
The k8s webhook requires TLS verification; the official documentation says that the server certificate requires <svc_name>.<svc_namespace>.svc.

But when I deploy with Helm, I may not know which namespace it will be deployed in. The svc_name generally does not change, so is there some way to match any namespace, such as <svc_name>.<any_namespace>.svc?

Is there a method implementation that works for arbitrary namespaces?

I really appreciate any help with this.

k8s version is 1.18.

Attached is a sample of my self-signed certificate configuration:

```ini
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
# CN is fixed to one namespace (kube-system) at generation time
CN = webhook.kube-system.svc
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
# the API server matches the service DNS name against these SAN entries
DNS.1 = webhook.kube-system.svc
```

moluzhui
  • Which Kubernetes version are you using? – Mikolaj S. Dec 24 '21 at 17:01
  • version is 1.18 – moluzhui Dec 24 '21 at 17:42
  • It seems the namespace name is required (this how [DNS in Kubernetes works](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#namespaces-of-services) - by using service and namespace name), another possible option is to [use URL to specify a location of the webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#url), did you consider it maybe? – Mikolaj S. Dec 27 '21 at 14:04
  • Well, then I can only use multiple DNS entries (1, 2, 3...) to preset the namespaces that may be deployed. Does this affect efficiency? – moluzhui Dec 28 '21 at 11:59
  • You may create another service at a predictable location (i.e. in a specific namespace) and link that to your actual service in the less predictable namespace. See https://stackoverflow.com/a/44329470/763875 – jwhb Dec 29 '21 at 01:57
  • Hi @moluzhui, please check my answer. – Mikolaj S. Dec 29 '21 at 08:55

1 Answer

Posted community wiki answer for better visibility. Feel free to expand it.

EDIT: The workaround presented by the original poster (@moluzhui):

At present, I provide ValidatingWebhookConfiguration in chart/template in advance and write it through .Files.Get

As stated in the official documentation:

Note: When using clientConfig.service, the server cert must be valid for <svc_name>.<svc_namespace>.svc.

The namespace name is required - this is how DNS in Kubernetes works - by using service and namespace name.

However, there is a good article which presents best practices for managing TLS certificates for Kubernetes Admission Webhooks - 5 Ways of Managing TLS Certificates for your Kubernetes Admission Webhooks. Maybe some of them will be useful to you and will be a solution for your issue:

  • for Helm - use the Certificator project and Helm hooks - it automatically patches the caBundle field
  • set up an init container to create a certificate and provide the CA bundle to the API server
  • generate certificates with the cert-manager CA Injector and inject them into the WebhookConfiguration

You can also set up a URL with the location of the webhook, where you don't have to use caBundle:

Expects the TLS certificate to be verified using system trust roots, so does not specify a caBundle.

Answering your comment:

Well, then I can only use multiple DNS(1,2,3...) to preset the name space that may be deployed. Does this affect efficiency?

It probably depends on how many namespaces you want to deploy to, but for sure it is not good practice.

Another solution from the comments (thanks to user @JWhy):

You may create another service at a predictable location (i.e. in a specific namespace) and link that to your actual service in the less predictable namespace. See stackoverflow.com/a/44329470/763875

Mikolaj S.
  • None of these seem to fully meet my requirements. I cannot achieve dynamic injection due to the uncertainty of the namespace and the absence of cert-manager when deploying the service. It can only be set in advance, but the provided methods seem to be just to create a certificate. However, the key to the problem is how to write caBundle to `WebhookConfiguration`. At present, I provide ValidatingWebhookConfiguration in `chart/template` in advance and write it through `.Files.Get` – moluzhui Jan 04 '22 at 02:40
  • Thanks @moluzhui, I added your workaround to my community wiki answer. Please consider [up-voting / accepting it](https://stackoverflow.com/help/someone-answers) so it will be visible to the community that there is a workaround for your issue. – Mikolaj S. Jan 04 '22 at 09:34
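An added example, not code from the question or the answer above: since Helm knows the target namespace at render time (`.Release.Namespace`), the chart itself can mint a certificate whose SAN is `<svc_name>.<actual_namespace>.svc` and drop the matching CA into `caBundle`, which is the same idea as the poster's `.Files.Get` workaround but without presetting namespaces. It uses the Sprig functions `genCA` and `genSignedCert` that Helm ships with. The value keys `.Values.webhook.serviceName` and `.Values.webhook.path`, the Secret name and the rule on pods are assumptions for illustration.

```yaml
# Added example (not from the question or answer): Helm template that
# generates the webhook serving cert for the release namespace at render time.
# Assumed values: .Values.webhook.serviceName (e.g. "webhook"), .Values.webhook.path.
{{- $svc := .Values.webhook.serviceName }}
{{- $ns := .Release.Namespace }}
{{- $fqdn := printf "%s.%s.svc" $svc $ns }}
{{- /* throw-away CA: only the API server needs to trust it, via caBundle */}}
{{- $ca := genCA (printf "%s-ca" $svc) 3650 }}
{{- /* SANs cover the forms the API server and in-cluster clients may use */}}
{{- $sans := list $fqdn (printf "%s.%s.svc.cluster.local" $svc $ns) (printf "%s.%s" $svc $ns) $svc }}
{{- $cert := genSignedCert $fqdn (list) $sans 3650 $ca }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ $svc }}-tls          # assumed name; mount this into the webhook pod
  namespace: {{ $ns }}
type: kubernetes.io/tls
data:
  tls.crt: {{ $cert.Cert | b64enc }}
  tls.key: {{ $cert.Key | b64enc }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: {{ $svc }}-validating   # assumed name
webhooks:
  - name: {{ $fqdn }}           # must be a fully qualified name; the svc FQDN qualifies
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    clientConfig:
      service:
        name: {{ $svc }}
        namespace: {{ $ns }}    # same namespace the cert was issued for
        path: {{ .Values.webhook.path | quote }}
      caBundle: {{ $ca.Cert | b64enc }}
    rules:                      # assumed rule, adjust to the resources you validate
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
```

Two caveats a practitioner should check: `genCA` and `genSignedCert` produce a fresh key pair on every `helm install`/`helm upgrade`, so the serving pod must be restarted (or the Secret reused via `lookup`) for the mounted key to match the new `caBundle`; and because the CA is private to the release, nothing outside the API server trusts it, which is exactly the scope the `clientConfig.service` note in the answer requires.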