From 5903e113cb0108d2aa0bcbdb14283d40aed3dfb4 Mon Sep 17 00:00:00 2001 From: Jiahui Feng Date: Wed, 20 Mar 2024 17:29:51 -0700 Subject: [PATCH] polish. --- .../index.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/content/en/blog/_posts/2024-04-01-validating-admission-policy-ga/index.md b/content/en/blog/_posts/2024-04-01-validating-admission-policy-ga/index.md index 4690077d81..b5d8b91e75 100644 --- a/content/en/blog/_posts/2024-04-01-validating-admission-policy-ga/index.md +++ b/content/en/blog/_posts/2024-04-01-validating-admission-policy-ga/index.md @@ -12,11 +12,12 @@ We are excited to announce that Validating Admission Policy has reached its Gene as part of Kubernetes 1.30 release. If you have not yet read about this new declarative alternative to validating admission webhooks, it may be interesting to read our [previous post](/blog/2022/12/20/validating-admission-policies-alpha/) about the new feature. -If you have already heard about Validating Admission Policy and you are eager to try it out, there is no better way to -start using it by replacing an existing webhook. +If you have already heard about Validating Admission Policy and you are eager to try it out, there is no better time to do it now. + +Let's have a taste of Validating Admission Policy by replacing a simple webhook. # The Webhook -First, let's take a look at an example of a webhook that can be a good candidate. Here is an excerpt from a webhook that +First, let's take a look at an example of a simple webhook. Here is an excerpt from a webhook that enforce `runAsNonRoot`, `readOnlyRootFilesystem`, `allowPrivilegeEscalation`, and `privileged` to be set to the least permissive values. ```go 
@@ -47,7 +48,7 @@ func verifyDeployment(deploy *appsv1.Deployment) error { ``` Check out [the doc](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#what-are-admission-webhooks) -for a refresher on how admission webhooks work. Or, see the [full code](https://gist.github.com/jiahuif/2653f2ce41fe6a2e5739ea7cd76b182b) of this webhook to follow along this tutorial. +for a refresher on how admission webhooks work. Or, see the [full code](https://gist.github.com/jiahuif/2653f2ce41fe6a2e5739ea7cd76b182b) of this webhook to follow along this walkthrough. # The Policy Now let's try to recreate the validation faithfully with a ValidatingAdmissionPolicy. @@ -75,6 +76,9 @@ spec: message: 'all containers must NOT set privileged to true' ``` Create the policy with `kubectl`. Great, no complain so far. But let's get the policy object back and take a look at its status. +```shell +kubectl get -oyaml validatingadmissionpolicies/pod-security.policy.example.com +``` ```yaml status: typeChecking: 
@@ -169,7 +173,7 @@ Warning: Validation failed for ValidatingAdmissionPolicy 'pod-security.policy.ex Warning: Validation failed for ValidatingAdmissionPolicy 'pod-security.policy.example.com' with binding 'pod-security.policy-binding.example.com': all containers must set readOnlyRootFilesystem to true Warning: Validation failed for ValidatingAdmissionPolicy 'pod-security.policy.example.com' with binding 'pod-security.policy-binding.example.com': all containers must NOT set allowPrivilegeEscalation to true Warning: Validation failed for ValidatingAdmissionPolicy 'pod-security.policy.example.com' with binding 'pod-security.policy-binding.example.com': all containers must NOT set privileged to true -Error from server: error when creating "STDIN": admission webhook "cel-shim.example.com" denied the request: [container "nginx" must set RunAsNonRoot to true in its SecurityContext, container "nginx" must set ReadOnlyRootFilesystem to true in its SecurityContext, container "nginx" must NOT set AllowPrivilegeEscalation to true in its SecurityContext, container "nginx" must NOT set Privileged to true in its SecurityContext] +Error from server: error when creating "STDIN": admission webhook "webhook.example.com" denied the request: [container "nginx" must set RunAsNonRoot to true in its SecurityContext, container "nginx" must set ReadOnlyRootFilesystem to true in its SecurityContext, container "nginx" must NOT set AllowPrivilegeEscalation to true in its SecurityContext, container "nginx" must NOT set Privileged to true in its SecurityContext] ``` Looks great! The policy and the webhook give equivalent results. After a few other cases, when we are confident with our policy, maybe it is time to do some cleanup.
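Review bot: in the first hunk, the rewritten sentence `there is no better time to do it now` is ungrammatical; suggest `there is no better time than now`. The retained line `Here is an excerpt from a webhook that enforce ...` in the same hunk should read `enforces`, since it is being touched anyway.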
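Review bot: the shell block added in the third hunk would read better as `kubectl get -o yaml validatingadmissionpolicies/pod-security.policy.example.com`, with the space between `-o` and `yaml` that the kubectl docs use; `-oyaml` works but looks like a typo to readers. The sentence right above it, `Great, no complain so far.`, should read `no complaints so far`.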
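Review bot: the fourth hunk renames the denying webhook in the sample output from `cel-shim.example.com` to `webhook.example.com`, but the `ValidatingWebhookConfiguration` that defines that name lives in the linked gist, not in this diff; please confirm the gist and any other mention of the old name in the post use `webhook.example.com`, otherwise readers following along will get output that does not match the text.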