kubewarden-controller

Research a solution to allow the operator to reject requests using disallowed Kubernetes API versions.

Open jvanz opened this issue 2 years ago • 2 comments

Bad actors could deploy workloads using features (API versions) not covered by the admission controller, thus bypassing the validations. We should look for a solution to prevent this from happening.

Issue from threat #14 of the threat model. One solution proposed during RFC discussions is a policy that rejects all workloads using an API version different from those in a defined allow list.

NOTE: This is an issue created from the RFC discussing the admission control threat model. It's created to allow the Kubewarden team to discuss the proposed mitigation further and start to work on each actionable item when possible.

jvanz, May 17 '22 19:05

As an example, there is https://github.com/FairwindsOps/pluto as a CLI tool to discover deprecated apiVersions of resources.

viccuad, Sep 21 '22 07:09

This is partially implemented by https://github.com/kubewarden/deprecated-api-versions-policy.

It is missing a policy with an allowlist for API versions.

viccuad, Jun 23 '23 15:06
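The allowlist check that the last comment describes as missing, sketched as an added example; it is not code from Kubewarden or from this issue. The function name and the `allow` settings shape are assumptions, while `kind` and `requestKind` are fields of the Kubernetes `admission.k8s.io/v1` AdmissionReview request.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// gvk mirrors the group/version/kind objects of an admission.k8s.io/v1 request.
type gvk struct {
	Group   string `json:"group"`
	Version string `json:"version"`
	Kind    string `json:"kind"`
}
type review struct {
	Request struct {
		Kind        gvk  `json:"kind"`
		RequestKind *gvk `json:"requestKind"`
	} `json:"request"`
}

// checkAPIVersion fails closed: a malformed review or any kind/version not
// listed is rejected. allow is a hypothetical settings shape whose keys are
// "<apiVersion>/<Kind>", e.g. "apps/v1/Deployment" or "v1/Pod".
func checkAPIVersion(raw []byte, allow map[string]bool) (bool, string) {
	var r review
	if err := json.Unmarshal(raw, &r); err != nil {
		return false, "malformed AdmissionReview: " + err.Error()
	}
	// requestKind is what the client sent; kind may already have been
	// converted by the API server to the version the webhook registered for.
	used := r.Request.Kind
	if r.Request.RequestKind != nil {
		used = *r.Request.RequestKind
	}
	key := used.Version + "/" + used.Kind
	if used.Group != "" { // the core group has an empty name: "v1/Pod"
		key = used.Group + "/" + key
	}
	if allow[key] {
		return true, ""
	}
	return false, fmt.Sprintf("%s is not in the API version allowlist", key)
}

func main() {
	// Constructed sample: a CronJob sent as batch/v1beta1, converted to batch/v1.
	raw := []byte(`{"request":{"kind":{"group":"batch","version":"v1","kind":"CronJob"},"requestKind":{"group":"batch","version":"v1beta1","kind":"CronJob"}}}`)
	fmt.Println(checkAPIVersion(raw, map[string]bool{"batch/v1/CronJob": true}))
}
```

Checking `kind` alone would accept the constructed sample, because the converted object already carries `batch/v1`; preferring `requestKind` keeps the decision tied to the version the client actually used.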