Documentation ¶
Overview ¶
Package webhook container PodMutator. It's a controller-runtime webhook that intercepts Pod Creation events and mutates them. Currently, there is only one registered Mutator, that's the SecretsMutator. It works as follows:
- The Webhook only works on Pods. If propeller/plugins launch a resource outside K8s (or in a separate k8s cluster), it's the responsibility of the plugin to correctly pass secret injection information.
- When a k8s-plugin builds a resource, propeller's PluginManager will automatically inject a label `inject-flyte -secrets: true` and serialize the secret injection information into the annotations.
- If a plugin does not use the K8sPlugin interface, it's its responsibility to pass secret injection information.
- If a k8s plugin creates a CRD that launches other Pods (e.g. Spark/PyTorch... etc.), it's its responsibility to make sure the labels/annotations set on the CRD by PluginManager are propagated to those launched Pods. This ensures secret injection happens no matter how many levels of indirections there are.
- The Webhook expects 'inject-flyte-secrets: true' as a label on the Pod. Otherwise, it won't listen/observe that pod.
- Once it intercepts the admission request, it goes over all registered Mutators and invoke them in the order they are registered as. If a Mutator fails, and it's marked as `required`, the operation will fail and the admission will be rejected.
- The SecretsMutator will attempt to look up the requested secret from the process environment. If the secret is already mounted, it'll inject it as plain-text into the Pod Spec (Less secure).
- If it's not found in the environment it'll, instead, fallback to the enabled Secrets Injector (K8s, Confidant, Vault... etc.).
- Each SecretsInjector will mutate the Pod differently depending on how its backend secrets system injects the secrets for example:
- For K8s secrets, it'll either add EnvFromSecret or VolumeMountSource (depending on the MountRequirement stated in the flyteIdl.Secret object) into the Pod. There is no validation that the secret exist and is available to the Pod at this point. If the secret is not accessible, the Pod will fail with ContainerCreationConfigError and will be retried.
- For Vault secrets, it'll inject the right annotations to trigger Vault's own sidecar/webhook to mount the secret.
Index ¶
- Constants
- Variables
- func AppendEnvVars(containers []corev1.Container, envVar corev1.EnvVar) []corev1.Container
- func AppendVolume(volumes []corev1.Volume, volume corev1.Volume) []corev1.Volume
- func AppendVolumeMounts(containers []corev1.Container, mount corev1.VolumeMount) []corev1.Container
- func CreateEnvVarForSecret(secret *core.Secret) corev1.EnvVar
- func CreateVaultAnnotationsForSecret(secret *core.Secret, kvversion config.KVVersion) map[string]string
- func CreateVolumeForSecret(secret *core.Secret) corev1.Volume
- func CreateVolumeMountForSecret(volumeName string, secret *core.Secret) corev1.VolumeMount
- func InitCerts(ctx context.Context, propellerCfg *config.Config, cfg *webhookConfig.Config) error
- func Run(ctx context.Context, propellerCfg *config.Config, cfg *config2.Config, ...) error
- type AWSSecretManagerInjector
- type GCPSecretManagerInjector
- type GlobalSecretProvider
- type GlobalSecrets
- type K8sSecretInjector
- type Mutator
- type MutatorConfig
- type PodMutator
- func (pm PodMutator) CreateMutationWebhookConfiguration(namespace string) (*admissionregistrationv1.MutatingWebhookConfiguration, error)
- func (pm PodMutator) GetMutatePath() string
- func (pm PodMutator) Handle(ctx context.Context, request admission.Request) admission.Response
- func (pm PodMutator) Mutate(ctx context.Context, p *corev1.Pod) (newP *corev1.Pod, changed bool, err error)
- func (pm PodMutator) Register(ctx context.Context, mgr manager.Manager) error
- type SecretsInjector
- type SecretsMutator
- type VaultSecretManagerInjector
Constants ¶
const ( // AWSSecretArnEnvVar defines the environment variable name to use to specify to the sidecar container which secret // to pull. AWSSecretArnEnvVar = "SECRET_ARN" // AWSSecretFilenameEnvVar defines the environment variable name to use to specify to the sidecar container where // to store the secret. AWSSecretFilenameEnvVar = "SECRET_FILENAME" // AWSSecretsVolumeName defines the static name of the volume used for mounting/sharing secrets between init-container // sidecar and the rest of the containers in the pod. AWSSecretsVolumeName = "aws-secret-vol" // #nosec // AWS SideCar Docker Container expects the mount to always be under /tmp AWSInitContainerMountPath = "/tmp" )
const ( PodNameEnvVar = "POD_NAME" PodNamespaceEnvVar = "POD_NAMESPACE" )
const ( CaCertKey = "ca.crt" ServerCertKey = "tls.crt" ServerCertPrivateKey = "tls.key" )
const ( K8sDefaultEnvVarPrefix = "_FSEC_" EnvVarGroupKeySeparator = "_" )
const ( SecretPathDefaultDirEnvVar = "FLYTE_SECRETS_DEFAULT_DIR" // #nosec SecretPathFilePrefixEnvVar = "FLYTE_SECRETS_FILE_PREFIX" // #nosec SecretEnvVarPrefix = "FLYTE_SECRETS_ENV_PREFIX" // #nosec )
const ( // GCPSecretsVolumeName defines the static name of the volume used for mounting/sharing secrets between init-container // sidecar and the rest of the containers in the pod. GCPSecretsVolumeName = "gcp-secret-vol" // #nosec )
Variables ¶
var ( // AWSSecretMountPathPrefix defines the default mount path for secrets AWSSecretMountPathPrefix = []string{string(os.PathSeparator), "etc", "flyte", "secrets"} )
var ( // GCPSecretMountPath defines the default mount path for secrets GCPSecretMountPath = filepath.Join(string(os.PathSeparator), "etc", "flyte", "secrets") )
var (
K8sSecretPathPrefix = []string{string(os.PathSeparator), "etc", "flyte", "secrets"}
)
var (
VaultSecretPathPrefix = []string{string(os.PathSeparator), "etc", "flyte", "secrets"}
)
Functions ¶
func AppendEnvVars ¶
func AppendVolume ¶
func AppendVolumeMounts ¶
func CreateVolumeMountForSecret ¶
func CreateVolumeMountForSecret(volumeName string, secret *core.Secret) corev1.VolumeMount
Types ¶
type AWSSecretManagerInjector ¶
type AWSSecretManagerInjector struct {
// contains filtered or unexported fields
}
AWSSecretManagerInjector allows injecting of secrets from AWS Secret Manager as files. It uses AWS-provided SideCar as an init-container to download the secret and save it to a local volume shared with all other containers in the pod. It supports multiple secrets to be mounted but that will result into adding an init container for each secret. The role/serviceaccount used to run the Pod must have permissions to pull the secret from AWS Secret Manager. Otherwise, the Pod will fail with an init-error. Files will be mounted on /etc/flyte/secrets/<SecretGroup>/<SecretKey>
func NewAWSSecretManagerInjector ¶
func NewAWSSecretManagerInjector(cfg config.AWSSecretManagerConfig) AWSSecretManagerInjector
NewAWSSecretManagerInjector creates a SecretInjector that's able to mount secrets from AWS Secret Manager.
func (AWSSecretManagerInjector) Type ¶
func (i AWSSecretManagerInjector) Type() config.SecretManagerType
type GCPSecretManagerInjector ¶
type GCPSecretManagerInjector struct {
// contains filtered or unexported fields
}
GCPSecretManagerInjector allows injecting of secrets from GCP Secret Manager as files. It uses a Google Cloud SDK SideCar as an init-container to download the secret and save it to a local volume shared with all other containers in the pod. It supports multiple secrets to be mounted but that will result into adding an init container for each secret. The Google serviceaccount (GSA) associated with the Pod, either via Workload Identity (recommended) or the underlying node's serviceacccount, must have permissions to pull the secret from GCP Secret Manager. Currently, the secret must also exist in the same project. Otherwise, the Pod will fail with an init-error. Files will be mounted on /etc/flyte/secrets/<SecretGroup>/<SecretGroupVersion>
func NewGCPSecretManagerInjector ¶
func NewGCPSecretManagerInjector(cfg config.GCPSecretManagerConfig) GCPSecretManagerInjector
NewGCPSecretManagerInjector creates a SecretInjector that's able to mount secrets from GCP Secret Manager.
func (GCPSecretManagerInjector) Type ¶
func (i GCPSecretManagerInjector) Type() config.SecretManagerType
type GlobalSecretProvider ¶
type GlobalSecrets ¶
type GlobalSecrets struct {
// contains filtered or unexported fields
}
GlobalSecrets allows the injection of secrets from the process memory space (env vars) or mounted files into pods intercepted through this admission webhook. Secrets injected through this type will be mounted as environment variables. If a secret has a mounting requirement that does not allow Env Vars, it'll fail to inject the secret.
func NewGlobalSecrets ¶
func NewGlobalSecrets(provider GlobalSecretProvider) GlobalSecrets
func (GlobalSecrets) Type ¶
func (g GlobalSecrets) Type() config.SecretManagerType
type K8sSecretInjector ¶
type K8sSecretInjector struct { }
K8sSecretInjector allows injecting of secrets into pods by specifying either EnvVarSource or SecretVolumeSource in the Pod Spec. It'll, by default, mount secrets as files into pods. The current version does not allow mounting an entire secret object (with all keys inside it). It only supports mounting a single key from the referenced secret object. The secret.Group will be used to reference the k8s secret object, the Secret.Key will be used to reference a key inside and the secret.Version will be ignored. Environment variables will be named _FSEC_<SecretGroup>_<SecretKey>. Files will be mounted on /etc/flyte/secrets/<SecretGroup>/<SecretKey>
func NewK8sSecretsInjector ¶
func NewK8sSecretsInjector() K8sSecretInjector
func (K8sSecretInjector) Type ¶
func (i K8sSecretInjector) Type() config.SecretManagerType
type MutatorConfig ¶
type PodMutator ¶
type PodMutator struct { Mutators []MutatorConfig // contains filtered or unexported fields }
PodMutator implements controller-runtime WebHook interface.
func NewPodMutator ¶
func (PodMutator) CreateMutationWebhookConfiguration ¶
func (pm PodMutator) CreateMutationWebhookConfiguration(namespace string) (*admissionregistrationv1.MutatingWebhookConfiguration, error)
func (PodMutator) GetMutatePath ¶
func (pm PodMutator) GetMutatePath() string
type SecretsInjector ¶
type SecretsMutator ¶
type SecretsMutator struct {
// contains filtered or unexported fields
}
func NewSecretsMutator ¶
func NewSecretsMutator(cfg *config.Config, _ promutils.Scope) *SecretsMutator
NewSecretsMutator creates a new SecretsMutator with all available plugins. Depending on the selected plugins in the config, only the global plugin and one other plugin can be enabled.
func (SecretsMutator) ID ¶
func (s SecretsMutator) ID() string
type VaultSecretManagerInjector ¶
type VaultSecretManagerInjector struct {
// contains filtered or unexported fields
}
VaultSecretManagerInjector allows injecting of secrets into pods by leveraging an existing deployment of Vault Agent Vault Agent functions as an additional webhook that is triggered through annotations and then retrieves and mounts the requested secrets from Vault. This injector parses a secret Request into vault annotations, interpreting the secret Group as the vault secret path and the secret Key as the key for which to extract a value from a Vault secret. It supports adding multiple secrets. (The common annotations will simply be overwritten if added several times) Note that you need to configure the Vault role that this injector will try to use and add Vault policies for the service account and namespaces that your workflows run under. Files will be mounted at /etc/flyte/secrets/<SecretGroup>/<SecretKey>
func NewVaultSecretManagerInjector ¶
func NewVaultSecretManagerInjector(cfg config.VaultSecretManagerConfig) VaultSecretManagerInjector
func (VaultSecretManagerInjector) Type ¶
func (i VaultSecretManagerInjector) Type() config.SecretManagerType