Generated changes

pull/900/head
actions 2020-12-09 01:07:44 +00:00
parent 828fdd507a
commit 4476584d9b
27 changed files with 1117 additions and 2 deletions

View File

@ -352,6 +352,34 @@ entries:
urls:
- assets/rancher-cis-benchmark/rancher-cis-benchmark-crd-1.0.100.tgz
version: 1.0.100
rancher-external-ip-webhook:
- annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: External IP Webhook
catalog.cattle.io/namespace: cattle-externalip-system
catalog.cattle.io/release-name: rancher-external-ip-webhook
catalog.cattle.io/ui-component: rancher-external-ip-webhook
apiVersion: v1
appVersion: v0.1.4
created: "2020-12-09T01:07:43.561742972Z"
description: |
Deploy the external-ip-webhook to mitigate k8s CVE-2020-8554
digest: 533a8d7721001eb5efe4efe23d398f619f3b51634fcd1848fc52d0eb11d01016
home: https://github.com/rancher/externalip-webhook
keywords:
- cve
- externalip
- webhook
- security
maintainers:
- email: raul@rancher.com
name: rawmind0
name: rancher-external-ip-webhook
sources:
- https://github.com/rancher/externalip-webhook
urls:
- assets/rancher-external-ip-webhook/rancher-external-ip-webhook-0.1.400.tgz
version: 0.1.400
rancher-gatekeeper:
- annotations:
catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
@ -1098,4 +1126,4 @@ entries:
urls:
- assets/rio/rio-0.8.000.tgz
version: 0.8.000
generated: "2020-11-10T00:02:09.783616681Z"
generated: "2020-12-09T01:07:43.560407349Z"

View File

@ -0,0 +1,23 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: External IP Webhook
catalog.cattle.io/namespace: cattle-externalip-system
catalog.cattle.io/release-name: rancher-external-ip-webhook
catalog.cattle.io/ui-component: rancher-external-ip-webhook
apiVersion: v1
appVersion: v0.1.4
description: |
Deploy the external-ip-webhook to mitigate k8s CVE-2020-8554
home: https://github.com/rancher/externalip-webhook
keywords:
- cve
- externalip
- webhook
- security
maintainers:
- email: raul@rancher.com
name: rawmind0
name: rancher-external-ip-webhook
sources:
- https://github.com/rancher/externalip-webhook
version: 0.1.400

View File

@ -0,0 +1,70 @@
# externalip-webhook
## Chart Details
This chart will create a deployment of `externalip-webhook` within your Kubernetes Cluster. It's required to mitigate k8s CVE-2020-8554.
## Installing the Chart
To install the chart with the release name `rancher-external-ip-webhook`:
```bash
$ helm repo add rancher-chart https://charts.rancher.io
$ helm repo update
$ helm install rancher-external-ip-webhook rancher-chart/rancher-external-ip-webhook --namespace cattle-externalip-system -f values.yaml
```
## Configuration
The following table lists the configurable parameters of the externalip-webhook chart and their default values.
| Parameter | Description | Default |
| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- |
| `allowedExternalIPCidrs` | Set allowed external IP CIDRs separated by a comma | `""` |
| `certificates.caBundle` | If cert-manager integration is disabled, add here self signed ca.crt in base64 format | `""` |
| `certificates.certManager.enabled` | Enable cert manager integration. Cert manager should be already installed at the k8s cluster | `true` |
| `certificates.certManager.version` | Cert manager version to use | `""` |
| `certificates.secretName` | If cert-manager integration is disabled, upload certs data (ca.crt, tls.crt & tls.key) as k8s secretName in the namespace | `"webhook-server-cert"` |
| `global.systemDefaultRegistry` | Pull docker images from systemDefaultRegistry | `""` |
| `image.pullPolicy` | Webhook server docker pull policy | `"IfNotPresent"` |
| `image.pullSecrets` | Webhook server docker pull secret | `""` |
| `image.repository` | Webhook server docker image repository | `"rancher/externalip-webhook"` |
| `image.tag` | Webhook server docker image tag Defaults to | `".Chart.appVersion"` |
| `metrics.enabled` | Enable metrics endpoint | `false` |
| `metrics.port` | Webhook metrics pod port | `8443` |
| `metrics.prometheusExport` | Enable Prometheus export. Follow [exporting-metrics-for-prometheus](https://book.kubebuilder.io/reference/metrics.html#exporting-metrics-for-prometheus) to export the webhook metrics | `false` |
| `metrics.authProxy.enabled` | Enable auth proxy for metrics endpoint | `false` |
| `metrics.authProxy.port` | Webhook auth proxy pod port | `8080` |
| `metrics.authProxy.image.pullPolicy` | Webhook auth proxy docker pull policy | `"IfNotPresent"` |
| `metrics.authProxy.image.pullSecrets`| Webhook auth proxy docker pull secrets | `""` |
| `metrics.authProxy.image.repository` | Webhook auth proxy docker image repository | `"gcr.io/kubebuilder/kube-rbac-proxy"` |
| `metrics.authProxy.image.pullPolicy` | Webhook auth proxy docker image tag | `"v0.5.0"` |
| `metrics.authProxy.resources.limits.cpu` | Webhook auth proxy resource cpu limit | `"100m"` |
| `metrics.authProxy.resources.limits.memory` | Webhook auth proxy resource memory limit | `"30Mi"` |
| `metrics.authProxy.resources.requests.cpu` | Webhook auth proxy wesource cpu reservation | `"100m"` |
| `metrics.authProxy.resources.requests.memory` | Webhook auth proxy resource memory reservation | `"20Mi"` |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `rbac.apiVersion` | Rbac API version to use | `"v1"` |
| `resources.limits.cpu` | Resource cpu limit | `"100m"` |
| `resources.limits.memory` | Resource memory limit | `"30Mi"` |
| `resources.requests.cpu` | Resource cpu reservation | `"100m"` |
| `resources.requests.memory` | Resource memory reservation | `"20Mi"` |
| `service.metricsPort` | Webhook metrics service port | `8443` |
| `service.webhookPort` | Webhook server service port | `443` |
| `serviceAccountName` | Webhook serviceAccountName. Just used if metrics.authProxy.enabled = false | `"default"` |
| `tolerations` | List of node taints to tolerate (requires Kubernetes >= 1.6) | `[]` |
| `webhookPort` | Webhook server pod port | `9443` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```bash
$ helm repo add rancher-chart https://charts.rancher.io
$ helm repo update
$ helm install rancher-external-ip-webhook rancher-chart/rancher-external-ip-webhook --namespace cattle-externalip-system -f values.yaml
```
> **Tip**: You can use the default [values.yaml](values.yaml)

View File

@ -0,0 +1,9 @@
# externalip-webhook
This chart was created to mitigate [CVE-2020-8554](https://www.cvedetails.com/cve/CVE-2020-8554/)
External IP Webhook is a validating k8s webhook which prevents services from using random external IPs. Cluster administrators
can specify list of CIDRs allowed to be used as external IP by specifying `allowed-external-ip-cidrs` parameter.
The webhook will only allow services which either dont set external IP, or whose external IPs are within the range specified by the administrator.
For more information, review the Helm README of this chart.

View File

@ -0,0 +1,7 @@
questions:
# allowedExternalIPCidrs
- variable: allowedExternalIPCidrs
label: Allowed external IP cidrs
description: Set allowed external IP CIDRs separated by a comma
type: string
group: Configuration

View File

@ -0,0 +1,3 @@
To verify that externalip-webhook has started, run:
kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "externalip-webhook.name" . }},release={{ .Release.Name }}"

View File

@ -0,0 +1,50 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "externalip-webhook.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "externalip-webhook.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if ne $name .Release.Name -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s" $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{/* Generate basic labels */}}
{{- define "externalip-webhook.labels" }}
app: {{ template "externalip-webhook.name" . }}
heritage: {{.Release.Service }}
release: {{.Release.Name }}
{{- end }}
{{/*
Windows cluster will add default taint for linux nodes,
add below linux tolerations to workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
kubernetes.io/os: linux
{{- end -}}
{{- define "system_default_registry" -}}
{{- if .Values.global.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}

View File

@ -0,0 +1,30 @@
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
{{- if .Values.certificates.certManager.enabled }}
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "externalip-webhook.fullname" . }}-server-cert
{{- end }}
creationTimestamp: null
name: {{ template "externalip-webhook.fullname" . }}-validating-webhook-configuration
webhooks:
- clientConfig:
{{- if not (.Values.certificates.certManager.enabled) }}
caBundle: {{ .Values.certificates.caBundle }}
{{- end }}
service:
name: {{ template "externalip-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
path: /validate-service
failurePolicy: Ignore
name: {{ template "externalip-webhook.fullname" . }}.{{ .Release.Namespace }}.svc
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- services

View File

@ -0,0 +1,33 @@
{{- if and (.Values.metrics.enabled) (.Values.metrics.authProxy.enabled) -}}
apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
kind: ClusterRole
metadata:
labels: {{ include "externalip-webhook.labels" . | indent 4 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: {{ template "externalip-webhook.fullname" . }}-proxy-role
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
kind: ClusterRole
metadata:
labels: {{ include "externalip-webhook.labels" . | indent 4 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: {{ template "externalip-webhook.fullname" . }}-metrics-reader
rules:
- nonResourceURLs:
- /metrics
verbs:
- get
{{- end -}}

View File

@ -0,0 +1,31 @@
apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
kind: ClusterRoleBinding
metadata:
labels: {{ include "externalip-webhook.labels" . | indent 4 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: {{ template "externalip-webhook.fullname" . }}-cluster-view
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
subjects:
- kind: ServiceAccount
name: {{ template "externalip-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
{{- if and (.Values.metrics.enabled) (.Values.metrics.authProxy.enabled) }}
---
apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
kind: ClusterRoleBinding
metadata:
labels: {{ include "externalip-webhook.labels" . | indent 4 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: {{ template "externalip-webhook.fullname" . }}-proxy-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "externalip-webhook.fullname" . }}-proxy-role
subjects:
- kind: ServiceAccount
name: {{ template "externalip-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
{{- end }}

View File

@ -0,0 +1,107 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/pod: runtime/default
labels: {{ include "externalip-webhook.labels" . | indent 4 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: {{ template "externalip-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
spec:
replicas: {{ .Values.replicas }}
selector:
matchLabels:
app: {{ template "externalip-webhook.name" . }}
template:
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/pod: runtime/default
labels: {{ include "externalip-webhook.labels" . | indent 8 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
spec:
containers:
{{- if and (.Values.metrics.enabled) (.Values.metrics.authProxy.enabled) }}
- name: {{ template "externalip-webhook.fullname" . }}-auth-proxy
args:
- --secure-listen-address=0.0.0.0:{{ .Values.metrics.port }}
- --upstream=http://127.0.0.1:{{ .Values.metrics.authProxy.port }}/
- --logtostderr=true
- --v=10
image: {{ template "system_default_registry" . }}{{ .Values.metrics.authProxy.image.repository}}:{{ .Values.metrics.authProxy.image.tag }}
imagePullPolicy: "{{ .Values.metrics.authProxy.image.pullPolicy }}"
ports:
- containerPort: {{ .Values.metrics.port }}
name: webhook-metrics
protocol: TCP
resources:
{{ toYaml .Values.metrics.authProxy.resources | indent 10 }}
readinessProbe:
tcpSocket:
port: webhook-metrics
initialDelaySeconds: 5
periodSeconds: 10
livenessProbe:
tcpSocket:
port: webhook-metrics
initialDelaySeconds: 5
failureThreshold: 10
periodSeconds: 30
{{- end }}
- name: {{ template "externalip-webhook.fullname" . }}
image: {{ template "system_default_registry" . }}{{ .Values.image.repository}}:{{ default .Chart.AppVersion .Values.image.tag }}
imagePullPolicy: "{{ .Values.image.pullPolicy }}"
command:
- /webhook
args:
- --webhook-port={{ .Values.webhookPort }}
{{- if .Values.allowedExternalIPCidrs }}
- --allowed-external-ip-cidrs={{ .Values.allowedExternalIPCidrs }}
{{- end }}
{{- if .Values.metrics.enabled }}
{{- if .Values.metrics.authProxy.enabled }}
- --metrics-addr=127.0.0.1:{{ .Values.metrics.authProxy.port }}
{{- else }}
- --metrics-addr=0.0.0.0:{{ .Values.metrics.port }}
{{- end }}
{{- end }}
ports:
- containerPort: {{ .Values.webhookPort }}
name: webhook-server
protocol: TCP
{{- if and (.Values.metrics.enabled) (not (.Values.metrics.authProxy.enabled)) }}
- containerPort: {{ .Values.metrics.port }}
name: webhook-metrics
protocol: TCP
{{- end }}
volumeMounts:
- name: server-cert
mountPath: /tmp/k8s-webhook-server/serving-certs
readOnly: true
resources:
{{ toYaml .Values.resources | indent 10 }}
readinessProbe:
tcpSocket:
port: webhook-server
initialDelaySeconds: 5
failureThreshold: 10
periodSeconds: 30
livenessProbe:
tcpSocket:
port: webhook-server
initialDelaySeconds: 5
failureThreshold: 10
periodSeconds: 30
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .Values.nodeSelector }}
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
tolerations: {{ include "linux-node-tolerations" . | nindent 6}}
{{- if .Values.tolerations }}
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
serviceAccountName: {{ template "externalip-webhook.fullname" . }}
volumes:
- name: server-cert
secret:
defaultMode: 420
secretName: {{ .Values.certificates.secretName }}

View File

@ -0,0 +1,52 @@
{{- if .Values.certificates.certManager.enabled -}}
{{- $certmanagerVer := split "." .Values.certificates.certManager.version -}}
{{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 1) (ge (int $certmanagerVer._1) 0)) }}
apiVersion: cert-manager.io/v1
{{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }}
apiVersion: cert-manager.io/v1beta1
{{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
apiVersion: cert-manager.io/v1alpha2
{{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
apiVersion: certmanager.k8s.io/v1alpha1
{{- else }}
# Setting latest version as default
apiVersion: cert-manager.io/v1
{{- end }}
kind: Certificate
metadata:
labels: {{ include "externalip-webhook.labels" . | indent 4 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: {{ template "externalip-webhook.fullname" . }}-server-cert
namespace: {{ .Release.Namespace }}
spec:
dnsNames:
- {{ template "externalip-webhook.fullname" . }}.{{ .Release.Namespace }}.svc
- {{ template "externalip-webhook.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
issuerRef:
kind: Issuer
name: {{ template "externalip-webhook.fullname" . }}-issuer
secretName: {{ .Values.certificates.secretName }}
---
{{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 1) (ge (int $certmanagerVer._1) 0)) }}
apiVersion: cert-manager.io/v1
{{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }}
apiVersion: cert-manager.io/v1beta1
{{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
apiVersion: cert-manager.io/v1alpha2
{{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
apiVersion: certmanager.k8s.io/v1alpha1
{{- else }}
# Setting latest version as default
apiVersion: cert-manager.io/v1
{{- end }}
kind: Issuer
metadata:
labels: {{ include "externalip-webhook.labels" . | indent 4 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: {{ template "externalip-webhook.fullname" . }}-issuer
namespace: {{ .Release.Namespace }}
spec:
selfSigned: {}
{{- end -}}

View File

@ -0,0 +1,35 @@
apiVersion: v1
kind: Service
metadata:
labels: {{ include "externalip-webhook.labels" . | indent 4 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: {{ template "externalip-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
spec:
ports:
- name: webhook-server
port: {{ .Values.service.webhookPort }}
protocol: TCP
targetPort: {{ .Values.webhookPort }}
selector:
app: {{ template "externalip-webhook.name" . }}
type: "ClusterIP"
{{- if .Values.metrics.enabled }}
---
apiVersion: v1
kind: Service
metadata:
labels: {{ include "externalip-webhook.labels" . | indent 4 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: {{ template "externalip-webhook.fullname" . }}-metrics-service
namespace: {{ .Release.Namespace }}
spec:
ports:
- name: webhook-metrics
port: {{ .Values.service.metricsPort }}
protocol: TCP
targetPort: {{ .Values.metrics.port }}
selector:
app: {{ template "externalip-webhook.name" . }}
type: "ClusterIP"
{{- end }}

View File

@ -0,0 +1,7 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels: {{ include "externalip-webhook.labels" . | indent 4 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: {{ template "externalip-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}

View File

@ -0,0 +1,16 @@
{{- if and (.Values.metrics.enabled) (.Values.metrics.prometheusExport) -}}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
labels: {{ include "externalip-webhook.labels" . | indent 4 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: {{ template "externalip-webhook.fullname" . }}-monitor
namespace: {{ .Release.Namespace }}
spec:
endpoints:
- path: /metrics
port: https
selector:
matchLabels:
app: {{ template "externalip-webhook.name" . }}
{{- end }}

View File

@ -0,0 +1,32 @@
suite: Test Admission Registration
templates:
- admissionregistration.yaml
tests:
- it: should render Admission Registration
asserts:
- equal:
path: apiVersion
value: admissionregistration.k8s.io/v1beta1
- it: should render Admission Registration annotation and not caBundle if certificates.certManager.enabled = true
release:
name: rancher-externalip-webhook
namespace: test
set:
certificates.certManager.enabled: true
asserts:
- equal:
path: metadata.annotations
value:
cert-manager.io/inject-ca-from: test/rancher-externalip-webhook-server-cert
- isNull:
path: webhooks[0].clientConfig.caBundle
- it: should render Admission Registration caBundle and not annotation if certificates.certManager.enabled = false
set:
certificates.caBundle: test
certificates.certManager.enabled: false
asserts:
- equal:
path: webhooks[0].clientConfig.caBundle
value: test
- isNull:
path: metadata.annotations

View File

@ -0,0 +1,37 @@
suite: Test Cluster Roles
templates:
- clusterrole.yaml
tests:
- it: should not render Cluster Roles if metrics.enabled = false or metrics.authProxy.enabled = false
set:
metrics.enabled: false
metrics.authProxy.enabled: false
asserts:
- hasDocuments:
count: 0
template: clusterrole.yaml
- it: should render Cluster Roles if metrics.enabled = true and metrics.authProxy.enabled = true
set:
metrics.enabled: true
metrics.authProxy.enabled: true
asserts:
- hasDocuments:
count: 2
template: clusterrole.yaml
- it: should render Cluster Roles with default rbac api version if metrics.enabled = true and metrics.authProxy.enabled = true
set:
metrics.enabled: true
metrics.authProxy.enabled: true
asserts:
- equal:
path: apiVersion
value: rbac.authorization.k8s.io/v1
- it: should render Cluster Roles with custom rbac api version if metrics.enabled = true and metrics.authProxy.enabled = true
set:
metrics.enabled: true
metrics.authProxy.enabled: true
rbac.apiVersion: v1beta
asserts:
- equal:
path: apiVersion
value: rbac.authorization.k8s.io/v1beta

View File

@ -0,0 +1,42 @@
suite: Test Cluster Role Bindings
templates:
- clusterrolebinding.yaml
tests:
- it: should render Cluster Role Bindings with default rbac api version
set:
rbac.apiVersion: v1
asserts:
- equal:
path: apiVersion
value: rbac.authorization.k8s.io/v1
- it: should render Cluster Role Bindings with custom rbac api version
set:
rbac.apiVersion: v1beta
asserts:
- equal:
path: apiVersion
value: rbac.authorization.k8s.io/v1beta
- it: should not render Cluster Role Binding proxy if metrics.enabled = false or metrics.authProxy.enabled = false
set:
metrics.enabled: false
metrics.authProxy.enabled: false
asserts:
- hasDocuments:
count: 1
template: clusterrolebinding.yaml
- it: should render Cluster Role Bindings proxy if metrics.enabled = true and metrics.authProxy.enabled = true
set:
metrics.enabled: true
metrics.authProxy.enabled: true
asserts:
- hasDocuments:
count: 2
template: clusterrolebinding.yaml
- it: should render Cluster Role Bindings with default rbac api version if metrics.enabled = true and metrics.authProxy.enabled = true
set:
metrics.enabled: true
metrics.authProxy.enabled: true
asserts:
- equal:
path: apiVersion
value: rbac.authorization.k8s.io/v1

View File

@ -0,0 +1,202 @@
suite: Test Deployments
templates:
- deployment.yaml
tests:
- it: should render Deployment with allowed-external-ip-cidrs arg if allowedExternalIPCidrs is set
release:
name: rancher-externalip-webhook
set:
allowedExternalIPCidrs: "1,2"
asserts:
- equal:
path: spec.template.spec.containers[0].args[1]
value: --allowed-external-ip-cidrs=1,2
- it: should render Deployment with default port, nodeSelector and tolerations if metrics.enabled = false and metrics.authProxy.enabled = false
release:
name: rancher-externalip-webhook
asserts:
- equal:
path: spec.template.spec.containers[0].name
value: rancher-externalip-webhook
- equal:
path: spec.template.spec.containers[0].ports[0]
value:
containerPort: 9443
name: webhook-server
protocol: TCP
- equal:
path: spec.template.spec.tolerations[0]
value:
key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
- equal:
path: spec.template.spec.nodeSelector
value:
kubernetes.io/os: linux
- it: should render Deployment with default port and custom nodeSelector and tolerations if metrics.enabled = false and metrics.authProxy.enabled = false
release:
name: rancher-externalip-webhook
set:
tolerations:
- key: "cattle.io/test"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
nodeSelector:
kubernetes.io/test: linux
asserts:
- equal:
path: spec.template.spec.containers[0].name
value: rancher-externalip-webhook
- equal:
path: spec.template.spec.containers[0].ports[0]
value:
containerPort: 9443
name: webhook-server
protocol: TCP
- equal:
path: spec.template.spec.tolerations[0]
value:
key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
- equal:
path: spec.template.spec.tolerations[1]
value:
key: "cattle.io/test"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
- equal:
path: spec.template.spec.nodeSelector
value:
kubernetes.io/os: linux
kubernetes.io/test: linux
- it: should render Deployment with custom port and image if metrics.enabled = false and metrics.authProxy.enabled = false
release:
name: rancher-externalip-webhook
set:
webhookPort: 9000
image.repository: test
image.tag: dev-test
asserts:
- equal:
path: spec.template.spec.containers[0].name
value: rancher-externalip-webhook
- equal:
path: spec.template.spec.containers[0].image
value: test:dev-test
- equal:
path: spec.template.spec.containers[0].ports[0]
value:
containerPort: 9000
name: webhook-server
protocol: TCP
- it: should render Deployment with default metrics port if metrics.enabled = true and metrics.authProxy.enabled = false
release:
name: rancher-externalip-webhook
set:
metrics.enabled: true
asserts:
- equal:
path: spec.template.spec.containers[0].name
value: rancher-externalip-webhook
- equal:
path: spec.template.spec.containers[0].ports[0]
value:
containerPort: 9443
name: webhook-server
protocol: TCP
- equal:
path: spec.template.spec.containers[0].ports[1]
value:
containerPort: 8443
name: webhook-metrics
protocol: TCP
- it: should render Deployment with custom metrics port if metrics.enabled = true and metrics.authProxy.enabled = false
release:
name: rancher-externalip-webhook
set:
metrics.enabled: true
metrics.port: 8000
asserts:
- equal:
path: spec.template.spec.containers[0].name
value: rancher-externalip-webhook
- equal:
path: spec.template.spec.containers[0].ports[0]
value:
containerPort: 9443
name: webhook-server
protocol: TCP
- equal:
path: spec.template.spec.containers[0].ports[1]
value:
containerPort: 8000
name: webhook-metrics
protocol: TCP
- it: should render Deployment with default metrics port if metrics.enabled = true and metrics.authProxy.enabled = true
release:
name: rancher-externalip-webhook
set:
metrics.enabled: true
metrics.authProxy.enabled: true
asserts:
- equal:
path: spec.template.spec.containers[0].name
value: rancher-externalip-webhook-auth-proxy
- equal:
path: spec.template.spec.containers[0].ports[0]
value:
containerPort: 8443
name: webhook-metrics
protocol: TCP
- equal:
path: spec.template.spec.containers[1].name
value: rancher-externalip-webhook
- equal:
path: spec.template.spec.containers[1].ports[0]
value:
containerPort: 9443
name: webhook-server
protocol: TCP
- it: should render Deployment with custom metrics port and image if metrics.enabled = true and metrics.authProxy.enabled = true
release:
name: rancher-externalip-webhook
set:
metrics.enabled: true
metrics.authProxy.enabled: true
metrics.port: 8000
webhookPort: 9000
image.repository: test
image.tag: dev-test
metrics.authProxy.image.repository: auth
metrics.authProxy.image.tag: auth-test
asserts:
- equal:
path: spec.template.spec.containers[0].name
value: rancher-externalip-webhook-auth-proxy
- equal:
path: spec.template.spec.containers[0].image
value: auth:auth-test
- equal:
path: spec.template.spec.containers[0].ports[0]
value:
containerPort: 8000
name: webhook-metrics
protocol: TCP
- equal:
path: spec.template.spec.containers[1].name
value: rancher-externalip-webhook
- equal:
path: spec.template.spec.containers[1].image
value: test:dev-test
- equal:
path: spec.template.spec.containers[1].ports[0]
value:
containerPort: 9000
name: webhook-server
protocol: TCP

View File

@ -0,0 +1,106 @@
suite: Test Issuers
templates:
- issuer.yaml
tests:
- it: should not render issuer if certificates.certManager.enabled = false
set:
certificates.certManager.enabled: false
asserts:
- hasDocuments:
count: 0
template: issuer.yaml
- it: should render issuer if certificates.certManager.enabled = true
set:
certificates.certManager.enabled: true
asserts:
- hasDocuments:
count: 2
template: issuer.yaml
- it: should set issuer apiVersion with default cert-manager
set:
certificates.certManager.enabled: true
asserts:
- equal:
path: apiVersion
value: cert-manager.io/v1
template: issuer.yaml
- it: should set issuer apiVersion with cert-manager >= 1.0.0 using capabilities
capabilities:
apiversions:
- cert-manager.io/v1
set:
certificates.certManager.enabled: true
asserts:
- equal:
path: apiVersion
value: cert-manager.io/v1
template: issuer.yaml
- it: should set issuer apiVersion with cert-manager >= 0.16.0 using capabilities
capabilities:
apiversions:
- cert-manager.io/v1beta1
set:
certificates.certManager.enabled: true
asserts:
- equal:
path: apiVersion
value: cert-manager.io/v1beta1
template: issuer.yaml
- it: should set issuer apiVersion with cert-manager >= 0.11.0 using capabilities
capabilities:
apiversions:
- cert-manager.io/v1alpha2
set:
certificates.certManager.enabled: true
asserts:
- equal:
path: apiVersion
value: cert-manager.io/v1alpha2
template: issuer.yaml
- it: should set issuer apiVersion with cert-manager < 0.11.0 using capabilities
capabilities:
apiversions:
- certmanager.k8s.io/v1alpha1
set:
certificates.certManager.enabled: true
asserts:
- equal:
path: apiVersion
value: certmanager.k8s.io/v1alpha1
template: issuer.yaml
- it: should set issuer apiVersion with cert-manager >= 1.0.0 using parameter
set:
certificates.certManager.version: 1.0.0
certificates.certManager.enabled: true
asserts:
- equal:
path: apiVersion
value: cert-manager.io/v1
template: issuer.yaml
- it: should set issuer apiVersion with cert-manager >= 0.16.0 using parameter
set:
certificates.certManager.version: 0.16.0
certificates.certManager.enabled: true
asserts:
- equal:
path: apiVersion
value: cert-manager.io/v1beta1
template: issuer.yaml
- it: should set issuer apiVersion with cert-manager >= 0.11.0 using parameter
set:
certificates.certManager.version: 0.11.0
certificates.certManager.enabled: true
asserts:
- equal:
path: apiVersion
value: cert-manager.io/v1alpha2
template: issuer.yaml
- it: should set letsEncrypt apiVersion with cert-manager < 0.11.0 using parameter
set:
certificates.certManager.version: 0.9.0
certificates.certManager.enabled: true
asserts:
- equal:
path: apiVersion
value: certmanager.k8s.io/v1alpha1
template: issuer.yaml

View File

@ -0,0 +1,69 @@
suite: Test Services
templates:
- service.yaml
tests:
- it: should render webhook-server service with default webhookPort if metrics.enabled = false
set:
metrics.enabled: false
asserts:
- equal:
path: spec.ports[0]
value:
name: webhook-server
port: 443
protocol: TCP
targetPort: 9443
- it: should render webhook-server service with custom webhookPort if metrics.enabled = false
set:
metrics.enabled: false
webhookPort: 9000
asserts:
- equal:
path: spec.ports[0]
value:
name: webhook-server
port: 443
protocol: TCP
targetPort: 9000
- it: should render webhook-server and webhook-metrics services with default webhookPort and metrics.port, if metrics.enabled = true
set:
metrics.enabled: true
asserts:
- equal:
path: spec.ports[0]
value:
name: webhook-server
port: 443
protocol: TCP
targetPort: 9443
documentIndex: 0
- equal:
path: spec.ports[0]
value:
name: webhook-metrics
port: 8443
protocol: TCP
targetPort: 8443
documentIndex: 1
- it: should render webhook-server and webhook-metrics services with custom webhookPort and metrics.port, if metrics.enabled = true
set:
metrics.enabled: true
metrics.port: 8000
webhookPort: 9000
asserts:
- equal:
path: spec.ports[0]
value:
name: webhook-server
port: 443
protocol: TCP
targetPort: 9000
documentIndex: 0
- equal:
path: spec.ports[0]
value:
name: webhook-metrics
port: 8443
protocol: TCP
targetPort: 8000
documentIndex: 1

View File

@ -0,0 +1,9 @@
suite: Test Service Accounts
templates:
- serviceaccount.yaml
tests:
- it: should render Service Account
asserts:
- hasDocuments:
count: 1
template: serviceaccount.yaml

View File

@ -0,0 +1,20 @@
suite: Test Service Monitors
templates:
- servicemonitor.yaml
tests:
- it: should not render Service Monitor if metrics.enabled = false or metrics.prometheusExport = false
set:
metrics.enabled: false
metrics.prometheusExport: false
asserts:
- hasDocuments:
count: 0
template: servicemonitor.yaml
- it: should render Service Account if metrics.enabled = true and metrics.authProxy.enabled = true
set:
metrics.enabled: true
metrics.prometheusExport: true
asserts:
- hasDocuments:
count: 1
template: servicemonitor.yaml

View File

@ -0,0 +1,67 @@
## Allowed external IP cidrs
allowedExternalIPCidrs: ""
## Certificates generation for webhook
certificates:
certManager:
# Enable cert manager integration. Cert manager should be already installed at the k8s cluster
enabled: true
version: ""
# If cert-manager integration is disabled, add self signed ca.crt in base64 format
caBundle: ""
# If cert-manager integration is disabled, upload certs data (ca.crt, tls.crt and tls.key) as k8s secretName in the namespace
secretName: webhook-server-cert
## Details about the image to be pulled.
image:
pullPolicy: IfNotPresent
pullSecrets: []
repository: rancher/externalip-webhook
tag: v0.1.4
## Enabling metrics endpoint
# Webhook emits `webhook_failed_request_count` metrics whenever it rejects service creation or update operation
metrics:
enabled: false
port: 8443
# Enable webhook metrics export to Prometheus
prometheusExport: false
# Webhook metrics auth proxy. This option is just available for amd64 arch
authProxy:
enabled: false
port: 8080
image:
pullPolicy: IfNotPresent
pullSecrets: []
repository: rancher/kube-rbac-proxy
tag: v0.5.0
resources:
limits:
memory: 30Mi
cpu: 100m
requests:
memory: 20Mi
cpu: 100m
## Node labels for pod assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: {}
## RBAC
rbac:
apiVersion: v1
## CPU and Memory limit and request for externalip-webhook
resources:
limits:
memory: 30Mi
cpu: 100m
requests:
memory: 20Mi
cpu: 100m
service:
metricsPort: 8443
webhookPort: 443
## Webhook serviceAccountName. Just used if metrics.authProxy.enabled = false
serviceAccountName: default
## List of node taints to tolerate (requires Kubernetes >= 1.6)
tolerations: []
## Webhook server pod port
webhookPort: 9443
global:
systemDefaultRegistry: ""

View File

@ -352,6 +352,34 @@ entries:
urls:
- assets/rancher-cis-benchmark/rancher-cis-benchmark-crd-1.0.100.tgz
version: 1.0.100
rancher-external-ip-webhook:
- annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: External IP Webhook
catalog.cattle.io/namespace: cattle-externalip-system
catalog.cattle.io/release-name: rancher-external-ip-webhook
catalog.cattle.io/ui-component: rancher-external-ip-webhook
apiVersion: v1
appVersion: v0.1.4
created: "2020-12-09T01:07:43.561742972Z"
description: |
Deploy the external-ip-webhook to mitigate k8s CVE-2020-8554
digest: 533a8d7721001eb5efe4efe23d398f619f3b51634fcd1848fc52d0eb11d01016
home: https://github.com/rancher/externalip-webhook
keywords:
- cve
- externalip
- webhook
- security
maintainers:
- email: raul@rancher.com
name: rawmind0
name: rancher-external-ip-webhook
sources:
- https://github.com/rancher/externalip-webhook
urls:
- assets/rancher-external-ip-webhook/rancher-external-ip-webhook-0.1.400.tgz
version: 0.1.400
rancher-gatekeeper:
- annotations:
catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
@ -1098,4 +1126,4 @@ entries:
urls:
- assets/rio/rio-0.8.000.tgz
version: 0.8.000
generated: "2020-11-10T00:02:09.783616681Z"
generated: "2020-12-09T01:07:43.560407349Z"

View File

@ -0,0 +1,2 @@
9f7d1eaa86b2b929e679dac7bb94e1632e959e6bc3f1137010474a24a38844b2 packages/rancher-external-ip-webhook/package.yaml
98bb6cea7a63466baaf420932e03dec62c4a0460b50303ec46f1836b5c7b00d2 packages/rancher-external-ip-webhook/rancher-external-ip-webhook.patch