externalip-webhook
externalip-webhook was created to address CVE-2020-8554, in which a user who is able to create a Service and set its spec.externalIPs field can intercept cluster traffic destined for that IP address.
externalip-webhook is a validating admission webhook that prevents Services from using arbitrary external IPs. Cluster administrators specify the list of CIDRs that may be used as external IPs via the allowed-external-ip-cidrs parameter.
The webhook only admits Services that do not request an external IP, or whose external IPs all fall within the ranges specified by the administrator.
externalip-webhook can also restrict who is allowed to assign external IPs to Services via the allowed-usernames and allowed-groups parameters.
This repo is built using kubebuilder.
Deploying
To restrict external IPs to certain CIDRs, uncomment and update allowed-external-ip-cidrs in webhook.yaml.
To restrict the users that can assign external IPs to Services, uncomment and update allowed-usernames and/or allowed-groups in webhook.yaml.
Both parameters default to empty, which means any user can assign external IPs. If either parameter is set, assigning external IPs is restricted to users that match an entry in either list.
NOTE: If auth-proxy is enabled, update allowed-external-ip-cidrs in metrics_server_auth_proxy.yaml instead.
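The admission rule described above (a Service with no external IP is always admitted; otherwise the caller must pass the allowed-usernames/allowed-groups check and every external IP must fall inside an allowed CIDR) is easy to get subtly wrong, so here it is as a stand-alone Go program. This is an added example written for this page, not code from the externalip-webhook project; the Policy and Request types, the NewPolicy/Validate functions, the sample CIDR and user names are all constructed for illustration, and the choice to treat an empty CIDR list as denying every external IP (fail-closed) is an assumption for this example rather than a documented project default.

```go
package main

import (
	"fmt"
	"net"
)

// Policy holds the three webhook parameters described in the README:
// allowed-external-ip-cidrs, allowed-usernames and allowed-groups.
type Policy struct {
	AllowedCIDRs     []*net.IPNet
	AllowedUsernames []string
	AllowedGroups    []string
}

// Request is a reduced view of an admission request for a Service: the
// addresses from spec.externalIPs plus the caller identity the API server
// reports in userInfo (username and groups).
type Request struct {
	ExternalIPs []string
	Username    string
	Groups      []string
}

// NewPolicy parses the CIDR list once, so malformed configuration is rejected
// at startup rather than silently failing at admission time.
func NewPolicy(cidrs, usernames, groups []string) (Policy, error) {
	p := Policy{AllowedUsernames: usernames, AllowedGroups: groups}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return Policy{}, fmt.Errorf("allowed-external-ip-cidrs: %q: %w", c, err)
		}
		p.AllowedCIDRs = append(p.AllowedCIDRs, n)
	}
	return p, nil
}

// userAllowed implements the identity rule: with both lists empty anyone may
// set external IPs; once either list is set, the caller must match an entry
// in either list.
func (p Policy) userAllowed(r Request) bool {
	if len(p.AllowedUsernames) == 0 && len(p.AllowedGroups) == 0 {
		return true
	}
	for _, u := range p.AllowedUsernames {
		if u == r.Username {
			return true
		}
	}
	for _, g := range p.AllowedGroups {
		for _, rg := range r.Groups {
			if g == rg {
				return true
			}
		}
	}
	return false
}

// ipAllowed is fail-closed: an empty CIDR list admits no external IP at all
// (assumption made by this example; check the project's actual default).
func (p Policy) ipAllowed(ip net.IP) bool {
	for _, n := range p.AllowedCIDRs {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Validate returns nil when the Service should be admitted, otherwise an error
// carrying the reason a webhook would place in its AdmissionResponse.
func (p Policy) Validate(r Request) error {
	if len(r.ExternalIPs) == 0 {
		return nil // no external IP requested: nothing to police
	}
	if !p.userAllowed(r) {
		return fmt.Errorf("user %q is not allowed to set externalIPs", r.Username)
	}
	for _, s := range r.ExternalIPs {
		ip := net.ParseIP(s)
		if ip == nil {
			return fmt.Errorf("externalIPs: %q is not a valid IP address", s)
		}
		if !p.ipAllowed(ip) {
			return fmt.Errorf("externalIPs: %s is outside the allowed CIDRs", s)
		}
	}
	return nil
}

func main() {
	// Constructed configuration: one allowed range and one allowed group.
	p, err := NewPolicy([]string{"203.0.113.0/24"}, nil, []string{"network-admins"})
	if err != nil {
		panic(err)
	}
	cases := []Request{
		{Username: "dev", Groups: []string{"developers"}},                                           // admitted: no external IP
		{ExternalIPs: []string{"203.0.113.10"}, Username: "ops", Groups: []string{"network-admins"}}, // admitted
		{ExternalIPs: []string{"203.0.113.10"}, Username: "dev", Groups: []string{"developers"}},     // denied: caller
		{ExternalIPs: []string{"10.0.0.5"}, Username: "ops", Groups: []string{"network-admins"}},     // denied: range
	}
	for _, c := range cases {
		fmt.Printf("%v by %s: %v\n", c.ExternalIPs, c.Username, p.Validate(c))
	}
}
```

Note that the caller check runs before the address check: a Service that names an address inside an allowed range is still rejected when the requester is not in allowed-usernames or allowed-groups, which is what keeps an ordinary namespace user from reusing a range the administrator opened for a dedicated team.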
Deploy pre-built webhook
To deploy the webhook using the manifests in this repo, you must have kustomize in your path.
You can download kustomize here: https://kubernetes-sigs.github.io/kustomize/installation/
make deploy
Build and deploy webhook
make docker-build docker-push IMG=DOCKER_IMAGE_TAG
make deploy IMG=DOCKER_IMAGE_TAG
Configuration
Updating webhook namespace
By default the webhook runs in the externalip-validation-system namespace. This can be changed by updating namespace and namePrefix in the kustomization.yaml file.
Certificate generation for webhook
Webhook certificates can either be generated through cert-manager or supplied by uploading existing certs. The following sections explain how each is done.
Using cert manager
Uncomment all sections with 'CERTMANAGER' in kustomization.yaml file.
Uploading webhook certificates
- Upload the cert data (ca.crt, tls.crt and tls.key) as a Kubernetes secret named webhook-server-cert in the same namespace as kustomization.yaml.
- Update the caBundle field in manifests.yaml.
Enabling metrics endpoint
The webhook emits the webhook_failed_request_count metric whenever it rejects a Service create or update operation.
Enabling without auth-proxy
Uncomment --metrics-addr and the corresponding port entry under containers in webhook.yaml.
Enabling /metrics with auth-proxy
- Uncomment all sections with 'METRICS_SERVER_RBAC' in kustomization.yaml file.
- Create cluster role binding for the cluster role in auth_proxy_client_clusterrole.yaml.
Exporting metrics for Prometheus
Follow the steps mentioned here to export the webhook metrics.
Community, discussion, contribution, and support
Learn how to engage with the Kubernetes community on the community page.
You can reach the maintainers of this project at:
Code of conduct
Participation in the Kubernetes community is governed by the Kubernetes Code of Conduct.