
fix: add CONNECT operation in the webhook config for pod/exec subresource

Open MariamFahmy98 opened this issue 11 months ago • 1 comments

Explanation

This PR checks for the Pod/exec subresource, and if it does exist, we return the operations specified by the user instead of returning the default operations.

Related issue

Closes #9829

Milestone of this PR

/milestone 1.12.0

Documentation (required for features)

My PR contains new or altered behavior to Kyverno.

What type of PR is this

/kind bug

Proposed Changes

Proof Manifests

  1. policy.yaml:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: std-shell
spec:
  background: false
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Pod/exec
          operations:
          - CONNECT
    mutate:
      patchesJson6902: |-
        - op: replace
          path: "/command/0"
          value: "bash" 
    name: std-shell-replace
  validationFailureAction: Audit

Check the mutating webhook configuration:

kubectl get mutatingwebhookconfigurations.admissionregistration.k8s.io kyverno-resource-mutating-webhook-cfg -o yaml

apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  labels:
    webhook.kyverno.io/managed-by: kyverno
  name: kyverno-resource-mutating-webhook-cfg
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    caBundle: <ca-bundle>
    url: https://172.18.0.1:9443/mutate/fail
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: mutate.kyverno.svc-fail
  namespaceSelector:
    matchExpressions:
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values:
      - kyverno
  objectSelector: {}
  reinvocationPolicy: IfNeeded
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CONNECT
    resources:
    - pods/exec
    scope: Namespaced
  sideEffects: NoneOnDryRun
  timeoutSeconds: 10
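
To make the selection logic the PR describes concrete, here is an added Go sketch (example code, not Kyverno's implementation): the ResourceMatch type, the kindToResource mapping and the default operation set are assumptions standing in for Kyverno's own types and defaults, chosen so the pods/exec + CONNECT case from the proof manifests can be traced end to end.

```go
package main

import (
	"fmt"
	"strings"
)

// ResourceMatch is a simplified stand-in (assumed, not Kyverno's own type) for the
// "resources" block of a policy rule: kinds such as "Pod/exec" plus the operations
// the policy author listed, which may be empty.
type ResourceMatch struct {
	Kinds      []string
	Operations []string
}

// defaultOps stands in for the defaults used when a rule lists no operations (assumed).
var defaultOps = []string{"CREATE", "UPDATE"}

// kindToResource maps "Pod/exec" to "pods/exec" by naive lowercasing and pluralising;
// real API discovery is assumed away.
func kindToResource(kind string) string {
	parts := strings.SplitN(kind, "/", 2)
	res := strings.ToLower(parts[0]) + "s"
	if len(parts) == 2 {
		res += "/" + parts[1]
	}
	return res
}

// BuildRule models the fix: when a kind carries a subresource and the policy lists
// operations, those operations (CONNECT for pods/exec) are kept rather than the
// defaults the webhook configuration previously fell back to.
func BuildRule(m ResourceMatch) (resources, operations []string) {
	hasSubresource := false
	for _, k := range m.Kinds {
		hasSubresource = hasSubresource || strings.Contains(k, "/")
		resources = append(resources, kindToResource(k))
	}
	if hasSubresource && len(m.Operations) > 0 {
		return resources, append(operations, m.Operations...)
	}
	return resources, append(operations, defaultOps...)
}

func main() {
	res, ops := BuildRule(ResourceMatch{Kinds: []string{"Pod/exec"}, Operations: []string{"CONNECT"}})
	fmt.Printf("resources=%v operations=%v\n", res, ops)
}
```

Comparing the returned operations with the `operations:` list in the generated MutatingWebhookConfiguration above is the quickest way to confirm an exec-mutating policy will actually be invoked.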

Checklist

  • [ ] I have read the contributing guidelines.
  • [ ] I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
  • [ ] This is a bug fix and I have added unit tests that prove my fix is effective.
  • [ ] This is a feature and I have added CLI tests that are applicable.
  • [ ] My PR needs to be cherry picked to a specific release branch which is .
  • [ ] My PR contains new or altered behavior to Kyverno and
    • [ ] CLI support should be added and my PR doesn't contain that functionality.

Further Comments

MariamFahmy98 avatar Mar 05 '24 13:03 MariamFahmy98