above are implementation which came from go/v3 and kustomize/v1 (legacy when vars were supported by kustomize and used in the project)
Problem:
In Kubebuilder Go/v4 with Kustomize v2, the CA injection patch fails because
vars
are no longer supported, resulting in unresolved placeholders in the annotation:Note that in the
config/default/kustomization.yaml
it is partially addressed by using Kustomize'sreplacement
feature (see lines L148-L177), which correctly injects CA details when uncommented. However, this approach introduces a new issue: the CA annotation is applied to all CRDs, not just those configured with conversion webhooks. This poses a security risk, as CA injection should only apply to CRDs explicitly requiring conversion webhooks.Proposed Solution:
Proposed Solution:
replacements
inconfig/default/kustomization.yaml
in a way that limits CA injection specifically to CRDs with conversion webhooks. Ensure that only CRDs with a defined conversion path (/convert
) have the CA injection annotation.This can be achieved by using markers to properly inject CRD values, ensuring that only specified CRDs are annotated.
That mean we will scaffold by default
Example Result for Two CRDs with Conversion:
config/crd/patches/cainjection_in_cronjobs.yaml
,Impact:
Without this fix, users enabling Cert-Manager will encounter unintended CA annotations across all CRDs, undermining security by applying conversion webhook annotations to CRDs that do not require them.
Additionally we need to remove
config/crd/patches/cainjection_in_cronjobs.yaml
, since it does not work.The text was updated successfully, but these errors were encountered: